ac81c7a566970289e37dbba88e8597c28260ea286a5aa9feafa399dfef34d30e

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3a9a902adcd3dexeexeexeex.exe
Size

204KB
MD5

d3a9a902adcd3d096157f83e088d838f
SHA1

b7b31b47ca7a112c3afdf4ebe65d3308b5260488
SHA256

ac81c7a566970289e37dbba88e8597c28260ea286a5aa9feafa399dfef34d30e
SHA512

24b68d5c26552cda8b637b8db807a68c8f983054810c46f5d948da389d41586c28a1d54bb81bdacafdb91e55bd014a8565222a619789e98992257d4f2a91fcb0
SSDEEP

1536:1EGh0ovl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ovl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}\stubpath = "C:\\Windows\\{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe"	d3a9a902adcd3dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{242C17C8-2352-44f8-8148-834447B0BB86}	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D27AACD-292B-4a08-A083-925027AE2987}\stubpath = "C:\\Windows\\{2D27AACD-292B-4a08-A083-925027AE2987}.exe"	{41C22396-7115-4050-8569-50CA9C907BB8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A814F897-D666-42b0-8786-04BA026D2AC1}\stubpath = "C:\\Windows\\{A814F897-D666-42b0-8786-04BA026D2AC1}.exe"	{2D27AACD-292B-4a08-A083-925027AE2987}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B54243F-8830-4f12-B4FB-55AFD793F316}\stubpath = "C:\\Windows\\{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe"	{1817DECA-AAF0-4521-9295-D973618795C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}\stubpath = "C:\\Windows\\{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe"	{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C2FAF12-1DF6-401a-8EC7-21E42ADD9321}\stubpath = "C:\\Windows\\{4C2FAF12-1DF6-401a-8EC7-21E42ADD9321}.exe"	{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}	d3a9a902adcd3dexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{242C17C8-2352-44f8-8148-834447B0BB86}\stubpath = "C:\\Windows\\{242C17C8-2352-44f8-8148-834447B0BB86}.exe"	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}	{242C17C8-2352-44f8-8148-834447B0BB86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}\stubpath = "C:\\Windows\\{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe"	{242C17C8-2352-44f8-8148-834447B0BB86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41C22396-7115-4050-8569-50CA9C907BB8}	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41C22396-7115-4050-8569-50CA9C907BB8}\stubpath = "C:\\Windows\\{41C22396-7115-4050-8569-50CA9C907BB8}.exe"	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B54243F-8830-4f12-B4FB-55AFD793F316}	{1817DECA-AAF0-4521-9295-D973618795C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D27AACD-292B-4a08-A083-925027AE2987}	{41C22396-7115-4050-8569-50CA9C907BB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}	{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4C2FAF12-1DF6-401a-8EC7-21E42ADD9321}	{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}\stubpath = "C:\\Windows\\{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe"	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1494E3CF-7036-4cb2-879B-F66D71F692DE}	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1494E3CF-7036-4cb2-879B-F66D71F692DE}\stubpath = "C:\\Windows\\{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe"	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A814F897-D666-42b0-8786-04BA026D2AC1}	{2D27AACD-292B-4a08-A083-925027AE2987}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1817DECA-AAF0-4521-9295-D973618795C6}	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1817DECA-AAF0-4521-9295-D973618795C6}\stubpath = "C:\\Windows\\{1817DECA-AAF0-4521-9295-D973618795C6}.exe"	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3288	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe
5056	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe
4912	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe
1716	{242C17C8-2352-44f8-8148-834447B0BB86}.exe
392	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe
1084	{41C22396-7115-4050-8569-50CA9C907BB8}.exe
4220	{2D27AACD-292B-4a08-A083-925027AE2987}.exe
4104	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe
3520	{1817DECA-AAF0-4521-9295-D973618795C6}.exe
4028	{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe
3536	{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe
1036	{4C2FAF12-1DF6-401a-8EC7-21E42ADD9321}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe
File created	C:\Windows\{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe
File created	C:\Windows\{242C17C8-2352-44f8-8148-834447B0BB86}.exe	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe
File created	C:\Windows\{1817DECA-AAF0-4521-9295-D973618795C6}.exe	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe
File created	C:\Windows\{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe	{1817DECA-AAF0-4521-9295-D973618795C6}.exe
File created	C:\Windows\{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe	{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe
File created	C:\Windows\{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe	d3a9a902adcd3dexeexeexeex.exe
File created	C:\Windows\{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe	{242C17C8-2352-44f8-8148-834447B0BB86}.exe
File created	C:\Windows\{41C22396-7115-4050-8569-50CA9C907BB8}.exe	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe
File created	C:\Windows\{2D27AACD-292B-4a08-A083-925027AE2987}.exe	{41C22396-7115-4050-8569-50CA9C907BB8}.exe
File created	C:\Windows\{A814F897-D666-42b0-8786-04BA026D2AC1}.exe	{2D27AACD-292B-4a08-A083-925027AE2987}.exe
File created	C:\Windows\{4C2FAF12-1DF6-401a-8EC7-21E42ADD9321}.exe	{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	228	d3a9a902adcd3dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3288	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe
Token: SeIncBasePriorityPrivilege	5056	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe
Token: SeIncBasePriorityPrivilege	4912	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe
Token: SeIncBasePriorityPrivilege	1716	{242C17C8-2352-44f8-8148-834447B0BB86}.exe
Token: SeIncBasePriorityPrivilege	392	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe
Token: SeIncBasePriorityPrivilege	1084	{41C22396-7115-4050-8569-50CA9C907BB8}.exe
Token: SeIncBasePriorityPrivilege	4220	{2D27AACD-292B-4a08-A083-925027AE2987}.exe
Token: SeIncBasePriorityPrivilege	4104	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe
Token: SeIncBasePriorityPrivilege	3520	{1817DECA-AAF0-4521-9295-D973618795C6}.exe
Token: SeIncBasePriorityPrivilege	4028	{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe
Token: SeIncBasePriorityPrivilege	3536	{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 3288	228	d3a9a902adcd3dexeexeexeex.exe	89
PID 228 wrote to memory of 3288	228	d3a9a902adcd3dexeexeexeex.exe	89
PID 228 wrote to memory of 3288	228	d3a9a902adcd3dexeexeexeex.exe	89
PID 228 wrote to memory of 4744	228	d3a9a902adcd3dexeexeexeex.exe	90
PID 228 wrote to memory of 4744	228	d3a9a902adcd3dexeexeexeex.exe	90
PID 228 wrote to memory of 4744	228	d3a9a902adcd3dexeexeexeex.exe	90
PID 3288 wrote to memory of 5056	3288	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe	91
PID 3288 wrote to memory of 5056	3288	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe	91
PID 3288 wrote to memory of 5056	3288	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe	91
PID 3288 wrote to memory of 1992	3288	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe	92
PID 3288 wrote to memory of 1992	3288	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe	92
PID 3288 wrote to memory of 1992	3288	{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe	92
PID 5056 wrote to memory of 4912	5056	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe	97
PID 5056 wrote to memory of 4912	5056	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe	97
PID 5056 wrote to memory of 4912	5056	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe	97
PID 5056 wrote to memory of 4688	5056	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe	96
PID 5056 wrote to memory of 4688	5056	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe	96
PID 5056 wrote to memory of 4688	5056	{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe	96
