e5acf17e261a1902bfff264bcf8a6e0d1e0739a8f24fd9073dea9c35fca70753

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dd44f9311e284exeexeexeex.exe
Size

204KB
MD5

3dd44f9311e28469e1ddc60a4670a8e1
SHA1

442b6f3869e20c132d63c11cc2178709795110db
SHA256

e5acf17e261a1902bfff264bcf8a6e0d1e0739a8f24fd9073dea9c35fca70753
SHA512

efc99475d60794ffc3632eaba3d5920a9d5a8889edf4dae45a45b58e77057da9e248f5b6c1c2a0d5771b0ba9e3bdea7c4ca7da414ff2c32dbacfb6a35164fa49
SSDEEP

1536:1EGh0oel15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oel1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D85C461-3EE9-4f58-803D-721F952794A7}	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3131F392-65A2-43aa-88DD-866CFE4231E4}	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4C58EA4-3114-4718-9C53-70EC50C81ED9}\stubpath = "C:\\Windows\\{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe"	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22EB9211-65C3-4489-BF6E-1C5CCB012B02}\stubpath = "C:\\Windows\\{22EB9211-65C3-4489-BF6E-1C5CCB012B02}.exe"	{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}\stubpath = "C:\\Windows\\{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe"	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A6D241E-EC43-41b2-9410-FB12C92217C5}	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4033E32-F90F-406b-9416-C21ECAB5E670}	{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4033E32-F90F-406b-9416-C21ECAB5E670}\stubpath = "C:\\Windows\\{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe"	{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22EB9211-65C3-4489-BF6E-1C5CCB012B02}	{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}	3dd44f9311e284exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E5D373A-9E91-473e-99E9-472604D72BC1}\stubpath = "C:\\Windows\\{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe"	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4C58EA4-3114-4718-9C53-70EC50C81ED9}	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}\stubpath = "C:\\Windows\\{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe"	3dd44f9311e284exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}\stubpath = "C:\\Windows\\{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe"	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3131F392-65A2-43aa-88DD-866CFE4231E4}\stubpath = "C:\\Windows\\{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe"	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E5D373A-9E91-473e-99E9-472604D72BC1}	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78F52A3C-B837-424f-A0B0-EFDC6908FA42}	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78F52A3C-B837-424f-A0B0-EFDC6908FA42}\stubpath = "C:\\Windows\\{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe"	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}\stubpath = "C:\\Windows\\{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe"	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D85C461-3EE9-4f58-803D-721F952794A7}\stubpath = "C:\\Windows\\{8D85C461-3EE9-4f58-803D-721F952794A7}.exe"	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A6D241E-EC43-41b2-9410-FB12C92217C5}\stubpath = "C:\\Windows\\{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe"	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe

Executes dropped EXE 12 IoCs

pid	Process
4180	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe
4252	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe
3816	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe
4724	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe
4304	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe
2960	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe
3436	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe
3352	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe
1204	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe
4388	{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe
4132	{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe
652	{22EB9211-65C3-4489-BF6E-1C5CCB012B02}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe	3dd44f9311e284exeexeexeex.exe
File created	C:\Windows\{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe
File created	C:\Windows\{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe
File created	C:\Windows\{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe
File created	C:\Windows\{22EB9211-65C3-4489-BF6E-1C5CCB012B02}.exe	{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe
File created	C:\Windows\{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe	{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe
File created	C:\Windows\{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe
File created	C:\Windows\{8D85C461-3EE9-4f58-803D-721F952794A7}.exe	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe
File created	C:\Windows\{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe
File created	C:\Windows\{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe
File created	C:\Windows\{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe
File created	C:\Windows\{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3828	3dd44f9311e284exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4180	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe
Token: SeIncBasePriorityPrivilege	4252	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe
Token: SeIncBasePriorityPrivilege	3816	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe
Token: SeIncBasePriorityPrivilege	4724	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe
Token: SeIncBasePriorityPrivilege	4304	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe
Token: SeIncBasePriorityPrivilege	2960	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe
Token: SeIncBasePriorityPrivilege	3436	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe
Token: SeIncBasePriorityPrivilege	3352	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe
Token: SeIncBasePriorityPrivilege	1204	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe
Token: SeIncBasePriorityPrivilege	4388	{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe
Token: SeIncBasePriorityPrivilege	4132	{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3828 wrote to memory of 4180	3828	3dd44f9311e284exeexeexeex.exe	84
PID 3828 wrote to memory of 4180	3828	3dd44f9311e284exeexeexeex.exe	84
PID 3828 wrote to memory of 4180	3828	3dd44f9311e284exeexeexeex.exe	84
PID 3828 wrote to memory of 3440	3828	3dd44f9311e284exeexeexeex.exe	85
PID 3828 wrote to memory of 3440	3828	3dd44f9311e284exeexeexeex.exe	85
PID 3828 wrote to memory of 3440	3828	3dd44f9311e284exeexeexeex.exe	85
PID 4180 wrote to memory of 4252	4180	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe	86
PID 4180 wrote to memory of 4252	4180	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe	86
PID 4180 wrote to memory of 4252	4180	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe	86
PID 4180 wrote to memory of 492	4180	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe	87
PID 4180 wrote to memory of 492	4180	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe	87
PID 4180 wrote to memory of 492	4180	{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe	87
PID 4252 wrote to memory of 3816	4252	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe	92
PID 4252 wrote to memory of 3816	4252	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe	92
PID 4252 wrote to memory of 3816	4252	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe	92
PID 4252 wrote to memory of 3936	4252	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe	91
PID 4252 wrote to memory of 3936	4252	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe	91
PID 4252 wrote to memory of 3936	4252	{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe	91
PID 3816 wrote to memory of 4724	3816	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe	93
PID 3816 wrote to memory of 4724	3816	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe	93
PID 3816 wrote to memory of 4724	3816	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe	93
PID 3816 wrote to memory of 436	3816	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe	94
PID 3816 wrote to memory of 436	3816	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe	94
PID 3816 wrote to memory of 436	3816	{8D85C461-3EE9-4f58-803D-721F952794A7}.exe	94
PID 4724 wrote to memory of 4304	4724	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe	95
PID 4724 wrote to memory of 4304	4724	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe	95
PID 4724 wrote to memory of 4304	4724	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe	95
PID 4724 wrote to memory of 1128	4724	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe	96
PID 4724 wrote to memory of 1128	4724	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe	96
PID 4724 wrote to memory of 1128	4724	{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe	96
PID 4304 wrote to memory of 2960	4304	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe	97
PID 4304 wrote to memory of 2960	4304	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe	97
PID 4304 wrote to memory of 2960	4304	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe	97
PID 4304 wrote to memory of 3428	4304	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe	98
PID 4304 wrote to memory of 3428	4304	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe	98
PID 4304 wrote to memory of 3428	4304	{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe	98
PID 2960 wrote to memory of 3436	2960	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe	99
PID 2960 wrote to memory of 3436	2960	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe	99
PID 2960 wrote to memory of 3436	2960	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe	99
PID 2960 wrote to memory of 3844	2960	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe	100
PID 2960 wrote to memory of 3844	2960	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe	100
PID 2960 wrote to memory of 3844	2960	{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe	100
PID 3436 wrote to memory of 3352	3436	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe	101
PID 3436 wrote to memory of 3352	3436	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe	101
PID 3436 wrote to memory of 3352	3436	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe	101
PID 3436 wrote to memory of 1144	3436	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe	102
PID 3436 wrote to memory of 1144	3436	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe	102
PID 3436 wrote to memory of 1144	3436	{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe	102
PID 3352 wrote to memory of 1204	3352	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe	103
PID 3352 wrote to memory of 1204	3352	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe	103
PID 3352 wrote to memory of 1204	3352	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe	103
PID 3352 wrote to memory of 4968	3352	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe	104
PID 3352 wrote to memory of 4968	3352	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe	104
PID 3352 wrote to memory of 4968	3352	{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe	104
PID 1204 wrote to memory of 4388	1204	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe	105
PID 1204 wrote to memory of 4388	1204	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe	105
PID 1204 wrote to memory of 4388	1204	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe	105
PID 1204 wrote to memory of 1480	1204	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe	106
PID 1204 wrote to memory of 1480	1204	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe	106
PID 1204 wrote to memory of 1480	1204	{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe	106
PID 4388 wrote to memory of 4132	4388	{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe	107
PID 4388 wrote to memory of 4132	4388	{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe	107
PID 4388 wrote to memory of 4132	4388	{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe	107
PID 4388 wrote to memory of 4176	4388	{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe	108

