6d8c6d7e20f62b890e54c1c3b41d5faab625784c5f0158f6f2c380d614bb5067

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10-07-2023 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d5350317f4f773exeexeexeex.exe
Size

192KB
MD5

d5350317f4f773b328a918adcc4cfdc5
SHA1

efb5e1a876187cec0a6a86e5bbe0c2246211101d
SHA256

6d8c6d7e20f62b890e54c1c3b41d5faab625784c5f0158f6f2c380d614bb5067
SHA512

44f940d256f5676c32dc2ffed722c59471295957edd7c9c13bb8edaf23684862c705977283fc11498b5d3bfe85b3a54828a6c56a81fa29cbb66a5e8a43089b3b
SSDEEP

1536:1EGh0oRl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oRl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}\stubpath = "C:\\Windows\\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe"	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63707C50-F423-46b0-BDAF-069D318EE72F}\stubpath = "C:\\Windows\\{63707C50-F423-46b0-BDAF-069D318EE72F}.exe"	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}\stubpath = "C:\\Windows\\{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe"	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6ACA36D-5229-47ff-A54C-1185300D2DFC}	{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE404CD-1962-4c99-A65F-15287DC3306E}	d5350317f4f773exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4450B8AF-C544-4ec6-A680-44D32D951D9F}	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}\stubpath = "C:\\Windows\\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe"	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}\stubpath = "C:\\Windows\\{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe"	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{292B3C2D-78B7-46b9-B871-D618B9F51DF7}	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{292B3C2D-78B7-46b9-B871-D618B9F51DF7}\stubpath = "C:\\Windows\\{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe"	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA01BE2-F68A-45a2-B9D6-62A541F57608}\stubpath = "C:\\Windows\\{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe"	{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{754A9E03-B63C-43a6-87F5-4095602421B7}	{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{754A9E03-B63C-43a6-87F5-4095602421B7}\stubpath = "C:\\Windows\\{754A9E03-B63C-43a6-87F5-4095602421B7}.exe"	{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82F75D7C-3C27-4446-B129-19FE4856087D}	{754A9E03-B63C-43a6-87F5-4095602421B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4450B8AF-C544-4ec6-A680-44D32D951D9F}\stubpath = "C:\\Windows\\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe"	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{63707C50-F423-46b0-BDAF-069D318EE72F}	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6ACA36D-5229-47ff-A54C-1185300D2DFC}\stubpath = "C:\\Windows\\{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe"	{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}	{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{82F75D7C-3C27-4446-B129-19FE4856087D}\stubpath = "C:\\Windows\\{82F75D7C-3C27-4446-B129-19FE4856087D}.exe"	{754A9E03-B63C-43a6-87F5-4095602421B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE404CD-1962-4c99-A65F-15287DC3306E}\stubpath = "C:\\Windows\\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe"	d5350317f4f773exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5AA01BE2-F68A-45a2-B9D6-62A541F57608}	{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}\stubpath = "C:\\Windows\\{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe"	{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe

