0f4b3b79db443375dd204d7175b76c19d342cb79b186a8eb0f4640cefe1452a5

Analysis

max time kernel
147s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05/07/2023, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14f7e26a304898exeexeexeex.exe
Size

372KB
MD5

14f7e26a304898b7122499d5fb5d5d8d
SHA1

bfe9ec58ac55d0d4fdfc0a28471c53fff5c8c661
SHA256

0f4b3b79db443375dd204d7175b76c19d342cb79b186a8eb0f4640cefe1452a5
SHA512

efe7c89228f9c7a523bc927a9d760314f9587030c1e5f28d6062912986fdc2a34cbbb98d05db594a20a31535b1f775d59f4473d5a77f76464e3f67c5f7e61059
SSDEEP

3072:CEGh0oemlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGBl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86328467-3F6A-4807-9E79-963B66B7F82A}	{126187FB-8083-411c-832D-60E408866D51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68077047-D7ED-47d3-87FF-F05FD6A6F170}	{D2F087B6-71B1-400a-8F69-940861284C06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}	{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}\stubpath = "C:\\Windows\\{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe"	{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D4759A2-515C-4916-900D-17E7BCBD289F}	14f7e26a304898exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C93F2908-103D-4f66-BB10-513518ED1218}	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}	{C93F2908-103D-4f66-BB10-513518ED1218}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}\stubpath = "C:\\Windows\\{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe"	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2F087B6-71B1-400a-8F69-940861284C06}\stubpath = "C:\\Windows\\{D2F087B6-71B1-400a-8F69-940861284C06}.exe"	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}	{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}\stubpath = "C:\\Windows\\{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe"	{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45DDC940-F373-4d67-A6A9-E44CE2E0ACC4}\stubpath = "C:\\Windows\\{45DDC940-F373-4d67-A6A9-E44CE2E0ACC4}.exe"	{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{126187FB-8083-411c-832D-60E408866D51}	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{126187FB-8083-411c-832D-60E408866D51}\stubpath = "C:\\Windows\\{126187FB-8083-411c-832D-60E408866D51}.exe"	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86328467-3F6A-4807-9E79-963B66B7F82A}\stubpath = "C:\\Windows\\{86328467-3F6A-4807-9E79-963B66B7F82A}.exe"	{126187FB-8083-411c-832D-60E408866D51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2F087B6-71B1-400a-8F69-940861284C06}	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}\stubpath = "C:\\Windows\\{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe"	{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}	{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{45DDC940-F373-4d67-A6A9-E44CE2E0ACC4}	{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D4759A2-515C-4916-900D-17E7BCBD289F}\stubpath = "C:\\Windows\\{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe"	14f7e26a304898exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C93F2908-103D-4f66-BB10-513518ED1218}\stubpath = "C:\\Windows\\{C93F2908-103D-4f66-BB10-513518ED1218}.exe"	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}\stubpath = "C:\\Windows\\{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe"	{C93F2908-103D-4f66-BB10-513518ED1218}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}\stubpath = "C:\\Windows\\{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe"	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68077047-D7ED-47d3-87FF-F05FD6A6F170}\stubpath = "C:\\Windows\\{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe"	{D2F087B6-71B1-400a-8F69-940861284C06}.exe

