88e91fbe52ddf17199c5d96773552b73711e597189dcbbf584811fc0cfb8e74c

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 11:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

769a755cf3a6f6exeexeexeex.exe
Size

372KB
MD5

769a755cf3a6f689dfed65ab42820f95
SHA1

a92546b9829091c40ea7bc014446f5ec9459ca70
SHA256

88e91fbe52ddf17199c5d96773552b73711e597189dcbbf584811fc0cfb8e74c
SHA512

90b883fc3d4f88714e853a24e65a63256da5cee4fab2721642f05dfa85bd55d0f5fd5f124ba39f342bcc6f00d336c5c5ec4d2fb53a82cf0715dbcc6df6655a18
SSDEEP

3072:CEGh0o/mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG4l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}\stubpath = "C:\\Windows\\{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe"	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8745F6B-BF53-418e-ABC2-31676AF58B73}	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4808D8FB-62C1-4c97-85B6-3D5AD52DA221}	{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}\stubpath = "C:\\Windows\\{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe"	769a755cf3a6f6exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}\stubpath = "C:\\Windows\\{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe"	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C67676B0-F17E-4da9-B54D-15A91770C45C}\stubpath = "C:\\Windows\\{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe"	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8745F6B-BF53-418e-ABC2-31676AF58B73}\stubpath = "C:\\Windows\\{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe"	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED6A3929-C04E-4154-836F-AE409ADA631A}\stubpath = "C:\\Windows\\{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe"	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB45AF98-4D03-4281-A846-53744EBD938F}	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}	769a755cf3a6f6exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}\stubpath = "C:\\Windows\\{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe"	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}\stubpath = "C:\\Windows\\{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe"	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}\stubpath = "C:\\Windows\\{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe"	{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4808D8FB-62C1-4c97-85B6-3D5AD52DA221}\stubpath = "C:\\Windows\\{4808D8FB-62C1-4c97-85B6-3D5AD52DA221}.exe"	{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}	{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C61C3A05-E26A-4d32-AA55-D3453E686792}	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C67676B0-F17E-4da9-B54D-15A91770C45C}	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C61C3A05-E26A-4d32-AA55-D3453E686792}\stubpath = "C:\\Windows\\{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe"	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED6A3929-C04E-4154-836F-AE409ADA631A}	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB45AF98-4D03-4281-A846-53744EBD938F}\stubpath = "C:\\Windows\\{AB45AF98-4D03-4281-A846-53744EBD938F}.exe"	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4188	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe
4652	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe
4324	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe
524	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe
4112	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe
1232	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe
4056	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe
2076	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe
4984	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe
3092	{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe
4676	{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe
3504	{4808D8FB-62C1-4c97-85B6-3D5AD52DA221}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe
File created	C:\Windows\{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe
File created	C:\Windows\{AB45AF98-4D03-4281-A846-53744EBD938F}.exe	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe
File created	C:\Windows\{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe
File created	C:\Windows\{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe	{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe
File created	C:\Windows\{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe
File created	C:\Windows\{4808D8FB-62C1-4c97-85B6-3D5AD52DA221}.exe	{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe
File created	C:\Windows\{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe	769a755cf3a6f6exeexeexeex.exe
File created	C:\Windows\{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe
File created	C:\Windows\{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe
File created	C:\Windows\{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe
File created	C:\Windows\{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4136	769a755cf3a6f6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4188	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe
Token: SeIncBasePriorityPrivilege	4652	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe
Token: SeIncBasePriorityPrivilege	4324	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe
Token: SeIncBasePriorityPrivilege	524	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe
Token: SeIncBasePriorityPrivilege	4112	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe
Token: SeIncBasePriorityPrivilege	1232	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe
Token: SeIncBasePriorityPrivilege	4056	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe
Token: SeIncBasePriorityPrivilege	2076	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe
Token: SeIncBasePriorityPrivilege	4984	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe
Token: SeIncBasePriorityPrivilege	3092	{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe
Token: SeIncBasePriorityPrivilege	4676	{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4136 wrote to memory of 4188	4136	769a755cf3a6f6exeexeexeex.exe	84
PID 4136 wrote to memory of 4188	4136	769a755cf3a6f6exeexeexeex.exe	84
PID 4136 wrote to memory of 4188	4136	769a755cf3a6f6exeexeexeex.exe	84
PID 4136 wrote to memory of 2276	4136	769a755cf3a6f6exeexeexeex.exe	85
PID 4136 wrote to memory of 2276	4136	769a755cf3a6f6exeexeexeex.exe	85
PID 4136 wrote to memory of 2276	4136	769a755cf3a6f6exeexeexeex.exe	85
PID 4188 wrote to memory of 4652	4188	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe	86
PID 4188 wrote to memory of 4652	4188	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe	86
PID 4188 wrote to memory of 4652	4188	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe	86
PID 4188 wrote to memory of 1164	4188	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe	87
PID 4188 wrote to memory of 1164	4188	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe	87
PID 4188 wrote to memory of 1164	4188	{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe	87
PID 4652 wrote to memory of 4324	4652	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe	91
PID 4652 wrote to memory of 4324	4652	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe	91
PID 4652 wrote to memory of 4324	4652	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe	91
PID 4652 wrote to memory of 3340	4652	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe	92
PID 4652 wrote to memory of 3340	4652	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe	92
PID 4652 wrote to memory of 3340	4652	{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe	92
PID 4324 wrote to memory of 524	4324	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe	93
PID 4324 wrote to memory of 524	4324	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe	93
PID 4324 wrote to memory of 524	4324	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe	93
PID 4324 wrote to memory of 1152	4324	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe	94
PID 4324 wrote to memory of 1152	4324	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe	94
PID 4324 wrote to memory of 1152	4324	{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe	94
PID 524 wrote to memory of 4112	524	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe	95
PID 524 wrote to memory of 4112	524	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe	95
PID 524 wrote to memory of 4112	524	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe	95
PID 524 wrote to memory of 3464	524	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe	96
PID 524 wrote to memory of 3464	524	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe	96
PID 524 wrote to memory of 3464	524	{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe	96
PID 4112 wrote to memory of 1232	4112	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe	97
PID 4112 wrote to memory of 1232	4112	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe	97
PID 4112 wrote to memory of 1232	4112	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe	97
PID 4112 wrote to memory of 1772	4112	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe	98
PID 4112 wrote to memory of 1772	4112	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe	98
PID 4112 wrote to memory of 1772	4112	{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe	98
PID 1232 wrote to memory of 4056	1232	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe	99
PID 1232 wrote to memory of 4056	1232	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe	99
PID 1232 wrote to memory of 4056	1232	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe	99
PID 1232 wrote to memory of 1296	1232	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe	100
PID 1232 wrote to memory of 1296	1232	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe	100
PID 1232 wrote to memory of 1296	1232	{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe	100
PID 4056 wrote to memory of 2076	4056	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe	101
PID 4056 wrote to memory of 2076	4056	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe	101
PID 4056 wrote to memory of 2076	4056	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe	101
PID 4056 wrote to memory of 2692	4056	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe	102
PID 4056 wrote to memory of 2692	4056	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe	102
PID 4056 wrote to memory of 2692	4056	{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe	102
PID 2076 wrote to memory of 4984	2076	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe	103
PID 2076 wrote to memory of 4984	2076	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe	103
PID 2076 wrote to memory of 4984	2076	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe	103
PID 2076 wrote to memory of 3048	2076	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe	104
PID 2076 wrote to memory of 3048	2076	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe	104
PID 2076 wrote to memory of 3048	2076	{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe	104
PID 4984 wrote to memory of 3092	4984	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe	105
PID 4984 wrote to memory of 3092	4984	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe	105
PID 4984 wrote to memory of 3092	4984	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe	105
PID 4984 wrote to memory of 4712	4984	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe	106
PID 4984 wrote to memory of 4712	4984	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe	106
PID 4984 wrote to memory of 4712	4984	{AB45AF98-4D03-4281-A846-53744EBD938F}.exe	106
PID 3092 wrote to memory of 4676	3092	{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe	107
PID 3092 wrote to memory of 4676	3092	{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe	107
PID 3092 wrote to memory of 4676	3092	{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe	107
PID 3092 wrote to memory of 4332	3092	{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe	108

