b20e84e453725c7489b4b51a7bbf408fc04f20b7cd6f7be554da3e6a27674213

Analysis

max time kernel
150s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14ad2c5e99823fexeexeexeex.exe
Size

192KB
MD5

14ad2c5e99823f2f74bd0fe85ca7abfc
SHA1

4a6745212a995e0ea9a54242eceebd25c2ca0234
SHA256

b20e84e453725c7489b4b51a7bbf408fc04f20b7cd6f7be554da3e6a27674213
SHA512

b0cada727184dc1005c178c4794ce2ffa3d6090bc9e34324f597265e0ae04dcf0962998bd5d1245e8e9a820996b4331a321956610a3007f693da6f134fa50710
SSDEEP

1536:1EGh0oDl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oDl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E661111B-323D-4245-AE81-CAB1D5EE3140}\stubpath = "C:\\Windows\\{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe"	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F0E9772-C7C8-414a-9E39-C4305666BF0A}\stubpath = "C:\\Windows\\{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe"	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}\stubpath = "C:\\Windows\\{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe"	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16171EB9-56EE-4b50-8737-F4648A3AEDF5}	{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5D277ED-8942-4d33-8437-1CA550A64AC2}\stubpath = "C:\\Windows\\{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe"	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB695CD-C974-4bfc-9037-B626E348AFA8}	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F0E9772-C7C8-414a-9E39-C4305666BF0A}	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}\stubpath = "C:\\Windows\\{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe"	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C73C0BB4-3070-4107-97C1-F72519A72602}\stubpath = "C:\\Windows\\{C73C0BB4-3070-4107-97C1-F72519A72602}.exe"	{6E65FEFF-B601-451a-A02F-8B8561353467}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B61C7DEB-481D-44c4-A084-91894E2CAB5E}\stubpath = "C:\\Windows\\{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe"	14ad2c5e99823fexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}\stubpath = "C:\\Windows\\{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe"	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5D277ED-8942-4d33-8437-1CA550A64AC2}	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E661111B-323D-4245-AE81-CAB1D5EE3140}	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB695CD-C974-4bfc-9037-B626E348AFA8}\stubpath = "C:\\Windows\\{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe"	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E65FEFF-B601-451a-A02F-8B8561353467}	{572C9720-45F5-4401-8684-D6D66272932E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}	{C73C0BB4-3070-4107-97C1-F72519A72602}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}\stubpath = "C:\\Windows\\{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe"	{C73C0BB4-3070-4107-97C1-F72519A72602}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B61C7DEB-481D-44c4-A084-91894E2CAB5E}	14ad2c5e99823fexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{572C9720-45F5-4401-8684-D6D66272932E}	{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{572C9720-45F5-4401-8684-D6D66272932E}\stubpath = "C:\\Windows\\{572C9720-45F5-4401-8684-D6D66272932E}.exe"	{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6E65FEFF-B601-451a-A02F-8B8561353467}\stubpath = "C:\\Windows\\{6E65FEFF-B601-451a-A02F-8B8561353467}.exe"	{572C9720-45F5-4401-8684-D6D66272932E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C73C0BB4-3070-4107-97C1-F72519A72602}	{6E65FEFF-B601-451a-A02F-8B8561353467}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16171EB9-56EE-4b50-8737-F4648A3AEDF5}\stubpath = "C:\\Windows\\{16171EB9-56EE-4b50-8737-F4648A3AEDF5}.exe"	{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe

Executes dropped EXE 13 IoCs

pid	Process
1516	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe
2368	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe
1308	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe
2452	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe
2968	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe
2100	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe
2288	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe
320	{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe
2640	{572C9720-45F5-4401-8684-D6D66272932E}.exe
2600	{6E65FEFF-B601-451a-A02F-8B8561353467}.exe
2720	{C73C0BB4-3070-4107-97C1-F72519A72602}.exe
2692	{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe
3016	{16171EB9-56EE-4b50-8737-F4648A3AEDF5}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{6E65FEFF-B601-451a-A02F-8B8561353467}.exe	{572C9720-45F5-4401-8684-D6D66272932E}.exe
File created	C:\Windows\{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe	{C73C0BB4-3070-4107-97C1-F72519A72602}.exe
File created	C:\Windows\{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe	14ad2c5e99823fexeexeexeex.exe
File created	C:\Windows\{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe
File created	C:\Windows\{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe
File created	C:\Windows\{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe
File created	C:\Windows\{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe
File created	C:\Windows\{572C9720-45F5-4401-8684-D6D66272932E}.exe	{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe
File created	C:\Windows\{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe
File created	C:\Windows\{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe
File created	C:\Windows\{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe
File created	C:\Windows\{C73C0BB4-3070-4107-97C1-F72519A72602}.exe	{6E65FEFF-B601-451a-A02F-8B8561353467}.exe
File created	C:\Windows\{16171EB9-56EE-4b50-8737-F4648A3AEDF5}.exe	{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2364	14ad2c5e99823fexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1516	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe
Token: SeIncBasePriorityPrivilege	2368	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe
Token: SeIncBasePriorityPrivilege	1308	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe
Token: SeIncBasePriorityPrivilege	2452	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe
Token: SeIncBasePriorityPrivilege	2968	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe
Token: SeIncBasePriorityPrivilege	2100	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe
Token: SeIncBasePriorityPrivilege	2288	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe
Token: SeIncBasePriorityPrivilege	320	{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe
Token: SeIncBasePriorityPrivilege	2640	{572C9720-45F5-4401-8684-D6D66272932E}.exe
Token: SeIncBasePriorityPrivilege	2600	{6E65FEFF-B601-451a-A02F-8B8561353467}.exe
Token: SeIncBasePriorityPrivilege	2720	{C73C0BB4-3070-4107-97C1-F72519A72602}.exe
Token: SeIncBasePriorityPrivilege	2692	{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1516	2364	14ad2c5e99823fexeexeexeex.exe	28
PID 2364 wrote to memory of 1516	2364	14ad2c5e99823fexeexeexeex.exe	28
PID 2364 wrote to memory of 1516	2364	14ad2c5e99823fexeexeexeex.exe	28
PID 2364 wrote to memory of 1516	2364	14ad2c5e99823fexeexeexeex.exe	28
PID 2364 wrote to memory of 2436	2364	14ad2c5e99823fexeexeexeex.exe	29
PID 2364 wrote to memory of 2436	2364	14ad2c5e99823fexeexeexeex.exe	29
PID 2364 wrote to memory of 2436	2364	14ad2c5e99823fexeexeexeex.exe	29
PID 2364 wrote to memory of 2436	2364	14ad2c5e99823fexeexeexeex.exe	29
PID 1516 wrote to memory of 2368	1516	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe	30
PID 1516 wrote to memory of 2368	1516	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe	30
PID 1516 wrote to memory of 2368	1516	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe	30
PID 1516 wrote to memory of 2368	1516	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe	30
PID 1516 wrote to memory of 2432	1516	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe	31
PID 1516 wrote to memory of 2432	1516	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe	31
PID 1516 wrote to memory of 2432	1516	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe	31
PID 1516 wrote to memory of 2432	1516	{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe	31
PID 2368 wrote to memory of 1308	2368	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe	32
PID 2368 wrote to memory of 1308	2368	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe	32
PID 2368 wrote to memory of 1308	2368	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe	32
PID 2368 wrote to memory of 1308	2368	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe	32
PID 2368 wrote to memory of 2160	2368	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe	33
PID 2368 wrote to memory of 2160	2368	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe	33
PID 2368 wrote to memory of 2160	2368	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe	33
PID 2368 wrote to memory of 2160	2368	{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe	33
PID 1308 wrote to memory of 2452	1308	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe	35
PID 1308 wrote to memory of 2452	1308	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe	35
PID 1308 wrote to memory of 2452	1308	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe	35
PID 1308 wrote to memory of 2452	1308	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe	35
PID 1308 wrote to memory of 2040	1308	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe	34
PID 1308 wrote to memory of 2040	1308	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe	34
PID 1308 wrote to memory of 2040	1308	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe	34
PID 1308 wrote to memory of 2040	1308	{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe	34
PID 2452 wrote to memory of 2968	2452	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe	36
PID 2452 wrote to memory of 2968	2452	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe	36
PID 2452 wrote to memory of 2968	2452	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe	36
PID 2452 wrote to memory of 2968	2452	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe	36
PID 2452 wrote to memory of 2576	2452	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe	37
PID 2452 wrote to memory of 2576	2452	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe	37
PID 2452 wrote to memory of 2576	2452	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe	37
PID 2452 wrote to memory of 2576	2452	{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe	37
PID 2968 wrote to memory of 2100	2968	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe	38
PID 2968 wrote to memory of 2100	2968	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe	38
PID 2968 wrote to memory of 2100	2968	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe	38
PID 2968 wrote to memory of 2100	2968	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe	38
PID 2968 wrote to memory of 2256	2968	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe	39
PID 2968 wrote to memory of 2256	2968	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe	39
PID 2968 wrote to memory of 2256	2968	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe	39
PID 2968 wrote to memory of 2256	2968	{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe	39
PID 2100 wrote to memory of 2288	2100	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe	40
PID 2100 wrote to memory of 2288	2100	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe	40
PID 2100 wrote to memory of 2288	2100	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe	40
PID 2100 wrote to memory of 2288	2100	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe	40
PID 2100 wrote to memory of 2580	2100	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe	41
PID 2100 wrote to memory of 2580	2100	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe	41
PID 2100 wrote to memory of 2580	2100	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe	41
PID 2100 wrote to memory of 2580	2100	{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe	41
PID 2288 wrote to memory of 320	2288	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe	42
PID 2288 wrote to memory of 320	2288	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe	42
PID 2288 wrote to memory of 320	2288	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe	42
PID 2288 wrote to memory of 320	2288	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe	42
PID 2288 wrote to memory of 2132	2288	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe	43
PID 2288 wrote to memory of 2132	2288	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe	43
PID 2288 wrote to memory of 2132	2288	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe	43
PID 2288 wrote to memory of 2132	2288	{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe	43

