00900b0e80b0093bcb316c7607506e471c4cd7dae396facda19706d7fff5a70b

Analysis

max time kernel
151s
max time network
34s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 13:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

99c3fb5b420f33exeexeexeex.exe
Size

408KB
MD5

99c3fb5b420f33c78b98ace7fc06753a
SHA1

281a89c3dd8b4a8d02418cc3fde4de4140b3960f
SHA256

00900b0e80b0093bcb316c7607506e471c4cd7dae396facda19706d7fff5a70b
SHA512

e11ab5da9a09815e4e30b04ded7c9ac0e4f99a53078e8895db4c200839407b1ad34fe7cfd8b16b28323b7a381a14642973ecc7fdc265068d3fe187b83fa979af
SSDEEP

3072:CEGh0o+l3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGcldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}\stubpath = "C:\\Windows\\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe"	99c3fb5b420f33exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}\stubpath = "C:\\Windows\\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe"	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{837FBAC4-6CA4-4ff5-A169-468CC0630B83}\stubpath = "C:\\Windows\\{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe"	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}\stubpath = "C:\\Windows\\{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe"	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C613541-BC82-4b62-8580-91945C402D3C}\stubpath = "C:\\Windows\\{3C613541-BC82-4b62-8580-91945C402D3C}.exe"	{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{480B06FA-5971-4b1c-8DD5-E722C15F141C}	{3C613541-BC82-4b62-8580-91945C402D3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}\stubpath = "C:\\Windows\\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe"	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{837FBAC4-6CA4-4ff5-A169-468CC0630B83}	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14B615E6-0ECB-439e-81B0-0C585B415D30}\stubpath = "C:\\Windows\\{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe"	{49294579-6700-4919-A693-327FB6E36518}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BD2A462-90B9-495a-887F-5CA6C0D0F298}	{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35FFC18C-FF7B-4b87-8F94-D692CF253671}\stubpath = "C:\\Windows\\{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe"	{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0BD2A462-90B9-495a-887F-5CA6C0D0F298}\stubpath = "C:\\Windows\\{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe"	{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49294579-6700-4919-A693-327FB6E36518}\stubpath = "C:\\Windows\\{49294579-6700-4919-A693-327FB6E36518}.exe"	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14B615E6-0ECB-439e-81B0-0C585B415D30}	{49294579-6700-4919-A693-327FB6E36518}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}\stubpath = "C:\\Windows\\{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe"	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}	{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35FFC18C-FF7B-4b87-8F94-D692CF253671}	{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C613541-BC82-4b62-8580-91945C402D3C}	{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{480B06FA-5971-4b1c-8DD5-E722C15F141C}\stubpath = "C:\\Windows\\{480B06FA-5971-4b1c-8DD5-E722C15F141C}.exe"	{3C613541-BC82-4b62-8580-91945C402D3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}	99c3fb5b420f33exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49294579-6700-4919-A693-327FB6E36518}	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}\stubpath = "C:\\Windows\\{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe"	{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2308	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
2944	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
540	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
2000	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe
2260	{49294579-6700-4919-A693-327FB6E36518}.exe
2240	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe
896	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe
2196	{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe
1016	{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe
2688	{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe
2728	{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe
2752	{3C613541-BC82-4b62-8580-91945C402D3C}.exe
1940	{480B06FA-5971-4b1c-8DD5-E722C15F141C}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
File created	C:\Windows\{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe
File created	C:\Windows\{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe	{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe
File created	C:\Windows\{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe	{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe
File created	C:\Windows\{3C613541-BC82-4b62-8580-91945C402D3C}.exe	{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe
File created	C:\Windows\{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe
File created	C:\Windows\{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe	{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe
File created	C:\Windows\{480B06FA-5971-4b1c-8DD5-E722C15F141C}.exe	{3C613541-BC82-4b62-8580-91945C402D3C}.exe
File created	C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	99c3fb5b420f33exeexeexeex.exe
File created	C:\Windows\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
File created	C:\Windows\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
File created	C:\Windows\{49294579-6700-4919-A693-327FB6E36518}.exe	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe
File created	C:\Windows\{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe	{49294579-6700-4919-A693-327FB6E36518}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2392	99c3fb5b420f33exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2308	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
Token: SeIncBasePriorityPrivilege	2944	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
Token: SeIncBasePriorityPrivilege	540	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
Token: SeIncBasePriorityPrivilege	2000	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe
Token: SeIncBasePriorityPrivilege	2260	{49294579-6700-4919-A693-327FB6E36518}.exe
Token: SeIncBasePriorityPrivilege	2240	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe
Token: SeIncBasePriorityPrivilege	896	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe
Token: SeIncBasePriorityPrivilege	2196	{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe
Token: SeIncBasePriorityPrivilege	1016	{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe
Token: SeIncBasePriorityPrivilege	2688	{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe
Token: SeIncBasePriorityPrivilege	2728	{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe
Token: SeIncBasePriorityPrivilege	2752	{3C613541-BC82-4b62-8580-91945C402D3C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2308	2392	99c3fb5b420f33exeexeexeex.exe	28
PID 2392 wrote to memory of 2308	2392	99c3fb5b420f33exeexeexeex.exe	28
PID 2392 wrote to memory of 2308	2392	99c3fb5b420f33exeexeexeex.exe	28
PID 2392 wrote to memory of 2308	2392	99c3fb5b420f33exeexeexeex.exe	28
PID 2392 wrote to memory of 2932	2392	99c3fb5b420f33exeexeexeex.exe	29
PID 2392 wrote to memory of 2932	2392	99c3fb5b420f33exeexeexeex.exe	29
PID 2392 wrote to memory of 2932	2392	99c3fb5b420f33exeexeexeex.exe	29
PID 2392 wrote to memory of 2932	2392	99c3fb5b420f33exeexeexeex.exe	29
PID 2308 wrote to memory of 2944	2308	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	30
PID 2308 wrote to memory of 2944	2308	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	30
PID 2308 wrote to memory of 2944	2308	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	30
PID 2308 wrote to memory of 2944	2308	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	30
PID 2308 wrote to memory of 3060	2308	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	31
PID 2308 wrote to memory of 3060	2308	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	31
PID 2308 wrote to memory of 3060	2308	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	31
PID 2308 wrote to memory of 3060	2308	{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe	31
PID 2944 wrote to memory of 540	2944	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	32
PID 2944 wrote to memory of 540	2944	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	32
PID 2944 wrote to memory of 540	2944	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	32
PID 2944 wrote to memory of 540	2944	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	32
PID 2944 wrote to memory of 1292	2944	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	33
PID 2944 wrote to memory of 1292	2944	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	33
PID 2944 wrote to memory of 1292	2944	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	33
PID 2944 wrote to memory of 1292	2944	{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe	33
PID 540 wrote to memory of 2000	540	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	34
PID 540 wrote to memory of 2000	540	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	34
PID 540 wrote to memory of 2000	540	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	34
PID 540 wrote to memory of 2000	540	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	34
PID 540 wrote to memory of 2552	540	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	35
PID 540 wrote to memory of 2552	540	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	35
PID 540 wrote to memory of 2552	540	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	35
PID 540 wrote to memory of 2552	540	{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe	35
PID 2000 wrote to memory of 2260	2000	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe	36
PID 2000 wrote to memory of 2260	2000	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe	36
PID 2000 wrote to memory of 2260	2000	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe	36
PID 2000 wrote to memory of 2260	2000	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe	36
PID 2000 wrote to memory of 1136	2000	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe	37
PID 2000 wrote to memory of 1136	2000	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe	37
PID 2000 wrote to memory of 1136	2000	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe	37
PID 2000 wrote to memory of 1136	2000	{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe	37
PID 2260 wrote to memory of 2240	2260	{49294579-6700-4919-A693-327FB6E36518}.exe	38
PID 2260 wrote to memory of 2240	2260	{49294579-6700-4919-A693-327FB6E36518}.exe	38
PID 2260 wrote to memory of 2240	2260	{49294579-6700-4919-A693-327FB6E36518}.exe	38
PID 2260 wrote to memory of 2240	2260	{49294579-6700-4919-A693-327FB6E36518}.exe	38
PID 2260 wrote to memory of 1596	2260	{49294579-6700-4919-A693-327FB6E36518}.exe	39
PID 2260 wrote to memory of 1596	2260	{49294579-6700-4919-A693-327FB6E36518}.exe	39
PID 2260 wrote to memory of 1596	2260	{49294579-6700-4919-A693-327FB6E36518}.exe	39
PID 2260 wrote to memory of 1596	2260	{49294579-6700-4919-A693-327FB6E36518}.exe	39
PID 2240 wrote to memory of 896	2240	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe	40
PID 2240 wrote to memory of 896	2240	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe	40
PID 2240 wrote to memory of 896	2240	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe	40
PID 2240 wrote to memory of 896	2240	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe	40
PID 2240 wrote to memory of 572	2240	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe	41
PID 2240 wrote to memory of 572	2240	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe	41
PID 2240 wrote to memory of 572	2240	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe	41
PID 2240 wrote to memory of 572	2240	{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe	41
PID 896 wrote to memory of 2196	896	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe	42
PID 896 wrote to memory of 2196	896	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe	42
PID 896 wrote to memory of 2196	896	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe	42
PID 896 wrote to memory of 2196	896	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe	42
PID 896 wrote to memory of 2300	896	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe	43
PID 896 wrote to memory of 2300	896	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe	43
PID 896 wrote to memory of 2300	896	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe	43
PID 896 wrote to memory of 2300	896	{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe	43

