c5429ea53126a30e8a5a44963460e488f7e1e0138dde1523f893ed4b8f2c5eaa

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75d301e7b8651fexeexeexeex.exe
Size

168KB
MD5

75d301e7b8651f382cd435881869e0e2
SHA1

49a7b112ed3533776246d16b0108c1ec9f7980e4
SHA256

c5429ea53126a30e8a5a44963460e488f7e1e0138dde1523f893ed4b8f2c5eaa
SHA512

e26c65c4aace5c3a8164968f4affc13454ad84005e7b53d492437902ecc15d80540467c455c4e5bf07f3cca72d5df57024a6c0357aadef8882a28f45372de52a
SSDEEP

1536:1EGh0oulq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oulqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C010D238-86E0-4ae3-9F32-EFF8BF019F26}\stubpath = "C:\\Windows\\{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe"	{53B04172-C937-499a-BC2E-1F579E12D378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}\stubpath = "C:\\Windows\\{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe"	{90E0997A-0705-4e08-902C-63F80923614D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}	{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}	75d301e7b8651fexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53B04172-C937-499a-BC2E-1F579E12D378}	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C010D238-86E0-4ae3-9F32-EFF8BF019F26}	{53B04172-C937-499a-BC2E-1F579E12D378}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B427218-7FEA-4f45-94F6-1723BBA21338}\stubpath = "C:\\Windows\\{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe"	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2E69D29-1CC5-4da3-9887-3B48AE49704A}\stubpath = "C:\\Windows\\{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe"	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}	{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A56980-8367-43e2-A40E-9244D997ADD5}	{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}\stubpath = "C:\\Windows\\{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe"	75d301e7b8651fexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53B04172-C937-499a-BC2E-1F579E12D378}\stubpath = "C:\\Windows\\{53B04172-C937-499a-BC2E-1F579E12D378}.exe"	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B427218-7FEA-4f45-94F6-1723BBA21338}	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90E0997A-0705-4e08-902C-63F80923614D}\stubpath = "C:\\Windows\\{90E0997A-0705-4e08-902C-63F80923614D}.exe"	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}	{90E0997A-0705-4e08-902C-63F80923614D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{456EE5DB-0B2C-4f16-AB9E-4E508EE1C4FE}\stubpath = "C:\\Windows\\{456EE5DB-0B2C-4f16-AB9E-4E508EE1C4FE}.exe"	{70A56980-8367-43e2-A40E-9244D997ADD5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CEAADB8-709A-4681-8520-11DA2A7BC15A}	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CEAADB8-709A-4681-8520-11DA2A7BC15A}\stubpath = "C:\\Windows\\{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe"	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2E69D29-1CC5-4da3-9887-3B48AE49704A}	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}\stubpath = "C:\\Windows\\{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe"	{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70A56980-8367-43e2-A40E-9244D997ADD5}\stubpath = "C:\\Windows\\{70A56980-8367-43e2-A40E-9244D997ADD5}.exe"	{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{456EE5DB-0B2C-4f16-AB9E-4E508EE1C4FE}	{70A56980-8367-43e2-A40E-9244D997ADD5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}\stubpath = "C:\\Windows\\{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe"	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90E0997A-0705-4e08-902C-63F80923614D}	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}\stubpath = "C:\\Windows\\{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe"	{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe

Deletes itself 1 IoCs

pid	Process
640	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2100	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe
1848	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe
956	{53B04172-C937-499a-BC2E-1F579E12D378}.exe
2884	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe
2912	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe
2244	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe
660	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe
2064	{90E0997A-0705-4e08-902C-63F80923614D}.exe
2852	{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe
2580	{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe
2380	{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe
2424	{70A56980-8367-43e2-A40E-9244D997ADD5}.exe
2920	{456EE5DB-0B2C-4f16-AB9E-4E508EE1C4FE}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe	{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe
File created	C:\Windows\{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe	{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe
File created	C:\Windows\{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe	75d301e7b8651fexeexeexeex.exe
File created	C:\Windows\{53B04172-C937-499a-BC2E-1F579E12D378}.exe	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe
File created	C:\Windows\{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe
File created	C:\Windows\{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe
File created	C:\Windows\{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe
File created	C:\Windows\{90E0997A-0705-4e08-902C-63F80923614D}.exe	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe
File created	C:\Windows\{456EE5DB-0B2C-4f16-AB9E-4E508EE1C4FE}.exe	{70A56980-8367-43e2-A40E-9244D997ADD5}.exe
File created	C:\Windows\{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe
File created	C:\Windows\{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe	{53B04172-C937-499a-BC2E-1F579E12D378}.exe
File created	C:\Windows\{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe	{90E0997A-0705-4e08-902C-63F80923614D}.exe
File created	C:\Windows\{70A56980-8367-43e2-A40E-9244D997ADD5}.exe	{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2996	75d301e7b8651fexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2100	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe
Token: SeIncBasePriorityPrivilege	1848	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe
Token: SeIncBasePriorityPrivilege	956	{53B04172-C937-499a-BC2E-1F579E12D378}.exe
Token: SeIncBasePriorityPrivilege	2884	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe
Token: SeIncBasePriorityPrivilege	2912	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe
Token: SeIncBasePriorityPrivilege	2244	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe
Token: SeIncBasePriorityPrivilege	660	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe
Token: SeIncBasePriorityPrivilege	2064	{90E0997A-0705-4e08-902C-63F80923614D}.exe
Token: SeIncBasePriorityPrivilege	2852	{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe
Token: SeIncBasePriorityPrivilege	2580	{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe
Token: SeIncBasePriorityPrivilege	2380	{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe
Token: SeIncBasePriorityPrivilege	2424	{70A56980-8367-43e2-A40E-9244D997ADD5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 2100	2996	75d301e7b8651fexeexeexeex.exe	28
PID 2996 wrote to memory of 2100	2996	75d301e7b8651fexeexeexeex.exe	28
PID 2996 wrote to memory of 2100	2996	75d301e7b8651fexeexeexeex.exe	28
PID 2996 wrote to memory of 2100	2996	75d301e7b8651fexeexeexeex.exe	28
PID 2996 wrote to memory of 640	2996	75d301e7b8651fexeexeexeex.exe	29
PID 2996 wrote to memory of 640	2996	75d301e7b8651fexeexeexeex.exe	29
PID 2996 wrote to memory of 640	2996	75d301e7b8651fexeexeexeex.exe	29
PID 2996 wrote to memory of 640	2996	75d301e7b8651fexeexeexeex.exe	29
PID 2100 wrote to memory of 1848	2100	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe	30
PID 2100 wrote to memory of 1848	2100	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe	30
PID 2100 wrote to memory of 1848	2100	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe	30
PID 2100 wrote to memory of 1848	2100	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe	30
PID 2100 wrote to memory of 2196	2100	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe	31
PID 2100 wrote to memory of 2196	2100	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe	31
PID 2100 wrote to memory of 2196	2100	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe	31
PID 2100 wrote to memory of 2196	2100	{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe	31
PID 1848 wrote to memory of 956	1848	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe	32
PID 1848 wrote to memory of 956	1848	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe	32
PID 1848 wrote to memory of 956	1848	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe	32
PID 1848 wrote to memory of 956	1848	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe	32
PID 1848 wrote to memory of 1900	1848	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe	33
PID 1848 wrote to memory of 1900	1848	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe	33
PID 1848 wrote to memory of 1900	1848	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe	33
PID 1848 wrote to memory of 1900	1848	{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe	33
PID 956 wrote to memory of 2884	956	{53B04172-C937-499a-BC2E-1F579E12D378}.exe	34
PID 956 wrote to memory of 2884	956	{53B04172-C937-499a-BC2E-1F579E12D378}.exe	34
PID 956 wrote to memory of 2884	956	{53B04172-C937-499a-BC2E-1F579E12D378}.exe	34
PID 956 wrote to memory of 2884	956	{53B04172-C937-499a-BC2E-1F579E12D378}.exe	34
PID 956 wrote to memory of 2080	956	{53B04172-C937-499a-BC2E-1F579E12D378}.exe	35
PID 956 wrote to memory of 2080	956	{53B04172-C937-499a-BC2E-1F579E12D378}.exe	35
PID 956 wrote to memory of 2080	956	{53B04172-C937-499a-BC2E-1F579E12D378}.exe	35
PID 956 wrote to memory of 2080	956	{53B04172-C937-499a-BC2E-1F579E12D378}.exe	35
PID 2884 wrote to memory of 2912	2884	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe	36
PID 2884 wrote to memory of 2912	2884	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe	36
PID 2884 wrote to memory of 2912	2884	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe	36
PID 2884 wrote to memory of 2912	2884	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe	36
PID 2884 wrote to memory of 2084	2884	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe	37
PID 2884 wrote to memory of 2084	2884	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe	37
PID 2884 wrote to memory of 2084	2884	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe	37
PID 2884 wrote to memory of 2084	2884	{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe	37
PID 2912 wrote to memory of 2244	2912	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe	38
PID 2912 wrote to memory of 2244	2912	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe	38
PID 2912 wrote to memory of 2244	2912	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe	38
PID 2912 wrote to memory of 2244	2912	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe	38
PID 2912 wrote to memory of 2192	2912	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe	39
PID 2912 wrote to memory of 2192	2912	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe	39
PID 2912 wrote to memory of 2192	2912	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe	39
PID 2912 wrote to memory of 2192	2912	{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe	39
PID 2244 wrote to memory of 660	2244	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe	40
PID 2244 wrote to memory of 660	2244	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe	40
PID 2244 wrote to memory of 660	2244	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe	40
PID 2244 wrote to memory of 660	2244	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe	40
PID 2244 wrote to memory of 2768	2244	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe	41
PID 2244 wrote to memory of 2768	2244	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe	41
PID 2244 wrote to memory of 2768	2244	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe	41
PID 2244 wrote to memory of 2768	2244	{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe	41
PID 660 wrote to memory of 2064	660	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe	42
PID 660 wrote to memory of 2064	660	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe	42
PID 660 wrote to memory of 2064	660	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe	42
PID 660 wrote to memory of 2064	660	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe	42
PID 660 wrote to memory of 2360	660	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe	43
PID 660 wrote to memory of 2360	660	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe	43
PID 660 wrote to memory of 2360	660	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe	43
PID 660 wrote to memory of 2360	660	{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe	43

