43b46c5d2dd21ef1ff93088994c0b1a3a83a8eecee7ec27113228e4811fca09e

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

776313dc7c1675exeexeexeex.exe
Size

372KB
MD5

776313dc7c16759e0d4d58f30ae9d1a9
SHA1

5bf219e0dbd7c762fee7b03c849a230a35bdebdc
SHA256

43b46c5d2dd21ef1ff93088994c0b1a3a83a8eecee7ec27113228e4811fca09e
SHA512

0770cadd78169c2687b355ca61949eeea923aecc3e4f4c179fdcb67bd71608662867b58f3036ef15b1ec4132e7902e119b52615f803307c156546ab940490d8e
SSDEEP

3072:CEGh0o8mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEG7l/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA37AD35-6C27-4f28-9D16-6F8012346DB5}	{FC063F23-487D-4abc-9A17-27898206A95E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F49F010A-F9DD-4634-A883-BC825AE205EE}	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB518384-494F-4c00-A740-2862A7DC1B3B}	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D730E349-9817-4404-93D2-25DA9DE8D48F}	{8236BFC3-A671-4156-91D0-F5823F553215}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1719B6D7-3D81-492a-95E4-8282374F352E}	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B0E00E4-DC27-47cd-AB80-9CECD331360E}	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}\stubpath = "C:\\Windows\\{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe"	{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA37AD35-6C27-4f28-9D16-6F8012346DB5}\stubpath = "C:\\Windows\\{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe"	{FC063F23-487D-4abc-9A17-27898206A95E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F49F010A-F9DD-4634-A883-BC825AE205EE}\stubpath = "C:\\Windows\\{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe"	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB518384-494F-4c00-A740-2862A7DC1B3B}\stubpath = "C:\\Windows\\{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe"	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1719B6D7-3D81-492a-95E4-8282374F352E}\stubpath = "C:\\Windows\\{1719B6D7-3D81-492a-95E4-8282374F352E}.exe"	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}	{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3767415-B6C5-4b97-8D3C-B888FD1AE1AF}\stubpath = "C:\\Windows\\{D3767415-B6C5-4b97-8D3C-B888FD1AE1AF}.exe"	{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC063F23-487D-4abc-9A17-27898206A95E}	776313dc7c1675exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8236BFC3-A671-4156-91D0-F5823F553215}	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8236BFC3-A671-4156-91D0-F5823F553215}\stubpath = "C:\\Windows\\{8236BFC3-A671-4156-91D0-F5823F553215}.exe"	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D730E349-9817-4404-93D2-25DA9DE8D48F}\stubpath = "C:\\Windows\\{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe"	{8236BFC3-A671-4156-91D0-F5823F553215}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}\stubpath = "C:\\Windows\\{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe"	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3767415-B6C5-4b97-8D3C-B888FD1AE1AF}	{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC063F23-487D-4abc-9A17-27898206A95E}\stubpath = "C:\\Windows\\{FC063F23-487D-4abc-9A17-27898206A95E}.exe"	776313dc7c1675exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}\stubpath = "C:\\Windows\\{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe"	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B0E00E4-DC27-47cd-AB80-9CECD331360E}\stubpath = "C:\\Windows\\{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe"	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe

Executes dropped EXE 12 IoCs

pid	Process
3836	{FC063F23-487D-4abc-9A17-27898206A95E}.exe
3444	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe
4152	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe
4128	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe
3800	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe
5100	{8236BFC3-A671-4156-91D0-F5823F553215}.exe
2604	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe
1392	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe
4180	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe
1276	{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe
3924	{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe
2460	{D3767415-B6C5-4b97-8D3C-B888FD1AE1AF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe	{FC063F23-487D-4abc-9A17-27898206A95E}.exe
File created	C:\Windows\{1719B6D7-3D81-492a-95E4-8282374F352E}.exe	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe
File created	C:\Windows\{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe
File created	C:\Windows\{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe
File created	C:\Windows\{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe	{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe
File created	C:\Windows\{D3767415-B6C5-4b97-8D3C-B888FD1AE1AF}.exe	{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe
File created	C:\Windows\{FC063F23-487D-4abc-9A17-27898206A95E}.exe	776313dc7c1675exeexeexeex.exe
File created	C:\Windows\{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe
File created	C:\Windows\{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe
File created	C:\Windows\{8236BFC3-A671-4156-91D0-F5823F553215}.exe	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe
File created	C:\Windows\{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe	{8236BFC3-A671-4156-91D0-F5823F553215}.exe
File created	C:\Windows\{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2876	776313dc7c1675exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3836	{FC063F23-487D-4abc-9A17-27898206A95E}.exe
Token: SeIncBasePriorityPrivilege	3444	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe
Token: SeIncBasePriorityPrivilege	4152	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe
Token: SeIncBasePriorityPrivilege	4128	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe
Token: SeIncBasePriorityPrivilege	3800	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe
Token: SeIncBasePriorityPrivilege	5100	{8236BFC3-A671-4156-91D0-F5823F553215}.exe
Token: SeIncBasePriorityPrivilege	2604	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe
Token: SeIncBasePriorityPrivilege	1392	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe
Token: SeIncBasePriorityPrivilege	4180	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe
Token: SeIncBasePriorityPrivilege	1276	{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe
Token: SeIncBasePriorityPrivilege	3924	{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2876 wrote to memory of 3836	2876	776313dc7c1675exeexeexeex.exe	84
PID 2876 wrote to memory of 3836	2876	776313dc7c1675exeexeexeex.exe	84
PID 2876 wrote to memory of 3836	2876	776313dc7c1675exeexeexeex.exe	84
PID 2876 wrote to memory of 5048	2876	776313dc7c1675exeexeexeex.exe	85
PID 2876 wrote to memory of 5048	2876	776313dc7c1675exeexeexeex.exe	85
PID 2876 wrote to memory of 5048	2876	776313dc7c1675exeexeexeex.exe	85
PID 3836 wrote to memory of 3444	3836	{FC063F23-487D-4abc-9A17-27898206A95E}.exe	86
PID 3836 wrote to memory of 3444	3836	{FC063F23-487D-4abc-9A17-27898206A95E}.exe	86
PID 3836 wrote to memory of 3444	3836	{FC063F23-487D-4abc-9A17-27898206A95E}.exe	86
PID 3836 wrote to memory of 4552	3836	{FC063F23-487D-4abc-9A17-27898206A95E}.exe	87
PID 3836 wrote to memory of 4552	3836	{FC063F23-487D-4abc-9A17-27898206A95E}.exe	87
PID 3836 wrote to memory of 4552	3836	{FC063F23-487D-4abc-9A17-27898206A95E}.exe	87
PID 3444 wrote to memory of 4152	3444	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe	92
PID 3444 wrote to memory of 4152	3444	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe	92
PID 3444 wrote to memory of 4152	3444	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe	92
PID 3444 wrote to memory of 3708	3444	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe	91
PID 3444 wrote to memory of 3708	3444	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe	91