PID 4912 wrote to memory of 1716	4912	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe	98
PID 4912 wrote to memory of 1716	4912	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe	98
PID 4912 wrote to memory of 1716	4912	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe	98
PID 4912 wrote to memory of 968	4912	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe	99
PID 4912 wrote to memory of 968	4912	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe	99
PID 4912 wrote to memory of 968	4912	{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe	99
PID 1716 wrote to memory of 392	1716	{242C17C8-2352-44f8-8148-834447B0BB86}.exe	100
PID 1716 wrote to memory of 392	1716	{242C17C8-2352-44f8-8148-834447B0BB86}.exe	100
PID 1716 wrote to memory of 392	1716	{242C17C8-2352-44f8-8148-834447B0BB86}.exe	100
PID 1716 wrote to memory of 4988	1716	{242C17C8-2352-44f8-8148-834447B0BB86}.exe	101
PID 1716 wrote to memory of 4988	1716	{242C17C8-2352-44f8-8148-834447B0BB86}.exe	101
PID 1716 wrote to memory of 4988	1716	{242C17C8-2352-44f8-8148-834447B0BB86}.exe	101
PID 392 wrote to memory of 1084	392	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe	102
PID 392 wrote to memory of 1084	392	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe	102
PID 392 wrote to memory of 1084	392	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe	102
PID 392 wrote to memory of 1372	392	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe	103
PID 392 wrote to memory of 1372	392	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe	103
PID 392 wrote to memory of 1372	392	{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe	103
PID 1084 wrote to memory of 4220	1084	{41C22396-7115-4050-8569-50CA9C907BB8}.exe	105
PID 1084 wrote to memory of 4220	1084	{41C22396-7115-4050-8569-50CA9C907BB8}.exe	105
PID 1084 wrote to memory of 4220	1084	{41C22396-7115-4050-8569-50CA9C907BB8}.exe	105
PID 1084 wrote to memory of 3960	1084	{41C22396-7115-4050-8569-50CA9C907BB8}.exe	106
PID 1084 wrote to memory of 3960	1084	{41C22396-7115-4050-8569-50CA9C907BB8}.exe	106
PID 1084 wrote to memory of 3960	1084	{41C22396-7115-4050-8569-50CA9C907BB8}.exe	106
PID 4220 wrote to memory of 4104	4220	{2D27AACD-292B-4a08-A083-925027AE2987}.exe	107
PID 4220 wrote to memory of 4104	4220	{2D27AACD-292B-4a08-A083-925027AE2987}.exe	107
PID 4220 wrote to memory of 4104	4220	{2D27AACD-292B-4a08-A083-925027AE2987}.exe	107
PID 4220 wrote to memory of 2988	4220	{2D27AACD-292B-4a08-A083-925027AE2987}.exe	108
PID 4220 wrote to memory of 2988	4220	{2D27AACD-292B-4a08-A083-925027AE2987}.exe	108
PID 4220 wrote to memory of 2988	4220	{2D27AACD-292B-4a08-A083-925027AE2987}.exe	108
PID 4104 wrote to memory of 3520	4104	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe	109
PID 4104 wrote to memory of 3520	4104	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe	109
PID 4104 wrote to memory of 3520	4104	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe	109
PID 4104 wrote to memory of 1996	4104	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe	110
PID 4104 wrote to memory of 1996	4104	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe	110
PID 4104 wrote to memory of 1996	4104	{A814F897-D666-42b0-8786-04BA026D2AC1}.exe	110
PID 3520 wrote to memory of 4028	3520	{1817DECA-AAF0-4521-9295-D973618795C6}.exe	111
PID 3520 wrote to memory of 4028	3520	{1817DECA-AAF0-4521-9295-D973618795C6}.exe	111
PID 3520 wrote to memory of 4028	3520	{1817DECA-AAF0-4521-9295-D973618795C6}.exe	111
PID 3520 wrote to memory of 3124	3520	{1817DECA-AAF0-4521-9295-D973618795C6}.exe	112
PID 3520 wrote to memory of 3124	3520	{1817DECA-AAF0-4521-9295-D973618795C6}.exe	112
PID 3520 wrote to memory of 3124	3520	{1817DECA-AAF0-4521-9295-D973618795C6}.exe	112
PID 4028 wrote to memory of 3536	4028	{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe	113
PID 4028 wrote to memory of 3536	4028	{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe	113
PID 4028 wrote to memory of 3536	4028	{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe	113
PID 4028 wrote to memory of 1724	4028	{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe	114

