fef755fa5e250d8cbf7c993e513aac8eed6c86c845182f2eae84ecce02969a4b

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3849260a82017aexeexeexeex.exe
Size

372KB
MD5

3849260a82017a748a164b40d3c6228f
SHA1

686de56a5dd5b3571518c4fa1034b57eab2dcabe
SHA256

fef755fa5e250d8cbf7c993e513aac8eed6c86c845182f2eae84ecce02969a4b
SHA512

ed8af92f8ea65715e956ec8aa8e6f90e5d2d18d1a9cfa1059348a2eb29aa296b6ea3247a2c76bc6483027b598cbe1c168730c763a9b7ae4dee254fe832ee38fb
SSDEEP

3072:CEGh0osmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGHl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}\stubpath = "C:\\Windows\\{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe"	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}\stubpath = "C:\\Windows\\{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe"	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85CD03F2-25C3-4493-8834-352CDB80F328}\stubpath = "C:\\Windows\\{85CD03F2-25C3-4493-8834-352CDB80F328}.exe"	{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{766C1651-79A1-4cf7-81A2-50C76A124EDD}\stubpath = "C:\\Windows\\{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe"	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}	3849260a82017aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{530EDEBD-5C13-405f-B87A-B6383CE71D43}	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{530EDEBD-5C13-405f-B87A-B6383CE71D43}\stubpath = "C:\\Windows\\{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe"	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}\stubpath = "C:\\Windows\\{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe"	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{766C1651-79A1-4cf7-81A2-50C76A124EDD}	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}\stubpath = "C:\\Windows\\{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe"	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}\stubpath = "C:\\Windows\\{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe"	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3579F59C-6086-4546-9BD8-20A8AD84BDC1}	{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3579F59C-6086-4546-9BD8-20A8AD84BDC1}\stubpath = "C:\\Windows\\{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe"	{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}\stubpath = "C:\\Windows\\{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe"	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}\stubpath = "C:\\Windows\\{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe"	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}\stubpath = "C:\\Windows\\{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe"	3849260a82017aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85CD03F2-25C3-4493-8834-352CDB80F328}	{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3900	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe
4552	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe
2464	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe
1952	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe
3960	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe
4896	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe
2428	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe
1544	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe
2244	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe
1412	{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe
3632	{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe
1504	{85CD03F2-25C3-4493-8834-352CDB80F328}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe
File created	C:\Windows\{85CD03F2-25C3-4493-8834-352CDB80F328}.exe	{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe
File created	C:\Windows\{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe	3849260a82017aexeexeexeex.exe
File created	C:\Windows\{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe
File created	C:\Windows\{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe
File created	C:\Windows\{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe
File created	C:\Windows\{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe
File created	C:\Windows\{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe	{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe
File created	C:\Windows\{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe
File created	C:\Windows\{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe
File created	C:\Windows\{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe
File created	C:\Windows\{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3420	3849260a82017aexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3900	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe
Token: SeIncBasePriorityPrivilege	4552	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe
Token: SeIncBasePriorityPrivilege	2464	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe
Token: SeIncBasePriorityPrivilege	1952	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe
Token: SeIncBasePriorityPrivilege	3960	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe
Token: SeIncBasePriorityPrivilege	4896	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe
Token: SeIncBasePriorityPrivilege	2428	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe
Token: SeIncBasePriorityPrivilege	1544	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe
Token: SeIncBasePriorityPrivilege	2244	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe
Token: SeIncBasePriorityPrivilege	1412	{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe
Token: SeIncBasePriorityPrivilege	3632	{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 3900	3420	3849260a82017aexeexeexeex.exe	84
PID 3420 wrote to memory of 3900	3420	3849260a82017aexeexeexeex.exe	84
PID 3420 wrote to memory of 3900	3420	3849260a82017aexeexeexeex.exe	84
PID 3420 wrote to memory of 2340	3420	3849260a82017aexeexeexeex.exe	85
PID 3420 wrote to memory of 2340	3420	3849260a82017aexeexeexeex.exe	85
PID 3420 wrote to memory of 2340	3420	3849260a82017aexeexeexeex.exe	85
