85bb8692ae698ac838e200f2911a3d09b92c592e8158079b51d37daabd692f5c

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 16:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a43b9e7ef7495exeexeexeex.exe
Size

168KB
MD5

3a43b9e7ef7495be86863cbdd936b33d
SHA1

a5e966b9fd048b8060aef3f4fe022e21b887a2ad
SHA256

85bb8692ae698ac838e200f2911a3d09b92c592e8158079b51d37daabd692f5c
SHA512

bf112acf6d35e41ef86c61a85d15294e6641969c65352901d6699887dbebe7647a3c458818f745304649b228cc6bfd9c3f6b89592a0558c458329490c5b0e1e9
SSDEEP

1536:1EGh0o/lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o/lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}\stubpath = "C:\\Windows\\{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe"	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89623A1C-1E43-44ab-8B59-2918F8423E0F}\stubpath = "C:\\Windows\\{89623A1C-1E43-44ab-8B59-2918F8423E0F}.exe"	{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDD4751C-17F6-414f-998D-96CF74F24EB3}\stubpath = "C:\\Windows\\{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe"	3a43b9e7ef7495exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}\stubpath = "C:\\Windows\\{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe"	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C68B207-7564-48ab-A3CC-E06B662B2ED0}\stubpath = "C:\\Windows\\{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe"	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC36B917-4798-4892-80D2-E14BCC79584E}\stubpath = "C:\\Windows\\{FC36B917-4798-4892-80D2-E14BCC79584E}.exe"	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDD4751C-17F6-414f-998D-96CF74F24EB3}	3a43b9e7ef7495exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC36B917-4798-4892-80D2-E14BCC79584E}	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}	{43173060-5156-4471-B283-C437AEE6BCB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89623A1C-1E43-44ab-8B59-2918F8423E0F}	{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{644F1750-315C-4bce-AD47-2B1A206DCF82}	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{644F1750-315C-4bce-AD47-2B1A206DCF82}\stubpath = "C:\\Windows\\{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe"	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}\stubpath = "C:\\Windows\\{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe"	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}\stubpath = "C:\\Windows\\{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe"	{43173060-5156-4471-B283-C437AEE6BCB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C68B207-7564-48ab-A3CC-E06B662B2ED0}	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}\stubpath = "C:\\Windows\\{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe"	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43173060-5156-4471-B283-C437AEE6BCB9}	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43173060-5156-4471-B283-C437AEE6BCB9}\stubpath = "C:\\Windows\\{43173060-5156-4471-B283-C437AEE6BCB9}.exe"	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe

Executes dropped EXE 11 IoCs

pid	Process
4792	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe
2104	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe
2592	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe
4456	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe
1744	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe
1828	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe
4880	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe
3308	{43173060-5156-4471-B283-C437AEE6BCB9}.exe
3508	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe
1824	{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe
3532	{89623A1C-1E43-44ab-8B59-2918F8423E0F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe
File created	C:\Windows\{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe
File created	C:\Windows\{FC36B917-4798-4892-80D2-E14BCC79584E}.exe	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe
File created	C:\Windows\{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe	{43173060-5156-4471-B283-C437AEE6BCB9}.exe
File created	C:\Windows\{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe	3a43b9e7ef7495exeexeexeex.exe
File created	C:\Windows\{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe
File created	C:\Windows\{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe
File created	C:\Windows\{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe
File created	C:\Windows\{43173060-5156-4471-B283-C437AEE6BCB9}.exe	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe
File created	C:\Windows\{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe
File created	C:\Windows\{89623A1C-1E43-44ab-8B59-2918F8423E0F}.exe	{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4036	3a43b9e7ef7495exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4792	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe
Token: SeIncBasePriorityPrivilege	2104	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe
Token: SeIncBasePriorityPrivilege	2592	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe
Token: SeIncBasePriorityPrivilege	4456	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe
Token: SeIncBasePriorityPrivilege	1744	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe
Token: SeIncBasePriorityPrivilege	1828	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe
Token: SeIncBasePriorityPrivilege	4880	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe
Token: SeIncBasePriorityPrivilege	3308	{43173060-5156-4471-B283-C437AEE6BCB9}.exe
Token: SeIncBasePriorityPrivilege	3508	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe
Token: SeIncBasePriorityPrivilege	1824	{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 4792	4036	3a43b9e7ef7495exeexeexeex.exe	79
PID 4036 wrote to memory of 4792	4036	3a43b9e7ef7495exeexeexeex.exe	79
PID 4036 wrote to memory of 4792	4036	3a43b9e7ef7495exeexeexeex.exe	79
PID 4036 wrote to memory of 5016	4036	3a43b9e7ef7495exeexeexeex.exe	80
PID 4036 wrote to memory of 5016	4036	3a43b9e7ef7495exeexeexeex.exe	80
PID 4036 wrote to memory of 5016	4036	3a43b9e7ef7495exeexeexeex.exe	80
PID 4792 wrote to memory of 2104	4792	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe	81
PID 4792 wrote to memory of 2104	4792	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe	81
PID 4792 wrote to memory of 2104	4792	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe	81
PID 4792 wrote to memory of 4940	4792	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe	82
PID 4792 wrote to memory of 4940	4792	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe	82
PID 4792 wrote to memory of 4940	4792	{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe	82
PID 2104 wrote to memory of 2592	2104	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe	83
PID 2104 wrote to memory of 2592	2104	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe	83
PID 2104 wrote to memory of 2592	2104	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe	83
PID 2104 wrote to memory of 3784	2104	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe	84
PID 2104 wrote to memory of 3784	2104	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe	84
PID 2104 wrote to memory of 3784	2104	{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe	84
PID 2592 wrote to memory of 4456	2592	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe	85
PID 2592 wrote to memory of 4456	2592	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe	85
PID 2592 wrote to memory of 4456	2592	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe	85
PID 2592 wrote to memory of 4136	2592	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe	86
PID 2592 wrote to memory of 4136	2592	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe	86
PID 2592 wrote to memory of 4136	2592	{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe	86
PID 4456 wrote to memory of 1744	4456	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe	87
PID 4456 wrote to memory of 1744	4456	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe	87
PID 4456 wrote to memory of 1744	4456	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe	87
PID 4456 wrote to memory of 2572	4456	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe	88
PID 4456 wrote to memory of 2572	4456	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe	88
PID 4456 wrote to memory of 2572	4456	{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe	88
PID 1744 wrote to memory of 1828	1744	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe	89
PID 1744 wrote to memory of 1828	1744	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe	89
PID 1744 wrote to memory of 1828	1744	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe	89
PID 1744 wrote to memory of 1924	1744	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe	90
PID 1744 wrote to memory of 1924	1744	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe	90
PID 1744 wrote to memory of 1924	1744	{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe	90
PID 1828 wrote to memory of 4880	1828	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe	91
PID 1828 wrote to memory of 4880	1828	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe	91
PID 1828 wrote to memory of 4880	1828	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe	91
PID 1828 wrote to memory of 1652	1828	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe	92
PID 1828 wrote to memory of 1652	1828	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe	92
PID 1828 wrote to memory of 1652	1828	{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe	92
PID 4880 wrote to memory of 3308	4880	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe	93
PID 4880 wrote to memory of 3308	4880	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe	93
PID 4880 wrote to memory of 3308	4880	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe	93
PID 4880 wrote to memory of 3200	4880	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe	94
PID 4880 wrote to memory of 3200	4880	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe	94
PID 4880 wrote to memory of 3200	4880	{FC36B917-4798-4892-80D2-E14BCC79584E}.exe	94
PID 3308 wrote to memory of 3508	3308	{43173060-5156-4471-B283-C437AEE6BCB9}.exe	95
PID 3308 wrote to memory of 3508	3308	{43173060-5156-4471-B283-C437AEE6BCB9}.exe	95
PID 3308 wrote to memory of 3508	3308	{43173060-5156-4471-B283-C437AEE6BCB9}.exe	95
PID 3308 wrote to memory of 5032	3308	{43173060-5156-4471-B283-C437AEE6BCB9}.exe	96
PID 3308 wrote to memory of 5032	3308	{43173060-5156-4471-B283-C437AEE6BCB9}.exe	96
PID 3308 wrote to memory of 5032	3308	{43173060-5156-4471-B283-C437AEE6BCB9}.exe	96
PID 3508 wrote to memory of 1824	3508	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe	97
PID 3508 wrote to memory of 1824	3508	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe	97
PID 3508 wrote to memory of 1824	3508	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe	97
PID 3508 wrote to memory of 4180	3508	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe	98
PID 3508 wrote to memory of 4180	3508	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe	98
PID 3508 wrote to memory of 4180	3508	{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe	98
PID 1824 wrote to memory of 3532	1824	{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe	99
PID 1824 wrote to memory of 3532	1824	{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe	99
PID 1824 wrote to memory of 3532	1824	{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe	99
PID 1824 wrote to memory of 4556	1824	{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe	100

