775782ebfbed97854671595ab7ed9388905110ad217ce1caf54ee3480a28028a

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c5439eec115bfexeexeexeex.exe
Size

168KB
MD5

3c5439eec115bf95c23a84c6722b1763
SHA1

7937827d602db97a3b8e1618524d2bae973d4585
SHA256

775782ebfbed97854671595ab7ed9388905110ad217ce1caf54ee3480a28028a
SHA512

6eabbd746bcf94f8b568eda3a2a4492e79411bc24208afaf4502f0b6019566851c2f9d4fad64edb6e44e5166276f058a0f9f78e4eecd44dc2dc289b321230b45
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FA29F52-957A-4ddc-BD0A-C2F35D700036}	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1115B189-D065-4cfd-9930-E774CA471075}	{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAF1186B-C375-4d08-A3A5-91AEE682784E}	{1115B189-D065-4cfd-9930-E774CA471075}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}\stubpath = "C:\\Windows\\{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe"	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17CD468E-23F7-4f48-AD13-1359A7AF4103}\stubpath = "C:\\Windows\\{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe"	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}\stubpath = "C:\\Windows\\{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe"	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1931C1A2-02CF-4451-B15D-5688EEFEE729}	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1931C1A2-02CF-4451-B15D-5688EEFEE729}\stubpath = "C:\\Windows\\{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe"	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B30A768C-CFB7-4c58-8176-50E31CBB878D}\stubpath = "C:\\Windows\\{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe"	3c5439eec115bfexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17CD468E-23F7-4f48-AD13-1359A7AF4103}	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}\stubpath = "C:\\Windows\\{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe"	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1115B189-D065-4cfd-9930-E774CA471075}\stubpath = "C:\\Windows\\{1115B189-D065-4cfd-9930-E774CA471075}.exe"	{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}\stubpath = "C:\\Windows\\{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe"	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B2E733B-83B9-4e16-B81A-4A452F085723}	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B2E733B-83B9-4e16-B81A-4A452F085723}\stubpath = "C:\\Windows\\{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe"	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B30A768C-CFB7-4c58-8176-50E31CBB878D}	3c5439eec115bfexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}\stubpath = "C:\\Windows\\{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe"	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FA29F52-957A-4ddc-BD0A-C2F35D700036}\stubpath = "C:\\Windows\\{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe"	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EAF1186B-C375-4d08-A3A5-91AEE682784E}\stubpath = "C:\\Windows\\{EAF1186B-C375-4d08-A3A5-91AEE682784E}.exe"	{1115B189-D065-4cfd-9930-E774CA471075}.exe