PID 3900 wrote to memory of 4552	3900	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe	86
PID 3900 wrote to memory of 4552	3900	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe	86
PID 3900 wrote to memory of 4552	3900	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe	86
PID 3900 wrote to memory of 1984	3900	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe	87
PID 3900 wrote to memory of 1984	3900	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe	87
PID 3900 wrote to memory of 1984	3900	{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe	87
PID 4552 wrote to memory of 2464	4552	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe	92
PID 4552 wrote to memory of 2464	4552	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe	92
PID 4552 wrote to memory of 2464	4552	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe	92
PID 4552 wrote to memory of 2120	4552	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe	93
PID 4552 wrote to memory of 2120	4552	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe	93
PID 4552 wrote to memory of 2120	4552	{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe	93
PID 2464 wrote to memory of 1952	2464	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe	94
PID 2464 wrote to memory of 1952	2464	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe	94
PID 2464 wrote to memory of 1952	2464	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe	94
PID 2464 wrote to memory of 2824	2464	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe	95
PID 2464 wrote to memory of 2824	2464	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe	95
PID 2464 wrote to memory of 2824	2464	{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe	95
PID 1952 wrote to memory of 3960	1952	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe	96
PID 1952 wrote to memory of 3960	1952	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe	96
PID 1952 wrote to memory of 3960	1952	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe	96
PID 1952 wrote to memory of 228	1952	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe	97
PID 1952 wrote to memory of 228	1952	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe	97
PID 1952 wrote to memory of 228	1952	{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe	97
PID 3960 wrote to memory of 4896	3960	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe	98
PID 3960 wrote to memory of 4896	3960	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe	98
PID 3960 wrote to memory of 4896	3960	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe	98
PID 3960 wrote to memory of 1588	3960	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe	99
PID 3960 wrote to memory of 1588	3960	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe	99
PID 3960 wrote to memory of 1588	3960	{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe	99
PID 4896 wrote to memory of 2428	4896	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe	100
PID 4896 wrote to memory of 2428	4896	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe	100
PID 4896 wrote to memory of 2428	4896	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe	100
PID 4896 wrote to memory of 1652	4896	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe	101
PID 4896 wrote to memory of 1652	4896	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe	101
PID 4896 wrote to memory of 1652	4896	{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe	101
PID 2428 wrote to memory of 1544	2428	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe	102
PID 2428 wrote to memory of 1544	2428	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe	102
PID 2428 wrote to memory of 1544	2428	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe	102
PID 2428 wrote to memory of 3992	2428	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe	103
PID 2428 wrote to memory of 3992	2428	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe	103
PID 2428 wrote to memory of 3992	2428	{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe	103
PID 1544 wrote to memory of 2244	1544	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe	104
PID 1544 wrote to memory of 2244	1544	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe	104
PID 1544 wrote to memory of 2244	1544	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe	104
PID 1544 wrote to memory of 4856	1544	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe	105
PID 1544 wrote to memory of 4856	1544	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe	105
PID 1544 wrote to memory of 4856	1544	{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe	105
PID 2244 wrote to memory of 1412	2244	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe	108
PID 2244 wrote to memory of 1412	2244	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe	108
PID 2244 wrote to memory of 1412	2244	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe	108
PID 2244 wrote to memory of 3300	2244	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe	109
PID 2244 wrote to memory of 3300	2244	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe	109
PID 2244 wrote to memory of 3300	2244	{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe	109
PID 1412 wrote to memory of 3632	1412	{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe	110
PID 1412 wrote to memory of 3632	1412	{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe	110
PID 1412 wrote to memory of 3632	1412	{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe	110
PID 1412 wrote to memory of 4940	1412	{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe	111

C:\Users\Admin\AppData\Local\Temp\3849260a82017aexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\3849260a82017aexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe
  C:\Windows\{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3900
- - C:\Windows\{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe
    C:\Windows\{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe
      C:\Windows\{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe
        
