1c59572f516e3254857555d29e15804a3449fe66b88c02de8bd5c23e18dc6321

Analysis

max time kernel
146s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f14320b6c0dbd7exeexeexeex.exe
Size

204KB
MD5

f14320b6c0dbd799c8cce3a6ca6f5d5e
SHA1

9b45dfc5165cefb06650c364f13889255a08b36c
SHA256

1c59572f516e3254857555d29e15804a3449fe66b88c02de8bd5c23e18dc6321
SHA512

89e019390f20998d1ed7a5c34ed9693ecd5b5cde88ae93327e415e093e684a763e542f4d09341058048166ca7246f85e699c302ccb1ceb4ec3b55b475521a9cc
SSDEEP

1536:1EGh0oZl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oZl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99946303-ECEC-4d16-8910-83305A1A14EF}	{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}\stubpath = "C:\\Windows\\{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe"	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}\stubpath = "C:\\Windows\\{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe"	{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46DE7567-6146-493c-8DCA-5466110B4B3F}	{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}	{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46DE7567-6146-493c-8DCA-5466110B4B3F}\stubpath = "C:\\Windows\\{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe"	{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99946303-ECEC-4d16-8910-83305A1A14EF}\stubpath = "C:\\Windows\\{99946303-ECEC-4d16-8910-83305A1A14EF}.exe"	{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C053EBD8-656F-43c2-A395-972A383FB62F}	f14320b6c0dbd7exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{428C50C2-4044-481b-81AF-B11B92FCC494}\stubpath = "C:\\Windows\\{428C50C2-4044-481b-81AF-B11B92FCC494}.exe"	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0303AF80-DE3C-4294-8D4B-0EC4450350FC}	{13CF026F-3845-49e9-9412-270706B8277B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}	{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C053EBD8-656F-43c2-A395-972A383FB62F}\stubpath = "C:\\Windows\\{C053EBD8-656F-43c2-A395-972A383FB62F}.exe"	f14320b6c0dbd7exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}\stubpath = "C:\\Windows\\{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe"	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{428C50C2-4044-481b-81AF-B11B92FCC494}	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0303AF80-DE3C-4294-8D4B-0EC4450350FC}\stubpath = "C:\\Windows\\{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe"	{13CF026F-3845-49e9-9412-270706B8277B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}\stubpath = "C:\\Windows\\{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe"	{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04392CD8-F207-4d08-8980-A61EC4EFCD82}	{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04392CD8-F207-4d08-8980-A61EC4EFCD82}\stubpath = "C:\\Windows\\{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe"	{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}\stubpath = "C:\\Windows\\{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe"	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}\stubpath = "C:\\Windows\\{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe"	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13CF026F-3845-49e9-9412-270706B8277B}	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13CF026F-3845-49e9-9412-270706B8277B}\stubpath = "C:\\Windows\\{13CF026F-3845-49e9-9412-270706B8277B}.exe"	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe

Deletes itself 1 IoCs

pid	Process
2352	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2400	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe
2168	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe
824	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe
2980	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe
2152	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe
2576	{13CF026F-3845-49e9-9412-270706B8277B}.exe
3036	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe
1512	{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe
2600	{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe
2772	{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe
2696	{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe
2524	{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe
2552	{99946303-ECEC-4d16-8910-83305A1A14EF}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe
File created	C:\Windows\{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe
File created	C:\Windows\{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe	{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe
File created	C:\Windows\{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe	{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe
File created	C:\Windows\{99946303-ECEC-4d16-8910-83305A1A14EF}.exe	{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe
File created	C:\Windows\{C053EBD8-656F-43c2-A395-972A383FB62F}.exe	f14320b6c0dbd7exeexeexeex.exe
File created	C:\Windows\{428C50C2-4044-481b-81AF-B11B92FCC494}.exe	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe
File created	C:\Windows\{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe
File created	C:\Windows\{13CF026F-3845-49e9-9412-270706B8277B}.exe	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe
File created	C:\Windows\{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe	{13CF026F-3845-49e9-9412-270706B8277B}.exe
File created	C:\Windows\{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe
File created	C:\Windows\{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe	{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe
File created	C:\Windows\{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe	{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2188	f14320b6c0dbd7exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2400	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe
Token: SeIncBasePriorityPrivilege	2168	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe
Token: SeIncBasePriorityPrivilege	824	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe
Token: SeIncBasePriorityPrivilege	2980	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe
Token: SeIncBasePriorityPrivilege	2152	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe
Token: SeIncBasePriorityPrivilege	2576	{13CF026F-3845-49e9-9412-270706B8277B}.exe
Token: SeIncBasePriorityPrivilege	3036	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe
Token: SeIncBasePriorityPrivilege	1512	{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe
Token: SeIncBasePriorityPrivilege	2600	{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe
Token: SeIncBasePriorityPrivilege	2772	{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe
Token: SeIncBasePriorityPrivilege	2696	{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe
Token: SeIncBasePriorityPrivilege	2524	{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2400	2188	f14320b6c0dbd7exeexeexeex.exe	29
PID 2188 wrote to memory of 2400	2188	f14320b6c0dbd7exeexeexeex.exe	29
PID 2188 wrote to memory of 2400	2188	f14320b6c0dbd7exeexeexeex.exe	29
PID 2188 wrote to memory of 2400	2188	f14320b6c0dbd7exeexeexeex.exe	29
PID 2188 wrote to memory of 2352	2188	f14320b6c0dbd7exeexeexeex.exe	30
PID 2188 wrote to memory of 2352	2188	f14320b6c0dbd7exeexeexeex.exe	30
PID 2188 wrote to memory of 2352	2188	f14320b6c0dbd7exeexeexeex.exe	30
PID 2188 wrote to memory of 2352	2188	f14320b6c0dbd7exeexeexeex.exe	30
PID 2400 wrote to memory of 2168	2400	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe	31
PID 2400 wrote to memory of 2168	2400	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe	31
PID 2400 wrote to memory of 2168	2400	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe	31
PID 2400 wrote to memory of 2168	2400	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe	31
PID 2400 wrote to memory of 2276	2400	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe	32
PID 2400 wrote to memory of 2276	2400	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe	32
PID 2400 wrote to memory of 2276	2400	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe	32
PID 2400 wrote to memory of 2276	2400	{C053EBD8-656F-43c2-A395-972A383FB62F}.exe	32
PID 2168 wrote to memory of 824	2168	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe	34
PID 2168 wrote to memory of 824	2168	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe	34
PID 2168 wrote to memory of 824	2168	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe	34
PID 2168 wrote to memory of 824	2168	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe	34
PID 2168 wrote to memory of 2244	2168	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe	33
PID 2168 wrote to memory of 2244	2168	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe	33
PID 2168 wrote to memory of 2244	2168	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe	33
PID 2168 wrote to memory of 2244	2168	{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe	33
PID 824 wrote to memory of 2980	824	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe	36
PID 824 wrote to memory of 2980	824	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe	36
PID 824 wrote to memory of 2980	824	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe	36
PID 824 wrote to memory of 2980	824	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe	36
PID 824 wrote to memory of 1908	824	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe	35
PID 824 wrote to memory of 1908	824	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe	35
PID 824 wrote to memory of 1908	824	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe	35
PID 824 wrote to memory of 1908	824	{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe	35
PID 2980 wrote to memory of 2152	2980	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe	37
PID 2980 wrote to memory of 2152	2980	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe	37
PID 2980 wrote to memory of 2152	2980	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe	37
PID 2980 wrote to memory of 2152	2980	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe	37
PID 2980 wrote to memory of 2240	2980	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe	38
PID 2980 wrote to memory of 2240	2980	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe	38
PID 2980 wrote to memory of 2240	2980	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe	38
PID 2980 wrote to memory of 2240	2980	{428C50C2-4044-481b-81AF-B11B92FCC494}.exe	38
PID 2152 wrote to memory of 2576	2152	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe	39
PID 2152 wrote to memory of 2576	2152	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe	39
PID 2152 wrote to memory of 2576	2152	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe	39
PID 2152 wrote to memory of 2576	2152	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe	39
PID 2152 wrote to memory of 2792	2152	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe	40
PID 2152 wrote to memory of 2792	2152	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe	40
PID 2152 wrote to memory of 2792	2152	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe	40
PID 2152 wrote to memory of 2792	2152	{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe	40
PID 2576 wrote to memory of 3036	2576	{13CF026F-3845-49e9-9412-270706B8277B}.exe	41
PID 2576 wrote to memory of 3036	2576	{13CF026F-3845-49e9-9412-270706B8277B}.exe	41
PID 2576 wrote to memory of 3036	2576	{13CF026F-3845-49e9-9412-270706B8277B}.exe	41
PID 2576 wrote to memory of 3036	2576	{13CF026F-3845-49e9-9412-270706B8277B}.exe	41
PID 2576 wrote to memory of 1040	2576	{13CF026F-3845-49e9-9412-270706B8277B}.exe	42
PID 2576 wrote to memory of 1040	2576	{13CF026F-3845-49e9-9412-270706B8277B}.exe	42
PID 2576 wrote to memory of 1040	2576	{13CF026F-3845-49e9-9412-270706B8277B}.exe	42
PID 2576 wrote to memory of 1040	2576	{13CF026F-3845-49e9-9412-270706B8277B}.exe	42
PID 3036 wrote to memory of 1512	3036	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe	44
PID 3036 wrote to memory of 1512	3036	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe	44
PID 3036 wrote to memory of 1512	3036	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe	44
PID 3036 wrote to memory of 1512	3036	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe	44
PID 3036 wrote to memory of 1132	3036	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe	43
PID 3036 wrote to memory of 1132	3036	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe	43
PID 3036 wrote to memory of 1132	3036	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe	43
PID 3036 wrote to memory of 1132	3036	{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe	43

