211919c83f55760996184d4063f5e85d19fa0b96848f592e1564291e02d8d5e1

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 20:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

552147f2fd8725exeexeexeex.exe
Size

408KB
MD5

552147f2fd872577bd152106ae62e283
SHA1

2dee8541e876c336fa3f00a2ba538ab8c1d830f8
SHA256

211919c83f55760996184d4063f5e85d19fa0b96848f592e1564291e02d8d5e1
SHA512

b29042860751df60bce9f7d219d1772701a0e9492e7436d052ddd00d7447283b068a138f438e222e381c0439b407079b0e6fdaf6363f08991c6408c0b0800ad5
SSDEEP

3072:CEGh0obl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG1ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}\stubpath = "C:\\Windows\\{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe"	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}\stubpath = "C:\\Windows\\{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe"	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29267999-147F-4b24-B709-2B7EE7FEC967}\stubpath = "C:\\Windows\\{29267999-147F-4b24-B709-2B7EE7FEC967}.exe"	{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59AF5BE7-E558-4393-B2AD-908BD97E2600}	{29267999-147F-4b24-B709-2B7EE7FEC967}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F87C3F6-463D-416d-B39D-18BF7A708178}\stubpath = "C:\\Windows\\{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe"	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}\stubpath = "C:\\Windows\\{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe"	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F84446CC-F023-4aa9-BE33-BCB3F720994D}	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F84446CC-F023-4aa9-BE33-BCB3F720994D}\stubpath = "C:\\Windows\\{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe"	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{479D833A-7B29-47f3-9684-9D5CBFFABD8A}	552147f2fd8725exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{479D833A-7B29-47f3-9684-9D5CBFFABD8A}\stubpath = "C:\\Windows\\{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe"	552147f2fd8725exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F87C3F6-463D-416d-B39D-18BF7A708178}	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}\stubpath = "C:\\Windows\\{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe"	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB001DE8-117C-46a1-8038-CC4C7BA0C638}	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8004A3-775C-423c-BACA-DACB2FCECF4A}	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA8004A3-775C-423c-BACA-DACB2FCECF4A}\stubpath = "C:\\Windows\\{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe"	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29267999-147F-4b24-B709-2B7EE7FEC967}	{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB001DE8-117C-46a1-8038-CC4C7BA0C638}\stubpath = "C:\\Windows\\{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe"	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}\stubpath = "C:\\Windows\\{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe"	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59AF5BE7-E558-4393-B2AD-908BD97E2600}\stubpath = "C:\\Windows\\{59AF5BE7-E558-4393-B2AD-908BD97E2600}.exe"	{29267999-147F-4b24-B709-2B7EE7FEC967}.exe