C:\Users\Admin\AppData\Local\Temp\d3a9a902adcd3dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d3a9a902adcd3dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe
  C:\Windows\{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3288
- - C:\Windows\{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe
    C:\Windows\{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{052DA~1.EXE > nul
      4⤵
      PID:4688
  - - C:\Windows\{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe
      C:\Windows\{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\{242C17C8-2352-44f8-8148-834447B0BB86}.exe
        
        C:\Windows\{242C17C8-2352-44f8-8148-834447B0BB86}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe
        
        C:\Windows\{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\{41C22396-7115-4050-8569-50CA9C907BB8}.exe
        
        C:\Windows\{41C22396-7115-4050-8569-50CA9C907BB8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1084
        
        C:\Windows\{2D27AACD-292B-4a08-A083-925027AE2987}.exe
        
        C:\Windows\{2D27AACD-292B-4a08-A083-925027AE2987}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4220
        
        C:\Windows\{A814F897-D666-42b0-8786-04BA026D2AC1}.exe
        
        C:\Windows\{A814F897-D666-42b0-8786-04BA026D2AC1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\{1817DECA-AAF0-4521-9295-D973618795C6}.exe
        
        C:\Windows\{1817DECA-AAF0-4521-9295-D973618795C6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe
        
        C:\Windows\{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe
        
        C:\Windows\{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3536
        
        C:\Windows\{4C2FAF12-1DF6-401a-8EC7-21E42ADD9321}.exe
        
        C:\Windows\{4C2FAF12-1DF6-401a-8EC7-21E42ADD9321}.exe
        13⤵
        Executes dropped EXE
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF007~1.EXE > nul
        13⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7B542~1.EXE > nul
        12⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1817D~1.EXE > nul
        11⤵
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A814F~1.EXE > nul
        10⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D27A~1.EXE > nul
        9⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41C22~1.EXE > nul
        8⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34A20~1.EXE > nul
        7⤵
        
        PID:1372
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{242C1~1.EXE > nul
        6⤵
        
        PID:4988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1494E~1.EXE > nul
        5⤵
        
        PID:968
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{60188~1.EXE > nul
    3⤵
    PID:1992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D3A9A9~1.EXE > nul
  2⤵
  PID:4744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe

Filesize
204KB

MD5
8d525042fc3f7759b7381671eff719b1

SHA1
19023247c77d8cc4e3bee205dd104afe2c34c726

SHA256
ed198d077d4903dbce978b6208106dd4789bffc2824062f8db17f415f3d1227e

SHA512
a27fa9a51ca935a582ac51091124fc27a3229a653ab9ed01c0fab71ef3b2756e4c58fe045723075e24de7f84b06128a76ad36683dede06f8d5055adf89fc684e

Download Submit
C:\Windows\{052DA68D-40B8-4ab2-8D0D-F151D6CBB816}.exe

Filesize
204KB

MD5
8d525042fc3f7759b7381671eff719b1

SHA1
19023247c77d8cc4e3bee205dd104afe2c34c726

SHA256
ed198d077d4903dbce978b6208106dd4789bffc2824062f8db17f415f3d1227e

SHA512
a27fa9a51ca935a582ac51091124fc27a3229a653ab9ed01c0fab71ef3b2756e4c58fe045723075e24de7f84b06128a76ad36683dede06f8d5055adf89fc684e

Download Submit
C:\Windows\{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe

Filesize
204KB

MD5
407e9dbaacbc94b3f20c0c306b347f29

SHA1
1066eb2fdf677a511a4060bdc17daa6a455fba76

SHA256
78b1a954d248b7279d6233fcfea7e089d0fde0c4091585aa6d2bd925f75b0ecc

SHA512
02dd34c6b40fd32f64b0a6e1cad289b5c857b30f297d56fc3e37ea2d6ab3a53f786fd2034ea845d1c63b8b90741b81ebd7ed981d6f4959e0f53bd7ee69f75882

Download Submit
C:\Windows\{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe

Filesize
204KB

MD5
407e9dbaacbc94b3f20c0c306b347f29

SHA1
1066eb2fdf677a511a4060bdc17daa6a455fba76

SHA256
78b1a954d248b7279d6233fcfea7e089d0fde0c4091585aa6d2bd925f75b0ecc

SHA512
02dd34c6b40fd32f64b0a6e1cad289b5c857b30f297d56fc3e37ea2d6ab3a53f786fd2034ea845d1c63b8b90741b81ebd7ed981d6f4959e0f53bd7ee69f75882

Download Submit
C:\Windows\{1494E3CF-7036-4cb2-879B-F66D71F692DE}.exe

Filesize
204KB

MD5
407e9dbaacbc94b3f20c0c306b347f29

SHA1
1066eb2fdf677a511a4060bdc17daa6a455fba76

SHA256
78b1a954d248b7279d6233fcfea7e089d0fde0c4091585aa6d2bd925f75b0ecc

SHA512
02dd34c6b40fd32f64b0a6e1cad289b5c857b30f297d56fc3e37ea2d6ab3a53f786fd2034ea845d1c63b8b90741b81ebd7ed981d6f4959e0f53bd7ee69f75882