Deletes itself 1 IoCs

pid	Process
2400	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2276	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe
2316	{C93F2908-103D-4f66-BB10-513518ED1218}.exe
2536	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe
1040	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe
2660	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe
1380	{126187FB-8083-411c-832D-60E408866D51}.exe
2916	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe
2264	{D2F087B6-71B1-400a-8F69-940861284C06}.exe
3032	{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe
2692	{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe
2456	{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe
376	{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe
2732	{45DDC940-F373-4d67-A6A9-E44CE2E0ACC4}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe
File created	C:\Windows\{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe
File created	C:\Windows\{126187FB-8083-411c-832D-60E408866D51}.exe	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe
File created	C:\Windows\{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe	{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe
File created	C:\Windows\{45DDC940-F373-4d67-A6A9-E44CE2E0ACC4}.exe	{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe
File created	C:\Windows\{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe	14f7e26a304898exeexeexeex.exe
File created	C:\Windows\{C93F2908-103D-4f66-BB10-513518ED1218}.exe	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe
File created	C:\Windows\{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe	{C93F2908-103D-4f66-BB10-513518ED1218}.exe
File created	C:\Windows\{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe	{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe
File created	C:\Windows\{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe	{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe
File created	C:\Windows\{86328467-3F6A-4807-9E79-963B66B7F82A}.exe	{126187FB-8083-411c-832D-60E408866D51}.exe
File created	C:\Windows\{D2F087B6-71B1-400a-8F69-940861284C06}.exe	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe
File created	C:\Windows\{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe	{D2F087B6-71B1-400a-8F69-940861284C06}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2160	14f7e26a304898exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2276	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe
Token: SeIncBasePriorityPrivilege	2316	{C93F2908-103D-4f66-BB10-513518ED1218}.exe
Token: SeIncBasePriorityPrivilege	2536	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe
Token: SeIncBasePriorityPrivilege	1040	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe
Token: SeIncBasePriorityPrivilege	2660	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe
Token: SeIncBasePriorityPrivilege	1380	{126187FB-8083-411c-832D-60E408866D51}.exe
Token: SeIncBasePriorityPrivilege	2916	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe
Token: SeIncBasePriorityPrivilege	2264	{D2F087B6-71B1-400a-8F69-940861284C06}.exe
Token: SeIncBasePriorityPrivilege	3032	{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe
Token: SeIncBasePriorityPrivilege	2692	{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe
Token: SeIncBasePriorityPrivilege	2456	{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe
Token: SeIncBasePriorityPrivilege	376	{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2276	2160	14f7e26a304898exeexeexeex.exe	29
PID 2160 wrote to memory of 2276	2160	14f7e26a304898exeexeexeex.exe	29
PID 2160 wrote to memory of 2276	2160	14f7e26a304898exeexeexeex.exe	29
PID 2160 wrote to memory of 2276	2160	14f7e26a304898exeexeexeex.exe	29
PID 2160 wrote to memory of 2400	2160	14f7e26a304898exeexeexeex.exe	30
PID 2160 wrote to memory of 2400	2160	14f7e26a304898exeexeexeex.exe	30
PID 2160 wrote to memory of 2400	2160	14f7e26a304898exeexeexeex.exe	30
PID 2160 wrote to memory of 2400	2160	14f7e26a304898exeexeexeex.exe	30
PID 2276 wrote to memory of 2316	2276	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe	31
PID 2276 wrote to memory of 2316	2276	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe	31
PID 2276 wrote to memory of 2316	2276	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe	31
PID 2276 wrote to memory of 2316	2276	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe	31
PID 2276 wrote to memory of 1916	2276	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe	32
PID 2276 wrote to memory of 1916	2276	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe	32
