b3903780db7a053021c28b1f71841410b5b3a6a2846324f61251d78aabfd8bb0

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

50fb5e175d6af9exeexeexeex.exe
Size

372KB
MD5

50fb5e175d6af9ad0358372c9d9d6b4e
SHA1

4c60f13e70be818f48bce23dee8fc852abf15816
SHA256

b3903780db7a053021c28b1f71841410b5b3a6a2846324f61251d78aabfd8bb0
SHA512

a3de9d2749e80297272b9cadee410a42a26c7ef53993d5c2a1510fcd998a7f0ed6a8a37970ea24f4380096bc0b7b54d792d49e879fac1fbb55be064aef1e845b
SSDEEP

3072:CEGh0obmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGEl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69FBC1AD-2384-4596-92AB-3C130F7C1052}\stubpath = "C:\\Windows\\{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe"	{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21528B3E-8820-4a54-801D-2DF7B54E0EFD}\stubpath = "C:\\Windows\\{21528B3E-8820-4a54-801D-2DF7B54E0EFD}.exe"	{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}\stubpath = "C:\\Windows\\{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe"	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3276E683-D2E0-45b2-95E7-5BA4620427DF}\stubpath = "C:\\Windows\\{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe"	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{201467EC-FF20-4c35-9839-0EA813803108}	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38AD7528-ED18-4b05-B3B6-FE18012CF383}\stubpath = "C:\\Windows\\{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe"	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}\stubpath = "C:\\Windows\\{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe"	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}	{201467EC-FF20-4c35-9839-0EA813803108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3276E683-D2E0-45b2-95E7-5BA4620427DF}	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}\stubpath = "C:\\Windows\\{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe"	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}	50fb5e175d6af9exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAF91158-21BF-47f3-A48B-C977A0566EFA}	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAF91158-21BF-47f3-A48B-C977A0566EFA}\stubpath = "C:\\Windows\\{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe"	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69FBC1AD-2384-4596-92AB-3C130F7C1052}	{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21528B3E-8820-4a54-801D-2DF7B54E0EFD}	{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}\stubpath = "C:\\Windows\\{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe"	50fb5e175d6af9exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}\stubpath = "C:\\Windows\\{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe"	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{201467EC-FF20-4c35-9839-0EA813803108}\stubpath = "C:\\Windows\\{201467EC-FF20-4c35-9839-0EA813803108}.exe"	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}\stubpath = "C:\\Windows\\{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe"	{201467EC-FF20-4c35-9839-0EA813803108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38AD7528-ED18-4b05-B3B6-FE18012CF383}	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe

Executes dropped EXE 12 IoCs

pid	Process
4520	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe
3524	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe
5020	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe
5108	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe
4464	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe
404	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe
3320	{201467EC-FF20-4c35-9839-0EA813803108}.exe
2716	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe
4716	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe
432	{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe
1616	{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe
336	{21528B3E-8820-4a54-801D-2DF7B54E0EFD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe
File created	C:\Windows\{201467EC-FF20-4c35-9839-0EA813803108}.exe	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe
File created	C:\Windows\{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe	{201467EC-FF20-4c35-9839-0EA813803108}.exe
File created	C:\Windows\{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe
File created	C:\Windows\{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe	{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe
File created	C:\Windows\{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe	50fb5e175d6af9exeexeexeex.exe
File created	C:\Windows\{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe
File created	C:\Windows\{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe
File created	C:\Windows\{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe
File created	C:\Windows\{21528B3E-8820-4a54-801D-2DF7B54E0EFD}.exe	{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe
File created	C:\Windows\{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe
File created	C:\Windows\{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1964	50fb5e175d6af9exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4520	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe
Token: SeIncBasePriorityPrivilege	3524	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe
Token: SeIncBasePriorityPrivilege	5020	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe
Token: SeIncBasePriorityPrivilege	5108	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe
Token: SeIncBasePriorityPrivilege	4464	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe
Token: SeIncBasePriorityPrivilege	404	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe
Token: SeIncBasePriorityPrivilege	3320	{201467EC-FF20-4c35-9839-0EA813803108}.exe
Token: SeIncBasePriorityPrivilege	2716	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe
Token: SeIncBasePriorityPrivilege	4716	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe
Token: SeIncBasePriorityPrivilege	432	{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe
Token: SeIncBasePriorityPrivilege	1616	{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 4520	1964	50fb5e175d6af9exeexeexeex.exe	85
PID 1964 wrote to memory of 4520	1964	50fb5e175d6af9exeexeexeex.exe	85
PID 1964 wrote to memory of 4520	1964	50fb5e175d6af9exeexeexeex.exe	85
PID 1964 wrote to memory of 4780	1964	50fb5e175d6af9exeexeexeex.exe	86
PID 1964 wrote to memory of 4780	1964	50fb5e175d6af9exeexeexeex.exe	86
PID 1964 wrote to memory of 4780	1964	50fb5e175d6af9exeexeexeex.exe	86
PID 4520 wrote to memory of 3524	4520	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe	87
PID 4520 wrote to memory of 3524	4520	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe	87
PID 4520 wrote to memory of 3524	4520	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe	87
PID 4520 wrote to memory of 4432	4520	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe	88
PID 4520 wrote to memory of 4432	4520	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe	88
PID 4520 wrote to memory of 4432	4520	{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe	88
PID 3524 wrote to memory of 5020	3524	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe	92
PID 3524 wrote to memory of 5020	3524	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe	92
PID 3524 wrote to memory of 5020	3524	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe	92
PID 3524 wrote to memory of 2552	3524	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe	91
PID 3524 wrote to memory of 2552	3524	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe	91
PID 3524 wrote to memory of 2552	3524	{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe	91
PID 5020 wrote to memory of 5108	5020	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe	95
PID 5020 wrote to memory of 5108	5020	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe	95
PID 5020 wrote to memory of 5108	5020	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe	95
PID 5020 wrote to memory of 4728	5020	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe	96
PID 5020 wrote to memory of 4728	5020	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe	96
PID 5020 wrote to memory of 4728	5020	{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe	96
PID 5108 wrote to memory of 4464	5108	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe	97
PID 5108 wrote to memory of 4464	5108	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe	97
PID 5108 wrote to memory of 4464	5108	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe	97
PID 5108 wrote to memory of 536	5108	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe	98
PID 5108 wrote to memory of 536	5108	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe	98
PID 5108 wrote to memory of 536	5108	{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe	98
PID 4464 wrote to memory of 404	4464	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe	99
PID 4464 wrote to memory of 404	4464	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe	99
PID 4464 wrote to memory of 404	4464	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe	99
PID 4464 wrote to memory of 1572	4464	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe	100
PID 4464 wrote to memory of 1572	4464	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe	100
PID 4464 wrote to memory of 1572	4464	{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe	100
PID 404 wrote to memory of 3320	404	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe	101
PID 404 wrote to memory of 3320	404	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe	101
PID 404 wrote to memory of 3320	404	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe	101
PID 404 wrote to memory of 3744	404	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe	102
PID 404 wrote to memory of 3744	404	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe	102
PID 404 wrote to memory of 3744	404	{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe	102
PID 3320 wrote to memory of 2716	3320	{201467EC-FF20-4c35-9839-0EA813803108}.exe	103
PID 3320 wrote to memory of 2716	3320	{201467EC-FF20-4c35-9839-0EA813803108}.exe	103
PID 3320 wrote to memory of 2716	3320	{201467EC-FF20-4c35-9839-0EA813803108}.exe	103
PID 3320 wrote to memory of 364	3320	{201467EC-FF20-4c35-9839-0EA813803108}.exe	104
PID 3320 wrote to memory of 364	3320	{201467EC-FF20-4c35-9839-0EA813803108}.exe	104
PID 3320 wrote to memory of 364	3320	{201467EC-FF20-4c35-9839-0EA813803108}.exe	104
PID 2716 wrote to memory of 4716	2716	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe	105
PID 2716 wrote to memory of 4716	2716	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe	105
PID 2716 wrote to memory of 4716	2716	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe	105
PID 2716 wrote to memory of 3372	2716	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe	106
PID 2716 wrote to memory of 3372	2716	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe	106
PID 2716 wrote to memory of 3372	2716	{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe	106
PID 4716 wrote to memory of 432	4716	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe	107
PID 4716 wrote to memory of 432	4716	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe	107
PID 4716 wrote to memory of 432	4716	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe	107
PID 4716 wrote to memory of 4956	4716	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe	108
PID 4716 wrote to memory of 4956	4716	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe	108
PID 4716 wrote to memory of 4956	4716	{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe	108
PID 432 wrote to memory of 1616	432	{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe	109
PID 432 wrote to memory of 1616	432	{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe	109
PID 432 wrote to memory of 1616	432	{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe	109
PID 432 wrote to memory of 3688	432	{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe	110

