d75db434c647632b372ae2c20dfd6a4722387689d73da9598bdb814702d0e3e7

Analysis

max time kernel
150s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c3b9fe1d160660exeexeexeex.exe
Size

372KB
MD5

c3b9fe1d160660519ea0ab5776dec981
SHA1

5d3e70c21c1e4e001f0404beb05f7387b827ddb9
SHA256

d75db434c647632b372ae2c20dfd6a4722387689d73da9598bdb814702d0e3e7
SHA512

9cef8ec9bbf53978a1cecddb26e7b3e1db6f32a4301208781736e838deafa76b7bfb51fa746a1d997d6e87b7347ebfcf1ce4c15d2710175a1d4aa9833074100b
SSDEEP

3072:CEGh0oNmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGil/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4376663D-34E5-463f-AACA-95BD91F78474}	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304F0FA8-2209-4944-9F26-1A0928667C3E}	{4376663D-34E5-463f-AACA-95BD91F78474}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F508733F-50F0-4586-9108-E77F7337EC78}\stubpath = "C:\\Windows\\{F508733F-50F0-4586-9108-E77F7337EC78}.exe"	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}\stubpath = "C:\\Windows\\{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe"	{F508733F-50F0-4586-9108-E77F7337EC78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}\stubpath = "C:\\Windows\\{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe"	{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78254DE7-92BB-4fef-88B1-16B55504D9A7}\stubpath = "C:\\Windows\\{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe"	c3b9fe1d160660exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9676F857-64C5-4aa1-8512-47CF0099B581}	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F508733F-50F0-4586-9108-E77F7337EC78}	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}	{F508733F-50F0-4586-9108-E77F7337EC78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}\stubpath = "C:\\Windows\\{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe"	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BACEFEB-6A49-452a-83F2-CD6BCE5437CB}	{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F24E68B0-A649-4046-A75E-CC839801DAF0}	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F24E68B0-A649-4046-A75E-CC839801DAF0}\stubpath = "C:\\Windows\\{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe"	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2042EC2B-E804-466a-AA51-72C15C40F9C1}	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2042EC2B-E804-466a-AA51-72C15C40F9C1}\stubpath = "C:\\Windows\\{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe"	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9676F857-64C5-4aa1-8512-47CF0099B581}\stubpath = "C:\\Windows\\{9676F857-64C5-4aa1-8512-47CF0099B581}.exe"	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{304F0FA8-2209-4944-9F26-1A0928667C3E}\stubpath = "C:\\Windows\\{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe"	{4376663D-34E5-463f-AACA-95BD91F78474}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}	{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BACEFEB-6A49-452a-83F2-CD6BCE5437CB}\stubpath = "C:\\Windows\\{3BACEFEB-6A49-452a-83F2-CD6BCE5437CB}.exe"	{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78254DE7-92BB-4fef-88B1-16B55504D9A7}	c3b9fe1d160660exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}\stubpath = "C:\\Windows\\{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe"	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4376663D-34E5-463f-AACA-95BD91F78474}\stubpath = "C:\\Windows\\{4376663D-34E5-463f-AACA-95BD91F78474}.exe"	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe

Executes dropped EXE 12 IoCs

pid	Process
5104	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe
3928	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe
3800	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe
3704	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe
4592	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe
4780	{4376663D-34E5-463f-AACA-95BD91F78474}.exe
2516	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe
4580	{F508733F-50F0-4586-9108-E77F7337EC78}.exe
4768	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe
3604	{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe
4836	{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe
4192	{3BACEFEB-6A49-452a-83F2-CD6BCE5437CB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe	c3b9fe1d160660exeexeexeex.exe
File created	C:\Windows\{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe
File created	C:\Windows\{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe
File created	C:\Windows\{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe	{4376663D-34E5-463f-AACA-95BD91F78474}.exe
File created	C:\Windows\{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe	{F508733F-50F0-4586-9108-E77F7337EC78}.exe
File created	C:\Windows\{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe	{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe
File created	C:\Windows\{3BACEFEB-6A49-452a-83F2-CD6BCE5437CB}.exe	{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe
File created	C:\Windows\{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe
File created	C:\Windows\{9676F857-64C5-4aa1-8512-47CF0099B581}.exe	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe
File created	C:\Windows\{4376663D-34E5-463f-AACA-95BD91F78474}.exe	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe
File created	C:\Windows\{F508733F-50F0-4586-9108-E77F7337EC78}.exe	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe
File created	C:\Windows\{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3972	c3b9fe1d160660exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	5104	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe
Token: SeIncBasePriorityPrivilege	3928	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe
Token: SeIncBasePriorityPrivilege	3800	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe
Token: SeIncBasePriorityPrivilege	3704	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe
Token: SeIncBasePriorityPrivilege	4592	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe
Token: SeIncBasePriorityPrivilege	4780	{4376663D-34E5-463f-AACA-95BD91F78474}.exe
Token: SeIncBasePriorityPrivilege	2516	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe
Token: SeIncBasePriorityPrivilege	4580	{F508733F-50F0-4586-9108-E77F7337EC78}.exe
Token: SeIncBasePriorityPrivilege	4768	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe
Token: SeIncBasePriorityPrivilege	3604	{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe
Token: SeIncBasePriorityPrivilege	4836	{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 5104	3972	c3b9fe1d160660exeexeexeex.exe	88
PID 3972 wrote to memory of 5104	3972	c3b9fe1d160660exeexeexeex.exe	88
PID 3972 wrote to memory of 5104	3972	c3b9fe1d160660exeexeexeex.exe	88
PID 3972 wrote to memory of 464	3972	c3b9fe1d160660exeexeexeex.exe	89
PID 3972 wrote to memory of 464	3972	c3b9fe1d160660exeexeexeex.exe	89
PID 3972 wrote to memory of 464	3972	c3b9fe1d160660exeexeexeex.exe	89
PID 5104 wrote to memory of 3928	5104	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe	90
PID 5104 wrote to memory of 3928	5104	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe	90
PID 5104 wrote to memory of 3928	5104	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe	90
PID 5104 wrote to memory of 972	5104	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe	91
PID 5104 wrote to memory of 972	5104	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe	91
PID 5104 wrote to memory of 972	5104	{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe	91
PID 3928 wrote to memory of 3800	3928	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe	95
PID 3928 wrote to memory of 3800	3928	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe	95
PID 3928 wrote to memory of 3800	3928	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe	95
PID 3928 wrote to memory of 1268	3928	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe	96