C:\Users\Admin\AppData\Local\Temp\f14320b6c0dbd7exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\f14320b6c0dbd7exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\{C053EBD8-656F-43c2-A395-972A383FB62F}.exe
  C:\Windows\{C053EBD8-656F-43c2-A395-972A383FB62F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe
    C:\Windows\{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB59~1.EXE > nul
      4⤵
      PID:2244
  - - C:\Windows\{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe
      C:\Windows\{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C68E~1.EXE > nul
        5⤵
        
        PID:1908
    - - C:\Windows\{428C50C2-4044-481b-81AF-B11B92FCC494}.exe
        
        C:\Windows\{428C50C2-4044-481b-81AF-B11B92FCC494}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
      - C:\Windows\{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe
        
        C:\Windows\{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{13CF026F-3845-49e9-9412-270706B8277B}.exe
        
        C:\Windows\{13CF026F-3845-49e9-9412-270706B8277B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
        
        C:\Windows\{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe
        
        C:\Windows\{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0303A~1.EXE > nul
        9⤵
        
        PID:1132
        
        C:\Windows\{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe
        
        C:\Windows\{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe
        
        C:\Windows\{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe
        
        C:\Windows\{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe
        
        C:\Windows\{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe
        
        C:\Windows\{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46DE7~1.EXE > nul
        14⤵
        
        PID:2492
        
        C:\Windows\{99946303-ECEC-4d16-8910-83305A1A14EF}.exe
        
        C:\Windows\{99946303-ECEC-4d16-8910-83305A1A14EF}.exe
        14⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED60F~1.EXE > nul
        13⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04392~1.EXE > nul
        12⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{64B3E~1.EXE > nul
        11⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5915C~1.EXE > nul
        10⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13CF0~1.EXE > nul
        8⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AE6A~1.EXE > nul
        7⤵
        
        PID:2792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{428C5~1.EXE > nul
        6⤵
        