PID 2276 wrote to memory of 1916	2276	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe	32
PID 2276 wrote to memory of 1916	2276	{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe	32
PID 2316 wrote to memory of 2536	2316	{C93F2908-103D-4f66-BB10-513518ED1218}.exe	33
PID 2316 wrote to memory of 2536	2316	{C93F2908-103D-4f66-BB10-513518ED1218}.exe	33
PID 2316 wrote to memory of 2536	2316	{C93F2908-103D-4f66-BB10-513518ED1218}.exe	33
PID 2316 wrote to memory of 2536	2316	{C93F2908-103D-4f66-BB10-513518ED1218}.exe	33
PID 2316 wrote to memory of 1720	2316	{C93F2908-103D-4f66-BB10-513518ED1218}.exe	34
PID 2316 wrote to memory of 1720	2316	{C93F2908-103D-4f66-BB10-513518ED1218}.exe	34
PID 2316 wrote to memory of 1720	2316	{C93F2908-103D-4f66-BB10-513518ED1218}.exe	34
PID 2316 wrote to memory of 1720	2316	{C93F2908-103D-4f66-BB10-513518ED1218}.exe	34
PID 2536 wrote to memory of 1040	2536	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe	35
PID 2536 wrote to memory of 1040	2536	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe	35
PID 2536 wrote to memory of 1040	2536	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe	35
PID 2536 wrote to memory of 1040	2536	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe	35
PID 2536 wrote to memory of 1688	2536	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe	36
PID 2536 wrote to memory of 1688	2536	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe	36
PID 2536 wrote to memory of 1688	2536	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe	36
PID 2536 wrote to memory of 1688	2536	{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe	36
PID 1040 wrote to memory of 2660	1040	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe	37
PID 1040 wrote to memory of 2660	1040	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe	37
PID 1040 wrote to memory of 2660	1040	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe	37
PID 1040 wrote to memory of 2660	1040	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe	37
PID 1040 wrote to memory of 1532	1040	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe	38
PID 1040 wrote to memory of 1532	1040	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe	38
PID 1040 wrote to memory of 1532	1040	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe	38
PID 1040 wrote to memory of 1532	1040	{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe	38
PID 2660 wrote to memory of 1380	2660	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe	39
PID 2660 wrote to memory of 1380	2660	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe	39
PID 2660 wrote to memory of 1380	2660	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe	39
PID 2660 wrote to memory of 1380	2660	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe	39
PID 2660 wrote to memory of 556	2660	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe	40
PID 2660 wrote to memory of 556	2660	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe	40
PID 2660 wrote to memory of 556	2660	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe	40
PID 2660 wrote to memory of 556	2660	{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe	40
PID 1380 wrote to memory of 2916	1380	{126187FB-8083-411c-832D-60E408866D51}.exe	41
PID 1380 wrote to memory of 2916	1380	{126187FB-8083-411c-832D-60E408866D51}.exe	41
PID 1380 wrote to memory of 2916	1380	{126187FB-8083-411c-832D-60E408866D51}.exe	41
PID 1380 wrote to memory of 2916	1380	{126187FB-8083-411c-832D-60E408866D51}.exe	41
PID 1380 wrote to memory of 2976	1380	{126187FB-8083-411c-832D-60E408866D51}.exe	42
PID 1380 wrote to memory of 2976	1380	{126187FB-8083-411c-832D-60E408866D51}.exe	42
PID 1380 wrote to memory of 2976	1380	{126187FB-8083-411c-832D-60E408866D51}.exe	42
PID 1380 wrote to memory of 2976	1380	{126187FB-8083-411c-832D-60E408866D51}.exe	42
PID 2916 wrote to memory of 2264	2916	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe	43
PID 2916 wrote to memory of 2264	2916	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe	43
PID 2916 wrote to memory of 2264	2916	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe	43
PID 2916 wrote to memory of 2264	2916	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe	43
PID 2916 wrote to memory of 436	2916	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe	44
PID 2916 wrote to memory of 436	2916	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe	44
PID 2916 wrote to memory of 436	2916	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe	44
PID 2916 wrote to memory of 436	2916	{86328467-3F6A-4807-9E79-963B66B7F82A}.exe	44