PID 3928 wrote to memory of 1268	3928	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe	96
PID 3928 wrote to memory of 1268	3928	{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe	96
PID 3800 wrote to memory of 3704	3800	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe	97
PID 3800 wrote to memory of 3704	3800	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe	97
PID 3800 wrote to memory of 3704	3800	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe	97
PID 3800 wrote to memory of 2100	3800	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe	98
PID 3800 wrote to memory of 2100	3800	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe	98
PID 3800 wrote to memory of 2100	3800	{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe	98
PID 3704 wrote to memory of 4592	3704	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe	99
PID 3704 wrote to memory of 4592	3704	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe	99
PID 3704 wrote to memory of 4592	3704	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe	99
PID 3704 wrote to memory of 560	3704	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe	100
PID 3704 wrote to memory of 560	3704	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe	100
PID 3704 wrote to memory of 560	3704	{9676F857-64C5-4aa1-8512-47CF0099B581}.exe	100
PID 4592 wrote to memory of 4780	4592	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe	102
PID 4592 wrote to memory of 4780	4592	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe	102
PID 4592 wrote to memory of 4780	4592	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe	102
PID 4592 wrote to memory of 2776	4592	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe	103
PID 4592 wrote to memory of 2776	4592	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe	103
PID 4592 wrote to memory of 2776	4592	{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe	103
PID 4780 wrote to memory of 2516	4780	{4376663D-34E5-463f-AACA-95BD91F78474}.exe	104
PID 4780 wrote to memory of 2516	4780	{4376663D-34E5-463f-AACA-95BD91F78474}.exe	104
PID 4780 wrote to memory of 2516	4780	{4376663D-34E5-463f-AACA-95BD91F78474}.exe	104
PID 4780 wrote to memory of 4764	4780	{4376663D-34E5-463f-AACA-95BD91F78474}.exe	105
PID 4780 wrote to memory of 4764	4780	{4376663D-34E5-463f-AACA-95BD91F78474}.exe	105
PID 4780 wrote to memory of 4764	4780	{4376663D-34E5-463f-AACA-95BD91F78474}.exe	105
PID 2516 wrote to memory of 4580	2516	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe	106
PID 2516 wrote to memory of 4580	2516	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe	106
PID 2516 wrote to memory of 4580	2516	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe	106
PID 2516 wrote to memory of 4332	2516	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe	107
PID 2516 wrote to memory of 4332	2516	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe	107
PID 2516 wrote to memory of 4332	2516	{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe	107
PID 4580 wrote to memory of 4768	4580	{F508733F-50F0-4586-9108-E77F7337EC78}.exe	108
PID 4580 wrote to memory of 4768	4580	{F508733F-50F0-4586-9108-E77F7337EC78}.exe	108
PID 4580 wrote to memory of 4768	4580	{F508733F-50F0-4586-9108-E77F7337EC78}.exe	108
PID 4580 wrote to memory of 4956	4580	{F508733F-50F0-4586-9108-E77F7337EC78}.exe	109
PID 4580 wrote to memory of 4956	4580	{F508733F-50F0-4586-9108-E77F7337EC78}.exe	109
PID 4580 wrote to memory of 4956	4580	{F508733F-50F0-4586-9108-E77F7337EC78}.exe	109
PID 4768 wrote to memory of 3604	4768	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe	111
PID 4768 wrote to memory of 3604	4768	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe	111
PID 4768 wrote to memory of 3604	4768	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe	111
PID 4768 wrote to memory of 3612	4768	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe	110
PID 4768 wrote to memory of 3612	4768	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe	110
PID 4768 wrote to memory of 3612	4768	{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe	110
PID 3604 wrote to memory of 4836	3604	{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe	112
PID 3604 wrote to memory of 4836	3604	{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe	112
PID 3604 wrote to memory of 4836	3604	{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe	112
PID 3604 wrote to memory of 5088	3604	{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe	113

