2a68ba8a9754856278973317092ee7d4ee5b8fd0fad8275377ea62331c7f4756

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09-07-2023 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c02c7d466fab23exeexeexeex.exe
Size

408KB
MD5

c02c7d466fab23ae070b96019fefaaab
SHA1

7d1a9d11b836f546b03d500a8583d9b50c9d57c1
SHA256

2a68ba8a9754856278973317092ee7d4ee5b8fd0fad8275377ea62331c7f4756
SHA512

266702496240e16b0057c2ad23790779048a344a11ebec7d346a78a1a679442c45e54d7074da6d17129f944bee2faa17589cf0c42dfdece86026edace00e376a
SSDEEP

3072:CEGh0oNl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGXldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C0533AA-E981-4852-BE6D-4D255847A269}	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C0533AA-E981-4852-BE6D-4D255847A269}\stubpath = "C:\\Windows\\{5C0533AA-E981-4852-BE6D-4D255847A269}.exe"	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E43BC62-435A-4af9-940D-CF56909F903F}	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E43BC62-435A-4af9-940D-CF56909F903F}\stubpath = "C:\\Windows\\{1E43BC62-435A-4af9-940D-CF56909F903F}.exe"	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{632B505C-4587-4a0a-96C5-6A13E4004659}	c02c7d466fab23exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}\stubpath = "C:\\Windows\\{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe"	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC55144F-E743-413f-9D84-9A013EB7092E}	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}\stubpath = "C:\\Windows\\{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe"	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEC5D6A8-14DA-43ad-9BFF-6454FE82A1BB}\stubpath = "C:\\Windows\\{DEC5D6A8-14DA-43ad-9BFF-6454FE82A1BB}.exe"	{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67F4A6FD-9209-47a3-A04B-D54C70C05641}	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67F4A6FD-9209-47a3-A04B-D54C70C05641}\stubpath = "C:\\Windows\\{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe"	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEC5D6A8-14DA-43ad-9BFF-6454FE82A1BB}	{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC55144F-E743-413f-9D84-9A013EB7092E}\stubpath = "C:\\Windows\\{AC55144F-E743-413f-9D84-9A013EB7092E}.exe"	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BB51C03-B083-4563-842D-8884D8F7E965}\stubpath = "C:\\Windows\\{9BB51C03-B083-4563-842D-8884D8F7E965}.exe"	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}\stubpath = "C:\\Windows\\{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe"	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}\stubpath = "C:\\Windows\\{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe"	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BB51C03-B083-4563-842D-8884D8F7E965}	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}	{9BB51C03-B083-4563-842D-8884D8F7E965}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{632B505C-4587-4a0a-96C5-6A13E4004659}\stubpath = "C:\\Windows\\{632B505C-4587-4a0a-96C5-6A13E4004659}.exe"	c02c7d466fab23exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}\stubpath = "C:\\Windows\\{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe"	{9BB51C03-B083-4563-842D-8884D8F7E965}.exe

