bf991e9390852c3b68fac09c0e76eca51424867811c064cbe99889aa65ca3ec9

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

77bc3e50487498exeexeexeex.exe
Size

168KB
MD5

77bc3e504874989bf47c1abffa45639e
SHA1

d09ff257696b366eab1177e529192a4a438cb183
SHA256

bf991e9390852c3b68fac09c0e76eca51424867811c064cbe99889aa65ca3ec9
SHA512

ca082ad8a67dae1082cc9f43cd42c778ffa24b067e8b79332f0a3afc8f0fa468afd00c35628a31deb26cd5092089c0987e717381c3ab222fffdfb47d86ff9946
SSDEEP

1536:1EGh0ovlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ovlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34AE3D27-057C-481b-ABEB-0CB873C3DD36}	{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34AE3D27-057C-481b-ABEB-0CB873C3DD36}\stubpath = "C:\\Windows\\{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe"	{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D365621-3EA9-4979-9E74-D803A55304B5}	{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E06CB134-6F86-4ca5-8466-4EC5122A8131}\stubpath = "C:\\Windows\\{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe"	{3163059A-C714-4f3c-BB79-5956077905E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}\stubpath = "C:\\Windows\\{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe"	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}\stubpath = "C:\\Windows\\{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe"	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D365621-3EA9-4979-9E74-D803A55304B5}\stubpath = "C:\\Windows\\{7D365621-3EA9-4979-9E74-D803A55304B5}.exe"	{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3163059A-C714-4f3c-BB79-5956077905E8}\stubpath = "C:\\Windows\\{3163059A-C714-4f3c-BB79-5956077905E8}.exe"	77bc3e50487498exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E06CB134-6F86-4ca5-8466-4EC5122A8131}	{3163059A-C714-4f3c-BB79-5956077905E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{785D00E5-A984-4c44-BA87-77AFF7268F32}	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{785D00E5-A984-4c44-BA87-77AFF7268F32}\stubpath = "C:\\Windows\\{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe"	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80238161-CA66-44f2-BC72-BCF0F687677F}	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}\stubpath = "C:\\Windows\\{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe"	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}\stubpath = "C:\\Windows\\{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe"	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3163059A-C714-4f3c-BB79-5956077905E8}	77bc3e50487498exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31882124-546A-40fb-9D4A-DC12B40F0BCA}	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}\stubpath = "C:\\Windows\\{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe"	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31882124-546A-40fb-9D4A-DC12B40F0BCA}\stubpath = "C:\\Windows\\{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe"	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80238161-CA66-44f2-BC72-BCF0F687677F}\stubpath = "C:\\Windows\\{80238161-CA66-44f2-BC72-BCF0F687677F}.exe"	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe

Executes dropped EXE 12 IoCs

pid	Process
3932	{3163059A-C714-4f3c-BB79-5956077905E8}.exe
4200	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe
632	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe
1208	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe
3928	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe
1064	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe
1416	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe
1468	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe
2852	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe
2960	{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe
2316	{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe
1552	{7D365621-3EA9-4979-9E74-D803A55304B5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe
File created	C:\Windows\{80238161-CA66-44f2-BC72-BCF0F687677F}.exe	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe
File created	C:\Windows\{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe
File created	C:\Windows\{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe
File created	C:\Windows\{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe	{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe
File created	C:\Windows\{7D365621-3EA9-4979-9E74-D803A55304B5}.exe	{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe
File created	C:\Windows\{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe	{3163059A-C714-4f3c-BB79-5956077905E8}.exe
File created	C:\Windows\{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe
File created	C:\Windows\{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe
File created	C:\Windows\{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe
File created	C:\Windows\{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe
File created	C:\Windows\{3163059A-C714-4f3c-BB79-5956077905E8}.exe	77bc3e50487498exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1536	77bc3e50487498exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3932	{3163059A-C714-4f3c-BB79-5956077905E8}.exe
Token: SeIncBasePriorityPrivilege	4200	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe
Token: SeIncBasePriorityPrivilege	632	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe
Token: SeIncBasePriorityPrivilege	1208	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe
Token: SeIncBasePriorityPrivilege	3928	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe
Token: SeIncBasePriorityPrivilege	1064	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe
Token: SeIncBasePriorityPrivilege	1416	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe
Token: SeIncBasePriorityPrivilege	1468	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe
Token: SeIncBasePriorityPrivilege	2852	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe
Token: SeIncBasePriorityPrivilege	2960	{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe
Token: SeIncBasePriorityPrivilege	2316	{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 3932	1536	77bc3e50487498exeexeexeex.exe	85
PID 1536 wrote to memory of 3932	1536	77bc3e50487498exeexeexeex.exe	85
PID 1536 wrote to memory of 3932	1536	77bc3e50487498exeexeexeex.exe	85
PID 1536 wrote to memory of 2676	1536	77bc3e50487498exeexeexeex.exe	86
PID 1536 wrote to memory of 2676	1536	77bc3e50487498exeexeexeex.exe	86
PID 1536 wrote to memory of 2676	1536	77bc3e50487498exeexeexeex.exe	86
PID 3932 wrote to memory of 4200	3932	{3163059A-C714-4f3c-BB79-5956077905E8}.exe	87
PID 3932 wrote to memory of 4200	3932	{3163059A-C714-4f3c-BB79-5956077905E8}.exe	87
PID 3932 wrote to memory of 4200	3932	{3163059A-C714-4f3c-BB79-5956077905E8}.exe	87
PID 3932 wrote to memory of 4388	3932	{3163059A-C714-4f3c-BB79-5956077905E8}.exe	88
PID 3932 wrote to memory of 4388	3932	{3163059A-C714-4f3c-BB79-5956077905E8}.exe	88
PID 3932 wrote to memory of 4388	3932	{3163059A-C714-4f3c-BB79-5956077905E8}.exe	88
PID 4200 wrote to memory of 632	4200	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe	92
PID 4200 wrote to memory of 632	4200	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe	92
PID 4200 wrote to memory of 632	4200	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe	92
PID 4200 wrote to memory of 3084	4200	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe	93
PID 4200 wrote to memory of 3084	4200	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe	93
PID 4200 wrote to memory of 3084	4200	{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe	93
PID 632 wrote to memory of 1208	632	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe	94
PID 632 wrote to memory of 1208	632	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe	94
PID 632 wrote to memory of 1208	632	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe	94
PID 632 wrote to memory of 2440	632	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe	95
PID 632 wrote to memory of 2440	632	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe	95
PID 632 wrote to memory of 2440	632	{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe	95
PID 1208 wrote to memory of 3928	1208	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe	96
PID 1208 wrote to memory of 3928	1208	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe	96
PID 1208 wrote to memory of 3928	1208	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe	96
PID 1208 wrote to memory of 1876	1208	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe	97
PID 1208 wrote to memory of 1876	1208	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe	97
PID 1208 wrote to memory of 1876	1208	{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe	97
PID 3928 wrote to memory of 1064	3928	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe	98
PID 3928 wrote to memory of 1064	3928	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe	98
PID 3928 wrote to memory of 1064	3928	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe	98
PID 3928 wrote to memory of 700	3928	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe	99
PID 3928 wrote to memory of 700	3928	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe	99
PID 3928 wrote to memory of 700	3928	{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe	99
PID 1064 wrote to memory of 1416	1064	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe	100
PID 1064 wrote to memory of 1416	1064	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe	100
PID 1064 wrote to memory of 1416	1064	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe	100
PID 1064 wrote to memory of 3400	1064	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe	101
PID 1064 wrote to memory of 3400	1064	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe	101
PID 1064 wrote to memory of 3400	1064	{80238161-CA66-44f2-BC72-BCF0F687677F}.exe	101
PID 1416 wrote to memory of 1468	1416	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe	102
PID 1416 wrote to memory of 1468	1416	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe	102
PID 1416 wrote to memory of 1468	1416	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe	102
PID 1416 wrote to memory of 1136	1416	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe	103
PID 1416 wrote to memory of 1136	1416	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe	103
PID 1416 wrote to memory of 1136	1416	{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe	103
PID 1468 wrote to memory of 2852	1468	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe	104
PID 1468 wrote to memory of 2852	1468	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe	104
PID 1468 wrote to memory of 2852	1468	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe	104
PID 1468 wrote to memory of 8	1468	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe	105
PID 1468 wrote to memory of 8	1468	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe	105
PID 1468 wrote to memory of 8	1468	{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe	105
PID 2852 wrote to memory of 2960	2852	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe	107
PID 2852 wrote to memory of 2960	2852	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe	107
PID 2852 wrote to memory of 2960	2852	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe	107
PID 2852 wrote to memory of 4132	2852	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe	106
PID 2852 wrote to memory of 4132	2852	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe	106
PID 2852 wrote to memory of 4132	2852	{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe	106
PID 2960 wrote to memory of 2316	2960	{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe	108
PID 2960 wrote to memory of 2316	2960	{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe	108
PID 2960 wrote to memory of 2316	2960	{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe	108
PID 2960 wrote to memory of 5084	2960	{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe	109