C:\Users\Admin\AppData\Local\Temp\c3b9fe1d160660exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c3b9fe1d160660exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe
  C:\Windows\{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe
    C:\Windows\{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe
      C:\Windows\{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3800
    - - C:\Windows\{9676F857-64C5-4aa1-8512-47CF0099B581}.exe
        
        C:\Windows\{9676F857-64C5-4aa1-8512-47CF0099B581}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
      - C:\Windows\{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe
        
        C:\Windows\{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{4376663D-34E5-463f-AACA-95BD91F78474}.exe
        
        C:\Windows\{4376663D-34E5-463f-AACA-95BD91F78474}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe
        
        C:\Windows\{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{F508733F-50F0-4586-9108-E77F7337EC78}.exe
        
        C:\Windows\{F508733F-50F0-4586-9108-E77F7337EC78}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe
        
        C:\Windows\{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2E0C~1.EXE > nul
        11⤵
        
        PID:3612
        
        C:\Windows\{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe
        
        C:\Windows\{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Windows\{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe
        
        C:\Windows\{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\{3BACEFEB-6A49-452a-83F2-CD6BCE5437CB}.exe
        
        C:\Windows\{3BACEFEB-6A49-452a-83F2-CD6BCE5437CB}.exe
        13⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E054E~1.EXE > nul
        13⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F42B8~1.EXE > nul
        12⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5087~1.EXE > nul
        10⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{304F0~1.EXE > nul
        9⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43766~1.EXE > nul
        8⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D645D~1.EXE > nul
        7⤵
        
        PID:2776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9676F~1.EXE > nul
        6⤵
        
        PID:560
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2042E~1.EXE > nul
        5⤵
        
        PID:2100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F24E6~1.EXE > nul
      4⤵
      PID:1268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{78254~1.EXE > nul
    3⤵
    PID:972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C3B9FE~1.EXE > nul
  2⤵
  PID:464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe

Filesize
372KB

MD5
c56125b844c90d69a898e56dfa92d22e

SHA1
b17dcbd4211a1b6618e4a79f1a2352a7f98a2026

SHA256
314a66979c7cc13c561cb0efbcfdd33fa0fe3c4203ff124864832b782cc8b785

SHA512
401ae3c75f1ea12701832001d41d6163bacc94bb8d9cd2f923bc06b1454fba2fd8eb9acaf5d34a3e67e377ca522b229eea67b7daad4e20e51ad9028c2c7835ee

Download Submit
C:\Windows\{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe

Filesize
372KB

MD5
c56125b844c90d69a898e56dfa92d22e

SHA1
b17dcbd4211a1b6618e4a79f1a2352a7f98a2026

SHA256
314a66979c7cc13c561cb0efbcfdd33fa0fe3c4203ff124864832b782cc8b785

SHA512
401ae3c75f1ea12701832001d41d6163bacc94bb8d9cd2f923bc06b1454fba2fd8eb9acaf5d34a3e67e377ca522b229eea67b7daad4e20e51ad9028c2c7835ee

Download Submit
C:\Windows\{2042EC2B-E804-466a-AA51-72C15C40F9C1}.exe

Filesize
372KB

MD5
c56125b844c90d69a898e56dfa92d22e

SHA1
b17dcbd4211a1b6618e4a79f1a2352a7f98a2026

SHA256
314a66979c7cc13c561cb0efbcfdd33fa0fe3c4203ff124864832b782cc8b785

SHA512
401ae3c75f1ea12701832001d41d6163bacc94bb8d9cd2f923bc06b1454fba2fd8eb9acaf5d34a3e67e377ca522b229eea67b7daad4e20e51ad9028c2c7835ee

Download Submit
C:\Windows\{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe

Filesize
372KB

MD5
72e2b3feb2d3446942985cb6257115f7

SHA1
8a743c5fb503bdb766a080d5baf3d97e335b419b

SHA256
9ad8eb6c31cdc8045d784149819dbc52dc53f5e5eb26b01cdf8e278058e4565e

SHA512
392b5d5f498bd3dee223ae3cbc2c69653181282e14261860ad00c10987f26acc6a587b5c0f40d16492b8d6100e3e912375b6c608fcf306b39e56191a1f82c7fe

Download Submit
C:\Windows\{304F0FA8-2209-4944-9F26-1A0928667C3E}.exe

Filesize
372KB

MD5
72e2b3feb2d3446942985cb6257115f7

SHA1
8a743c5fb503bdb766a080d5baf3d97e335b419b

SHA256
9ad8eb6c31cdc8045d784149819dbc52dc53f5e5eb26b01cdf8e278058e4565e

SHA512
392b5d5f498bd3dee223ae3cbc2c69653181282e14261860ad00c10987f26acc6a587b5c0f40d16492b8d6100e3e912375b6c608fcf306b39e56191a1f82c7fe

Download Submit
C:\Windows\{3BACEFEB-6A49-452a-83F2-CD6BCE5437CB}.exe

Filesize
372KB

MD5
db084334178f0896f4769df2d1f0250f

SHA1
8b635cf138c367fd5637fd2911837bf7501f2f6e

SHA256
43a6c1e86c77ddedee92945043839ffc46b1b9cffc490910faa365c382dec671

SHA512
4aa23991017cc241632001b0f9cfaacf76d83516da9076b1aab35e165f6ad6e9113f5fbf0f673cd50c5050e7a7c1275dd8e85d5249c140c5a22fc9451176c720

