5d363731e17b3f0d85c3b610fe34772f7be5f135eeda403e281d698224be1268

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 14:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7f8e66c524762exeexeexeex.exe
Size

192KB
MD5

c7f8e66c524762d96d246a2262c8802b
SHA1

099dd7506b0325e5d819a905d5ce97301aefbe44
SHA256

5d363731e17b3f0d85c3b610fe34772f7be5f135eeda403e281d698224be1268
SHA512

8bd044674494e5c03bae3a5c1f6f1afa13ad3223af1a5efa1870cadecbde0ed179708941b5dae02dd7082e03930d94cdd7f407daebf884716c99ff776139801a
SSDEEP

1536:1EGh0oxl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oxl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}\stubpath = "C:\\Windows\\{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe"	c7f8e66c524762exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7929D249-10C2-41ed-970D-F948F1B3E2FC}	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7929D249-10C2-41ed-970D-F948F1B3E2FC}\stubpath = "C:\\Windows\\{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe"	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}\stubpath = "C:\\Windows\\{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe"	{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7A495E-78B6-475b-837C-7AA0F944EFEA}	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}	c7f8e66c524762exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0763350B-DCEC-4dcb-AD90-278203A8979A}	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0763350B-DCEC-4dcb-AD90-278203A8979A}\stubpath = "C:\\Windows\\{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe"	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5773F9B6-9CC3-490a-9486-96F799B42A64}\stubpath = "C:\\Windows\\{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe"	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59C6223D-A7AF-4549-9AF4-981A0379D656}	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}\stubpath = "C:\\Windows\\{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe"	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A37E4C5E-2970-4c69-935E-5165791A3B50}\stubpath = "C:\\Windows\\{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe"	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}	{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59C6223D-A7AF-4549-9AF4-981A0379D656}\stubpath = "C:\\Windows\\{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe"	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75AEE72D-FAA2-4701-88C1-D01B6A161044}	{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75AEE72D-FAA2-4701-88C1-D01B6A161044}\stubpath = "C:\\Windows\\{75AEE72D-FAA2-4701-88C1-D01B6A161044}.exe"	{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5773F9B6-9CC3-490a-9486-96F799B42A64}	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}\stubpath = "C:\\Windows\\{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe"	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}\stubpath = "C:\\Windows\\{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe"	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC7A495E-78B6-475b-837C-7AA0F944EFEA}\stubpath = "C:\\Windows\\{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe"	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A37E4C5E-2970-4c69-935E-5165791A3B50}	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe

Executes dropped EXE 12 IoCs

pid	Process
1408	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe
1588	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe
1436	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe
1200	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe
3148	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe
4196	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe
2760	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe
2976	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe
3632	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe
2472	{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe
3176	{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe
4256	{75AEE72D-FAA2-4701-88C1-D01B6A161044}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe
File created	C:\Windows\{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe
File created	C:\Windows\{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe	{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe
File created	C:\Windows\{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe	c7f8e66c524762exeexeexeex.exe
File created	C:\Windows\{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe
File created	C:\Windows\{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe
File created	C:\Windows\{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe
File created	C:\Windows\{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe
File created	C:\Windows\{75AEE72D-FAA2-4701-88C1-D01B6A161044}.exe	{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe
File created	C:\Windows\{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe
File created	C:\Windows\{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe
File created	C:\Windows\{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4184	c7f8e66c524762exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1408	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe
Token: SeIncBasePriorityPrivilege	1588	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe
Token: SeIncBasePriorityPrivilege	1436	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe
Token: SeIncBasePriorityPrivilege	1200	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe
Token: SeIncBasePriorityPrivilege	3148	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe
Token: SeIncBasePriorityPrivilege	4196	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe
Token: SeIncBasePriorityPrivilege	2760	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe
Token: SeIncBasePriorityPrivilege	2976	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe
Token: SeIncBasePriorityPrivilege	3632	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe
Token: SeIncBasePriorityPrivilege	2472	{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe
Token: SeIncBasePriorityPrivilege	3176	{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 1408	4184	c7f8e66c524762exeexeexeex.exe	84
PID 4184 wrote to memory of 1408	4184	c7f8e66c524762exeexeexeex.exe	84
PID 4184 wrote to memory of 1408	4184	c7f8e66c524762exeexeexeex.exe	84
PID 4184 wrote to memory of 3592	4184	c7f8e66c524762exeexeexeex.exe	85
PID 4184 wrote to memory of 3592	4184	c7f8e66c524762exeexeexeex.exe	85
PID 4184 wrote to memory of 3592	4184	c7f8e66c524762exeexeexeex.exe	85
PID 1408 wrote to memory of 1588	1408	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe	86
PID 1408 wrote to memory of 1588	1408	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe	86
PID 1408 wrote to memory of 1588	1408	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe	86
PID 1408 wrote to memory of 1960	1408	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe	87
PID 1408 wrote to memory of 1960	1408	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe	87
PID 1408 wrote to memory of 1960	1408	{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe	87
PID 1588 wrote to memory of 1436	1588	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe	91
PID 1588 wrote to memory of 1436	1588	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe	91
PID 1588 wrote to memory of 1436	1588	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe	91
PID 1588 wrote to memory of 2988	1588	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe	92
PID 1588 wrote to memory of 2988	1588	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe	92
PID 1588 wrote to memory of 2988	1588	{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe	92
PID 1436 wrote to memory of 1200	1436	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe	93
PID 1436 wrote to memory of 1200	1436	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe	93
PID 1436 wrote to memory of 1200	1436	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe	93
PID 1436 wrote to memory of 1808	1436	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe	94
PID 1436 wrote to memory of 1808	1436	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe	94
PID 1436 wrote to memory of 1808	1436	{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe	94
PID 1200 wrote to memory of 3148	1200	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe	95
PID 1200 wrote to memory of 3148	1200	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe	95
PID 1200 wrote to memory of 3148	1200	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe	95
PID 1200 wrote to memory of 2524	1200	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe	96
PID 1200 wrote to memory of 2524	1200	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe	96
PID 1200 wrote to memory of 2524	1200	{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe	96
PID 3148 wrote to memory of 4196	3148	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe	98
PID 3148 wrote to memory of 4196	3148	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe	98
PID 3148 wrote to memory of 4196	3148	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe	98
PID 3148 wrote to memory of 2196	3148	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe	99
PID 3148 wrote to memory of 2196	3148	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe	99
PID 3148 wrote to memory of 2196	3148	{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe	99
PID 4196 wrote to memory of 2760	4196	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe	100
PID 4196 wrote to memory of 2760	4196	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe	100
PID 4196 wrote to memory of 2760	4196	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe	100
PID 4196 wrote to memory of 2664	4196	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe	101
PID 4196 wrote to memory of 2664	4196	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe	101
PID 4196 wrote to memory of 2664	4196	{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe	101
PID 2760 wrote to memory of 2976	2760	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe	103
PID 2760 wrote to memory of 2976	2760	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe	103
PID 2760 wrote to memory of 2976	2760	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe	103
PID 2760 wrote to memory of 5028	2760	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe	104
PID 2760 wrote to memory of 5028	2760	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe	104
PID 2760 wrote to memory of 5028	2760	{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe	104
PID 2976 wrote to memory of 3632	2976	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe	111
PID 2976 wrote to memory of 3632	2976	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe	111
PID 2976 wrote to memory of 3632	2976	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe	111
PID 2976 wrote to memory of 964	2976	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe	112
PID 2976 wrote to memory of 964	2976	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe	112
PID 2976 wrote to memory of 964	2976	{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe	112
PID 3632 wrote to memory of 2472	3632	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe	113
PID 3632 wrote to memory of 2472	3632	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe	113
PID 3632 wrote to memory of 2472	3632	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe	113
PID 3632 wrote to memory of 4840	3632	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe	114
PID 3632 wrote to memory of 4840	3632	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe	114
PID 3632 wrote to memory of 4840	3632	{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe	114
PID 2472 wrote to memory of 3176	2472	{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe	116
PID 2472 wrote to memory of 3176	2472	{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe	116
PID 2472 wrote to memory of 3176	2472	{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe	116
PID 2472 wrote to memory of 4380	2472	{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe	115

