142ef5a5393625cacfb2b1f3cbac16e2a1ebd3579e3db643e805c6a979690b13

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd3e7228d66a81exeexeexeex.exe
Size

372KB
MD5

dd3e7228d66a816cdf9c803cc78cb46c
SHA1

b681943bfa2319c9961c027e13f9d110d5ea44dc
SHA256

142ef5a5393625cacfb2b1f3cbac16e2a1ebd3579e3db643e805c6a979690b13
SHA512

5cab9121450b98e99bfb15314203d74264cd107d3f869286ff98ee6938f31a1565eb5084364d830cf2e1597653fd035f0c73079e9a53c26f18917f1efdab221b
SSDEEP

3072:CEGh0ormlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGol/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}\stubpath = "C:\\Windows\\{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe"	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}\stubpath = "C:\\Windows\\{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe"	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7537D1C8-604C-459b-9C0B-33AACC5EAE90}\stubpath = "C:\\Windows\\{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe"	{F4468432-9C9A-4f50-A050-415F06482517}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}\stubpath = "C:\\Windows\\{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe"	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7537D1C8-604C-459b-9C0B-33AACC5EAE90}	{F4468432-9C9A-4f50-A050-415F06482517}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}\stubpath = "C:\\Windows\\{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe"	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{326D44AC-5BAD-493d-8F19-70E940ADC59D}\stubpath = "C:\\Windows\\{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe"	dd3e7228d66a81exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89E55FB7-A18D-4588-9C70-D8FF9B74551C}\stubpath = "C:\\Windows\\{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe"	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4468432-9C9A-4f50-A050-415F06482517}	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4468432-9C9A-4f50-A050-415F06482517}\stubpath = "C:\\Windows\\{F4468432-9C9A-4f50-A050-415F06482517}.exe"	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C44BAD22-B454-4e8c-9A8B-303243B25EF1}\stubpath = "C:\\Windows\\{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe"	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}\stubpath = "C:\\Windows\\{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe"	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{326D44AC-5BAD-493d-8F19-70E940ADC59D}	dd3e7228d66a81exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}\stubpath = "C:\\Windows\\{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe"	{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B47989A-5B58-4b49-B46F-F9FC1EAC385B}	{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B47989A-5B58-4b49-B46F-F9FC1EAC385B}\stubpath = "C:\\Windows\\{3B47989A-5B58-4b49-B46F-F9FC1EAC385B}.exe"	{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}	{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C44BAD22-B454-4e8c-9A8B-303243B25EF1}	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89E55FB7-A18D-4588-9C70-D8FF9B74551C}	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe

Executes dropped EXE 12 IoCs

pid	Process
1380	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe
3104	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe
4104	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe
3040	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe
2260	{F4468432-9C9A-4f50-A050-415F06482517}.exe
4732	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe
4920	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe
416	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe
1696	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe
4100	{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe
4168	{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe
5048	{3B47989A-5B58-4b49-B46F-F9FC1EAC385B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe	dd3e7228d66a81exeexeexeex.exe
File created	C:\Windows\{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe
File created	C:\Windows\{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe
File created	C:\Windows\{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe
File created	C:\Windows\{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe
File created	C:\Windows\{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe
File created	C:\Windows\{F4468432-9C9A-4f50-A050-415F06482517}.exe	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe
File created	C:\Windows\{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe	{F4468432-9C9A-4f50-A050-415F06482517}.exe
File created	C:\Windows\{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe
File created	C:\Windows\{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe
File created	C:\Windows\{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe	{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe
File created	C:\Windows\{3B47989A-5B58-4b49-B46F-F9FC1EAC385B}.exe	{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1496	dd3e7228d66a81exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1380	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe
Token: SeIncBasePriorityPrivilege	3104	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe
Token: SeIncBasePriorityPrivilege	4104	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe
Token: SeIncBasePriorityPrivilege	3040	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe
Token: SeIncBasePriorityPrivilege	2260	{F4468432-9C9A-4f50-A050-415F06482517}.exe
Token: SeIncBasePriorityPrivilege	4732	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe
Token: SeIncBasePriorityPrivilege	4920	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe
Token: SeIncBasePriorityPrivilege	416	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe
Token: SeIncBasePriorityPrivilege	1696	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe
Token: SeIncBasePriorityPrivilege	4100	{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe
Token: SeIncBasePriorityPrivilege	4168	{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 1380	1496	dd3e7228d66a81exeexeexeex.exe	87
PID 1496 wrote to memory of 1380	1496	dd3e7228d66a81exeexeexeex.exe	87
PID 1496 wrote to memory of 1380	1496	dd3e7228d66a81exeexeexeex.exe	87
PID 1496 wrote to memory of 1172	1496	dd3e7228d66a81exeexeexeex.exe	88
PID 1496 wrote to memory of 1172	1496	dd3e7228d66a81exeexeexeex.exe	88
PID 1496 wrote to memory of 1172	1496	dd3e7228d66a81exeexeexeex.exe	88
PID 1380 wrote to memory of 3104	1380	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe	89
PID 1380 wrote to memory of 3104	1380	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe	89
PID 1380 wrote to memory of 3104	1380	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe	89
PID 1380 wrote to memory of 3780	1380	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe	90
PID 1380 wrote to memory of 3780	1380	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe	90
PID 1380 wrote to memory of 3780	1380	{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe	90
PID 3104 wrote to memory of 4104	3104	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe	95
PID 3104 wrote to memory of 4104	3104	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe	95
PID 3104 wrote to memory of 4104	3104	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe	95
PID 3104 wrote to memory of 1832	3104	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe	94
PID 3104 wrote to memory of 1832	3104	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe	94
PID 3104 wrote to memory of 1832	3104	{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe	94
PID 4104 wrote to memory of 3040	4104	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe	96
PID 4104 wrote to memory of 3040	4104	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe	96
PID 4104 wrote to memory of 3040	4104	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe	96
PID 4104 wrote to memory of 3548	4104	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe	97
PID 4104 wrote to memory of 3548	4104	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe	97
PID 4104 wrote to memory of 3548	4104	{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe	97
PID 3040 wrote to memory of 2260	3040	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe	98
PID 3040 wrote to memory of 2260	3040	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe	98
PID 3040 wrote to memory of 2260	3040	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe	98
PID 3040 wrote to memory of 4680	3040	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe	99
PID 3040 wrote to memory of 4680	3040	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe	99
PID 3040 wrote to memory of 4680	3040	{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe	99
PID 2260 wrote to memory of 4732	2260	{F4468432-9C9A-4f50-A050-415F06482517}.exe	101
PID 2260 wrote to memory of 4732	2260	{F4468432-9C9A-4f50-A050-415F06482517}.exe	101
PID 2260 wrote to memory of 4732	2260	{F4468432-9C9A-4f50-A050-415F06482517}.exe	101
PID 2260 wrote to memory of 2924	2260	{F4468432-9C9A-4f50-A050-415F06482517}.exe	102
PID 2260 wrote to memory of 2924	2260	{F4468432-9C9A-4f50-A050-415F06482517}.exe	102
PID 2260 wrote to memory of 2924	2260	{F4468432-9C9A-4f50-A050-415F06482517}.exe	102
PID 4732 wrote to memory of 4920	4732	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe	103
PID 4732 wrote to memory of 4920	4732	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe	103
PID 4732 wrote to memory of 4920	4732	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe	103
PID 4732 wrote to memory of 1784	4732	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe	104
PID 4732 wrote to memory of 1784	4732	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe	104
PID 4732 wrote to memory of 1784	4732	{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe	104
PID 4920 wrote to memory of 416	4920	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe	107
PID 4920 wrote to memory of 416	4920	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe	107
PID 4920 wrote to memory of 416	4920	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe	107
PID 4920 wrote to memory of 392	4920	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe	106
PID 4920 wrote to memory of 392	4920	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe	106
PID 4920 wrote to memory of 392	4920	{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe	106
PID 416 wrote to memory of 1696	416	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe	112
PID 416 wrote to memory of 1696	416	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe	112
PID 416 wrote to memory of 1696	416	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe	112
PID 416 wrote to memory of 1452	416	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe	113
PID 416 wrote to memory of 1452	416	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe	113
PID 416 wrote to memory of 1452	416	{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe	113
PID 1696 wrote to memory of 4100	1696	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe	114
PID 1696 wrote to memory of 4100	1696	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe	114
PID 1696 wrote to memory of 4100	1696	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe	114
PID 1696 wrote to memory of 3920	1696	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe	115
PID 1696 wrote to memory of 3920	1696	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe	115
PID 1696 wrote to memory of 3920	1696	{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe	115
PID 4100 wrote to memory of 4168	4100	{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe	116
PID 4100 wrote to memory of 4168	4100	{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe	116
PID 4100 wrote to memory of 4168	4100	{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe	116
PID 4100 wrote to memory of 4252	4100	{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe	117