C:\Users\Admin\AppData\Local\Temp\99c3fb5b420f33exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\99c3fb5b420f33exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
  C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
    C:\Windows\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
      C:\Windows\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:540
    - - C:\Windows\{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe
        
        C:\Windows\{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2000
      - C:\Windows\{49294579-6700-4919-A693-327FB6E36518}.exe
        
        C:\Windows\{49294579-6700-4919-A693-327FB6E36518}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe
        
        C:\Windows\{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe
        
        C:\Windows\{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe
        
        C:\Windows\{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe
        
        C:\Windows\{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe
        
        C:\Windows\{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe
        
        C:\Windows\{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{3C613541-BC82-4b62-8580-91945C402D3C}.exe
        
        C:\Windows\{3C613541-BC82-4b62-8580-91945C402D3C}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\{480B06FA-5971-4b1c-8DD5-E722C15F141C}.exe
        
        C:\Windows\{480B06FA-5971-4b1c-8DD5-E722C15F141C}.exe
        14⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C613~1.EXE > nul
        14⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0BD2A~1.EXE > nul
        13⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35FFC~1.EXE > nul
        12⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F2E9~1.EXE > nul
        11⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D58B3~1.EXE > nul
        10⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C850~1.EXE > nul
        9⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14B61~1.EXE > nul
        8⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49294~1.EXE > nul
        7⤵
        
        PID:1596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{837FB~1.EXE > nul
        6⤵
        
        PID:1136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44F21~1.EXE > nul
        5⤵
        
        PID:2552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{882EC~1.EXE > nul
      4⤵
      PID:1292
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{17CFE~1.EXE > nul
    3⤵
    PID:3060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\99C3FB~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe

Filesize
408KB

MD5
c7af4d05d067b9a9382826db420825c6

SHA1
253aee1984a13b7aba931b92f1ed5cc8a0597b08

SHA256
589ba622443e2e653f78f5bb5dfd3844f72433f55822ccb4c140f03f21d9960c

SHA512
ccf71e6121fca5a647fa90e325324ae840b061cc656766af3f0200b2770287c6f53f17df28bac00905fd876641b39e4e352232383050a7ab55cba3dc3be2ec6d

Download Submit
C:\Windows\{0BD2A462-90B9-495a-887F-5CA6C0D0F298}.exe

Filesize
408KB

MD5
c7af4d05d067b9a9382826db420825c6

SHA1
253aee1984a13b7aba931b92f1ed5cc8a0597b08

SHA256
589ba622443e2e653f78f5bb5dfd3844f72433f55822ccb4c140f03f21d9960c

SHA512
ccf71e6121fca5a647fa90e325324ae840b061cc656766af3f0200b2770287c6f53f17df28bac00905fd876641b39e4e352232383050a7ab55cba3dc3be2ec6d

Download Submit
C:\Windows\{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe

Filesize
408KB

MD5
c51fcec0dce2541317c9b13faf949cd5

SHA1
ed33b75043125e79046a4a22d86dbae874572be4

SHA256
9e59ff436344cff362ca81afc18f4a5a0cd39b5d7dfa742525373d8c65397658

SHA512
51ec714ff505f3881a7fdafdde99dd342d66f3e16b82caa23bcb55b6f14b4173b6c688cb368402158f6e92999a217b212ea1d3794d7ef1102d29873a739b0334