Deletes itself 1 IoCs

pid	Process
2212	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
1336	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
2332	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe
2080	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe
2864	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe
2944	{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe
2704	{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe
2812	{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe
2792	{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe
2572	{754A9E03-B63C-43a6-87F5-4095602421B7}.exe
2492	{82F75D7C-3C27-4446-B129-19FE4856087D}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	d5350317f4f773exeexeexeex.exe
File created	C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
File created	C:\Windows\{63707C50-F423-46b0-BDAF-069D318EE72F}.exe	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
File created	C:\Windows\{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe
File created	C:\Windows\{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe	{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe
File created	C:\Windows\{754A9E03-B63C-43a6-87F5-4095602421B7}.exe	{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe
File created	C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
File created	C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
File created	C:\Windows\{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe
File created	C:\Windows\{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe
File created	C:\Windows\{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe	{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe
File created	C:\Windows\{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe	{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe
File created	C:\Windows\{82F75D7C-3C27-4446-B129-19FE4856087D}.exe	{754A9E03-B63C-43a6-87F5-4095602421B7}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	d5350317f4f773exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
Token: SeIncBasePriorityPrivilege	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
Token: SeIncBasePriorityPrivilege	1336	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
Token: SeIncBasePriorityPrivilege	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
Token: SeIncBasePriorityPrivilege	2332	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe
Token: SeIncBasePriorityPrivilege	2080	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe
Token: SeIncBasePriorityPrivilege	2864	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe
Token: SeIncBasePriorityPrivilege	2944	{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe
Token: SeIncBasePriorityPrivilege	2704	{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe
Token: SeIncBasePriorityPrivilege	2812	{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe
Token: SeIncBasePriorityPrivilege	2792	{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe
Token: SeIncBasePriorityPrivilege	2572	{754A9E03-B63C-43a6-87F5-4095602421B7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 848	2356	d5350317f4f773exeexeexeex.exe	28
PID 2356 wrote to memory of 848	2356	d5350317f4f773exeexeexeex.exe	28
PID 2356 wrote to memory of 848	2356	d5350317f4f773exeexeexeex.exe	28
PID 2356 wrote to memory of 848	2356	d5350317f4f773exeexeexeex.exe	28
PID 2356 wrote to memory of 2212	2356	d5350317f4f773exeexeexeex.exe	29
PID 2356 wrote to memory of 2212	2356	d5350317f4f773exeexeexeex.exe	29
PID 2356 wrote to memory of 2212	2356	d5350317f4f773exeexeexeex.exe	29
PID 2356 wrote to memory of 2212	2356	d5350317f4f773exeexeexeex.exe	29
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 2320	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	30
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 848 wrote to memory of 1284	848	{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe	31
PID 2320 wrote to memory of 1336	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 1336	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 1336	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 1336	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	32
PID 2320 wrote to memory of 1932	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 2320 wrote to memory of 1932	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 2320 wrote to memory of 1932	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 2320 wrote to memory of 1932	2320	{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe	33
PID 1336 wrote to memory of 2216	1336	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 1336 wrote to memory of 2216	1336	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 1336 wrote to memory of 2216	1336	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 1336 wrote to memory of 2216	1336	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	34
PID 1336 wrote to memory of 1852	1336	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 1336 wrote to memory of 1852	1336	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 1336 wrote to memory of 1852	1336	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 1336 wrote to memory of 1852	1336	{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe	35
PID 2216 wrote to memory of 2332	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2216 wrote to memory of 2332	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2216 wrote to memory of 2332	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2216 wrote to memory of 2332	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	36
PID 2216 wrote to memory of 1760	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2216 wrote to memory of 1760	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2216 wrote to memory of 1760	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2216 wrote to memory of 1760	2216	{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe	37
PID 2332 wrote to memory of 2080	2332	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe	38
PID 2332 wrote to memory of 2080	2332	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe	38
PID 2332 wrote to memory of 2080	2332	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe	38
PID 2332 wrote to memory of 2080	2332	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe	38
PID 2332 wrote to memory of 2068	2332	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe	39
PID 2332 wrote to memory of 2068	2332	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe	39
PID 2332 wrote to memory of 2068	2332	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe	39
PID 2332 wrote to memory of 2068	2332	{63707C50-F423-46b0-BDAF-069D318EE72F}.exe	39
PID 2080 wrote to memory of 2864	2080	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe	40
PID 2080 wrote to memory of 2864	2080	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe	40
PID 2080 wrote to memory of 2864	2080	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe	40
PID 2080 wrote to memory of 2864	2080	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe	40
PID 2080 wrote to memory of 2940	2080	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe	41
PID 2080 wrote to memory of 2940	2080	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe	41
PID 2080 wrote to memory of 2940	2080	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe	41
PID 2080 wrote to memory of 2940	2080	{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe	41
PID 2864 wrote to memory of 2944	2864	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe	42
PID 2864 wrote to memory of 2944	2864	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe	42
PID 2864 wrote to memory of 2944	2864	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe	42
PID 2864 wrote to memory of 2944	2864	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe	42
PID 2864 wrote to memory of 2288	2864	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe	43
PID 2864 wrote to memory of 2288	2864	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe	43
PID 2864 wrote to memory of 2288	2864	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe	43
PID 2864 wrote to memory of 2288	2864	{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe	43

C:\Users\Admin\AppData\Local\Temp\d5350317f4f773exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d5350317f4f773exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
  C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
    C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
      C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1336
    - - C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
        