Executes dropped EXE 12 IoCs

pid	Process
4904	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe
3572	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe
1596	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe
948	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe
2736	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe
4092	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe
5100	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe
3952	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe
1896	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe
5084	{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe
3368	{29267999-147F-4b24-B709-2B7EE7FEC967}.exe
708	{59AF5BE7-E558-4393-B2AD-908BD97E2600}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe
File created	C:\Windows\{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe
File created	C:\Windows\{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe
File created	C:\Windows\{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe
File created	C:\Windows\{29267999-147F-4b24-B709-2B7EE7FEC967}.exe	{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe
File created	C:\Windows\{59AF5BE7-E558-4393-B2AD-908BD97E2600}.exe	{29267999-147F-4b24-B709-2B7EE7FEC967}.exe
File created	C:\Windows\{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe	552147f2fd8725exeexeexeex.exe
File created	C:\Windows\{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe
File created	C:\Windows\{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe
File created	C:\Windows\{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe
File created	C:\Windows\{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe
File created	C:\Windows\{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3140	552147f2fd8725exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4904	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe
Token: SeIncBasePriorityPrivilege	3572	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe
Token: SeIncBasePriorityPrivilege	1596	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe
Token: SeIncBasePriorityPrivilege	948	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe
Token: SeIncBasePriorityPrivilege	2736	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe
Token: SeIncBasePriorityPrivilege	4092	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe
Token: SeIncBasePriorityPrivilege	5100	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe
Token: SeIncBasePriorityPrivilege	3952	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe
Token: SeIncBasePriorityPrivilege	1896	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe
Token: SeIncBasePriorityPrivilege	5084	{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe
Token: SeIncBasePriorityPrivilege	3368	{29267999-147F-4b24-B709-2B7EE7FEC967}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3140 wrote to memory of 4904	3140	552147f2fd8725exeexeexeex.exe	84
PID 3140 wrote to memory of 4904	3140	552147f2fd8725exeexeexeex.exe	84
PID 3140 wrote to memory of 4904	3140	552147f2fd8725exeexeexeex.exe	84
PID 3140 wrote to memory of 4800	3140	552147f2fd8725exeexeexeex.exe	85
PID 3140 wrote to memory of 4800	3140	552147f2fd8725exeexeexeex.exe	85
PID 3140 wrote to memory of 4800	3140	552147f2fd8725exeexeexeex.exe	85
PID 4904 wrote to memory of 3572	4904	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe	86
PID 4904 wrote to memory of 3572	4904	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe	86
PID 4904 wrote to memory of 3572	4904	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe	86
PID 4904 wrote to memory of 1036	4904	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe	87
PID 4904 wrote to memory of 1036	4904	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe	87
PID 4904 wrote to memory of 1036	4904	{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe	87
PID 3572 wrote to memory of 1596	3572	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe	91
PID 3572 wrote to memory of 1596	3572	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe	91
PID 3572 wrote to memory of 1596	3572	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe	91
PID 3572 wrote to memory of 456	3572	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe	92
PID 3572 wrote to memory of 456	3572	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe	92
PID 3572 wrote to memory of 456	3572	{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe	92
PID 1596 wrote to memory of 948	1596	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe	93
PID 1596 wrote to memory of 948	1596	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe	93
PID 1596 wrote to memory of 948	1596	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe	93
PID 1596 wrote to memory of 4960	1596	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe	94
PID 1596 wrote to memory of 4960	1596	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe	94
PID 1596 wrote to memory of 4960	1596	{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe	94
PID 948 wrote to memory of 2736	948	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe	95
PID 948 wrote to memory of 2736	948	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe	95
PID 948 wrote to memory of 2736	948	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe	95
PID 948 wrote to memory of 2768	948	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe	96
PID 948 wrote to memory of 2768	948	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe	96
PID 948 wrote to memory of 2768	948	{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe	96
PID 2736 wrote to memory of 4092	2736	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe	97
PID 2736 wrote to memory of 4092	2736	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe	97
PID 2736 wrote to memory of 4092	2736	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe	97
PID 2736 wrote to memory of 1000	2736	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe	98
PID 2736 wrote to memory of 1000	2736	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe	98
PID 2736 wrote to memory of 1000	2736	{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe	98
PID 4092 wrote to memory of 5100	4092	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe	99
PID 4092 wrote to memory of 5100	4092	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe	99
PID 4092 wrote to memory of 5100	4092	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe	99
PID 4092 wrote to memory of 3000	4092	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe	100
PID 4092 wrote to memory of 3000	4092	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe	100
PID 4092 wrote to memory of 3000	4092	{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe	100
PID 5100 wrote to memory of 3952	5100	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe	101
PID 5100 wrote to memory of 3952	5100	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe	101
PID 5100 wrote to memory of 3952	5100	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe	101
PID 5100 wrote to memory of 4768	5100	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe	102
PID 5100 wrote to memory of 4768	5100	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe	102
PID 5100 wrote to memory of 4768	5100	{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe	102
PID 3952 wrote to memory of 1896	3952	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe	103
PID 3952 wrote to memory of 1896	3952	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe	103
PID 3952 wrote to memory of 1896	3952	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe	103
PID 3952 wrote to memory of 4068	3952	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe	104
PID 3952 wrote to memory of 4068	3952	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe	104
PID 3952 wrote to memory of 4068	3952	{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe	104
PID 1896 wrote to memory of 5084	1896	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe	105
PID 1896 wrote to memory of 5084	1896	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe	105
PID 1896 wrote to memory of 5084	1896	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe	105
PID 1896 wrote to memory of 1556	1896	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe	106
PID 1896 wrote to memory of 1556	1896	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe	106
PID 1896 wrote to memory of 1556	1896	{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe	106
PID 5084 wrote to memory of 3368	5084	{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe	107
PID 5084 wrote to memory of 3368	5084	{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe	107
PID 5084 wrote to memory of 3368	5084	{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe	107
PID 5084 wrote to memory of 3264	5084	{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe	108

