c5429ea53126a30e8a5a44963460e488f7e1e0138dde1523f893ed4b8f2c5eaa

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 11:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75d301e7b8651fexeexeexeex.exe
Size

168KB
MD5

75d301e7b8651f382cd435881869e0e2
SHA1

49a7b112ed3533776246d16b0108c1ec9f7980e4
SHA256

c5429ea53126a30e8a5a44963460e488f7e1e0138dde1523f893ed4b8f2c5eaa
SHA512

e26c65c4aace5c3a8164968f4affc13454ad84005e7b53d492437902ecc15d80540467c455c4e5bf07f3cca72d5df57024a6c0357aadef8882a28f45372de52a
SSDEEP

1536:1EGh0oulq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oulqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BB49531-4DAD-4895-A05E-88AB1228550C}\stubpath = "C:\\Windows\\{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe"	75d301e7b8651fexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A10EDBFA-CA46-418c-954B-F397B8C86225}	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9173D51-523B-45ff-AC98-A58AD6968394}	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}\stubpath = "C:\\Windows\\{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe"	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19395242-CD15-4866-B00B-668E4BDE7135}\stubpath = "C:\\Windows\\{19395242-CD15-4866-B00B-668E4BDE7135}.exe"	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}\stubpath = "C:\\Windows\\{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe"	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C17FA51-033F-41b6-99FD-00FAE3C5E176}\stubpath = "C:\\Windows\\{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe"	{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39F74FC8-62E2-46a7-95C6-121A3EDC1D89}\stubpath = "C:\\Windows\\{39F74FC8-62E2-46a7-95C6-121A3EDC1D89}.exe"	{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BB49531-4DAD-4895-A05E-88AB1228550C}	75d301e7b8651fexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D47392C-9B64-4e17-8D34-B8D4237B7589}	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A10EDBFA-CA46-418c-954B-F397B8C86225}\stubpath = "C:\\Windows\\{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe"	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19395242-CD15-4866-B00B-668E4BDE7135}	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7289F45D-8A80-4096-91FF-96031FB3BEEC}\stubpath = "C:\\Windows\\{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe"	{19395242-CD15-4866-B00B-668E4BDE7135}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C17FA51-033F-41b6-99FD-00FAE3C5E176}	{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}\stubpath = "C:\\Windows\\{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe"	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D47392C-9B64-4e17-8D34-B8D4237B7589}\stubpath = "C:\\Windows\\{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe"	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7289F45D-8A80-4096-91FF-96031FB3BEEC}	{19395242-CD15-4866-B00B-668E4BDE7135}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9173D51-523B-45ff-AC98-A58AD6968394}\stubpath = "C:\\Windows\\{F9173D51-523B-45ff-AC98-A58AD6968394}.exe"	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{325F98B5-EE43-4f02-AD20-995ECF212C1A}	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{325F98B5-EE43-4f02-AD20-995ECF212C1A}\stubpath = "C:\\Windows\\{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe"	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39F74FC8-62E2-46a7-95C6-121A3EDC1D89}	{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe

Executes dropped EXE 12 IoCs

pid	Process
4660	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe
4752	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe
4060	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe
2428	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe
3432	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe
1152	{19395242-CD15-4866-B00B-668E4BDE7135}.exe
1712	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe
220	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe
2312	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe
4932	{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe
3196	{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe
1780	{39F74FC8-62E2-46a7-95C6-121A3EDC1D89}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe
File created	C:\Windows\{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe	{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe
File created	C:\Windows\{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe	75d301e7b8651fexeexeexeex.exe
File created	C:\Windows\{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe
File created	C:\Windows\{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe
File created	C:\Windows\{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe
File created	C:\Windows\{F9173D51-523B-45ff-AC98-A58AD6968394}.exe	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe
File created	C:\Windows\{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe
File created	C:\Windows\{19395242-CD15-4866-B00B-668E4BDE7135}.exe	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe
File created	C:\Windows\{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe	{19395242-CD15-4866-B00B-668E4BDE7135}.exe
File created	C:\Windows\{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe
File created	C:\Windows\{39F74FC8-62E2-46a7-95C6-121A3EDC1D89}.exe	{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	696	75d301e7b8651fexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4660	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe
Token: SeIncBasePriorityPrivilege	4752	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe
Token: SeIncBasePriorityPrivilege	4060	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe
Token: SeIncBasePriorityPrivilege	2428	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe
Token: SeIncBasePriorityPrivilege	3432	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe
Token: SeIncBasePriorityPrivilege	1152	{19395242-CD15-4866-B00B-668E4BDE7135}.exe
Token: SeIncBasePriorityPrivilege	1712	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe
Token: SeIncBasePriorityPrivilege	220	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe
Token: SeIncBasePriorityPrivilege	2312	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe
Token: SeIncBasePriorityPrivilege	4932	{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe
Token: SeIncBasePriorityPrivilege	3196	{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 696 wrote to memory of 4660	696	75d301e7b8651fexeexeexeex.exe	85
PID 696 wrote to memory of 4660	696	75d301e7b8651fexeexeexeex.exe	85
PID 696 wrote to memory of 4660	696	75d301e7b8651fexeexeexeex.exe	85
PID 696 wrote to memory of 2380	696	75d301e7b8651fexeexeexeex.exe	86
PID 696 wrote to memory of 2380	696	75d301e7b8651fexeexeexeex.exe	86
PID 696 wrote to memory of 2380	696	75d301e7b8651fexeexeexeex.exe	86
PID 4660 wrote to memory of 4752	4660	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe	87
PID 4660 wrote to memory of 4752	4660	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe	87
PID 4660 wrote to memory of 4752	4660	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe	87
PID 4660 wrote to memory of 1648	4660	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe	88
PID 4660 wrote to memory of 1648	4660	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe	88
PID 4660 wrote to memory of 1648	4660	{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe	88
PID 4752 wrote to memory of 4060	4752	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe	93
PID 4752 wrote to memory of 4060	4752	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe	93
PID 4752 wrote to memory of 4060	4752	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe	93
PID 4752 wrote to memory of 4972	4752	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe	92
PID 4752 wrote to memory of 4972	4752	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe	92
PID 4752 wrote to memory of 4972	4752	{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe	92
PID 4060 wrote to memory of 2428	4060	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe	94
PID 4060 wrote to memory of 2428	4060	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe	94
PID 4060 wrote to memory of 2428	4060	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe	94
PID 4060 wrote to memory of 1524	4060	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe	95
PID 4060 wrote to memory of 1524	4060	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe	95
PID 4060 wrote to memory of 1524	4060	{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe	95
PID 2428 wrote to memory of 3432	2428	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe	96
PID 2428 wrote to memory of 3432	2428	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe	96
PID 2428 wrote to memory of 3432	2428	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe	96
PID 2428 wrote to memory of 884	2428	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe	97
PID 2428 wrote to memory of 884	2428	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe	97
PID 2428 wrote to memory of 884	2428	{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe	97
PID 3432 wrote to memory of 1152	3432	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe	98
PID 3432 wrote to memory of 1152	3432	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe	98
PID 3432 wrote to memory of 1152	3432	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe	98
PID 3432 wrote to memory of 3212	3432	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe	99
PID 3432 wrote to memory of 3212	3432	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe	99
PID 3432 wrote to memory of 3212	3432	{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe	99
PID 1152 wrote to memory of 1712	1152	{19395242-CD15-4866-B00B-668E4BDE7135}.exe	100
PID 1152 wrote to memory of 1712	1152	{19395242-CD15-4866-B00B-668E4BDE7135}.exe	100
PID 1152 wrote to memory of 1712	1152	{19395242-CD15-4866-B00B-668E4BDE7135}.exe	100
PID 1152 wrote to memory of 3052	1152	{19395242-CD15-4866-B00B-668E4BDE7135}.exe	101
PID 1152 wrote to memory of 3052	1152	{19395242-CD15-4866-B00B-668E4BDE7135}.exe	101
PID 1152 wrote to memory of 3052	1152	{19395242-CD15-4866-B00B-668E4BDE7135}.exe	101
PID 1712 wrote to memory of 220	1712	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe	102
PID 1712 wrote to memory of 220	1712	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe	102
PID 1712 wrote to memory of 220	1712	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe	102
PID 1712 wrote to memory of 1444	1712	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe	103
PID 1712 wrote to memory of 1444	1712	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe	103
PID 1712 wrote to memory of 1444	1712	{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe	103
PID 220 wrote to memory of 2312	220	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe	104
PID 220 wrote to memory of 2312	220	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe	104
PID 220 wrote to memory of 2312	220	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe	104
PID 220 wrote to memory of 892	220	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe	105
PID 220 wrote to memory of 892	220	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe	105
PID 220 wrote to memory of 892	220	{F9173D51-523B-45ff-AC98-A58AD6968394}.exe	105
PID 2312 wrote to memory of 4932	2312	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe	106
PID 2312 wrote to memory of 4932	2312	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe	106
PID 2312 wrote to memory of 4932	2312	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe	106
PID 2312 wrote to memory of 1992	2312	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe	107
PID 2312 wrote to memory of 1992	2312	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe	107
PID 2312 wrote to memory of 1992	2312	{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe	107
PID 4932 wrote to memory of 3196	4932	{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe	108
PID 4932 wrote to memory of 3196	4932	{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe	108
PID 4932 wrote to memory of 3196	4932	{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe	108
PID 4932 wrote to memory of 5016	4932	{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe	109