C:\Users\Admin\AppData\Local\Temp\14f7e26a304898exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\14f7e26a304898exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe
  C:\Windows\{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\{C93F2908-103D-4f66-BB10-513518ED1218}.exe
    C:\Windows\{C93F2908-103D-4f66-BB10-513518ED1218}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Windows\{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe
      C:\Windows\{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2536
    - - C:\Windows\{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe
        
        C:\Windows\{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1040
      - C:\Windows\{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe
        
        C:\Windows\{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\{126187FB-8083-411c-832D-60E408866D51}.exe
        
        C:\Windows\{126187FB-8083-411c-832D-60E408866D51}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\{86328467-3F6A-4807-9E79-963B66B7F82A}.exe
        
        C:\Windows\{86328467-3F6A-4807-9E79-963B66B7F82A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\{D2F087B6-71B1-400a-8F69-940861284C06}.exe
        
        C:\Windows\{D2F087B6-71B1-400a-8F69-940861284C06}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe
        
        C:\Windows\{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe
        
        C:\Windows\{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe
        
        C:\Windows\{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe
        
        C:\Windows\{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
        
        C:\Windows\{45DDC940-F373-4d67-A6A9-E44CE2E0ACC4}.exe
        
        C:\Windows\{45DDC940-F373-4d67-A6A9-E44CE2E0ACC4}.exe
        14⤵
        Executes dropped EXE
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB3C7~1.EXE > nul
        14⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8B60~1.EXE > nul
        13⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ABCC~1.EXE > nul
        12⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68077~1.EXE > nul
        11⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2F08~1.EXE > nul
        10⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86328~1.EXE > nul
        9⤵
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12618~1.EXE > nul
        8⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81AD4~1.EXE > nul
        7⤵
        
        PID:556
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE4C4~1.EXE > nul
        6⤵
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C19A4~1.EXE > nul
        5⤵
        
        PID:1688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C93F2~1.EXE > nul
      4⤵
      PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D475~1.EXE > nul
    3⤵
    PID:1916
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\14F7E2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{126187FB-8083-411c-832D-60E408866D51}.exe

Filesize
372KB

MD5
1ffe059a02bedffcaf4aa3745ba99b15

SHA1
5ea9b822f25aa9d9a5daa65a3b34824e2b114465

SHA256
e5c0785032f4def53dcc6174270e9683b918bc462bacdc9a0d858cc807d6331e

SHA512
1d839d8d749584fb20c1ea73132b5d49d2ff3536e2c67c53ab67faee01785602d99efb511f1a623b979bf42eb1088d97cec6fe578b66e815dc026d5f54f9f6b6

Download Submit
C:\Windows\{126187FB-8083-411c-832D-60E408866D51}.exe

Filesize
372KB

MD5
1ffe059a02bedffcaf4aa3745ba99b15

SHA1
5ea9b822f25aa9d9a5daa65a3b34824e2b114465

SHA256
e5c0785032f4def53dcc6174270e9683b918bc462bacdc9a0d858cc807d6331e

SHA512
1d839d8d749584fb20c1ea73132b5d49d2ff3536e2c67c53ab67faee01785602d99efb511f1a623b979bf42eb1088d97cec6fe578b66e815dc026d5f54f9f6b6

Download Submit
C:\Windows\{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe

Filesize
372KB

MD5
c3f9c3ccdb5e4fd1fd2297069ba3c7b2

SHA1
0e7e5b55c955d7146c4cf71e6c74c8c9f3619c73

SHA256
de3efc99809c7a34efc9b2d73e7465db4a5dce17d9f90827983ddc4e7b5a6fe0

SHA512
d525a27281b5ec9019da00bae6f29a3810930c368d9153417378a52e931c2b80765762fbc548d295964bb7cd28710babbbc3f792e990d7267fb91eb00e393590

Download Submit
C:\Windows\{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe

Filesize
372KB

MD5
c3f9c3ccdb5e4fd1fd2297069ba3c7b2

SHA1
0e7e5b55c955d7146c4cf71e6c74c8c9f3619c73

SHA256
de3efc99809c7a34efc9b2d73e7465db4a5dce17d9f90827983ddc4e7b5a6fe0

SHA512
d525a27281b5ec9019da00bae6f29a3810930c368d9153417378a52e931c2b80765762fbc548d295964bb7cd28710babbbc3f792e990d7267fb91eb00e393590

Download Submit
C:\Windows\{2D4759A2-515C-4916-900D-17E7BCBD289F}.exe

Filesize
372KB

MD5
c3f9c3ccdb5e4fd1fd2297069ba3c7b2

SHA1
0e7e5b55c955d7146c4cf71e6c74c8c9f3619c73

SHA256
de3efc99809c7a34efc9b2d73e7465db4a5dce17d9f90827983ddc4e7b5a6fe0

SHA512
d525a27281b5ec9019da00bae6f29a3810930c368d9153417378a52e931c2b80765762fbc548d295964bb7cd28710babbbc3f792e990d7267fb91eb00e393590

Download Submit
C:\Windows\{45DDC940-F373-4d67-A6A9-E44CE2E0ACC4}.exe

Filesize
372KB

MD5
6d63278868040c1e15053159393df3df

SHA1
93b06c055991257bac9d5270e99acee61f8aa243

SHA256
aa01d7be6bc109d21288c65df642722df44cc28ef2f3210c2cbb62bd50cf85b8

SHA512
4dd59246758f127408a3b73def59f9333f54a42b5ce12b41b36840054e02073f250b67c21c7801a50bb49b58f028b2e50a69205c0af1831480fbc12f42fab240