C:\Users\Admin\AppData\Local\Temp\552147f2fd8725exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\552147f2fd8725exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3140
- C:\Windows\{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe
  C:\Windows\{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe
    C:\Windows\{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Windows\{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe
      C:\Windows\{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1596
    - - C:\Windows\{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe
        
        C:\Windows\{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:948
      - C:\Windows\{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe
        
        C:\Windows\{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe
        
        C:\Windows\{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe
        
        C:\Windows\{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe
        
        C:\Windows\{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe
        
        C:\Windows\{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe
        
        C:\Windows\{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\{29267999-147F-4b24-B709-2B7EE7FEC967}.exe
        
        C:\Windows\{29267999-147F-4b24-B709-2B7EE7FEC967}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3368
        
        C:\Windows\{59AF5BE7-E558-4393-B2AD-908BD97E2600}.exe
        
        C:\Windows\{59AF5BE7-E558-4393-B2AD-908BD97E2600}.exe
        13⤵
        Executes dropped EXE
        
        PID:708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29267~1.EXE > nul
        13⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA800~1.EXE > nul
        12⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8444~1.EXE > nul
        11⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C1B6~1.EXE > nul
        10⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC9B9~1.EXE > nul
        9⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB001~1.EXE > nul
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E95D6~1.EXE > nul
        7⤵
        
        PID:1000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F87C~1.EXE > nul
        6⤵
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57AD7~1.EXE > nul
        5⤵
        
        PID:4960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7F9A0~1.EXE > nul
      4⤵
      PID:456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{479D8~1.EXE > nul
    3⤵
    PID:1036
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\552147~1.EXE > nul
  2⤵
  PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{29267999-147F-4b24-B709-2B7EE7FEC967}.exe

Filesize
408KB

MD5
909aca9d37c62d2751cbf3bd08dddb46

SHA1
12ba1149eec908b5ec61e37e5b630021d78bb926

SHA256
4c89ce86ad6000f7528a43b1d3a5ab14d3e6025b656f27fe49d5e060e4fa62e8

SHA512
8cc9cda19c03599a770f02941a7bc31dbc2cb3d408c4a6312f699a7e62f3ae3624ffab393afcaba5c6091556ff61755faf2bbec7c550f4e85486a95a42221c41

Download Submit
C:\Windows\{29267999-147F-4b24-B709-2B7EE7FEC967}.exe

Filesize
408KB

MD5
909aca9d37c62d2751cbf3bd08dddb46

SHA1
12ba1149eec908b5ec61e37e5b630021d78bb926

SHA256
4c89ce86ad6000f7528a43b1d3a5ab14d3e6025b656f27fe49d5e060e4fa62e8

SHA512
8cc9cda19c03599a770f02941a7bc31dbc2cb3d408c4a6312f699a7e62f3ae3624ffab393afcaba5c6091556ff61755faf2bbec7c550f4e85486a95a42221c41

Download Submit
C:\Windows\{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe

Filesize
408KB

MD5
66750651df984b60198c855ad713337f

SHA1
9448cf827f9fd9aa2b8cbd734b9b2b339b03f863

SHA256
16f8c7f01c1bab96963db24d153b8a2436be4c83b07f2e938f2fc45881c3ccaa

SHA512
574131ae6664131d0fb12b7ca8a93e51cb00211320ce5827084bc316f6e8f0bd1f3d78bd98e3ba801e4b812795916ca7834b5c1e1ba8cfa5a15c58ea7786937d

Download Submit
C:\Windows\{479D833A-7B29-47f3-9684-9D5CBFFABD8A}.exe

Filesize
408KB

MD5
66750651df984b60198c855ad713337f

SHA1
9448cf827f9fd9aa2b8cbd734b9b2b339b03f863

SHA256
16f8c7f01c1bab96963db24d153b8a2436be4c83b07f2e938f2fc45881c3ccaa

SHA512
574131ae6664131d0fb12b7ca8a93e51cb00211320ce5827084bc316f6e8f0bd1f3d78bd98e3ba801e4b812795916ca7834b5c1e1ba8cfa5a15c58ea7786937d