C:\Users\Admin\AppData\Local\Temp\14ad2c5e99823fexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\14ad2c5e99823fexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe
  C:\Windows\{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1516
- - C:\Windows\{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe
    C:\Windows\{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe
      C:\Windows\{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5D27~1.EXE > nul
        5⤵
        
        PID:2040
    - - C:\Windows\{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe
        
        C:\Windows\{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe
        
        C:\Windows\{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe
        
        C:\Windows\{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe
        
        C:\Windows\{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe
        
        C:\Windows\{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8B44~1.EXE > nul
        10⤵
        
        PID:2712
        
        C:\Windows\{572C9720-45F5-4401-8684-D6D66272932E}.exe
        
        C:\Windows\{572C9720-45F5-4401-8684-D6D66272932E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\{6E65FEFF-B601-451a-A02F-8B8561353467}.exe
        
        C:\Windows\{6E65FEFF-B601-451a-A02F-8B8561353467}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E65F~1.EXE > nul
        12⤵
        
        PID:2372
        
        C:\Windows\{C73C0BB4-3070-4107-97C1-F72519A72602}.exe
        
        C:\Windows\{C73C0BB4-3070-4107-97C1-F72519A72602}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe
        
        C:\Windows\{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{16171EB9-56EE-4b50-8737-F4648A3AEDF5}.exe
        
        C:\Windows\{16171EB9-56EE-4b50-8737-F4648A3AEDF5}.exe
        14⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CF5B~1.EXE > nul
        14⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C73C0~1.EXE > nul
        13⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{572C9~1.EXE > nul
        11⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A7F7~1.EXE > nul
        9⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0E9~1.EXE > nul
        8⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB69~1.EXE > nul
        7⤵
        