C:\Users\Admin\AppData\Local\Temp\50fb5e175d6af9exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\50fb5e175d6af9exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe
  C:\Windows\{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe
    C:\Windows\{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D320~1.EXE > nul
      4⤵
      PID:2552
  - - C:\Windows\{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe
      C:\Windows\{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5020
    - - C:\Windows\{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe
        
        C:\Windows\{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe
        
        C:\Windows\{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
        
        C:\Windows\{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe
        
        C:\Windows\{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{201467EC-FF20-4c35-9839-0EA813803108}.exe
        
        C:\Windows\{201467EC-FF20-4c35-9839-0EA813803108}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe
        
        C:\Windows\{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe
        
        C:\Windows\{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe
        
        C:\Windows\{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe
        
        C:\Windows\{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\{21528B3E-8820-4a54-801D-2DF7B54E0EFD}.exe
        
        C:\Windows\{21528B3E-8820-4a54-801D-2DF7B54E0EFD}.exe
        13⤵
        Executes dropped EXE
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69FBC~1.EXE > nul
        13⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38AD7~1.EXE > nul
        12⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD7C7~1.EXE > nul
        11⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{177F3~1.EXE > nul
        10⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20146~1.EXE > nul
        9⤵
        
        PID:364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3276E~1.EXE > nul
        8⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B6AD~1.EXE > nul
        7⤵
        
        PID:1572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAF91~1.EXE > nul
        6⤵
        
        PID:536
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A9E1~1.EXE > nul
        5⤵
        
        PID:4728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{305B5~1.EXE > nul
    3⤵
    PID:4432
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\50FB5E~1.EXE > nul
  2⤵
  PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe

Filesize
372KB

MD5
9801703dab97cc61c9ce00c8d83da1fc

SHA1
37bd13e29a17c8dd61298484c0f4da8af01f253d

SHA256
2a055f13d442a42ac71c0790a7bacaba9b4864d9cd314a3f944628b88f52106b

SHA512
cc143f46fb83887f4daaffa055d4a3a7c9447de344a2fa12d15c467af6b0cb93fbaded7c5bdd09d9a512228d4af0220baacd419f81e05ee2e324da97e1eb9404

Download Submit
C:\Windows\{177F371C-F196-4aa7-AF57-3F81EDA2B7BE}.exe

Filesize
372KB

MD5
9801703dab97cc61c9ce00c8d83da1fc

SHA1
37bd13e29a17c8dd61298484c0f4da8af01f253d

SHA256
2a055f13d442a42ac71c0790a7bacaba9b4864d9cd314a3f944628b88f52106b

SHA512
cc143f46fb83887f4daaffa055d4a3a7c9447de344a2fa12d15c467af6b0cb93fbaded7c5bdd09d9a512228d4af0220baacd419f81e05ee2e324da97e1eb9404

Download Submit
C:\Windows\{201467EC-FF20-4c35-9839-0EA813803108}.exe

Filesize
372KB

MD5
41dd5b8e98101dc8a6991db674569289

SHA1
a315895eebab82644c1c977492ef8c7a1e5c354a

SHA256
36599163fc6b5dd8ff4217df8f745e2e7a37f33833e3a2ebcd776ee8f5d26ceb

SHA512
3045463051a2a15990c04105236afc51f78dd3b917c64cbc55bdbe68fe89d0f0d9375ab802a590af605e247276b7f1857a7d39b2dc2c03fc3ba1c35cc08b6231