        C:\Windows\{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe
        
        C:\Windows\{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe
        
        C:\Windows\{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe
        
        C:\Windows\{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe
        
        C:\Windows\{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1544
        
        C:\Windows\{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe
        
        C:\Windows\{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe
        
        C:\Windows\{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe
        
        C:\Windows\{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3632
        
        C:\Windows\{85CD03F2-25C3-4493-8834-352CDB80F328}.exe
        
        C:\Windows\{85CD03F2-25C3-4493-8834-352CDB80F328}.exe
        13⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3579F~1.EXE > nul
        13⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3C37~1.EXE > nul
        12⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F4FB~1.EXE > nul
        11⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFF3D~1.EXE > nul
        10⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{766C1~1.EXE > nul
        9⤵
        
        PID:3992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{211D7~1.EXE > nul
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF45F~1.EXE > nul
        7⤵
        
        PID:1588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5750D~1.EXE > nul
        6⤵
        
        PID:228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87E21~1.EXE > nul
        5⤵
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{530ED~1.EXE > nul
      4⤵
      PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C8AA3~1.EXE > nul
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\384926~1.EXE > nul
  2⤵
  PID:2340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe

Filesize
372KB

MD5
1f7c12e5d7d96d7b14fbe02c63f4f258

SHA1
0507b6099cc5a45768cb85cb7c69d334ce1732c7

SHA256
dbfe5182aaa0e2c845ea8da09f531edf89798a3f87bc1cf364b26192a4ea01bb

SHA512
4a6b7632a847357663cf368ac17b927e9f7b95b98ec456e399d9cfbdde459d9b024cad5080613a83bd2622763e98a1b32146455621d629f909c500d5c7b3f288

Download Submit
C:\Windows\{211D7BCF-7D29-4681-85AF-FBDC5F6ECAAD}.exe

Filesize
372KB

MD5
1f7c12e5d7d96d7b14fbe02c63f4f258

SHA1
0507b6099cc5a45768cb85cb7c69d334ce1732c7

SHA256
dbfe5182aaa0e2c845ea8da09f531edf89798a3f87bc1cf364b26192a4ea01bb

SHA512
4a6b7632a847357663cf368ac17b927e9f7b95b98ec456e399d9cfbdde459d9b024cad5080613a83bd2622763e98a1b32146455621d629f909c500d5c7b3f288

Download Submit
C:\Windows\{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe

Filesize
372KB

MD5
02bef0d557f637addd938c7f9ccaa74e

SHA1
3233deeadb20f9704335f94d158fdb529f5f5839

SHA256
b87e826868c9c877166a3ea0eb846efcd22dbb2418b7eca28136574456e800df

SHA512
927ad1eb46f428bd643c4a65ea6dace8377090e8fa56dd8c62b4b70734e896eb41963c9b2a71846c2ac8c11e556509aafa3ace65aebdda3ac97aa8530a3306fb

Download Submit
C:\Windows\{2F4FBCE0-BD72-4dd2-B19F-57E0B94D84A5}.exe

Filesize
372KB

MD5
02bef0d557f637addd938c7f9ccaa74e

SHA1
3233deeadb20f9704335f94d158fdb529f5f5839

SHA256
b87e826868c9c877166a3ea0eb846efcd22dbb2418b7eca28136574456e800df

SHA512
927ad1eb46f428bd643c4a65ea6dace8377090e8fa56dd8c62b4b70734e896eb41963c9b2a71846c2ac8c11e556509aafa3ace65aebdda3ac97aa8530a3306fb

Download Submit
C:\Windows\{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe

Filesize
372KB

MD5
967c97fcfc926b56b3f48eafc4dbfc1c

SHA1
9d4adabc230e39615b1d9efb6336ddabf6780185

SHA256
65f89ca0550dc5419bee0d62bcc2597d492bb98515d2aa81a9f5030f95b9e2a0

SHA512
e835bce03de85c90cd502ce3d71f034fdac62cab5c5f7dcd020a8847ca0c128b0eabc4347c2241e2d4de26cbc15e1307013070ab61c51d62795059f6ed4b83f6