Download Submit
C:\Windows\{1817DECA-AAF0-4521-9295-D973618795C6}.exe

Filesize
204KB

MD5
0d482f79b4b1aa3ce62e2917e87c6336

SHA1
1dca7b72e4def780e1cea66249596ed557f94d4f

SHA256
3e8db4d89823bdb33f50b9cd468dc4b33b442687b2857f7cbe373d2608359df2

SHA512
a41992e4e38f412b6eac7d09ff5ca5964a5c90cb988ff2da0a4a3015f755d01dc115fdc5e77d30296d6c4d0d5dd5dfd53a3cf131b47b37534398fe9cf8063362

Download Submit
C:\Windows\{1817DECA-AAF0-4521-9295-D973618795C6}.exe

Filesize
204KB

MD5
0d482f79b4b1aa3ce62e2917e87c6336

SHA1
1dca7b72e4def780e1cea66249596ed557f94d4f

SHA256
3e8db4d89823bdb33f50b9cd468dc4b33b442687b2857f7cbe373d2608359df2

SHA512
a41992e4e38f412b6eac7d09ff5ca5964a5c90cb988ff2da0a4a3015f755d01dc115fdc5e77d30296d6c4d0d5dd5dfd53a3cf131b47b37534398fe9cf8063362

Download Submit
C:\Windows\{242C17C8-2352-44f8-8148-834447B0BB86}.exe

Filesize
204KB

MD5
53fd45f971aba64c39d773851536a452

SHA1
c3ecd10c0db77782769a28be3c06d2833e67fb00

SHA256
430c302fec2f192f0cc085698b98c957f6db7fd2091d042405080ac9cde9906e

SHA512
bdce6a001332a2dc509eefe0d153c72bf38069c0f8ec91f22fed518d5d6874ed256fa786c55b1601b99cef302e9ccfc779e16480272e3428bd62cca86621e40a

Download Submit
C:\Windows\{242C17C8-2352-44f8-8148-834447B0BB86}.exe

Filesize
204KB

MD5
53fd45f971aba64c39d773851536a452

SHA1
c3ecd10c0db77782769a28be3c06d2833e67fb00

SHA256
430c302fec2f192f0cc085698b98c957f6db7fd2091d042405080ac9cde9906e

SHA512
bdce6a001332a2dc509eefe0d153c72bf38069c0f8ec91f22fed518d5d6874ed256fa786c55b1601b99cef302e9ccfc779e16480272e3428bd62cca86621e40a

Download Submit
C:\Windows\{2D27AACD-292B-4a08-A083-925027AE2987}.exe

Filesize
204KB

MD5
54cb34029f5b6ef300095cd4aa0c8282

SHA1
fc886876eecc2546981370603cdd067ea22aeed8

SHA256
10d85075f7ee51a6becea27d9ebe5d585bc950df17641656e7d9f548d9534c8e

SHA512
a79cecf9a08919cc3397e46a8c02694903950f308f9274387b2533c7c555f10e28a968c29c1c753a6b7629c72c65fcdc89341c9a860605d9b293e58c14ffedd5

Download Submit
C:\Windows\{2D27AACD-292B-4a08-A083-925027AE2987}.exe

Filesize
204KB

MD5
54cb34029f5b6ef300095cd4aa0c8282

SHA1
fc886876eecc2546981370603cdd067ea22aeed8

SHA256
10d85075f7ee51a6becea27d9ebe5d585bc950df17641656e7d9f548d9534c8e

SHA512
a79cecf9a08919cc3397e46a8c02694903950f308f9274387b2533c7c555f10e28a968c29c1c753a6b7629c72c65fcdc89341c9a860605d9b293e58c14ffedd5

Download Submit
C:\Windows\{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe

Filesize
204KB

MD5
3b5e5e2fad6380a8318ebaacc058aa54

SHA1
07da8a7da330b93dcbcbab6edae396aaa38b8e48

SHA256
4bcdf8164041a185a1b3cd7d64f121a4aa9ef48bbd8f2c30b7eab6e28f6aaac9

SHA512
2404b0ef6e6bc68a48670676055562c2a124991d7859acb9a2be39ecace80697c4ba35e0721d0c69ac2cf9607bd5401fffbb0cb6c7accb6f24f3c30d4e29ad3f

Download Submit
C:\Windows\{34A20F43-2EC8-42b5-AEC6-32F0EB2F98AD}.exe

Filesize
204KB

MD5
3b5e5e2fad6380a8318ebaacc058aa54

SHA1
07da8a7da330b93dcbcbab6edae396aaa38b8e48

SHA256
4bcdf8164041a185a1b3cd7d64f121a4aa9ef48bbd8f2c30b7eab6e28f6aaac9

SHA512
2404b0ef6e6bc68a48670676055562c2a124991d7859acb9a2be39ecace80697c4ba35e0721d0c69ac2cf9607bd5401fffbb0cb6c7accb6f24f3c30d4e29ad3f

Download Submit
C:\Windows\{41C22396-7115-4050-8569-50CA9C907BB8}.exe

Filesize
204KB

MD5
20a2f89d3db8f39ca70a32862a9c5867

SHA1
0e6a4d70329f5718d1015a80552bc2ed2f018cfb

SHA256
b5eedae66d9f7011f8b044a34cd4b8062463f2ef6b831b3df8664e9364814007

SHA512
daa1fb5cc5366c47fd84ea24b6ead73be6e1fc523a73f8f813c3e0d99cd1f915c39bf60eb7b0fe3f8e446dc8c56a40aa887ca3d67fe3912b9857fa730b3a047d

Download Submit
C:\Windows\{41C22396-7115-4050-8569-50CA9C907BB8}.exe

Filesize
204KB

MD5
20a2f89d3db8f39ca70a32862a9c5867

SHA1
0e6a4d70329f5718d1015a80552bc2ed2f018cfb

SHA256
b5eedae66d9f7011f8b044a34cd4b8062463f2ef6b831b3df8664e9364814007

SHA512
daa1fb5cc5366c47fd84ea24b6ead73be6e1fc523a73f8f813c3e0d99cd1f915c39bf60eb7b0fe3f8e446dc8c56a40aa887ca3d67fe3912b9857fa730b3a047d

Download Submit
C:\Windows\{4C2FAF12-1DF6-401a-8EC7-21E42ADD9321}.exe

Filesize
204KB

MD5
1bee7d48fb450316f0cabbed9cb7deaf

SHA1
c01ea5a2e2cef3806a67b41e60272d9dee344fa6

SHA256
654343f74eccc422e07855eca4f6528a1c68af9f5b09dd49731866b05c68e8fc

SHA512
dde230bfb1ffed2e44b353498b5297e4a4e7ea43c7c69af51ae2cb005e756d5bcf2aec869d320667135cae0bf06efbf20ed021c6b929204e59922ef20f908d85

Download Submit
C:\Windows\{4C2FAF12-1DF6-401a-8EC7-21E42ADD9321}.exe

Filesize
204KB

MD5
1bee7d48fb450316f0cabbed9cb7deaf

SHA1
c01ea5a2e2cef3806a67b41e60272d9dee344fa6

SHA256
654343f74eccc422e07855eca4f6528a1c68af9f5b09dd49731866b05c68e8fc

SHA512
dde230bfb1ffed2e44b353498b5297e4a4e7ea43c7c69af51ae2cb005e756d5bcf2aec869d320667135cae0bf06efbf20ed021c6b929204e59922ef20f908d85

Download Submit
C:\Windows\{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe

Filesize
204KB

MD5
ab8b19300c6115f036f54dea7a4a4cd0

SHA1
b82cd183fa1e16256b6a3d2bec345384d61bce90

SHA256
afd1f705458d9e136f4de17c6687fe9ab979084fa66915df675645f5b8c41893

SHA512
c8db1cb68493f8993fd21044e2bba5be91c5940ed450078570de2544a9b9410db8b11f5f610728c69d32c1ec5f2626a95a475485e1ec74e530c3da63f5bacecd