C:\Users\Admin\AppData\Local\Temp\c7f8e66c524762exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c7f8e66c524762exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Windows\{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe
  C:\Windows\{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe
    C:\Windows\{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe
      C:\Windows\{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe
        
        C:\Windows\{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe
        
        C:\Windows\{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3148
        
        C:\Windows\{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe
        
        C:\Windows\{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4196
        
        C:\Windows\{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe
        
        C:\Windows\{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe
        
        C:\Windows\{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe
        
        C:\Windows\{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe
        
        C:\Windows\{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A37E4~1.EXE > nul
        12⤵
        
        PID:4380
        
        C:\Windows\{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe
        
        C:\Windows\{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0708B~1.EXE > nul
        13⤵
        
        PID:4816
        
        C:\Windows\{75AEE72D-FAA2-4701-88C1-D01B6A161044}.exe
        
        C:\Windows\{75AEE72D-FAA2-4701-88C1-D01B6A161044}.exe
        13⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A771C~1.EXE > nul
        11⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC7A4~1.EXE > nul
        10⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0AB69~1.EXE > nul
        9⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7929D~1.EXE > nul
        8⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59C62~1.EXE > nul
        7⤵
        
        PID:2196
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCCD0~1.EXE > nul
        6⤵
        
        PID:2524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5773F~1.EXE > nul
        5⤵
        
        PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{07633~1.EXE > nul
      4⤵
      PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1DF30~1.EXE > nul
    3⤵
    PID:1960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C7F8E6~1.EXE > nul
  2⤵
  PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe

Filesize
192KB

MD5
9a9ab74189eba62a38ea32b4f21b771a

SHA1
25b28092222be30bbfb11062c7896f50af6e532a

SHA256
783a6e85353aa7a354df80a4c05fdcc2187baaa74e0851cf4323ba68e439754c

SHA512
14fad634d47c36526ec5c7f9198bb16f99aea13d24d9864f28448d0f9ed584d134e554f59ffb316d273f5b265e8da92c213242f3a3b06fb15090eaa3331e98ce

Download Submit
C:\Windows\{0708B7E8-D2B0-457d-A3FA-24FC653D8E1B}.exe

Filesize
192KB

MD5
9a9ab74189eba62a38ea32b4f21b771a

SHA1
25b28092222be30bbfb11062c7896f50af6e532a

SHA256
783a6e85353aa7a354df80a4c05fdcc2187baaa74e0851cf4323ba68e439754c

SHA512
14fad634d47c36526ec5c7f9198bb16f99aea13d24d9864f28448d0f9ed584d134e554f59ffb316d273f5b265e8da92c213242f3a3b06fb15090eaa3331e98ce

Download Submit
C:\Windows\{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe

Filesize
192KB

MD5
22d79b84f2da39d7f0edd29bddb97b1a

SHA1
b5f1fee3d1d02be62b22be8cb2e357ef6fd356fc

SHA256
32f18b4a3af91da12b57e83a017421f2d2cf196bd3afe51a468bb95e81834225

SHA512
9f4dbf87612342f9bea017820e0cbe2ee03ec6ab57189da8387893e87b18e57368809640893dfdff0372724158389e6be5485da514ee37ac311f3d0a440b95af

Download Submit
C:\Windows\{0763350B-DCEC-4dcb-AD90-278203A8979A}.exe

Filesize
192KB

MD5
22d79b84f2da39d7f0edd29bddb97b1a

SHA1
b5f1fee3d1d02be62b22be8cb2e357ef6fd356fc

SHA256
32f18b4a3af91da12b57e83a017421f2d2cf196bd3afe51a468bb95e81834225

SHA512
9f4dbf87612342f9bea017820e0cbe2ee03ec6ab57189da8387893e87b18e57368809640893dfdff0372724158389e6be5485da514ee37ac311f3d0a440b95af

Download Submit
C:\Windows\{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe

Filesize
192KB

MD5
9846cd5034cd06c6318639df1412ae39

SHA1
36d95ec015583092b6e4dea9d80cce0a84b3ba15

SHA256
d6a3220e7331484ca1c71fb5e5722926308a7e89508afbf123531e4b8f4e1c45

SHA512
9c352ad13a2b7d35b607519c9e187222057d52affbaee964bdec38a94f901853276f9371a199c670fedc59c5979ddbc8ee0438494af1105543ea1828bc3cb00d

Download Submit
C:\Windows\{0AB695B3-9C83-4aee-8E3F-DF87C24D2A74}.exe

Filesize
192KB

MD5
9846cd5034cd06c6318639df1412ae39

SHA1
36d95ec015583092b6e4dea9d80cce0a84b3ba15

SHA256
d6a3220e7331484ca1c71fb5e5722926308a7e89508afbf123531e4b8f4e1c45

SHA512
9c352ad13a2b7d35b607519c9e187222057d52affbaee964bdec38a94f901853276f9371a199c670fedc59c5979ddbc8ee0438494af1105543ea1828bc3cb00d

Download Submit
C:\Windows\{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe

Filesize
192KB

MD5
dee4ed56171db0b221208d45f9b21176

SHA1
113128cb98bd4df1769e7355ac63d09ac6b57517

SHA256
9447ce9be6509b6004efa0c93d66320a62684b5f91e12e27601de359eb0955eb

SHA512
1a720585c0e009dbabf540aeab2b988caae4153fa950d1c6601746e5bb4f35812dc09e377092aa8adebef11d782ce1fd548797f20e55cd0aa2198dbcbe845c9a

Download Submit
C:\Windows\{1DF30B4A-886E-4e5f-A4F6-FFAD1219EF0C}.exe

Filesize
192KB

MD5
dee4ed56171db0b221208d45f9b21176

SHA1
113128cb98bd4df1769e7355ac63d09ac6b57517

SHA256
9447ce9be6509b6004efa0c93d66320a62684b5f91e12e27601de359eb0955eb

SHA512
1a720585c0e009dbabf540aeab2b988caae4153fa950d1c6601746e5bb4f35812dc09e377092aa8adebef11d782ce1fd548797f20e55cd0aa2198dbcbe845c9a

Download Submit
C:\Windows\{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe

Filesize
192KB

MD5
4c37c5421c0355c892210cc9d6598a42

SHA1
2335d9e6732c012213a03fe5a963ff3821b78d1f

SHA256
6d23aeca200942a2cb526b15c9dbf6e56d601365943cd3424608de1e3ef0ece2

SHA512
b71a139d20f8a970b569423172d2f7039895abcd151595fd791b2c7983abbe8475a6dff752239502eaf45a471145f2f31bb2f9cd701b4006875881e9cc4380db

Download Submit
C:\Windows\{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe

Filesize
192KB

MD5
4c37c5421c0355c892210cc9d6598a42

SHA1
2335d9e6732c012213a03fe5a963ff3821b78d1f

SHA256
6d23aeca200942a2cb526b15c9dbf6e56d601365943cd3424608de1e3ef0ece2

SHA512
b71a139d20f8a970b569423172d2f7039895abcd151595fd791b2c7983abbe8475a6dff752239502eaf45a471145f2f31bb2f9cd701b4006875881e9cc4380db

Download Submit
C:\Windows\{5773F9B6-9CC3-490a-9486-96F799B42A64}.exe

Filesize
192KB

MD5
4c37c5421c0355c892210cc9d6598a42

SHA1
2335d9e6732c012213a03fe5a963ff3821b78d1f

SHA256
6d23aeca200942a2cb526b15c9dbf6e56d601365943cd3424608de1e3ef0ece2

SHA512
b71a139d20f8a970b569423172d2f7039895abcd151595fd791b2c7983abbe8475a6dff752239502eaf45a471145f2f31bb2f9cd701b4006875881e9cc4380db

Download Submit
C:\Windows\{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe

Filesize
192KB

MD5
2f1d9af6b935ab2447164dac0559c7a7

SHA1
264430955a4524f504946b2c22f7299737086b64

SHA256
c7e8b23971adcf9b595db5f7a939845654cbf2bdced310e83b8fa1cfedbd7948

SHA512
e901fb910f20034b6ef5b70b0b67c3f060ffd744cb8a343e03ea1ced422196c088c0d649dc7ad2e11470d8ba2ee6ff7ab04484cb8f45080601dfe824907c9fa4

Download Submit
C:\Windows\{59C6223D-A7AF-4549-9AF4-981A0379D656}.exe

Filesize
192KB

MD5
2f1d9af6b935ab2447164dac0559c7a7

SHA1
264430955a4524f504946b2c22f7299737086b64

SHA256
c7e8b23971adcf9b595db5f7a939845654cbf2bdced310e83b8fa1cfedbd7948

SHA512
e901fb910f20034b6ef5b70b0b67c3f060ffd744cb8a343e03ea1ced422196c088c0d649dc7ad2e11470d8ba2ee6ff7ab04484cb8f45080601dfe824907c9fa4

Download Submit
C:\Windows\{75AEE72D-FAA2-4701-88C1-D01B6A161044}.exe

Filesize
192KB

MD5
12ffcffae5151ce9d875fffbdbb739bf

SHA1
79e7129bdb65512db19d65078db67ecee598737f

SHA256
7bf6aa49887b7cbb4b540fab25d3aef0d3b5c758bdf6ec21f69cc0fd6e8d5255

SHA512
db98fe1ec2fcbb2ed70592b1d959577f64a5339b2b28942a5686d7904bda5f98e9a3ca9338df70abd25d21c56a7b39191af6407659bda23be231fcc25d48382f

Download Submit
C:\Windows\{75AEE72D-FAA2-4701-88C1-D01B6A161044}.exe

Filesize
192KB

MD5
12ffcffae5151ce9d875fffbdbb739bf

SHA1
79e7129bdb65512db19d65078db67ecee598737f

SHA256
7bf6aa49887b7cbb4b540fab25d3aef0d3b5c758bdf6ec21f69cc0fd6e8d5255

SHA512
db98fe1ec2fcbb2ed70592b1d959577f64a5339b2b28942a5686d7904bda5f98e9a3ca9338df70abd25d21c56a7b39191af6407659bda23be231fcc25d48382f

Download Submit
C:\Windows\{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe

Filesize
192KB

MD5
f4dfe5317166544cb8121a185b6b15f2

SHA1
4bb4edb23f67f5b3c05093bdc511c694f618d86b

SHA256
9f2b70eae2362d656a07f935955f371678ebca0fe9df3ce7f182e7d381566d91

SHA512
6ac4a891d89a57eceae71843dd1e19f8868c166be9a2b3aa9b14a6dfe30b7a9be3039d64e047688cfa3f8561f80632a43683c039286dbd3ad03aa23410035046

Download Submit
C:\Windows\{7929D249-10C2-41ed-970D-F948F1B3E2FC}.exe

Filesize
192KB

MD5
f4dfe5317166544cb8121a185b6b15f2

SHA1
4bb4edb23f67f5b3c05093bdc511c694f618d86b

SHA256
9f2b70eae2362d656a07f935955f371678ebca0fe9df3ce7f182e7d381566d91

SHA512
6ac4a891d89a57eceae71843dd1e19f8868c166be9a2b3aa9b14a6dfe30b7a9be3039d64e047688cfa3f8561f80632a43683c039286dbd3ad03aa23410035046

Download Submit
C:\Windows\{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe

Filesize
192KB

MD5
f0bd5b644ac03652a56094d01813dd15

SHA1
a08cb3887288e68e10aff8fe3639e1b6f4cea0d9

SHA256
b3403b4d49a8ad4acaf1dd0151a7b776144b44f4be255afe163d4cab5f5d7e27

SHA512
df695d6a353b867fb7cea9875a4fd856aaeadb1e91b82662af49a272c10fc881219a082b8d70807987c9e98e33a0bab806bd73d2f1d80a59e2f7d8bd370a467f