Executes dropped EXE 12 IoCs

pid	Process
1660	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe
1120	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe
4644	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe
1848	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe
2656	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe
3952	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe
4112	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe
3848	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe
632	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe
2800	{9BB51C03-B083-4563-842D-8884D8F7E965}.exe
4316	{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe
2308	{DEC5D6A8-14DA-43ad-9BFF-6454FE82A1BB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe
File created	C:\Windows\{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe
File created	C:\Windows\{1E43BC62-435A-4af9-940D-CF56909F903F}.exe	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe
File created	C:\Windows\{9BB51C03-B083-4563-842D-8884D8F7E965}.exe	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe
File created	C:\Windows\{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe	{9BB51C03-B083-4563-842D-8884D8F7E965}.exe
File created	C:\Windows\{DEC5D6A8-14DA-43ad-9BFF-6454FE82A1BB}.exe	{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe
File created	C:\Windows\{632B505C-4587-4a0a-96C5-6A13E4004659}.exe	c02c7d466fab23exeexeexeex.exe
File created	C:\Windows\{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe
File created	C:\Windows\{5C0533AA-E981-4852-BE6D-4D255847A269}.exe	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe
File created	C:\Windows\{AC55144F-E743-413f-9D84-9A013EB7092E}.exe	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe
File created	C:\Windows\{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe
File created	C:\Windows\{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2692	c02c7d466fab23exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1660	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe
Token: SeIncBasePriorityPrivilege	1120	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe
Token: SeIncBasePriorityPrivilege	4644	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe
Token: SeIncBasePriorityPrivilege	1848	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe
Token: SeIncBasePriorityPrivilege	2656	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe
Token: SeIncBasePriorityPrivilege	3952	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe
Token: SeIncBasePriorityPrivilege	4112	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe
Token: SeIncBasePriorityPrivilege	3848	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe
Token: SeIncBasePriorityPrivilege	632	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe
Token: SeIncBasePriorityPrivilege	2800	{9BB51C03-B083-4563-842D-8884D8F7E965}.exe
Token: SeIncBasePriorityPrivilege	4316	{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 1660	2692	c02c7d466fab23exeexeexeex.exe	87
PID 2692 wrote to memory of 1660	2692	c02c7d466fab23exeexeexeex.exe	87
PID 2692 wrote to memory of 1660	2692	c02c7d466fab23exeexeexeex.exe	87
PID 2692 wrote to memory of 1096	2692	c02c7d466fab23exeexeexeex.exe	88
PID 2692 wrote to memory of 1096	2692	c02c7d466fab23exeexeexeex.exe	88
PID 2692 wrote to memory of 1096	2692	c02c7d466fab23exeexeexeex.exe	88
PID 1660 wrote to memory of 1120	1660	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe	89
PID 1660 wrote to memory of 1120	1660	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe	89
PID 1660 wrote to memory of 1120	1660	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe	89
PID 1660 wrote to memory of 3864	1660	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe	90
PID 1660 wrote to memory of 3864	1660	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe	90
PID 1660 wrote to memory of 3864	1660	{632B505C-4587-4a0a-96C5-6A13E4004659}.exe	90
PID 1120 wrote to memory of 4644	1120	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe	94
PID 1120 wrote to memory of 4644	1120	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe	94
PID 1120 wrote to memory of 4644	1120	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe	94
PID 1120 wrote to memory of 2868	1120	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe	95
PID 1120 wrote to memory of 2868	1120	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe	95
PID 1120 wrote to memory of 2868	1120	{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe	95
PID 4644 wrote to memory of 1848	4644	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe	96
PID 4644 wrote to memory of 1848	4644	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe	96
PID 4644 wrote to memory of 1848	4644	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe	96
PID 4644 wrote to memory of 1448	4644	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe	97
PID 4644 wrote to memory of 1448	4644	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe	97
PID 4644 wrote to memory of 1448	4644	{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe	97
PID 1848 wrote to memory of 2656	1848	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe	98
PID 1848 wrote to memory of 2656	1848	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe	98
PID 1848 wrote to memory of 2656	1848	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe	98
PID 1848 wrote to memory of 3996	1848	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe	99
PID 1848 wrote to memory of 3996	1848	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe	99
PID 1848 wrote to memory of 3996	1848	{5C0533AA-E981-4852-BE6D-4D255847A269}.exe	99
PID 2656 wrote to memory of 3952	2656	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe	100
PID 2656 wrote to memory of 3952	2656	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe	100
PID 2656 wrote to memory of 3952	2656	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe	100
PID 2656 wrote to memory of 1964	2656	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe	101
PID 2656 wrote to memory of 1964	2656	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe	101
PID 2656 wrote to memory of 1964	2656	{AC55144F-E743-413f-9D84-9A013EB7092E}.exe	101
PID 3952 wrote to memory of 4112	3952	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe	102
PID 3952 wrote to memory of 4112	3952	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe	102
PID 3952 wrote to memory of 4112	3952	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe	102
PID 3952 wrote to memory of 4400	3952	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe	103
PID 3952 wrote to memory of 4400	3952	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe	103
PID 3952 wrote to memory of 4400	3952	{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe	103
PID 4112 wrote to memory of 3848	4112	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe	104
PID 4112 wrote to memory of 3848	4112	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe	104
PID 4112 wrote to memory of 3848	4112	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe	104
PID 4112 wrote to memory of 1792	4112	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe	105
PID 4112 wrote to memory of 1792	4112	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe	105
PID 4112 wrote to memory of 1792	4112	{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe	105
PID 3848 wrote to memory of 632	3848	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe	106
PID 3848 wrote to memory of 632	3848	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe	106
PID 3848 wrote to memory of 632	3848	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe	106
PID 3848 wrote to memory of 4540	3848	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe	107
PID 3848 wrote to memory of 4540	3848	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe	107
PID 3848 wrote to memory of 4540	3848	{1E43BC62-435A-4af9-940D-CF56909F903F}.exe	107
PID 632 wrote to memory of 2800	632	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe	108
PID 632 wrote to memory of 2800	632	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe	108
PID 632 wrote to memory of 2800	632	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe	108
PID 632 wrote to memory of 2460	632	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe	109
PID 632 wrote to memory of 2460	632	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe	109
PID 632 wrote to memory of 2460	632	{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe	109
PID 2800 wrote to memory of 4316	2800	{9BB51C03-B083-4563-842D-8884D8F7E965}.exe	110
PID 2800 wrote to memory of 4316	2800	{9BB51C03-B083-4563-842D-8884D8F7E965}.exe	110
PID 2800 wrote to memory of 4316	2800	{9BB51C03-B083-4563-842D-8884D8F7E965}.exe	110
PID 2800 wrote to memory of 380	2800	{9BB51C03-B083-4563-842D-8884D8F7E965}.exe	111