Download Submit
C:\Windows\{201467EC-FF20-4c35-9839-0EA813803108}.exe

Filesize
372KB

MD5
41dd5b8e98101dc8a6991db674569289

SHA1
a315895eebab82644c1c977492ef8c7a1e5c354a

SHA256
36599163fc6b5dd8ff4217df8f745e2e7a37f33833e3a2ebcd776ee8f5d26ceb

SHA512
3045463051a2a15990c04105236afc51f78dd3b917c64cbc55bdbe68fe89d0f0d9375ab802a590af605e247276b7f1857a7d39b2dc2c03fc3ba1c35cc08b6231

Download Submit
C:\Windows\{21528B3E-8820-4a54-801D-2DF7B54E0EFD}.exe

Filesize
372KB

MD5
e41aae51d0097df24234ab72943468b0

SHA1
7574aeb09827e2cf31748d283e7558ec52e82483

SHA256
c0dd7b740e646b3812bd4fc677b2367d0422a6d1e28c75d3b8864b32bf612510

SHA512
7b680646dd146917386959fddd4d22e2bc524d1479101427de518ad23d29bbeca02602ae8b5c44320cc4583971c20ea604f72817f0b10589be3d2b7fc64ec9f9

Download Submit
C:\Windows\{21528B3E-8820-4a54-801D-2DF7B54E0EFD}.exe

Filesize
372KB

MD5
e41aae51d0097df24234ab72943468b0

SHA1
7574aeb09827e2cf31748d283e7558ec52e82483

SHA256
c0dd7b740e646b3812bd4fc677b2367d0422a6d1e28c75d3b8864b32bf612510

SHA512
7b680646dd146917386959fddd4d22e2bc524d1479101427de518ad23d29bbeca02602ae8b5c44320cc4583971c20ea604f72817f0b10589be3d2b7fc64ec9f9

Download Submit
C:\Windows\{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe

Filesize
372KB

MD5
01a64f6fe0b369dee963a5b82137a821

SHA1
267ade9de9453459820d5499ea204724778692a9

SHA256
76565c89a10a760b1a4e527132106312d0a00541a25f4a0ada2688aef51885c2

SHA512
cf022e24e7d940ba1e19f07ca22935da46c287c5f640814ad191d86573bc38e207a52aad17f6404ebde6e777782e98bd1408ce11cc78893ef3bb9ca014db7f90

Download Submit
C:\Windows\{305B5A32-EEB1-4d60-B5A7-5AB3C6204FAA}.exe

Filesize
372KB

MD5
01a64f6fe0b369dee963a5b82137a821

SHA1
267ade9de9453459820d5499ea204724778692a9

SHA256
76565c89a10a760b1a4e527132106312d0a00541a25f4a0ada2688aef51885c2

SHA512
cf022e24e7d940ba1e19f07ca22935da46c287c5f640814ad191d86573bc38e207a52aad17f6404ebde6e777782e98bd1408ce11cc78893ef3bb9ca014db7f90

Download Submit
C:\Windows\{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe

Filesize
372KB

MD5
d8f75f1c88a4d49dd718fa711ea37854

SHA1
25d47a77b398bfa68c81c345fc601b6d72488af7

SHA256
60f0a2afa09b4cfc97c57f65b23207fcb9548176d85b4600c4aadfbd3a4544bb

SHA512
d243c33d3e6daaaab245ffe31fc4a6b8c33aee7cd0bbea399ce782257e514b9a9e442a249ff4bc327921955b1de4fa00df7330a0a6e5259850c87652c2ea9d80

Download Submit
C:\Windows\{3276E683-D2E0-45b2-95E7-5BA4620427DF}.exe

Filesize
372KB

MD5
d8f75f1c88a4d49dd718fa711ea37854

SHA1
25d47a77b398bfa68c81c345fc601b6d72488af7

SHA256
60f0a2afa09b4cfc97c57f65b23207fcb9548176d85b4600c4aadfbd3a4544bb

SHA512
d243c33d3e6daaaab245ffe31fc4a6b8c33aee7cd0bbea399ce782257e514b9a9e442a249ff4bc327921955b1de4fa00df7330a0a6e5259850c87652c2ea9d80

Download Submit
C:\Windows\{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe

Filesize
372KB

MD5
54fe020355c5a4eb02bc3f5a74795a85

SHA1
10b622699cad6612a32c551ab004cbfca5564afc

SHA256
2b22a0adf6217e26a93e64febac77ad704a3a9c62ccb2868667259a8043d2d71

SHA512
fa077aa8fbd6bfb90ebbcd2fd967f0c04168ed44d905710e183af3fdcb4f51306ba534efed75c00637626124ec0515ee7f7c637c3098ed1eb3b76150d6455d73