Executes dropped EXE 12 IoCs

pid	Process
4072	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe
408	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe
3236	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe
2828	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe
3872	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe
656	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe
1676	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe
3784	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe
4504	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe
2356	{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe
1712	{1115B189-D065-4cfd-9930-E774CA471075}.exe
3572	{EAF1186B-C375-4d08-A3A5-91AEE682784E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe
File created	C:\Windows\{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe
File created	C:\Windows\{1115B189-D065-4cfd-9930-E774CA471075}.exe	{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe
File created	C:\Windows\{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe	3c5439eec115bfexeexeexeex.exe
File created	C:\Windows\{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe
File created	C:\Windows\{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe
File created	C:\Windows\{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe
File created	C:\Windows\{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe
File created	C:\Windows\{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe
File created	C:\Windows\{EAF1186B-C375-4d08-A3A5-91AEE682784E}.exe	{1115B189-D065-4cfd-9930-E774CA471075}.exe
File created	C:\Windows\{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe
File created	C:\Windows\{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3908	3c5439eec115bfexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4072	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe
Token: SeIncBasePriorityPrivilege	408	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe
Token: SeIncBasePriorityPrivilege	3236	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe
Token: SeIncBasePriorityPrivilege	2828	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe
Token: SeIncBasePriorityPrivilege	3872	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe
Token: SeIncBasePriorityPrivilege	656	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe
Token: SeIncBasePriorityPrivilege	1676	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe
Token: SeIncBasePriorityPrivilege	3784	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe
Token: SeIncBasePriorityPrivilege	4504	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe
Token: SeIncBasePriorityPrivilege	2356	{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe
Token: SeIncBasePriorityPrivilege	1712	{1115B189-D065-4cfd-9930-E774CA471075}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 4072	3908	3c5439eec115bfexeexeexeex.exe	89
PID 3908 wrote to memory of 4072	3908	3c5439eec115bfexeexeexeex.exe	89
PID 3908 wrote to memory of 4072	3908	3c5439eec115bfexeexeexeex.exe	89
PID 3908 wrote to memory of 4600	3908	3c5439eec115bfexeexeexeex.exe	90
PID 3908 wrote to memory of 4600	3908	3c5439eec115bfexeexeexeex.exe	90
PID 3908 wrote to memory of 4600	3908	3c5439eec115bfexeexeexeex.exe	90
PID 4072 wrote to memory of 408	4072	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe	91
PID 4072 wrote to memory of 408	4072	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe	91
PID 4072 wrote to memory of 408	4072	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe	91
PID 4072 wrote to memory of 4488	4072	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe	92
PID 4072 wrote to memory of 4488	4072	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe	92
PID 4072 wrote to memory of 4488	4072	{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe	92
PID 408 wrote to memory of 3236	408	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe	97
PID 408 wrote to memory of 3236	408	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe	97
PID 408 wrote to memory of 3236	408	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe	97
PID 408 wrote to memory of 3996	408	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe	96
PID 408 wrote to memory of 3996	408	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe	96
PID 408 wrote to memory of 3996	408	{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe	96
PID 3236 wrote to memory of 2828	3236	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe	98
PID 3236 wrote to memory of 2828	3236	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe	98
PID 3236 wrote to memory of 2828	3236	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe	98
PID 3236 wrote to memory of 4424	3236	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe	99
PID 3236 wrote to memory of 4424	3236	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe	99
PID 3236 wrote to memory of 4424	3236	{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe	99
PID 2828 wrote to memory of 3872	2828	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe	100
PID 2828 wrote to memory of 3872	2828	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe	100
PID 2828 wrote to memory of 3872	2828	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe	100
PID 2828 wrote to memory of 868	2828	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe	101
PID 2828 wrote to memory of 868	2828	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe	101
PID 2828 wrote to memory of 868	2828	{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe	101
PID 3872 wrote to memory of 656	3872	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe	102
PID 3872 wrote to memory of 656	3872	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe	102
PID 3872 wrote to memory of 656	3872	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe	102
PID 3872 wrote to memory of 3004	3872	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe	103
PID 3872 wrote to memory of 3004	3872	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe	103
PID 3872 wrote to memory of 3004	3872	{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe	103
PID 656 wrote to memory of 1676	656	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe	104
PID 656 wrote to memory of 1676	656	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe	104
PID 656 wrote to memory of 1676	656	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe	104
PID 656 wrote to memory of 1356	656	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe	105
PID 656 wrote to memory of 1356	656	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe	105
PID 656 wrote to memory of 1356	656	{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe	105
PID 1676 wrote to memory of 3784	1676	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe	106
PID 1676 wrote to memory of 3784	1676	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe	106
PID 1676 wrote to memory of 3784	1676	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe	106
PID 1676 wrote to memory of 1316	1676	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe	107
PID 1676 wrote to memory of 1316	1676	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe	107
PID 1676 wrote to memory of 1316	1676	{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe	107
PID 3784 wrote to memory of 4504	3784	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe	108
PID 3784 wrote to memory of 4504	3784	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe	108
PID 3784 wrote to memory of 4504	3784	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe	108
PID 3784 wrote to memory of 4500	3784	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe	109
PID 3784 wrote to memory of 4500	3784	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe	109
PID 3784 wrote to memory of 4500	3784	{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe	109
PID 4504 wrote to memory of 2356	4504	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe	110
PID 4504 wrote to memory of 2356	4504	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe	110
PID 4504 wrote to memory of 2356	4504	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe	110
PID 4504 wrote to memory of 3168	4504	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe	111
PID 4504 wrote to memory of 3168	4504	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe	111
PID 4504 wrote to memory of 3168	4504	{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe	111
PID 2356 wrote to memory of 1712	2356	{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe	112
PID 2356 wrote to memory of 1712	2356	{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe	112
PID 2356 wrote to memory of 1712	2356	{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe	112
PID 2356 wrote to memory of 4392	2356	{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe	113