C:\Users\Admin\AppData\Local\Temp\3dd44f9311e284exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\3dd44f9311e284exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe
  C:\Windows\{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Windows\{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe
    C:\Windows\{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D895~1.EXE > nul
      4⤵
      PID:3936
  - - C:\Windows\{8D85C461-3EE9-4f58-803D-721F952794A7}.exe
      C:\Windows\{8D85C461-3EE9-4f58-803D-721F952794A7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3816
    - - C:\Windows\{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe
        
        C:\Windows\{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Windows\{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe
        
        C:\Windows\{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4304
        
        C:\Windows\{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe
        
        C:\Windows\{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe
        
        C:\Windows\{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe
        
        C:\Windows\{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3352
        
        C:\Windows\{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe
        
        C:\Windows\{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe
        
        C:\Windows\{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe
        
        C:\Windows\{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\{22EB9211-65C3-4489-BF6E-1C5CCB012B02}.exe
        
        C:\Windows\{22EB9211-65C3-4489-BF6E-1C5CCB012B02}.exe
        13⤵
        Executes dropped EXE
        
        PID:652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4033~1.EXE > nul
        13⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A6D2~1.EXE > nul
        12⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD598~1.EXE > nul
        11⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4C58~1.EXE > nul
        10⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78F52~1.EXE > nul
        9⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E5D3~1.EXE > nul
        8⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3131F~1.EXE > nul
        7⤵
        
        PID:3428
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7997~1.EXE > nul
        6⤵
        
        PID:1128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D85C~1.EXE > nul
        5⤵
        
        PID:436
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5CEA4~1.EXE > nul
    3⤵
    PID:492
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3DD44F~1.EXE > nul
  2⤵
  PID:3440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22EB9211-65C3-4489-BF6E-1C5CCB012B02}.exe

Filesize
204KB

MD5
b8ef9314293a9825f9926718272bbca5

SHA1
8c3f51f828c0e1203d6e605f0dff19b0ed0ef8ad

SHA256
d1d6519418df7b4a170f34393fc7fe1ed539df929a68a080e75b94ba67ff87b2

SHA512
5e32ebeb2b1944b7fa2aef78a4333ffd956441816451e94df133e7ce3cb44f0345fe66bb5d2439ff57fce49f1d7a4efc8e7088289936cd1a47bc285994206878

Download Submit
C:\Windows\{22EB9211-65C3-4489-BF6E-1C5CCB012B02}.exe

Filesize
204KB

MD5
b8ef9314293a9825f9926718272bbca5

SHA1
8c3f51f828c0e1203d6e605f0dff19b0ed0ef8ad

SHA256
d1d6519418df7b4a170f34393fc7fe1ed539df929a68a080e75b94ba67ff87b2

SHA512
5e32ebeb2b1944b7fa2aef78a4333ffd956441816451e94df133e7ce3cb44f0345fe66bb5d2439ff57fce49f1d7a4efc8e7088289936cd1a47bc285994206878

Download Submit
C:\Windows\{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe

Filesize
204KB

MD5
bb64d5e9c495aeee3bc4e312056c211a

SHA1
10450f618d6a5fc78bf0a766109eaf2673e0b496

SHA256
6fb55b6580dbda5ee2c6cdcb5714372b88daa9aaf2cb43f90b17001187ecad15

SHA512
d3eb1db84ee2a6bc1e9f064ce2be777bdae31a811248f10a10e9e0c56d947c073c5e18e1fdefbc21b41255c896b59cb388127dac3dd068a7e9824e8260b0449f

Download Submit
C:\Windows\{3131F392-65A2-43aa-88DD-866CFE4231E4}.exe

Filesize
204KB

MD5
bb64d5e9c495aeee3bc4e312056c211a

SHA1
10450f618d6a5fc78bf0a766109eaf2673e0b496

SHA256
6fb55b6580dbda5ee2c6cdcb5714372b88daa9aaf2cb43f90b17001187ecad15

SHA512
d3eb1db84ee2a6bc1e9f064ce2be777bdae31a811248f10a10e9e0c56d947c073c5e18e1fdefbc21b41255c896b59cb388127dac3dd068a7e9824e8260b0449f

