e55ed4bd21848f12b76f39a4fdfd447dec40a23ff21a6669dd6072c6b967ac25

Analysis

max time kernel
146s
max time network
80s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 14:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c5254ee4c7f095exeexeexeex.exe
Size

204KB
MD5

c5254ee4c7f0953d7d3ac0f129a608c4
SHA1

4b4c65d1c78ee586aa71f8d7202b742a18cff55d
SHA256

e55ed4bd21848f12b76f39a4fdfd447dec40a23ff21a6669dd6072c6b967ac25
SHA512

d4ecb9d3a97a20df2939f785f1c77da91ad1be50eaae0f9eea54d4d9a2352b72be21d216e1857a0197494bc8a160501b198a4d70c000d614836a5ac4ed9e1f15
SSDEEP

1536:1EGh0ofl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ofl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FA61140-0D8D-4969-847A-A5F91997A06B}\stubpath = "C:\\Windows\\{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe"	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7249025-5DE8-4b55-ACA0-C577EDFFF715}	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DB98C09-AA01-48f5-BB60-962DB5E2604B}	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F931286-0809-4ec0-AA8C-0D994ACCD450}	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296CBA0D-DB31-408e-85DC-8451738B65B8}	{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}	{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C46EF07-457F-4231-BF24-5A9C103962CE}	c5254ee4c7f095exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7249025-5DE8-4b55-ACA0-C577EDFFF715}\stubpath = "C:\\Windows\\{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe"	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DB98C09-AA01-48f5-BB60-962DB5E2604B}\stubpath = "C:\\Windows\\{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe"	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296CBA0D-DB31-408e-85DC-8451738B65B8}\stubpath = "C:\\Windows\\{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe"	{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1413F6AF-4166-4214-A07B-6636CC9D05ED}\stubpath = "C:\\Windows\\{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe"	{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F689705D-1BC3-4939-96BB-D960389112F5}	{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4606DF49-CC1E-4bee-B45E-D93173EE43E0}	{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6C46EF07-457F-4231-BF24-5A9C103962CE}\stubpath = "C:\\Windows\\{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe"	c5254ee4c7f095exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FA61140-0D8D-4969-847A-A5F91997A06B}	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5F931286-0809-4ec0-AA8C-0D994ACCD450}\stubpath = "C:\\Windows\\{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe"	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2D26E31-9976-4875-A346-BAFC50F15DED}	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2D26E31-9976-4875-A346-BAFC50F15DED}\stubpath = "C:\\Windows\\{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe"	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}\stubpath = "C:\\Windows\\{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe"	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4606DF49-CC1E-4bee-B45E-D93173EE43E0}\stubpath = "C:\\Windows\\{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe"	{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}\stubpath = "C:\\Windows\\{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe"	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}\stubpath = "C:\\Windows\\{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe"	{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1413F6AF-4166-4214-A07B-6636CC9D05ED}	{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F689705D-1BC3-4939-96BB-D960389112F5}\stubpath = "C:\\Windows\\{F689705D-1BC3-4939-96BB-D960389112F5}.exe"	{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe

Deletes itself 1 IoCs

pid	Process
2864	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1168	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe
704	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe
1932	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe
1492	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe
2036	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe
2276	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe
1688	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe
1928	{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe
2668	{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe
2624	{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe
2644	{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe
2200	{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe
2524	{F689705D-1BC3-4939-96BB-D960389112F5}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe
File created	C:\Windows\{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe
File created	C:\Windows\{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe
File created	C:\Windows\{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe	{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe
File created	C:\Windows\{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe	{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe
File created	C:\Windows\{F689705D-1BC3-4939-96BB-D960389112F5}.exe	{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe
File created	C:\Windows\{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe
File created	C:\Windows\{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe
File created	C:\Windows\{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe
File created	C:\Windows\{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe
File created	C:\Windows\{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe	{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe
File created	C:\Windows\{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe	{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe
File created	C:\Windows\{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe	c5254ee4c7f095exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3012	c5254ee4c7f095exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1168	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe
Token: SeIncBasePriorityPrivilege	704	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe
Token: SeIncBasePriorityPrivilege	1932	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe
Token: SeIncBasePriorityPrivilege	1492	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe
Token: SeIncBasePriorityPrivilege	2036	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe
Token: SeIncBasePriorityPrivilege	2276	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe
Token: SeIncBasePriorityPrivilege	1688	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe
Token: SeIncBasePriorityPrivilege	1928	{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe
Token: SeIncBasePriorityPrivilege	2668	{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe
Token: SeIncBasePriorityPrivilege	2624	{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe
Token: SeIncBasePriorityPrivilege	2644	{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe
Token: SeIncBasePriorityPrivilege	2200	{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 1168	3012	c5254ee4c7f095exeexeexeex.exe	28
PID 3012 wrote to memory of 1168	3012	c5254ee4c7f095exeexeexeex.exe	28
PID 3012 wrote to memory of 1168	3012	c5254ee4c7f095exeexeexeex.exe	28
PID 3012 wrote to memory of 1168	3012	c5254ee4c7f095exeexeexeex.exe	28
PID 3012 wrote to memory of 2864	3012	c5254ee4c7f095exeexeexeex.exe	29
PID 3012 wrote to memory of 2864	3012	c5254ee4c7f095exeexeexeex.exe	29
PID 3012 wrote to memory of 2864	3012	c5254ee4c7f095exeexeexeex.exe	29
PID 3012 wrote to memory of 2864	3012	c5254ee4c7f095exeexeexeex.exe	29
PID 1168 wrote to memory of 704	1168	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe	30
PID 1168 wrote to memory of 704	1168	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe	30
PID 1168 wrote to memory of 704	1168	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe	30
PID 1168 wrote to memory of 704	1168	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe	30
PID 1168 wrote to memory of 1740	1168	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe	31
PID 1168 wrote to memory of 1740	1168	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe	31
PID 1168 wrote to memory of 1740	1168	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe	31
PID 1168 wrote to memory of 1740	1168	{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe	31
PID 704 wrote to memory of 1932	704	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe	33
PID 704 wrote to memory of 1932	704	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe	33
PID 704 wrote to memory of 1932	704	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe	33
PID 704 wrote to memory of 1932	704	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe	33
PID 704 wrote to memory of 1028	704	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe	32
PID 704 wrote to memory of 1028	704	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe	32
PID 704 wrote to memory of 1028	704	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe	32
PID 704 wrote to memory of 1028	704	{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe	32
PID 1932 wrote to memory of 1492	1932	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe	34
PID 1932 wrote to memory of 1492	1932	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe	34
PID 1932 wrote to memory of 1492	1932	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe	34
PID 1932 wrote to memory of 1492	1932	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe	34
PID 1932 wrote to memory of 2860	1932	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe	35
PID 1932 wrote to memory of 2860	1932	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe	35
PID 1932 wrote to memory of 2860	1932	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe	35
PID 1932 wrote to memory of 2860	1932	{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe	35
PID 1492 wrote to memory of 2036	1492	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe	36
PID 1492 wrote to memory of 2036	1492	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe	36
PID 1492 wrote to memory of 2036	1492	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe	36
PID 1492 wrote to memory of 2036	1492	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe	36
PID 1492 wrote to memory of 2312	1492	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe	37
PID 1492 wrote to memory of 2312	1492	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe	37
PID 1492 wrote to memory of 2312	1492	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe	37
PID 1492 wrote to memory of 2312	1492	{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe	37
PID 2036 wrote to memory of 2276	2036	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe	38
PID 2036 wrote to memory of 2276	2036	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe	38
PID 2036 wrote to memory of 2276	2036	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe	38
PID 2036 wrote to memory of 2276	2036	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe	38
PID 2036 wrote to memory of 2260	2036	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe	39
PID 2036 wrote to memory of 2260	2036	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe	39
PID 2036 wrote to memory of 2260	2036	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe	39
PID 2036 wrote to memory of 2260	2036	{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe	39
PID 2276 wrote to memory of 1688	2276	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe	40
PID 2276 wrote to memory of 1688	2276	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe	40
PID 2276 wrote to memory of 1688	2276	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe	40
PID 2276 wrote to memory of 1688	2276	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe	40
PID 2276 wrote to memory of 2236	2276	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe	41
PID 2276 wrote to memory of 2236	2276	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe	41
PID 2276 wrote to memory of 2236	2276	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe	41
PID 2276 wrote to memory of 2236	2276	{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe	41
PID 1688 wrote to memory of 1928	1688	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe	42
PID 1688 wrote to memory of 1928	1688	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe	42
PID 1688 wrote to memory of 1928	1688	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe	42
PID 1688 wrote to memory of 1928	1688	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe	42
PID 1688 wrote to memory of 1940	1688	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe	43
PID 1688 wrote to memory of 1940	1688	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe	43
PID 1688 wrote to memory of 1940	1688	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe	43
PID 1688 wrote to memory of 1940	1688	{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe	43