C:\Users\Admin\AppData\Local\Temp\3c5439eec115bfexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\3c5439eec115bfexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe
  C:\Windows\{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4072
- - C:\Windows\{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe
    C:\Windows\{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{501BA~1.EXE > nul
      4⤵
      PID:3996
  - - C:\Windows\{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe
      C:\Windows\{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Windows\{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe
        
        C:\Windows\{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe
        
        C:\Windows\{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe
        
        C:\Windows\{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe
        
        C:\Windows\{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe
        
        C:\Windows\{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe
        
        C:\Windows\{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe
        
        C:\Windows\{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\{1115B189-D065-4cfd-9930-E774CA471075}.exe
        
        C:\Windows\{1115B189-D065-4cfd-9930-E774CA471075}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\{EAF1186B-C375-4d08-A3A5-91AEE682784E}.exe
        
        C:\Windows\{EAF1186B-C375-4d08-A3A5-91AEE682784E}.exe
        13⤵
        Executes dropped EXE
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1115B~1.EXE > nul
        13⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1931C~1.EXE > nul
        12⤵
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B2E7~1.EXE > nul
        11⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC7A5~1.EXE > nul
        10⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FA29~1.EXE > nul
        9⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{778F9~1.EXE > nul
        8⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{250F2~1.EXE > nul
        7⤵
        
        PID:3004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D23F~1.EXE > nul
        6⤵
        
        PID:868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{17CD4~1.EXE > nul
        5⤵
        
        PID:4424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B30A7~1.EXE > nul
    3⤵
    PID:4488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3C5439~1.EXE > nul
  2⤵
  PID:4600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1115B189-D065-4cfd-9930-E774CA471075}.exe

Filesize
168KB

MD5
479df9142ba648075a058885857f6c8e

SHA1
a614ce9d112a2e4ecde8d1cc3d20ac32fbad93e9

SHA256
fe9207da32ead9a2dba486c60f4f3a55815cc2a355f5c3016e072cc98336aa68

SHA512
079621f51cb3d01ecf86ee90e571ce4d1ae81b232679d4a88782d79f6d68d16c398051eab98b9a282d75dfc6c354b81c91f38e1da38b84f12def466b76290031

Download Submit
C:\Windows\{1115B189-D065-4cfd-9930-E774CA471075}.exe

Filesize
168KB

MD5
479df9142ba648075a058885857f6c8e

SHA1
a614ce9d112a2e4ecde8d1cc3d20ac32fbad93e9

SHA256
fe9207da32ead9a2dba486c60f4f3a55815cc2a355f5c3016e072cc98336aa68

SHA512
079621f51cb3d01ecf86ee90e571ce4d1ae81b232679d4a88782d79f6d68d16c398051eab98b9a282d75dfc6c354b81c91f38e1da38b84f12def466b76290031

Download Submit
C:\Windows\{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe

Filesize
168KB

MD5
57dfc6b9a27d4b2aa05dcfce9dd63d49

SHA1
21e84fb9c341752689c9528c4040097c58c6ab94

SHA256
e500ca3e3dca073dd0e5795c58c38a2486265eb74631a9f555183d53015fc936

SHA512
30d6d95af3b9903cb6ea76a7b4336b191eda2ab3d732e09c07c890f421da2b2527d0fcef8995829df6d2fd8e4302a2aae0640235e0ba74cd112507102ecd44e1

Download Submit
C:\Windows\{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe

Filesize
168KB

MD5
57dfc6b9a27d4b2aa05dcfce9dd63d49

SHA1
21e84fb9c341752689c9528c4040097c58c6ab94

SHA256
e500ca3e3dca073dd0e5795c58c38a2486265eb74631a9f555183d53015fc936

SHA512
30d6d95af3b9903cb6ea76a7b4336b191eda2ab3d732e09c07c890f421da2b2527d0fcef8995829df6d2fd8e4302a2aae0640235e0ba74cd112507102ecd44e1