C:\Users\Admin\AppData\Local\Temp\75d301e7b8651fexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\75d301e7b8651fexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe
  C:\Windows\{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe
    C:\Windows\{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1848
  - - C:\Windows\{53B04172-C937-499a-BC2E-1F579E12D378}.exe
      C:\Windows\{53B04172-C937-499a-BC2E-1F579E12D378}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:956
    - - C:\Windows\{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe
        
        C:\Windows\{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe
        
        C:\Windows\{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe
        
        C:\Windows\{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe
        
        C:\Windows\{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:660
        
        C:\Windows\{90E0997A-0705-4e08-902C-63F80923614D}.exe
        
        C:\Windows\{90E0997A-0705-4e08-902C-63F80923614D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe
        
        C:\Windows\{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe
        
        C:\Windows\{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe
        
        C:\Windows\{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\{70A56980-8367-43e2-A40E-9244D997ADD5}.exe
        
        C:\Windows\{70A56980-8367-43e2-A40E-9244D997ADD5}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\{456EE5DB-0B2C-4f16-AB9E-4E508EE1C4FE}.exe
        
        C:\Windows\{456EE5DB-0B2C-4f16-AB9E-4E508EE1C4FE}.exe
        14⤵
        Executes dropped EXE
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70A56~1.EXE > nul
        14⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04B2C~1.EXE > nul
        13⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D0C3~1.EXE > nul
        12⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3AF5D~1.EXE > nul
        11⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90E09~1.EXE > nul
        10⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ECE61~1.EXE > nul
        9⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2E69~1.EXE > nul
        8⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B427~1.EXE > nul
        7⤵
        