Download Submit
C:\Windows\{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe

Filesize
204KB

MD5
2a283646629ddda21ecf97ba7148f29f

SHA1
889140c7cd47b2c02b544d17a6e6d2f624b23016

SHA256
e52eb6a83e6feae3c77a342328e41d5124723532eaebe4522336e2039f3429da

SHA512
1716ec14f66518f1b7f948d0e9fdd76d1c098ee29fcedf2ac0a2dd12b57cff664200d0c30b65a188d8e716dbf9c486f4376d6c49bc1a5838461cbb3b08a87b6f

Download Submit
C:\Windows\{3E5D373A-9E91-473e-99E9-472604D72BC1}.exe

Filesize
204KB

MD5
2a283646629ddda21ecf97ba7148f29f

SHA1
889140c7cd47b2c02b544d17a6e6d2f624b23016

SHA256
e52eb6a83e6feae3c77a342328e41d5124723532eaebe4522336e2039f3429da

SHA512
1716ec14f66518f1b7f948d0e9fdd76d1c098ee29fcedf2ac0a2dd12b57cff664200d0c30b65a188d8e716dbf9c486f4376d6c49bc1a5838461cbb3b08a87b6f

Download Submit
C:\Windows\{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe

Filesize
204KB

MD5
af0d546a43f220969001e577dc6d4d80

SHA1
5e3ad44578f8f5326aeb85448c18cdb24ce7d924

SHA256
58f5f10cd8178f6606bb02b3ebc55b7f676cfb50d12c52734236f00f012aad1d

SHA512
d12ec0e929adeb92a488f27214b746b9df2e921bb671ab6698d425e4955b28e85d81706a5bf4315ce840b468bb008de3765be7e26f73823b485782c56b6aa455

Download Submit
C:\Windows\{5CEA4A49-D3FC-467a-ABB8-EDB1F106F098}.exe

Filesize
204KB

MD5
af0d546a43f220969001e577dc6d4d80

SHA1
5e3ad44578f8f5326aeb85448c18cdb24ce7d924

SHA256
58f5f10cd8178f6606bb02b3ebc55b7f676cfb50d12c52734236f00f012aad1d

SHA512
d12ec0e929adeb92a488f27214b746b9df2e921bb671ab6698d425e4955b28e85d81706a5bf4315ce840b468bb008de3765be7e26f73823b485782c56b6aa455

Download Submit
C:\Windows\{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe

Filesize
204KB

MD5
ae1c4d8397f74ee4151885bd63480d13

SHA1
f36e07c11c8209418dc5a1334880eb0683ecd5bc

SHA256
6acda5140372ec7bcc62cc932dc12c87b27265358273b59ff44b13f80a591385

SHA512
b61cc2270fb65388cfd07092d0b81a02aca0efdf48c9f968327af714ed3d94705f27c815d7a463d194e571c1e6a89617e2bfd2fe71a4f0c1e462918c966ad6bd

Download Submit
C:\Windows\{6A6D241E-EC43-41b2-9410-FB12C92217C5}.exe

Filesize
204KB

MD5
ae1c4d8397f74ee4151885bd63480d13

SHA1
f36e07c11c8209418dc5a1334880eb0683ecd5bc

SHA256
6acda5140372ec7bcc62cc932dc12c87b27265358273b59ff44b13f80a591385

SHA512
b61cc2270fb65388cfd07092d0b81a02aca0efdf48c9f968327af714ed3d94705f27c815d7a463d194e571c1e6a89617e2bfd2fe71a4f0c1e462918c966ad6bd

Download Submit
C:\Windows\{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe

Filesize
204KB

MD5
40ad485f06388d8ca98c959ea2a1cef6

SHA1
aca470d9af946184ab281fa1035f7bf8c43817bd

SHA256
95e56aa638e93c27f8156a8dfa5ad4e406cfca909f325d91e5d6300ea6378b5a

SHA512
830f7b533b7e8f99fa195ec767f1a1faa05f6106440246bbfb8b51dc25e47d355579a7f3fc51798f0241f6cda46a20758441be96bb55a2810b73bc49e3cf3edb