C:\Users\Admin\AppData\Local\Temp\dd3e7228d66a81exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\dd3e7228d66a81exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe
  C:\Windows\{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Windows\{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe
    C:\Windows\{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{89E55~1.EXE > nul
      4⤵
      PID:1832
  - - C:\Windows\{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe
      C:\Windows\{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4104
    - - C:\Windows\{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe
        
        C:\Windows\{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\{F4468432-9C9A-4f50-A050-415F06482517}.exe
        
        C:\Windows\{F4468432-9C9A-4f50-A050-415F06482517}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe
        
        C:\Windows\{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4732
        
        C:\Windows\{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe
        
        C:\Windows\{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEE26~1.EXE > nul
        9⤵
        
        PID:392
        
        C:\Windows\{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe
        
        C:\Windows\{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:416
        
        C:\Windows\{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe
        
        C:\Windows\{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe
        
        C:\Windows\{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4100
        
        C:\Windows\{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe
        
        C:\Windows\{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4168
        
        C:\Windows\{3B47989A-5B58-4b49-B46F-F9FC1EAC385B}.exe
        
        C:\Windows\{3B47989A-5B58-4b49-B46F-F9FC1EAC385B}.exe
        13⤵
        Executes dropped EXE
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B4AB~1.EXE > nul
        13⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C68AC~1.EXE > nul
        12⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C44BA~1.EXE > nul
        11⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02ABB~1.EXE > nul
        10⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7537D~1.EXE > nul
        8⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4468~1.EXE > nul
        7⤵
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6E203~1.EXE > nul
        6⤵
        
        PID:4680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B477~1.EXE > nul
        5⤵
        
        PID:3548
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{326D4~1.EXE > nul
    3⤵
    PID:3780
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DD3E72~1.EXE > nul
  2⤵
  PID:1172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe

Filesize
372KB

MD5
1dd375f257aa037a700816d24cbc355c

SHA1
4275248f6fa64da0651df77c101af65ff537a260

SHA256
0ac86c86c0b868f848ab75a79f0e15779e9c8d22fc26c1865ef5de812d21c665

SHA512
17d43425144e2a04735a297636c33e338990c7dce4b91221edfa8e4cce68f206332235acb17ef7e2d7af87d0db5d8af3ecf887324b090ccd408b070774070262

Download Submit
C:\Windows\{02ABB2C3-337C-4ff0-8A67-375E2EB4B138}.exe

Filesize
372KB

MD5
1dd375f257aa037a700816d24cbc355c

SHA1
4275248f6fa64da0651df77c101af65ff537a260

SHA256
0ac86c86c0b868f848ab75a79f0e15779e9c8d22fc26c1865ef5de812d21c665

SHA512
17d43425144e2a04735a297636c33e338990c7dce4b91221edfa8e4cce68f206332235acb17ef7e2d7af87d0db5d8af3ecf887324b090ccd408b070774070262

Download Submit
C:\Windows\{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe

Filesize
372KB

MD5
f6da73ed961e1ddec57e5b88b330750b

SHA1
5ba604beaf324071916c823038a8e54878e1bda3

SHA256
e165d1e5586f8691cea05760c75ddaf27afe21f3748d12781dcaa7190b79663a

SHA512
27b963e9f561aa0e65866fc1b36760b70f0e2df37a32023bf93a4c941e2e06125fedcd401653d81e2cbabcf7e1dfdd0f0c22048ff8c25b91bdb0473772a14574

Download Submit
C:\Windows\{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe

Filesize
372KB

MD5
f6da73ed961e1ddec57e5b88b330750b

SHA1
5ba604beaf324071916c823038a8e54878e1bda3

SHA256
e165d1e5586f8691cea05760c75ddaf27afe21f3748d12781dcaa7190b79663a

SHA512
27b963e9f561aa0e65866fc1b36760b70f0e2df37a32023bf93a4c941e2e06125fedcd401653d81e2cbabcf7e1dfdd0f0c22048ff8c25b91bdb0473772a14574