C:\Users\Admin\AppData\Local\Temp\3a43b9e7ef7495exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\3a43b9e7ef7495exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe
  C:\Windows\{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe
    C:\Windows\{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2104
  - - C:\Windows\{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe
      C:\Windows\{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2592
    - - C:\Windows\{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe
        
        C:\Windows\{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
      - C:\Windows\{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe
        
        C:\Windows\{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe
        
        C:\Windows\{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\{FC36B917-4798-4892-80D2-E14BCC79584E}.exe
        
        C:\Windows\{FC36B917-4798-4892-80D2-E14BCC79584E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\{43173060-5156-4471-B283-C437AEE6BCB9}.exe
        
        C:\Windows\{43173060-5156-4471-B283-C437AEE6BCB9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
        
        C:\Windows\{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe
        
        C:\Windows\{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe
        
        C:\Windows\{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\{89623A1C-1E43-44ab-8B59-2918F8423E0F}.exe
        
        C:\Windows\{89623A1C-1E43-44ab-8B59-2918F8423E0F}.exe
        12⤵
        Executes dropped EXE
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2FA2~1.EXE > nul
        12⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEE4A~1.EXE > nul
        11⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43173~1.EXE > nul
        10⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC36B~1.EXE > nul
        9⤵
        
        PID:3200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CCFF~1.EXE > nul
        8⤵
        
        PID:1652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D8688~1.EXE > nul
        7⤵
        
        PID:1924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C68B~1.EXE > nul
        6⤵
        
        PID:2572
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA80B~1.EXE > nul
        5⤵
        
        PID:4136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{644F1~1.EXE > nul
      4⤵
      PID:3784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CDD47~1.EXE > nul
    3⤵
    PID:4940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3A43B9~1.EXE > nul
  2⤵
  PID:5016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe

Filesize
168KB

MD5
86cb1be94e13df92639806edf8a0cd9a

SHA1
398f9c4f56165a5ba72d2572ab6b6c5c6357d86c

SHA256
ba0871c4744987fad4610d2522ead9c9bdb1d4054051d0bca7e98aa2664e5efb

SHA512
d1958459280cb790d939d0a5acb9e3ac2be4d84016dabec9de89ea48de57f3d935d776d4bd0ca94eb56b6375936bf54f76826c2a82722f0606c1759eba785691

Download Submit
C:\Windows\{3C68B207-7564-48ab-A3CC-E06B662B2ED0}.exe

Filesize
168KB

MD5
86cb1be94e13df92639806edf8a0cd9a

SHA1
398f9c4f56165a5ba72d2572ab6b6c5c6357d86c

SHA256
ba0871c4744987fad4610d2522ead9c9bdb1d4054051d0bca7e98aa2664e5efb

SHA512
d1958459280cb790d939d0a5acb9e3ac2be4d84016dabec9de89ea48de57f3d935d776d4bd0ca94eb56b6375936bf54f76826c2a82722f0606c1759eba785691

Download Submit
C:\Windows\{43173060-5156-4471-B283-C437AEE6BCB9}.exe

Filesize
168KB

MD5
40711b3e0ec8755ab11ad734cee1306b

SHA1
e1be5971cc9dc06cdc58a738cb75c268a4d233e3

SHA256
436ef0760708124499fc3e9e17f842805feee5e50d4ce7ed3e142f7f21ae7875

SHA512
e4c6222018bbb39f066e17f63aa6e4ea2ce90a87fbb8dc7feedb29a27e99d4c075b4e9dfacd9e7d55adf981aaa169892e1f524eab23cc485b7a0959c26fa673c