C:\Users\Admin\AppData\Local\Temp\769a755cf3a6f6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\769a755cf3a6f6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4136
- C:\Windows\{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe
  C:\Windows\{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe
    C:\Windows\{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe
      C:\Windows\{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe
        
        C:\Windows\{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:524
      - C:\Windows\{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe
        
        C:\Windows\{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe
        
        C:\Windows\{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe
        
        C:\Windows\{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe
        
        C:\Windows\{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{AB45AF98-4D03-4281-A846-53744EBD938F}.exe
        
        C:\Windows\{AB45AF98-4D03-4281-A846-53744EBD938F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe
        
        C:\Windows\{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe
        
        C:\Windows\{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4676
        
        C:\Windows\{4808D8FB-62C1-4c97-85B6-3D5AD52DA221}.exe
        
        C:\Windows\{4808D8FB-62C1-4c97-85B6-3D5AD52DA221}.exe
        13⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7407B~1.EXE > nul
        13⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51F58~1.EXE > nul
        12⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB45A~1.EXE > nul
        11⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED6A3~1.EXE > nul
        10⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8745~1.EXE > nul
        9⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{522F2~1.EXE > nul
        8⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6767~1.EXE > nul
        7⤵
        
        PID:1772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C61C3~1.EXE > nul
        6⤵
        
        PID:3464
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C5BC~1.EXE > nul
        5⤵
        
        PID:1152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7B51A~1.EXE > nul
      4⤵
      PID:3340
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B16C0~1.EXE > nul
    3⤵
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\769A75~1.EXE > nul
  2⤵
  PID:2276

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4808D8FB-62C1-4c97-85B6-3D5AD52DA221}.exe

Filesize
372KB

MD5
aeb5ec174d518b8b8bb8ad74ae61b4bf

SHA1
62d927e30e139f9a15ee32682a1e2263c388da3e

SHA256
04b29419a9291852091086c8643874b95e561bc264ecd67c9c44a343c6f8de27

SHA512
70cc3cd1f10db52c55ff5c921b8fff259483a72436297dd36290d0dbb0bde84904186073233ea186b0396a919bd64595ba72601048794165be34ec8134988606

Download Submit
C:\Windows\{4808D8FB-62C1-4c97-85B6-3D5AD52DA221}.exe

Filesize
372KB

MD5
aeb5ec174d518b8b8bb8ad74ae61b4bf

SHA1
62d927e30e139f9a15ee32682a1e2263c388da3e

SHA256
04b29419a9291852091086c8643874b95e561bc264ecd67c9c44a343c6f8de27

SHA512
70cc3cd1f10db52c55ff5c921b8fff259483a72436297dd36290d0dbb0bde84904186073233ea186b0396a919bd64595ba72601048794165be34ec8134988606

Download Submit
C:\Windows\{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe

Filesize
372KB

MD5
3f20466743ca8c4e141107d8be896f9a

SHA1
1f870a37acfcd4211d767407b5851b642513f268

SHA256
ae86bc3ae1e9378e0dd1eb4eaab47b84b0bd02e61fb3f751336046066c5e2f2a

SHA512
7c0765fa812a4bc7f8cb70c9e5c8942258d058706172309922d9d53b10eccd29be6db9f7e06190441f47eacaac8063c9617cd025e3b0f8077619ec24b6b40bed

Download Submit
C:\Windows\{51F58FF9-ED73-493e-A9CC-B072D0BFD9A9}.exe

Filesize
372KB

MD5
3f20466743ca8c4e141107d8be896f9a

SHA1
1f870a37acfcd4211d767407b5851b642513f268

SHA256
ae86bc3ae1e9378e0dd1eb4eaab47b84b0bd02e61fb3f751336046066c5e2f2a

SHA512
7c0765fa812a4bc7f8cb70c9e5c8942258d058706172309922d9d53b10eccd29be6db9f7e06190441f47eacaac8063c9617cd025e3b0f8077619ec24b6b40bed

Download Submit
C:\Windows\{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe

Filesize
372KB

MD5
3508d5b0cd503bccf25cd2da1415a215

SHA1
dbf9fae854fc84aa43e78dd95511b22288fdddf3

SHA256
a71d828b14cab01655530aa53ed6e6bb6ee02a316b3c0aa6deec90ca2f04c00e

SHA512
79cf667518b1fee270bc9e8ae704ecc93cf9614e4ab4898ade0a1337bad3737ca701f7dbc8477552237d68e0e04660c3b1036d75e49daa353b6a2e379a70aad3

Download Submit
C:\Windows\{522F20A5-1A7C-4f07-B31B-FB42DA5653EF}.exe

Filesize
372KB

MD5
3508d5b0cd503bccf25cd2da1415a215

SHA1
dbf9fae854fc84aa43e78dd95511b22288fdddf3

SHA256
a71d828b14cab01655530aa53ed6e6bb6ee02a316b3c0aa6deec90ca2f04c00e

SHA512
79cf667518b1fee270bc9e8ae704ecc93cf9614e4ab4898ade0a1337bad3737ca701f7dbc8477552237d68e0e04660c3b1036d75e49daa353b6a2e379a70aad3

Download Submit
C:\Windows\{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe

Filesize
372KB

MD5
9b9037575c241cd36f88b7b8339091e1

SHA1
b6e7fd7cd06cad992bfc8c7873133f3876c2d726

SHA256
f6ceb1413c4b736ade25f46ee436cd09ce7bf9503fc7744a13d86b8a47fe84f5

SHA512
dacce772e5314c27cda26e5503753aea93f52f47ae0c5df7f774e04bf6a35a2c936021b0e3806b210edd21d810c9268b79a5b67697d5e847a888b1807aea4ff3

Download Submit
C:\Windows\{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe

Filesize
372KB

MD5
9b9037575c241cd36f88b7b8339091e1

SHA1
b6e7fd7cd06cad992bfc8c7873133f3876c2d726

SHA256
f6ceb1413c4b736ade25f46ee436cd09ce7bf9503fc7744a13d86b8a47fe84f5

SHA512
dacce772e5314c27cda26e5503753aea93f52f47ae0c5df7f774e04bf6a35a2c936021b0e3806b210edd21d810c9268b79a5b67697d5e847a888b1807aea4ff3

Download Submit
C:\Windows\{6C5BC523-3784-44cc-82F7-D0B0ACCA8DA4}.exe

Filesize
372KB

MD5
9b9037575c241cd36f88b7b8339091e1

SHA1
b6e7fd7cd06cad992bfc8c7873133f3876c2d726

SHA256
f6ceb1413c4b736ade25f46ee436cd09ce7bf9503fc7744a13d86b8a47fe84f5

SHA512
dacce772e5314c27cda26e5503753aea93f52f47ae0c5df7f774e04bf6a35a2c936021b0e3806b210edd21d810c9268b79a5b67697d5e847a888b1807aea4ff3

Download Submit
C:\Windows\{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe

Filesize
372KB

MD5
3c787383403eed557fbf67a699a3be67

SHA1
2a55aae25e298002f187c3c51c22ac914a5b7eaa

SHA256
fe53bd4cbc08b5cf79539a7b1c3b278fddde81ef8b748e916d08781355e8b1b0

SHA512
8cd9ac59a0bc8a2f74d738c67d9941153cdf4f18ca1b4459bd303a9f1b7c5c18aee77d242d7f42f90af164f9682af35d23afc46c15c1bc2252c79006aa96f29b

Download Submit
C:\Windows\{7407B1B1-D812-41a1-BB7E-04AC03E9AD51}.exe

Filesize
372KB

MD5
3c787383403eed557fbf67a699a3be67

SHA1
2a55aae25e298002f187c3c51c22ac914a5b7eaa

SHA256
fe53bd4cbc08b5cf79539a7b1c3b278fddde81ef8b748e916d08781355e8b1b0

SHA512
8cd9ac59a0bc8a2f74d738c67d9941153cdf4f18ca1b4459bd303a9f1b7c5c18aee77d242d7f42f90af164f9682af35d23afc46c15c1bc2252c79006aa96f29b

Download Submit
C:\Windows\{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe

Filesize
372KB

MD5
933c1cde559215b7f7daeccd819611ce

SHA1
6c0495d4ba6b74ebd204b744238904ffb1a76a8e

SHA256
3386f1b6ea0ffd2a283a28ee6f921b31a963533ee8d7fad3e32c4bec3bef5400

SHA512
9c74c1e033598d6ad902d700c3c1162af8e0b917405e41b75fa688d73e2531b5325bd5d6028f82920fb33ae67adebe7099ecfddd4413a9040357a712f7157ee7

Download Submit
C:\Windows\{7B51AD8D-D028-4d1b-8D25-C16601B48B3B}.exe

Filesize
372KB

MD5
933c1cde559215b7f7daeccd819611ce

SHA1
6c0495d4ba6b74ebd204b744238904ffb1a76a8e

SHA256
3386f1b6ea0ffd2a283a28ee6f921b31a963533ee8d7fad3e32c4bec3bef5400

SHA512
9c74c1e033598d6ad902d700c3c1162af8e0b917405e41b75fa688d73e2531b5325bd5d6028f82920fb33ae67adebe7099ecfddd4413a9040357a712f7157ee7

Download Submit
C:\Windows\{AB45AF98-4D03-4281-A846-53744EBD938F}.exe

Filesize
372KB

MD5
8c6f0357329e9e742cc97f4162107439

SHA1
6582d680348360b7bf77d424e8b38a929b1884b1

SHA256
4d884f574a6e53d306d259fb3b6c82a5792bf46a8fafd72b0f469842a405ea89

SHA512
b2473d26012990dfe7428167b3b26193fc74e8de1f4135b10b98906ff0492881b1ad62b5a50cc242efcb162c0e5858db8508c26c2e61e7f5ec2a1450a43ba8cb

Download Submit
C:\Windows\{AB45AF98-4D03-4281-A846-53744EBD938F}.exe

Filesize
372KB

MD5
8c6f0357329e9e742cc97f4162107439

SHA1
6582d680348360b7bf77d424e8b38a929b1884b1

SHA256
4d884f574a6e53d306d259fb3b6c82a5792bf46a8fafd72b0f469842a405ea89

SHA512
b2473d26012990dfe7428167b3b26193fc74e8de1f4135b10b98906ff0492881b1ad62b5a50cc242efcb162c0e5858db8508c26c2e61e7f5ec2a1450a43ba8cb

Download Submit
C:\Windows\{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe

Filesize
372KB

MD5
2e705b98a3211991efcbd8001ef93ce0

SHA1
a5f15c34b3407144c665fffafdfa9a7f847b546a

SHA256
c6b2f47aea8c0fc3fd5677b136789bdd7152f2e3fd29ae884ecf04b90ed0c26d

SHA512
b07f45bffad5c13cd0d5c7f782254c46f1aac1d244990050502bb83f8f4d9bfdf59ea14298153e563bacd2bb8b78bcde707b463863ea6c9565b659bbeb7f6d33

Download Submit
C:\Windows\{B16C0D5A-DE62-4127-BC6F-7948E19F43BC}.exe

Filesize
372KB

MD5
2e705b98a3211991efcbd8001ef93ce0

SHA1
a5f15c34b3407144c665fffafdfa9a7f847b546a

SHA256
c6b2f47aea8c0fc3fd5677b136789bdd7152f2e3fd29ae884ecf04b90ed0c26d

SHA512
b07f45bffad5c13cd0d5c7f782254c46f1aac1d244990050502bb83f8f4d9bfdf59ea14298153e563bacd2bb8b78bcde707b463863ea6c9565b659bbeb7f6d33

Download Submit
C:\Windows\{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe

Filesize
372KB

MD5
1b5c56ea2b4349eb32df77f1a64c3598

SHA1
f8cf5968c5d9aadf39d04b21fe70a00fec91bbe0

SHA256
c4f48eb88724df60bc7ad79963f17ce961a55cfec1da99f921963b499e10cf73

SHA512
721643e9157c6d5580448827e9e95f71c73b32b2f54c793b7681ad61981f41af82b59864603ebd494c612bfa6b8ef080e31f75c26be4471333422ebbd495dba3

