ac38b68f6c1e38a62fdeae4610518220bb9d01128387fb35b98f8ec4b5229fc1

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 19:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bc992076ba77ecexeexeexeex.exe
Size

168KB
MD5

bc992076ba77ecb4fb8add70588d68bd
SHA1

bdc5c8dc477513984186cfcda8616f271add9226
SHA256

ac38b68f6c1e38a62fdeae4610518220bb9d01128387fb35b98f8ec4b5229fc1
SHA512

820a002f99766029439c8bfaf132ea4308a2fdd3b3cbdba1fe6fb1eca49e0473bf4137906f3fa3fd96a62b9282166fd610d0f98852fc7f5b1a2eadb456c69f2f
SSDEEP

1536:1EGh0oalq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oalqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}\stubpath = "C:\\Windows\\{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe"	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{005F698D-032C-49e0-B039-A9FE25A83BE2}	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}	bc992076ba77ecexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E154D15A-C35A-4c9f-9F19-98F09F634962}	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{698B9F1D-19AF-42c9-8648-EF32D8670ACE}	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{698B9F1D-19AF-42c9-8648-EF32D8670ACE}\stubpath = "C:\\Windows\\{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe"	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}\stubpath = "C:\\Windows\\{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe"	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{005F698D-032C-49e0-B039-A9FE25A83BE2}\stubpath = "C:\\Windows\\{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe"	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C249182E-948E-41a0-9890-2FF5EC0BD3C3}	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C249182E-948E-41a0-9890-2FF5EC0BD3C3}\stubpath = "C:\\Windows\\{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe"	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}\stubpath = "C:\\Windows\\{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe"	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}\stubpath = "C:\\Windows\\{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe"	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1661D31-F10B-45d1-84C2-209FF07DA4BB}\stubpath = "C:\\Windows\\{C1661D31-F10B-45d1-84C2-209FF07DA4BB}.exe"	{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}\stubpath = "C:\\Windows\\{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe"	bc992076ba77ecexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}	{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}\stubpath = "C:\\Windows\\{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe"	{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1661D31-F10B-45d1-84C2-209FF07DA4BB}	{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E154D15A-C35A-4c9f-9F19-98F09F634962}\stubpath = "C:\\Windows\\{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe"	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}\stubpath = "C:\\Windows\\{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe"	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe

Executes dropped EXE 12 IoCs

pid	Process
4648	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe
4492	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe
2256	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe
2500	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe
1444	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe
4692	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe
5108	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe
552	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe
4764	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe
620	{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe
2396	{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe
1012	{C1661D31-F10B-45d1-84C2-209FF07DA4BB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe	bc992076ba77ecexeexeexeex.exe
File created	C:\Windows\{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe
File created	C:\Windows\{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe
File created	C:\Windows\{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe
File created	C:\Windows\{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe
File created	C:\Windows\{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe
File created	C:\Windows\{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe	{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe
File created	C:\Windows\{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe
File created	C:\Windows\{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe
File created	C:\Windows\{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe
File created	C:\Windows\{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe
File created	C:\Windows\{C1661D31-F10B-45d1-84C2-209FF07DA4BB}.exe	{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1316	bc992076ba77ecexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4648	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe
Token: SeIncBasePriorityPrivilege	4492	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe
Token: SeIncBasePriorityPrivilege	2256	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe
Token: SeIncBasePriorityPrivilege	2500	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe
Token: SeIncBasePriorityPrivilege	1444	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe
Token: SeIncBasePriorityPrivilege	4692	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe
Token: SeIncBasePriorityPrivilege	5108	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe
Token: SeIncBasePriorityPrivilege	552	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe
Token: SeIncBasePriorityPrivilege	4764	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe
Token: SeIncBasePriorityPrivilege	620	{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe
Token: SeIncBasePriorityPrivilege	2396	{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 4648	1316	bc992076ba77ecexeexeexeex.exe	87
PID 1316 wrote to memory of 4648	1316	bc992076ba77ecexeexeexeex.exe	87
PID 1316 wrote to memory of 4648	1316	bc992076ba77ecexeexeexeex.exe	87
PID 1316 wrote to memory of 3708	1316	bc992076ba77ecexeexeexeex.exe	88
PID 1316 wrote to memory of 3708	1316	bc992076ba77ecexeexeexeex.exe	88
PID 1316 wrote to memory of 3708	1316	bc992076ba77ecexeexeexeex.exe	88
PID 4648 wrote to memory of 4492	4648	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe	89
PID 4648 wrote to memory of 4492	4648	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe	89
PID 4648 wrote to memory of 4492	4648	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe	89
PID 4648 wrote to memory of 1964	4648	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe	90
PID 4648 wrote to memory of 1964	4648	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe	90
PID 4648 wrote to memory of 1964	4648	{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe	90
PID 4492 wrote to memory of 2256	4492	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe	95
PID 4492 wrote to memory of 2256	4492	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe	95
PID 4492 wrote to memory of 2256	4492	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe	95
PID 4492 wrote to memory of 5076	4492	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe	94
PID 4492 wrote to memory of 5076	4492	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe	94
PID 4492 wrote to memory of 5076	4492	{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe	94
PID 2256 wrote to memory of 2500	2256	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe	96
PID 2256 wrote to memory of 2500	2256	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe	96
PID 2256 wrote to memory of 2500	2256	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe	96
PID 2256 wrote to memory of 3324	2256	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe	97
PID 2256 wrote to memory of 3324	2256	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe	97
PID 2256 wrote to memory of 3324	2256	{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe	97
PID 2500 wrote to memory of 1444	2500	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe	98
PID 2500 wrote to memory of 1444	2500	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe	98
PID 2500 wrote to memory of 1444	2500	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe	98
PID 2500 wrote to memory of 452	2500	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe	99
PID 2500 wrote to memory of 452	2500	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe	99
PID 2500 wrote to memory of 452	2500	{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe	99
PID 1444 wrote to memory of 4692	1444	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe	100
PID 1444 wrote to memory of 4692	1444	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe	100
PID 1444 wrote to memory of 4692	1444	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe	100
PID 1444 wrote to memory of 4640	1444	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe	101
PID 1444 wrote to memory of 4640	1444	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe	101
PID 1444 wrote to memory of 4640	1444	{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe	101
PID 4692 wrote to memory of 5108	4692	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe	102
PID 4692 wrote to memory of 5108	4692	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe	102
PID 4692 wrote to memory of 5108	4692	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe	102
PID 4692 wrote to memory of 2060	4692	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe	103
PID 4692 wrote to memory of 2060	4692	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe	103
PID 4692 wrote to memory of 2060	4692	{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe	103
PID 5108 wrote to memory of 552	5108	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe	104
PID 5108 wrote to memory of 552	5108	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe	104
PID 5108 wrote to memory of 552	5108	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe	104
PID 5108 wrote to memory of 3508	5108	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe	105
PID 5108 wrote to memory of 3508	5108	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe	105
PID 5108 wrote to memory of 3508	5108	{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe	105
PID 552 wrote to memory of 4764	552	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe	106
PID 552 wrote to memory of 4764	552	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe	106
PID 552 wrote to memory of 4764	552	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe	106
PID 552 wrote to memory of 2088	552	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe	107
PID 552 wrote to memory of 2088	552	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe	107
PID 552 wrote to memory of 2088	552	{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe	107
PID 4764 wrote to memory of 620	4764	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe	108
PID 4764 wrote to memory of 620	4764	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe	108
PID 4764 wrote to memory of 620	4764	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe	108
PID 4764 wrote to memory of 5084	4764	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe	109
PID 4764 wrote to memory of 5084	4764	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe	109
PID 4764 wrote to memory of 5084	4764	{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe	109
PID 620 wrote to memory of 2396	620	{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe	110
PID 620 wrote to memory of 2396	620	{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe	110
PID 620 wrote to memory of 2396	620	{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe	110
PID 620 wrote to memory of 2304	620	{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe	111