C:\Users\Admin\AppData\Local\Temp\77bc3e50487498exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\77bc3e50487498exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\{3163059A-C714-4f3c-BB79-5956077905E8}.exe
  C:\Windows\{3163059A-C714-4f3c-BB79-5956077905E8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe
    C:\Windows\{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4200
  - - C:\Windows\{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe
      C:\Windows\{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:632
    - - C:\Windows\{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe
        
        C:\Windows\{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
      - C:\Windows\{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe
        
        C:\Windows\{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\{80238161-CA66-44f2-BC72-BCF0F687677F}.exe
        
        C:\Windows\{80238161-CA66-44f2-BC72-BCF0F687677F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe
        
        C:\Windows\{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1416
        
        C:\Windows\{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe
        
        C:\Windows\{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe
        
        C:\Windows\{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE7A1~1.EXE > nul
        11⤵
        
        PID:4132
        
        C:\Windows\{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe
        
        C:\Windows\{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe
        
        C:\Windows\{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\{7D365621-3EA9-4979-9E74-D803A55304B5}.exe
        
        C:\Windows\{7D365621-3EA9-4979-9E74-D803A55304B5}.exe
        13⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34AE3~1.EXE > nul
        13⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E9B0~1.EXE > nul
        12⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CEB44~1.EXE > nul
        10⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6BF1A~1.EXE > nul
        9⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80238~1.EXE > nul
        8⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{785D0~1.EXE > nul
        7⤵
        
        PID:700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31882~1.EXE > nul
        6⤵
        
        PID:1876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7FC4~1.EXE > nul
        5⤵
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E06CB~1.EXE > nul
      4⤵
      PID:3084
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{31630~1.EXE > nul
    3⤵
    PID:4388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\77BC3E~1.EXE > nul
  2⤵
  PID:2676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3163059A-C714-4f3c-BB79-5956077905E8}.exe

Filesize
168KB

MD5
028c8cebf15d0cd8145f8c0973c0bf74

SHA1
8b430b792fcd0444d95b93355d24a875122d167d

SHA256
f7b1d801617211198f65d97aa005b5ad410a47a97c68fe00fa86bc5448d74375

SHA512
b4181ffd8a578d62f7e7397e6e5ac6c335394022bb69cfa15200690d903882c462f217fa268e542c595f5cde87b1632d628cd7dcb6c56ebd8de6e31dee53bde5

Download Submit
C:\Windows\{3163059A-C714-4f3c-BB79-5956077905E8}.exe

Filesize
168KB

MD5
028c8cebf15d0cd8145f8c0973c0bf74

SHA1
8b430b792fcd0444d95b93355d24a875122d167d

SHA256
f7b1d801617211198f65d97aa005b5ad410a47a97c68fe00fa86bc5448d74375

SHA512
b4181ffd8a578d62f7e7397e6e5ac6c335394022bb69cfa15200690d903882c462f217fa268e542c595f5cde87b1632d628cd7dcb6c56ebd8de6e31dee53bde5

Download Submit
C:\Windows\{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe

Filesize
168KB

MD5
a86218085b57abf5140078772a840379

SHA1
509a8de2f8d906391e60cd7a9268c0b9e276e752

SHA256
7e1f055c81ba3526339e2bca0a64f5ae5ef3dbf4c6b386dd2ffbc47b37745b97

SHA512
4d9b1972c62e1c98d15f0ec4dacbfb3f39b6c085109be486c22081df7193735b486615d5351bb71fac013c50f1fa3d0fd1608020350b1468362787e206f7e527