Download Submit
C:\Windows\{C61C3A05-E26A-4d32-AA55-D3453E686792}.exe

Filesize
372KB

MD5
1b5c56ea2b4349eb32df77f1a64c3598

SHA1
f8cf5968c5d9aadf39d04b21fe70a00fec91bbe0

SHA256
c4f48eb88724df60bc7ad79963f17ce961a55cfec1da99f921963b499e10cf73

SHA512
721643e9157c6d5580448827e9e95f71c73b32b2f54c793b7681ad61981f41af82b59864603ebd494c612bfa6b8ef080e31f75c26be4471333422ebbd495dba3

Download Submit
C:\Windows\{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe

Filesize
372KB

MD5
36a33132f803aecb2cdd3baa6ce721c9

SHA1
29ae600e4c00b5fddc38ab74b18046f83d6c44e6

SHA256
ea1801a1fadd36dd99f04e3a850c009dbc68bcc0d87c55e3a2da7a579750342e

SHA512
9872800305ee075bb26a082f89185f77de9f899489235f21b6f31366dace45dcbac6951397abba2efa08349d3da5141c3dd7eb60de66657d6b7c1c730ab44fbc

Download Submit
C:\Windows\{C67676B0-F17E-4da9-B54D-15A91770C45C}.exe

Filesize
372KB

MD5
36a33132f803aecb2cdd3baa6ce721c9

SHA1
29ae600e4c00b5fddc38ab74b18046f83d6c44e6

SHA256
ea1801a1fadd36dd99f04e3a850c009dbc68bcc0d87c55e3a2da7a579750342e

SHA512
9872800305ee075bb26a082f89185f77de9f899489235f21b6f31366dace45dcbac6951397abba2efa08349d3da5141c3dd7eb60de66657d6b7c1c730ab44fbc

Download Submit
C:\Windows\{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe

Filesize
372KB

MD5
f2a44e962309822abae05ce8728579bf

SHA1
e2b140d1042461b54744cf13fff417cfa1c84b39

SHA256
350741a5f9644a2eb224cd437647fc36d7259edbc2563b5917d9a0aba943ae59

SHA512
25964a43f61fb2ecf8effd085e9de7c68368517e577f99bbad792422d2d21b68610ced91b9df749411f6b2e8f7d6e62c57f95d4e831f67079a2dad235b6afebb

Download Submit
C:\Windows\{C8745F6B-BF53-418e-ABC2-31676AF58B73}.exe

Filesize
372KB

MD5
f2a44e962309822abae05ce8728579bf

SHA1
e2b140d1042461b54744cf13fff417cfa1c84b39

SHA256
350741a5f9644a2eb224cd437647fc36d7259edbc2563b5917d9a0aba943ae59

SHA512
25964a43f61fb2ecf8effd085e9de7c68368517e577f99bbad792422d2d21b68610ced91b9df749411f6b2e8f7d6e62c57f95d4e831f67079a2dad235b6afebb

Download Submit
C:\Windows\{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe

Filesize
372KB

MD5
842fda60c22d81656011a7266934c46f

SHA1
799d51c9ea7c1f63f782442faa8a583e026a4939

SHA256
c8d46bfbb9b4bc7304c0703524d1b45153aa2e68a980383e1021988bca500e9c

SHA512
90641fbf591288baea21ab88e30c8b8ebd58f22f9641eb51e1d3eefb78d94c066c174ddd86e5d657829046b06b4c8e41bbdcaa05de9649f9f86a5f0c4d38aa46

Download Submit
C:\Windows\{ED6A3929-C04E-4154-836F-AE409ADA631A}.exe

Filesize
372KB

MD5
842fda60c22d81656011a7266934c46f

SHA1
799d51c9ea7c1f63f782442faa8a583e026a4939

SHA256
c8d46bfbb9b4bc7304c0703524d1b45153aa2e68a980383e1021988bca500e9c

SHA512
90641fbf591288baea21ab88e30c8b8ebd58f22f9641eb51e1d3eefb78d94c066c174ddd86e5d657829046b06b4c8e41bbdcaa05de9649f9f86a5f0c4d38aa46

Download Submit