Download Submit
C:\Windows\{43173060-5156-4471-B283-C437AEE6BCB9}.exe

Filesize
168KB

MD5
40711b3e0ec8755ab11ad734cee1306b

SHA1
e1be5971cc9dc06cdc58a738cb75c268a4d233e3

SHA256
436ef0760708124499fc3e9e17f842805feee5e50d4ce7ed3e142f7f21ae7875

SHA512
e4c6222018bbb39f066e17f63aa6e4ea2ce90a87fbb8dc7feedb29a27e99d4c075b4e9dfacd9e7d55adf981aaa169892e1f524eab23cc485b7a0959c26fa673c

Download Submit
C:\Windows\{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe

Filesize
168KB

MD5
6f58c0ffafc19385bc34952d83838515

SHA1
35adcf98b6d04290039c37a96844e3f0c3472f08

SHA256
61396132cff6e6c5840902f2f5035798fc3ee76d1f8c91c21f269bd87929b3c8

SHA512
14962d047a89d95b87ad5c9d7e2b4ebafaafbbc037772f6a9d1f1454c5d69d68de110518ff95c7566887e6b1c8494c69dce176f81a4aa06eba4fed56ea8e3e2e

Download Submit
C:\Windows\{644F1750-315C-4bce-AD47-2B1A206DCF82}.exe

Filesize
168KB

MD5
6f58c0ffafc19385bc34952d83838515

SHA1
35adcf98b6d04290039c37a96844e3f0c3472f08

SHA256
61396132cff6e6c5840902f2f5035798fc3ee76d1f8c91c21f269bd87929b3c8

SHA512
14962d047a89d95b87ad5c9d7e2b4ebafaafbbc037772f6a9d1f1454c5d69d68de110518ff95c7566887e6b1c8494c69dce176f81a4aa06eba4fed56ea8e3e2e

Download Submit
C:\Windows\{89623A1C-1E43-44ab-8B59-2918F8423E0F}.exe

Filesize
168KB

MD5
5d138bd0fcedd65f9104b8211cf8cd0e

SHA1
deafb25059f52f0929f40bb8defb0b71f0df2482

SHA256
69e79b9ab5417815f7f988d0fe61af32e98a3094ca10910cb17c0b4daba085ce

SHA512
8b034c1a51cbd33504a86a8a8058de1bcc2e79700464cb4d6f235ffab99ed52ce89bba96dd6685d61ffffeca33ce96cd2479ad54cb211c8f977b4f07a8555811

Download Submit
C:\Windows\{89623A1C-1E43-44ab-8B59-2918F8423E0F}.exe

Filesize
168KB

MD5
5d138bd0fcedd65f9104b8211cf8cd0e

SHA1
deafb25059f52f0929f40bb8defb0b71f0df2482

SHA256
69e79b9ab5417815f7f988d0fe61af32e98a3094ca10910cb17c0b4daba085ce

SHA512
8b034c1a51cbd33504a86a8a8058de1bcc2e79700464cb4d6f235ffab99ed52ce89bba96dd6685d61ffffeca33ce96cd2479ad54cb211c8f977b4f07a8555811

Download Submit
C:\Windows\{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe

Filesize
168KB

MD5
f83512b1f5103d12891def7ef9a7cbc8

SHA1
22116e9d5b48559d8b28e05f54fe626b3c66ef30

SHA256
a31eb2992423cb12eaec414b867a00e4643de42571b8a05c9f2d1517762610da

SHA512
f98989ecbd8ebafe5f8dd393174b593d35d2d637327d039cba3a1e9be43826abe01fdd3d2e084ef2048a60589fbcd67e6c7ea96ce6afdcee5295ed34e4d2cab6