C:\Users\Admin\AppData\Local\Temp\bc992076ba77ecexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\bc992076ba77ecexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe
  C:\Windows\{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe
    C:\Windows\{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C2491~1.EXE > nul
      4⤵
      PID:5076
  - - C:\Windows\{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe
      C:\Windows\{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe
        
        C:\Windows\{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
      - C:\Windows\{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe
        
        C:\Windows\{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe
        
        C:\Windows\{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4692
        
        C:\Windows\{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe
        
        C:\Windows\{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe
        
        C:\Windows\{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe
        
        C:\Windows\{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4764
        
        C:\Windows\{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe
        
        C:\Windows\{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:620
        
        C:\Windows\{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe
        
        C:\Windows\{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\{C1661D31-F10B-45d1-84C2-209FF07DA4BB}.exe
        
        C:\Windows\{C1661D31-F10B-45d1-84C2-209FF07DA4BB}.exe
        13⤵
        Executes dropped EXE
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC373~1.EXE > nul
        13⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FE77~1.EXE > nul
        12⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{005F6~1.EXE > nul
        11⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CA93~1.EXE > nul
        10⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{026D7~1.EXE > nul
        9⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4F6D~1.EXE > nul
        8⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26947~1.EXE > nul
        7⤵
        
        PID:4640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{698B9~1.EXE > nul
        6⤵
        
        PID:452
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E154D~1.EXE > nul
        5⤵
        
        PID:3324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BB3F5~1.EXE > nul
    3⤵
    PID:1964
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BC9920~1.EXE > nul
  2⤵
  PID:3708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe

Filesize
168KB

MD5
dab229e6a9eff5691c729342fc06f6d5

SHA1
fa40a7a334a39b46b64a3d4de17e9b3bab010561

SHA256
3e62b3cf67124037188fc6e1f9a0ebf4f58d92638d843a8144defe56315e689e

SHA512
cde440c96deb1094ee91779ac459d6caaf0f056ab9a74f11f8367cde658b23278e9f474172a00e55767d9a79b55e9c9d2a95968f2b9fe0379800935bc2d0cdc5

Download Submit
C:\Windows\{005F698D-032C-49e0-B039-A9FE25A83BE2}.exe

Filesize
168KB

MD5
dab229e6a9eff5691c729342fc06f6d5

SHA1
fa40a7a334a39b46b64a3d4de17e9b3bab010561

SHA256
3e62b3cf67124037188fc6e1f9a0ebf4f58d92638d843a8144defe56315e689e

SHA512
cde440c96deb1094ee91779ac459d6caaf0f056ab9a74f11f8367cde658b23278e9f474172a00e55767d9a79b55e9c9d2a95968f2b9fe0379800935bc2d0cdc5

Download Submit
C:\Windows\{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe

Filesize
168KB

MD5
403d0dbf28b264426a3965123d760af5

SHA1
e052dc28716b471020507061a21e545c71b56695

SHA256
e17e2becae69bfcb0073635d3abe361f7b3b854b630f5b1c0bc3a9bc8a67c968

SHA512
a8220f3cf5b0467e18124c54f1558b18e376973c1a7de32edf5ab571ce9cefa4313dddc58ee34667fb85b71e219e0cbb64610b4db8e9c0edc267639ae2c8284b

Download Submit
C:\Windows\{026D7AF4-A6D2-4037-80D1-DEFEF63C8D91}.exe

Filesize
168KB

MD5
403d0dbf28b264426a3965123d760af5

SHA1
e052dc28716b471020507061a21e545c71b56695

SHA256
e17e2becae69bfcb0073635d3abe361f7b3b854b630f5b1c0bc3a9bc8a67c968

SHA512
a8220f3cf5b0467e18124c54f1558b18e376973c1a7de32edf5ab571ce9cefa4313dddc58ee34667fb85b71e219e0cbb64610b4db8e9c0edc267639ae2c8284b

Download Submit
C:\Windows\{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe

Filesize
168KB

MD5
100f31377a78900727fa8de4b48e575a

SHA1
7eee898b4b6b857fd36dacccb2f38eaaa39eb909

SHA256
5954ec70e9383bebd5381c67a2110558d390a2f9f09e151f8b3e91532d3a0b7c

SHA512
dadf3a3ded0ac4fc404c5cc07cd7b9e6198c4d4ead00335c12a522e75b9096de0a47ff0da575fff37416d473fde15ef247797446ebb05df9c802f4d659e5690e

