6e22f4c09b07a0714d7b223b23afb3d978f60a168d2856d8324d89415672fa98

Analysis

max time kernel
149s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f15d14f387f1aaexeexeexeex.exe
Size

204KB
MD5

f15d14f387f1aac42362238cb91abdd2
SHA1

a21bfafdf4f178b366c6d312255a2b72291a41a6
SHA256

6e22f4c09b07a0714d7b223b23afb3d978f60a168d2856d8324d89415672fa98
SHA512

fd5880fca5c3d956f96e5b03697064baf0529ace3beb236a38331f7c5392de2327c50d093df2be2863cc3159041bac6d02694272dd57900312e67d0117fd7378
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o4l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97872868-F2C7-491a-A6B4-4837FA014F32}\stubpath = "C:\\Windows\\{97872868-F2C7-491a-A6B4-4837FA014F32}.exe"	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873FA936-E509-4481-A4E9-3B59140BB001}\stubpath = "C:\\Windows\\{873FA936-E509-4481-A4E9-3B59140BB001}.exe"	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0864C037-B3F2-49e0-871F-08DC30B20530}	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}\stubpath = "C:\\Windows\\{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe"	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E87682A9-FD90-4654-8896-BD0A90A5870F}	{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E87682A9-FD90-4654-8896-BD0A90A5870F}\stubpath = "C:\\Windows\\{E87682A9-FD90-4654-8896-BD0A90A5870F}.exe"	{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5753BF2-2086-4954-92E3-FAFA68907724}	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5753BF2-2086-4954-92E3-FAFA68907724}\stubpath = "C:\\Windows\\{F5753BF2-2086-4954-92E3-FAFA68907724}.exe"	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{334D6B6B-5223-457f-BB09-940472A2D6F7}	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0864C037-B3F2-49e0-871F-08DC30B20530}\stubpath = "C:\\Windows\\{0864C037-B3F2-49e0-871F-08DC30B20530}.exe"	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7775917-2953-47c6-89BD-6A5D1BB96836}\stubpath = "C:\\Windows\\{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe"	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F873F4A4-0C47-4067-99FE-77CA4B9E5806}	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{873FA936-E509-4481-A4E9-3B59140BB001}	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD9F0371-2DD2-44ed-ACCC-807C1362659D}	{873FA936-E509-4481-A4E9-3B59140BB001}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{334D6B6B-5223-457f-BB09-940472A2D6F7}\stubpath = "C:\\Windows\\{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe"	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}\stubpath = "C:\\Windows\\{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe"	{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51851AFF-C226-414e-83D8-65B1D24A5B3A}	f15d14f387f1aaexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7775917-2953-47c6-89BD-6A5D1BB96836}	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F873F4A4-0C47-4067-99FE-77CA4B9E5806}\stubpath = "C:\\Windows\\{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe"	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD9F0371-2DD2-44ed-ACCC-807C1362659D}\stubpath = "C:\\Windows\\{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe"	{873FA936-E509-4481-A4E9-3B59140BB001}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}	{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51851AFF-C226-414e-83D8-65B1D24A5B3A}\stubpath = "C:\\Windows\\{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe"	f15d14f387f1aaexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97872868-F2C7-491a-A6B4-4837FA014F32}	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe

