bf991e9390852c3b68fac09c0e76eca51424867811c064cbe99889aa65ca3ec9

Analysis

max time kernel
146s
max time network
30s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77bc3e50487498exeexeexeex.exe
Size

168KB
MD5

77bc3e504874989bf47c1abffa45639e
SHA1

d09ff257696b366eab1177e529192a4a438cb183
SHA256

bf991e9390852c3b68fac09c0e76eca51424867811c064cbe99889aa65ca3ec9
SHA512

ca082ad8a67dae1082cc9f43cd42c778ffa24b067e8b79332f0a3afc8f0fa468afd00c35628a31deb26cd5092089c0987e717381c3ab222fffdfb47d86ff9946
SSDEEP

1536:1EGh0ovlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}\stubpath = "C:\\Windows\\{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe"	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}	{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}\stubpath = "C:\\Windows\\{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe"	{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}\stubpath = "C:\\Windows\\{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe"	{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}\stubpath = "C:\\Windows\\{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe"	{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24B907F0-6BFA-46aa-9B45-EDCD89F4E8EF}\stubpath = "C:\\Windows\\{24B907F0-6BFA-46aa-9B45-EDCD89F4E8EF}.exe"	{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D8830E0-18F1-4909-A039-4C99A814BF4D}	77bc3e50487498exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}\stubpath = "C:\\Windows\\{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe"	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C305BA47-3C57-4c1e-B389-02C4497E5D7B}\stubpath = "C:\\Windows\\{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe"	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}	{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24B907F0-6BFA-46aa-9B45-EDCD89F4E8EF}	{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D8830E0-18F1-4909-A039-4C99A814BF4D}\stubpath = "C:\\Windows\\{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe"	77bc3e50487498exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}\stubpath = "C:\\Windows\\{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe"	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}\stubpath = "C:\\Windows\\{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe"	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C305BA47-3C57-4c1e-B389-02C4497E5D7B}	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}\stubpath = "C:\\Windows\\{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe"	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}\stubpath = "C:\\Windows\\{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe"	{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}	{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}\stubpath = "C:\\Windows\\{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe"	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}	{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe

Deletes itself 1 IoCs

pid	Process
2896	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3060	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe
2364	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe
2268	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe
2112	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe
1412	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe
2232	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe
1084	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe
1960	{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe
3064	{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe
2832	{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe
2484	{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe
2724	{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe
2728	{24B907F0-6BFA-46aa-9B45-EDCD89F4E8EF}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe
File created	C:\Windows\{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe
File created	C:\Windows\{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe
File created	C:\Windows\{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe	{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe
File created	C:\Windows\{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe	{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe
File created	C:\Windows\{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe	{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe
File created	C:\Windows\{24B907F0-6BFA-46aa-9B45-EDCD89F4E8EF}.exe	{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe
File created	C:\Windows\{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe	77bc3e50487498exeexeexeex.exe
File created	C:\Windows\{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe
File created	C:\Windows\{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe
File created	C:\Windows\{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe
File created	C:\Windows\{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe
File created	C:\Windows\{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe	{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2172	77bc3e50487498exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3060	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe
Token: SeIncBasePriorityPrivilege	2364	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe
Token: SeIncBasePriorityPrivilege	2268	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe
Token: SeIncBasePriorityPrivilege	2112	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe
Token: SeIncBasePriorityPrivilege	1412	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe
Token: SeIncBasePriorityPrivilege	2232	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe
Token: SeIncBasePriorityPrivilege	1084	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe
Token: SeIncBasePriorityPrivilege	1960	{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe
Token: SeIncBasePriorityPrivilege	3064	{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe
Token: SeIncBasePriorityPrivilege	2832	{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe
Token: SeIncBasePriorityPrivilege	2484	{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe
Token: SeIncBasePriorityPrivilege	2724	{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3060	2172	77bc3e50487498exeexeexeex.exe	29
PID 2172 wrote to memory of 3060	2172	77bc3e50487498exeexeexeex.exe	29
PID 2172 wrote to memory of 3060	2172	77bc3e50487498exeexeexeex.exe	29
PID 2172 wrote to memory of 3060	2172	77bc3e50487498exeexeexeex.exe	29
PID 2172 wrote to memory of 2896	2172	77bc3e50487498exeexeexeex.exe	30
PID 2172 wrote to memory of 2896	2172	77bc3e50487498exeexeexeex.exe	30
PID 2172 wrote to memory of 2896	2172	77bc3e50487498exeexeexeex.exe	30
PID 2172 wrote to memory of 2896	2172	77bc3e50487498exeexeexeex.exe	30
PID 3060 wrote to memory of 2364	3060	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe	32
PID 3060 wrote to memory of 2364	3060	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe	32
PID 3060 wrote to memory of 2364	3060	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe	32
PID 3060 wrote to memory of 2364	3060	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe	32
PID 3060 wrote to memory of 2292	3060	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe	31
PID 3060 wrote to memory of 2292	3060	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe	31
PID 3060 wrote to memory of 2292	3060	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe	31
PID 3060 wrote to memory of 2292	3060	{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe	31
PID 2364 wrote to memory of 2268	2364	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe	34
PID 2364 wrote to memory of 2268	2364	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe	34
PID 2364 wrote to memory of 2268	2364	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe	34
PID 2364 wrote to memory of 2268	2364	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe	34
PID 2364 wrote to memory of 1432	2364	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe	33
PID 2364 wrote to memory of 1432	2364	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe	33
PID 2364 wrote to memory of 1432	2364	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe	33
PID 2364 wrote to memory of 1432	2364	{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe	33
PID 2268 wrote to memory of 2112	2268	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe	36
PID 2268 wrote to memory of 2112	2268	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe	36
PID 2268 wrote to memory of 2112	2268	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe	36
PID 2268 wrote to memory of 2112	2268	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe	36
PID 2268 wrote to memory of 1208	2268	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe	35
PID 2268 wrote to memory of 1208	2268	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe	35
PID 2268 wrote to memory of 1208	2268	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe	35
PID 2268 wrote to memory of 1208	2268	{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe	35
PID 2112 wrote to memory of 1412	2112	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe	37
PID 2112 wrote to memory of 1412	2112	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe	37
PID 2112 wrote to memory of 1412	2112	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe	37
PID 2112 wrote to memory of 1412	2112	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe	37
PID 2112 wrote to memory of 2208	2112	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe	38
PID 2112 wrote to memory of 2208	2112	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe	38
PID 2112 wrote to memory of 2208	2112	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe	38
PID 2112 wrote to memory of 2208	2112	{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe	38
PID 1412 wrote to memory of 2232	1412	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe	40
PID 1412 wrote to memory of 2232	1412	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe	40
PID 1412 wrote to memory of 2232	1412	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe	40
PID 1412 wrote to memory of 2232	1412	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe	40
PID 1412 wrote to memory of 2096	1412	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe	39
PID 1412 wrote to memory of 2096	1412	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe	39
PID 1412 wrote to memory of 2096	1412	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe	39
PID 1412 wrote to memory of 2096	1412	{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe	39
PID 2232 wrote to memory of 1084	2232	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe	42
PID 2232 wrote to memory of 1084	2232	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe	42
PID 2232 wrote to memory of 1084	2232	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe	42
PID 2232 wrote to memory of 1084	2232	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe	42
PID 2232 wrote to memory of 2972	2232	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe	41
PID 2232 wrote to memory of 2972	2232	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe	41
PID 2232 wrote to memory of 2972	2232	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe	41
PID 2232 wrote to memory of 2972	2232	{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe	41
PID 1084 wrote to memory of 1960	1084	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe	43
PID 1084 wrote to memory of 1960	1084	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe	43
PID 1084 wrote to memory of 1960	1084	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe	43
PID 1084 wrote to memory of 1960	1084	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe	43
PID 1084 wrote to memory of 540	1084	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe	44
PID 1084 wrote to memory of 540	1084	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe	44
PID 1084 wrote to memory of 540	1084	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe	44
PID 1084 wrote to memory of 540	1084	{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe	44

C:\Users\Admin\AppData\Local\Temp\77bc3e50487498exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\77bc3e50487498exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe
  C:\Windows\{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9D883~1.EXE > nul
    3⤵
    PID:2292
- - C:\Windows\{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe
    C:\Windows\{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EA5BF~1.EXE > nul
      4⤵
      PID:1432
  - - C:\Windows\{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe
      C:\Windows\{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53E8D~1.EXE > nul
        5⤵
        