C:\Users\Admin\AppData\Local\Temp\c02c7d466fab23exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c02c7d466fab23exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\{632B505C-4587-4a0a-96C5-6A13E4004659}.exe
  C:\Windows\{632B505C-4587-4a0a-96C5-6A13E4004659}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1660
- - C:\Windows\{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe
    C:\Windows\{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1120
  - - C:\Windows\{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe
      C:\Windows\{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\{5C0533AA-E981-4852-BE6D-4D255847A269}.exe
        
        C:\Windows\{5C0533AA-E981-4852-BE6D-4D255847A269}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
      - C:\Windows\{AC55144F-E743-413f-9D84-9A013EB7092E}.exe
        
        C:\Windows\{AC55144F-E743-413f-9D84-9A013EB7092E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe
        
        C:\Windows\{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
        
        C:\Windows\{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe
        
        C:\Windows\{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\{1E43BC62-435A-4af9-940D-CF56909F903F}.exe
        
        C:\Windows\{1E43BC62-435A-4af9-940D-CF56909F903F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Windows\{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe
        
        C:\Windows\{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
        
        C:\Windows\{9BB51C03-B083-4563-842D-8884D8F7E965}.exe
        
        C:\Windows\{9BB51C03-B083-4563-842D-8884D8F7E965}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe
        
        C:\Windows\{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4316
        
        C:\Windows\{DEC5D6A8-14DA-43ad-9BFF-6454FE82A1BB}.exe
        
        C:\Windows\{DEC5D6A8-14DA-43ad-9BFF-6454FE82A1BB}.exe
        13⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F707F~1.EXE > nul
        13⤵
        
        PID:4008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BB51~1.EXE > nul
        12⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85EDC~1.EXE > nul
        11⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E43B~1.EXE > nul
        10⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45AAC~1.EXE > nul
        9⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF5CB~1.EXE > nul
        8⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC551~1.EXE > nul
        7⤵
        
        PID:1964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C053~1.EXE > nul
        6⤵
        
        PID:3996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC4E1~1.EXE > nul
        5⤵
        
        PID:1448
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{67F4A~1.EXE > nul
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{632B5~1.EXE > nul
    3⤵
    PID:3864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C02C7D~1.EXE > nul
  2⤵
  PID:1096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1E43BC62-435A-4af9-940D-CF56909F903F}.exe

Filesize
408KB

MD5
4065c55ff007767974b2b1b815d65138

SHA1
067480cfe531829fb5d25fbdeb5456b80d4b6454

SHA256
3d9d0ba127dd352fb35b58eaa4c117bdacacfbe3976460d93c888f703b3cde5f

SHA512
7a5a41752d80634281180d314babb747d93790863948f36972689509613576feb96a707052d0d9bc3dea495862383b528a5af7d2324037c34a1b81c216d66d64

Download Submit
C:\Windows\{1E43BC62-435A-4af9-940D-CF56909F903F}.exe

Filesize
408KB

MD5
4065c55ff007767974b2b1b815d65138

SHA1
067480cfe531829fb5d25fbdeb5456b80d4b6454

SHA256
3d9d0ba127dd352fb35b58eaa4c117bdacacfbe3976460d93c888f703b3cde5f

SHA512
7a5a41752d80634281180d314babb747d93790863948f36972689509613576feb96a707052d0d9bc3dea495862383b528a5af7d2324037c34a1b81c216d66d64

Download Submit
C:\Windows\{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe

Filesize
408KB

MD5
c75a49871065bb94ba53f71407949adb

SHA1
586bcdac939bdab07f9ba5946ef40b2f92643bb5

SHA256
0255b874c756f2e7bd0d9de118923459fafb38d965f8cfbca9d4c09c245c4218

SHA512
5342146aa1aee02aa102274eab0cdee0c2f209a09b5f60cd6966a0316ae447b0759ea3e217cf10560acff4582d8df1c86c9fe673812e821b0e34be52d62f715d

