5ebd3e4c10f4b1f6eedc04303ae6bffdfc71a1b0a9472686c6acd413e8fc5a37

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06-07-2023 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

252d8c7c326f4fexeexeexeex.exe
Size

168KB
MD5

252d8c7c326f4ff5e150f13f9f63c2d2
SHA1

6fd45c9df7189d35639d8279b5379bd4e9fe349b
SHA256

5ebd3e4c10f4b1f6eedc04303ae6bffdfc71a1b0a9472686c6acd413e8fc5a37
SHA512

0867c3a7f26e426c7cd10b97ed8943fa207dcc847d2b14b07c5063b00b9ba33c8db706fedcdd7a5911dc82742c963764e658a33d21044a21bc14b02ef46c244e
SSDEEP

1536:1EGh0oGlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oGlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C811D270-E586-47c6-BF83-6C3FDC5F8959}	{F992F553-D77F-4135-A729-B5D6720E2269}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}	{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8326E8D-9F83-4f5f-9A5E-E16327E22967}\stubpath = "C:\\Windows\\{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe"	{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4450B8AF-C544-4ec6-A680-44D32D951D9F}	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}\stubpath = "C:\\Windows\\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe"	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C45089A2-FBA1-4239-AECC-C8AE03790E3A}	{65B61E71-D213-448f-967C-D266E173B9F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE605F7C-AECC-483a-8B69-6E979358A234}	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE605F7C-AECC-483a-8B69-6E979358A234}\stubpath = "C:\\Windows\\{CE605F7C-AECC-483a-8B69-6E979358A234}.exe"	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAC27369-BCFB-4c71-93F8-043D2A236EB1}	{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDF3F111-8A99-4172-90C5-993CD76A49B2}\stubpath = "C:\\Windows\\{EDF3F111-8A99-4172-90C5-993CD76A49B2}.exe"	{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65B61E71-D213-448f-967C-D266E173B9F5}\stubpath = "C:\\Windows\\{65B61E71-D213-448f-967C-D266E173B9F5}.exe"	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C45089A2-FBA1-4239-AECC-C8AE03790E3A}\stubpath = "C:\\Windows\\{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe"	{65B61E71-D213-448f-967C-D266E173B9F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}\stubpath = "C:\\Windows\\{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe"	{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AAC27369-BCFB-4c71-93F8-043D2A236EB1}\stubpath = "C:\\Windows\\{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe"	{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDF3F111-8A99-4172-90C5-993CD76A49B2}	{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F992F553-D77F-4135-A729-B5D6720E2269}\stubpath = "C:\\Windows\\{F992F553-D77F-4135-A729-B5D6720E2269}.exe"	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE404CD-1962-4c99-A65F-15287DC3306E}\stubpath = "C:\\Windows\\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe"	252d8c7c326f4fexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4450B8AF-C544-4ec6-A680-44D32D951D9F}\stubpath = "C:\\Windows\\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe"	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65B61E71-D213-448f-967C-D266E173B9F5}	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE404CD-1962-4c99-A65F-15287DC3306E}	252d8c7c326f4fexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}\stubpath = "C:\\Windows\\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe"	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F992F553-D77F-4135-A729-B5D6720E2269}	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C811D270-E586-47c6-BF83-6C3FDC5F8959}\stubpath = "C:\\Windows\\{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe"	{F992F553-D77F-4135-A729-B5D6720E2269}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F8326E8D-9F83-4f5f-9A5E-E16327E22967}	{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe

Deletes itself 1 IoCs

pid	Process
2400	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
2196	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
280	{65B61E71-D213-448f-967C-D266E173B9F5}.exe
2080	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe
2864	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe
2944	{F992F553-D77F-4135-A729-B5D6720E2269}.exe
2704	{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe
2812	{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe
2792	{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe
2508	{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe
2632	{EDF3F111-8A99-4172-90C5-993CD76A49B2}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{65B61E71-D213-448f-967C-D266E173B9F5}.exe	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
File created	C:\Windows\{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe	{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe
File created	C:\Windows\{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe	{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe
File created	C:\Windows\{EDF3F111-8A99-4172-90C5-993CD76A49B2}.exe	{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe
File created	C:\Windows\{CE605F7C-AECC-483a-8B69-6E979358A234}.exe	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe
File created	C:\Windows\{F992F553-D77F-4135-A729-B5D6720E2269}.exe	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe
File created	C:\Windows\{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe	{F992F553-D77F-4135-A729-B5D6720E2269}.exe
File created	C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	252d8c7c326f4fexeexeexeex.exe
File created	C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
File created	C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
File created	C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
File created	C:\Windows\{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe	{65B61E71-D213-448f-967C-D266E173B9F5}.exe
File created	C:\Windows\{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe	{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2396	252d8c7c326f4fexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
Token: SeIncBasePriorityPrivilege	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
Token: SeIncBasePriorityPrivilege	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
Token: SeIncBasePriorityPrivilege	2196	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
Token: SeIncBasePriorityPrivilege	280	{65B61E71-D213-448f-967C-D266E173B9F5}.exe
Token: SeIncBasePriorityPrivilege	2080	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe
Token: SeIncBasePriorityPrivilege	2864	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe
Token: SeIncBasePriorityPrivilege	2944	{F992F553-D77F-4135-A729-B5D6720E2269}.exe
Token: SeIncBasePriorityPrivilege	2704	{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe
Token: SeIncBasePriorityPrivilege	2812	{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe
Token: SeIncBasePriorityPrivilege	2792	{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe
Token: SeIncBasePriorityPrivilege	2508	{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 848	2396	252d8c7c326f4fexeexeexeex.exe	28
PID 2396 wrote to memory of 848	2396	252d8c7c326f4fexeexeexeex.exe	28
PID 2396 wrote to memory of 848	2396	252d8c7c326f4fexeexeexeex.exe	28
PID 2396 wrote to memory of 848	2396	252d8c7c326f4fexeexeexeex.exe	28
PID 2396 wrote to memory of 2400	2396	252d8c7c326f4fexeexeexeex.exe	29
PID 2396 wrote to memory of 2400	2396	252d8c7c326f4fexeexeexeex.exe	29
PID 2396 wrote to memory of 2400	2396	252d8c7c326f4fexeexeexeex.exe	29
PID 2396 wrote to memory of 2400	2396	252d8c7c326f4fexeexeexeex.exe	29
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 2320 wrote to memory of 328	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 328	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 328	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 328	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 896	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 2320 wrote to memory of 896	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 2320 wrote to memory of 896	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 2320 wrote to memory of 896	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 328 wrote to memory of 2196	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 328 wrote to memory of 2196	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 328 wrote to memory of 2196	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 328 wrote to memory of 2196	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 328 wrote to memory of 3036	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 328 wrote to memory of 3036	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 328 wrote to memory of 3036	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 328 wrote to memory of 3036	328	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 2196 wrote to memory of 280	2196	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2196 wrote to memory of 280	2196	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2196 wrote to memory of 280	2196	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2196 wrote to memory of 280	2196	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2196 wrote to memory of 2404	2196	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2196 wrote to memory of 2404	2196	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2196 wrote to memory of 2404	2196	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2196 wrote to memory of 2404	2196	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 280 wrote to memory of 2080	280	{65B61E71-D213-448f-967C-D266E173B9F5}.exe	38
PID 280 wrote to memory of 2080	280	{65B61E71-D213-448f-967C-D266E173B9F5}.exe	38
PID 280 wrote to memory of 2080	280	{65B61E71-D213-448f-967C-D266E173B9F5}.exe	38
PID 280 wrote to memory of 2080	280	{65B61E71-D213-448f-967C-D266E173B9F5}.exe	38
PID 280 wrote to memory of 2068	280	{65B61E71-D213-448f-967C-D266E173B9F5}.exe	39
PID 280 wrote to memory of 2068	280	{65B61E71-D213-448f-967C-D266E173B9F5}.exe	39
PID 280 wrote to memory of 2068	280	{65B61E71-D213-448f-967C-D266E173B9F5}.exe	39
PID 280 wrote to memory of 2068	280	{65B61E71-D213-448f-967C-D266E173B9F5}.exe	39
PID 2080 wrote to memory of 2864	2080	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe	40
PID 2080 wrote to memory of 2864	2080	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe	40
PID 2080 wrote to memory of 2864	2080	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe	40
PID 2080 wrote to memory of 2864	2080	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe	40
PID 2080 wrote to memory of 2940	2080	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe	41
PID 2080 wrote to memory of 2940	2080	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe	41
PID 2080 wrote to memory of 2940	2080	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe	41
PID 2080 wrote to memory of 2940	2080	{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe	41
PID 2864 wrote to memory of 2944	2864	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe	42
PID 2864 wrote to memory of 2944	2864	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe	42
PID 2864 wrote to memory of 2944	2864	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe	42
PID 2864 wrote to memory of 2944	2864	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe	42
PID 2864 wrote to memory of 2288	2864	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe	43
PID 2864 wrote to memory of 2288	2864	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe	43
PID 2864 wrote to memory of 2288	2864	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe	43
PID 2864 wrote to memory of 2288	2864	{CE605F7C-AECC-483a-8B69-6E979358A234}.exe	43