        PID:1208
    - - C:\Windows\{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe
        
        C:\Windows\{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe
        
        C:\Windows\{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA8A6~1.EXE > nul
        7⤵
        
        PID:2096
        
        C:\Windows\{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe
        
        C:\Windows\{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51F9E~1.EXE > nul
        8⤵
        
        PID:2972
        
        C:\Windows\{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe
        
        C:\Windows\{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe
        
        C:\Windows\{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FB68~1.EXE > nul
        10⤵
        
        PID:2744
        
        C:\Windows\{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe
        
        C:\Windows\{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EF67~1.EXE > nul
        11⤵
        
        PID:2624
        
        C:\Windows\{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe
        
        C:\Windows\{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1AE3~1.EXE > nul
        12⤵
        
        PID:2596
        
        C:\Windows\{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe
        
        C:\Windows\{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe
        
        C:\Windows\{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8743D~1.EXE > nul
        14⤵
        
        PID:884
        
        C:\Windows\{24B907F0-6BFA-46aa-9B45-EDCD89F4E8EF}.exe
        
        C:\Windows\{24B907F0-6BFA-46aa-9B45-EDCD89F4E8EF}.exe
        14⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8FEF~1.EXE > nul
        13⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C305B~1.EXE > nul
        9⤵
        
        PID:540
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E16E~1.EXE > nul
        6⤵
        
        PID:2208
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\77BC3E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe

Filesize
168KB

MD5
412b9eec4c6eca60ace69d767778e760

SHA1
ec13f55c34f27c7a1c168e8c7c102d4399d36b0c

SHA256
45c4db21081b8784fae68effe0d19cfbbc570b818b234aa33618bf8980dcbac1

SHA512
be614b0614150a1b49545142656311c8b93e34e6857158a1bb2cb20bafbf1453ce2eb5757ca1349e3e023ec13691c9b5b1a58360ead96e281d3930b2f02ab749

Download Submit
C:\Windows\{1E16E3D7-8B96-4c58-BCFD-B0BCAB394846}.exe

Filesize
168KB

MD5
412b9eec4c6eca60ace69d767778e760

SHA1
ec13f55c34f27c7a1c168e8c7c102d4399d36b0c

SHA256
45c4db21081b8784fae68effe0d19cfbbc570b818b234aa33618bf8980dcbac1

SHA512
be614b0614150a1b49545142656311c8b93e34e6857158a1bb2cb20bafbf1453ce2eb5757ca1349e3e023ec13691c9b5b1a58360ead96e281d3930b2f02ab749

Download Submit
C:\Windows\{24B907F0-6BFA-46aa-9B45-EDCD89F4E8EF}.exe

Filesize
168KB

MD5
c9aecc9d86ab5bcdc26659852a4de49c

SHA1
101ed22986883d05745ee26739b091917bf8f4c2

SHA256
2b675a9d15af1d52fb12aca4ccc1976bc8c913e91165559cd0d6943be83043e7

SHA512
12cfc132c34d488eefec8bc5d49acf4b4b91f6d719bedd4519b8e8d2c49a4d766f64d7122aafd164f7c821645f998bca354c99109416f71e7c5490e47b188dd3

Download Submit
C:\Windows\{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe

Filesize
168KB

MD5
377277fefc87d574597bb2cf17dc1ad1

SHA1
166e748fe5f005e36b20b3d2b42d8f2d7dcfd269

SHA256
380eaeac3d4a55eda6f82854135521be8287ac7ce105f2703021febe23e6c212

SHA512
fcc874d3255582ee52c45c870472c230658f535b09fda14814b281faf7eee84f329c25095ce7edfd6a1a3f3032cb9797c4353b9a1104d533d2f6ee71b229e6a9

Download Submit
C:\Windows\{2EF677EA-D386-4de8-AA6A-F4EAD71A0EB3}.exe

Filesize
168KB

MD5
377277fefc87d574597bb2cf17dc1ad1

SHA1
166e748fe5f005e36b20b3d2b42d8f2d7dcfd269

SHA256
380eaeac3d4a55eda6f82854135521be8287ac7ce105f2703021febe23e6c212

SHA512
fcc874d3255582ee52c45c870472c230658f535b09fda14814b281faf7eee84f329c25095ce7edfd6a1a3f3032cb9797c4353b9a1104d533d2f6ee71b229e6a9