PID 3444 wrote to memory of 3708	3444	{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe	91
PID 4152 wrote to memory of 4128	4152	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe	93
PID 4152 wrote to memory of 4128	4152	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe	93
PID 4152 wrote to memory of 4128	4152	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe	93
PID 4152 wrote to memory of 3828	4152	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe	94
PID 4152 wrote to memory of 3828	4152	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe	94
PID 4152 wrote to memory of 3828	4152	{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe	94
PID 4128 wrote to memory of 3800	4128	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe	95
PID 4128 wrote to memory of 3800	4128	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe	95
PID 4128 wrote to memory of 3800	4128	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe	95
PID 4128 wrote to memory of 4184	4128	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe	96
PID 4128 wrote to memory of 4184	4128	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe	96
PID 4128 wrote to memory of 4184	4128	{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe	96
PID 3800 wrote to memory of 5100	3800	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe	97
PID 3800 wrote to memory of 5100	3800	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe	97
PID 3800 wrote to memory of 5100	3800	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe	97
PID 3800 wrote to memory of 4652	3800	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe	98
PID 3800 wrote to memory of 4652	3800	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe	98
PID 3800 wrote to memory of 4652	3800	{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe	98
PID 5100 wrote to memory of 2604	5100	{8236BFC3-A671-4156-91D0-F5823F553215}.exe	99
PID 5100 wrote to memory of 2604	5100	{8236BFC3-A671-4156-91D0-F5823F553215}.exe	99
PID 5100 wrote to memory of 2604	5100	{8236BFC3-A671-4156-91D0-F5823F553215}.exe	99
PID 5100 wrote to memory of 2224	5100	{8236BFC3-A671-4156-91D0-F5823F553215}.exe	100
PID 5100 wrote to memory of 2224	5100	{8236BFC3-A671-4156-91D0-F5823F553215}.exe	100
PID 5100 wrote to memory of 2224	5100	{8236BFC3-A671-4156-91D0-F5823F553215}.exe	100
PID 2604 wrote to memory of 1392	2604	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe	101
PID 2604 wrote to memory of 1392	2604	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe	101
PID 2604 wrote to memory of 1392	2604	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe	101
PID 2604 wrote to memory of 4776	2604	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe	102
PID 2604 wrote to memory of 4776	2604	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe	102
PID 2604 wrote to memory of 4776	2604	{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe	102
PID 1392 wrote to memory of 4180	1392	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe	103
PID 1392 wrote to memory of 4180	1392	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe	103
PID 1392 wrote to memory of 4180	1392	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe	103
PID 1392 wrote to memory of 4348	1392	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe	104
PID 1392 wrote to memory of 4348	1392	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe	104
PID 1392 wrote to memory of 4348	1392	{1719B6D7-3D81-492a-95E4-8282374F352E}.exe	104
PID 4180 wrote to memory of 1276	4180	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe	105
PID 4180 wrote to memory of 1276	4180	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe	105
PID 4180 wrote to memory of 1276	4180	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe	105
PID 4180 wrote to memory of 2644	4180	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe	106
PID 4180 wrote to memory of 2644	4180	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe	106
PID 4180 wrote to memory of 2644	4180	{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe	106
PID 1276 wrote to memory of 3924	1276	{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe	107
PID 1276 wrote to memory of 3924	1276	{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe	107
PID 1276 wrote to memory of 3924	1276	{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe	107
PID 1276 wrote to memory of 4788	1276	{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe	108