Executes dropped EXE 12 IoCs

pid	Process
1184	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe
1680	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe
1464	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe
1352	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe
4720	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe
32	{873FA936-E509-4481-A4E9-3B59140BB001}.exe
908	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe
5016	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe
4448	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe
4764	{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe
5112	{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe
4604	{E87682A9-FD90-4654-8896-BD0A90A5870F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F5753BF2-2086-4954-92E3-FAFA68907724}.exe	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe
File created	C:\Windows\{97872868-F2C7-491a-A6B4-4837FA014F32}.exe	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe
File created	C:\Windows\{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe	{873FA936-E509-4481-A4E9-3B59140BB001}.exe
File created	C:\Windows\{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe
File created	C:\Windows\{E87682A9-FD90-4654-8896-BD0A90A5870F}.exe	{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe
File created	C:\Windows\{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe	f15d14f387f1aaexeexeexeex.exe
File created	C:\Windows\{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe
File created	C:\Windows\{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe
File created	C:\Windows\{873FA936-E509-4481-A4E9-3B59140BB001}.exe	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe
File created	C:\Windows\{0864C037-B3F2-49e0-871F-08DC30B20530}.exe	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe
File created	C:\Windows\{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe
File created	C:\Windows\{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe	{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2592	f15d14f387f1aaexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1184	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe
Token: SeIncBasePriorityPrivilege	1680	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe
Token: SeIncBasePriorityPrivilege	1464	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe
Token: SeIncBasePriorityPrivilege	1352	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe
Token: SeIncBasePriorityPrivilege	4720	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe
Token: SeIncBasePriorityPrivilege	32	{873FA936-E509-4481-A4E9-3B59140BB001}.exe
Token: SeIncBasePriorityPrivilege	908	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe
Token: SeIncBasePriorityPrivilege	5016	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe
Token: SeIncBasePriorityPrivilege	4448	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe
Token: SeIncBasePriorityPrivilege	4764	{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe
Token: SeIncBasePriorityPrivilege	5112	{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2592 wrote to memory of 1184	2592	f15d14f387f1aaexeexeexeex.exe	90
PID 2592 wrote to memory of 1184	2592	f15d14f387f1aaexeexeexeex.exe	90
PID 2592 wrote to memory of 1184	2592	f15d14f387f1aaexeexeexeex.exe	90
PID 2592 wrote to memory of 5012	2592	f15d14f387f1aaexeexeexeex.exe	91
PID 2592 wrote to memory of 5012	2592	f15d14f387f1aaexeexeexeex.exe	91
PID 2592 wrote to memory of 5012	2592	f15d14f387f1aaexeexeexeex.exe	91
PID 1184 wrote to memory of 1680	1184	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe	95
PID 1184 wrote to memory of 1680	1184	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe	95
PID 1184 wrote to memory of 1680	1184	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe	95
PID 1184 wrote to memory of 3964	1184	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe	96
PID 1184 wrote to memory of 3964	1184	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe	96
PID 1184 wrote to memory of 3964	1184	{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe	96
PID 1680 wrote to memory of 1464	1680	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe	99
PID 1680 wrote to memory of 1464	1680	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe	99
PID 1680 wrote to memory of 1464	1680	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe	99
PID 1680 wrote to memory of 2228	1680	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe	100
PID 1680 wrote to memory of 2228	1680	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe	100
PID 1680 wrote to memory of 2228	1680	{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe	100
PID 1464 wrote to memory of 1352	1464	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe	101
PID 1464 wrote to memory of 1352	1464	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe	101
PID 1464 wrote to memory of 1352	1464	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe	101
PID 1464 wrote to memory of 872	1464	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe	102
PID 1464 wrote to memory of 872	1464	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe	102
PID 1464 wrote to memory of 872	1464	{F5753BF2-2086-4954-92E3-FAFA68907724}.exe	102
PID 1352 wrote to memory of 4720	1352	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe	103
PID 1352 wrote to memory of 4720	1352	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe	103
PID 1352 wrote to memory of 4720	1352	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe	103
PID 1352 wrote to memory of 3036	1352	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe	104
PID 1352 wrote to memory of 3036	1352	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe	104
PID 1352 wrote to memory of 3036	1352	{97872868-F2C7-491a-A6B4-4837FA014F32}.exe	104
PID 4720 wrote to memory of 32	4720	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe	106
PID 4720 wrote to memory of 32	4720	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe	106
PID 4720 wrote to memory of 32	4720	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe	106
PID 4720 wrote to memory of 1820	4720	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe	107
PID 4720 wrote to memory of 1820	4720	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe	107
PID 4720 wrote to memory of 1820	4720	{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe	107
PID 32 wrote to memory of 908	32	{873FA936-E509-4481-A4E9-3B59140BB001}.exe	108
PID 32 wrote to memory of 908	32	{873FA936-E509-4481-A4E9-3B59140BB001}.exe	108
PID 32 wrote to memory of 908	32	{873FA936-E509-4481-A4E9-3B59140BB001}.exe	108
PID 32 wrote to memory of 3520	32	{873FA936-E509-4481-A4E9-3B59140BB001}.exe	109
PID 32 wrote to memory of 3520	32	{873FA936-E509-4481-A4E9-3B59140BB001}.exe	109
PID 32 wrote to memory of 3520	32	{873FA936-E509-4481-A4E9-3B59140BB001}.exe	109
PID 908 wrote to memory of 5016	908	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe	110
PID 908 wrote to memory of 5016	908	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe	110
PID 908 wrote to memory of 5016	908	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe	110
PID 908 wrote to memory of 3044	908	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe	111
PID 908 wrote to memory of 3044	908	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe	111
PID 908 wrote to memory of 3044	908	{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe	111
PID 5016 wrote to memory of 4448	5016	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe	119
PID 5016 wrote to memory of 4448	5016	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe	119
PID 5016 wrote to memory of 4448	5016	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe	119
PID 5016 wrote to memory of 1748	5016	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe	120
PID 5016 wrote to memory of 1748	5016	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe	120
PID 5016 wrote to memory of 1748	5016	{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe	120
PID 4448 wrote to memory of 4764	4448	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe	121
PID 4448 wrote to memory of 4764	4448	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe	121
PID 4448 wrote to memory of 4764	4448	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe	121
PID 4448 wrote to memory of 2912	4448	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe	122
PID 4448 wrote to memory of 2912	4448	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe	122
PID 4448 wrote to memory of 2912	4448	{0864C037-B3F2-49e0-871F-08DC30B20530}.exe	122
PID 4764 wrote to memory of 5112	4764	{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe	123
PID 4764 wrote to memory of 5112	4764	{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe	123
PID 4764 wrote to memory of 5112	4764	{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe	123
PID 4764 wrote to memory of 972	4764	{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe	124