Download Submit
C:\Windows\{17CD468E-23F7-4f48-AD13-1359A7AF4103}.exe

Filesize
168KB

MD5
57dfc6b9a27d4b2aa05dcfce9dd63d49

SHA1
21e84fb9c341752689c9528c4040097c58c6ab94

SHA256
e500ca3e3dca073dd0e5795c58c38a2486265eb74631a9f555183d53015fc936

SHA512
30d6d95af3b9903cb6ea76a7b4336b191eda2ab3d732e09c07c890f421da2b2527d0fcef8995829df6d2fd8e4302a2aae0640235e0ba74cd112507102ecd44e1

Download Submit
C:\Windows\{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe

Filesize
168KB

MD5
0bd81548bc2367b2a497e76fea0eaecd

SHA1
3f23c7bedcae7308ffb12b8ecf3a00198645623c

SHA256
b8d576c8910d756ffc4ab6a7ea5ef90f89a7f56226bef0958601ed8aeaea8f58

SHA512
26c18eac5455d97906f0dd698a2f500cae911ae22d23e88f663a0d607271a3eeab3189fab8d2aaf836a8daafbebcde30ecd90fe5315a0fbc8c655eb71413110b

Download Submit
C:\Windows\{1931C1A2-02CF-4451-B15D-5688EEFEE729}.exe

Filesize
168KB

MD5
0bd81548bc2367b2a497e76fea0eaecd

SHA1
3f23c7bedcae7308ffb12b8ecf3a00198645623c

SHA256
b8d576c8910d756ffc4ab6a7ea5ef90f89a7f56226bef0958601ed8aeaea8f58

SHA512
26c18eac5455d97906f0dd698a2f500cae911ae22d23e88f663a0d607271a3eeab3189fab8d2aaf836a8daafbebcde30ecd90fe5315a0fbc8c655eb71413110b

Download Submit
C:\Windows\{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe

Filesize
168KB

MD5
f0ee92778dfeafe049775aa580edf545

SHA1
c98bf7c37f3dcf6fc36c100b263623eab52e98a9

SHA256
01ced76d132c882785ecfda3c4e596f95bb093a2917081414cb4949fcec95a4f

SHA512
46cfd0036fc58c33ef6b8476b5ca6a0edf47578d7b8fe99ec30a71cb4b8740612fd59d50d8fcc719ad83799cd314896aeed1a69fb700cb2102a9bd7f2f1bb317

Download Submit
C:\Windows\{1FA29F52-957A-4ddc-BD0A-C2F35D700036}.exe

Filesize
168KB

MD5
f0ee92778dfeafe049775aa580edf545

SHA1
c98bf7c37f3dcf6fc36c100b263623eab52e98a9

SHA256
01ced76d132c882785ecfda3c4e596f95bb093a2917081414cb4949fcec95a4f

SHA512
46cfd0036fc58c33ef6b8476b5ca6a0edf47578d7b8fe99ec30a71cb4b8740612fd59d50d8fcc719ad83799cd314896aeed1a69fb700cb2102a9bd7f2f1bb317

Download Submit
C:\Windows\{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe

Filesize
168KB

MD5
aed8884db40445413c71c6afc147d653

SHA1
1f90ac5c3c64b86be014ec782b3307502a828337

SHA256
a0cb7c82f38d1db202f89b2dd67cc4b719541e6221d9b894741af0ce0b967305

SHA512
51955f9cd6a04dc4ae98d2934173df827602a29c694005eee905152cbe506e5e77a7d8efdd990bcd3aaf2e04c4ed9e61568e1b37e1f30f151326bfcf4306d0cd

Download Submit
C:\Windows\{250F2F1C-73DF-4393-9440-AFAAEAB9A91F}.exe

Filesize
168KB

MD5
aed8884db40445413c71c6afc147d653

SHA1
1f90ac5c3c64b86be014ec782b3307502a828337

SHA256
a0cb7c82f38d1db202f89b2dd67cc4b719541e6221d9b894741af0ce0b967305

SHA512
51955f9cd6a04dc4ae98d2934173df827602a29c694005eee905152cbe506e5e77a7d8efdd990bcd3aaf2e04c4ed9e61568e1b37e1f30f151326bfcf4306d0cd

Download Submit
C:\Windows\{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe

Filesize
168KB

MD5
55959babed98142263ab7251ff469f40

SHA1
75bc2ac368bffe866ac6ad7b53d3033830ac105d

SHA256
ead70e90983968b665a0ff469e7e3b567280cddca652b0936bb719d830b4a995

SHA512
6e40c5fd0342c928a9b547ce0f7dc4fe657b307b2e1e7dedf171dd8774cae26f1566ee112c8e55b2ae20a242b41822bfcf0fe7709c47a09ce6c03c1922c2d50b

Download Submit
C:\Windows\{501BAB0D-F78C-44f1-A9C1-06909F4C08DE}.exe

Filesize
168KB

MD5
55959babed98142263ab7251ff469f40

SHA1
75bc2ac368bffe866ac6ad7b53d3033830ac105d

SHA256
ead70e90983968b665a0ff469e7e3b567280cddca652b0936bb719d830b4a995

SHA512
6e40c5fd0342c928a9b547ce0f7dc4fe657b307b2e1e7dedf171dd8774cae26f1566ee112c8e55b2ae20a242b41822bfcf0fe7709c47a09ce6c03c1922c2d50b

Download Submit
C:\Windows\{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe

Filesize
168KB

MD5
d5c6b78796afc7f2c0fe734e35b768dc

SHA1
53b2ec21c525a06dccc63e1743d959053cd25e6e

SHA256
a347eb38667cb19707bdf8b7826645c8c8fa9611a3be31ab74b670fbb65f78cd

SHA512
da38eb9ef75c7e8c300eb4dfc06ef7c1cdf90decd4c38bfaa485d89526623b7d177cfb93b32fc6ca687415ad85f17dbc0241df4c6abbaa3b87f82827a6392650

Download Submit
C:\Windows\{6B2E733B-83B9-4e16-B81A-4A452F085723}.exe

Filesize
168KB

MD5
d5c6b78796afc7f2c0fe734e35b768dc

SHA1
53b2ec21c525a06dccc63e1743d959053cd25e6e

SHA256
a347eb38667cb19707bdf8b7826645c8c8fa9611a3be31ab74b670fbb65f78cd

SHA512
da38eb9ef75c7e8c300eb4dfc06ef7c1cdf90decd4c38bfaa485d89526623b7d177cfb93b32fc6ca687415ad85f17dbc0241df4c6abbaa3b87f82827a6392650

Download Submit
C:\Windows\{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe

Filesize
168KB

MD5
36f8df404e615d6c055edb27acfd95d5

SHA1
a7cdc534e4c25a6a7b6588960c78191325b7b21a

SHA256
cff8260ca7a2853c4e62e501e1308ccafd39e28e9995b3be58103790f36039a6

SHA512
73b92184b8eea7426b2492ba57889e34442edc1e68b06a8b16c09b7cb0b770cb8c81b625b9a64016e414bf0944f89e0755473a3c66683d5d7414c5d239d010b3

Download Submit
C:\Windows\{778F9ED4-D1E1-4e2e-8AB1-B840DB3AADDE}.exe

Filesize
168KB

MD5
36f8df404e615d6c055edb27acfd95d5

SHA1
a7cdc534e4c25a6a7b6588960c78191325b7b21a

SHA256
cff8260ca7a2853c4e62e501e1308ccafd39e28e9995b3be58103790f36039a6

SHA512
73b92184b8eea7426b2492ba57889e34442edc1e68b06a8b16c09b7cb0b770cb8c81b625b9a64016e414bf0944f89e0755473a3c66683d5d7414c5d239d010b3

Download Submit
C:\Windows\{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe

Filesize
168KB

MD5
cb5df8e6e99a03e7fc196edd7cdc6f24

SHA1
1792a549362b2787994d302c84df9715c164e22c

SHA256
19d6afafae3681616a2e21462eb5807d6e11076dce68e17c2f9e1f4dfbcb63b8

SHA512
046a95379fdc74edd8c8c78063899c826536ce3ceb37e9cbbd1b990344b98a06f3f23549be43c7332d9a0e23b844af4f6357608b384b4870e87a6f55f21eefab