C:\Users\Admin\AppData\Local\Temp\c5254ee4c7f095exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c5254ee4c7f095exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe
  C:\Windows\{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe
    C:\Windows\{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA61~1.EXE > nul
      4⤵
      PID:1028
  - - C:\Windows\{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe
      C:\Windows\{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1932
    - - C:\Windows\{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe
        
        C:\Windows\{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Windows\{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe
        
        C:\Windows\{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe
        
        C:\Windows\{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe
        
        C:\Windows\{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Windows\{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe
        
        C:\Windows\{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\Windows\{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe
        
        C:\Windows\{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe
        
        C:\Windows\{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{296CB~1.EXE > nul
        12⤵
        
        PID:2996
        
        C:\Windows\{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe
        
        C:\Windows\{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5C4E~1.EXE > nul
        13⤵
        
        PID:2492
        
        C:\Windows\{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe
        
        C:\Windows\{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1413F~1.EXE > nul
        14⤵
        
        PID:2472
        
        C:\Windows\{F689705D-1BC3-4939-96BB-D960389112F5}.exe
        
        C:\Windows\{F689705D-1BC3-4939-96BB-D960389112F5}.exe
        14⤵
        Executes dropped EXE
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4606D~1.EXE > nul
        11⤵
        
        PID:1528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3739E~1.EXE > nul
        10⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2D26~1.EXE > nul
        9⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF8A7~1.EXE > nul
        8⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F931~1.EXE > nul
        7⤵
        
        PID:2260
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5DB98~1.EXE > nul
        6⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7249~1.EXE > nul
        5⤵
        
        PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6C46E~1.EXE > nul
    3⤵
    PID:1740
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C5254E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe

Filesize
204KB

MD5
d9b375caba53a8a7f77662dd8f9020d8

SHA1
054be386cfd1782dd42add71159feba17f3a0e8d

SHA256
e014aa16d94d4df8633d118cb779336812937e0528943fe7eecff5b7bc398a92

SHA512
364d250b9421c65b469a0d12432279915e0e56503399a98467116799a0c903f6b933914e92c7081159aa9ae352be782017d4174d40a3132263456c08aca43c3a

Download Submit
C:\Windows\{1413F6AF-4166-4214-A07B-6636CC9D05ED}.exe

Filesize
204KB

MD5
d9b375caba53a8a7f77662dd8f9020d8

SHA1
054be386cfd1782dd42add71159feba17f3a0e8d

SHA256
e014aa16d94d4df8633d118cb779336812937e0528943fe7eecff5b7bc398a92

SHA512
364d250b9421c65b469a0d12432279915e0e56503399a98467116799a0c903f6b933914e92c7081159aa9ae352be782017d4174d40a3132263456c08aca43c3a

Download Submit
C:\Windows\{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe

Filesize
204KB

MD5
1ceb75e87a9f54152194670b2de39c2a

SHA1
b91afcb632d3542b6075c19988e1bdfbf3bf86f7

SHA256
9721510cf50e3188bc04675f558a97140d8ff710c4b9dc722665ab3c9b17fc4b

SHA512
1936964c8c0130d2b5562d0431aa54eadb3e0ca5709b5f65ea5a67d75d91ecbed4d5b7eda2f4398c145c592c24f1d5c176f61cc91f10abb1edb84e21664460ff

Download Submit
C:\Windows\{296CBA0D-DB31-408e-85DC-8451738B65B8}.exe

Filesize
204KB

MD5
1ceb75e87a9f54152194670b2de39c2a

SHA1
b91afcb632d3542b6075c19988e1bdfbf3bf86f7

SHA256
9721510cf50e3188bc04675f558a97140d8ff710c4b9dc722665ab3c9b17fc4b

SHA512
1936964c8c0130d2b5562d0431aa54eadb3e0ca5709b5f65ea5a67d75d91ecbed4d5b7eda2f4398c145c592c24f1d5c176f61cc91f10abb1edb84e21664460ff