C:\Users\Admin\AppData\Local\Temp\f15d14f387f1aaexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\f15d14f387f1aaexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592
- C:\Windows\{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe
  C:\Windows\{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1184
- - C:\Windows\{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe
    C:\Windows\{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1680
  - - C:\Windows\{F5753BF2-2086-4954-92E3-FAFA68907724}.exe
      C:\Windows\{F5753BF2-2086-4954-92E3-FAFA68907724}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1464
    - - C:\Windows\{97872868-F2C7-491a-A6B4-4837FA014F32}.exe
        
        C:\Windows\{97872868-F2C7-491a-A6B4-4837FA014F32}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
      - C:\Windows\{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe
        
        C:\Windows\{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{873FA936-E509-4481-A4E9-3B59140BB001}.exe
        
        C:\Windows\{873FA936-E509-4481-A4E9-3B59140BB001}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe
        
        C:\Windows\{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe
        
        C:\Windows\{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{0864C037-B3F2-49e0-871F-08DC30B20530}.exe
        
        C:\Windows\{0864C037-B3F2-49e0-871F-08DC30B20530}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4448
        
        C:\Windows\{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe
        
        C:\Windows\{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe
        
        C:\Windows\{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B960F~1.EXE > nul
        13⤵
        
        PID:2440
        
        C:\Windows\{E87682A9-FD90-4654-8896-BD0A90A5870F}.exe
        
        C:\Windows\{E87682A9-FD90-4654-8896-BD0A90A5870F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1DB26~1.EXE > nul
        12⤵
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0864C~1.EXE > nul
        11⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{334D6~1.EXE > nul
        10⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD9F0~1.EXE > nul
        9⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{873FA~1.EXE > nul
        8⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F873F~1.EXE > nul
        7⤵
        