Download Submit
C:\Windows\{14B615E6-0ECB-439e-81B0-0C585B415D30}.exe

Filesize
408KB

MD5
c51fcec0dce2541317c9b13faf949cd5

SHA1
ed33b75043125e79046a4a22d86dbae874572be4

SHA256
9e59ff436344cff362ca81afc18f4a5a0cd39b5d7dfa742525373d8c65397658

SHA512
51ec714ff505f3881a7fdafdde99dd342d66f3e16b82caa23bcb55b6f14b4173b6c688cb368402158f6e92999a217b212ea1d3794d7ef1102d29873a739b0334

Download Submit
C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe

Filesize
408KB

MD5
fdaaa359b43a19eb98539413caf4fa06

SHA1
626d1b7b2331d8fdc93d7055efed2cb1974d4b9b

SHA256
08968ef6f58d63fae82538cae0897bcd899355b6faec94d4278f34fc1a1d0da2

SHA512
aa9e8616391cb41f6f466eadfda11d7b6e3d11356bb084f2a926f3cabc61cf4d351e5c8356cde851c37675ab3263950f736ab42802711c38e3e98da7aa284fb3

Download Submit
C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe

Filesize
408KB

MD5
fdaaa359b43a19eb98539413caf4fa06

SHA1
626d1b7b2331d8fdc93d7055efed2cb1974d4b9b

SHA256
08968ef6f58d63fae82538cae0897bcd899355b6faec94d4278f34fc1a1d0da2

SHA512
aa9e8616391cb41f6f466eadfda11d7b6e3d11356bb084f2a926f3cabc61cf4d351e5c8356cde851c37675ab3263950f736ab42802711c38e3e98da7aa284fb3

Download Submit
C:\Windows\{17CFE46F-7B60-4900-A2C0-4F9E7F182708}.exe

Filesize
408KB

MD5
fdaaa359b43a19eb98539413caf4fa06

SHA1
626d1b7b2331d8fdc93d7055efed2cb1974d4b9b

SHA256
08968ef6f58d63fae82538cae0897bcd899355b6faec94d4278f34fc1a1d0da2

SHA512
aa9e8616391cb41f6f466eadfda11d7b6e3d11356bb084f2a926f3cabc61cf4d351e5c8356cde851c37675ab3263950f736ab42802711c38e3e98da7aa284fb3

Download Submit
C:\Windows\{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe

Filesize
408KB

MD5
d5dc7c39300959eb0891e393a9cf02c4

SHA1
a2a50c3ca11e9ae99060beb1ea7350df86cb51cc

SHA256
1b0ceee188e130b4758a5d292cb074f1aea4e8be8715e0986479596f8295239a

SHA512
5bfa658912ae909f2fabd5d54fcccecb2e9d58b2cd47594d0bc4c84406db72b572655251a8bb17da00cb2583af53d31985527aa345d068b724db17bd0cd51c80

Download Submit
C:\Windows\{35FFC18C-FF7B-4b87-8F94-D692CF253671}.exe

Filesize
408KB

MD5
d5dc7c39300959eb0891e393a9cf02c4

SHA1
a2a50c3ca11e9ae99060beb1ea7350df86cb51cc

SHA256
1b0ceee188e130b4758a5d292cb074f1aea4e8be8715e0986479596f8295239a

SHA512
5bfa658912ae909f2fabd5d54fcccecb2e9d58b2cd47594d0bc4c84406db72b572655251a8bb17da00cb2583af53d31985527aa345d068b724db17bd0cd51c80

Download Submit
C:\Windows\{3C613541-BC82-4b62-8580-91945C402D3C}.exe

Filesize
408KB

MD5
0c8f8c5758de984dae4829128b98d374

SHA1
9390a891d51e6e9dba3d31f63c84594608a39a23

SHA256
587d3997a6641ae3b206c2feda08dc4a00610ab02a350a3a43ba2485fd15e4f8

SHA512
cbd6399a6e5ec06d5c77162c5e37ba989850cd180f4e5fd7736681a2ffd3fb1f75758ef22a59efbe86989a52798d2ff5321a89413762500ba76d1d85a6534768

Download Submit
C:\Windows\{3C613541-BC82-4b62-8580-91945C402D3C}.exe

Filesize
408KB

MD5
0c8f8c5758de984dae4829128b98d374

SHA1
9390a891d51e6e9dba3d31f63c84594608a39a23

SHA256
587d3997a6641ae3b206c2feda08dc4a00610ab02a350a3a43ba2485fd15e4f8

SHA512
cbd6399a6e5ec06d5c77162c5e37ba989850cd180f4e5fd7736681a2ffd3fb1f75758ef22a59efbe86989a52798d2ff5321a89413762500ba76d1d85a6534768