Download Submit
C:\Windows\{38AD7528-ED18-4b05-B3B6-FE18012CF383}.exe

Filesize
372KB

MD5
54fe020355c5a4eb02bc3f5a74795a85

SHA1
10b622699cad6612a32c551ab004cbfca5564afc

SHA256
2b22a0adf6217e26a93e64febac77ad704a3a9c62ccb2868667259a8043d2d71

SHA512
fa077aa8fbd6bfb90ebbcd2fd967f0c04168ed44d905710e183af3fdcb4f51306ba534efed75c00637626124ec0515ee7f7c637c3098ed1eb3b76150d6455d73

Download Submit
C:\Windows\{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe

Filesize
372KB

MD5
2fe420dd760b1f9247a63d7f32526566

SHA1
c5efb6ea2fa25110808cad735322320c04cd2155

SHA256
dcf3da571e8054ef5296b833c20691254b5afc97e2568089a6f4bbecbd1cfd9e

SHA512
496617d025e09bdc7661c2fe6ee12e4afe13b7285d85593140e6e42d775354954add7773767a49dacdf56c24606d080b8a1a0631f40a9e0b35900307880976b8

Download Submit
C:\Windows\{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe

Filesize
372KB

MD5
2fe420dd760b1f9247a63d7f32526566

SHA1
c5efb6ea2fa25110808cad735322320c04cd2155

SHA256
dcf3da571e8054ef5296b833c20691254b5afc97e2568089a6f4bbecbd1cfd9e

SHA512
496617d025e09bdc7661c2fe6ee12e4afe13b7285d85593140e6e42d775354954add7773767a49dacdf56c24606d080b8a1a0631f40a9e0b35900307880976b8

Download Submit
C:\Windows\{3A9E192F-08EC-499b-AEFF-37AB4FFF790D}.exe

Filesize
372KB

MD5
2fe420dd760b1f9247a63d7f32526566

SHA1
c5efb6ea2fa25110808cad735322320c04cd2155

SHA256
dcf3da571e8054ef5296b833c20691254b5afc97e2568089a6f4bbecbd1cfd9e

SHA512
496617d025e09bdc7661c2fe6ee12e4afe13b7285d85593140e6e42d775354954add7773767a49dacdf56c24606d080b8a1a0631f40a9e0b35900307880976b8

Download Submit
C:\Windows\{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe

Filesize
372KB

MD5
436b94e31652f1d9b06aa866de55f67a

SHA1
58a849ec7860d9bcb8dffe2db9baa8e5ad7b5214

SHA256
4f2180f75be7299aee00a79021f20e2e5b5811de5d9a09d4c6cfd67df3c744ec

SHA512
138e7d345d83cbf9110c44bf7d23e9f633a8da673360b4b8b546cdb83bba72767b8985b455a807a5d5ac29a6367248448e0121ca5e1f87af6d67b6617408e9d4

Download Submit
C:\Windows\{4B6ADCA1-D7D5-4c0d-8EA0-3C29A298DE81}.exe

Filesize
372KB

MD5
436b94e31652f1d9b06aa866de55f67a

SHA1
58a849ec7860d9bcb8dffe2db9baa8e5ad7b5214

SHA256
4f2180f75be7299aee00a79021f20e2e5b5811de5d9a09d4c6cfd67df3c744ec

SHA512
138e7d345d83cbf9110c44bf7d23e9f633a8da673360b4b8b546cdb83bba72767b8985b455a807a5d5ac29a6367248448e0121ca5e1f87af6d67b6617408e9d4

Download Submit
C:\Windows\{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe

Filesize
372KB

MD5
7d3f3f142fa41077110ba6b9c78064bd

SHA1
db36eef5b9f9268bee30ef3b5f5d59dfd411fd6b

SHA256
cdc2f952d938f16cfeeb37bbb0d567a14081eac1b36b2c78b15d8821559fd329

SHA512
d377e62f80037df6b6c7665cf2462e6323e35fa153b63b9240f5febece5877add255c1a70361257bcd8bcdaf48a89fff537db1075b1034eb4dfae3458b137273