        PID:1820
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97872~1.EXE > nul
        6⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5753~1.EXE > nul
        5⤵
        
        PID:872
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7775~1.EXE > nul
      4⤵
      PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{51851~1.EXE > nul
    3⤵
    PID:3964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F15D14~1.EXE > nul
  2⤵
  PID:5012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0864C037-B3F2-49e0-871F-08DC30B20530}.exe

Filesize
204KB

MD5
ae650c6e03906e2819af93176666a779

SHA1
bba2909c12ba5a1c7db8309a7da61e9d4eb35bf4

SHA256
32f7011f42ed3e973cfa7b1e181911447d8786b0ee16b8f0425cc7fdc494ea1f

SHA512
a71b825297166c32df21411fb4673486a479e73b503012cc27cafee30315f4b5b1308aeef9458eb1c827a5004063c4289af0e7a2f0ec8790dad6b90b053507df

Download Submit
C:\Windows\{0864C037-B3F2-49e0-871F-08DC30B20530}.exe

Filesize
204KB

MD5
ae650c6e03906e2819af93176666a779

SHA1
bba2909c12ba5a1c7db8309a7da61e9d4eb35bf4

SHA256
32f7011f42ed3e973cfa7b1e181911447d8786b0ee16b8f0425cc7fdc494ea1f

SHA512
a71b825297166c32df21411fb4673486a479e73b503012cc27cafee30315f4b5b1308aeef9458eb1c827a5004063c4289af0e7a2f0ec8790dad6b90b053507df

Download Submit
C:\Windows\{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe

Filesize
204KB

MD5
0041c5e80c8921850a1f5b6cdd941b86

SHA1
13d6de639fb55143576eaa5a0f2e6e2e509e1e31

SHA256
b45f87a2f8a06afcb2c91bfaead66ff633c05dd2e0b902978c3fa010a477c6b0

SHA512
2ce81c0112eaf5dcdb1f06973fe7ba82f81958254500096ad627f7c5aa777150e88e73e9f1c02871743a4d573d0835deb190f496a51c5157b4fe768088ff6ed8

Download Submit
C:\Windows\{1DB266C1-DDD9-4a37-9DE0-B4FF686923B3}.exe

Filesize
204KB

MD5
0041c5e80c8921850a1f5b6cdd941b86

SHA1
13d6de639fb55143576eaa5a0f2e6e2e509e1e31

SHA256
b45f87a2f8a06afcb2c91bfaead66ff633c05dd2e0b902978c3fa010a477c6b0

SHA512
2ce81c0112eaf5dcdb1f06973fe7ba82f81958254500096ad627f7c5aa777150e88e73e9f1c02871743a4d573d0835deb190f496a51c5157b4fe768088ff6ed8

Download Submit
C:\Windows\{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe

Filesize
204KB

MD5
01e0ddb7f8e98276d5b57c4d762a05c0

SHA1
02f3bc2219355dc404f0287eb285a17048bbd5cf

SHA256
2f7d8d9b8a4090cc3a354462a7134252ff4f0836eafdd6deaec20615e4ec7ce8

SHA512
3190fe76432bf8821bb1250ca26c0745bf02eae5c70cfaad1e2db1aedc06f26f115118d16d87388a8f5fff6e196dd28143f20a43c4c4e6c1e3f39b9276f5d01c

Download Submit
C:\Windows\{334D6B6B-5223-457f-BB09-940472A2D6F7}.exe

Filesize
204KB

MD5
01e0ddb7f8e98276d5b57c4d762a05c0

SHA1
02f3bc2219355dc404f0287eb285a17048bbd5cf

SHA256
2f7d8d9b8a4090cc3a354462a7134252ff4f0836eafdd6deaec20615e4ec7ce8

SHA512
3190fe76432bf8821bb1250ca26c0745bf02eae5c70cfaad1e2db1aedc06f26f115118d16d87388a8f5fff6e196dd28143f20a43c4c4e6c1e3f39b9276f5d01c