Download Submit
C:\Windows\{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe

Filesize
204KB

MD5
e8ab8049473381b6a7aca854dccafe69

SHA1
d57e5ced609bfadca6e0ad242519c800e7424868

SHA256
d51e7a3966fe3d132c60724a9fd68a841c49c7e591a346f147ca8c988590b510

SHA512
5cf12ac8ca4d334f36ddc964ad2548ca50db51ee4bf815048068f948c7869dd4c2c8a6ac59bcc6bfdb97bd6c0c9fc3622ae27e30660323b356c8527dbd16677f

Download Submit
C:\Windows\{3739E1D7-ED1A-4b53-86B8-13A9D2788E96}.exe

Filesize
204KB

MD5
e8ab8049473381b6a7aca854dccafe69

SHA1
d57e5ced609bfadca6e0ad242519c800e7424868

SHA256
d51e7a3966fe3d132c60724a9fd68a841c49c7e591a346f147ca8c988590b510

SHA512
5cf12ac8ca4d334f36ddc964ad2548ca50db51ee4bf815048068f948c7869dd4c2c8a6ac59bcc6bfdb97bd6c0c9fc3622ae27e30660323b356c8527dbd16677f

Download Submit
C:\Windows\{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe

Filesize
204KB

MD5
b49ebb791d8f6332684fe5012f4331f3

SHA1
734b05dbbf49b266c0f6daa83e3bda294f011b3b

SHA256
6cbae85b4cad20c346a3f5055fdca11c69276ab63773fddd5f7d74a18e01ea3b

SHA512
90d1d4681ea166a046b50e18d6dcc631bd706715482f1d9a58c360031ceae3b78d04d1c3518a9a0823aa0e67dc49024e2b25a3ce3ab40fdacef2e0728c8031a6

Download Submit
C:\Windows\{4606DF49-CC1E-4bee-B45E-D93173EE43E0}.exe

Filesize
204KB

MD5
b49ebb791d8f6332684fe5012f4331f3

SHA1
734b05dbbf49b266c0f6daa83e3bda294f011b3b

SHA256
6cbae85b4cad20c346a3f5055fdca11c69276ab63773fddd5f7d74a18e01ea3b

SHA512
90d1d4681ea166a046b50e18d6dcc631bd706715482f1d9a58c360031ceae3b78d04d1c3518a9a0823aa0e67dc49024e2b25a3ce3ab40fdacef2e0728c8031a6

Download Submit
C:\Windows\{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe

Filesize
204KB

MD5
6b341e7d3e0bd4c0a56222b62b331f12

SHA1
4794bb36fcc263407e2da27f5b8aedda16acd3c7

SHA256
e5b13bd72dd9f4ea820b87eb52ca2e5820eb8394766e0863b06440700d8a2782

SHA512
98312589788875c7067c4b6f40476f78f5db15728b19b2be6120b5b38536facd27e22eb37fe95d56b17a29d955621b5ff98411fc81bb7bf903c22b1896fe0279

Download Submit
C:\Windows\{5DB98C09-AA01-48f5-BB60-962DB5E2604B}.exe

Filesize
204KB

MD5
6b341e7d3e0bd4c0a56222b62b331f12

SHA1
4794bb36fcc263407e2da27f5b8aedda16acd3c7

SHA256
e5b13bd72dd9f4ea820b87eb52ca2e5820eb8394766e0863b06440700d8a2782

SHA512
98312589788875c7067c4b6f40476f78f5db15728b19b2be6120b5b38536facd27e22eb37fe95d56b17a29d955621b5ff98411fc81bb7bf903c22b1896fe0279

Download Submit
C:\Windows\{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe

Filesize
204KB

MD5
53059bd44c96507dab7a292ad8d904e6

SHA1
d66280acd493157aefd17a97e63863faeb35edc0

SHA256
e58ebbb888af917d299886ed9077101d3efb14afdc57db5fda9d0adde49c0d58

SHA512
b94145cc4a4a1a9a527c2e83ffed6fcc4b7675bcb7882d471870bdd202e1df3a2fa87ceac05227c8f4ffa3b98bbbb3cc1ba8a3a099cb6116403c41c95862a1e1