Download Submit
C:\Windows\{601887E2-A0F4-4220-BF7A-62DEB68BF0F0}.exe

Filesize
204KB

MD5
ab8b19300c6115f036f54dea7a4a4cd0

SHA1
b82cd183fa1e16256b6a3d2bec345384d61bce90

SHA256
afd1f705458d9e136f4de17c6687fe9ab979084fa66915df675645f5b8c41893

SHA512
c8db1cb68493f8993fd21044e2bba5be91c5940ed450078570de2544a9b9410db8b11f5f610728c69d32c1ec5f2626a95a475485e1ec74e530c3da63f5bacecd

Download Submit
C:\Windows\{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe

Filesize
204KB

MD5
19a35c09aa3cf22dbc4fe7b7caed4312

SHA1
1eb8aebb682cc905880efe5052c51e3bccfe1547

SHA256
9ffe883b7e6aebd77fb028c4d966c0c6a63d6afd329144896971911c1462e4fe

SHA512
c5163a368d5b1740c898edd97ddf223c45de72c137295f14ce3100ddf09c2f47043cf39f73eaae751a96c387a77a27e7d20129cf2134806940956ac5cbf62a7e

Download Submit
C:\Windows\{7B54243F-8830-4f12-B4FB-55AFD793F316}.exe

Filesize
204KB

MD5
19a35c09aa3cf22dbc4fe7b7caed4312

SHA1
1eb8aebb682cc905880efe5052c51e3bccfe1547

SHA256
9ffe883b7e6aebd77fb028c4d966c0c6a63d6afd329144896971911c1462e4fe

SHA512
c5163a368d5b1740c898edd97ddf223c45de72c137295f14ce3100ddf09c2f47043cf39f73eaae751a96c387a77a27e7d20129cf2134806940956ac5cbf62a7e

Download Submit
C:\Windows\{A814F897-D666-42b0-8786-04BA026D2AC1}.exe

Filesize
204KB

MD5
6d73809e859911d70bbabe76340af9ca

SHA1
19fb793456aba328e46e247f01e8f26d1feb1871

SHA256
359edb420e08aa92da529e3f7ae2bd7746e639e3793c330ed72296911f1210dc

SHA512
22e5b31ec1b94219946d09d9dca52f150fd952e16f5cc372386a62155966d3187651ef163693f51a2a7a076bde15b587083122252f3432e25ea0d78c77759ebf

Download Submit
C:\Windows\{A814F897-D666-42b0-8786-04BA026D2AC1}.exe

Filesize
204KB

MD5
6d73809e859911d70bbabe76340af9ca

SHA1
19fb793456aba328e46e247f01e8f26d1feb1871

SHA256
359edb420e08aa92da529e3f7ae2bd7746e639e3793c330ed72296911f1210dc

SHA512
22e5b31ec1b94219946d09d9dca52f150fd952e16f5cc372386a62155966d3187651ef163693f51a2a7a076bde15b587083122252f3432e25ea0d78c77759ebf

Download Submit
C:\Windows\{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe

Filesize
204KB

MD5
61826b1553a110236347bdaf18ae6b0a

SHA1
ab86232649a083bc7bec8becd330a1caabccf7ac

SHA256
c17d071f1a0be019644295cbda1f0473b068e5f73f48a1b2ce438e0eb069aaa5

SHA512
93f1e91b61d7a00581b2b0613249ba05421f33226ffc65617df268bb4c58ce3ee02a55d9f875cf4e872f2d53443316d7b65c6219a0bd880ec162fa0dac7f63af

Download Submit
C:\Windows\{EF007D61-0C5F-4a9a-B5CA-3FCAAB86F81B}.exe

Filesize
204KB

MD5
61826b1553a110236347bdaf18ae6b0a

SHA1
ab86232649a083bc7bec8becd330a1caabccf7ac

SHA256
c17d071f1a0be019644295cbda1f0473b068e5f73f48a1b2ce438e0eb069aaa5

SHA512
93f1e91b61d7a00581b2b0613249ba05421f33226ffc65617df268bb4c58ce3ee02a55d9f875cf4e872f2d53443316d7b65c6219a0bd880ec162fa0dac7f63af

Download Submit