f66ffe9563e0208901a5d3da3d990f5f0c96ddc970920329b45effed7847c192

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 17:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4104a3469da45fexeexeexeex.exe
Size

204KB
MD5

4104a3469da45fb0020ebbbd6eab7b0a
SHA1

4db8f05d3d496ad2c3f9ea3370af69e6a981913b
SHA256

f66ffe9563e0208901a5d3da3d990f5f0c96ddc970920329b45effed7847c192
SHA512

571ca9118c978cb6953fe2795b3fc8ef052bd50d82273eb63c21b7184785531c369beb3c2e46a4eb724f424cd89a98e6b4e7c163fb3952ba51139965722e003a
SSDEEP

1536:1EGh0oxYl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oCl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}\stubpath = "C:\\Windows\\{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe"	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B049AE6-38B6-4ece-89C2-CA3F48848395}\stubpath = "C:\\Windows\\{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe"	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{231083C7-2EBA-4962-998C-39EBE1B94FB1}	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{231083C7-2EBA-4962-998C-39EBE1B94FB1}\stubpath = "C:\\Windows\\{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe"	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6F86935-0A44-4d7a-B75B-595957D6DEC0}	4104a3469da45fexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC172184-B95C-4bb8-B696-39FBB304516E}	{2FC0FC67-D242-46a3-921A-05325B42839F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC172184-B95C-4bb8-B696-39FBB304516E}\stubpath = "C:\\Windows\\{CC172184-B95C-4bb8-B696-39FBB304516E}.exe"	{2FC0FC67-D242-46a3-921A-05325B42839F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}\stubpath = "C:\\Windows\\{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe"	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}\stubpath = "C:\\Windows\\{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe"	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}\stubpath = "C:\\Windows\\{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe"	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B049AE6-38B6-4ece-89C2-CA3F48848395}	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC0FC67-D242-46a3-921A-05325B42839F}	{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FC0FC67-D242-46a3-921A-05325B42839F}\stubpath = "C:\\Windows\\{2FC0FC67-D242-46a3-921A-05325B42839F}.exe"	{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2F58FC8-B95B-471c-910A-9832B956F411}	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2F58FC8-B95B-471c-910A-9832B956F411}\stubpath = "C:\\Windows\\{A2F58FC8-B95B-471c-910A-9832B956F411}.exe"	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6F86935-0A44-4d7a-B75B-595957D6DEC0}\stubpath = "C:\\Windows\\{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe"	4104a3469da45fexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}\stubpath = "C:\\Windows\\{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe"	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}\stubpath = "C:\\Windows\\{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe"	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe

Executes dropped EXE 12 IoCs

pid	Process
232	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe
2004	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe
2844	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe
4716	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe
3544	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe
4276	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe
1220	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe
1108	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe
2808	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe
828	{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe
2728	{2FC0FC67-D242-46a3-921A-05325B42839F}.exe
4404	{CC172184-B95C-4bb8-B696-39FBB304516E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2FC0FC67-D242-46a3-921A-05325B42839F}.exe	{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe
File created	C:\Windows\{CC172184-B95C-4bb8-B696-39FBB304516E}.exe	{2FC0FC67-D242-46a3-921A-05325B42839F}.exe
File created	C:\Windows\{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe
File created	C:\Windows\{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe
File created	C:\Windows\{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe
File created	C:\Windows\{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe
File created	C:\Windows\{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe
File created	C:\Windows\{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe
File created	C:\Windows\{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe	4104a3469da45fexeexeexeex.exe
File created	C:\Windows\{A2F58FC8-B95B-471c-910A-9832B956F411}.exe	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe
File created	C:\Windows\{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe
File created	C:\Windows\{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2972	4104a3469da45fexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	232	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe
Token: SeIncBasePriorityPrivilege	2004	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe
Token: SeIncBasePriorityPrivilege	2844	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe
Token: SeIncBasePriorityPrivilege	4716	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe
Token: SeIncBasePriorityPrivilege	3544	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe
Token: SeIncBasePriorityPrivilege	4276	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe
Token: SeIncBasePriorityPrivilege	1220	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe
Token: SeIncBasePriorityPrivilege	1108	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe
Token: SeIncBasePriorityPrivilege	2808	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe
Token: SeIncBasePriorityPrivilege	828	{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe
Token: SeIncBasePriorityPrivilege	2728	{2FC0FC67-D242-46a3-921A-05325B42839F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 232	2972	4104a3469da45fexeexeexeex.exe	83
PID 2972 wrote to memory of 232	2972	4104a3469da45fexeexeexeex.exe	83
PID 2972 wrote to memory of 232	2972	4104a3469da45fexeexeexeex.exe	83
PID 2972 wrote to memory of 3656	2972	4104a3469da45fexeexeexeex.exe	84
PID 2972 wrote to memory of 3656	2972	4104a3469da45fexeexeexeex.exe	84
PID 2972 wrote to memory of 3656	2972	4104a3469da45fexeexeexeex.exe	84
PID 232 wrote to memory of 2004	232	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe	85
PID 232 wrote to memory of 2004	232	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe	85
PID 232 wrote to memory of 2004	232	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe	85
PID 232 wrote to memory of 3624	232	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe	86
PID 232 wrote to memory of 3624	232	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe	86
PID 232 wrote to memory of 3624	232	{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe	86
PID 2004 wrote to memory of 2844	2004	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe	88
PID 2004 wrote to memory of 2844	2004	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe	88
PID 2004 wrote to memory of 2844	2004	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe	88
PID 2004 wrote to memory of 972	2004	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe	89
PID 2004 wrote to memory of 972	2004	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe	89
PID 2004 wrote to memory of 972	2004	{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe	89
PID 2844 wrote to memory of 4716	2844	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe	90
PID 2844 wrote to memory of 4716	2844	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe	90
PID 2844 wrote to memory of 4716	2844	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe	90
PID 2844 wrote to memory of 868	2844	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe	91
PID 2844 wrote to memory of 868	2844	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe	91
PID 2844 wrote to memory of 868	2844	{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe	91
PID 4716 wrote to memory of 3544	4716	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe	92
PID 4716 wrote to memory of 3544	4716	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe	92
PID 4716 wrote to memory of 3544	4716	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe	92
PID 4716 wrote to memory of 1456	4716	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe	93
PID 4716 wrote to memory of 1456	4716	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe	93
PID 4716 wrote to memory of 1456	4716	{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe	93
PID 3544 wrote to memory of 4276	3544	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe	94
PID 3544 wrote to memory of 4276	3544	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe	94
PID 3544 wrote to memory of 4276	3544	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe	94
PID 3544 wrote to memory of 3020	3544	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe	95
PID 3544 wrote to memory of 3020	3544	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe	95
PID 3544 wrote to memory of 3020	3544	{A2F58FC8-B95B-471c-910A-9832B956F411}.exe	95
PID 4276 wrote to memory of 1220	4276	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe	96
PID 4276 wrote to memory of 1220	4276	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe	96
PID 4276 wrote to memory of 1220	4276	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe	96
PID 4276 wrote to memory of 3632	4276	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe	97
PID 4276 wrote to memory of 3632	4276	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe	97
PID 4276 wrote to memory of 3632	4276	{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe	97
PID 1220 wrote to memory of 1108	1220	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe	98
PID 1220 wrote to memory of 1108	1220	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe	98
PID 1220 wrote to memory of 1108	1220	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe	98
PID 1220 wrote to memory of 3172	1220	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe	99
PID 1220 wrote to memory of 3172	1220	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe	99
PID 1220 wrote to memory of 3172	1220	{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe	99
PID 1108 wrote to memory of 2808	1108	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe	100
PID 1108 wrote to memory of 2808	1108	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe	100
PID 1108 wrote to memory of 2808	1108	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe	100
PID 1108 wrote to memory of 1516	1108	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe	101
PID 1108 wrote to memory of 1516	1108	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe	101
PID 1108 wrote to memory of 1516	1108	{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe	101
PID 2808 wrote to memory of 828	2808	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe	102
PID 2808 wrote to memory of 828	2808	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe	102
PID 2808 wrote to memory of 828	2808	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe	102
PID 2808 wrote to memory of 1200	2808	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe	103
PID 2808 wrote to memory of 1200	2808	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe	103
PID 2808 wrote to memory of 1200	2808	{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe	103
PID 828 wrote to memory of 2728	828	{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe	104
PID 828 wrote to memory of 2728	828	{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe	104
PID 828 wrote to memory of 2728	828	{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe	104
PID 828 wrote to memory of 1540	828	{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe	105