Download Submit
C:\Windows\{3579F59C-6086-4546-9BD8-20A8AD84BDC1}.exe

Filesize
372KB

MD5
967c97fcfc926b56b3f48eafc4dbfc1c

SHA1
9d4adabc230e39615b1d9efb6336ddabf6780185

SHA256
65f89ca0550dc5419bee0d62bcc2597d492bb98515d2aa81a9f5030f95b9e2a0

SHA512
e835bce03de85c90cd502ce3d71f034fdac62cab5c5f7dcd020a8847ca0c128b0eabc4347c2241e2d4de26cbc15e1307013070ab61c51d62795059f6ed4b83f6

Download Submit
C:\Windows\{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe

Filesize
372KB

MD5
17eda2e50c914682af7cc3a191c5a4d3

SHA1
5f845fa3536803dd51c8b82677383387ce463ea1

SHA256
a4cf7cc8c86f31614de6ed2c49da8b291d5f7dd842a091856cf9aec8493a71d3

SHA512
9c35e5bd5600501f76de4f00cbf3a7f56e03739b0e6d1ec0638abdcaf5a90770ca0769de5ffa131d2e2657e956274188db579ab4b0ed0f81b2072192c60fb2f2

Download Submit
C:\Windows\{530EDEBD-5C13-405f-B87A-B6383CE71D43}.exe

Filesize
372KB

MD5
17eda2e50c914682af7cc3a191c5a4d3

SHA1
5f845fa3536803dd51c8b82677383387ce463ea1

SHA256
a4cf7cc8c86f31614de6ed2c49da8b291d5f7dd842a091856cf9aec8493a71d3

SHA512
9c35e5bd5600501f76de4f00cbf3a7f56e03739b0e6d1ec0638abdcaf5a90770ca0769de5ffa131d2e2657e956274188db579ab4b0ed0f81b2072192c60fb2f2

Download Submit
C:\Windows\{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe

Filesize
372KB

MD5
21b470421fdb6bfabab825166ff716cd

SHA1
9db51744842b02b0e43af0d63c22e5efd27907db

SHA256
762e34fface207acfad175984537023923bc0b7c91848a940d5416fb0a1a9db0

SHA512
42fbe169b9169302a0e06405e9a51cf62ba787796efe40dd60d1631c4016fc4c124ab9fbf5286526f4c400bd4b2c3cadae7d9af7b56b5c1599056e484c3d697b

Download Submit
C:\Windows\{5750DE37-66F1-4afb-94C1-B9E5553FC9E1}.exe

Filesize
372KB

MD5
21b470421fdb6bfabab825166ff716cd

SHA1
9db51744842b02b0e43af0d63c22e5efd27907db

SHA256
762e34fface207acfad175984537023923bc0b7c91848a940d5416fb0a1a9db0

SHA512
42fbe169b9169302a0e06405e9a51cf62ba787796efe40dd60d1631c4016fc4c124ab9fbf5286526f4c400bd4b2c3cadae7d9af7b56b5c1599056e484c3d697b

Download Submit
C:\Windows\{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe

Filesize
372KB

MD5
8c42a17508a808088a99b9a3d1d680cb

SHA1
e7df5873641aef813d361395c6e238059c9c6004

SHA256
c69497d4d5d3d8464f2cb75c1087ca8296f9ef9d1ea521322a288691a77a525d

SHA512
f210ca7addada01d26a9f5a925cf4ad165c2b220e91c3f517c902bae5b9dd1d18cdade024502f49d4aaca687c0f52093b62e41f7f39e8dcd335492143ed8495f

Download Submit
C:\Windows\{766C1651-79A1-4cf7-81A2-50C76A124EDD}.exe

Filesize
372KB

MD5
8c42a17508a808088a99b9a3d1d680cb

SHA1
e7df5873641aef813d361395c6e238059c9c6004

SHA256
c69497d4d5d3d8464f2cb75c1087ca8296f9ef9d1ea521322a288691a77a525d

SHA512
f210ca7addada01d26a9f5a925cf4ad165c2b220e91c3f517c902bae5b9dd1d18cdade024502f49d4aaca687c0f52093b62e41f7f39e8dcd335492143ed8495f