        PID:2256
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6611~1.EXE > nul
        6⤵
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B99D8~1.EXE > nul
      4⤵
      PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B61C7~1.EXE > nul
    3⤵
    PID:2432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\14AD2C~1.EXE > nul
  2⤵
  PID:2436

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe

Filesize
192KB

MD5
aa21faac6e71b37b21c5f291019fb1a5

SHA1
8c1d214381eaaf30bc2a868e495a003cb62b4a91

SHA256
ae35f6269c03734081ade23076f3d0a3e6a7a1b5bcd74db66b0fde3acfc58763

SHA512
3061e2fbe26a85b70985bd7bb4d239279adf51af83cb109f1fb1ef153afa99cf90bb17a3f34db97fe9968f56945d1407b9fefc4ed546de204a9eec109ed0a904

Download Submit
C:\Windows\{0AB695CD-C974-4bfc-9037-B626E348AFA8}.exe

Filesize
192KB

MD5
aa21faac6e71b37b21c5f291019fb1a5

SHA1
8c1d214381eaaf30bc2a868e495a003cb62b4a91

SHA256
ae35f6269c03734081ade23076f3d0a3e6a7a1b5bcd74db66b0fde3acfc58763

SHA512
3061e2fbe26a85b70985bd7bb4d239279adf51af83cb109f1fb1ef153afa99cf90bb17a3f34db97fe9968f56945d1407b9fefc4ed546de204a9eec109ed0a904

Download Submit
C:\Windows\{16171EB9-56EE-4b50-8737-F4648A3AEDF5}.exe

Filesize
192KB

MD5
8b783b5777553cd08494d981dba09bc9

SHA1
31d2e070ef6956f6b949be1a16ddafce39d81c54

SHA256
f47e5c35e2deb8d0f29d28ae2a120573fd7a1c0f335dae0166fdcae663a4b813

SHA512
ac788dec6ac156271995a87e6f6c2604047205c09b9265112fb5696603246d3224af33bef4c51f21d58f354b13f3a4a72b1bd72d7283daaf1d1cb48a9a073257

Download Submit
C:\Windows\{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe

Filesize
192KB

MD5
e6d5ca7d9ceb07c0f563855b39a46a6c

SHA1
c448ad1728d6fa8228f7d56e056ba34ad265932b

SHA256
eba4725689ac8db65f697abb19805bfd880c355306e9b5f0c029f46685c2b8d8

SHA512
1d59aeb19cc3da50a3fdf6dbe30f6d1153644ba41fd73670d4ec936aa9ebacbbd4c5dff97e14b66cb90a6a35479efc7641bd526c3ed58f12805c230a4f50abf8

Download Submit
C:\Windows\{4F0E9772-C7C8-414a-9E39-C4305666BF0A}.exe

Filesize
192KB

MD5
e6d5ca7d9ceb07c0f563855b39a46a6c

SHA1
c448ad1728d6fa8228f7d56e056ba34ad265932b

SHA256
eba4725689ac8db65f697abb19805bfd880c355306e9b5f0c029f46685c2b8d8

SHA512
1d59aeb19cc3da50a3fdf6dbe30f6d1153644ba41fd73670d4ec936aa9ebacbbd4c5dff97e14b66cb90a6a35479efc7641bd526c3ed58f12805c230a4f50abf8

Download Submit
C:\Windows\{572C9720-45F5-4401-8684-D6D66272932E}.exe

Filesize
192KB

MD5
f702355d8c2f9ac72325495905531070

SHA1
a63cb77a80e79f2292fd807170304da4a2301c8d

SHA256
9975e35e8b86c94faffda6dc6580a16b6093b8a32db38f04605c2b2625799e8c

SHA512
76310a383860e1feb474c9820f46ba5f1cec5313527c31b7239b4290c191e168d2bb58235deed0b1c72d7d15067de718be712489b3fbf9a54cf8e09c213a7e24