C:\Users\Admin\AppData\Local\Temp\4104a3469da45fexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\4104a3469da45fexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe
  C:\Windows\{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe
    C:\Windows\{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe
      C:\Windows\{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe
        
        C:\Windows\{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
      - C:\Windows\{A2F58FC8-B95B-471c-910A-9832B956F411}.exe
        
        C:\Windows\{A2F58FC8-B95B-471c-910A-9832B956F411}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe
        
        C:\Windows\{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe
        
        C:\Windows\{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe
        
        C:\Windows\{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe
        
        C:\Windows\{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe
        
        C:\Windows\{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\{2FC0FC67-D242-46a3-921A-05325B42839F}.exe
        
        C:\Windows\{2FC0FC67-D242-46a3-921A-05325B42839F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{CC172184-B95C-4bb8-B696-39FBB304516E}.exe
        
        C:\Windows\{CC172184-B95C-4bb8-B696-39FBB304516E}.exe
        13⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FC0F~1.EXE > nul
        13⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23108~1.EXE > nul
        12⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0BAF~1.EXE > nul
        11⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B049~1.EXE > nul
        10⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D08F3~1.EXE > nul
        9⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A225E~1.EXE > nul
        8⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2F58~1.EXE > nul
        7⤵
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F91D1~1.EXE > nul
        6⤵
        
        PID:1456
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D329A~1.EXE > nul
        5⤵
        
        PID:868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{160C4~1.EXE > nul
      4⤵
      PID:972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E6F86~1.EXE > nul
    3⤵
    PID:3624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4104A3~1.EXE > nul
  2⤵
  PID:3656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe

Filesize
204KB

MD5
c9f6fb823eccfc5abdb5836abf862bff

SHA1
3e4d16801d5cd0df935ff1cae301995932d86eb1

SHA256
c365685d5da8208bc38fd8b261dc03e2e425666b6ce5cbeab21df22faf1848c1

SHA512
519915cecddc24ad2926b554546072cdcd507825bdfe76008df9cdbf27cd5a0074882fd652ee7681a72c773dfb8b55639bcc09b663d1a25f7f600b57a7ccae53

Download Submit
C:\Windows\{160C4CCC-EDEB-49e9-B79C-9B550BA6B3D9}.exe

Filesize
204KB

MD5
c9f6fb823eccfc5abdb5836abf862bff

SHA1
3e4d16801d5cd0df935ff1cae301995932d86eb1

SHA256
c365685d5da8208bc38fd8b261dc03e2e425666b6ce5cbeab21df22faf1848c1

SHA512
519915cecddc24ad2926b554546072cdcd507825bdfe76008df9cdbf27cd5a0074882fd652ee7681a72c773dfb8b55639bcc09b663d1a25f7f600b57a7ccae53

Download Submit
C:\Windows\{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe

Filesize
204KB

MD5
e07dbad13e935e0fd04d27ed67eea2b0

SHA1
48ca69efc9ff329a0cdf59e6c50782d080e78198

SHA256
ade270f79975cc8f8a86be936f75c73618f651a4295a96c0d43b6c456051e47c

SHA512
30cb5de8d3782fb9c8a7d6c4d626b8618640244530dd6cfcb2e7cb7fc21544a1e35c472cffa5078756dc79eb7404815f194247c89fda319cb0bfac3644a5a191

Download Submit
C:\Windows\{231083C7-2EBA-4962-998C-39EBE1B94FB1}.exe

Filesize
204KB

MD5
e07dbad13e935e0fd04d27ed67eea2b0

SHA1
48ca69efc9ff329a0cdf59e6c50782d080e78198

SHA256
ade270f79975cc8f8a86be936f75c73618f651a4295a96c0d43b6c456051e47c

SHA512
30cb5de8d3782fb9c8a7d6c4d626b8618640244530dd6cfcb2e7cb7fc21544a1e35c472cffa5078756dc79eb7404815f194247c89fda319cb0bfac3644a5a191