C:\Users\Admin\AppData\Local\Temp\252d8c7c326f4fexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\252d8c7c326f4fexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
  C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
    C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
      C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:328
    - - C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
        
        C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Windows\{65B61E71-D213-448f-967C-D266E173B9F5}.exe
        
        C:\Windows\{65B61E71-D213-448f-967C-D266E173B9F5}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe
        
        C:\Windows\{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{CE605F7C-AECC-483a-8B69-6E979358A234}.exe
        
        C:\Windows\{CE605F7C-AECC-483a-8B69-6E979358A234}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{F992F553-D77F-4135-A729-B5D6720E2269}.exe
        
        C:\Windows\{F992F553-D77F-4135-A729-B5D6720E2269}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe
        
        C:\Windows\{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe
        
        C:\Windows\{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe
        
        C:\Windows\{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe
        
        C:\Windows\{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\{EDF3F111-8A99-4172-90C5-993CD76A49B2}.exe
        
        C:\Windows\{EDF3F111-8A99-4172-90C5-993CD76A49B2}.exe
        14⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAC27~1.EXE > nul
        14⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8326~1.EXE > nul
        13⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4CB3~1.EXE > nul
        12⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C811D~1.EXE > nul
        11⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F992F~1.EXE > nul
        10⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE605~1.EXE > nul
        9⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4508~1.EXE > nul
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65B61~1.EXE > nul
        7⤵
        
        PID:2068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{233BD~1.EXE > nul
        6⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14ECD~1.EXE > nul
        5⤵
        
        PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4450B~1.EXE > nul
      4⤵
      PID:896
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9CE40~1.EXE > nul
    3⤵
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\252D8C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2400

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe

Filesize
168KB

MD5
6b0ff5c674a702320380f39681f19ee7

SHA1
37d0ed0b793d7d3a47e0e5db88231cbd1e07de58

SHA256
1a816a7f86c557b193463e9996665e4df75eed9696f2c069cf6ff2c2eb95ee95

SHA512
7b6342bf2e6fdb703227df87cc92e8d1c06ffb9a6a05deec2a8217db0af14eb1dd58d532e38b2d9581236de1e96c6d1045bae58b7bdf9f4db6090ff3e30edf14

Download Submit
C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe

Filesize
168KB

MD5
6b0ff5c674a702320380f39681f19ee7

SHA1
37d0ed0b793d7d3a47e0e5db88231cbd1e07de58

SHA256
1a816a7f86c557b193463e9996665e4df75eed9696f2c069cf6ff2c2eb95ee95

SHA512
7b6342bf2e6fdb703227df87cc92e8d1c06ffb9a6a05deec2a8217db0af14eb1dd58d532e38b2d9581236de1e96c6d1045bae58b7bdf9f4db6090ff3e30edf14

Download Submit
C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe

Filesize
168KB

MD5
3da972ab09ba76bd88ed2b09d6e070b4

SHA1
22119f1eec5d89f0076963cc6c1af15b090d5387

SHA256
06ec526be9530622cc23174e4f175ab3b09e8adf9728b475b315cd9ab2749962

SHA512
927c68700a945f6de2c844de498287d8d02122915c2d8f6dc306742b3dd957ccb816980f60b4d9474d4dc268601a3be788db0efd51768073c3d862a55f0054a9

Download Submit
C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe

Filesize
168KB

MD5
3da972ab09ba76bd88ed2b09d6e070b4

SHA1
22119f1eec5d89f0076963cc6c1af15b090d5387

SHA256
06ec526be9530622cc23174e4f175ab3b09e8adf9728b475b315cd9ab2749962

SHA512
927c68700a945f6de2c844de498287d8d02122915c2d8f6dc306742b3dd957ccb816980f60b4d9474d4dc268601a3be788db0efd51768073c3d862a55f0054a9