Download Submit
C:\Windows\{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe

Filesize
204KB

MD5
1ac933aa0411cce10ab6a22688e7bb0c

SHA1
679b94db2f36073f4b3b451c908fd245c04d7a39

SHA256
964306d324773c34f8ef5aa377a4c8ea368e43825873b2e2c02647ac3fed309e

SHA512
57b5398dae90e5c90a8c7af1b31883c62f96213982f42ca7692fd2472fe09f44e9313b33ecb08cba714b187307d6a8982bc53171bf4e39787d03684e250fed09

Download Submit
C:\Windows\{51851AFF-C226-414e-83D8-65B1D24A5B3A}.exe

Filesize
204KB

MD5
1ac933aa0411cce10ab6a22688e7bb0c

SHA1
679b94db2f36073f4b3b451c908fd245c04d7a39

SHA256
964306d324773c34f8ef5aa377a4c8ea368e43825873b2e2c02647ac3fed309e

SHA512
57b5398dae90e5c90a8c7af1b31883c62f96213982f42ca7692fd2472fe09f44e9313b33ecb08cba714b187307d6a8982bc53171bf4e39787d03684e250fed09

Download Submit
C:\Windows\{873FA936-E509-4481-A4E9-3B59140BB001}.exe

Filesize
204KB

MD5
1bbd325f74f9bfa5bf677e48ba500f1e

SHA1
51f1f722df59fdebbcf9d39be546fe4225881d7e

SHA256
5ea7ede73fe6de544a2dd14d39a3945867708409bca0ae36939a2797f921afeb

SHA512
57c5297f46c18ec8435c69779d92160026717ff58d20448739d87c5ac912d965374f1c573ba891e23a73c2ab85a9ee4965e3cd4799bab1879d179f98f00df2d7

Download Submit
C:\Windows\{873FA936-E509-4481-A4E9-3B59140BB001}.exe

Filesize
204KB

MD5
1bbd325f74f9bfa5bf677e48ba500f1e

SHA1
51f1f722df59fdebbcf9d39be546fe4225881d7e

SHA256
5ea7ede73fe6de544a2dd14d39a3945867708409bca0ae36939a2797f921afeb

SHA512
57c5297f46c18ec8435c69779d92160026717ff58d20448739d87c5ac912d965374f1c573ba891e23a73c2ab85a9ee4965e3cd4799bab1879d179f98f00df2d7

Download Submit
C:\Windows\{97872868-F2C7-491a-A6B4-4837FA014F32}.exe

Filesize
204KB

MD5
fa18fd78be4e9588a398395e58ca125c

SHA1
c313b435b83c7ceaed448916d909db3299be55aa

SHA256
6ba7ac1b506ec802f6e451c4e6adc391bc91e53f88803ed9646f60d10a39bd02

SHA512
340f358dda58d5fad0da61f1f77f77bb428f4eb305a07e2e16173c013849c6b09bfc87bfdabedb71fae40485d239fee6e938e5078acd8518f618f8a5daf57aff

Download Submit
C:\Windows\{97872868-F2C7-491a-A6B4-4837FA014F32}.exe

Filesize
204KB

MD5
fa18fd78be4e9588a398395e58ca125c

SHA1
c313b435b83c7ceaed448916d909db3299be55aa

SHA256
6ba7ac1b506ec802f6e451c4e6adc391bc91e53f88803ed9646f60d10a39bd02

SHA512
340f358dda58d5fad0da61f1f77f77bb428f4eb305a07e2e16173c013849c6b09bfc87bfdabedb71fae40485d239fee6e938e5078acd8518f618f8a5daf57aff