        C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\{63707C50-F423-46b0-BDAF-069D318EE72F}.exe
        
        C:\Windows\{63707C50-F423-46b0-BDAF-069D318EE72F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe
        
        C:\Windows\{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe
        
        C:\Windows\{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe
        
        C:\Windows\{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe
        
        C:\Windows\{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe
        
        C:\Windows\{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe
        
        C:\Windows\{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\{754A9E03-B63C-43a6-87F5-4095602421B7}.exe
        
        C:\Windows\{754A9E03-B63C-43a6-87F5-4095602421B7}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\{82F75D7C-3C27-4446-B129-19FE4856087D}.exe
        
        C:\Windows\{82F75D7C-3C27-4446-B129-19FE4856087D}.exe
        14⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{754A9~1.EXE > nul
        14⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCEA0~1.EXE > nul
        13⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6ACA~1.EXE > nul
        12⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5AA01~1.EXE > nul
        11⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B64AB~1.EXE > nul
        10⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{292B3~1.EXE > nul
        9⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEA80~1.EXE > nul
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63707~1.EXE > nul
        7⤵
        
        PID:2068
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{233BD~1.EXE > nul
        6⤵
        
        PID:1760
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14ECD~1.EXE > nul
        5⤵
        
        PID:1852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4450B~1.EXE > nul
      4⤵
      PID:1932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9CE40~1.EXE > nul
    3⤵
    PID:1284
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D53503~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe

Filesize
192KB

MD5
6341dc210fc13ece34880eebdf227b36

SHA1
348974ae8370481b7be6b4f385077496a8d2fa1c

SHA256
f7703695aaf2e28dbd9bbbdc8c5de8fdfac3ab12baff0110cf3fb289f76f3331

SHA512
612355e467f6347461aa451af7a7f26cbe3ce309af6f5d8dd5a203090936937164205961fe49b1f2718f5be04e8578701ef7320f12592aa0e27693c2474fc021

Download Submit
C:\Windows\{14ECD952-A93E-4c18-BAFB-D37AB31DAA79}.exe

Filesize
192KB

MD5
6341dc210fc13ece34880eebdf227b36

SHA1
348974ae8370481b7be6b4f385077496a8d2fa1c

SHA256
f7703695aaf2e28dbd9bbbdc8c5de8fdfac3ab12baff0110cf3fb289f76f3331

SHA512
612355e467f6347461aa451af7a7f26cbe3ce309af6f5d8dd5a203090936937164205961fe49b1f2718f5be04e8578701ef7320f12592aa0e27693c2474fc021

Download Submit
C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe

Filesize
192KB

MD5
47b090020e17c69040a33341be835902

SHA1
f434fccfc18115616e9986cfa967e6213828d959

SHA256
61a325b3642606ecc2f4b9f015507f8e6ca80c5e9ca61fc46f9e8e8b21ebe19b

SHA512
3e05fde3777589ad9f9c039a5f6d275887c1204dd4a374c96c46667bf42dcdded3bc846efbd71ff81e8649940f0368f9142baacf3d7e9c4d702ff6040327feb2

Download Submit
C:\Windows\{233BDBDB-2C70-41a7-A9FD-45D5481DB3F9}.exe

Filesize
192KB

MD5
47b090020e17c69040a33341be835902

SHA1
f434fccfc18115616e9986cfa967e6213828d959

SHA256
61a325b3642606ecc2f4b9f015507f8e6ca80c5e9ca61fc46f9e8e8b21ebe19b

SHA512
3e05fde3777589ad9f9c039a5f6d275887c1204dd4a374c96c46667bf42dcdded3bc846efbd71ff81e8649940f0368f9142baacf3d7e9c4d702ff6040327feb2

Download Submit
C:\Windows\{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe

Filesize
192KB

MD5
e0193088a49b42943b3dc6d1cd28ba5d

SHA1
7e6d90f1cb293a9386fa0535ce94bbb4080e704b

SHA256
94e919b8657148197a1d742c8c0626de3e03e8d018bf5d3b11e43579415d048b

SHA512
65bb23bd9d9f036673e60ec43fd8daceb6d78e7f04b322ddba2a68ff674f4a7b96428fe4ad546d10cc148fdbde30ab0f09c3ccadc9f1a31ac1d2341cace4eea6