Download Submit
C:\Windows\{5F931286-0809-4ec0-AA8C-0D994ACCD450}.exe

Filesize
204KB

MD5
53059bd44c96507dab7a292ad8d904e6

SHA1
d66280acd493157aefd17a97e63863faeb35edc0

SHA256
e58ebbb888af917d299886ed9077101d3efb14afdc57db5fda9d0adde49c0d58

SHA512
b94145cc4a4a1a9a527c2e83ffed6fcc4b7675bcb7882d471870bdd202e1df3a2fa87ceac05227c8f4ffa3b98bbbb3cc1ba8a3a099cb6116403c41c95862a1e1

Download Submit
C:\Windows\{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe

Filesize
204KB

MD5
e7b027adfad899b24f8ed4318a7585cf

SHA1
0f2642a9d90d2ee894883162137af896957800b7

SHA256
65ef8609511eeb409fed51bceb2e1d5a9616b05b851c79b0279c92ff48de220a

SHA512
5897699b6ece063f0fb895c55abfb057bd7d18917cea9a88944fd97cee5a1634e5a1c5b21a410828da9e2aecbb041c17cfab5771529b7140f2b7f0f4e5b54ce4

Download Submit
C:\Windows\{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe

Filesize
204KB

MD5
e7b027adfad899b24f8ed4318a7585cf

SHA1
0f2642a9d90d2ee894883162137af896957800b7

SHA256
65ef8609511eeb409fed51bceb2e1d5a9616b05b851c79b0279c92ff48de220a

SHA512
5897699b6ece063f0fb895c55abfb057bd7d18917cea9a88944fd97cee5a1634e5a1c5b21a410828da9e2aecbb041c17cfab5771529b7140f2b7f0f4e5b54ce4

Download Submit
C:\Windows\{6C46EF07-457F-4231-BF24-5A9C103962CE}.exe

Filesize
204KB

MD5
e7b027adfad899b24f8ed4318a7585cf

SHA1
0f2642a9d90d2ee894883162137af896957800b7

SHA256
65ef8609511eeb409fed51bceb2e1d5a9616b05b851c79b0279c92ff48de220a

SHA512
5897699b6ece063f0fb895c55abfb057bd7d18917cea9a88944fd97cee5a1634e5a1c5b21a410828da9e2aecbb041c17cfab5771529b7140f2b7f0f4e5b54ce4

Download Submit
C:\Windows\{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe

Filesize
204KB

MD5
556caca3fd74aa391e43c81e071e9f99

SHA1
f927298548f273e13ac0b3531e75c61cca7f7f4f

SHA256
e2e3e488e87f89c763dc1087bbbe91734641248fde4fc9cf54c105012919a608

SHA512
12124d6cb1fe0d060dd0838b6a29349bdb593e18df455d7acc824f1714dc1fb0246605027ddfbc56511f1fce6598e889f760d99509b8ed8f58c2dc94a30338b8

Download Submit
C:\Windows\{6FA61140-0D8D-4969-847A-A5F91997A06B}.exe

Filesize
204KB

MD5
556caca3fd74aa391e43c81e071e9f99

SHA1
f927298548f273e13ac0b3531e75c61cca7f7f4f

SHA256
e2e3e488e87f89c763dc1087bbbe91734641248fde4fc9cf54c105012919a608

SHA512
12124d6cb1fe0d060dd0838b6a29349bdb593e18df455d7acc824f1714dc1fb0246605027ddfbc56511f1fce6598e889f760d99509b8ed8f58c2dc94a30338b8

Download Submit
C:\Windows\{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe

Filesize
204KB

MD5
457b35c31ac7a9e9a15c957b564024d0

SHA1
1ee547da0426b6bd6c98330d6c6ec394a5273eb0

SHA256
09891c493ab17456df33d38c9eb89f04b92b5631cd1b61dd839cbb3a83103b07

SHA512
b9776ddbced50a1e51bebcb1016bd2778545cee826def668281fb89a5765a3ac183cce94eb52a51782726eb97d7fbe49a9f00129e93f7a477e36333a423db7c3

Download Submit
C:\Windows\{A5C4ECAB-7E2E-47be-BD7E-C8CD13F8942B}.exe

Filesize
204KB

MD5
457b35c31ac7a9e9a15c957b564024d0

SHA1
1ee547da0426b6bd6c98330d6c6ec394a5273eb0

SHA256
09891c493ab17456df33d38c9eb89f04b92b5631cd1b61dd839cbb3a83103b07

SHA512
b9776ddbced50a1e51bebcb1016bd2778545cee826def668281fb89a5765a3ac183cce94eb52a51782726eb97d7fbe49a9f00129e93f7a477e36333a423db7c3