C:\Users\Admin\AppData\Local\Temp\776313dc7c1675exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\776313dc7c1675exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Windows\{FC063F23-487D-4abc-9A17-27898206A95E}.exe
  C:\Windows\{FC063F23-487D-4abc-9A17-27898206A95E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3836
- - C:\Windows\{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe
    C:\Windows\{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3444
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FA37A~1.EXE > nul
      4⤵
      PID:3708
  - - C:\Windows\{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe
      C:\Windows\{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4152
    - - C:\Windows\{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe
        
        C:\Windows\{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4128
      - C:\Windows\{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe
        
        C:\Windows\{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3800
        
        C:\Windows\{8236BFC3-A671-4156-91D0-F5823F553215}.exe
        
        C:\Windows\{8236BFC3-A671-4156-91D0-F5823F553215}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5100
        
        C:\Windows\{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe
        
        C:\Windows\{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{1719B6D7-3D81-492a-95E4-8282374F352E}.exe
        
        C:\Windows\{1719B6D7-3D81-492a-95E4-8282374F352E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1392
        
        C:\Windows\{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe
        
        C:\Windows\{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe
        
        C:\Windows\{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe
        
        C:\Windows\{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
        
        C:\Windows\{D3767415-B6C5-4b97-8D3C-B888FD1AE1AF}.exe
        
        C:\Windows\{D3767415-B6C5-4b97-8D3C-B888FD1AE1AF}.exe
        13⤵
        Executes dropped EXE
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7E8E~1.EXE > nul
        13⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0943~1.EXE > nul
        12⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B0E0~1.EXE > nul
        11⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1719B~1.EXE > nul
        10⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D730E~1.EXE > nul
        9⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8236B~1.EXE > nul
        8⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80676~1.EXE > nul
        7⤵
        
        PID:4652
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB518~1.EXE > nul
        6⤵
        
        PID:4184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F49F0~1.EXE > nul
        5⤵
        
        PID:3828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FC063~1.EXE > nul
    3⤵
    PID:4552
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\776313~1.EXE > nul
  2⤵
  PID:5048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1719B6D7-3D81-492a-95E4-8282374F352E}.exe

Filesize
372KB

MD5
601835b9efd3d35582e40c67c182e8f3

SHA1
18cf533c9c5c632dd997822f3981ab4e83a73b14

SHA256
adefb0361b5935dea9db39b27cf4f190aa25975b10c980542f069b2cf6833675

SHA512
2dbad73e49cfd7cb63a01418e8d7ec64498afe834b8cdfb3ff83d5b53596323e3bc4b9272c7edf5105352948936e8e11ae46836eccc59fb145735f2bf1207150

Download Submit
C:\Windows\{1719B6D7-3D81-492a-95E4-8282374F352E}.exe

Filesize
372KB

MD5
601835b9efd3d35582e40c67c182e8f3

SHA1
18cf533c9c5c632dd997822f3981ab4e83a73b14

SHA256
adefb0361b5935dea9db39b27cf4f190aa25975b10c980542f069b2cf6833675

SHA512
2dbad73e49cfd7cb63a01418e8d7ec64498afe834b8cdfb3ff83d5b53596323e3bc4b9272c7edf5105352948936e8e11ae46836eccc59fb145735f2bf1207150

Download Submit
C:\Windows\{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe

Filesize
372KB

MD5
02ee2db2a15cbc3c1c00fb6f1c370b45

SHA1
4b206900d1fab42d976cd287ad36344ffa6dfd57

SHA256
87185d346491fa352b5a83257fb0604bcc51d8e27a0464af5acb949e5766fb05

SHA512
221083d661ff77831416539cab6179a84d206f6146d1236f94b1e5af98dd03cc105b80e596c30d0ae7e5a27ccab37513d3adae62c38aa926dd4a9e62cf19dbc0

Download Submit
C:\Windows\{5B0E00E4-DC27-47cd-AB80-9CECD331360E}.exe

Filesize
372KB

MD5
02ee2db2a15cbc3c1c00fb6f1c370b45

SHA1
4b206900d1fab42d976cd287ad36344ffa6dfd57

SHA256
87185d346491fa352b5a83257fb0604bcc51d8e27a0464af5acb949e5766fb05

SHA512
221083d661ff77831416539cab6179a84d206f6146d1236f94b1e5af98dd03cc105b80e596c30d0ae7e5a27ccab37513d3adae62c38aa926dd4a9e62cf19dbc0

Download Submit
C:\Windows\{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe

Filesize
372KB

MD5
99bc9e96f72afbdeb842022503f4219a

SHA1
d36ad8eafafb5d0bd4b3a9bc007b5c98f2e7ebd8

SHA256
b4a3b5f103b11771323349909b39ed4fed8c861b325f4dfa37a22a0b07fa5fdd

SHA512
fb986519e52bc4158bdcc5c517883bd34db56355495c6c8146e3775163ca2bd2ada88cd87216d9cba9731f916b89f7091aa1dbc79edc0bd56dba5b2e49d2d87b