Download Submit
C:\Windows\{78F52A3C-B837-424f-A0B0-EFDC6908FA42}.exe

Filesize
204KB

MD5
40ad485f06388d8ca98c959ea2a1cef6

SHA1
aca470d9af946184ab281fa1035f7bf8c43817bd

SHA256
95e56aa638e93c27f8156a8dfa5ad4e406cfca909f325d91e5d6300ea6378b5a

SHA512
830f7b533b7e8f99fa195ec767f1a1faa05f6106440246bbfb8b51dc25e47d355579a7f3fc51798f0241f6cda46a20758441be96bb55a2810b73bc49e3cf3edb

Download Submit
C:\Windows\{8D85C461-3EE9-4f58-803D-721F952794A7}.exe

Filesize
204KB

MD5
d4067aaea02b4e51d9625c168f3821a2

SHA1
57056bc926ec369472611e2724e841faf381cf5a

SHA256
9e8eff8b705a582130eeaf836b3be9aee35cdafd2d838429d80aa91a418f7dc1

SHA512
4277fb812e806fcfc4bc6d9129204f74d4b8e00485f8de91f5c35e268523227279032d4228828ee2ae11c3e21992cd229bbeedd7843b3b778bfc9e4b6d62c52a

Download Submit
C:\Windows\{8D85C461-3EE9-4f58-803D-721F952794A7}.exe

Filesize
204KB

MD5
d4067aaea02b4e51d9625c168f3821a2

SHA1
57056bc926ec369472611e2724e841faf381cf5a

SHA256
9e8eff8b705a582130eeaf836b3be9aee35cdafd2d838429d80aa91a418f7dc1

SHA512
4277fb812e806fcfc4bc6d9129204f74d4b8e00485f8de91f5c35e268523227279032d4228828ee2ae11c3e21992cd229bbeedd7843b3b778bfc9e4b6d62c52a

Download Submit
C:\Windows\{8D85C461-3EE9-4f58-803D-721F952794A7}.exe

Filesize
204KB

MD5
d4067aaea02b4e51d9625c168f3821a2

SHA1
57056bc926ec369472611e2724e841faf381cf5a

SHA256
9e8eff8b705a582130eeaf836b3be9aee35cdafd2d838429d80aa91a418f7dc1

SHA512
4277fb812e806fcfc4bc6d9129204f74d4b8e00485f8de91f5c35e268523227279032d4228828ee2ae11c3e21992cd229bbeedd7843b3b778bfc9e4b6d62c52a

Download Submit
C:\Windows\{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe

Filesize
204KB

MD5
3f9802375140fff9f9b278db46c5434c

SHA1
dbf9d3495911a80b6132a33e106263ee26d8b39e

SHA256
c9882ad86e8ceb29e46a8a7113235d847c3d656130b51139fc769c7f9f009223

SHA512
67a196a82c4fd71f3870a322390c4482c94924b3c3e8793186d5c3bcfe6a09ddf28b3e1a9f16ba6aabf49af064be2156b34c963f1a397207a7d907a23202b01b

Download Submit
C:\Windows\{8D895A5F-A86D-44f7-9CCD-8D8BF67D734A}.exe

Filesize
204KB

MD5
3f9802375140fff9f9b278db46c5434c

SHA1
dbf9d3495911a80b6132a33e106263ee26d8b39e

SHA256
c9882ad86e8ceb29e46a8a7113235d847c3d656130b51139fc769c7f9f009223

SHA512
67a196a82c4fd71f3870a322390c4482c94924b3c3e8793186d5c3bcfe6a09ddf28b3e1a9f16ba6aabf49af064be2156b34c963f1a397207a7d907a23202b01b

Download Submit
C:\Windows\{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe

Filesize
204KB

MD5
0ff6b2654eb5eb86c5173f63e610d721

SHA1
ce08a51493ba82cbdf3245b319e48595fc18b862

SHA256
20f46d582865ae4780ec062a7ede8f34887f64cb557003c39f2842e5264b2e78

SHA512
39a137433a7459dacea3f918522b01786cdcaf10b2dc4fec9410ad5c93e0e88320fdb2a9be669ee229cb79d002d0f5d8fe50ad46dd93353d49dcd292daf08da8