Download Submit
C:\Windows\{69FBC1AD-2384-4596-92AB-3C130F7C1052}.exe

Filesize
372KB

MD5
7d3f3f142fa41077110ba6b9c78064bd

SHA1
db36eef5b9f9268bee30ef3b5f5d59dfd411fd6b

SHA256
cdc2f952d938f16cfeeb37bbb0d567a14081eac1b36b2c78b15d8821559fd329

SHA512
d377e62f80037df6b6c7665cf2462e6323e35fa153b63b9240f5febece5877add255c1a70361257bcd8bcdaf48a89fff537db1075b1034eb4dfae3458b137273

Download Submit
C:\Windows\{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe

Filesize
372KB

MD5
b9a704be3af073eaf376880f44079674

SHA1
2f8caf129d5f1261a608883cfa64265b8772004a

SHA256
aea087507a5faf8f071223a1c52f3fdd737728e2ab4a987916392081cb70c16e

SHA512
097099f8d1eb4a54793b50c4c7e622d7e37058dad3eafac1f1f319eef11363fae132f3ed0e3b46d914579d10f7e11b788e625b30dd3eb1209da0a2189094cf2e

Download Submit
C:\Windows\{8D320F23-20E2-40f1-BE7A-E23ADF46BF8A}.exe

Filesize
372KB

MD5
b9a704be3af073eaf376880f44079674

SHA1
2f8caf129d5f1261a608883cfa64265b8772004a

SHA256
aea087507a5faf8f071223a1c52f3fdd737728e2ab4a987916392081cb70c16e

SHA512
097099f8d1eb4a54793b50c4c7e622d7e37058dad3eafac1f1f319eef11363fae132f3ed0e3b46d914579d10f7e11b788e625b30dd3eb1209da0a2189094cf2e

Download Submit
C:\Windows\{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe

Filesize
372KB

MD5
5cfbe72298653eeab3cb56c140a3170a

SHA1
be2b526f1909775a20a66493fa2766904fd45477

SHA256
f639f3345fe43927fdfda9d057ad9f5499aab22aa18c9ee0ebfaf76f2d98e4c0

SHA512
3d24fa3306023de4fd82ad2b657b2644975be39f9d617de80f02280fd41d7d037c484d4b764b51693b78ab120cda15e081b7dc77f08ccbbfb871af1590b1a0b6

Download Submit
C:\Windows\{DD7C78EB-BA5A-4bd9-B6F3-3AC8AD9CB3E3}.exe

Filesize
372KB

MD5
5cfbe72298653eeab3cb56c140a3170a

SHA1
be2b526f1909775a20a66493fa2766904fd45477

SHA256
f639f3345fe43927fdfda9d057ad9f5499aab22aa18c9ee0ebfaf76f2d98e4c0

SHA512
3d24fa3306023de4fd82ad2b657b2644975be39f9d617de80f02280fd41d7d037c484d4b764b51693b78ab120cda15e081b7dc77f08ccbbfb871af1590b1a0b6

Download Submit
C:\Windows\{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe

Filesize
372KB

MD5
7eaae336696c982933180250ec15eb14

SHA1
1375afcde28728f868eb455a7b22e9946cc4936e

SHA256
e137255cfc454b4aeb3ebadf4123bc1c0368105a962d7a705f13b968791dabae

SHA512
401997b38a4eae720e132a650e101df681358dc294a287269e5eb3eb9ee07664dc67214b69456c5b05abe21dd95a96c2367e5fbc7f51dbfe13850a200d8fb372

Download Submit
C:\Windows\{FAF91158-21BF-47f3-A48B-C977A0566EFA}.exe

Filesize
372KB

MD5
7eaae336696c982933180250ec15eb14

SHA1
1375afcde28728f868eb455a7b22e9946cc4936e

SHA256
e137255cfc454b4aeb3ebadf4123bc1c0368105a962d7a705f13b968791dabae

SHA512
401997b38a4eae720e132a650e101df681358dc294a287269e5eb3eb9ee07664dc67214b69456c5b05abe21dd95a96c2367e5fbc7f51dbfe13850a200d8fb372

Download Submit