Download Submit
C:\Windows\{3BACEFEB-6A49-452a-83F2-CD6BCE5437CB}.exe

Filesize
372KB

MD5
db084334178f0896f4769df2d1f0250f

SHA1
8b635cf138c367fd5637fd2911837bf7501f2f6e

SHA256
43a6c1e86c77ddedee92945043839ffc46b1b9cffc490910faa365c382dec671

SHA512
4aa23991017cc241632001b0f9cfaacf76d83516da9076b1aab35e165f6ad6e9113f5fbf0f673cd50c5050e7a7c1275dd8e85d5249c140c5a22fc9451176c720

Download Submit
C:\Windows\{4376663D-34E5-463f-AACA-95BD91F78474}.exe

Filesize
372KB

MD5
bf089459bef988beb4c9398245effced

SHA1
15f0c62bf7be1a0388cf0b46c24653fc64957087

SHA256
421cd5f5f7c17e64581576b9da4a1c47948b46ada251d18805e44a087c5c3566

SHA512
ac117f690e672ad7403b468cb08353cfa75f4fc5e9e94a2f57653ef7e97cdd300b2c6b6a9ae275b92b78f081b4aa993c798e6f4236ae829ccb5022b3cf16e4a8

Download Submit
C:\Windows\{4376663D-34E5-463f-AACA-95BD91F78474}.exe

Filesize
372KB

MD5
bf089459bef988beb4c9398245effced

SHA1
15f0c62bf7be1a0388cf0b46c24653fc64957087

SHA256
421cd5f5f7c17e64581576b9da4a1c47948b46ada251d18805e44a087c5c3566

SHA512
ac117f690e672ad7403b468cb08353cfa75f4fc5e9e94a2f57653ef7e97cdd300b2c6b6a9ae275b92b78f081b4aa993c798e6f4236ae829ccb5022b3cf16e4a8

Download Submit
C:\Windows\{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe

Filesize
372KB

MD5
2c521222279a03b4072208e3ca55539f

SHA1
4197a58972d7c5e494dfb3012593595ce44c6225

SHA256
a5fe25c70e2e4b8d4d52f26ca3d61e81c5c24309d0c1484f7099ab8968ed142c

SHA512
b5b15da35d1055c22ddf094e831766a5d8c9eb781bf821fbec0718f45bb1a7cfeaaa7cb5d4c3efaa1ba51dcfda78aae1d74a5b7885ebaf789f41da24a6b900e3

Download Submit
C:\Windows\{78254DE7-92BB-4fef-88B1-16B55504D9A7}.exe

Filesize
372KB

MD5
2c521222279a03b4072208e3ca55539f

SHA1
4197a58972d7c5e494dfb3012593595ce44c6225

SHA256
a5fe25c70e2e4b8d4d52f26ca3d61e81c5c24309d0c1484f7099ab8968ed142c

SHA512
b5b15da35d1055c22ddf094e831766a5d8c9eb781bf821fbec0718f45bb1a7cfeaaa7cb5d4c3efaa1ba51dcfda78aae1d74a5b7885ebaf789f41da24a6b900e3

Download Submit
C:\Windows\{9676F857-64C5-4aa1-8512-47CF0099B581}.exe

Filesize
372KB

MD5
f89e053269264ee70d6645e984ba6a16

SHA1
5dfe133f0f3db472994a4ed2cba72459904f0f2e

SHA256
e0ffbb0039cefc0fa04bd6e3051f8b7c5df1101369233560bdc016e3a5fbaaf1

SHA512
7c38372f9d675c79365c7f9e430f9817c9e622ed741f6db855b122052ef888f65c7765b3d9ac00ced286cdff3111c15114679c0c51a3ce1c7d59c974eb882293