Download Submit
C:\Windows\{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe

Filesize
204KB

MD5
814289ac3ef8a55e2980dcb11170d044

SHA1
5e801d8ad60b529f7e951df77f288bacac11333e

SHA256
66332fbf3adb56756f7aef8fe433b011bc8923a85295825249c818364f16303e

SHA512
10db2a0d335b313e49fa92aea088c599904dcfe3c5350774742adaa49463e6456d4afdd51701fb110ee488314153b08bda0f8170a74e37b1bb00c7aa697c55b7

Download Submit
C:\Windows\{B2D26E31-9976-4875-A346-BAFC50F15DED}.exe

Filesize
204KB

MD5
814289ac3ef8a55e2980dcb11170d044

SHA1
5e801d8ad60b529f7e951df77f288bacac11333e

SHA256
66332fbf3adb56756f7aef8fe433b011bc8923a85295825249c818364f16303e

SHA512
10db2a0d335b313e49fa92aea088c599904dcfe3c5350774742adaa49463e6456d4afdd51701fb110ee488314153b08bda0f8170a74e37b1bb00c7aa697c55b7

Download Submit
C:\Windows\{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe

Filesize
204KB

MD5
2e166ee3d20397038b3dbe3a874feaf4

SHA1
0bfccf6abcb1e6145fe8106f87920df00e31a62a

SHA256
f2da990c34a057d70777ed70ce3a855f01e1ee50e49e8ed9b913bdb727f649d0

SHA512
ea57af911bfeee63b471edb53c6e468f971cdaa4ba9ba435849b5f56762f0bbeb1651082d8dc7fe43bcd9ffc6525207d7485892f9d380dd07a3188a8d60c8a33

Download Submit
C:\Windows\{C7249025-5DE8-4b55-ACA0-C577EDFFF715}.exe

Filesize
204KB

MD5
2e166ee3d20397038b3dbe3a874feaf4

SHA1
0bfccf6abcb1e6145fe8106f87920df00e31a62a

SHA256
f2da990c34a057d70777ed70ce3a855f01e1ee50e49e8ed9b913bdb727f649d0

SHA512
ea57af911bfeee63b471edb53c6e468f971cdaa4ba9ba435849b5f56762f0bbeb1651082d8dc7fe43bcd9ffc6525207d7485892f9d380dd07a3188a8d60c8a33

Download Submit
C:\Windows\{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe

Filesize
204KB

MD5
647174184ba45b91b0bd6815d0e367de

SHA1
b2bae0ea582a56c713675b4f4f1559cf80fd7254

SHA256
c75e92dfade9fade4d45dba2e0bb39cdc0a1232b80c3b51bf9a4a302326a746c

SHA512
7675aef462778d18e62d3f52483a7cdb2077913d0313eabd9d898fd1ee4e77ece40b32e57fad18f93833bcee58ba0b1ca47b67600af7cf40bd2868e7aca32ea7

Download Submit
C:\Windows\{CF8A74AE-0D2B-4248-8A8E-18C96C7C9C46}.exe

Filesize
204KB

MD5
647174184ba45b91b0bd6815d0e367de

SHA1
b2bae0ea582a56c713675b4f4f1559cf80fd7254

SHA256
c75e92dfade9fade4d45dba2e0bb39cdc0a1232b80c3b51bf9a4a302326a746c

SHA512
7675aef462778d18e62d3f52483a7cdb2077913d0313eabd9d898fd1ee4e77ece40b32e57fad18f93833bcee58ba0b1ca47b67600af7cf40bd2868e7aca32ea7

Download Submit
C:\Windows\{F689705D-1BC3-4939-96BB-D960389112F5}.exe

Filesize
204KB

MD5
ca4af65247e99838c6e844906ea72823

SHA1
fe1269badad5f3882ddbc5e131dc065fdb01249d

SHA256
2263a712b68cb09189e7a4fa06b607c9bb9d536cda88c25e749173a5e3df6de3

SHA512
15c9d963d428e1300cd0410e0f64ba6def666772107ffddda552e296c50acb979f697374ccebc9a156e32931be70c52eb8a63154c1d9ddbfd64febefbc918a64

Download Submit