Download Submit
C:\Windows\{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe

Filesize
204KB

MD5
e62ee85f944feb9c7f96b90b5a737aaa

SHA1
7a47d944829073a235903183e08a505f4954b0ea

SHA256
3bc107dcc7968530903189b6c2da96cb4372c0913472587470b3d9ab2d84f99e

SHA512
a7338253df61316f155b67c048d82b932790407fade2c35e0b421e67382f8b1453052baaba41368a6a433dcfb5324abc8f48b1561694af448690abe1fbaec487

Download Submit
C:\Windows\{A7775917-2953-47c6-89BD-6A5D1BB96836}.exe

Filesize
204KB

MD5
e62ee85f944feb9c7f96b90b5a737aaa

SHA1
7a47d944829073a235903183e08a505f4954b0ea

SHA256
3bc107dcc7968530903189b6c2da96cb4372c0913472587470b3d9ab2d84f99e

SHA512
a7338253df61316f155b67c048d82b932790407fade2c35e0b421e67382f8b1453052baaba41368a6a433dcfb5324abc8f48b1561694af448690abe1fbaec487

Download Submit
C:\Windows\{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe

Filesize
204KB

MD5
f6757c1707d4c8950a293375fea1276d

SHA1
e9866158c2b4b79928ee231641d3fea3596b65f3

SHA256
1eb549904440da270f49b1fc1e378abf74f3a4eb4d0cd82b71e7746747deffbd

SHA512
d8d3f82d62252555a25f328843ea4655c3e88554ff1fd1a6a9d3c22e11f18d39600187b2fc71dd2ef504f43c44b7f5cb272973426f773a7a40a9f3d2d929c2df

Download Submit
C:\Windows\{B960FA8B-8E3E-4c56-BE82-A4854D4C062E}.exe

Filesize
204KB

MD5
f6757c1707d4c8950a293375fea1276d

SHA1
e9866158c2b4b79928ee231641d3fea3596b65f3

SHA256
1eb549904440da270f49b1fc1e378abf74f3a4eb4d0cd82b71e7746747deffbd

SHA512
d8d3f82d62252555a25f328843ea4655c3e88554ff1fd1a6a9d3c22e11f18d39600187b2fc71dd2ef504f43c44b7f5cb272973426f773a7a40a9f3d2d929c2df

Download Submit
C:\Windows\{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe

Filesize
204KB

MD5
b7437781e71371e8358073105a861418

SHA1
b24a29c821c0e51948b8c9ffb553bd18def9200c

SHA256
cb6109bd4ba35f20a2611036279394fe3235ceda5ec77358107098f70b39b612

SHA512
0ddc7ca841b2651d8ecf51c9d252302e2df024af3c77a52be159614496b453cbe7147730fcda6a3f86b6efef3a87797b315ced2af5f16ee1ceb30748a7f7c6c6

Download Submit
C:\Windows\{BD9F0371-2DD2-44ed-ACCC-807C1362659D}.exe

Filesize
204KB

MD5
b7437781e71371e8358073105a861418

SHA1
b24a29c821c0e51948b8c9ffb553bd18def9200c

SHA256
cb6109bd4ba35f20a2611036279394fe3235ceda5ec77358107098f70b39b612

SHA512
0ddc7ca841b2651d8ecf51c9d252302e2df024af3c77a52be159614496b453cbe7147730fcda6a3f86b6efef3a87797b315ced2af5f16ee1ceb30748a7f7c6c6

Download Submit
C:\Windows\{E87682A9-FD90-4654-8896-BD0A90A5870F}.exe

Filesize
204KB

MD5
aea4d5d626966dccdab50c4019d0fffb

SHA1
9b344a30d79d8dec6a542c1aad7f0f7a708351fa

SHA256
2e1d2ba570ed017130d3149fb2c58c541cde396a2b62153a41dd5cfa26e0937d

SHA512
c78c9da3e5d1598b40c568f041abcec33cae7f283323d7781c2fd4a300ba4c750cca39bdfb70d16b1019f8611ac3f477121881e929433c0fbb46dbbee8ce5620