C:\Users\Admin\AppData\Local\Temp\75d301e7b8651fexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\75d301e7b8651fexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:696
- C:\Windows\{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe
  C:\Windows\{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4660
- - C:\Windows\{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe
    C:\Windows\{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4752
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D4F~1.EXE > nul
      4⤵
      PID:4972
  - - C:\Windows\{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe
      C:\Windows\{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Windows\{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe
        
        C:\Windows\{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe
        
        C:\Windows\{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3432
        
        C:\Windows\{19395242-CD15-4866-B00B-668E4BDE7135}.exe
        
        C:\Windows\{19395242-CD15-4866-B00B-668E4BDE7135}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe
        
        C:\Windows\{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{F9173D51-523B-45ff-AC98-A58AD6968394}.exe
        
        C:\Windows\{F9173D51-523B-45ff-AC98-A58AD6968394}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:220
        
        C:\Windows\{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe
        
        C:\Windows\{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe
        
        C:\Windows\{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe
        
        C:\Windows\{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3196
        
        C:\Windows\{39F74FC8-62E2-46a7-95C6-121A3EDC1D89}.exe
        
        C:\Windows\{39F74FC8-62E2-46a7-95C6-121A3EDC1D89}.exe
        13⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C17F~1.EXE > nul
        13⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60CCF~1.EXE > nul
        12⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{325F9~1.EXE > nul
        11⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9173~1.EXE > nul
        10⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7289F~1.EXE > nul
        9⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19395~1.EXE > nul
        8⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A10ED~1.EXE > nul
        7⤵
        
        PID:3212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D473~1.EXE > nul
        6⤵
        
        PID:884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEF8C~1.EXE > nul
        5⤵
        
        PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1BB49~1.EXE > nul
    3⤵
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\75D301~1.EXE > nul
  2⤵
  PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19395242-CD15-4866-B00B-668E4BDE7135}.exe

Filesize
168KB

MD5
bbafa3d6954e6d1a70ba821103725c88

SHA1
7896b0d59e59288ca61495bd50a231e2be1aa0d0

SHA256
23174d56eea02452d43b82f3ad7b3bd497279ec3c14a0cd01ae95146048fcb4e

SHA512
d65ded737ac71edfa51f6f770c2ab26611bb20e59fd8937fa5dbe9d5952ff2330b241400d32d2b00b05c51e6f2c715ee807ba3ac7220051cd957ba806c279833

Download Submit
C:\Windows\{19395242-CD15-4866-B00B-668E4BDE7135}.exe

Filesize
168KB

MD5
bbafa3d6954e6d1a70ba821103725c88

SHA1
7896b0d59e59288ca61495bd50a231e2be1aa0d0

SHA256
23174d56eea02452d43b82f3ad7b3bd497279ec3c14a0cd01ae95146048fcb4e

SHA512
d65ded737ac71edfa51f6f770c2ab26611bb20e59fd8937fa5dbe9d5952ff2330b241400d32d2b00b05c51e6f2c715ee807ba3ac7220051cd957ba806c279833

Download Submit
C:\Windows\{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe

Filesize
168KB

MD5
9126422cab91d4a00e3aa997118dc0e8

SHA1
ccf6a60573610ecaebe66b1b80f017d86182ad04

SHA256
36e3dafaeb9ba0f3402ff2f9492c70d404512c26954a673c2560dc4b2c796570

SHA512
3ac49042b3fdbbcda7414ca38906d447f7472ba2fc91c4d22a58eaf012c30c249e5942cc0b3a1dc12e1ff95ea1ef457e05ec1a174fd7a6ce5ce342adc7674693