Download Submit
C:\Windows\{572C9720-45F5-4401-8684-D6D66272932E}.exe

Filesize
192KB

MD5
f702355d8c2f9ac72325495905531070

SHA1
a63cb77a80e79f2292fd807170304da4a2301c8d

SHA256
9975e35e8b86c94faffda6dc6580a16b6093b8a32db38f04605c2b2625799e8c

SHA512
76310a383860e1feb474c9820f46ba5f1cec5313527c31b7239b4290c191e168d2bb58235deed0b1c72d7d15067de718be712489b3fbf9a54cf8e09c213a7e24

Download Submit
C:\Windows\{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe

Filesize
192KB

MD5
cb36e12700df981026645f8b573ea7ee

SHA1
b017fd36604776512fbd589e3bc75c0ba0c24b11

SHA256
c3bf4e9761be2cf4766809d01c43cb776b3135b230e9e4b4676d8d54c80b69c6

SHA512
df7d3c8c869c61a0f96f2769201a0135536ce3effeb0a497b2cb823ebfecba5d15765d8d8d09b8e711696f7c02f238b6a2343b53285d44c3994c0eedf4a43e10

Download Submit
C:\Windows\{6CF5B0BF-F30D-4ac4-8F90-023A63087F3D}.exe

Filesize
192KB

MD5
cb36e12700df981026645f8b573ea7ee

SHA1
b017fd36604776512fbd589e3bc75c0ba0c24b11

SHA256
c3bf4e9761be2cf4766809d01c43cb776b3135b230e9e4b4676d8d54c80b69c6

SHA512
df7d3c8c869c61a0f96f2769201a0135536ce3effeb0a497b2cb823ebfecba5d15765d8d8d09b8e711696f7c02f238b6a2343b53285d44c3994c0eedf4a43e10

Download Submit
C:\Windows\{6E65FEFF-B601-451a-A02F-8B8561353467}.exe

Filesize
192KB

MD5
b6c63b0db68d0551972616219ddedc8f

SHA1
40b013fc938e17e402fd473fd3b76af8c50a1213

SHA256
47d293e123f66a598481f6568f245c357decebac60ddb7d0612b57089442d0a0

SHA512
362f33ed30936c2ddb5b5f60b903cff35ff0ba75d45d9620aa0e89e6ba261656f3515de657fe4097d31c44aa73843511c783e38af2be0bc0a4bcfce179f6918d

Download Submit
C:\Windows\{6E65FEFF-B601-451a-A02F-8B8561353467}.exe

Filesize
192KB

MD5
b6c63b0db68d0551972616219ddedc8f

SHA1
40b013fc938e17e402fd473fd3b76af8c50a1213

SHA256
47d293e123f66a598481f6568f245c357decebac60ddb7d0612b57089442d0a0

SHA512
362f33ed30936c2ddb5b5f60b903cff35ff0ba75d45d9620aa0e89e6ba261656f3515de657fe4097d31c44aa73843511c783e38af2be0bc0a4bcfce179f6918d

Download Submit
C:\Windows\{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe

Filesize
192KB

MD5
193c0276331d20eb6fe9db98fd8f5e95

SHA1
d8f158f671ac4228a621940ed2d4278d34d4f0c2

SHA256
b7191e0ff245faa553d04fcbd00c3d5b40e4ce75fb5f8a6e0b573f357bf6e9c7

SHA512
e371794b60c0f312fe191f4b5a587f6582b113196aa556c24de54e6787440446685b79a99a5c52abb7f3962f14b3a0e066f2c84e8a2740320b8480e92ae591a5

Download Submit
C:\Windows\{7A7F70D5-D569-41da-88CC-1DA4CD79DBCD}.exe

Filesize
192KB

MD5
193c0276331d20eb6fe9db98fd8f5e95

SHA1
d8f158f671ac4228a621940ed2d4278d34d4f0c2

SHA256
b7191e0ff245faa553d04fcbd00c3d5b40e4ce75fb5f8a6e0b573f357bf6e9c7

SHA512
e371794b60c0f312fe191f4b5a587f6582b113196aa556c24de54e6787440446685b79a99a5c52abb7f3962f14b3a0e066f2c84e8a2740320b8480e92ae591a5