Download Submit
C:\Windows\{31882124-546A-40fb-9D4A-DC12B40F0BCA}.exe

Filesize
168KB

MD5
a86218085b57abf5140078772a840379

SHA1
509a8de2f8d906391e60cd7a9268c0b9e276e752

SHA256
7e1f055c81ba3526339e2bca0a64f5ae5ef3dbf4c6b386dd2ffbc47b37745b97

SHA512
4d9b1972c62e1c98d15f0ec4dacbfb3f39b6c085109be486c22081df7193735b486615d5351bb71fac013c50f1fa3d0fd1608020350b1468362787e206f7e527

Download Submit
C:\Windows\{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe

Filesize
168KB

MD5
01f316efc008b9b01e534d1d02d20655

SHA1
6a198e2aa75cfd390c06db0c08983b09adf87b32

SHA256
b6886cc468dce7a63fbab141867210ca102ae92487be06f868f935a3fb09bd45

SHA512
6fbe486f0f75dbb2e4aede51938f3d704c70ff588adcb708c1a679f72df88f56464bae77e701a4afa048a371b535bebf18779dc76b56220ae0b16ad5ef4acbbc

Download Submit
C:\Windows\{34AE3D27-057C-481b-ABEB-0CB873C3DD36}.exe

Filesize
168KB

MD5
01f316efc008b9b01e534d1d02d20655

SHA1
6a198e2aa75cfd390c06db0c08983b09adf87b32

SHA256
b6886cc468dce7a63fbab141867210ca102ae92487be06f868f935a3fb09bd45

SHA512
6fbe486f0f75dbb2e4aede51938f3d704c70ff588adcb708c1a679f72df88f56464bae77e701a4afa048a371b535bebf18779dc76b56220ae0b16ad5ef4acbbc

Download Submit
C:\Windows\{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe

Filesize
168KB

MD5
ec79f21eee620e60170923dbbabc7779

SHA1
0f9ec578ba12564837e5bb61b1cb29dce4601414

SHA256
8b5787ad583a9971e59b02506f74de2b38594d631f23df4ab4f2ae8f684aa29b

SHA512
05898e373888100f477edaa59fa740dfc985a32e055e8a9577d084d2bc955a1bceae35e2ff0f0d9076d5fb7e91ddd7cfdb86ff2327e29f691a0cf3e2e3713266

Download Submit
C:\Windows\{6BF1AE03-31C1-4f76-9D4B-73BB4D959566}.exe

Filesize
168KB

MD5
ec79f21eee620e60170923dbbabc7779

SHA1
0f9ec578ba12564837e5bb61b1cb29dce4601414

SHA256
8b5787ad583a9971e59b02506f74de2b38594d631f23df4ab4f2ae8f684aa29b

SHA512
05898e373888100f477edaa59fa740dfc985a32e055e8a9577d084d2bc955a1bceae35e2ff0f0d9076d5fb7e91ddd7cfdb86ff2327e29f691a0cf3e2e3713266

Download Submit
C:\Windows\{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe

Filesize
168KB

MD5
17a88025a7e2f7c3f8c63042242bfb7d

SHA1
3e2c648124cfd21c74df545f8785492331260bf1

SHA256
71fcbd5c6bbe99b6e30523670e5483cf20697cc31dfcb8429bab77189ea6d641

SHA512
f3d1aea53bca531f31959e203d9703da98d47f2287e4cbf6ea8fa5385ee580cc473d2fe30ffd5c3c916a0fac2e147ab65d05da502cdb85eb94843a2cc9f53d69

Download Submit
C:\Windows\{785D00E5-A984-4c44-BA87-77AFF7268F32}.exe

Filesize
168KB

MD5
17a88025a7e2f7c3f8c63042242bfb7d

SHA1
3e2c648124cfd21c74df545f8785492331260bf1

SHA256
71fcbd5c6bbe99b6e30523670e5483cf20697cc31dfcb8429bab77189ea6d641

SHA512
f3d1aea53bca531f31959e203d9703da98d47f2287e4cbf6ea8fa5385ee580cc473d2fe30ffd5c3c916a0fac2e147ab65d05da502cdb85eb94843a2cc9f53d69