Download Submit
C:\Windows\{85CD03F2-25C3-4493-8834-352CDB80F328}.exe

Filesize
372KB

MD5
a61c5a9ebf27e90df2f9ba4a913b74b0

SHA1
93cade53b8f62a263548e516ff7a9d0b684d31aa

SHA256
e8c4710355b3738e532a60458e6be79daedac865305467a99ebf24e107fd1793

SHA512
26653e8ea598ae9ee9dc16db7ad5928a90a6722d2b52fe18c6022b572ac73efbbb000b13f6caa2c966dc3224466b204fa6281c6a3cb637ee412e7fefcff85e8e

Download Submit
C:\Windows\{85CD03F2-25C3-4493-8834-352CDB80F328}.exe

Filesize
372KB

MD5
a61c5a9ebf27e90df2f9ba4a913b74b0

SHA1
93cade53b8f62a263548e516ff7a9d0b684d31aa

SHA256
e8c4710355b3738e532a60458e6be79daedac865305467a99ebf24e107fd1793

SHA512
26653e8ea598ae9ee9dc16db7ad5928a90a6722d2b52fe18c6022b572ac73efbbb000b13f6caa2c966dc3224466b204fa6281c6a3cb637ee412e7fefcff85e8e

Download Submit
C:\Windows\{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe

Filesize
372KB

MD5
ca0dea783e0e9793f8fe66ec378edfff

SHA1
9a2c43808fec838dd9f3729b12de03c82e20955a

SHA256
f3c7e303f35279670e9406a03d109f0820baa4767fc23d00f56795383f3fdc35

SHA512
8d33f00c368846e4e232b2213cf6a736d5ae532d849171d6154430f72d7d683750063114fe948bcadf9854a98e364dbd5de1342336d559231140cf182fe2afac

Download Submit
C:\Windows\{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe

Filesize
372KB

MD5
ca0dea783e0e9793f8fe66ec378edfff

SHA1
9a2c43808fec838dd9f3729b12de03c82e20955a

SHA256
f3c7e303f35279670e9406a03d109f0820baa4767fc23d00f56795383f3fdc35

SHA512
8d33f00c368846e4e232b2213cf6a736d5ae532d849171d6154430f72d7d683750063114fe948bcadf9854a98e364dbd5de1342336d559231140cf182fe2afac

Download Submit
C:\Windows\{87E21A24-E4B3-4e50-8F09-BF91A57C87F7}.exe

Filesize
372KB

MD5
ca0dea783e0e9793f8fe66ec378edfff

SHA1
9a2c43808fec838dd9f3729b12de03c82e20955a

SHA256
f3c7e303f35279670e9406a03d109f0820baa4767fc23d00f56795383f3fdc35

SHA512
8d33f00c368846e4e232b2213cf6a736d5ae532d849171d6154430f72d7d683750063114fe948bcadf9854a98e364dbd5de1342336d559231140cf182fe2afac

Download Submit
C:\Windows\{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe

Filesize
372KB

MD5
94443f4f09906e9e7929d6c5836c2669

SHA1
5ddd30b62926a71094736fb14004927cc6b3a3b4

SHA256
f1f94a89505cbdbd0a7c57dbca0331df15718b6387e2547fe0dc2dab93d63064

SHA512
ddb95e3c8e6ffe3407059d0de6bf5f52aebf22f47769250c6245e2fb2ed70e91df47870bb3a6a2c836001de1836475646d0c8ab6ad692902d3b17cd377849e60