Download Submit
C:\Windows\{1BB49531-4DAD-4895-A05E-88AB1228550C}.exe

Filesize
168KB

MD5
9126422cab91d4a00e3aa997118dc0e8

SHA1
ccf6a60573610ecaebe66b1b80f017d86182ad04

SHA256
36e3dafaeb9ba0f3402ff2f9492c70d404512c26954a673c2560dc4b2c796570

SHA512
3ac49042b3fdbbcda7414ca38906d447f7472ba2fc91c4d22a58eaf012c30c249e5942cc0b3a1dc12e1ff95ea1ef457e05ec1a174fd7a6ce5ce342adc7674693

Download Submit
C:\Windows\{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe

Filesize
168KB

MD5
86f744180d64ceda3fd98f71966db462

SHA1
8620ad96cf17a836f66269768c3cfb7403fab898

SHA256
fd2f0a5131adce9e21f5ec75e0dc235ab61466ab00c861efb447b298481ccf41

SHA512
ad922cde56085f554abd5faff0b1ea5f38cf9a288a4a241d6515bb6cc2550f30db89d65b3b5b3679b9326124680e964f85b0b138275d9ba35d82f64c32d96b89

Download Submit
C:\Windows\{325F98B5-EE43-4f02-AD20-995ECF212C1A}.exe

Filesize
168KB

MD5
86f744180d64ceda3fd98f71966db462

SHA1
8620ad96cf17a836f66269768c3cfb7403fab898

SHA256
fd2f0a5131adce9e21f5ec75e0dc235ab61466ab00c861efb447b298481ccf41

SHA512
ad922cde56085f554abd5faff0b1ea5f38cf9a288a4a241d6515bb6cc2550f30db89d65b3b5b3679b9326124680e964f85b0b138275d9ba35d82f64c32d96b89

Download Submit
C:\Windows\{39F74FC8-62E2-46a7-95C6-121A3EDC1D89}.exe

Filesize
168KB

MD5
bf709901d97e914d47ed53dd29b7fa86

SHA1
fd3c1839230b9990eecb6f2744fcbb29d3341bf2

SHA256
2ca671a03f5d96539e0f45c114937a8bf2b49bb656fcfae87ac0d6456f1e513e

SHA512
fc7853a817d947dea3af5f2a7559a6bb399338e9155c2ad1929a2987fd84ec3cbba96bd1dcea972dba6b518e90b20483aea603a138d80fcdd06f275f264f0f6f

Download Submit
C:\Windows\{39F74FC8-62E2-46a7-95C6-121A3EDC1D89}.exe

Filesize
168KB

MD5
bf709901d97e914d47ed53dd29b7fa86

SHA1
fd3c1839230b9990eecb6f2744fcbb29d3341bf2

SHA256
2ca671a03f5d96539e0f45c114937a8bf2b49bb656fcfae87ac0d6456f1e513e

SHA512
fc7853a817d947dea3af5f2a7559a6bb399338e9155c2ad1929a2987fd84ec3cbba96bd1dcea972dba6b518e90b20483aea603a138d80fcdd06f275f264f0f6f

Download Submit
C:\Windows\{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe

Filesize
168KB

MD5
872905c9496fca2de63a295d8cea6958

SHA1
bf668eba97f51731ff21f09cea811bbef6b47b34

SHA256
375c3061e0b276789c3a322fe22f26b8dd82dd762854318d555e78053bc398fb

SHA512
4b0e6ee42d28e97e37dce5d5887c9697b539ec5d548895afa6597c14de72eae08a2f322679cdca3e904d7ccffce823423d36479179be3fc66172a91c7b33391d

Download Submit
C:\Windows\{5C17FA51-033F-41b6-99FD-00FAE3C5E176}.exe

Filesize
168KB

MD5
872905c9496fca2de63a295d8cea6958

SHA1
bf668eba97f51731ff21f09cea811bbef6b47b34

SHA256
375c3061e0b276789c3a322fe22f26b8dd82dd762854318d555e78053bc398fb

SHA512
4b0e6ee42d28e97e37dce5d5887c9697b539ec5d548895afa6597c14de72eae08a2f322679cdca3e904d7ccffce823423d36479179be3fc66172a91c7b33391d

Download Submit
C:\Windows\{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe

Filesize
168KB

MD5
353e05c4e38b52707a3e45d9744e621c

SHA1
785655ec6b8555d58cd10573b558a4ed2e393c77

SHA256
0bb4aae3a0d3840f8ec5d2d26b2606075e06ac579752dedc82de38620c963e84

SHA512
e7f069bab9c1d2c2dbca326ee6145d3b829252f4848211f63f4a2cea8388c69199e94e78a5fdad8a611a05638cb5782b2e1da4d728825eb476b5cf0fd1fb8b1a

Download Submit
C:\Windows\{60CCF405-7BE8-4a4a-8F7C-E5104225C1BA}.exe

Filesize
168KB

MD5
353e05c4e38b52707a3e45d9744e621c

SHA1
785655ec6b8555d58cd10573b558a4ed2e393c77

SHA256
0bb4aae3a0d3840f8ec5d2d26b2606075e06ac579752dedc82de38620c963e84

SHA512
e7f069bab9c1d2c2dbca326ee6145d3b829252f4848211f63f4a2cea8388c69199e94e78a5fdad8a611a05638cb5782b2e1da4d728825eb476b5cf0fd1fb8b1a

Download Submit
C:\Windows\{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe

Filesize
168KB

MD5
7e3cdc3f9486df806853583509d8550a

SHA1
469f8b359c37653c60009ea17b465087df75db5e

SHA256
286ec5d65aab4b975632348b28f4ed1b7cfd7aca511318b7e36aef2ee4150216

SHA512
2d2d2bdc8d77d35007d13b7453bd5923f2c319098befd6c30b98a92af0cbb441afa69293b488ba32b5805b74829385dc7055e11a5dc5d7c33f33a5323aea0214

Download Submit
C:\Windows\{7289F45D-8A80-4096-91FF-96031FB3BEEC}.exe

Filesize
168KB

MD5
7e3cdc3f9486df806853583509d8550a

SHA1
469f8b359c37653c60009ea17b465087df75db5e

SHA256
286ec5d65aab4b975632348b28f4ed1b7cfd7aca511318b7e36aef2ee4150216

SHA512
2d2d2bdc8d77d35007d13b7453bd5923f2c319098befd6c30b98a92af0cbb441afa69293b488ba32b5805b74829385dc7055e11a5dc5d7c33f33a5323aea0214

Download Submit
C:\Windows\{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe

Filesize
168KB

MD5
539cbfdb10837b69ec693a11bf00cafd

SHA1
1c37538406690ae14f0770dcd64378788ff8edb1

SHA256
7cb3fe750d3a152217f3798f3921579adf037e220d494d90a1dec9a6e585d7fd

SHA512
8181f9e1645cf25ae163a36337a1a7268adb8c2f66993e163c7278810f237cb7d91f345feaaeaa4a1d5388c0e8302cc76c5fbb2b53d71580b3d3cf7834e5b2c9

Download Submit
C:\Windows\{7D47392C-9B64-4e17-8D34-B8D4237B7589}.exe

Filesize
168KB

MD5
539cbfdb10837b69ec693a11bf00cafd

SHA1
1c37538406690ae14f0770dcd64378788ff8edb1

SHA256
7cb3fe750d3a152217f3798f3921579adf037e220d494d90a1dec9a6e585d7fd

SHA512
8181f9e1645cf25ae163a36337a1a7268adb8c2f66993e163c7278810f237cb7d91f345feaaeaa4a1d5388c0e8302cc76c5fbb2b53d71580b3d3cf7834e5b2c9

Download Submit
C:\Windows\{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe

Filesize
168KB

MD5
93a9c0e3bd7d80cf5dbe4ce7a7e79e01

SHA1
da541a146ce750542548f8b882b7eadca48e2b1e

SHA256
84f5427567a80f5402d3445f2908dbdd90786229c27f924e8f5e05ce388204f5

SHA512
e38f6f02d1bd0af6b25ab2e256a3ab1605f3a80932a755d7603078c1f1d971a4ab04808d1bed45bef33af599f53742fb8c28f266503005063d33c810562ef12f

Download Submit
C:\Windows\{A10EDBFA-CA46-418c-954B-F397B8C86225}.exe

Filesize
168KB

MD5
93a9c0e3bd7d80cf5dbe4ce7a7e79e01

SHA1
da541a146ce750542548f8b882b7eadca48e2b1e

SHA256
84f5427567a80f5402d3445f2908dbdd90786229c27f924e8f5e05ce388204f5

SHA512
e38f6f02d1bd0af6b25ab2e256a3ab1605f3a80932a755d7603078c1f1d971a4ab04808d1bed45bef33af599f53742fb8c28f266503005063d33c810562ef12f