Download Submit
C:\Windows\{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe

Filesize
408KB

MD5
8aa84acdaaaae0135fcf01eca3a2f27c

SHA1
c1d18b1a9628571bdc741b415a6405d506c23e49

SHA256
5380d50aa39b87d016763f1674946cd889b14db3bdc1f8fc4aa86fe74e727e9b

SHA512
64c21689af32e0b8912c04696c2cabf6876ebefad8e8b27c8aaa275ead7f5b674b4d1d20802602e790d7927129be9e008e4540a50b0388aaa8b6c86dbc44e069

Download Submit
C:\Windows\{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe

Filesize
408KB

MD5
8aa84acdaaaae0135fcf01eca3a2f27c

SHA1
c1d18b1a9628571bdc741b415a6405d506c23e49

SHA256
5380d50aa39b87d016763f1674946cd889b14db3bdc1f8fc4aa86fe74e727e9b

SHA512
64c21689af32e0b8912c04696c2cabf6876ebefad8e8b27c8aaa275ead7f5b674b4d1d20802602e790d7927129be9e008e4540a50b0388aaa8b6c86dbc44e069

Download Submit
C:\Windows\{57AD7B0F-CAC1-40c7-9A41-1B8B524E8848}.exe

Filesize
408KB

MD5
8aa84acdaaaae0135fcf01eca3a2f27c

SHA1
c1d18b1a9628571bdc741b415a6405d506c23e49

SHA256
5380d50aa39b87d016763f1674946cd889b14db3bdc1f8fc4aa86fe74e727e9b

SHA512
64c21689af32e0b8912c04696c2cabf6876ebefad8e8b27c8aaa275ead7f5b674b4d1d20802602e790d7927129be9e008e4540a50b0388aaa8b6c86dbc44e069

Download Submit
C:\Windows\{59AF5BE7-E558-4393-B2AD-908BD97E2600}.exe

Filesize
408KB

MD5
32f35f1bdb4cf91d07d80b84db0290c9

SHA1
c6ccc15a1abf6d6d256faa25191a4c117b385080

SHA256
683b844e15ba681fa46d420ae52cf283d097116e90baca739d2913e945d1b0e0

SHA512
b51d96b7a4dc77d98a9d1f1f6763ccbeb304aa768225a5d980e6c1fe7b51edad26aaa5b90b086296a9bfcb0d3c10dbed4a29a8c12484715c265684db1573f1cb

Download Submit
C:\Windows\{59AF5BE7-E558-4393-B2AD-908BD97E2600}.exe

Filesize
408KB

MD5
32f35f1bdb4cf91d07d80b84db0290c9

SHA1
c6ccc15a1abf6d6d256faa25191a4c117b385080

SHA256
683b844e15ba681fa46d420ae52cf283d097116e90baca739d2913e945d1b0e0

SHA512
b51d96b7a4dc77d98a9d1f1f6763ccbeb304aa768225a5d980e6c1fe7b51edad26aaa5b90b086296a9bfcb0d3c10dbed4a29a8c12484715c265684db1573f1cb

Download Submit
C:\Windows\{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe

Filesize
408KB

MD5
84b61e74b098e828250bcde898285352

SHA1
f33871abaea255145accca9cf65b9129dd1e696c

SHA256
db4ccfcf453b51fd3100f55c0df3eb304151ecd6a5199ac9f5418bf37beed4e6

SHA512
e117bf11a8d5c7d59807f694444607e2fdd1d5791972f47034078d4eca14c08419fadb6af9c0da360c822f0643da684e22f2cb85aaf737adfc36b91f9c06bea7

Download Submit
C:\Windows\{6F87C3F6-463D-416d-B39D-18BF7A708178}.exe

Filesize
408KB

MD5
84b61e74b098e828250bcde898285352

SHA1
f33871abaea255145accca9cf65b9129dd1e696c

SHA256
db4ccfcf453b51fd3100f55c0df3eb304151ecd6a5199ac9f5418bf37beed4e6

SHA512
e117bf11a8d5c7d59807f694444607e2fdd1d5791972f47034078d4eca14c08419fadb6af9c0da360c822f0643da684e22f2cb85aaf737adfc36b91f9c06bea7