Download Submit
C:\Windows\{A79973D7-57D2-4e9f-ADC1-0C1A40C438FA}.exe

Filesize
204KB

MD5
0ff6b2654eb5eb86c5173f63e610d721

SHA1
ce08a51493ba82cbdf3245b319e48595fc18b862

SHA256
20f46d582865ae4780ec062a7ede8f34887f64cb557003c39f2842e5264b2e78

SHA512
39a137433a7459dacea3f918522b01786cdcaf10b2dc4fec9410ad5c93e0e88320fdb2a9be669ee229cb79d002d0f5d8fe50ad46dd93353d49dcd292daf08da8

Download Submit
C:\Windows\{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe

Filesize
204KB

MD5
bbbc1d8610af92c3564c23b8ce6bb561

SHA1
aaee710cfdc4c0bf4d50d209d864ab4f0f323811

SHA256
4885235453f0a1fb827583f6bdd944d65a6104d8d45acfa35f93dc1d3c1e71ac

SHA512
5ece7bf0898bba976981f47b568f9d427033e57957800f0c181a5e9bf85ceab4a203e670b00b8e6ce2528767f615803bcc4605327b9b3e5c6e367247257115f3

Download Submit
C:\Windows\{D4033E32-F90F-406b-9416-C21ECAB5E670}.exe

Filesize
204KB

MD5
bbbc1d8610af92c3564c23b8ce6bb561

SHA1
aaee710cfdc4c0bf4d50d209d864ab4f0f323811

SHA256
4885235453f0a1fb827583f6bdd944d65a6104d8d45acfa35f93dc1d3c1e71ac

SHA512
5ece7bf0898bba976981f47b568f9d427033e57957800f0c181a5e9bf85ceab4a203e670b00b8e6ce2528767f615803bcc4605327b9b3e5c6e367247257115f3

Download Submit
C:\Windows\{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe

Filesize
204KB

MD5
9602a641c2a482c16badad3ad223ba51

SHA1
37767e3ff9ac3737b7ae8fa603f27a6268a02670

SHA256
fe59aeee027a2021b0126e2665f8ffd33ad1e92c506b11fd846354d941ad04ce

SHA512
f8098b21f5fb97d0220b822d6460f4b20469530e35d155dfec185b8baefb12b7df04499abc0b79033797610ee743c6cc3a4608c7daea2e0974ea4373141e7284

Download Submit
C:\Windows\{D4C58EA4-3114-4718-9C53-70EC50C81ED9}.exe

Filesize
204KB

MD5
9602a641c2a482c16badad3ad223ba51

SHA1
37767e3ff9ac3737b7ae8fa603f27a6268a02670

SHA256
fe59aeee027a2021b0126e2665f8ffd33ad1e92c506b11fd846354d941ad04ce

SHA512
f8098b21f5fb97d0220b822d6460f4b20469530e35d155dfec185b8baefb12b7df04499abc0b79033797610ee743c6cc3a4608c7daea2e0974ea4373141e7284

Download Submit
C:\Windows\{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe

Filesize
204KB

MD5
ec473e01b79e81c507afa0484154bc24

SHA1
e582a506038a7d14ab96fa02c83897ffa1df49fa

SHA256
fd0449b5ad85cfb8c5da3ecaf1f33e9e73f44e424d860fbf71d8584b250dbfb7

SHA512
8f7b0f4f746f921d3f2be897093d8f56428d516dfa1c614e43230dbfca024dbe931f03a549373692d2f9ab58fcc66d2cf8e8dcd8cb71a85b627a5669e71cccd7

Download Submit
C:\Windows\{FD5989A3-546C-4c73-B955-83CC9BCD6BB6}.exe

Filesize
204KB

MD5
ec473e01b79e81c507afa0484154bc24

SHA1
e582a506038a7d14ab96fa02c83897ffa1df49fa

SHA256
fd0449b5ad85cfb8c5da3ecaf1f33e9e73f44e424d860fbf71d8584b250dbfb7

SHA512
8f7b0f4f746f921d3f2be897093d8f56428d516dfa1c614e43230dbfca024dbe931f03a549373692d2f9ab58fcc66d2cf8e8dcd8cb71a85b627a5669e71cccd7

Download Submit