Download Submit
C:\Windows\{45AAC349-BD8D-4b8f-A71A-AD26132BFF82}.exe

Filesize
408KB

MD5
c75a49871065bb94ba53f71407949adb

SHA1
586bcdac939bdab07f9ba5946ef40b2f92643bb5

SHA256
0255b874c756f2e7bd0d9de118923459fafb38d965f8cfbca9d4c09c245c4218

SHA512
5342146aa1aee02aa102274eab0cdee0c2f209a09b5f60cd6966a0316ae447b0759ea3e217cf10560acff4582d8df1c86c9fe673812e821b0e34be52d62f715d

Download Submit
C:\Windows\{5C0533AA-E981-4852-BE6D-4D255847A269}.exe

Filesize
408KB

MD5
bb679a1ffa472418943d586e6b450002

SHA1
2574b036c87e45f9a554b8e16b86f7b49bb4fa67

SHA256
75190ff5c8a67c77ef1a87cee4ccea56e05ec347a6db51859071a1991914f50f

SHA512
f21ba540fa0df79b1c351ec6a63d2efa1ee7edc1bd13ed492732a52306436fb52ca673944ddb71758073bbfbd49f846c820e3a60d0483090bcf671ea8346bba6

Download Submit
C:\Windows\{5C0533AA-E981-4852-BE6D-4D255847A269}.exe

Filesize
408KB

MD5
bb679a1ffa472418943d586e6b450002

SHA1
2574b036c87e45f9a554b8e16b86f7b49bb4fa67

SHA256
75190ff5c8a67c77ef1a87cee4ccea56e05ec347a6db51859071a1991914f50f

SHA512
f21ba540fa0df79b1c351ec6a63d2efa1ee7edc1bd13ed492732a52306436fb52ca673944ddb71758073bbfbd49f846c820e3a60d0483090bcf671ea8346bba6

Download Submit
C:\Windows\{632B505C-4587-4a0a-96C5-6A13E4004659}.exe

Filesize
408KB

MD5
a83f425ff8752f04afa5e0827ee045e1

SHA1
7aa1081f379176003db79ac5d67a43cb8719f643

SHA256
262013416f70756fc6f909079ce043c46db5eb49ac3fc20540ba3774fb3632a8

SHA512
b9e662ecc885608b039890221eaa69735ddef41ca38c74f24f6c315c3647e5304b1498d73b42a51431d709fd021628d4d801bcae8a8168c1d6c98af7d5b5ae7a

Download Submit
C:\Windows\{632B505C-4587-4a0a-96C5-6A13E4004659}.exe

Filesize
408KB

MD5
a83f425ff8752f04afa5e0827ee045e1

SHA1
7aa1081f379176003db79ac5d67a43cb8719f643

SHA256
262013416f70756fc6f909079ce043c46db5eb49ac3fc20540ba3774fb3632a8

SHA512
b9e662ecc885608b039890221eaa69735ddef41ca38c74f24f6c315c3647e5304b1498d73b42a51431d709fd021628d4d801bcae8a8168c1d6c98af7d5b5ae7a

Download Submit
C:\Windows\{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe

Filesize
408KB

MD5
4b8ea1b310af56db9dbe142541b001ec

SHA1
bc75df0ed02858d068f4bde8d0d7a81aedde4bb7

SHA256
676d6ec8b917e79119ba6f42dec092756f6a7976367ce48556fbb5ad4f5a5383

SHA512
7b553041c14659ffc1a7291c612caae01a463136898d003b3f8fa9a68e439976254a241cf2bfe9ecf70fc4d1c87d30ce352f1cee961f54d4aeeca04a4d2563c4

Download Submit
C:\Windows\{67F4A6FD-9209-47a3-A04B-D54C70C05641}.exe

Filesize
408KB

MD5
4b8ea1b310af56db9dbe142541b001ec

SHA1
bc75df0ed02858d068f4bde8d0d7a81aedde4bb7

SHA256
676d6ec8b917e79119ba6f42dec092756f6a7976367ce48556fbb5ad4f5a5383

SHA512
7b553041c14659ffc1a7291c612caae01a463136898d003b3f8fa9a68e439976254a241cf2bfe9ecf70fc4d1c87d30ce352f1cee961f54d4aeeca04a4d2563c4

Download Submit
C:\Windows\{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe

Filesize
408KB

MD5
fe69f2d167fbca730fe2bd0f090db872

SHA1
339d4dba68ac0e9cc713b2bef4a1f04683e38f1d

SHA256
a2bd0e6afdd17ecf68332efc5ac416feb0db4abaaab12fc12b30df7d55c21f41

SHA512
86c4133c71193775b94a9f42f517c2b12918653c0c24f99929a2a5b85d3741f23244ce661fb106f9ed07b6e7e6d802fd80dac9131b2458a86fb13bec5213219b

Download Submit
C:\Windows\{85EDC9A3-02DF-4c6f-A560-B69479DB72A0}.exe

Filesize
408KB

MD5
fe69f2d167fbca730fe2bd0f090db872

SHA1
339d4dba68ac0e9cc713b2bef4a1f04683e38f1d

SHA256
a2bd0e6afdd17ecf68332efc5ac416feb0db4abaaab12fc12b30df7d55c21f41

SHA512
86c4133c71193775b94a9f42f517c2b12918653c0c24f99929a2a5b85d3741f23244ce661fb106f9ed07b6e7e6d802fd80dac9131b2458a86fb13bec5213219b

Download Submit
C:\Windows\{9BB51C03-B083-4563-842D-8884D8F7E965}.exe

Filesize
408KB

MD5
bca2760f7c9c8fb10d08ae95bd10014f

SHA1
5c7c3c81a6181621a812b8343bac2311e913b380

SHA256
0750852c58edbfa9bf8e3182fcc9559bcf4ffdb19fd33766136cf64661ebb363

SHA512
743b49d839b1214a7fa6ce2bf32da513cfbc34178923506e932ab728fd13870574b584409e3bdec9efd2bf194a469f6ae2b12dccb0a56b69a7382c3dff8a5dbc

Download Submit
C:\Windows\{9BB51C03-B083-4563-842D-8884D8F7E965}.exe

Filesize
408KB

MD5
bca2760f7c9c8fb10d08ae95bd10014f

SHA1
5c7c3c81a6181621a812b8343bac2311e913b380

SHA256
0750852c58edbfa9bf8e3182fcc9559bcf4ffdb19fd33766136cf64661ebb363

SHA512
743b49d839b1214a7fa6ce2bf32da513cfbc34178923506e932ab728fd13870574b584409e3bdec9efd2bf194a469f6ae2b12dccb0a56b69a7382c3dff8a5dbc

Download Submit
C:\Windows\{AC55144F-E743-413f-9D84-9A013EB7092E}.exe

Filesize
408KB

MD5
9d381311f9fa844568377efa1fd81029

SHA1
37e008f3733118187b72dea3bfc3b5bac9930a4a

SHA256
2c99ab389a7004ce00b73e69333de3db9f1001212c9d5607adb3fe81017b4b91

SHA512
311027d71af91a03ce026acaf6a0a8daca97fe473939983e63b7abab501d0aa3d8ede867e805bb8ba475f8207a131c42111f81d813e8c21777fe5bb0035ecbc2

Download Submit
C:\Windows\{AC55144F-E743-413f-9D84-9A013EB7092E}.exe

Filesize
408KB

MD5
9d381311f9fa844568377efa1fd81029

SHA1
37e008f3733118187b72dea3bfc3b5bac9930a4a

SHA256
2c99ab389a7004ce00b73e69333de3db9f1001212c9d5607adb3fe81017b4b91

SHA512
311027d71af91a03ce026acaf6a0a8daca97fe473939983e63b7abab501d0aa3d8ede867e805bb8ba475f8207a131c42111f81d813e8c21777fe5bb0035ecbc2

Download Submit
C:\Windows\{DEC5D6A8-14DA-43ad-9BFF-6454FE82A1BB}.exe

Filesize
408KB

MD5
dfd6f0a9e4aae9c4a9a788f012798aea

SHA1
344e7603ea508139727b40772db849f396757366

SHA256
07d3948add97799be22509ca8706781d229828603bce228a3e72c37a454b2939

SHA512
49ae945a4df83817f3b5a850288026dd56dfa82c657ba36136b7d0c977de1a4093d7eb52a9adadd54b9384689fbff36b465f1ea5d6931aeb82f88f1d67569e4d