Download Submit
C:\Windows\{806765A5-57E7-4ba3-B87D-B07A0DC7DDB9}.exe

Filesize
372KB

MD5
99bc9e96f72afbdeb842022503f4219a

SHA1
d36ad8eafafb5d0bd4b3a9bc007b5c98f2e7ebd8

SHA256
b4a3b5f103b11771323349909b39ed4fed8c861b325f4dfa37a22a0b07fa5fdd

SHA512
fb986519e52bc4158bdcc5c517883bd34db56355495c6c8146e3775163ca2bd2ada88cd87216d9cba9731f916b89f7091aa1dbc79edc0bd56dba5b2e49d2d87b

Download Submit
C:\Windows\{8236BFC3-A671-4156-91D0-F5823F553215}.exe

Filesize
372KB

MD5
466a8a2be8774aed89662a3f6c3e6a81

SHA1
b0810520925540201893ac9becbabfbf96b41c92

SHA256
52a186342e5019cea5ce76d1bc5f4d89371aafc9872265cb87d0018af099aad4

SHA512
c5fffbd5fa742d038abc1451c90f218275b8bac60c845752de2e1f1185a5c821c589734112ccebbbba5e5d9e3e05f4811899f6b9a380647eaeb18b59c1f3c2e8

Download Submit
C:\Windows\{8236BFC3-A671-4156-91D0-F5823F553215}.exe

Filesize
372KB

MD5
466a8a2be8774aed89662a3f6c3e6a81

SHA1
b0810520925540201893ac9becbabfbf96b41c92

SHA256
52a186342e5019cea5ce76d1bc5f4d89371aafc9872265cb87d0018af099aad4

SHA512
c5fffbd5fa742d038abc1451c90f218275b8bac60c845752de2e1f1185a5c821c589734112ccebbbba5e5d9e3e05f4811899f6b9a380647eaeb18b59c1f3c2e8

Download Submit
C:\Windows\{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe

Filesize
372KB

MD5
3b34fc9447adaf86cd4aa777ca1e74df

SHA1
1b7851a6abe0c24d421c4cc8a92cc0ac252ca55c

SHA256
854cdd190d65d15cb418befd93e317e4c6798fc338bcdcd782c9bedba1b3c852

SHA512
31d9ce92faeaead01b4a9d92440288a5ddcf3ba2346f85e3a32b3129e8626000a442f1a3a5a8f47fa3bc10bd042e0fdb5bb3f6e4d1d78eff931420bf710e2e51

Download Submit
C:\Windows\{A0943CD0-0DC8-442f-803B-F68DAA6DF7C7}.exe

Filesize
372KB

MD5
3b34fc9447adaf86cd4aa777ca1e74df

SHA1
1b7851a6abe0c24d421c4cc8a92cc0ac252ca55c

SHA256
854cdd190d65d15cb418befd93e317e4c6798fc338bcdcd782c9bedba1b3c852

SHA512
31d9ce92faeaead01b4a9d92440288a5ddcf3ba2346f85e3a32b3129e8626000a442f1a3a5a8f47fa3bc10bd042e0fdb5bb3f6e4d1d78eff931420bf710e2e51

Download Submit
C:\Windows\{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe

Filesize
372KB

MD5
7e604edaa9e422c4846777473f082433

SHA1
4db33b0cfa52e56addf0b891f707116e2f6dce03

SHA256
d8de4e4c10436db41bee348edec9f6b5c6bd97adf0a55f85b2456100794804d1

SHA512
3f93761c756ced95e82a249a5d4a28b5396020de18516285a560280812cf705c0455bdcfe7a6959f7e09d3900744b04bf4ee057ffdcd0d787620ccdff9d57c60

Download Submit
C:\Windows\{AB518384-494F-4c00-A740-2862A7DC1B3B}.exe

Filesize
372KB

MD5
7e604edaa9e422c4846777473f082433

SHA1
4db33b0cfa52e56addf0b891f707116e2f6dce03

SHA256
d8de4e4c10436db41bee348edec9f6b5c6bd97adf0a55f85b2456100794804d1

SHA512
3f93761c756ced95e82a249a5d4a28b5396020de18516285a560280812cf705c0455bdcfe7a6959f7e09d3900744b04bf4ee057ffdcd0d787620ccdff9d57c60