Download Submit
C:\Windows\{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe

Filesize
372KB

MD5
25f9dc32fb6e69132b81664828283dcd

SHA1
c129c884369b5c7638cd907d9a9f2da3c8272da6

SHA256
3ae725d11f3df19560acd69a5932a4e559ebc0e7ba29c5503373786347925659

SHA512
d77b02f761851c1a31c52eb8fba32d63048d31e0e6c8f96401aa0d3853fa916fd1ccbaf05d963451c9ea7cf128d20b0c7d1f5e0a87664db4507c4bb53cb13e51

Download Submit
C:\Windows\{68077047-D7ED-47d3-87FF-F05FD6A6F170}.exe

Filesize
372KB

MD5
25f9dc32fb6e69132b81664828283dcd

SHA1
c129c884369b5c7638cd907d9a9f2da3c8272da6

SHA256
3ae725d11f3df19560acd69a5932a4e559ebc0e7ba29c5503373786347925659

SHA512
d77b02f761851c1a31c52eb8fba32d63048d31e0e6c8f96401aa0d3853fa916fd1ccbaf05d963451c9ea7cf128d20b0c7d1f5e0a87664db4507c4bb53cb13e51

Download Submit
C:\Windows\{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe

Filesize
372KB

MD5
55a7c3fa953c14d61be17173ae3a470d

SHA1
eacb4adcf226fa6db1f1c5ee3402fca07ca63db9

SHA256
5f43556843a9dcd1ca7a06fbe903e1cd5fe22668b627c38da10261e97859d69a

SHA512
9490c02b5f9d7dfa7c25a7e2820d21b954645876a0b85dd4a6b1a50f2ed005e90a3eff6a7f3b59788c7c8d882a2dde5833374f89911752a241ad45d42d04ce10

Download Submit
C:\Windows\{7ABCC40A-B6FE-41f1-92E2-07D5FC765726}.exe

Filesize
372KB

MD5
55a7c3fa953c14d61be17173ae3a470d

SHA1
eacb4adcf226fa6db1f1c5ee3402fca07ca63db9

SHA256
5f43556843a9dcd1ca7a06fbe903e1cd5fe22668b627c38da10261e97859d69a

SHA512
9490c02b5f9d7dfa7c25a7e2820d21b954645876a0b85dd4a6b1a50f2ed005e90a3eff6a7f3b59788c7c8d882a2dde5833374f89911752a241ad45d42d04ce10

Download Submit
C:\Windows\{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe

Filesize
372KB

MD5
c7b639acad70a3cd1c771150457205a3

SHA1
8f483aa1145dbfe8595dbe06455a61cc510f10fb

SHA256
427fa1f90e818cfe761acad3cc3cd3b0467de2c576aa78453ff4149aec3be15f

SHA512
9386b046740d91d63d71540d60f4268fcd3e3335761495a873d51e322b98535128e2eeebfe0c60b11dc9e335dded92a78334ca3625176705cbb14f34d6ba136a

Download Submit
C:\Windows\{81AD4AF9-5EE6-4927-9A2F-EB2696D5C2B7}.exe

Filesize
372KB

MD5
c7b639acad70a3cd1c771150457205a3

SHA1
8f483aa1145dbfe8595dbe06455a61cc510f10fb

SHA256
427fa1f90e818cfe761acad3cc3cd3b0467de2c576aa78453ff4149aec3be15f

SHA512
9386b046740d91d63d71540d60f4268fcd3e3335761495a873d51e322b98535128e2eeebfe0c60b11dc9e335dded92a78334ca3625176705cbb14f34d6ba136a

Download Submit
C:\Windows\{86328467-3F6A-4807-9E79-963B66B7F82A}.exe

Filesize
372KB

MD5
d56eb4aba0b061cddf0989896b9b91e4

SHA1
f99b03cf498fdbddd7c91ea523dce8ccc148ab52

SHA256
85e7b74372ef8cb233cd025f2e6b109fddf86b4ead98d283f5b40a507284e178

SHA512
00eabd5677db430cf09d36187a823e2780a0c295597066b0b6ed0d2580ad98888516c5c27067f6907d489092a50517b9bc05de55b85b3d68a0261d7942dcef21