Download Submit
C:\Windows\{26947EF2-E996-4239-B8C9-F4FFE38FBBDE}.exe

Filesize
168KB

MD5
100f31377a78900727fa8de4b48e575a

SHA1
7eee898b4b6b857fd36dacccb2f38eaaa39eb909

SHA256
5954ec70e9383bebd5381c67a2110558d390a2f9f09e151f8b3e91532d3a0b7c

SHA512
dadf3a3ded0ac4fc404c5cc07cd7b9e6198c4d4ead00335c12a522e75b9096de0a47ff0da575fff37416d473fde15ef247797446ebb05df9c802f4d659e5690e

Download Submit
C:\Windows\{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe

Filesize
168KB

MD5
badf924be3c404c3c7999ff54c4f4fd3

SHA1
3246c76c42bb40ce244d808f6a2da45d1f6d9982

SHA256
a575327cbd79bfa771e428da2e9c7386692ee6047844022ff41d0144146cb178

SHA512
f12dcecbb19ecf7820bbf4062238f1679fa8f6dbd9d3d564cd0b499b1ee5a158fe06fbdb3e97420d1c77d585dac2c82d079eecac77f1b4acc506abf46c0ca9a8

Download Submit
C:\Windows\{698B9F1D-19AF-42c9-8648-EF32D8670ACE}.exe

Filesize
168KB

MD5
badf924be3c404c3c7999ff54c4f4fd3

SHA1
3246c76c42bb40ce244d808f6a2da45d1f6d9982

SHA256
a575327cbd79bfa771e428da2e9c7386692ee6047844022ff41d0144146cb178

SHA512
f12dcecbb19ecf7820bbf4062238f1679fa8f6dbd9d3d564cd0b499b1ee5a158fe06fbdb3e97420d1c77d585dac2c82d079eecac77f1b4acc506abf46c0ca9a8

Download Submit
C:\Windows\{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe

Filesize
168KB

MD5
44ec5c2058bdb249586ad70b9e8f38c3

SHA1
5ac863ca7ad37955817dfa8fa8ecb9055407b603

SHA256
59c0c3a82e563d8ad4cb8122340e2e7815c98fc6f2e68d88748d3feeef40eb2d

SHA512
75929253a9e161815d448f2f2e0bdc0206f9db589280b9a63975c2ec973b60ec2da593cc41183552206cfd0639745a448e2ae9c30e34b22d16880069fdf43432

Download Submit
C:\Windows\{6CA936DA-4DEF-409f-AA6C-FA7607A1EBA2}.exe

Filesize
168KB

MD5
44ec5c2058bdb249586ad70b9e8f38c3

SHA1
5ac863ca7ad37955817dfa8fa8ecb9055407b603

SHA256
59c0c3a82e563d8ad4cb8122340e2e7815c98fc6f2e68d88748d3feeef40eb2d

SHA512
75929253a9e161815d448f2f2e0bdc0206f9db589280b9a63975c2ec973b60ec2da593cc41183552206cfd0639745a448e2ae9c30e34b22d16880069fdf43432

Download Submit
C:\Windows\{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe

Filesize
168KB

MD5
b65f4c4a1211845d5cf5cf97a1729068

SHA1
f9203b12eb31636392dad8d9b4ddfe98bcbb072f

SHA256
0d53df8eddbed2c215dc5e1f0e510d7fc8c03742252587454401065bf2b5c96b

SHA512
5848cc5942e2e8ccafc7f86f7f8da8d08590f0f091461e17e3653975a577e80df4bdc21ece62e9ae2f5a00a7ca85a30321eec9731da351a0bae06677ee9f36e8