Download Submit
C:\Windows\{7D365621-3EA9-4979-9E74-D803A55304B5}.exe

Filesize
168KB

MD5
f4c832157674e5f427b7c57e595ea11c

SHA1
fcd6235364d7435fca55a643920aae689cde51e5

SHA256
24b9d4171a69031cd42314ef0ba0be6d7132182a8c4d313675ae53b7a74a0a21

SHA512
7fb332d2db8092b77c8fce78613a7b08afa2a48328534a3fdfc4642ededf9479dd51509d4328ecad127fb89663fddd97a47c331f083e21f90d34f99d3f34d55e

Download Submit
C:\Windows\{7D365621-3EA9-4979-9E74-D803A55304B5}.exe

Filesize
168KB

MD5
f4c832157674e5f427b7c57e595ea11c

SHA1
fcd6235364d7435fca55a643920aae689cde51e5

SHA256
24b9d4171a69031cd42314ef0ba0be6d7132182a8c4d313675ae53b7a74a0a21

SHA512
7fb332d2db8092b77c8fce78613a7b08afa2a48328534a3fdfc4642ededf9479dd51509d4328ecad127fb89663fddd97a47c331f083e21f90d34f99d3f34d55e

Download Submit
C:\Windows\{80238161-CA66-44f2-BC72-BCF0F687677F}.exe

Filesize
168KB

MD5
df96b83e07ccccf9c9cde767029190d9

SHA1
f1d4647bb312c41fd19e1a79df12ccae4ca90d0f

SHA256
9a83a12a780128a26dc0f5d5f21c5d869122482d9fe8e94cd96727ca93f43f07

SHA512
6be12473d1899964dc3c618397c4a473350da7394b1593ccd81a0b46dda03d67c52bb7b44dc1df900a84695bc8432f5b6a9d853dc7680fcbce67ba8781e3126f

Download Submit
C:\Windows\{80238161-CA66-44f2-BC72-BCF0F687677F}.exe

Filesize
168KB

MD5
df96b83e07ccccf9c9cde767029190d9

SHA1
f1d4647bb312c41fd19e1a79df12ccae4ca90d0f

SHA256
9a83a12a780128a26dc0f5d5f21c5d869122482d9fe8e94cd96727ca93f43f07

SHA512
6be12473d1899964dc3c618397c4a473350da7394b1593ccd81a0b46dda03d67c52bb7b44dc1df900a84695bc8432f5b6a9d853dc7680fcbce67ba8781e3126f

Download Submit
C:\Windows\{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe

Filesize
168KB

MD5
3eb7de3d2f3519258d46499589898702

SHA1
72fbfd68d809088f20e2bb0f38c16daa1388852a

SHA256
0d02b215e44ba54cd4b304b3ed2539b45d09c98a7cd16458968a1d10a2e5bef8

SHA512
9dc8633ca3dfcee77520fe13e7c95bea322bba17316aa53caa15deab0288fa3d412371061012ce24ecdef0006c296cb43409f096b44f84814c0031c69edbfc55

Download Submit
C:\Windows\{8E9B0F98-B7CE-49df-93B3-5D7CCA681361}.exe

Filesize
168KB

MD5
3eb7de3d2f3519258d46499589898702

SHA1
72fbfd68d809088f20e2bb0f38c16daa1388852a

SHA256
0d02b215e44ba54cd4b304b3ed2539b45d09c98a7cd16458968a1d10a2e5bef8

SHA512
9dc8633ca3dfcee77520fe13e7c95bea322bba17316aa53caa15deab0288fa3d412371061012ce24ecdef0006c296cb43409f096b44f84814c0031c69edbfc55

Download Submit
C:\Windows\{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe

Filesize
168KB

MD5
02697ef07f06e93ae6b0e50e53cbfdb8

SHA1
4d0a9da7e1b16f52b03c19738e228d4fe23a2f01

SHA256
f52b4a3ea762f7ab9d2dd7a27e462fde884974050b0db339d8e1f93f1ece81e4

SHA512
f613c9346c00447b99afd14043eeb98701c34b3a0b65b364be1985cf5592f102964ba1427219f536a546bc692fd9480f6c7953a8475d608549064d353ac966d7

Download Submit
C:\Windows\{CEB44CDF-ED45-45a8-A07E-3EE8C5C1C7AB}.exe

Filesize
168KB

MD5
02697ef07f06e93ae6b0e50e53cbfdb8

SHA1
4d0a9da7e1b16f52b03c19738e228d4fe23a2f01

SHA256
f52b4a3ea762f7ab9d2dd7a27e462fde884974050b0db339d8e1f93f1ece81e4

SHA512
f613c9346c00447b99afd14043eeb98701c34b3a0b65b364be1985cf5592f102964ba1427219f536a546bc692fd9480f6c7953a8475d608549064d353ac966d7