Download Submit
C:\Windows\{D3767415-B6C5-4b97-8D3C-B888FD1AE1AF}.exe

Filesize
372KB

MD5
549bfa2e942f007f311cdf779f129289

SHA1
82fbca8769ea3094574fb2d8c68a8acdb3c53101

SHA256
2b5802d6ce55052c8ef8d984b7dc46ed6cbd3a731d18932f698856de6cba3505

SHA512
f87aee813bfd66d175e4097f555440d2963ea9d62b6ed81102cc7567254da04289eb0afe6ac5f2c02d6b2f0139899881e320bff5edaf9413dce9b173bd017094

Download Submit
C:\Windows\{D3767415-B6C5-4b97-8D3C-B888FD1AE1AF}.exe

Filesize
372KB

MD5
549bfa2e942f007f311cdf779f129289

SHA1
82fbca8769ea3094574fb2d8c68a8acdb3c53101

SHA256
2b5802d6ce55052c8ef8d984b7dc46ed6cbd3a731d18932f698856de6cba3505

SHA512
f87aee813bfd66d175e4097f555440d2963ea9d62b6ed81102cc7567254da04289eb0afe6ac5f2c02d6b2f0139899881e320bff5edaf9413dce9b173bd017094

Download Submit
C:\Windows\{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe

Filesize
372KB

MD5
bcc92a2c47d52335690c9d6e7669123d

SHA1
f13473bae94e6f09fc42f7d8d22c05da6d715b35

SHA256
2002a3158fdafd5933dd9a88b3e65c3f7e5602965a0b03a8a870e0e77357aa1b

SHA512
78759c0291459b2dd972760941f6d9c192bd2ad38ad5e343e2731423105ad918b4423efe98cff0955bb1fccff8974b5f94e63f8c3f5d8186e6f020ba65d50826

Download Submit
C:\Windows\{D730E349-9817-4404-93D2-25DA9DE8D48F}.exe

Filesize
372KB

MD5
bcc92a2c47d52335690c9d6e7669123d

SHA1
f13473bae94e6f09fc42f7d8d22c05da6d715b35

SHA256
2002a3158fdafd5933dd9a88b3e65c3f7e5602965a0b03a8a870e0e77357aa1b

SHA512
78759c0291459b2dd972760941f6d9c192bd2ad38ad5e343e2731423105ad918b4423efe98cff0955bb1fccff8974b5f94e63f8c3f5d8186e6f020ba65d50826

Download Submit
C:\Windows\{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe

Filesize
372KB

MD5
263ea1bba5488e0aed0406c0aeea05f0

SHA1
cc7274ba83d3981eae4acc3eff609cd5286be126

SHA256
fe6a10157d069112e69c5d1b106ea8d9b1a11ebd15f6af0808b0bdc83dc37bd2

SHA512
b84966244ce03dd10aacf016ecabc86cb8bc6b7c766b8d2f5fbab8e4e1f27686a07f9e2226e2397301da334605341fce780060f93d8d1a3d1b9996c2876ad4f2

Download Submit
C:\Windows\{D7E8E7B5-63FA-46b8-A3DB-84CF9205097F}.exe

Filesize
372KB

MD5
263ea1bba5488e0aed0406c0aeea05f0

SHA1
cc7274ba83d3981eae4acc3eff609cd5286be126

SHA256
fe6a10157d069112e69c5d1b106ea8d9b1a11ebd15f6af0808b0bdc83dc37bd2

SHA512
b84966244ce03dd10aacf016ecabc86cb8bc6b7c766b8d2f5fbab8e4e1f27686a07f9e2226e2397301da334605341fce780060f93d8d1a3d1b9996c2876ad4f2

Download Submit
C:\Windows\{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe

Filesize
372KB

MD5
5977d60b112557cad4babc26a59c7f18

SHA1
e99b0d5145a8f04394ec08e10808e41ccd452392

SHA256
1f9a0b927fb4065247e16ea611fa488a9d6024981b6531d1fd2ea18dca85c830

SHA512
d280cf069619f8cf5071a50c4d8d2496bd04d64a07d964668b7b49a5d87bfff217b4294847678c61d7c94d2bd016216e01575e8e187eabaa6c0a36b824dcfbb6

Download Submit
C:\Windows\{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe

Filesize
372KB

MD5
5977d60b112557cad4babc26a59c7f18

SHA1
e99b0d5145a8f04394ec08e10808e41ccd452392

SHA256
1f9a0b927fb4065247e16ea611fa488a9d6024981b6531d1fd2ea18dca85c830

SHA512
d280cf069619f8cf5071a50c4d8d2496bd04d64a07d964668b7b49a5d87bfff217b4294847678c61d7c94d2bd016216e01575e8e187eabaa6c0a36b824dcfbb6

Download Submit
C:\Windows\{F49F010A-F9DD-4634-A883-BC825AE205EE}.exe

Filesize
372KB

MD5
5977d60b112557cad4babc26a59c7f18

SHA1
e99b0d5145a8f04394ec08e10808e41ccd452392

SHA256
1f9a0b927fb4065247e16ea611fa488a9d6024981b6531d1fd2ea18dca85c830

SHA512
d280cf069619f8cf5071a50c4d8d2496bd04d64a07d964668b7b49a5d87bfff217b4294847678c61d7c94d2bd016216e01575e8e187eabaa6c0a36b824dcfbb6

Download Submit
C:\Windows\{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe

Filesize
372KB

MD5
938ed4e26ed4f36d84b08a835349fa9e

SHA1
2dcf6dff44f6458bf3b8bb3f0bff7e71341a1fea

SHA256
acfc39e638679a9cd0ac7619aff93cacf84e8eaa9b241b2e7c279b54d967edf2

SHA512
566e0e6b3d9a51b8d75ee8345672c0d327b22ab9cad376281686e6a7fca578ae1d8dc08739f9f53a8e976315724ac1fb14cf6a2399f61b6e5728a8c6ec438783

Download Submit
C:\Windows\{FA37AD35-6C27-4f28-9D16-6F8012346DB5}.exe

Filesize
372KB

MD5
938ed4e26ed4f36d84b08a835349fa9e

SHA1
2dcf6dff44f6458bf3b8bb3f0bff7e71341a1fea

SHA256
acfc39e638679a9cd0ac7619aff93cacf84e8eaa9b241b2e7c279b54d967edf2

SHA512
566e0e6b3d9a51b8d75ee8345672c0d327b22ab9cad376281686e6a7fca578ae1d8dc08739f9f53a8e976315724ac1fb14cf6a2399f61b6e5728a8c6ec438783

Download Submit
C:\Windows\{FC063F23-487D-4abc-9A17-27898206A95E}.exe

Filesize
372KB

MD5
741dba56dd03a6ad60c24b7dab7f64e9

SHA1
ec32ebb75493dc88edb30360aa0c35f6f0a14237

SHA256
1e57ea94ce4b8bc23fcb78fffb0123b50313ddf25f18ef489760f342a719d61a

SHA512
4c096100d272806a7249f38bfa4a6b712faf9227558064b2fdb03fa83fb2229b4a1f0a88eb0cfa1c53cf399bd7312392a40096849c1d3931fd47639decc1782c

Download Submit
C:\Windows\{FC063F23-487D-4abc-9A17-27898206A95E}.exe

Filesize
372KB

MD5
741dba56dd03a6ad60c24b7dab7f64e9

SHA1
ec32ebb75493dc88edb30360aa0c35f6f0a14237

SHA256
1e57ea94ce4b8bc23fcb78fffb0123b50313ddf25f18ef489760f342a719d61a

SHA512
4c096100d272806a7249f38bfa4a6b712faf9227558064b2fdb03fa83fb2229b4a1f0a88eb0cfa1c53cf399bd7312392a40096849c1d3931fd47639decc1782c

Download Submit