Download Submit
C:\Windows\{86328467-3F6A-4807-9E79-963B66B7F82A}.exe

Filesize
372KB

MD5
d56eb4aba0b061cddf0989896b9b91e4

SHA1
f99b03cf498fdbddd7c91ea523dce8ccc148ab52

SHA256
85e7b74372ef8cb233cd025f2e6b109fddf86b4ead98d283f5b40a507284e178

SHA512
00eabd5677db430cf09d36187a823e2780a0c295597066b0b6ed0d2580ad98888516c5c27067f6907d489092a50517b9bc05de55b85b3d68a0261d7942dcef21

Download Submit
C:\Windows\{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe

Filesize
372KB

MD5
384ba9fd8134c19f36639f064e17e2f7

SHA1
c1ae677d23dacaffa66608d70bfc36d579a69be6

SHA256
54f082caaf9eae6973a6c241f13ae0e88ecc24ffe9c6c0e61df87e6f659d561a

SHA512
501ed2e1cce2f15c0e757f6c874c91a17c8f6d782641d1fcbcc9f690d44d7b2fe844df95d97bf005c3316d069cc9a0ee9fc091b45ced64f552da2c8946b94b50

Download Submit
C:\Windows\{B8B607E8-7EDD-44c7-8B25-35848D0AC29F}.exe

Filesize
372KB

MD5
384ba9fd8134c19f36639f064e17e2f7

SHA1
c1ae677d23dacaffa66608d70bfc36d579a69be6

SHA256
54f082caaf9eae6973a6c241f13ae0e88ecc24ffe9c6c0e61df87e6f659d561a

SHA512
501ed2e1cce2f15c0e757f6c874c91a17c8f6d782641d1fcbcc9f690d44d7b2fe844df95d97bf005c3316d069cc9a0ee9fc091b45ced64f552da2c8946b94b50

Download Submit
C:\Windows\{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe

Filesize
372KB

MD5
8f9b6e77cd2e46595412ce857ac1f828

SHA1
02bc51fc1e57521eaeb49966cd666b48f82ad7b6

SHA256
dbcf22ad57ab21c2113d86b272cb6d9d1f9b9e69c5c4ac03e4a9f02dea6ce165

SHA512
63b46cc1a4d0b8782e668c8b5d3369ba22b1658ad3b80b7ba25e91265d668dd38ec1c1b903fe71bd3462d00445b748e0ecfe920063a0974e5f6fdefb3adeb88b

Download Submit
C:\Windows\{C19A40D2-33F9-4edb-B9DE-E6F6840D1739}.exe

Filesize
372KB

MD5
8f9b6e77cd2e46595412ce857ac1f828

SHA1
02bc51fc1e57521eaeb49966cd666b48f82ad7b6

SHA256
dbcf22ad57ab21c2113d86b272cb6d9d1f9b9e69c5c4ac03e4a9f02dea6ce165

SHA512
63b46cc1a4d0b8782e668c8b5d3369ba22b1658ad3b80b7ba25e91265d668dd38ec1c1b903fe71bd3462d00445b748e0ecfe920063a0974e5f6fdefb3adeb88b

Download Submit
C:\Windows\{C93F2908-103D-4f66-BB10-513518ED1218}.exe

Filesize
372KB

MD5
936b6bd8807ac2c9511ab5774cdf46a3

SHA1
84592982e7ddc876a7f9d1e17faaff6da596bfa8

SHA256
956125aafa1a2e1a9fe7085531b4188191559682d32939b75a8f0bad0fa7dd2d

SHA512
468f4bf0fc0de063ac22b7c27cb0ee61b78d71bcf2fd55cc25358090690915c52d19ea21658001fa77fcb7dd5de23983e25af76b78f477008077d8aeb0d7812f