Download Submit
C:\Windows\{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe

Filesize
168KB

MD5
2285005a91e40480503e31a99f273f3f

SHA1
deff47b954e5fd606fc9688de6fddd2287689211

SHA256
8a24d13dbee2d9dfade4734f284568b00bc26f50031eea9752c719e845249969

SHA512
4f4fa4131f6d2417832216e18673f9577d265c31d2cb816d8e01ef88fa6186f9f31afbda3a48933b9bbf5f121a8aad39abff134d32708ef8e650e186313d438c

Download Submit
C:\Windows\{51F9EEEF-6F9E-4b9a-83C2-AFDC62C27E86}.exe

Filesize
168KB

MD5
2285005a91e40480503e31a99f273f3f

SHA1
deff47b954e5fd606fc9688de6fddd2287689211

SHA256
8a24d13dbee2d9dfade4734f284568b00bc26f50031eea9752c719e845249969

SHA512
4f4fa4131f6d2417832216e18673f9577d265c31d2cb816d8e01ef88fa6186f9f31afbda3a48933b9bbf5f121a8aad39abff134d32708ef8e650e186313d438c

Download Submit
C:\Windows\{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe

Filesize
168KB

MD5
e8e016b9d70c6e403983eca087db329c

SHA1
3985e0915dbb64b45f4b63337dea97ab896e6e51

SHA256
b763a49db736384097b0228aadcc07aa4f5d31af0dde9a349e19647789c3ec7b

SHA512
89b5ca6df8ddbccb89b8b28deb044338000425eb4163b07be34757c135a2469f73c28e9aa5590d98591cc685aeb83fde3950e4703a30c6570ff8c2a722d06814

Download Submit
C:\Windows\{53E8DAD9-3F25-40a5-BDB5-43ED8B207770}.exe

Filesize
168KB

MD5
e8e016b9d70c6e403983eca087db329c

SHA1
3985e0915dbb64b45f4b63337dea97ab896e6e51

SHA256
b763a49db736384097b0228aadcc07aa4f5d31af0dde9a349e19647789c3ec7b

SHA512
89b5ca6df8ddbccb89b8b28deb044338000425eb4163b07be34757c135a2469f73c28e9aa5590d98591cc685aeb83fde3950e4703a30c6570ff8c2a722d06814

Download Submit
C:\Windows\{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe

Filesize
168KB

MD5
aa6c93e4ceb23d9e2fd55ecc1c75d371

SHA1
91a80a71dd046f0c07df8efd9629675e9ad90c05

SHA256
cba323d9ab360a17a1102cc9438aa98a662dfbd4a2bb13e5ede135e082b41d19

SHA512
f8deb7755c50a09639fa468030cc05b49f80e1f2d0f46243c69d0f275f002db769eacbe5f4e58fd03b2334c9d8f7c544cac09ae19a086eded00ea8aacdbc275e

Download Submit
C:\Windows\{8743DB8B-DD01-48c3-B4E7-0BC7E19F1845}.exe

Filesize
168KB

MD5
aa6c93e4ceb23d9e2fd55ecc1c75d371

SHA1
91a80a71dd046f0c07df8efd9629675e9ad90c05

SHA256
cba323d9ab360a17a1102cc9438aa98a662dfbd4a2bb13e5ede135e082b41d19

SHA512
f8deb7755c50a09639fa468030cc05b49f80e1f2d0f46243c69d0f275f002db769eacbe5f4e58fd03b2334c9d8f7c544cac09ae19a086eded00ea8aacdbc275e

Download Submit
C:\Windows\{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe

Filesize
168KB

MD5
669b603af0ed38a7b3c5be7f4c64a088

SHA1
03303966088e901a48a1a22664d61a3011ed931b

SHA256
73ea4b7d3bd1dbb67188cba68f8ed40c79515f8e8bb7a19cb528471415940f8c

SHA512
6763090609c57602fd8f26af4f5af357cb8ff982090215270158f4ad19efbfa04e5884bbbab71eafe9065a5561fcf0049e720b75ea5e024b056afd46b1be7a14