Download Submit
C:\Windows\{2FC0FC67-D242-46a3-921A-05325B42839F}.exe

Filesize
204KB

MD5
382636017d9c036efadcde8e933e5749

SHA1
97c76606a0f9bf065a2f51a3a2be6382b94b21a6

SHA256
b2a7e5834befbcc1f706ffe7087afaf47d274e0578bb9c61ef8e9c1db5fd01d3

SHA512
d42e32980d929c8f51b2f9bc99475fe13f1e8b5b90e06ffcbef94c0e0c49277f4dfe233500aa9726d468778a48e35d0e783fc27ea9829cb9d77e6cf0d244d76b

Download Submit
C:\Windows\{2FC0FC67-D242-46a3-921A-05325B42839F}.exe

Filesize
204KB

MD5
382636017d9c036efadcde8e933e5749

SHA1
97c76606a0f9bf065a2f51a3a2be6382b94b21a6

SHA256
b2a7e5834befbcc1f706ffe7087afaf47d274e0578bb9c61ef8e9c1db5fd01d3

SHA512
d42e32980d929c8f51b2f9bc99475fe13f1e8b5b90e06ffcbef94c0e0c49277f4dfe233500aa9726d468778a48e35d0e783fc27ea9829cb9d77e6cf0d244d76b

Download Submit
C:\Windows\{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe

Filesize
204KB

MD5
3e94feb634031dc0b71b57a688c49e8a

SHA1
d0328391d893a8001850ee27d065a8b343909587

SHA256
ba2cc1f1c7daf81499d6595266ac020e80967ecdfebe84b36b278ee4aa8606df

SHA512
3d807bdd8429e0763b9cba1b7d7c75528edb35bcbcbdf5640c7222697115521a64eb00f40bbde17b2f6ab23eaf4d3f3c753fdd4962379bdc50fa37869724c38c

Download Submit
C:\Windows\{4B049AE6-38B6-4ece-89C2-CA3F48848395}.exe

Filesize
204KB

MD5
3e94feb634031dc0b71b57a688c49e8a

SHA1
d0328391d893a8001850ee27d065a8b343909587

SHA256
ba2cc1f1c7daf81499d6595266ac020e80967ecdfebe84b36b278ee4aa8606df

SHA512
3d807bdd8429e0763b9cba1b7d7c75528edb35bcbcbdf5640c7222697115521a64eb00f40bbde17b2f6ab23eaf4d3f3c753fdd4962379bdc50fa37869724c38c

Download Submit
C:\Windows\{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe

Filesize
204KB

MD5
e7ed2d80d75c028cc498fa435db9db80

SHA1
db7fa62f1f96380fe0d4602603cc84da13cbdc94

SHA256
f3343e7013da2ea1592f6e2a355c9ad31ddaddf2f2643f45c732de6fa8d47711

SHA512
a6bd8f912a21e32e988e33e4c6819a4f4c952b4cc6dea6075c07041ab527357e9e757de8625f2a4ffe98e1924898c830483b735703b53d5d66a0bb503900dabd

Download Submit
C:\Windows\{A0BAFEED-4979-43e3-AD6E-7759748CAAE3}.exe

Filesize
204KB

MD5
e7ed2d80d75c028cc498fa435db9db80

SHA1
db7fa62f1f96380fe0d4602603cc84da13cbdc94

SHA256
f3343e7013da2ea1592f6e2a355c9ad31ddaddf2f2643f45c732de6fa8d47711

SHA512
a6bd8f912a21e32e988e33e4c6819a4f4c952b4cc6dea6075c07041ab527357e9e757de8625f2a4ffe98e1924898c830483b735703b53d5d66a0bb503900dabd

Download Submit
C:\Windows\{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe

Filesize
204KB

MD5
0214f45680da81c2bfb8dce953b18168

SHA1
5100dac6cae3595fb7aa916cdf3083056624d164

SHA256
18b9d18899ecd1a8e34a08863bae0da05d04a5a2038a1cfbebaec3ab2ed2e798

SHA512
2683c10d97a1a5b519a388aa5c6b48b146dcd770abef90209d47a4ff9442d4570ca200c41403694a7bd4e023a189859a92f92396e0206e04c8a9edf8b2176907