Download Submit
C:\Windows\{8CCFF680-6A99-4a45-A710-E5A0A09DAAEF}.exe

Filesize
168KB

MD5
f83512b1f5103d12891def7ef9a7cbc8

SHA1
22116e9d5b48559d8b28e05f54fe626b3c66ef30

SHA256
a31eb2992423cb12eaec414b867a00e4643de42571b8a05c9f2d1517762610da

SHA512
f98989ecbd8ebafe5f8dd393174b593d35d2d637327d039cba3a1e9be43826abe01fdd3d2e084ef2048a60589fbcd67e6c7ea96ce6afdcee5295ed34e4d2cab6

Download Submit
C:\Windows\{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe

Filesize
168KB

MD5
3f47a748cd60907964e9707028c034cd

SHA1
6b09c92340a9e93ae0b6bf89935564c4a7418755

SHA256
7fe402fa67e4a3b4bc6f579d7a1cbdf4d12d84351f65c735f22457b9fe8b986a

SHA512
0c80135df8a4e3b2e899365d907c63767ab698e3e14d64275c75d2d30e233c77db2cedb67f54818a4703b97ae9025de7c3df2cd497490d41328a60ffde0acc69

Download Submit
C:\Windows\{AEE4A216-FBB7-4dc5-956B-EFC8DDC7EEA1}.exe

Filesize
168KB

MD5
3f47a748cd60907964e9707028c034cd

SHA1
6b09c92340a9e93ae0b6bf89935564c4a7418755

SHA256
7fe402fa67e4a3b4bc6f579d7a1cbdf4d12d84351f65c735f22457b9fe8b986a

SHA512
0c80135df8a4e3b2e899365d907c63767ab698e3e14d64275c75d2d30e233c77db2cedb67f54818a4703b97ae9025de7c3df2cd497490d41328a60ffde0acc69

Download Submit
C:\Windows\{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe

Filesize
168KB

MD5
0cff046cf2eb54c89e523918b4498127

SHA1
cb53b4bb563cf7a71f11c7f8ea40ff4b7acc3585

SHA256
2fce2097b383affdf350a155ef0ea3d0f64e352735f4cf44882f5fe3356a5b39

SHA512
f5312a72ad4b9e5ed06d1c2d6fb7b8f2632a257675051e6e6b3b793b0d1de82af99abd10156d9dd8a334953d8dcff73dee5316740d090d9d8a39e3e2d5a0e8d9

Download Submit
C:\Windows\{CDD4751C-17F6-414f-998D-96CF74F24EB3}.exe

Filesize
168KB

MD5
0cff046cf2eb54c89e523918b4498127

SHA1
cb53b4bb563cf7a71f11c7f8ea40ff4b7acc3585

SHA256
2fce2097b383affdf350a155ef0ea3d0f64e352735f4cf44882f5fe3356a5b39

SHA512
f5312a72ad4b9e5ed06d1c2d6fb7b8f2632a257675051e6e6b3b793b0d1de82af99abd10156d9dd8a334953d8dcff73dee5316740d090d9d8a39e3e2d5a0e8d9

Download Submit
C:\Windows\{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe

Filesize
168KB

MD5
2c43ad25a15780482c360400a4454412

SHA1
313fae44b19140254c0a3224893278a5246346f5

SHA256
ac4072111f379737c53d345ebf2bd19465fd5109a3f9bceb0847bca80def1d76

SHA512
d3790a46e3e0093a16066c601f00aa9dd43d39f295c08d0377c1efb1367618662e9df475b9421b4d28d3f2d33e28f2476a2d8cd51f63c36ca0ea84dd70e235b3

Download Submit
C:\Windows\{D2FA21E7-1EB4-4d5f-BB6D-41E6496D2EF4}.exe

Filesize
168KB

MD5
2c43ad25a15780482c360400a4454412

SHA1
313fae44b19140254c0a3224893278a5246346f5

SHA256
ac4072111f379737c53d345ebf2bd19465fd5109a3f9bceb0847bca80def1d76

SHA512
d3790a46e3e0093a16066c601f00aa9dd43d39f295c08d0377c1efb1367618662e9df475b9421b4d28d3f2d33e28f2476a2d8cd51f63c36ca0ea84dd70e235b3

Download Submit
C:\Windows\{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe

Filesize
168KB

MD5
38778b09e9a4275f57cf968c4da7758d

SHA1
2450eaf822b99338ed3301c89119970dccdbdd20

SHA256
83dc41e10375d836d62c2a8dee182e965e9422eb7502ff0c33ebdc478db0b9d0

SHA512
90d5aa2b6da2d352a93bb82097be1c7189316358b1d545dc77fbaec904f74cf0c5cc84321658829cc4d6af9b63093591dbb31f744221c3a5a877b01b960a8a76

Download Submit
C:\Windows\{D8688729-EE5E-49b0-967D-4E5F7B0CA82F}.exe

Filesize
168KB

MD5
38778b09e9a4275f57cf968c4da7758d

SHA1
2450eaf822b99338ed3301c89119970dccdbdd20

SHA256
83dc41e10375d836d62c2a8dee182e965e9422eb7502ff0c33ebdc478db0b9d0

SHA512
90d5aa2b6da2d352a93bb82097be1c7189316358b1d545dc77fbaec904f74cf0c5cc84321658829cc4d6af9b63093591dbb31f744221c3a5a877b01b960a8a76

Download Submit
C:\Windows\{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe

Filesize
168KB

MD5
1123b3a993983ecea07ddd4d77d4b104

SHA1
20ba0a56be6110d215ad7fb2f82ec3c206c8c753

SHA256
fa041965520577cfd6e7218ae065270ecaaf6c26f406ec60dda754507dbef4c1

SHA512
95034a8f4d2872a859e7d42654b096aee9b57dc762dd8ba0f0b7309f568353e66ad43bd833da18b2764a09acc47aab0d65c7d6ec9e13a82f9777bdd9d3412d49

Download Submit
C:\Windows\{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe

Filesize
168KB

MD5
1123b3a993983ecea07ddd4d77d4b104

SHA1
20ba0a56be6110d215ad7fb2f82ec3c206c8c753

SHA256
fa041965520577cfd6e7218ae065270ecaaf6c26f406ec60dda754507dbef4c1

SHA512
95034a8f4d2872a859e7d42654b096aee9b57dc762dd8ba0f0b7309f568353e66ad43bd833da18b2764a09acc47aab0d65c7d6ec9e13a82f9777bdd9d3412d49

Download Submit
C:\Windows\{EA80B43B-FADD-4e2d-921F-4BD0D22F6F8D}.exe

Filesize
168KB

MD5
1123b3a993983ecea07ddd4d77d4b104

SHA1
20ba0a56be6110d215ad7fb2f82ec3c206c8c753

SHA256
fa041965520577cfd6e7218ae065270ecaaf6c26f406ec60dda754507dbef4c1

SHA512
95034a8f4d2872a859e7d42654b096aee9b57dc762dd8ba0f0b7309f568353e66ad43bd833da18b2764a09acc47aab0d65c7d6ec9e13a82f9777bdd9d3412d49

Download Submit
C:\Windows\{FC36B917-4798-4892-80D2-E14BCC79584E}.exe

Filesize
168KB

MD5
faf5737f0ce1443a00140c1adafcc23d

SHA1
29906f3c23c2c3bb48fb3d8c7c9a94381834045a

SHA256
315bbd52935b80e7a76c8f26e071d121cb5606b4a9886cc8b3932b056e5d4743

SHA512
b596fb6d2529695e26c6a7f836f83179b5cdaac7f06d71524ed92d4749361d777a91e002d8e4665a059d00aa41829b48c0f0305d9072bd4821ee732d929ee096

Download Submit
C:\Windows\{FC36B917-4798-4892-80D2-E14BCC79584E}.exe

Filesize
168KB

MD5
faf5737f0ce1443a00140c1adafcc23d

SHA1
29906f3c23c2c3bb48fb3d8c7c9a94381834045a

SHA256
315bbd52935b80e7a76c8f26e071d121cb5606b4a9886cc8b3932b056e5d4743

SHA512
b596fb6d2529695e26c6a7f836f83179b5cdaac7f06d71524ed92d4749361d777a91e002d8e4665a059d00aa41829b48c0f0305d9072bd4821ee732d929ee096

Download Submit