Download Submit
C:\Windows\{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe

Filesize
192KB

MD5
483eaa6a8b33d379b0589b68bfe16035

SHA1
4bbd5507d70f079bbc85d070ed13054e4646c2ae

SHA256
502eb5c671d79c0b9eb0fb78309aa90c564a2a511cf9b5e475fb5850732d20b1

SHA512
8e4635b311646cf94e87c723b9ebb2075d99fdb6082ad43bf5e6102b62cd8a82a21c4709239639bc7d96114699022369637c81a5c94f1d9bb841fa361a2e6d85

Download Submit
C:\Windows\{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe

Filesize
192KB

MD5
483eaa6a8b33d379b0589b68bfe16035

SHA1
4bbd5507d70f079bbc85d070ed13054e4646c2ae

SHA256
502eb5c671d79c0b9eb0fb78309aa90c564a2a511cf9b5e475fb5850732d20b1

SHA512
8e4635b311646cf94e87c723b9ebb2075d99fdb6082ad43bf5e6102b62cd8a82a21c4709239639bc7d96114699022369637c81a5c94f1d9bb841fa361a2e6d85

Download Submit
C:\Windows\{B61C7DEB-481D-44c4-A084-91894E2CAB5E}.exe

Filesize
192KB

MD5
483eaa6a8b33d379b0589b68bfe16035

SHA1
4bbd5507d70f079bbc85d070ed13054e4646c2ae

SHA256
502eb5c671d79c0b9eb0fb78309aa90c564a2a511cf9b5e475fb5850732d20b1

SHA512
8e4635b311646cf94e87c723b9ebb2075d99fdb6082ad43bf5e6102b62cd8a82a21c4709239639bc7d96114699022369637c81a5c94f1d9bb841fa361a2e6d85

Download Submit
C:\Windows\{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe

Filesize
192KB

MD5
5c85e2e3169a6b1662691ab5605d4457

SHA1
16fc4d27cfad64fdba21c8025658e485e6e74cbf

SHA256
04ef613fefacecac45ad8a8152f70b117c3de40a1f89b19a0e44d8729bc1dea0

SHA512
036d4d07389468cba57b3f88bd4862371aca36c5a5d3b4b7e5c4472f3d3b8686ce4a265d0021c9f7360cd854f3ecd59ce8f53cb389e01fccee954e78027cf152

Download Submit
C:\Windows\{B99D81A7-D0E0-44dc-86C6-AEA9EE2315DF}.exe

Filesize
192KB

MD5
5c85e2e3169a6b1662691ab5605d4457

SHA1
16fc4d27cfad64fdba21c8025658e485e6e74cbf

SHA256
04ef613fefacecac45ad8a8152f70b117c3de40a1f89b19a0e44d8729bc1dea0

SHA512
036d4d07389468cba57b3f88bd4862371aca36c5a5d3b4b7e5c4472f3d3b8686ce4a265d0021c9f7360cd854f3ecd59ce8f53cb389e01fccee954e78027cf152

Download Submit
C:\Windows\{C73C0BB4-3070-4107-97C1-F72519A72602}.exe

Filesize
192KB

MD5
538b305f5f7fbd7854840efe6069fa55

SHA1
f65c3a39f2ba20b92416184380b45789c948ae05

SHA256
2b7ecaee8ed565c4df3ee0db602f402086061c79647c8497e42657e55eecd50e

SHA512
500000975f091863f0f7a43641460749a2a2c11c1feb9d3c60c9c833dff49bd455d6fbc20cb26ece9acfaacc8dc47b0ba6bd17802c311f935382aaeac06ca723