Download Submit
C:\Windows\{8FB68138-C062-4136-B1EF-ED9AAFCBD2F8}.exe

Filesize
168KB

MD5
669b603af0ed38a7b3c5be7f4c64a088

SHA1
03303966088e901a48a1a22664d61a3011ed931b

SHA256
73ea4b7d3bd1dbb67188cba68f8ed40c79515f8e8bb7a19cb528471415940f8c

SHA512
6763090609c57602fd8f26af4f5af357cb8ff982090215270158f4ad19efbfa04e5884bbbab71eafe9065a5561fcf0049e720b75ea5e024b056afd46b1be7a14

Download Submit
C:\Windows\{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe

Filesize
168KB

MD5
02567a140596e59372a6ea82179f2d7b

SHA1
8c2be933e500ab38892be4d35d30db2550a12e91

SHA256
63961adf2d0fe5d1b55e030b6cdcd344af8f80a3a330e8f5aa0822f4107f5a6c

SHA512
2b828fd5bca97c8c67e274de9d29a351dbe28aa56e3c9155ebe8b51e5dc321f0f31c9b54a3cfe90a3b4e3df3f617a31f711ee19046ec5585eebafac888344947

Download Submit
C:\Windows\{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe

Filesize
168KB

MD5
02567a140596e59372a6ea82179f2d7b

SHA1
8c2be933e500ab38892be4d35d30db2550a12e91

SHA256
63961adf2d0fe5d1b55e030b6cdcd344af8f80a3a330e8f5aa0822f4107f5a6c

SHA512
2b828fd5bca97c8c67e274de9d29a351dbe28aa56e3c9155ebe8b51e5dc321f0f31c9b54a3cfe90a3b4e3df3f617a31f711ee19046ec5585eebafac888344947

Download Submit
C:\Windows\{9D8830E0-18F1-4909-A039-4C99A814BF4D}.exe

Filesize
168KB

MD5
02567a140596e59372a6ea82179f2d7b

SHA1
8c2be933e500ab38892be4d35d30db2550a12e91

SHA256
63961adf2d0fe5d1b55e030b6cdcd344af8f80a3a330e8f5aa0822f4107f5a6c

SHA512
2b828fd5bca97c8c67e274de9d29a351dbe28aa56e3c9155ebe8b51e5dc321f0f31c9b54a3cfe90a3b4e3df3f617a31f711ee19046ec5585eebafac888344947

Download Submit
C:\Windows\{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe

Filesize
168KB

MD5
6abbe54198ec212092d48d751c793988

SHA1
ad326887799a4c6ec8f7911ba99a47b8f4385452

SHA256
7cb1e0e4c00194345a5b98386be93798485f65e4253695265ea74f24a7f5f29d

SHA512
9ce4c2b198f4e51615554c28fea1a15a1decbfbd1994be3dc1cdef455113e3758b354d1e19edaa2d64b847ca28c4b0d1ac677fc82b179832aa1ad2a53ce5fec9

Download Submit
C:\Windows\{B1AE36AF-EAC7-4d3d-8BE9-77200E34DA2B}.exe

Filesize
168KB

MD5
6abbe54198ec212092d48d751c793988

SHA1
ad326887799a4c6ec8f7911ba99a47b8f4385452

SHA256
7cb1e0e4c00194345a5b98386be93798485f65e4253695265ea74f24a7f5f29d

SHA512
9ce4c2b198f4e51615554c28fea1a15a1decbfbd1994be3dc1cdef455113e3758b354d1e19edaa2d64b847ca28c4b0d1ac677fc82b179832aa1ad2a53ce5fec9

Download Submit
C:\Windows\{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe

Filesize
168KB

MD5
86012d91c01a6f34e2afb84208b4adc8

SHA1
288557421a542bff49ab0699e8082807d9307820

SHA256
fdf095cdd56d1921f194083c18c607fe3c480c65653efcb522222d9c8b724ae0

SHA512
1ce1d5b32068b5836a7ec6b22e7816468665c0bbff268533cbc3700a8aed55b72e7eebca2d9f66197935b85102f346e8465e1fb3ddfe89232146cc06aca93da5