Download Submit
C:\Windows\{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe

Filesize
408KB

MD5
67fe87f463382f4d11d95e050ae85990

SHA1
e61b30b78b7ebe3d11f17a65908d97a6a12a8975

SHA256
1a0de7084f6536015bab42873133584bf5726715bb65dc13b7d11a11be4082f5

SHA512
5b13d4d101ee7bdbcf053b226b50d2075b06a1b272a7f6620789e23bd4a3e2d3e46637003df3546f08d639151e7f766cd6e5b5606e6f04926f5f98fbb6edce51

Download Submit
C:\Windows\{7F9A06DC-625B-468a-BE8F-EA73C403D7FA}.exe

Filesize
408KB

MD5
67fe87f463382f4d11d95e050ae85990

SHA1
e61b30b78b7ebe3d11f17a65908d97a6a12a8975

SHA256
1a0de7084f6536015bab42873133584bf5726715bb65dc13b7d11a11be4082f5

SHA512
5b13d4d101ee7bdbcf053b226b50d2075b06a1b272a7f6620789e23bd4a3e2d3e46637003df3546f08d639151e7f766cd6e5b5606e6f04926f5f98fbb6edce51

Download Submit
C:\Windows\{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe

Filesize
408KB

MD5
31707d2cac9c47cc5d4ca90a8b88eb69

SHA1
66a3bcff172008cd769d2269c0f0b8a9b987a748

SHA256
e9626e96952542c743fb516655bb2a7353a14033cdc28956567a490ab8d6f276

SHA512
17cdceaa7fc79303b8d3d473c07abd4f2eed30c90f111cb20d00ab17c2afa7461c9ed57584fee3970273c47af4cb45154b00a52fbc102a4d19145e3bc7a0eb34

Download Submit
C:\Windows\{9C1B6CEF-8074-4c9c-9C67-0EACE45872C4}.exe

Filesize
408KB

MD5
31707d2cac9c47cc5d4ca90a8b88eb69

SHA1
66a3bcff172008cd769d2269c0f0b8a9b987a748

SHA256
e9626e96952542c743fb516655bb2a7353a14033cdc28956567a490ab8d6f276

SHA512
17cdceaa7fc79303b8d3d473c07abd4f2eed30c90f111cb20d00ab17c2afa7461c9ed57584fee3970273c47af4cb45154b00a52fbc102a4d19145e3bc7a0eb34

Download Submit
C:\Windows\{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe

Filesize
408KB

MD5
fb74d3d3f36fedfb619b67bad80940fd

SHA1
019684325cd6561b7814487233fc9c06cbc706a6

SHA256
65e11c8c95e9f404529c44cabe583a39f65393c70cb46f9123eb704ca869e489

SHA512
a97946aaf264e53f751f038553fc13f2c39c5f1b914cebc60c523cfc219b56c26b7fb57dcd63fe027c7983c3bc498a0c98f514739732bd41a358fe71728893e5

Download Submit
C:\Windows\{AA8004A3-775C-423c-BACA-DACB2FCECF4A}.exe

Filesize
408KB

MD5
fb74d3d3f36fedfb619b67bad80940fd

SHA1
019684325cd6561b7814487233fc9c06cbc706a6

SHA256
65e11c8c95e9f404529c44cabe583a39f65393c70cb46f9123eb704ca869e489

SHA512
a97946aaf264e53f751f038553fc13f2c39c5f1b914cebc60c523cfc219b56c26b7fb57dcd63fe027c7983c3bc498a0c98f514739732bd41a358fe71728893e5

Download Submit
C:\Windows\{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe

Filesize
408KB

MD5
63ae51bbf7583bac4f859da772da44c9

SHA1
5b1868e6f30af9286e4c6dc979e1545c025e12ca

SHA256
d93483a8e09040ccddd2e3e4488c35239beaa04fcc55018989c2475b3a7b6b87

SHA512
a28ade5df5a1ff0250043b2abf691bb43616e3480c0f120fe68b05037452a26d9176162db68b3c1832c252dafd703a7a4273fada5498ec29d831625db09facca