Download Submit
C:\Windows\{9676F857-64C5-4aa1-8512-47CF0099B581}.exe

Filesize
372KB

MD5
f89e053269264ee70d6645e984ba6a16

SHA1
5dfe133f0f3db472994a4ed2cba72459904f0f2e

SHA256
e0ffbb0039cefc0fa04bd6e3051f8b7c5df1101369233560bdc016e3a5fbaaf1

SHA512
7c38372f9d675c79365c7f9e430f9817c9e622ed741f6db855b122052ef888f65c7765b3d9ac00ced286cdff3111c15114679c0c51a3ce1c7d59c974eb882293

Download Submit
C:\Windows\{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe

Filesize
372KB

MD5
d15d414ca75b81a3de1fe0989b4483b1

SHA1
c23fae1448b03afa2e1a48435097155d37eb7237

SHA256
1cf3fa2516f07d8f23442242309c73ecb3d79f37a3c96184be1bfe90b3b4c110

SHA512
39409003d185e09ec53fd9fd8bb2c0598f701fac92df6c96568138bd7d39d3123a4234858125fda502303ab719e0952fb4bd7a66406caf17fe2e26dc720dd9aa

Download Submit
C:\Windows\{D645D3CE-E8BB-4bc8-BFD0-AA56B13F8005}.exe

Filesize
372KB

MD5
d15d414ca75b81a3de1fe0989b4483b1

SHA1
c23fae1448b03afa2e1a48435097155d37eb7237

SHA256
1cf3fa2516f07d8f23442242309c73ecb3d79f37a3c96184be1bfe90b3b4c110

SHA512
39409003d185e09ec53fd9fd8bb2c0598f701fac92df6c96568138bd7d39d3123a4234858125fda502303ab719e0952fb4bd7a66406caf17fe2e26dc720dd9aa

Download Submit
C:\Windows\{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe

Filesize
372KB

MD5
39d0bfc53c994645657bac8d21b0502e

SHA1
d11a4371d9c00cde9456755f9719e783aebf40d9

SHA256
43ebfd6c8719c486f5556fa91bb6bdb7de6b900f0cb5e3d82a321e15bd14339c

SHA512
21a8c12694ae1819326f7a95607648d5a912fff39a483118fa6231d48d086cca167bc2651237d95604f469167258cb29cbd834e1f908fe2db196678ed6a7fb2f

Download Submit
C:\Windows\{E054E0F7-8057-4a84-8B3E-F4AB22F85EE8}.exe

Filesize
372KB

MD5
39d0bfc53c994645657bac8d21b0502e

SHA1
d11a4371d9c00cde9456755f9719e783aebf40d9

SHA256
43ebfd6c8719c486f5556fa91bb6bdb7de6b900f0cb5e3d82a321e15bd14339c

SHA512
21a8c12694ae1819326f7a95607648d5a912fff39a483118fa6231d48d086cca167bc2651237d95604f469167258cb29cbd834e1f908fe2db196678ed6a7fb2f

Download Submit
C:\Windows\{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe

Filesize
372KB

MD5
ed8ba55129f468baef69a343c1320ae2

SHA1
ee58462aeba5aa3340ddce73818bf9aea7b404b1

SHA256
a205a3a19af4255a0d190e7c0185c1d31e7e57eb182b3c1e1221f1c577b7708b

SHA512
7e5a72f890038dcfa61ced029d9fa6eb9b88e939add67b292ee008292a9853fa8f4c19076277ad79cfdc214522214c739c0911321d99a8b3e71bdf2383891272