        PID:2192
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C010D~1.EXE > nul
        6⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53B04~1.EXE > nul
        5⤵
        
        PID:2080
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3CEAA~1.EXE > nul
      4⤵
      PID:1900
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1AB4B~1.EXE > nul
    3⤵
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\75D301~1.EXE > nul
  2⤵
  - Deletes itself
  PID:640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe

Filesize
168KB

MD5
79e4543853831cb6849c3e997447ac9f

SHA1
62f670a40d016fee240363fbb7e2322c2eccaac1

SHA256
491f8331439700ee112503864b677c5d7585ad93d69e2b7e9db2b9a4ddb209f3

SHA512
5705f9822e811e9deccb6753acc979a20da9a19dcb2745543ee51c8db1dcd9802d0319e345ced88bd8eacc81acb27d4e32fda1c05ba2d9f4d2597b07b986afe1

Download Submit
C:\Windows\{04B2C3C4-D80A-4c69-94B4-8BCB0E03E024}.exe

Filesize
168KB

MD5
79e4543853831cb6849c3e997447ac9f

SHA1
62f670a40d016fee240363fbb7e2322c2eccaac1

SHA256
491f8331439700ee112503864b677c5d7585ad93d69e2b7e9db2b9a4ddb209f3

SHA512
5705f9822e811e9deccb6753acc979a20da9a19dcb2745543ee51c8db1dcd9802d0319e345ced88bd8eacc81acb27d4e32fda1c05ba2d9f4d2597b07b986afe1

Download Submit
C:\Windows\{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe

Filesize
168KB

MD5
36d0ab0c3a62f8d52ef9b7d2a6e42f91

SHA1
66a5c65e1152b6ef7fa4abe069ea8e741ab2c544

SHA256
235eed55579c4b296ea819095b7a42ab7a27029c8615a8a500f0520916fe87fe

SHA512
76ff3eddc85907b5b7dad7fe3b98550e3538844ddb04544fa664e293b42f1f0913125ea2c38f1bc2638b6ee13ba2800be8871b6cda00b8794fd653547ef01382

Download Submit
C:\Windows\{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe

Filesize
168KB

MD5
36d0ab0c3a62f8d52ef9b7d2a6e42f91

SHA1
66a5c65e1152b6ef7fa4abe069ea8e741ab2c544

SHA256
235eed55579c4b296ea819095b7a42ab7a27029c8615a8a500f0520916fe87fe

SHA512
76ff3eddc85907b5b7dad7fe3b98550e3538844ddb04544fa664e293b42f1f0913125ea2c38f1bc2638b6ee13ba2800be8871b6cda00b8794fd653547ef01382

Download Submit
C:\Windows\{1AB4B31F-AE26-47b7-8ED7-D0935ED3546A}.exe

Filesize
168KB

MD5
36d0ab0c3a62f8d52ef9b7d2a6e42f91

SHA1
66a5c65e1152b6ef7fa4abe069ea8e741ab2c544

SHA256
235eed55579c4b296ea819095b7a42ab7a27029c8615a8a500f0520916fe87fe

SHA512
76ff3eddc85907b5b7dad7fe3b98550e3538844ddb04544fa664e293b42f1f0913125ea2c38f1bc2638b6ee13ba2800be8871b6cda00b8794fd653547ef01382

Download Submit
C:\Windows\{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe

Filesize
168KB

MD5
8c3bc49e3067c236f23abe9fd208d095

SHA1
2a805c3ee90660e2374ae0fe14198a651edd5c39

SHA256
ba527400c1eb5abbbabc4346b23e09c007e2a121ba28d74f95d9d1fd76e064a9

SHA512
7540186efae333b74f7209d726f033cab0ce9b4aeca752639c0b548253cf49cd762879f07f0e7d608f086c3c4efa0e398fb8bf809469b2292babcc7114715832