Download Submit
C:\Windows\{7FE77C1F-ABAE-47e4-BC21-7C509AD51E4E}.exe

Filesize
168KB

MD5
b65f4c4a1211845d5cf5cf97a1729068

SHA1
f9203b12eb31636392dad8d9b4ddfe98bcbb072f

SHA256
0d53df8eddbed2c215dc5e1f0e510d7fc8c03742252587454401065bf2b5c96b

SHA512
5848cc5942e2e8ccafc7f86f7f8da8d08590f0f091461e17e3653975a577e80df4bdc21ece62e9ae2f5a00a7ca85a30321eec9731da351a0bae06677ee9f36e8

Download Submit
C:\Windows\{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe

Filesize
168KB

MD5
7596d939ade08d3567c9b5411b9b80b2

SHA1
f056db20d4440da98ab53ca5f07ab0ffd9231260

SHA256
d9ef04f2292a250728655a2958449a88bccadbf99f33ae3d2c9ed906fb761bc7

SHA512
d161224caa19e5c52123f9d96ee99bf06358ecdd26d1e1e7f9e35b9155b8aeddfa6c0923e7b37d06920a89fdfdaf92b1f17636de88f78a5964de8c1b49ea9115

Download Submit
C:\Windows\{BB3F5E1E-0E14-42c9-9A1E-6DD8E1E1B047}.exe

Filesize
168KB

MD5
7596d939ade08d3567c9b5411b9b80b2

SHA1
f056db20d4440da98ab53ca5f07ab0ffd9231260

SHA256
d9ef04f2292a250728655a2958449a88bccadbf99f33ae3d2c9ed906fb761bc7

SHA512
d161224caa19e5c52123f9d96ee99bf06358ecdd26d1e1e7f9e35b9155b8aeddfa6c0923e7b37d06920a89fdfdaf92b1f17636de88f78a5964de8c1b49ea9115

Download Submit
C:\Windows\{C1661D31-F10B-45d1-84C2-209FF07DA4BB}.exe

Filesize
168KB

MD5
1337199171ba25c7bcbbaf8200a63596

SHA1
8543c63a0371c3eec6fd289a8dbd0deaecbac2a4

SHA256
c56baa04a162b937d3da24e282757fab09b8d8cc83ab40b263045a030777e30e

SHA512
962d840940c32af4fb4dde507e3cb84c7ec426d136b531cb0338c17753e6c08be41d40646109f5a735d2453a1e95215adf00be437fc00a7d423a502d60fcc1c7

Download Submit
C:\Windows\{C1661D31-F10B-45d1-84C2-209FF07DA4BB}.exe

Filesize
168KB

MD5
1337199171ba25c7bcbbaf8200a63596

SHA1
8543c63a0371c3eec6fd289a8dbd0deaecbac2a4

SHA256
c56baa04a162b937d3da24e282757fab09b8d8cc83ab40b263045a030777e30e

SHA512
962d840940c32af4fb4dde507e3cb84c7ec426d136b531cb0338c17753e6c08be41d40646109f5a735d2453a1e95215adf00be437fc00a7d423a502d60fcc1c7

Download Submit
C:\Windows\{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe

Filesize
168KB

MD5
1cbdced0edbcc8ee58d265ace5f1bd55

SHA1
a132171fa08da464a9e8656ea5479dfb9fe97b08

SHA256
fab13c29cfed2c9a0c42452a45f3490c5439f29a2183548fa00ba0e7baf0d64e

SHA512
a2e31fd0117f48d16ee845b16f75dc3f33842ccb10a599c955dabc739ce089a35861c92759b2eacef37a6840b67dcde52519e85b15bd0ab193d1a473ec6895cc

Download Submit
C:\Windows\{C249182E-948E-41a0-9890-2FF5EC0BD3C3}.exe

Filesize
168KB

MD5
1cbdced0edbcc8ee58d265ace5f1bd55

SHA1
a132171fa08da464a9e8656ea5479dfb9fe97b08

SHA256
fab13c29cfed2c9a0c42452a45f3490c5439f29a2183548fa00ba0e7baf0d64e

SHA512
a2e31fd0117f48d16ee845b16f75dc3f33842ccb10a599c955dabc739ce089a35861c92759b2eacef37a6840b67dcde52519e85b15bd0ab193d1a473ec6895cc