Download Submit
C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe

Filesize
168KB

MD5
040947a9566254739c0afa23456f44b8

SHA1
a584b734c1f05be6ece453b96795d15042f427ff

SHA256
2d4ad51481f5f18af654e67d6bc27ed787ddcab8ea1eb3eccbfd99f4d77a49f8

SHA512
d636063d8881194761b7d2b15ca9e69cefd311d95df809a70d3be794b1f752fbd2df03fb466dd3fb3b318d5fab958c2bdee1c1fd6077d5ba055211062555984a

Download Submit
C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe

Filesize
168KB

MD5
040947a9566254739c0afa23456f44b8

SHA1
a584b734c1f05be6ece453b96795d15042f427ff

SHA256
2d4ad51481f5f18af654e67d6bc27ed787ddcab8ea1eb3eccbfd99f4d77a49f8

SHA512
d636063d8881194761b7d2b15ca9e69cefd311d95df809a70d3be794b1f752fbd2df03fb466dd3fb3b318d5fab958c2bdee1c1fd6077d5ba055211062555984a

Download Submit
C:\Windows\{65B61E71-D213-448f-967C-D266E173B9F5}.exe

Filesize
168KB

MD5
d69d630d8c13b6a7bda28bbbdad9a72c

SHA1
76e23b45d3578a0336cde6dcaa0a059dd674b8cc

SHA256
2105bf08800eef7edab46af21caeaae81dc505ac0767ba9ce945f4d819258dc0

SHA512
78b6ddb4873f93c4a7850cc2ee80cb6188765cc2497386c7161122e84cbea945c4a38be861eaba5c3cc049fd978ee0f0864c99ce4f51e4a219955b190c442ce7

Download Submit
C:\Windows\{65B61E71-D213-448f-967C-D266E173B9F5}.exe

Filesize
168KB

MD5
d69d630d8c13b6a7bda28bbbdad9a72c

SHA1
76e23b45d3578a0336cde6dcaa0a059dd674b8cc

SHA256
2105bf08800eef7edab46af21caeaae81dc505ac0767ba9ce945f4d819258dc0

SHA512
78b6ddb4873f93c4a7850cc2ee80cb6188765cc2497386c7161122e84cbea945c4a38be861eaba5c3cc049fd978ee0f0864c99ce4f51e4a219955b190c442ce7

Download Submit
C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe

Filesize
168KB

MD5
f118492f40f78dcc6f0444ff1d21b2be

SHA1
062c8239adfd605634cec0c06d4cc4fc8ffc1a37

SHA256
1dc485ad7865dbcd7547876fac4c3d71a4a8a12e0a60ff4d67d5d11a891e2e48

SHA512
676b8eeffbe7ac305491f453ce8a017169ebc8d6849be0a86a187df57fa5a93f1851fe1bfe3b31fb53309c61fde8948c1d30d45b235c4c0ba326597d0b4382f2

Download Submit
C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe

Filesize
168KB

MD5
f118492f40f78dcc6f0444ff1d21b2be

SHA1
062c8239adfd605634cec0c06d4cc4fc8ffc1a37

SHA256
1dc485ad7865dbcd7547876fac4c3d71a4a8a12e0a60ff4d67d5d11a891e2e48

SHA512
676b8eeffbe7ac305491f453ce8a017169ebc8d6849be0a86a187df57fa5a93f1851fe1bfe3b31fb53309c61fde8948c1d30d45b235c4c0ba326597d0b4382f2

Download Submit
C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe

Filesize
168KB

MD5
f118492f40f78dcc6f0444ff1d21b2be

SHA1
062c8239adfd605634cec0c06d4cc4fc8ffc1a37

SHA256
1dc485ad7865dbcd7547876fac4c3d71a4a8a12e0a60ff4d67d5d11a891e2e48

SHA512
676b8eeffbe7ac305491f453ce8a017169ebc8d6849be0a86a187df57fa5a93f1851fe1bfe3b31fb53309c61fde8948c1d30d45b235c4c0ba326597d0b4382f2

Download Submit
C:\Windows\{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe

Filesize
168KB

MD5
32ced55cc4f5892c77687d2a18e14263

SHA1
84735b60fd984be15b58ec48caedcd8148c7466e

SHA256
0ed68dc528c591d5db64458eb9a61d9efe60f4d4f38b2f51326c9ab499d70159

SHA512
f6efc244232f03862c92f8c652eddfc8abc690cf6e8354e07b305d5f056f2dfb595f40490a7d6f78d83e97155ab88e9f5e465a0f6056db26918a384ce734fb1e

Download Submit
C:\Windows\{AAC27369-BCFB-4c71-93F8-043D2A236EB1}.exe

Filesize
168KB

MD5
32ced55cc4f5892c77687d2a18e14263

SHA1
84735b60fd984be15b58ec48caedcd8148c7466e

SHA256
0ed68dc528c591d5db64458eb9a61d9efe60f4d4f38b2f51326c9ab499d70159

SHA512
f6efc244232f03862c92f8c652eddfc8abc690cf6e8354e07b305d5f056f2dfb595f40490a7d6f78d83e97155ab88e9f5e465a0f6056db26918a384ce734fb1e

Download Submit
C:\Windows\{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe

Filesize
168KB

MD5
09acefe34e49e6fd3a4b93b37ff85e50

SHA1
c40be002d1c74b6570d066acd9934da1c04c9966

SHA256
68f6648e2ba853828ed2da9832ff553f79ca2cca1ee66da00b99607fff5f6751

SHA512
9c73b6e2cd52090712a9f7e66fc7170f29e1c5c0f8ad75b274dd50a36db535df527d67200a482ae805d5d086ee08c361e173b6059520357a157234a42a7b963d

Download Submit
C:\Windows\{B4CB339B-3CE7-4cb7-B32E-1D5BDCD61A5F}.exe

Filesize
168KB

MD5
09acefe34e49e6fd3a4b93b37ff85e50

SHA1
c40be002d1c74b6570d066acd9934da1c04c9966

SHA256
68f6648e2ba853828ed2da9832ff553f79ca2cca1ee66da00b99607fff5f6751

SHA512
9c73b6e2cd52090712a9f7e66fc7170f29e1c5c0f8ad75b274dd50a36db535df527d67200a482ae805d5d086ee08c361e173b6059520357a157234a42a7b963d

Download Submit
C:\Windows\{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe

Filesize
168KB

MD5
e65c5dcdfe4543f3aa19efe2ea606ce3

SHA1
450e2ed09908a2aed618836eadf907b49caf8f70

SHA256
9301161df30eb4f12bdbe903efc14e7d69a168eaa69582732815e17aba024390

SHA512
43b7b13c76ffb1da1350f5b89bba96b5b836c33c22c41a8a1f7c4d3602e39dde1b763238cf6328ba3cbc549386c1c80502feaac3ce50e3afafc954973de57b1d

Download Submit
C:\Windows\{C45089A2-FBA1-4239-AECC-C8AE03790E3A}.exe

Filesize
168KB

MD5
e65c5dcdfe4543f3aa19efe2ea606ce3

SHA1
450e2ed09908a2aed618836eadf907b49caf8f70

SHA256
9301161df30eb4f12bdbe903efc14e7d69a168eaa69582732815e17aba024390

SHA512
43b7b13c76ffb1da1350f5b89bba96b5b836c33c22c41a8a1f7c4d3602e39dde1b763238cf6328ba3cbc549386c1c80502feaac3ce50e3afafc954973de57b1d

Download Submit
C:\Windows\{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe

Filesize
168KB

MD5
6fc9cc0e7b3c1fbb997ed7b05032d536

SHA1
c448bc359341fcf5d7ed93e1271d19ca778401ea

SHA256
9ebe8f669c3fbf77333a74b0739f4344557d7db96f594bbe428a690b235873d3

SHA512
9bfe877061edccea2e156b98859bcb81c279c467b8fa8f9ced553b9536146e249e0c5cc7c839f733af315e2dd8609036871e795456d1436abb0f8bc58adc7db9

Download Submit
C:\Windows\{C811D270-E586-47c6-BF83-6C3FDC5F8959}.exe

Filesize
168KB

MD5
6fc9cc0e7b3c1fbb997ed7b05032d536

SHA1
c448bc359341fcf5d7ed93e1271d19ca778401ea

SHA256
9ebe8f669c3fbf77333a74b0739f4344557d7db96f594bbe428a690b235873d3

SHA512
9bfe877061edccea2e156b98859bcb81c279c467b8fa8f9ced553b9536146e249e0c5cc7c839f733af315e2dd8609036871e795456d1436abb0f8bc58adc7db9