Download Submit
C:\Windows\{292B3C2D-78B7-46b9-B871-D618B9F51DF7}.exe

Filesize
192KB

MD5
e0193088a49b42943b3dc6d1cd28ba5d

SHA1
7e6d90f1cb293a9386fa0535ce94bbb4080e704b

SHA256
94e919b8657148197a1d742c8c0626de3e03e8d018bf5d3b11e43579415d048b

SHA512
65bb23bd9d9f036673e60ec43fd8daceb6d78e7f04b322ddba2a68ff674f4a7b96428fe4ad546d10cc148fdbde30ab0f09c3ccadc9f1a31ac1d2341cace4eea6

Download Submit
C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe

Filesize
192KB

MD5
637be6010ca03c38daa834805dff9740

SHA1
911d5bcf661c3f1d95ad38e3b03b984a67b5b340

SHA256
5b7174a4e8e334947b09c8d10cf3c11244937f75fde94ac490a51c3ccf1cf4e3

SHA512
4bd2de234136098d2832d6e650efe6e3faae5060928fdde45e3bab413208380c7cad53fac058e1260082875eba50d80e472875d4467b51045b4d97891380104c

Download Submit
C:\Windows\{4450B8AF-C544-4ec6-A680-44D32D951D9F}.exe

Filesize
192KB

MD5
637be6010ca03c38daa834805dff9740

SHA1
911d5bcf661c3f1d95ad38e3b03b984a67b5b340

SHA256
5b7174a4e8e334947b09c8d10cf3c11244937f75fde94ac490a51c3ccf1cf4e3

SHA512
4bd2de234136098d2832d6e650efe6e3faae5060928fdde45e3bab413208380c7cad53fac058e1260082875eba50d80e472875d4467b51045b4d97891380104c

Download Submit
C:\Windows\{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe

Filesize
192KB

MD5
945b48a5c49ef53014a661e2f3e7e92b

SHA1
2e7883219747da77b0e0907c83c76835945927e6

SHA256
750a5c91367f2b6456ae2c0bf02b9bc2c7dfa5f0c0121cdc3f8cc24527bd676c

SHA512
5ed7ae85300f608eb309bc16a0b31aae0265a2aac42691dc1f43b408bda77b10ac16e3d87c4a2e715b9b9c1b6dcfb1c93ec91e411b5cfb8a0f96d5c1ed05c0ed

Download Submit
C:\Windows\{5AA01BE2-F68A-45a2-B9D6-62A541F57608}.exe

Filesize
192KB

MD5
945b48a5c49ef53014a661e2f3e7e92b

SHA1
2e7883219747da77b0e0907c83c76835945927e6

SHA256
750a5c91367f2b6456ae2c0bf02b9bc2c7dfa5f0c0121cdc3f8cc24527bd676c

SHA512
5ed7ae85300f608eb309bc16a0b31aae0265a2aac42691dc1f43b408bda77b10ac16e3d87c4a2e715b9b9c1b6dcfb1c93ec91e411b5cfb8a0f96d5c1ed05c0ed

Download Submit
C:\Windows\{63707C50-F423-46b0-BDAF-069D318EE72F}.exe

Filesize
192KB

MD5
1ebdd997d978aac61ccb62560e93f86e

SHA1
01d2bbc25dc5ddc848eca13c1db365520e26a453

SHA256
72ec829bb37f9030e3652ea96f670aa401aefd4aed76805e30baff1c06beb0d4

SHA512
83db5e5ed0174b4501cb46f46cc0ae3a528511d178e60e7331f4a775bcdc90589e042955c6f7c7e5536932de2839e41fd0aaf24cee52323d68ac8a37c3f1a9c9

Download Submit
C:\Windows\{63707C50-F423-46b0-BDAF-069D318EE72F}.exe

Filesize
192KB

MD5
1ebdd997d978aac61ccb62560e93f86e

SHA1
01d2bbc25dc5ddc848eca13c1db365520e26a453

SHA256
72ec829bb37f9030e3652ea96f670aa401aefd4aed76805e30baff1c06beb0d4

SHA512
83db5e5ed0174b4501cb46f46cc0ae3a528511d178e60e7331f4a775bcdc90589e042955c6f7c7e5536932de2839e41fd0aaf24cee52323d68ac8a37c3f1a9c9