Download Submit
C:\Windows\{F24E68B0-A649-4046-A75E-CC839801DAF0}.exe

Filesize
372KB

MD5
ed8ba55129f468baef69a343c1320ae2

SHA1
ee58462aeba5aa3340ddce73818bf9aea7b404b1

SHA256
a205a3a19af4255a0d190e7c0185c1d31e7e57eb182b3c1e1221f1c577b7708b

SHA512
7e5a72f890038dcfa61ced029d9fa6eb9b88e939add67b292ee008292a9853fa8f4c19076277ad79cfdc214522214c739c0911321d99a8b3e71bdf2383891272

Download Submit
C:\Windows\{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe

Filesize
372KB

MD5
cd77b571e8fe6dd51d9541bdd2e68dcc

SHA1
14fa150dd99fd6bbedf8549d9353cbba9f788387

SHA256
5e07d3772c608ef7622540ac9281a692a2358c6fd2309d374ae4cbcddcd0897d

SHA512
69876c959131466eb5513eb4977f457be1c97499174f9014db7c87b7238344f5e11a1942c0603b73ebb493a2f7576ef65f22704fbbfa44bf669edcf952c962d1

Download Submit
C:\Windows\{F2E0C6E8-FE44-47b7-B169-428C3CBE3D40}.exe

Filesize
372KB

MD5
cd77b571e8fe6dd51d9541bdd2e68dcc

SHA1
14fa150dd99fd6bbedf8549d9353cbba9f788387

SHA256
5e07d3772c608ef7622540ac9281a692a2358c6fd2309d374ae4cbcddcd0897d

SHA512
69876c959131466eb5513eb4977f457be1c97499174f9014db7c87b7238344f5e11a1942c0603b73ebb493a2f7576ef65f22704fbbfa44bf669edcf952c962d1

Download Submit
C:\Windows\{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe

Filesize
372KB

MD5
c88dcec6587f20349a8c94737925ff06

SHA1
87119e428de94819040d0bd94a4f045505e55018

SHA256
d288c39cc5775273ea5f0614fe5b16ade1c58e75fa1c6f69eb883d5cb0a38970

SHA512
f3b48f511e04729b3339338384d127a415b18d65598052b0e1b5c73fd7acb03029ddcc1f22bd82b682c1118ab0ec0131fc9c2eb757c4e25e311c2bcda13975e5

Download Submit
C:\Windows\{F42B8652-A8DE-4d0e-BBCE-1368A20366BD}.exe

Filesize
372KB

MD5
c88dcec6587f20349a8c94737925ff06

SHA1
87119e428de94819040d0bd94a4f045505e55018

SHA256
d288c39cc5775273ea5f0614fe5b16ade1c58e75fa1c6f69eb883d5cb0a38970

SHA512
f3b48f511e04729b3339338384d127a415b18d65598052b0e1b5c73fd7acb03029ddcc1f22bd82b682c1118ab0ec0131fc9c2eb757c4e25e311c2bcda13975e5

Download Submit
C:\Windows\{F508733F-50F0-4586-9108-E77F7337EC78}.exe

Filesize
372KB

MD5
0d4edb60f7d9ac290243c1eb1c034a15

SHA1
eec2f15b10f55990c62d145578d671d1f6b56e16

SHA256
ac2fd4c6571f7b565d5410d20cfcdfab89a71a304644ed22ce1e300ce2d13c30

SHA512
57457287f4a18fe110c3b24aeb7b6e00957ce893846a3e7ae591693a07537f7884c994832b0358256beb74ee44895048cf11389377df8177ac6a5a3760d474ca

Download Submit
C:\Windows\{F508733F-50F0-4586-9108-E77F7337EC78}.exe

Filesize
372KB

MD5
0d4edb60f7d9ac290243c1eb1c034a15

SHA1
eec2f15b10f55990c62d145578d671d1f6b56e16

SHA256
ac2fd4c6571f7b565d5410d20cfcdfab89a71a304644ed22ce1e300ce2d13c30

SHA512
57457287f4a18fe110c3b24aeb7b6e00957ce893846a3e7ae591693a07537f7884c994832b0358256beb74ee44895048cf11389377df8177ac6a5a3760d474ca

Download Submit