Download Submit
C:\Windows\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe

Filesize
408KB

MD5
0c91498a8580e94f1af245e10ac8c288

SHA1
83cb0771eaefdc2ba31bb0f7c2d0904bd3eff223

SHA256
bdf926fc87b912479c3d3e31e952abaf3e6e3574534395a1401406d616382c48

SHA512
2962d6c736a1d9d06957a7174f3be03ff4a2c7953f745ce3b732ea96d5f788049b4aeb1c4e504c33fb18d76d7f77a4b9ba608b5690f3a3a7e310391cec8c8d4a

Download Submit
C:\Windows\{44F212A1-6B97-4453-A5F5-F8062FF51D5F}.exe

Filesize
408KB

MD5
0c91498a8580e94f1af245e10ac8c288

SHA1
83cb0771eaefdc2ba31bb0f7c2d0904bd3eff223

SHA256
bdf926fc87b912479c3d3e31e952abaf3e6e3574534395a1401406d616382c48

SHA512
2962d6c736a1d9d06957a7174f3be03ff4a2c7953f745ce3b732ea96d5f788049b4aeb1c4e504c33fb18d76d7f77a4b9ba608b5690f3a3a7e310391cec8c8d4a

Download Submit
C:\Windows\{480B06FA-5971-4b1c-8DD5-E722C15F141C}.exe

Filesize
408KB

MD5
7214a7344a3deac824690d46248a0703

SHA1
ff1e06cc5d3450bcb04413a99bda28a09d1ed67d

SHA256
85bd0b4335f94007632bc54e27db693b57874e9b33feaf393e55e3e941440935

SHA512
152efa129c6c93b4bf466ec69cf1e801c1784632b863be094f5a6fb0ebe55f37005edb3e7d2afc86a4ce44cd520276b5b7aa8d8d353c7c25b40d9ed87e00ad95

Download Submit
C:\Windows\{49294579-6700-4919-A693-327FB6E36518}.exe

Filesize
408KB

MD5
5d3f7759163b998e841481ecdf982325

SHA1
0c813950de3e4ef83e400f3b416f95c32588d0e7

SHA256
b9e57c1e29fc639ec0e80828f106480eb649ec3abeb190b950b4c15c63d0df92

SHA512
6f988d6a46cf9319fb185cb385432ea10a9d045e5c202b198491902277b7b1f2d5851e8ee3a00a282ca17fbca4559832f779dc7bce6d7f96ba7de923cabc0101

Download Submit
C:\Windows\{49294579-6700-4919-A693-327FB6E36518}.exe

Filesize
408KB

MD5
5d3f7759163b998e841481ecdf982325

SHA1
0c813950de3e4ef83e400f3b416f95c32588d0e7

SHA256
b9e57c1e29fc639ec0e80828f106480eb649ec3abeb190b950b4c15c63d0df92

SHA512
6f988d6a46cf9319fb185cb385432ea10a9d045e5c202b198491902277b7b1f2d5851e8ee3a00a282ca17fbca4559832f779dc7bce6d7f96ba7de923cabc0101

Download Submit
C:\Windows\{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe

Filesize
408KB

MD5
b0c540bb7011167e2ba21c40921dd5ba

SHA1
3efd99c2540a80a830ba298014150680dc272aee

SHA256
18ca4eaac90f4db2d3fcdfb93081b3983b950f484da7baac0c68ff2ff68e0e51

SHA512
2d80a241fa218eaade657a055e105bd95e9ebb000ded6f602ba62ccefe08e0ff3b51a0c14c764f660c9684570a167c01ad1df72db9124a4b4808e6f64438881b

Download Submit
C:\Windows\{5F2E955A-F2C0-4ac3-8037-E5538E57B3FA}.exe

Filesize
408KB

MD5
b0c540bb7011167e2ba21c40921dd5ba

SHA1
3efd99c2540a80a830ba298014150680dc272aee

SHA256
18ca4eaac90f4db2d3fcdfb93081b3983b950f484da7baac0c68ff2ff68e0e51

SHA512
2d80a241fa218eaade657a055e105bd95e9ebb000ded6f602ba62ccefe08e0ff3b51a0c14c764f660c9684570a167c01ad1df72db9124a4b4808e6f64438881b

Download Submit
C:\Windows\{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe

Filesize
408KB

MD5
0198c8264615613d3d77b2984d454cfc

SHA1
23351dba2fd45b4c0936203d0665bac07f45d44e

SHA256
bf29fdc34a84d4592900c61ad5c23767c2d8562d116f6e47d2926cb020846db4

SHA512
ca7241b313f66eedae56975ef6d35cd9cc660201afaa40ab3b5058e934142804baa78cfbd30d55317550e4dedbaa5242a26fe6ac341e5381e748bd217790b2f2

Download Submit
C:\Windows\{6C850190-F39F-4bcd-92ED-5E85CA8E6B7C}.exe

Filesize
408KB

MD5
0198c8264615613d3d77b2984d454cfc

SHA1
23351dba2fd45b4c0936203d0665bac07f45d44e

SHA256
bf29fdc34a84d4592900c61ad5c23767c2d8562d116f6e47d2926cb020846db4

SHA512
ca7241b313f66eedae56975ef6d35cd9cc660201afaa40ab3b5058e934142804baa78cfbd30d55317550e4dedbaa5242a26fe6ac341e5381e748bd217790b2f2

Download Submit
C:\Windows\{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe

Filesize
408KB

MD5
4729c9afc7cdf30404fd23438ce247d2

SHA1
08126d443dbf7c27abab0a73cb380ecde9c9dbb5

SHA256
691a9c6527baa9c9784002aac779d43276b1a8983d3177c48eecc97440e35b64

SHA512
365899aa009e17655feac5c4784a9388d73de9afc12dd7134a29a43fa261fe16d4371e17ab8e2e74875b425f4ed6e24291a7ab66e4ae24cc000224c8a238d534

Download Submit
C:\Windows\{837FBAC4-6CA4-4ff5-A169-468CC0630B83}.exe

Filesize
408KB

MD5
4729c9afc7cdf30404fd23438ce247d2

SHA1
08126d443dbf7c27abab0a73cb380ecde9c9dbb5

SHA256
691a9c6527baa9c9784002aac779d43276b1a8983d3177c48eecc97440e35b64

SHA512
365899aa009e17655feac5c4784a9388d73de9afc12dd7134a29a43fa261fe16d4371e17ab8e2e74875b425f4ed6e24291a7ab66e4ae24cc000224c8a238d534

Download Submit
C:\Windows\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe

Filesize
408KB

MD5
29de9ef07dd58174b45fdd3491d7df72

SHA1
e104a0758774b6d9048b2275c191c30cd3371c67

SHA256
4c28344380bf15b3fc7051b6a5edfe914692619b7a1463eb4556b438f152ee06

SHA512
83755e966c37a88f1bb9562281bac5293b93db000e54861977205efbdb2b6d7ca675c61ec630d8d6181509ad47f256e1aec2b579ea847505f865f07853ee6382

Download Submit
C:\Windows\{882EC4DC-0227-4b24-8302-D3F94FB7EA89}.exe

Filesize
408KB

MD5
29de9ef07dd58174b45fdd3491d7df72

SHA1
e104a0758774b6d9048b2275c191c30cd3371c67

SHA256
4c28344380bf15b3fc7051b6a5edfe914692619b7a1463eb4556b438f152ee06

SHA512
83755e966c37a88f1bb9562281bac5293b93db000e54861977205efbdb2b6d7ca675c61ec630d8d6181509ad47f256e1aec2b579ea847505f865f07853ee6382

Download Submit
C:\Windows\{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe

Filesize
408KB

MD5
69205accf713d008841fe9234955fc5f

SHA1
280a4991410d17705a1778ee674c10b29c1a373c

SHA256
39244b5670850f744a1fbbe379ec839c5e72f4fddfaef03609d241ed3a28fff0

SHA512
e3d6e5f4cc5c82bb94996d2bb2d5c2dedce33ad6605b20c0abe4fd4b56b87f462e53095101097ef02d2e42058c4895280a5e7b6a38a0aa1823425e8e7be56ec7

Download Submit
C:\Windows\{D58B3B25-245B-4e9e-94C9-D5E09F5C8DD6}.exe

Filesize
408KB

MD5
69205accf713d008841fe9234955fc5f

SHA1
280a4991410d17705a1778ee674c10b29c1a373c

SHA256
39244b5670850f744a1fbbe379ec839c5e72f4fddfaef03609d241ed3a28fff0

SHA512
e3d6e5f4cc5c82bb94996d2bb2d5c2dedce33ad6605b20c0abe4fd4b56b87f462e53095101097ef02d2e42058c4895280a5e7b6a38a0aa1823425e8e7be56ec7

Download Submit