Download Submit
C:\Windows\{754A9E03-B63C-43a6-87F5-4095602421B7}.exe

Filesize
192KB

MD5
a3a42cef4d30d83c331478ec5cde1e22

SHA1
75eaee8b7561b32f0d6788f8d4843886a1acde27

SHA256
adf98dd13eb27560f39619ccc9f46b7c982eeb520df8fc0fe7030c3dbf1aa1fe

SHA512
c0feae4b24479ef74e2e2822cc10face2282574ba893f95b86b55a1bc735ee51cf8928edb984137f9a70d901e21aee06dcad47bcbe23391bbe0ae33d0cff4080

Download Submit
C:\Windows\{754A9E03-B63C-43a6-87F5-4095602421B7}.exe

Filesize
192KB

MD5
a3a42cef4d30d83c331478ec5cde1e22

SHA1
75eaee8b7561b32f0d6788f8d4843886a1acde27

SHA256
adf98dd13eb27560f39619ccc9f46b7c982eeb520df8fc0fe7030c3dbf1aa1fe

SHA512
c0feae4b24479ef74e2e2822cc10face2282574ba893f95b86b55a1bc735ee51cf8928edb984137f9a70d901e21aee06dcad47bcbe23391bbe0ae33d0cff4080

Download Submit
C:\Windows\{82F75D7C-3C27-4446-B129-19FE4856087D}.exe

Filesize
192KB

MD5
90c58981e7f9aefdf3a97a000bdaed05

SHA1
846f2967f7f1c990c8f3a90c014442b1252cf784

SHA256
219856f447be922e0a676cb50bf6e01a7b366e6ddf78c345b5e6df824ee2093e

SHA512
d8eff2098a268383baa51d0f0a1b6ab6a45caa376286923521c70a5c32a72dcef8125a1090adcee532ec5c031d6739afa41c795cfbaa4ec0abe31df17cd05c61

Download Submit
C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe

Filesize
192KB

MD5
136f3aeb7b52382babd161b2b5d324a8

SHA1
7dce95115cf2a91f92a36c08c40df82801637fb7

SHA256
fb1b8a7be0b7ad46cb85788832c347d12ac0d663ab1275829ccad06473b9bdc7

SHA512
9148d71aa7b547271d6cd590e029f8cf66292424aa9dee08d3d9f8a5e6eb9ea4add6c1d361e854be7b9997ffc6b44cf8bdaa1c535bcdc642cc124a14191748fa

Download Submit
C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe

Filesize
192KB

MD5
136f3aeb7b52382babd161b2b5d324a8

SHA1
7dce95115cf2a91f92a36c08c40df82801637fb7

SHA256
fb1b8a7be0b7ad46cb85788832c347d12ac0d663ab1275829ccad06473b9bdc7

SHA512
9148d71aa7b547271d6cd590e029f8cf66292424aa9dee08d3d9f8a5e6eb9ea4add6c1d361e854be7b9997ffc6b44cf8bdaa1c535bcdc642cc124a14191748fa

Download Submit
C:\Windows\{9CE404CD-1962-4c99-A65F-15287DC3306E}.exe

Filesize
192KB

MD5
136f3aeb7b52382babd161b2b5d324a8

SHA1
7dce95115cf2a91f92a36c08c40df82801637fb7

SHA256
fb1b8a7be0b7ad46cb85788832c347d12ac0d663ab1275829ccad06473b9bdc7

SHA512
9148d71aa7b547271d6cd590e029f8cf66292424aa9dee08d3d9f8a5e6eb9ea4add6c1d361e854be7b9997ffc6b44cf8bdaa1c535bcdc642cc124a14191748fa

Download Submit
C:\Windows\{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe

Filesize
192KB

MD5
e24ec3cb6d8f7e1cbe481bdf049b8e77

SHA1
e3f6790e8623f41ed550edb54832ea9f49340be9

SHA256
ceda809a4f1143c5ffbf5de833b88aeda7b28d88f27cbccb6e3a0525e603db7c

SHA512
94e1f01b1339cb8606e9cd4eb71066e6f69ce9a0403b968639665fd7e1e4b4557fefb0a0bf7b58b46b657589fa89cbc78a259942e8f637dfbd85724b0ea90e8e