        PID:2240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C053E~1.EXE > nul
    3⤵
    PID:2276
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F14320~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe

Filesize
204KB

MD5
aa1b7770c8adffb82ebd20ea5375f266

SHA1
075873be1d6e839f6a8f255551cad2577806dc4f

SHA256
e6966085aabd4ffc5f6b9f2f474adc2ddf35728101d5c6369e18486e66732ef9

SHA512
4b7a9d280ed6c7b9630313d36b7909c4a24aa14b52121c6fcafc76a7138cf0b7d9b8759e990311ededfc4bead0ef3da7d8716d8bd320757881cfada408fbc553

Download Submit
C:\Windows\{0303AF80-DE3C-4294-8D4B-0EC4450350FC}.exe

Filesize
204KB

MD5
aa1b7770c8adffb82ebd20ea5375f266

SHA1
075873be1d6e839f6a8f255551cad2577806dc4f

SHA256
e6966085aabd4ffc5f6b9f2f474adc2ddf35728101d5c6369e18486e66732ef9

SHA512
4b7a9d280ed6c7b9630313d36b7909c4a24aa14b52121c6fcafc76a7138cf0b7d9b8759e990311ededfc4bead0ef3da7d8716d8bd320757881cfada408fbc553

Download Submit
C:\Windows\{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe

Filesize
204KB

MD5
87c8babe7daa62596b4247516724b17e

SHA1
9c3bb5247e9e8c1739dcf972493c0a0bce0abf0a

SHA256
bbee90bacad8004e5eeedbc6effa792238f08af69da8b4fda176d2fae601faa8

SHA512
fb7ecd86b5462c192b92b96e1fb8afb8d70bdc3cc188397f117f6fcde5ad64fceef340db937d17fd03c0b7296f8968ffb44b2ee47c92dc9c2346855bd614e186

Download Submit
C:\Windows\{04392CD8-F207-4d08-8980-A61EC4EFCD82}.exe

Filesize
204KB

MD5
87c8babe7daa62596b4247516724b17e

SHA1
9c3bb5247e9e8c1739dcf972493c0a0bce0abf0a

SHA256
bbee90bacad8004e5eeedbc6effa792238f08af69da8b4fda176d2fae601faa8

SHA512
fb7ecd86b5462c192b92b96e1fb8afb8d70bdc3cc188397f117f6fcde5ad64fceef340db937d17fd03c0b7296f8968ffb44b2ee47c92dc9c2346855bd614e186

Download Submit
C:\Windows\{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe

Filesize
204KB

MD5
bfc0fd8d38bab3670f6ac1878257cdab

SHA1
26defdfd0cf6f26872dbf426c790e8504c87e00f

SHA256
44d0bb753c4c943dfb96e29e3510acb9a4ab0fe88a4830a53f7296e538c57850

SHA512
3f3dd6493f76fba0b1e96a9337cb698959edde1d016a84d17a7ed24100145e289ea93a8709421180cfd2942a9119c8720f24db72586a2c893c73aada40af6127

Download Submit
C:\Windows\{0AB590CC-D4E2-4a07-BC8A-0400FDF67E6D}.exe

Filesize
204KB

MD5
bfc0fd8d38bab3670f6ac1878257cdab

SHA1
26defdfd0cf6f26872dbf426c790e8504c87e00f

SHA256
44d0bb753c4c943dfb96e29e3510acb9a4ab0fe88a4830a53f7296e538c57850

SHA512
3f3dd6493f76fba0b1e96a9337cb698959edde1d016a84d17a7ed24100145e289ea93a8709421180cfd2942a9119c8720f24db72586a2c893c73aada40af6127

Download Submit
C:\Windows\{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe

Filesize
204KB

MD5
f259d8d175c910e22c3037c3f95069e7

SHA1
28eb805240144f65e22a57f578c4115217d20c7d

SHA256
8f51502a29702206d3368718de057fec02869c0100558760a30c84037b025bc2

SHA512
4ef8255a1856ba7ad9236dbc84f1699bfa6dec7bb4649c3d6a732b01ae93d0bd23ed0140452f7a130c01956147fc572e4d8248954aa03c40e6c1826cfbe6fb01