Download Submit
C:\Windows\{A225E6C4-C8AA-4084-88F6-E5DEF6A71562}.exe

Filesize
204KB

MD5
0214f45680da81c2bfb8dce953b18168

SHA1
5100dac6cae3595fb7aa916cdf3083056624d164

SHA256
18b9d18899ecd1a8e34a08863bae0da05d04a5a2038a1cfbebaec3ab2ed2e798

SHA512
2683c10d97a1a5b519a388aa5c6b48b146dcd770abef90209d47a4ff9442d4570ca200c41403694a7bd4e023a189859a92f92396e0206e04c8a9edf8b2176907

Download Submit
C:\Windows\{A2F58FC8-B95B-471c-910A-9832B956F411}.exe

Filesize
204KB

MD5
f95c9a80dc2df762f3e2cd34ef6e40dd

SHA1
9c2fe22a6ef688816f02c40d0f94cfedf949f301

SHA256
70e26acbcf473d0c1d786c4c533dc15aae6771b4494f7966f6783875b0572570

SHA512
7553a7f6470ce47d2ce494cc9d0663320e57a09261031974fd32e2a2bb033181708abbccb1524aa2d75b24b394a99468f87c0491a7ad58b29bf89ada5032d190

Download Submit
C:\Windows\{A2F58FC8-B95B-471c-910A-9832B956F411}.exe

Filesize
204KB

MD5
f95c9a80dc2df762f3e2cd34ef6e40dd

SHA1
9c2fe22a6ef688816f02c40d0f94cfedf949f301

SHA256
70e26acbcf473d0c1d786c4c533dc15aae6771b4494f7966f6783875b0572570

SHA512
7553a7f6470ce47d2ce494cc9d0663320e57a09261031974fd32e2a2bb033181708abbccb1524aa2d75b24b394a99468f87c0491a7ad58b29bf89ada5032d190

Download Submit
C:\Windows\{CC172184-B95C-4bb8-B696-39FBB304516E}.exe

Filesize
204KB

MD5
571656d3a6b9d12c62ffd15ded662043

SHA1
750b33912c9652a5983c37ce6bd6c17775e12a96

SHA256
c35c9e986a97ee4e86d214bc90a0e9c0f1d69abd89d13a3d743760f2486bbd70

SHA512
b1200eab65e6d7f22357ecddc0bcfed1a37f87c69c88639cba81a2736436cc659eaeb15fd63f1e509283298fdabfd804c6000d0f46076ebca3403fedf28e7062

Download Submit
C:\Windows\{CC172184-B95C-4bb8-B696-39FBB304516E}.exe

Filesize
204KB

MD5
571656d3a6b9d12c62ffd15ded662043

SHA1
750b33912c9652a5983c37ce6bd6c17775e12a96

SHA256
c35c9e986a97ee4e86d214bc90a0e9c0f1d69abd89d13a3d743760f2486bbd70

SHA512
b1200eab65e6d7f22357ecddc0bcfed1a37f87c69c88639cba81a2736436cc659eaeb15fd63f1e509283298fdabfd804c6000d0f46076ebca3403fedf28e7062

Download Submit
C:\Windows\{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe

Filesize
204KB

MD5
ed900db27def9f61a030c3d0857827c9

SHA1
a5a34b5515ec371dc9546a0296b71c81cf67c7ba

SHA256
043034a5c5c8615c888972bd922b83798ee01e238071a9fe64e0982735f78e64

SHA512
867ba8de1aeda94c3af1ecccf247629c038cc053674c40c7c9e092fdd1451800a18d77ee8355bca390d07266f76b9c7d98db83586cf8d3d5aefb839c415d4a50

Download Submit
C:\Windows\{D08F3BCA-C652-4ca5-ACFF-8C8387BDAAE1}.exe

Filesize
204KB

MD5
ed900db27def9f61a030c3d0857827c9

SHA1
a5a34b5515ec371dc9546a0296b71c81cf67c7ba

SHA256
043034a5c5c8615c888972bd922b83798ee01e238071a9fe64e0982735f78e64

SHA512
867ba8de1aeda94c3af1ecccf247629c038cc053674c40c7c9e092fdd1451800a18d77ee8355bca390d07266f76b9c7d98db83586cf8d3d5aefb839c415d4a50

Download Submit
C:\Windows\{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe

Filesize
204KB

MD5
fdb65cac2d7113988a179f1b956aa70f

SHA1
d8a8a1d12003fee0eac50ee1c287d9f09fdb86e0

SHA256
12a4d9c88757bf2f197d6fec4bea27af4611f0570f9f6c63208e6e6d019e4f7a

SHA512
5afba15ccc2970c6dbe9c2fb5d8f43d0e3945ab84c4e811dae077b4e1553c2add4382f73fd62521e18b0e42f25b5c78a5e5b69ec3e5decdeb1e3709c72b3d615

Download Submit
C:\Windows\{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe

Filesize
204KB

MD5
fdb65cac2d7113988a179f1b956aa70f

SHA1
d8a8a1d12003fee0eac50ee1c287d9f09fdb86e0

SHA256
12a4d9c88757bf2f197d6fec4bea27af4611f0570f9f6c63208e6e6d019e4f7a

SHA512
5afba15ccc2970c6dbe9c2fb5d8f43d0e3945ab84c4e811dae077b4e1553c2add4382f73fd62521e18b0e42f25b5c78a5e5b69ec3e5decdeb1e3709c72b3d615

Download Submit
C:\Windows\{D329A6E5-BA7A-4d00-9D6A-286F7F45B6E6}.exe

Filesize
204KB

MD5
fdb65cac2d7113988a179f1b956aa70f

SHA1
d8a8a1d12003fee0eac50ee1c287d9f09fdb86e0

SHA256
12a4d9c88757bf2f197d6fec4bea27af4611f0570f9f6c63208e6e6d019e4f7a

SHA512
5afba15ccc2970c6dbe9c2fb5d8f43d0e3945ab84c4e811dae077b4e1553c2add4382f73fd62521e18b0e42f25b5c78a5e5b69ec3e5decdeb1e3709c72b3d615

Download Submit
C:\Windows\{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe

Filesize
204KB

MD5
c5908cb11ba4c85d18a409b71c2c28d9

SHA1
47dbee538e0f531c95a3c857e025e4355e91f9f2

SHA256
7b5d632588472bcd8cd0d7a2b878b38d1664fca7be87af1611858ef25ec7173e

SHA512
376743fcb3f191754ded8ca0baee6216eb78bfcfd1746b108545c0c418b6fc4c532eb1f0bbfbbd099c22c6c048c268529b99a6a8b11dd3e7fa2e8d77036f6f84

Download Submit
C:\Windows\{E6F86935-0A44-4d7a-B75B-595957D6DEC0}.exe

Filesize
204KB

MD5
c5908cb11ba4c85d18a409b71c2c28d9

SHA1
47dbee538e0f531c95a3c857e025e4355e91f9f2

SHA256
7b5d632588472bcd8cd0d7a2b878b38d1664fca7be87af1611858ef25ec7173e

SHA512
376743fcb3f191754ded8ca0baee6216eb78bfcfd1746b108545c0c418b6fc4c532eb1f0bbfbbd099c22c6c048c268529b99a6a8b11dd3e7fa2e8d77036f6f84

Download Submit
C:\Windows\{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe

Filesize
204KB

MD5
b67a1bb0b080a155309be6c59319c0d3

SHA1
b36354adb813378f5b63adbcc0c0bef27fa6b2ee

SHA256
7b54077904fd1d04ffb68e56a7d214d13d7d3dc00aa75fdafd6a27b3fa75d62c

SHA512
d5ea74a35f2e5ea6d56977b1465fa3cb646c09265b654343ce8784011e1163ee5c3a6cbe74d00a685bbd0e2e93de1937555be49497381d22ed1d8a68a8ce67e5

Download Submit
C:\Windows\{F91D13D1-32DB-4afa-A98F-8F47A8A515C5}.exe

Filesize
204KB

MD5
b67a1bb0b080a155309be6c59319c0d3

SHA1
b36354adb813378f5b63adbcc0c0bef27fa6b2ee

SHA256
7b54077904fd1d04ffb68e56a7d214d13d7d3dc00aa75fdafd6a27b3fa75d62c

SHA512
d5ea74a35f2e5ea6d56977b1465fa3cb646c09265b654343ce8784011e1163ee5c3a6cbe74d00a685bbd0e2e93de1937555be49497381d22ed1d8a68a8ce67e5

Download Submit