Download Submit
C:\Windows\{3AF5D6AB-899E-471a-A8D8-30770E3D99E7}.exe

Filesize
168KB

MD5
8c3bc49e3067c236f23abe9fd208d095

SHA1
2a805c3ee90660e2374ae0fe14198a651edd5c39

SHA256
ba527400c1eb5abbbabc4346b23e09c007e2a121ba28d74f95d9d1fd76e064a9

SHA512
7540186efae333b74f7209d726f033cab0ce9b4aeca752639c0b548253cf49cd762879f07f0e7d608f086c3c4efa0e398fb8bf809469b2292babcc7114715832

Download Submit
C:\Windows\{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe

Filesize
168KB

MD5
4381d58596baf55ff76fe8f0bb1eee23

SHA1
91f1a0048fbe4e27ad0b7b56c180b5e950c9bc20

SHA256
02ea9a7962d1b9b9c11ea1af46325e117c0ffc8300e17919ddd81f556067da95

SHA512
74e2d1dbd963c87e7507541824cab1ce14ac052fbbaaf8ef6f551fab2c4747eebdd428cb5d7a86235cddc070f1379a433c68ff72cc1a0376152253de7d600933

Download Submit
C:\Windows\{3CEAADB8-709A-4681-8520-11DA2A7BC15A}.exe

Filesize
168KB

MD5
4381d58596baf55ff76fe8f0bb1eee23

SHA1
91f1a0048fbe4e27ad0b7b56c180b5e950c9bc20

SHA256
02ea9a7962d1b9b9c11ea1af46325e117c0ffc8300e17919ddd81f556067da95

SHA512
74e2d1dbd963c87e7507541824cab1ce14ac052fbbaaf8ef6f551fab2c4747eebdd428cb5d7a86235cddc070f1379a433c68ff72cc1a0376152253de7d600933

Download Submit
C:\Windows\{456EE5DB-0B2C-4f16-AB9E-4E508EE1C4FE}.exe

Filesize
168KB

MD5
98183383ee372a03be707a21223c385e

SHA1
ebb78ea1c53b0fda5e70fa38416505689d95b4d6

SHA256
ae9e91e1196213d92aaaefb612f876485a2ba856d0790a54394aed88222fc752

SHA512
2d9c7df70dda79ac4c7aef7385d351527768734c481253781051240b765e9c0aab541b2d679b46e31170e7e4c8cdd4b40e924ad8abc1baff453bfc209b4c4c0c

Download Submit
C:\Windows\{53B04172-C937-499a-BC2E-1F579E12D378}.exe

Filesize
168KB

MD5
82a3e2047a14cba25018dc8dc612ceb2

SHA1
fee95a99a7242bbab4e65e7f11b441d11170becc

SHA256
1b8ceff13c5a78a8900d0fab91259a0d33559b48a81a0dc54f4ae6cd70e239b5

SHA512
92090fe7a3b77ea82b166f4018db9f5cba351a8da2e647ee2d4f698577bc31f9674619e811aefcd3e73cc88713645d8f5340397d1a402b1052fb9c16533309d4

Download Submit
C:\Windows\{53B04172-C937-499a-BC2E-1F579E12D378}.exe

Filesize
168KB

MD5
82a3e2047a14cba25018dc8dc612ceb2

SHA1
fee95a99a7242bbab4e65e7f11b441d11170becc

SHA256
1b8ceff13c5a78a8900d0fab91259a0d33559b48a81a0dc54f4ae6cd70e239b5

SHA512
92090fe7a3b77ea82b166f4018db9f5cba351a8da2e647ee2d4f698577bc31f9674619e811aefcd3e73cc88713645d8f5340397d1a402b1052fb9c16533309d4

Download Submit
C:\Windows\{70A56980-8367-43e2-A40E-9244D997ADD5}.exe

Filesize
168KB

MD5
7f266ecc76477c7f2f220d57fae46e3c

SHA1
bb87e1680e99b6af7a713261606a36297b9a4873

SHA256
c0c298267ce8cdec10540e3f00c411937c491e13e66670b769718baa0c3ac28b

SHA512
7cd92439a379dd4a9e3de7e5bf5ebc2cab3c3e5bdb40c2a8e0146bca653420873441b4cede59d2d826113519bedcd51671b3cedfc5de6cd91b6557f82b72ec17