Download Submit
C:\Windows\{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe

Filesize
168KB

MD5
98f76958a7c0b57431c111b2af957d07

SHA1
48a111ecde327a6db3787a8a9abbb4815ab478c4

SHA256
4cb01539f19e8342c0eed3cc962c05a935d5a2b5ee5993dae368de566424f735

SHA512
36f0801152c670e035b02bfdf2b70b188f33787da91997a2acf9aed7f210df70b26802f10b9b15eb979f93d9539bd0d5a057f79b7d4e61f471539ee4272cec12

Download Submit
C:\Windows\{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe

Filesize
168KB

MD5
98f76958a7c0b57431c111b2af957d07

SHA1
48a111ecde327a6db3787a8a9abbb4815ab478c4

SHA256
4cb01539f19e8342c0eed3cc962c05a935d5a2b5ee5993dae368de566424f735

SHA512
36f0801152c670e035b02bfdf2b70b188f33787da91997a2acf9aed7f210df70b26802f10b9b15eb979f93d9539bd0d5a057f79b7d4e61f471539ee4272cec12

Download Submit
C:\Windows\{D7FC4387-FDCC-4ffe-AB79-501AEE3ACABE}.exe

Filesize
168KB

MD5
98f76958a7c0b57431c111b2af957d07

SHA1
48a111ecde327a6db3787a8a9abbb4815ab478c4

SHA256
4cb01539f19e8342c0eed3cc962c05a935d5a2b5ee5993dae368de566424f735

SHA512
36f0801152c670e035b02bfdf2b70b188f33787da91997a2acf9aed7f210df70b26802f10b9b15eb979f93d9539bd0d5a057f79b7d4e61f471539ee4272cec12

Download Submit
C:\Windows\{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe

Filesize
168KB

MD5
13e74b347b5766fe82591daa3f03bd80

SHA1
df65b3194efd073342281022a30664b5d52add3a

SHA256
f1af88b66ba86fd067944f5a358d1db2ed654ad4d0aa72a4e23510b3265926d3

SHA512
c85e36b3bb975b8f175c00cca0d800ab0805f30118c400b4a72ab6a6614eb38c43df8061c6c1836491c32de1c81c8df5b31fc9f6d490a2ad8d6bf4f37700b4f4

Download Submit
C:\Windows\{E06CB134-6F86-4ca5-8466-4EC5122A8131}.exe

Filesize
168KB

MD5
13e74b347b5766fe82591daa3f03bd80

SHA1
df65b3194efd073342281022a30664b5d52add3a

SHA256
f1af88b66ba86fd067944f5a358d1db2ed654ad4d0aa72a4e23510b3265926d3

SHA512
c85e36b3bb975b8f175c00cca0d800ab0805f30118c400b4a72ab6a6614eb38c43df8061c6c1836491c32de1c81c8df5b31fc9f6d490a2ad8d6bf4f37700b4f4

Download Submit
C:\Windows\{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe

Filesize
168KB

MD5
116e538384610307b42f637cda4f01ca

SHA1
a4ef70b34a5ffdc28b1211600a980152be64ebf9

SHA256
4b2b9dad32700331ef2b3782e7b2cc747577fd637a0fbd56e53cdd9788c7afde

SHA512
9db2a153ed4f0e617c1561926d9f125f403eba11cef12b9749d47c8e29465131333e6a1ff3e6fdef48d92fb89fe68155b8c76974a0a0214180b71c90e342ffd3

Download Submit
C:\Windows\{EE7A1B27-930C-4919-BB3C-6F7A753D6D28}.exe

Filesize
168KB

MD5
116e538384610307b42f637cda4f01ca

SHA1
a4ef70b34a5ffdc28b1211600a980152be64ebf9

SHA256
4b2b9dad32700331ef2b3782e7b2cc747577fd637a0fbd56e53cdd9788c7afde

SHA512
9db2a153ed4f0e617c1561926d9f125f403eba11cef12b9749d47c8e29465131333e6a1ff3e6fdef48d92fb89fe68155b8c76974a0a0214180b71c90e342ffd3

Download Submit