Download Submit
C:\Windows\{CE605F7C-AECC-483a-8B69-6E979358A234}.exe

Filesize
168KB

MD5
c448de6398442876b11e96d364113b38

SHA1
f625cea952b5ebcbf02867a2ef2de738f0cb1c67

SHA256
f6525fea27947fd14ee012e7349de18cdb07fcd9c0374d518d261d8cc78586cd

SHA512
a0e38d40edc9813a2037591dba3615e8b4ce227dcc0435b86a3ce90cc3033485868fea5623ea9c8ed2ea65f302c2be8992f5602526ffc991174d234c57708e26

Download Submit
C:\Windows\{CE605F7C-AECC-483a-8B69-6E979358A234}.exe

Filesize
168KB

MD5
c448de6398442876b11e96d364113b38

SHA1
f625cea952b5ebcbf02867a2ef2de738f0cb1c67

SHA256
f6525fea27947fd14ee012e7349de18cdb07fcd9c0374d518d261d8cc78586cd

SHA512
a0e38d40edc9813a2037591dba3615e8b4ce227dcc0435b86a3ce90cc3033485868fea5623ea9c8ed2ea65f302c2be8992f5602526ffc991174d234c57708e26

Download Submit
C:\Windows\{EDF3F111-8A99-4172-90C5-993CD76A49B2}.exe

Filesize
168KB

MD5
567a0882d6678afc35ca80b9422c5bee

SHA1
9b9dd5237367c58d858577669394fd5503fc9d76

SHA256
1bc75022a9e10bbe8200399f6ef3f7da7fc3345fb7714da34710c0c38002888a

SHA512
da3478efbec15fcbee14a584657db255bc30c173c61e011f80e741a8e8e6c8289122ea6719dd4a4163ad5fd2f0364eded9c113607d4bffa4a10c735877f7fe5e

Download Submit
C:\Windows\{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe

Filesize
168KB

MD5
f7b2caf5f9e734483d6a73016b5285e3

SHA1
fbc7be4429a181d34721b32a093c7ec433c3e484

SHA256
fce93168b98459700b2c6bb406adeeb709da92b5ec0a43a7ff80fe5e3353f553

SHA512
01ddd8bd0bbc8c2101f401def719e79e4f6d02f487b1309cecb0ef24ce6308d39f4f5754013b6eefcde4d267771f896374c4094fbc6794735cc7aa8a9374ad80

Download Submit
C:\Windows\{F8326E8D-9F83-4f5f-9A5E-E16327E22967}.exe

Filesize
168KB

MD5
f7b2caf5f9e734483d6a73016b5285e3

SHA1
fbc7be4429a181d34721b32a093c7ec433c3e484

SHA256
fce93168b98459700b2c6bb406adeeb709da92b5ec0a43a7ff80fe5e3353f553

SHA512
01ddd8bd0bbc8c2101f401def719e79e4f6d02f487b1309cecb0ef24ce6308d39f4f5754013b6eefcde4d267771f896374c4094fbc6794735cc7aa8a9374ad80

Download Submit
C:\Windows\{F992F553-D77F-4135-A729-B5D6720E2269}.exe

Filesize
168KB

MD5
345ca612ccd35fa1f8c403ce22f30b4c

SHA1
526fe2eca098b1ccd13502971ca10c6960d21406

SHA256
4c8d118e36b02510e53c0d6a3902a5e239025d9987783ad707b6fdf7aa098ea1

SHA512
62265bfe20ae29426eec5ec14f441449a99892d1d56cdc68ab2ebbcc0c858d3f265edea2165b8fc98f28e215e927f5ffb48d25e1c408d8dba9807f9f01cb9f52

Download Submit
C:\Windows\{F992F553-D77F-4135-A729-B5D6720E2269}.exe

Filesize
168KB

MD5
345ca612ccd35fa1f8c403ce22f30b4c

SHA1
526fe2eca098b1ccd13502971ca10c6960d21406

SHA256
4c8d118e36b02510e53c0d6a3902a5e239025d9987783ad707b6fdf7aa098ea1

SHA512
62265bfe20ae29426eec5ec14f441449a99892d1d56cdc68ab2ebbcc0c858d3f265edea2165b8fc98f28e215e927f5ffb48d25e1c408d8dba9807f9f01cb9f52

Download Submit