Download Submit
C:\Windows\{A37E4C5E-2970-4c69-935E-5165791A3B50}.exe

Filesize
192KB

MD5
f0bd5b644ac03652a56094d01813dd15

SHA1
a08cb3887288e68e10aff8fe3639e1b6f4cea0d9

SHA256
b3403b4d49a8ad4acaf1dd0151a7b776144b44f4be255afe163d4cab5f5d7e27

SHA512
df695d6a353b867fb7cea9875a4fd856aaeadb1e91b82662af49a272c10fc881219a082b8d70807987c9e98e33a0bab806bd73d2f1d80a59e2f7d8bd370a467f

Download Submit
C:\Windows\{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe

Filesize
192KB

MD5
c0bc5f5f3ca9bc9377681e2e21b6b0b1

SHA1
7f9a10a8193919f1387ed56d844ada643edf49f4

SHA256
717efa3c355590f26506db674b2120962816455f4176c0e4f0ec448e06a39cb6

SHA512
8f3d3057ee2e7dc1c11e96271fcc738723a05d01f2dca935a35eee8526f138c42280747e8c793fdd8e665c28e05c2f23dc6523284c2a2e465b8d74c23ec0c2b1

Download Submit
C:\Windows\{A771CAD9-F0B0-434f-89D5-5E22E1314D0E}.exe

Filesize
192KB

MD5
c0bc5f5f3ca9bc9377681e2e21b6b0b1

SHA1
7f9a10a8193919f1387ed56d844ada643edf49f4

SHA256
717efa3c355590f26506db674b2120962816455f4176c0e4f0ec448e06a39cb6

SHA512
8f3d3057ee2e7dc1c11e96271fcc738723a05d01f2dca935a35eee8526f138c42280747e8c793fdd8e665c28e05c2f23dc6523284c2a2e465b8d74c23ec0c2b1

Download Submit
C:\Windows\{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe

Filesize
192KB

MD5
e24fe9f29e7dec79dbc6b808911ed194

SHA1
080d5f33f815fef048cf9dfab024222e2272c88e

SHA256
8ddfe62aa7e6b5ce15c01e2f554db706e354f32545ba87624a46aa861d31883f

SHA512
cc2c9d0e0578339a07d0faa959848f22a9fc408ece4b4aa3e365c16fdea033151ddc7ded9452f325f0c6d62d15a6f3dd9b013c010e8890e54eb57e88770c0fd3

Download Submit
C:\Windows\{BC7A495E-78B6-475b-837C-7AA0F944EFEA}.exe

Filesize
192KB

MD5
e24fe9f29e7dec79dbc6b808911ed194

SHA1
080d5f33f815fef048cf9dfab024222e2272c88e

SHA256
8ddfe62aa7e6b5ce15c01e2f554db706e354f32545ba87624a46aa861d31883f

SHA512
cc2c9d0e0578339a07d0faa959848f22a9fc408ece4b4aa3e365c16fdea033151ddc7ded9452f325f0c6d62d15a6f3dd9b013c010e8890e54eb57e88770c0fd3

Download Submit
C:\Windows\{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe

Filesize
192KB

MD5
e16f7a7c99a485ea42f6b7ad4334f8c7

SHA1
fa1f0c5c50971c203bfc2f630c73366b5a873ac7

SHA256
affc74a68cd5f76b470a4447fb3dd7e82c35383442b8160412304daa9b446f97

SHA512
6f6968cbc19c79e2bc6fcea733fb645629ce5f113ee86d86e0c50a8e11547123265b096b144fa60dac674b8786d5e1f3f380b6c3cac93990e4d9a4df29999368

Download Submit
C:\Windows\{DCCD0E6F-828A-4d8a-BFC8-B46DE1E39BB0}.exe

Filesize
192KB

MD5
e16f7a7c99a485ea42f6b7ad4334f8c7

SHA1
fa1f0c5c50971c203bfc2f630c73366b5a873ac7

SHA256
affc74a68cd5f76b470a4447fb3dd7e82c35383442b8160412304daa9b446f97

SHA512
6f6968cbc19c79e2bc6fcea733fb645629ce5f113ee86d86e0c50a8e11547123265b096b144fa60dac674b8786d5e1f3f380b6c3cac93990e4d9a4df29999368

Download Submit