Download Submit
C:\Windows\{DEC5D6A8-14DA-43ad-9BFF-6454FE82A1BB}.exe

Filesize
408KB

MD5
dfd6f0a9e4aae9c4a9a788f012798aea

SHA1
344e7603ea508139727b40772db849f396757366

SHA256
07d3948add97799be22509ca8706781d229828603bce228a3e72c37a454b2939

SHA512
49ae945a4df83817f3b5a850288026dd56dfa82c657ba36136b7d0c977de1a4093d7eb52a9adadd54b9384689fbff36b465f1ea5d6931aeb82f88f1d67569e4d

Download Submit
C:\Windows\{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe

Filesize
408KB

MD5
c8ba6111bd0dc8df29a62f51e0f880b3

SHA1
b0ccf5c35f5e19d7d242e7886921647fec9267da

SHA256
31eaf32b6cd14438c38367ce54588e996daaa3db5f26a64d1ad9742248e20dfb

SHA512
d040affe2fbe252e28fa972da8fbbdc36595d902e901b0eb4ab766631514f0a132d39e01444e251669e3d47f1dd04062dc85ff7b477c0a830b910b105948148e

Download Submit
C:\Windows\{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe

Filesize
408KB

MD5
c8ba6111bd0dc8df29a62f51e0f880b3

SHA1
b0ccf5c35f5e19d7d242e7886921647fec9267da

SHA256
31eaf32b6cd14438c38367ce54588e996daaa3db5f26a64d1ad9742248e20dfb

SHA512
d040affe2fbe252e28fa972da8fbbdc36595d902e901b0eb4ab766631514f0a132d39e01444e251669e3d47f1dd04062dc85ff7b477c0a830b910b105948148e

Download Submit
C:\Windows\{EC4E1D54-3E96-4522-A9E1-FFA408404FC9}.exe

Filesize
408KB

MD5
c8ba6111bd0dc8df29a62f51e0f880b3

SHA1
b0ccf5c35f5e19d7d242e7886921647fec9267da

SHA256
31eaf32b6cd14438c38367ce54588e996daaa3db5f26a64d1ad9742248e20dfb

SHA512
d040affe2fbe252e28fa972da8fbbdc36595d902e901b0eb4ab766631514f0a132d39e01444e251669e3d47f1dd04062dc85ff7b477c0a830b910b105948148e

Download Submit
C:\Windows\{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe

Filesize
408KB

MD5
df4c4aa6e9424fe02693a75beb2a77ad

SHA1
62e6171399130cf7cd5b10a9b9ea4d874a4416bd

SHA256
abae85615c0b95545d67bce7ba9251ae397770c932366a5009cd681ea7f9aaeb

SHA512
1bb919ed3d1009f62e23cd897107f8db1e2b87ba4bd1407d00d0241568060811684bacb6b8b7f13f59421c21365eb09b400f13fd54af6ff7cdc2adea5f2c293f

Download Submit
C:\Windows\{F707FB0F-39B5-431c-A9C7-A3EEBC5D7EC1}.exe

Filesize
408KB

MD5
df4c4aa6e9424fe02693a75beb2a77ad

SHA1
62e6171399130cf7cd5b10a9b9ea4d874a4416bd

SHA256
abae85615c0b95545d67bce7ba9251ae397770c932366a5009cd681ea7f9aaeb

SHA512
1bb919ed3d1009f62e23cd897107f8db1e2b87ba4bd1407d00d0241568060811684bacb6b8b7f13f59421c21365eb09b400f13fd54af6ff7cdc2adea5f2c293f

Download Submit
C:\Windows\{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe

Filesize
408KB

MD5
bca86b6e89b90ca90e54e6f41e3f662b

SHA1
fdbab1f2e67cb977acada229a2a0ba66727094c8

SHA256
5d216bf2323a036b68f065ea7de3e3ea73d144b1494dd7e7056ffde6690a9e81

SHA512
ae5abc129b310028172503fef37fa7a08d642dfb1d237b03ade59cf22dde1f3e1e3e4f28c36e98c698e8e42041263ed33cd419e5392e0f84febb22fe31340048

Download Submit
C:\Windows\{FF5CB0D7-C3CC-4cbc-815F-6190CA37C0C7}.exe

Filesize
408KB

MD5
bca86b6e89b90ca90e54e6f41e3f662b

SHA1
fdbab1f2e67cb977acada229a2a0ba66727094c8

SHA256
5d216bf2323a036b68f065ea7de3e3ea73d144b1494dd7e7056ffde6690a9e81

SHA512
ae5abc129b310028172503fef37fa7a08d642dfb1d237b03ade59cf22dde1f3e1e3e4f28c36e98c698e8e42041263ed33cd419e5392e0f84febb22fe31340048

Download Submit