Download Submit
C:\Windows\{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe

Filesize
168KB

MD5
59d6ca642b9151b6de4d853aed0d4688

SHA1
796c095eba1721e8050505316b1270320863d056

SHA256
0d7f3d666d646a2c616d134225c82f7fcf943df918a2a78a0d043457178883cb

SHA512
375a773ee3d5dded6295853a27b6aedbc41b1d60ae866b06f847a50e202c599e8135d98da6f66fb66943bb495ea19efe4d5d1d2e2003e9a4a144a208da70367f

Download Submit
C:\Windows\{C2D4F4E7-CF3F-4fc0-9CF5-82B445DD52BC}.exe

Filesize
168KB

MD5
59d6ca642b9151b6de4d853aed0d4688

SHA1
796c095eba1721e8050505316b1270320863d056

SHA256
0d7f3d666d646a2c616d134225c82f7fcf943df918a2a78a0d043457178883cb

SHA512
375a773ee3d5dded6295853a27b6aedbc41b1d60ae866b06f847a50e202c599e8135d98da6f66fb66943bb495ea19efe4d5d1d2e2003e9a4a144a208da70367f

Download Submit
C:\Windows\{F9173D51-523B-45ff-AC98-A58AD6968394}.exe

Filesize
168KB

MD5
05be2fbb515690cc3666e2a442f31101

SHA1
863ec71f64ad8839d908f5f4be19d6854eb79138

SHA256
34ae47629ea865d5fa183c431333c60515eaa579a77526f2ddd3a033a44a6e63

SHA512
e47610719f80f86180a5a51d388f5d35daa77b9a42459a6d6b7911e37ffdefa79ff9dba67058e51f730898dc54422f856ce11d1e8328d0c4eb04e5faa55fd420

Download Submit
C:\Windows\{F9173D51-523B-45ff-AC98-A58AD6968394}.exe

Filesize
168KB

MD5
05be2fbb515690cc3666e2a442f31101

SHA1
863ec71f64ad8839d908f5f4be19d6854eb79138

SHA256
34ae47629ea865d5fa183c431333c60515eaa579a77526f2ddd3a033a44a6e63

SHA512
e47610719f80f86180a5a51d388f5d35daa77b9a42459a6d6b7911e37ffdefa79ff9dba67058e51f730898dc54422f856ce11d1e8328d0c4eb04e5faa55fd420

Download Submit
C:\Windows\{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe

Filesize
168KB

MD5
a4daab163b106cff0b9540d305776723

SHA1
5c2b0078cc9343d186b72dfec9549353600a0024

SHA256
b7db9ccb3e7bd0a6a1e0fa7aafa73113d85fe841f06a5cea19f0acd03d3f144a

SHA512
8b952191876faa7cfa1a941d6d32af638521de7b9059a1e9e76f0aa25091704964e67f6c79a2b1cfe1115a42798385633ac7944bfdcd97fabf6a28325bd69d1a

Download Submit
C:\Windows\{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe

Filesize
168KB

MD5
a4daab163b106cff0b9540d305776723

SHA1
5c2b0078cc9343d186b72dfec9549353600a0024

SHA256
b7db9ccb3e7bd0a6a1e0fa7aafa73113d85fe841f06a5cea19f0acd03d3f144a

SHA512
8b952191876faa7cfa1a941d6d32af638521de7b9059a1e9e76f0aa25091704964e67f6c79a2b1cfe1115a42798385633ac7944bfdcd97fabf6a28325bd69d1a

Download Submit
C:\Windows\{FEF8C3C1-BAFC-47ea-87CE-979B2EEC087C}.exe

Filesize
168KB

MD5
a4daab163b106cff0b9540d305776723

SHA1
5c2b0078cc9343d186b72dfec9549353600a0024

SHA256
b7db9ccb3e7bd0a6a1e0fa7aafa73113d85fe841f06a5cea19f0acd03d3f144a

SHA512
8b952191876faa7cfa1a941d6d32af638521de7b9059a1e9e76f0aa25091704964e67f6c79a2b1cfe1115a42798385633ac7944bfdcd97fabf6a28325bd69d1a

Download Submit