Download Submit
C:\Windows\{9D23F4BE-A0A8-440f-9FE4-BB98BA8A34ED}.exe

Filesize
168KB

MD5
cb5df8e6e99a03e7fc196edd7cdc6f24

SHA1
1792a549362b2787994d302c84df9715c164e22c

SHA256
19d6afafae3681616a2e21462eb5807d6e11076dce68e17c2f9e1f4dfbcb63b8

SHA512
046a95379fdc74edd8c8c78063899c826536ce3ceb37e9cbbd1b990344b98a06f3f23549be43c7332d9a0e23b844af4f6357608b384b4870e87a6f55f21eefab

Download Submit
C:\Windows\{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe

Filesize
168KB

MD5
35adec4f88913c325c5fb4868e4d7140

SHA1
a9f5a47b899dffd10043f2421995d8303358316b

SHA256
ba2e82e4deaecf2b4a98d51220e2ddfb9b16971a09541ae405c01323d6ec20dd

SHA512
dd316bbf14a3a857aa453923487ceff1aff16bbb35edc8a400b9d615c5c391d08a937721cb62dfa7da6395b5647212619f3f91a7984a9218c8c7e60b903bc4ff

Download Submit
C:\Windows\{B30A768C-CFB7-4c58-8176-50E31CBB878D}.exe

Filesize
168KB

MD5
35adec4f88913c325c5fb4868e4d7140

SHA1
a9f5a47b899dffd10043f2421995d8303358316b

SHA256
ba2e82e4deaecf2b4a98d51220e2ddfb9b16971a09541ae405c01323d6ec20dd

SHA512
dd316bbf14a3a857aa453923487ceff1aff16bbb35edc8a400b9d615c5c391d08a937721cb62dfa7da6395b5647212619f3f91a7984a9218c8c7e60b903bc4ff

Download Submit
C:\Windows\{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe

Filesize
168KB

MD5
da8737604ac73139ad73153c9ce7800e

SHA1
b6cc1af5140edb8062f565a963a80638ddb457be

SHA256
d4fe36123b611bd29a6b6cfae5ddd867c4dc9bb682e866318d15499e7fa0eac7

SHA512
a3a7f2f37005722c9ccd8c38f9b1d0d6586260e3aed5b3bef2c83eb8a1705093a0a5f820e895e3919a2c954ff77feae657a31583d971f6ba59872df6c8de2f20

Download Submit
C:\Windows\{DC7A540A-74DF-4930-9AC1-6E07F66F61F6}.exe

Filesize
168KB

MD5
da8737604ac73139ad73153c9ce7800e

SHA1
b6cc1af5140edb8062f565a963a80638ddb457be

SHA256
d4fe36123b611bd29a6b6cfae5ddd867c4dc9bb682e866318d15499e7fa0eac7

SHA512
a3a7f2f37005722c9ccd8c38f9b1d0d6586260e3aed5b3bef2c83eb8a1705093a0a5f820e895e3919a2c954ff77feae657a31583d971f6ba59872df6c8de2f20

Download Submit
C:\Windows\{EAF1186B-C375-4d08-A3A5-91AEE682784E}.exe

Filesize
168KB

MD5
11ec29284c94bc8d5f877ad6f62a1aaa

SHA1
a9b9e1c24a7ab0cda4ffce6f01da9570c4336b5c

SHA256
fdb1150ed257c1da98c278c75b16ae303853996e967c7366c3254b9da964bb96

SHA512
748bbcf4a31523de8653d77e8ffa5306a35c56310b50e4250b9b0fda035b705b96520411c0cb7dd74a7ec66848e1a693771e64b5e961ba11c3e2b0a1ec1d20d9

Download Submit
C:\Windows\{EAF1186B-C375-4d08-A3A5-91AEE682784E}.exe

Filesize
168KB

MD5
11ec29284c94bc8d5f877ad6f62a1aaa

SHA1
a9b9e1c24a7ab0cda4ffce6f01da9570c4336b5c

SHA256
fdb1150ed257c1da98c278c75b16ae303853996e967c7366c3254b9da964bb96

SHA512
748bbcf4a31523de8653d77e8ffa5306a35c56310b50e4250b9b0fda035b705b96520411c0cb7dd74a7ec66848e1a693771e64b5e961ba11c3e2b0a1ec1d20d9

Download Submit