Download Submit
C:\Windows\{A6ACA36D-5229-47ff-A54C-1185300D2DFC}.exe

Filesize
192KB

MD5
e24ec3cb6d8f7e1cbe481bdf049b8e77

SHA1
e3f6790e8623f41ed550edb54832ea9f49340be9

SHA256
ceda809a4f1143c5ffbf5de833b88aeda7b28d88f27cbccb6e3a0525e603db7c

SHA512
94e1f01b1339cb8606e9cd4eb71066e6f69ce9a0403b968639665fd7e1e4b4557fefb0a0bf7b58b46b657589fa89cbc78a259942e8f637dfbd85724b0ea90e8e

Download Submit
C:\Windows\{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe

Filesize
192KB

MD5
f56a035548686a3990e048a055733be3

SHA1
386f12b3f765577dd077661763377de83a2ab23e

SHA256
0fa535b4cf904aa9aa1fb98d97841f9edf2afe8fa388f4cbd74b036f657def28

SHA512
fbb6d2372c3881de197bc2ff0379e91322f7ea6dd09401a4577bab32aa5a42867feb02bf852834fe722e89558df5fd862a5a61171b1be6c9b6e07f0891e28ca8

Download Submit
C:\Windows\{B64ABEB3-DD76-4638-BB1F-A6C3FBB159ED}.exe

Filesize
192KB

MD5
f56a035548686a3990e048a055733be3

SHA1
386f12b3f765577dd077661763377de83a2ab23e

SHA256
0fa535b4cf904aa9aa1fb98d97841f9edf2afe8fa388f4cbd74b036f657def28

SHA512
fbb6d2372c3881de197bc2ff0379e91322f7ea6dd09401a4577bab32aa5a42867feb02bf852834fe722e89558df5fd862a5a61171b1be6c9b6e07f0891e28ca8

Download Submit
C:\Windows\{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe

Filesize
192KB

MD5
40834c724c04609b6607b2619ef300d3

SHA1
b4e1d79bdeacac4c518b9c07a12bc931c9606b4c

SHA256
0c960c92a78701dbe46947dd3ad27d789ed72e6dde7d8cf0c11dbfa58b8e82bc

SHA512
671cc798d886c17455f0c8c4857571a568890befb8d0f2cc254724aa67dad892b9a77fd9e0196a919c880b58b3d80bd1d974b7bf81562070b4e2e1a16abf3c33

Download Submit
C:\Windows\{DEA80842-5A4B-4e94-BC1D-D1015B2C4967}.exe

Filesize
192KB

MD5
40834c724c04609b6607b2619ef300d3

SHA1
b4e1d79bdeacac4c518b9c07a12bc931c9606b4c

SHA256
0c960c92a78701dbe46947dd3ad27d789ed72e6dde7d8cf0c11dbfa58b8e82bc

SHA512
671cc798d886c17455f0c8c4857571a568890befb8d0f2cc254724aa67dad892b9a77fd9e0196a919c880b58b3d80bd1d974b7bf81562070b4e2e1a16abf3c33

Download Submit
C:\Windows\{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe

Filesize
192KB

MD5
b462fe9c9c3bd49164c8452fd61aadc8

SHA1
01f521b8618e985b1cfe50f7a02cd235f7dbdd85

SHA256
7adc2f5ef167809359f29f294212a8b1d66f29a8026bbbf7474c967fe9080f3f

SHA512
bdebe41df323f3c302c3fdc88cc23914b4d0051f41d6e323fc51d7122ae25d9a1643872e62978a7cc936e0992de6c8bd62dc6c538262c67ad3780cca1571e139

Download Submit
C:\Windows\{FCEA0B37-86C3-41d0-8FDA-B077EB27B5D2}.exe

Filesize
192KB

MD5
b462fe9c9c3bd49164c8452fd61aadc8

SHA1
01f521b8618e985b1cfe50f7a02cd235f7dbdd85

SHA256
7adc2f5ef167809359f29f294212a8b1d66f29a8026bbbf7474c967fe9080f3f

SHA512
bdebe41df323f3c302c3fdc88cc23914b4d0051f41d6e323fc51d7122ae25d9a1643872e62978a7cc936e0992de6c8bd62dc6c538262c67ad3780cca1571e139

Download Submit