Download Submit
C:\Windows\{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe

Filesize
168KB

MD5
4798dabf5747aa11d57b0073712e3e38

SHA1
f117f0b111cdea8c39ae52db06ef09107f1a8141

SHA256
c2320c99401f1b1e61a4eda3ff5d5da28dbdf4cc5e0fb8b9256c57e938c3178c

SHA512
8ad0d84fa05b7dd69f21ced40a94224ad8063eaa2b8688022ae64a14abb7f0be654b0e866eb567e13d4952f816335017a5a5f1e994591d732fdcc646d9542249

Download Submit
C:\Windows\{C4F6D4BC-3D7F-4288-B803-F0150F608A1E}.exe

Filesize
168KB

MD5
4798dabf5747aa11d57b0073712e3e38

SHA1
f117f0b111cdea8c39ae52db06ef09107f1a8141

SHA256
c2320c99401f1b1e61a4eda3ff5d5da28dbdf4cc5e0fb8b9256c57e938c3178c

SHA512
8ad0d84fa05b7dd69f21ced40a94224ad8063eaa2b8688022ae64a14abb7f0be654b0e866eb567e13d4952f816335017a5a5f1e994591d732fdcc646d9542249

Download Submit
C:\Windows\{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe

Filesize
168KB

MD5
9f4d33795b99745fdf40dfcde179f287

SHA1
00ef6652c2b3adf8de73663449f5d382a0620fbb

SHA256
eff30e4c9396bc495a5b35bd89c821dc7bcf7f9fad300564dabfcd8f9ef9f999

SHA512
4515185c69ee6e7af3c5cb268b55df15ca0368287a02afc9b79dd88de69a9073d6801aff68139af1f5445141e091fcc9cdf512bf527622d01b21ea84691eca29

Download Submit
C:\Windows\{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe

Filesize
168KB

MD5
9f4d33795b99745fdf40dfcde179f287

SHA1
00ef6652c2b3adf8de73663449f5d382a0620fbb

SHA256
eff30e4c9396bc495a5b35bd89c821dc7bcf7f9fad300564dabfcd8f9ef9f999

SHA512
4515185c69ee6e7af3c5cb268b55df15ca0368287a02afc9b79dd88de69a9073d6801aff68139af1f5445141e091fcc9cdf512bf527622d01b21ea84691eca29

Download Submit
C:\Windows\{E154D15A-C35A-4c9f-9F19-98F09F634962}.exe

Filesize
168KB

MD5
9f4d33795b99745fdf40dfcde179f287

SHA1
00ef6652c2b3adf8de73663449f5d382a0620fbb

SHA256
eff30e4c9396bc495a5b35bd89c821dc7bcf7f9fad300564dabfcd8f9ef9f999

SHA512
4515185c69ee6e7af3c5cb268b55df15ca0368287a02afc9b79dd88de69a9073d6801aff68139af1f5445141e091fcc9cdf512bf527622d01b21ea84691eca29

Download Submit
C:\Windows\{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe

Filesize
168KB

MD5
ce7af4c748ab35fff29a296f0f179b82

SHA1
58a692bf54b155a6306e78da388cb3085cfcf64d

SHA256
394d6bf39a581647de6d96ebd30c51c3f13cd995891650d7aa68183793d9a439

SHA512
00ef806485b5dce69fca68a29af5a797fe90cb021f6ff82f533e7c5008d632b7b76433c26f4e10531ce882e222f23522c80e70b2b80539db87c570e4fdef0b2c

Download Submit
C:\Windows\{EC373819-C62E-4d0e-BFE8-3A1857B31CD9}.exe

Filesize
168KB

MD5
ce7af4c748ab35fff29a296f0f179b82

SHA1
58a692bf54b155a6306e78da388cb3085cfcf64d

SHA256
394d6bf39a581647de6d96ebd30c51c3f13cd995891650d7aa68183793d9a439

SHA512
00ef806485b5dce69fca68a29af5a797fe90cb021f6ff82f533e7c5008d632b7b76433c26f4e10531ce882e222f23522c80e70b2b80539db87c570e4fdef0b2c

Download Submit