Download Submit
C:\Windows\{C93F2908-103D-4f66-BB10-513518ED1218}.exe

Filesize
372KB

MD5
936b6bd8807ac2c9511ab5774cdf46a3

SHA1
84592982e7ddc876a7f9d1e17faaff6da596bfa8

SHA256
956125aafa1a2e1a9fe7085531b4188191559682d32939b75a8f0bad0fa7dd2d

SHA512
468f4bf0fc0de063ac22b7c27cb0ee61b78d71bcf2fd55cc25358090690915c52d19ea21658001fa77fcb7dd5de23983e25af76b78f477008077d8aeb0d7812f

Download Submit
C:\Windows\{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe

Filesize
372KB

MD5
645cdca1d2470e5887a16729e511989a

SHA1
59bb325f4af3347078a9a9206886a0f79ee769e1

SHA256
c6a998bd78e975384ead14f19183db1075c8d6548b4bd43434598d040272800c

SHA512
f115346817427a83b0c7cb4592cd1ad90e67590047889bae07747b522c470ae03492bdf37bfbe0a263271bee0ffd711c2ad3b47172881b312358e2086a195ac2

Download Submit
C:\Windows\{CE4C4376-584F-4c5d-BDD6-E986DFCD3A41}.exe

Filesize
372KB

MD5
645cdca1d2470e5887a16729e511989a

SHA1
59bb325f4af3347078a9a9206886a0f79ee769e1

SHA256
c6a998bd78e975384ead14f19183db1075c8d6548b4bd43434598d040272800c

SHA512
f115346817427a83b0c7cb4592cd1ad90e67590047889bae07747b522c470ae03492bdf37bfbe0a263271bee0ffd711c2ad3b47172881b312358e2086a195ac2

Download Submit
C:\Windows\{D2F087B6-71B1-400a-8F69-940861284C06}.exe

Filesize
372KB

MD5
ae4c2b590c1af633c5772e727d99ee64

SHA1
51abeb00caecb7789e8407b9c1e1d1482e26ba6d

SHA256
afa2cf1726c69cae48cc38aa1dc2597d04d35a26386afc4a40a320283e1f841c

SHA512
a8d6d73a68812fc386a3b6295e602cf16315dcdd906c6d12645e0070e3f60f97b917dcdc6617359fb981a7608374b03c9ccc887f36f536cfd5138540c6c78f36

Download Submit
C:\Windows\{D2F087B6-71B1-400a-8F69-940861284C06}.exe

Filesize
372KB

MD5
ae4c2b590c1af633c5772e727d99ee64

SHA1
51abeb00caecb7789e8407b9c1e1d1482e26ba6d

SHA256
afa2cf1726c69cae48cc38aa1dc2597d04d35a26386afc4a40a320283e1f841c

SHA512
a8d6d73a68812fc386a3b6295e602cf16315dcdd906c6d12645e0070e3f60f97b917dcdc6617359fb981a7608374b03c9ccc887f36f536cfd5138540c6c78f36

Download Submit
C:\Windows\{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe

Filesize
372KB

MD5
c31475653a0d0ccbde42678c78eec08f

SHA1
1aedf2d01441b73d2e2194838d3e4b5c7e21c2c5

SHA256
30fb370a42d06b5876169812c3e353fc8f88d8e8e612ae4858705681c46a4148

SHA512
b1307ae8ac41b2e4b02821d4a0e8469ffa5ac73c86f264b58be7046d9edd75f4fc3181dfc0583efc5280a58fc6d24ad166d8b7e87cb9821cf45fb21592875d8a

Download Submit
C:\Windows\{DB3C70C0-F54D-4d4d-B7F2-1D6C186EFDC3}.exe

Filesize
372KB

MD5
c31475653a0d0ccbde42678c78eec08f

SHA1
1aedf2d01441b73d2e2194838d3e4b5c7e21c2c5

SHA256
30fb370a42d06b5876169812c3e353fc8f88d8e8e612ae4858705681c46a4148

SHA512
b1307ae8ac41b2e4b02821d4a0e8469ffa5ac73c86f264b58be7046d9edd75f4fc3181dfc0583efc5280a58fc6d24ad166d8b7e87cb9821cf45fb21592875d8a

Download Submit