Download Submit
C:\Windows\{0AE6A754-EFE5-4e77-ADB8-DD66AD603A36}.exe

Filesize
204KB

MD5
f259d8d175c910e22c3037c3f95069e7

SHA1
28eb805240144f65e22a57f578c4115217d20c7d

SHA256
8f51502a29702206d3368718de057fec02869c0100558760a30c84037b025bc2

SHA512
4ef8255a1856ba7ad9236dbc84f1699bfa6dec7bb4649c3d6a732b01ae93d0bd23ed0140452f7a130c01956147fc572e4d8248954aa03c40e6c1826cfbe6fb01

Download Submit
C:\Windows\{13CF026F-3845-49e9-9412-270706B8277B}.exe

Filesize
204KB

MD5
269411c0193e723765c0d8ad97e665e7

SHA1
5713c816f7eac1dfbc279d02530f5c9ef0fceb45

SHA256
10b07969dd3deefc3cd23e9ceb00fd00a637c6c07140c0db8f15d57dbf8861f0

SHA512
e10883c2497ec408a82e03e2ab9e5e7e3539b779b0690c7f8ddb518ecac64e01bb6f19f0804c56f6dd246f422330fb0f0db6b74685dc69b6425089a036ac8860

Download Submit
C:\Windows\{13CF026F-3845-49e9-9412-270706B8277B}.exe

Filesize
204KB

MD5
269411c0193e723765c0d8ad97e665e7

SHA1
5713c816f7eac1dfbc279d02530f5c9ef0fceb45

SHA256
10b07969dd3deefc3cd23e9ceb00fd00a637c6c07140c0db8f15d57dbf8861f0

SHA512
e10883c2497ec408a82e03e2ab9e5e7e3539b779b0690c7f8ddb518ecac64e01bb6f19f0804c56f6dd246f422330fb0f0db6b74685dc69b6425089a036ac8860

Download Submit
C:\Windows\{428C50C2-4044-481b-81AF-B11B92FCC494}.exe

Filesize
204KB

MD5
87ceace45b17f47fe0c40029820d023b

SHA1
b5c41cd78e4689d1dd81ffbcd91f97344e769b99

SHA256
6141d6b33876042a3f9de2d90a932d37d94a5ca030be073d7242c504b251e7ff

SHA512
059274e1dd80deef477fab30313cd22bc59d99e2e0aeb368711371e4eddb409a20e5ec9cb3e140efa5ce9de9fbbd4416f0a168ab81a1e32290ae5274fb72c9ff

Download Submit
C:\Windows\{428C50C2-4044-481b-81AF-B11B92FCC494}.exe

Filesize
204KB

MD5
87ceace45b17f47fe0c40029820d023b

SHA1
b5c41cd78e4689d1dd81ffbcd91f97344e769b99

SHA256
6141d6b33876042a3f9de2d90a932d37d94a5ca030be073d7242c504b251e7ff

SHA512
059274e1dd80deef477fab30313cd22bc59d99e2e0aeb368711371e4eddb409a20e5ec9cb3e140efa5ce9de9fbbd4416f0a168ab81a1e32290ae5274fb72c9ff

Download Submit
C:\Windows\{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe

Filesize
204KB

MD5
4ec000e443941a3f579abab523298035

SHA1
f6a742bd6121019caca9a9dc3204ab395bdc3f3b

SHA256
329a241f89e1480d4fb118de24ed1b9279c27ad9dffab5d09bc6c4c210a81b5a

SHA512
24d9bff29a0a3d9f313fdab40a50ce49e02408737f37d4286a2d37c55c3d6726a47fed168355c833c3d434d134defe6c1ae2a2f245e5730bd4dd0d648671c17d