Download Submit
C:\Windows\{E87682A9-FD90-4654-8896-BD0A90A5870F}.exe

Filesize
204KB

MD5
aea4d5d626966dccdab50c4019d0fffb

SHA1
9b344a30d79d8dec6a542c1aad7f0f7a708351fa

SHA256
2e1d2ba570ed017130d3149fb2c58c541cde396a2b62153a41dd5cfa26e0937d

SHA512
c78c9da3e5d1598b40c568f041abcec33cae7f283323d7781c2fd4a300ba4c750cca39bdfb70d16b1019f8611ac3f477121881e929433c0fbb46dbbee8ce5620

Download Submit
C:\Windows\{F5753BF2-2086-4954-92E3-FAFA68907724}.exe

Filesize
204KB

MD5
20ffd3b6f26955b6164e69b225a8106b

SHA1
6bdee08a57479feef22c4cb35f0295cbebc82375

SHA256
7a54cc1e514b7f2584a7631d9504f4906cb95a37378f888604eef5bcac6680b6

SHA512
5f69acbfe7053ccea74ee0f0c07fc674f3e3fb2f24a489199794f0bd986b90d9c96665a8a759fdde807ca00f6b23f47b52032baffe2bc8bc0473b02df538522d

Download Submit
C:\Windows\{F5753BF2-2086-4954-92E3-FAFA68907724}.exe

Filesize
204KB

MD5
20ffd3b6f26955b6164e69b225a8106b

SHA1
6bdee08a57479feef22c4cb35f0295cbebc82375

SHA256
7a54cc1e514b7f2584a7631d9504f4906cb95a37378f888604eef5bcac6680b6

SHA512
5f69acbfe7053ccea74ee0f0c07fc674f3e3fb2f24a489199794f0bd986b90d9c96665a8a759fdde807ca00f6b23f47b52032baffe2bc8bc0473b02df538522d

Download Submit
C:\Windows\{F5753BF2-2086-4954-92E3-FAFA68907724}.exe

Filesize
204KB

MD5
20ffd3b6f26955b6164e69b225a8106b

SHA1
6bdee08a57479feef22c4cb35f0295cbebc82375

SHA256
7a54cc1e514b7f2584a7631d9504f4906cb95a37378f888604eef5bcac6680b6

SHA512
5f69acbfe7053ccea74ee0f0c07fc674f3e3fb2f24a489199794f0bd986b90d9c96665a8a759fdde807ca00f6b23f47b52032baffe2bc8bc0473b02df538522d

Download Submit
C:\Windows\{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe

Filesize
204KB

MD5
1eb75a5f92174561172fea455cae0fff

SHA1
090edefe1dfecc24b24ccc7fea096ba461072f04

SHA256
731b5db67454cdcce935ccdd05ebade26eb06fe0189875d0756360df8676c94e

SHA512
aa0d66659f2f9b7973b46fbe1fd45aef7aa679b666b76b246c87b5ca20a0de08c93ad440e775db815a7b568939cd4b805372241e173f6a5063514d7976c2ed9c

Download Submit
C:\Windows\{F873F4A4-0C47-4067-99FE-77CA4B9E5806}.exe

Filesize
204KB

MD5
1eb75a5f92174561172fea455cae0fff

SHA1
090edefe1dfecc24b24ccc7fea096ba461072f04

SHA256
731b5db67454cdcce935ccdd05ebade26eb06fe0189875d0756360df8676c94e

SHA512
aa0d66659f2f9b7973b46fbe1fd45aef7aa679b666b76b246c87b5ca20a0de08c93ad440e775db815a7b568939cd4b805372241e173f6a5063514d7976c2ed9c

Download Submit