Download Submit
C:\Windows\{70A56980-8367-43e2-A40E-9244D997ADD5}.exe

Filesize
168KB

MD5
7f266ecc76477c7f2f220d57fae46e3c

SHA1
bb87e1680e99b6af7a713261606a36297b9a4873

SHA256
c0c298267ce8cdec10540e3f00c411937c491e13e66670b769718baa0c3ac28b

SHA512
7cd92439a379dd4a9e3de7e5bf5ebc2cab3c3e5bdb40c2a8e0146bca653420873441b4cede59d2d826113519bedcd51671b3cedfc5de6cd91b6557f82b72ec17

Download Submit
C:\Windows\{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe

Filesize
168KB

MD5
0b506e06f2e9854cddcef0b291faccbe

SHA1
5b21d574b18daca94349b8feb5b4c3c20ab435df

SHA256
2cdab0e843a84f9efa7a8e275bf13c1b5e7ee4f5aea681bd05ada09d8b9e689e

SHA512
f78aa2d863734553c6c594f97e7ddab1db8674a9970d45507bcedf2ab38da93446055858ea92bc256de23f637726debcc22d1827c49e5cbcb51e9c3e95e8e4e1

Download Submit
C:\Windows\{7D0C3EF7-2DB8-480c-ADCB-D6969194D0E1}.exe

Filesize
168KB

MD5
0b506e06f2e9854cddcef0b291faccbe

SHA1
5b21d574b18daca94349b8feb5b4c3c20ab435df

SHA256
2cdab0e843a84f9efa7a8e275bf13c1b5e7ee4f5aea681bd05ada09d8b9e689e

SHA512
f78aa2d863734553c6c594f97e7ddab1db8674a9970d45507bcedf2ab38da93446055858ea92bc256de23f637726debcc22d1827c49e5cbcb51e9c3e95e8e4e1

Download Submit
C:\Windows\{90E0997A-0705-4e08-902C-63F80923614D}.exe

Filesize
168KB

MD5
8f206ba334ed49c0645615e10e8fb1c7

SHA1
d1b87c5c70128bbc9936aff6d0ac4c199b565152

SHA256
42e4aad473d31922c8f2ccb190b36fa0d580a5eabbed3b207961a83f6a096ae4

SHA512
76dae0b045c2b8c1c7e552686d9748ee507f5f3fd400a0ee4dfd9cd2872f06a364b0162f0519b43c521a8f49c1f031b999cbc8c0f87c7136f2e57000622f26b2

Download Submit
C:\Windows\{90E0997A-0705-4e08-902C-63F80923614D}.exe

Filesize
168KB

MD5
8f206ba334ed49c0645615e10e8fb1c7

SHA1
d1b87c5c70128bbc9936aff6d0ac4c199b565152

SHA256
42e4aad473d31922c8f2ccb190b36fa0d580a5eabbed3b207961a83f6a096ae4

SHA512
76dae0b045c2b8c1c7e552686d9748ee507f5f3fd400a0ee4dfd9cd2872f06a364b0162f0519b43c521a8f49c1f031b999cbc8c0f87c7136f2e57000622f26b2

Download Submit
C:\Windows\{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe

Filesize
168KB

MD5
9624cf03cec118bfd3421fbbab39c9f4

SHA1
1398a21246f570e523bd487efb8c93bb557f9f62

SHA256
f67698c1f4078e9186beb1bbcb300a01ae3f0308e629e0a948779487ae873589

SHA512
647757d9bbfb6cf22fc7c6c71a8161d54dc04c9a69b631517752dac47be64186f548a66676754ad15a345c231065a6fd8fa3702eadff7612057a27d27e01f15f