Download Submit
C:\Windows\{46DE7567-6146-493c-8DCA-5466110B4B3F}.exe

Filesize
204KB

MD5
4ec000e443941a3f579abab523298035

SHA1
f6a742bd6121019caca9a9dc3204ab395bdc3f3b

SHA256
329a241f89e1480d4fb118de24ed1b9279c27ad9dffab5d09bc6c4c210a81b5a

SHA512
24d9bff29a0a3d9f313fdab40a50ce49e02408737f37d4286a2d37c55c3d6726a47fed168355c833c3d434d134defe6c1ae2a2f245e5730bd4dd0d648671c17d

Download Submit
C:\Windows\{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe

Filesize
204KB

MD5
0224749c6e1fa0d3aa26a1fe2fa7b85c

SHA1
3bd537b63141f886ba2062e57d7b914439b4928c

SHA256
25df4f2e360b815998bcb7c087d5f2fe65e421b4a6429fcbc02e4b824ded6d3c

SHA512
6a2fdedc0d6ac1e97e8305e1a08b2d7b0d6c3538a546e030e6ab86b9cb89971b46f5eb27f18fc92fa1ef93b2a524465de02f2a218f59a44e32da9237938669d8

Download Submit
C:\Windows\{5915CE38-475F-4f79-ABE4-F1A5BD743FF2}.exe

Filesize
204KB

MD5
0224749c6e1fa0d3aa26a1fe2fa7b85c

SHA1
3bd537b63141f886ba2062e57d7b914439b4928c

SHA256
25df4f2e360b815998bcb7c087d5f2fe65e421b4a6429fcbc02e4b824ded6d3c

SHA512
6a2fdedc0d6ac1e97e8305e1a08b2d7b0d6c3538a546e030e6ab86b9cb89971b46f5eb27f18fc92fa1ef93b2a524465de02f2a218f59a44e32da9237938669d8

Download Submit
C:\Windows\{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe

Filesize
204KB

MD5
d3978a0f2ea6de115971d8eaee1cf9b4

SHA1
c607f3c1ad7baadaf86d4c1a02672522113e9de0

SHA256
eac90d0183b30063f85ab0460d4b4deced8e1fe8f9ea9ed3f2989211fe952124

SHA512
0eacf1f4dbf476f4de6b06525b52825dc2dce48c3103e768a015adb9fcedb995dfd24fa16c22b14ecc2902e4ed7749de57e8cad38b5656add05e7fcda0bf8cc0

Download Submit
C:\Windows\{5C68E8F0-BC97-4f36-90FF-4381F923FCBC}.exe

Filesize
204KB

MD5
d3978a0f2ea6de115971d8eaee1cf9b4

SHA1
c607f3c1ad7baadaf86d4c1a02672522113e9de0

SHA256
eac90d0183b30063f85ab0460d4b4deced8e1fe8f9ea9ed3f2989211fe952124

SHA512
0eacf1f4dbf476f4de6b06525b52825dc2dce48c3103e768a015adb9fcedb995dfd24fa16c22b14ecc2902e4ed7749de57e8cad38b5656add05e7fcda0bf8cc0

Download Submit
C:\Windows\{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe

Filesize
204KB

MD5
1f2546c297f5dbcd0e6fc54066473f78

SHA1
8d01b5d72bc43813eaf8d5353420f33b21fd7d03

SHA256
a1559d5b74e38c06c6b89c9908c953b7918d07be3622768c362c6e8074420aa2

SHA512
7cc84a4f364b1bdc469e9d0d2812edde4aaca6e3581e853e41e3c2b20ad1cfda19028feb1fc65f938962f89de74212c3b2af709cac6eaa3aefd31dc1e277a449