Download Submit
C:\Windows\{C73C0BB4-3070-4107-97C1-F72519A72602}.exe

Filesize
192KB

MD5
538b305f5f7fbd7854840efe6069fa55

SHA1
f65c3a39f2ba20b92416184380b45789c948ae05

SHA256
2b7ecaee8ed565c4df3ee0db602f402086061c79647c8497e42657e55eecd50e

SHA512
500000975f091863f0f7a43641460749a2a2c11c1feb9d3c60c9c833dff49bd455d6fbc20cb26ece9acfaacc8dc47b0ba6bd17802c311f935382aaeac06ca723

Download Submit
C:\Windows\{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe

Filesize
192KB

MD5
3141d7d267403857be1c3ef1d4553431

SHA1
5c3e551138b64798aba9e4172bcec3ee142f4e4c

SHA256
8fdd408f1d68c78267fd261c0ca4e3c0084ad0735dd0a5ed7e39e7564631057a

SHA512
c638cc70f34f5dfba8846c73c52aeb7b9874210b8c8f9a3345317f5cbd13f0d804403fdd464d1388dfb4fd65a82db20d520682691d0663daca64c48e67b1caf9

Download Submit
C:\Windows\{D8B44178-9FA5-47aa-A7EE-9E549E4BCEE5}.exe

Filesize
192KB

MD5
3141d7d267403857be1c3ef1d4553431

SHA1
5c3e551138b64798aba9e4172bcec3ee142f4e4c

SHA256
8fdd408f1d68c78267fd261c0ca4e3c0084ad0735dd0a5ed7e39e7564631057a

SHA512
c638cc70f34f5dfba8846c73c52aeb7b9874210b8c8f9a3345317f5cbd13f0d804403fdd464d1388dfb4fd65a82db20d520682691d0663daca64c48e67b1caf9

Download Submit
C:\Windows\{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe

Filesize
192KB

MD5
74c0c3ebe083a01aca7d05f31b0ff91e

SHA1
f95696703a97fff640cd3ce876249621926d3f2c

SHA256
c07bc61878e04d6467102a52b82b138a11509fa5be3cb30cda0897ce4ac70f22

SHA512
3a3dd462ba1fa2298043b1dba0b73849f793d42e61562a19f290a2b26ef499e13cc109d4a25afb9b30f2855f222f60f2e11b748b1fd0a8a8af77e120a1914837

Download Submit
C:\Windows\{E661111B-323D-4245-AE81-CAB1D5EE3140}.exe

Filesize
192KB

MD5
74c0c3ebe083a01aca7d05f31b0ff91e

SHA1
f95696703a97fff640cd3ce876249621926d3f2c

SHA256
c07bc61878e04d6467102a52b82b138a11509fa5be3cb30cda0897ce4ac70f22

SHA512
3a3dd462ba1fa2298043b1dba0b73849f793d42e61562a19f290a2b26ef499e13cc109d4a25afb9b30f2855f222f60f2e11b748b1fd0a8a8af77e120a1914837

Download Submit
C:\Windows\{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe

Filesize
192KB

MD5
f08e30b281a1861af3f0a569f0a679d2

SHA1
4bf27f2bf0df1dcb2b3d8ba20be0ce7edfdd70e1

SHA256
4540930fda9bade2077b1a2b4d1e570fd9abe87b061f0a8952799230ec6c6646

SHA512
907b487956c66d6318c8d1c3e04fde4563784a9606aea123e3fbb50b6bafaeb7586e9a51bbed1fd52db01a0a729b49fcf7b91a503c0f7b7b0ad2bbdbb55c2dd5

Download Submit
C:\Windows\{F5D277ED-8942-4d33-8437-1CA550A64AC2}.exe

Filesize
192KB

MD5
f08e30b281a1861af3f0a569f0a679d2

SHA1
4bf27f2bf0df1dcb2b3d8ba20be0ce7edfdd70e1

SHA256
4540930fda9bade2077b1a2b4d1e570fd9abe87b061f0a8952799230ec6c6646

SHA512
907b487956c66d6318c8d1c3e04fde4563784a9606aea123e3fbb50b6bafaeb7586e9a51bbed1fd52db01a0a729b49fcf7b91a503c0f7b7b0ad2bbdbb55c2dd5

Download Submit