Download Submit
C:\Windows\{C305BA47-3C57-4c1e-B389-02C4497E5D7B}.exe

Filesize
168KB

MD5
86012d91c01a6f34e2afb84208b4adc8

SHA1
288557421a542bff49ab0699e8082807d9307820

SHA256
fdf095cdd56d1921f194083c18c607fe3c480c65653efcb522222d9c8b724ae0

SHA512
1ce1d5b32068b5836a7ec6b22e7816468665c0bbff268533cbc3700a8aed55b72e7eebca2d9f66197935b85102f346e8465e1fb3ddfe89232146cc06aca93da5

Download Submit
C:\Windows\{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe

Filesize
168KB

MD5
550774a69c369fbdf4b6b03453ef2bd1

SHA1
77ff068fc607dd0d50059fd67baf7396071c714e

SHA256
e65b9804fcd36ab827a73baabae7c1e9b837a8579ede75ed1f3f41f33f849e65

SHA512
f343c7daf7d06d78779baec3abecef0c6670fba0869a524da70f8ac1f9c15daf7f996f8a44b055f5578ebf37c8fb4f1f14e061a803ab3ad30b62334af3ced69d

Download Submit
C:\Windows\{E8FEF3EF-3A9A-4947-BCB6-49C1BC08E12E}.exe

Filesize
168KB

MD5
550774a69c369fbdf4b6b03453ef2bd1

SHA1
77ff068fc607dd0d50059fd67baf7396071c714e

SHA256
e65b9804fcd36ab827a73baabae7c1e9b837a8579ede75ed1f3f41f33f849e65

SHA512
f343c7daf7d06d78779baec3abecef0c6670fba0869a524da70f8ac1f9c15daf7f996f8a44b055f5578ebf37c8fb4f1f14e061a803ab3ad30b62334af3ced69d

Download Submit
C:\Windows\{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe

Filesize
168KB

MD5
b46ab497cdfd254bb94e4fbf4df17851

SHA1
52121c5cd1a8589a633de7a48a0270d3a3bd33a9

SHA256
e164b54fe2d8ef87667d7f5235f2ab48a88e9da83fa88ea5d1d574a68671e634

SHA512
f1761ac77a389fedaea917fa718cc43c4ccf162f4e87029ccdfbc86e3dd4095f0ad316305183c4dad79048d1b4c57d323ec9de05154d9d0368b222dd177e4af9

Download Submit
C:\Windows\{EA5BF02C-939A-42c2-9F72-4FCDA566D05D}.exe

Filesize
168KB

MD5
b46ab497cdfd254bb94e4fbf4df17851

SHA1
52121c5cd1a8589a633de7a48a0270d3a3bd33a9

SHA256
e164b54fe2d8ef87667d7f5235f2ab48a88e9da83fa88ea5d1d574a68671e634

SHA512
f1761ac77a389fedaea917fa718cc43c4ccf162f4e87029ccdfbc86e3dd4095f0ad316305183c4dad79048d1b4c57d323ec9de05154d9d0368b222dd177e4af9

Download Submit
C:\Windows\{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe

Filesize
168KB

MD5
e2b4d5aa50796f51c75ce64ae3533547

SHA1
cce6f3f8900a0b16c7c8fb4c6c430c17ff042533

SHA256
09dd81365240a75d1ded0de9134b93a2b57be3f0d69a8b81836b55f5505073fa

SHA512
fcdc686e269a7a3f0471842e020e8e8ccbcd396631979c6e07c4969c8b5cef83b9ad08b81e35b1d458a8805a5a68cb4a74bcede2252051483ed5ee4394af10e2

Download Submit
C:\Windows\{EA8A6DDF-F1C3-4b11-87A2-754ABF6ED04A}.exe

Filesize
168KB

MD5
e2b4d5aa50796f51c75ce64ae3533547

SHA1
cce6f3f8900a0b16c7c8fb4c6c430c17ff042533

SHA256
09dd81365240a75d1ded0de9134b93a2b57be3f0d69a8b81836b55f5505073fa

SHA512
fcdc686e269a7a3f0471842e020e8e8ccbcd396631979c6e07c4969c8b5cef83b9ad08b81e35b1d458a8805a5a68cb4a74bcede2252051483ed5ee4394af10e2

Download Submit