Download Submit
C:\Windows\{64B3EA11-A95E-400f-B4F2-E76A3CD76D16}.exe

Filesize
204KB

MD5
1f2546c297f5dbcd0e6fc54066473f78

SHA1
8d01b5d72bc43813eaf8d5353420f33b21fd7d03

SHA256
a1559d5b74e38c06c6b89c9908c953b7918d07be3622768c362c6e8074420aa2

SHA512
7cc84a4f364b1bdc469e9d0d2812edde4aaca6e3581e853e41e3c2b20ad1cfda19028feb1fc65f938962f89de74212c3b2af709cac6eaa3aefd31dc1e277a449

Download Submit
C:\Windows\{99946303-ECEC-4d16-8910-83305A1A14EF}.exe

Filesize
204KB

MD5
30eb951a557bcff503eb130c8004db65

SHA1
c21306e64370da67162d646ca2f24b970ad348e7

SHA256
5a317a75d661e965cdfeb90c2f39a2fd5c830a646a85402b81079665457b1403

SHA512
04a6a277a9d52f300cb6c6a51802f2e990e42c0a522681d37d8863e056f44e8fe7979d7305cb0f735c08a71f9e08c82a76dfdada41fd5c04b3a535b87ec3094f

Download Submit
C:\Windows\{C053EBD8-656F-43c2-A395-972A383FB62F}.exe

Filesize
204KB

MD5
b32a10651bff5754cf7e7a404c1706dd

SHA1
7c9372e8028a5d6c244d913f3804e8dc6bd6653d

SHA256
dae12a54bfdb69f4f3f213e2c630009b6f135926078b43dac857c408f80cad69

SHA512
c4769121084953293c26de4d22544ad0e0f43dcf932d30d0f7d3d2983bce94f08075e74fa0c0b585f63124c3a6583e65f978cefb60401d7dcf532ec2b054d550

Download Submit
C:\Windows\{C053EBD8-656F-43c2-A395-972A383FB62F}.exe

Filesize
204KB

MD5
b32a10651bff5754cf7e7a404c1706dd

SHA1
7c9372e8028a5d6c244d913f3804e8dc6bd6653d

SHA256
dae12a54bfdb69f4f3f213e2c630009b6f135926078b43dac857c408f80cad69

SHA512
c4769121084953293c26de4d22544ad0e0f43dcf932d30d0f7d3d2983bce94f08075e74fa0c0b585f63124c3a6583e65f978cefb60401d7dcf532ec2b054d550

Download Submit
C:\Windows\{C053EBD8-656F-43c2-A395-972A383FB62F}.exe

Filesize
204KB

MD5
b32a10651bff5754cf7e7a404c1706dd

SHA1
7c9372e8028a5d6c244d913f3804e8dc6bd6653d

SHA256
dae12a54bfdb69f4f3f213e2c630009b6f135926078b43dac857c408f80cad69

SHA512
c4769121084953293c26de4d22544ad0e0f43dcf932d30d0f7d3d2983bce94f08075e74fa0c0b585f63124c3a6583e65f978cefb60401d7dcf532ec2b054d550

Download Submit
C:\Windows\{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe

Filesize
204KB

MD5
66678e3aa9dcadfb347e70944b70b075

SHA1
e9a2fb226daa4dd9b452849f01725c2a1ba5acc9

SHA256
22d284a8574738b3abff446b7cec6a8cd2b035eed139c9af62220e07664af812

SHA512
02e3cbd407ce1dc71de6d1ceca1a3487239f517bb0ac8fa9ac6a75ea5b42799083706a9f561383550d9758c16dd517bf4934dc200404182273e9490796a531d9

Download Submit
C:\Windows\{ED60F3EC-7C87-44e8-AFFC-D1C6450308A1}.exe

Filesize
204KB

MD5
66678e3aa9dcadfb347e70944b70b075

SHA1
e9a2fb226daa4dd9b452849f01725c2a1ba5acc9

SHA256
22d284a8574738b3abff446b7cec6a8cd2b035eed139c9af62220e07664af812

SHA512
02e3cbd407ce1dc71de6d1ceca1a3487239f517bb0ac8fa9ac6a75ea5b42799083706a9f561383550d9758c16dd517bf4934dc200404182273e9490796a531d9

Download Submit