Download Submit
C:\Windows\{9B427218-7FEA-4f45-94F6-1723BBA21338}.exe

Filesize
168KB

MD5
9624cf03cec118bfd3421fbbab39c9f4

SHA1
1398a21246f570e523bd487efb8c93bb557f9f62

SHA256
f67698c1f4078e9186beb1bbcb300a01ae3f0308e629e0a948779487ae873589

SHA512
647757d9bbfb6cf22fc7c6c71a8161d54dc04c9a69b631517752dac47be64186f548a66676754ad15a345c231065a6fd8fa3702eadff7612057a27d27e01f15f

Download Submit
C:\Windows\{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe

Filesize
168KB

MD5
b427bee2b58197e8549b4c160ae28fa5

SHA1
f9db23f73780507611ff3da369438645869b7832

SHA256
cbd0a9e6b516ccdf11644c1d44513c6fe4ac4b4c777a566a6d4b3117bdf4b981

SHA512
a5bc15755253e9a108bb3e97a54c5799694c3c31b65a78bb8c02176cc1602092bb200d1033c8d4a9f007c42765ca89ffc52eb0c395aa6064639c32e3d6acca2d

Download Submit
C:\Windows\{C010D238-86E0-4ae3-9F32-EFF8BF019F26}.exe

Filesize
168KB

MD5
b427bee2b58197e8549b4c160ae28fa5

SHA1
f9db23f73780507611ff3da369438645869b7832

SHA256
cbd0a9e6b516ccdf11644c1d44513c6fe4ac4b4c777a566a6d4b3117bdf4b981

SHA512
a5bc15755253e9a108bb3e97a54c5799694c3c31b65a78bb8c02176cc1602092bb200d1033c8d4a9f007c42765ca89ffc52eb0c395aa6064639c32e3d6acca2d

Download Submit
C:\Windows\{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe

Filesize
168KB

MD5
6fbf406ce7b163efac4a82c8bdca0255

SHA1
4c5d95bd8ba91ee49d3f72e038753ba3cc127895

SHA256
9d5195410b27c41151fcc92ef2c61cbb02b21c13d6e3fe80f217ed5be2c6dc2a

SHA512
ea349f4aeec082baad3d32cc704221183557813d56461bd81fa9ab9643470418d344be0a8efa9de5c353a22ac5e860790928716b7efd9f3ea2118e83f6e1e794

Download Submit
C:\Windows\{E2E69D29-1CC5-4da3-9887-3B48AE49704A}.exe

Filesize
168KB

MD5
6fbf406ce7b163efac4a82c8bdca0255

SHA1
4c5d95bd8ba91ee49d3f72e038753ba3cc127895

SHA256
9d5195410b27c41151fcc92ef2c61cbb02b21c13d6e3fe80f217ed5be2c6dc2a

SHA512
ea349f4aeec082baad3d32cc704221183557813d56461bd81fa9ab9643470418d344be0a8efa9de5c353a22ac5e860790928716b7efd9f3ea2118e83f6e1e794

Download Submit
C:\Windows\{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe

Filesize
168KB

MD5
1990ff708868768ecd788087663fad59

SHA1
9c1056fd24ed63594b53aee06e657511a2444626

SHA256
49511ee532bf7fd043f51f971e9c3102fc8e30d5bc587437e2482ab588f54b92

SHA512
1c3afe1fb4c69e260b14286c8fc8fdbacf95c074079b4162ec49e983e95871ab9e1e67b93fd8d21748bfe219174640015f0561a83bed626b410b2da3fcb32667

Download Submit
C:\Windows\{ECE61FD5-6609-4e8e-84E3-6A5CC9FAFD9E}.exe

Filesize
168KB

MD5
1990ff708868768ecd788087663fad59

SHA1
9c1056fd24ed63594b53aee06e657511a2444626

SHA256
49511ee532bf7fd043f51f971e9c3102fc8e30d5bc587437e2482ab588f54b92

SHA512
1c3afe1fb4c69e260b14286c8fc8fdbacf95c074079b4162ec49e983e95871ab9e1e67b93fd8d21748bfe219174640015f0561a83bed626b410b2da3fcb32667

Download Submit