Download Submit
C:\Windows\{BB001DE8-117C-46a1-8038-CC4C7BA0C638}.exe

Filesize
408KB

MD5
63ae51bbf7583bac4f859da772da44c9

SHA1
5b1868e6f30af9286e4c6dc979e1545c025e12ca

SHA256
d93483a8e09040ccddd2e3e4488c35239beaa04fcc55018989c2475b3a7b6b87

SHA512
a28ade5df5a1ff0250043b2abf691bb43616e3480c0f120fe68b05037452a26d9176162db68b3c1832c252dafd703a7a4273fada5498ec29d831625db09facca

Download Submit
C:\Windows\{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe

Filesize
408KB

MD5
c6bb4a760d1945cd2ffe52b7b51f5037

SHA1
32f1f51caa9203411bf069e51ae393264b5667e1

SHA256
a9ee5cc711f360ec10a43d39b8ded1e730b4be585fbeed552059e36dcfe07b1d

SHA512
4bc4349d3cf971d5850272cc3f4a9df653919d053547101be89c9491725b1d1b4ae63f9d85e848c280c8a8fb6b6b86c4f8dc7713f513a006e72e47c31a50bca3

Download Submit
C:\Windows\{E95D6D8A-CA8B-41b1-9E6D-8F75EB446203}.exe

Filesize
408KB

MD5
c6bb4a760d1945cd2ffe52b7b51f5037

SHA1
32f1f51caa9203411bf069e51ae393264b5667e1

SHA256
a9ee5cc711f360ec10a43d39b8ded1e730b4be585fbeed552059e36dcfe07b1d

SHA512
4bc4349d3cf971d5850272cc3f4a9df653919d053547101be89c9491725b1d1b4ae63f9d85e848c280c8a8fb6b6b86c4f8dc7713f513a006e72e47c31a50bca3

Download Submit
C:\Windows\{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe

Filesize
408KB

MD5
dc267bbe1aa9bd995f1f794cc4a5f18b

SHA1
9756265ffd2f70b8d46c39ce84238b3002dd4e96

SHA256
50ea298212c7511bb5d772f3a4acb9057c5f587b352cc3976ea629960f5524ea

SHA512
13b62ddef70de79ad0e358dbc5ccfeb7eabce585e6e4e9c7b73f8ab0dbc527f26fec5a107c199781e897d69538dc609853f65be3f41ec8a641183895253521ea

Download Submit
C:\Windows\{EC9B9052-6798-4bbc-8CE1-7E2C4838762E}.exe

Filesize
408KB

MD5
dc267bbe1aa9bd995f1f794cc4a5f18b

SHA1
9756265ffd2f70b8d46c39ce84238b3002dd4e96

SHA256
50ea298212c7511bb5d772f3a4acb9057c5f587b352cc3976ea629960f5524ea

SHA512
13b62ddef70de79ad0e358dbc5ccfeb7eabce585e6e4e9c7b73f8ab0dbc527f26fec5a107c199781e897d69538dc609853f65be3f41ec8a641183895253521ea

Download Submit
C:\Windows\{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe

Filesize
408KB

MD5
2238a7ece27b8f5a596660ebc97414de

SHA1
610ac9dc003398b7ea8865259454312e2521d37e

SHA256
db79cccda8750751d68ba1b9a06a20b4eddfba7d008aa26fcf04900fa0b21e77

SHA512
f21acfc7d59a0c5e674158e3ed02305e62dc36fcd1cb54bbfbb3ce1db5b8f8060b42b73ac27eea9d1b7c65931afdf5edf35ac42d1bee35360b73d09c77224e95

Download Submit
C:\Windows\{F84446CC-F023-4aa9-BE33-BCB3F720994D}.exe

Filesize
408KB

MD5
2238a7ece27b8f5a596660ebc97414de

SHA1
610ac9dc003398b7ea8865259454312e2521d37e

SHA256
db79cccda8750751d68ba1b9a06a20b4eddfba7d008aa26fcf04900fa0b21e77

SHA512
f21acfc7d59a0c5e674158e3ed02305e62dc36fcd1cb54bbfbb3ce1db5b8f8060b42b73ac27eea9d1b7c65931afdf5edf35ac42d1bee35360b73d09c77224e95

Download Submit