Download Submit
C:\Windows\{A3C377D7-45DF-4402-89FF-1CBBE3CB2320}.exe

Filesize
372KB

MD5
94443f4f09906e9e7929d6c5836c2669

SHA1
5ddd30b62926a71094736fb14004927cc6b3a3b4

SHA256
f1f94a89505cbdbd0a7c57dbca0331df15718b6387e2547fe0dc2dab93d63064

SHA512
ddb95e3c8e6ffe3407059d0de6bf5f52aebf22f47769250c6245e2fb2ed70e91df47870bb3a6a2c836001de1836475646d0c8ab6ad692902d3b17cd377849e60

Download Submit
C:\Windows\{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe

Filesize
372KB

MD5
e1e77f4c3b73fb8fe9f213f61de42442

SHA1
f678cdac0a0882ecf7af9bc8b96f5f11fd82d99c

SHA256
c5aa47ffb075ffb1f1c5ead60c582f831f5643063adb0e3f7b100cd1fc498059

SHA512
38acce5c30be5a820cab793d00384ec3bdebcfbae08c4e4dfa66a56ebc614ecce817a0d4198aa542b98c57cc8b65d6c8efd1cb02207608f5233149e97b5bc93d

Download Submit
C:\Windows\{C8AA32EF-DF01-47ec-BDAD-0564B97B00B8}.exe

Filesize
372KB

MD5
e1e77f4c3b73fb8fe9f213f61de42442

SHA1
f678cdac0a0882ecf7af9bc8b96f5f11fd82d99c

SHA256
c5aa47ffb075ffb1f1c5ead60c582f831f5643063adb0e3f7b100cd1fc498059

SHA512
38acce5c30be5a820cab793d00384ec3bdebcfbae08c4e4dfa66a56ebc614ecce817a0d4198aa542b98c57cc8b65d6c8efd1cb02207608f5233149e97b5bc93d

Download Submit
C:\Windows\{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe

Filesize
372KB

MD5
651268dd6b809ee0e6cd1c7a33b982b9

SHA1
8d5a45d228008b5b9ab20ec078273c3603f5a133

SHA256
f8d505e419e21b33e12db1f023ca5e65afafc5478c476daa4fb3a789f2346444

SHA512
16ff228b6e71c6fdd8a468243b832c2be10c1f4e9aee657d78ac905786c1a5f8bc0f4cb1d9be5c793a4723891bb97407c731f661bc2f58dae92be242c37cdbd0

Download Submit
C:\Windows\{CF45FAD2-3C01-4c84-AAFB-15DA1414D4D9}.exe

Filesize
372KB

MD5
651268dd6b809ee0e6cd1c7a33b982b9

SHA1
8d5a45d228008b5b9ab20ec078273c3603f5a133

SHA256
f8d505e419e21b33e12db1f023ca5e65afafc5478c476daa4fb3a789f2346444

SHA512
16ff228b6e71c6fdd8a468243b832c2be10c1f4e9aee657d78ac905786c1a5f8bc0f4cb1d9be5c793a4723891bb97407c731f661bc2f58dae92be242c37cdbd0

Download Submit
C:\Windows\{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe

Filesize
372KB

MD5
df01e775186f17fdcfcecc54fa220483

SHA1
3e7fbc0d5b5963b5140cfcf33e52274e879a865c

SHA256
413bdf3d7899777387b0a35f81045a8b110ae99ab19877ee3670a101f0bf5333

SHA512
3bf53d89a73fe722df1c5247423279bcb7696beefaedaa88b9d0120439bb5c7be3860e0e41d53fb9643a9e7902133fdfd233ce51a2024636b27162a5e89ecb06

Download Submit
C:\Windows\{FFF3D5BC-0D02-4a36-87F1-B381FC7CC678}.exe

Filesize
372KB

MD5
df01e775186f17fdcfcecc54fa220483

SHA1
3e7fbc0d5b5963b5140cfcf33e52274e879a865c

SHA256
413bdf3d7899777387b0a35f81045a8b110ae99ab19877ee3670a101f0bf5333

SHA512
3bf53d89a73fe722df1c5247423279bcb7696beefaedaa88b9d0120439bb5c7be3860e0e41d53fb9643a9e7902133fdfd233ce51a2024636b27162a5e89ecb06

Download Submit