Download Submit
C:\Windows\{2B4779D0-DC4F-4dcd-96B3-E54FCCA5B5E8}.exe

Filesize
372KB

MD5
f6da73ed961e1ddec57e5b88b330750b

SHA1
5ba604beaf324071916c823038a8e54878e1bda3

SHA256
e165d1e5586f8691cea05760c75ddaf27afe21f3748d12781dcaa7190b79663a

SHA512
27b963e9f561aa0e65866fc1b36760b70f0e2df37a32023bf93a4c941e2e06125fedcd401653d81e2cbabcf7e1dfdd0f0c22048ff8c25b91bdb0473772a14574

Download Submit
C:\Windows\{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe

Filesize
372KB

MD5
8046519a6f3838ca26bdd6dd63a3f3a8

SHA1
f7def8f6efbe31b4f2db6a1de9912a7fe8771d68

SHA256
0d887567cd6a78bf21b2707950e430719dbdde1a54d002f11aa56c27b9fc30ce

SHA512
e8adbf5bea17040ab5a74c38b3236e143e16c0fc8d400e83e85f0db63936474190eafea34bd0e6e7046cbceca5f92ac000c579aa0bc61f82190602fbd01b687c

Download Submit
C:\Windows\{326D44AC-5BAD-493d-8F19-70E940ADC59D}.exe

Filesize
372KB

MD5
8046519a6f3838ca26bdd6dd63a3f3a8

SHA1
f7def8f6efbe31b4f2db6a1de9912a7fe8771d68

SHA256
0d887567cd6a78bf21b2707950e430719dbdde1a54d002f11aa56c27b9fc30ce

SHA512
e8adbf5bea17040ab5a74c38b3236e143e16c0fc8d400e83e85f0db63936474190eafea34bd0e6e7046cbceca5f92ac000c579aa0bc61f82190602fbd01b687c

Download Submit
C:\Windows\{3B47989A-5B58-4b49-B46F-F9FC1EAC385B}.exe

Filesize
372KB

MD5
05ddf18c7bb564742d07e4ac6b2716f5

SHA1
a8c02d0b7ee415d876bf9bd835a5456449344b8d

SHA256
3d87b60cf922d9b375d68b3081a85fe9fd7c5f4890b3d148a0d0a28f3a9f7451

SHA512
f96cce9e570546a1e7ec845a9dbd36bf0f009b3c466bb6577b66719886a91f27ac7f36fec09ae86fc771893406f882378b075660fbfaddfdb76585e8f8334a4b

Download Submit
C:\Windows\{3B47989A-5B58-4b49-B46F-F9FC1EAC385B}.exe

Filesize
372KB

MD5
05ddf18c7bb564742d07e4ac6b2716f5

SHA1
a8c02d0b7ee415d876bf9bd835a5456449344b8d

SHA256
3d87b60cf922d9b375d68b3081a85fe9fd7c5f4890b3d148a0d0a28f3a9f7451

SHA512
f96cce9e570546a1e7ec845a9dbd36bf0f009b3c466bb6577b66719886a91f27ac7f36fec09ae86fc771893406f882378b075660fbfaddfdb76585e8f8334a4b

Download Submit
C:\Windows\{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe

Filesize
372KB

MD5
3ea44b57564304496bff18765da166dd

SHA1
6beb9e53ac0ba9dd56cc5ef6ce952498265a5ae2

SHA256
52f91bab5974fa3c08d54a9262320b8d5890c89995e73238aad5a8a2893c7b31

SHA512
eed28a1fa8e395602df3a69e5060854b6330d7d0fd54c30afcf27380c7e18ea70be6c7db2ce2c67042a5b4df1f21306ac47c97681efe42c4a4e1c5fb15ee05e4

Download Submit
C:\Windows\{3B4ABF2E-73AA-4c76-A6DF-D66F8F3FA201}.exe

Filesize
372KB

MD5
3ea44b57564304496bff18765da166dd

SHA1
6beb9e53ac0ba9dd56cc5ef6ce952498265a5ae2

SHA256
52f91bab5974fa3c08d54a9262320b8d5890c89995e73238aad5a8a2893c7b31

SHA512
eed28a1fa8e395602df3a69e5060854b6330d7d0fd54c30afcf27380c7e18ea70be6c7db2ce2c67042a5b4df1f21306ac47c97681efe42c4a4e1c5fb15ee05e4

Download Submit
C:\Windows\{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe

Filesize
372KB

MD5
e2b4ffc5e6c355dbd6d16c69d8fce7d8

SHA1
8a3799198cdce4634a2dcb4b6a0ce115d726e6e4

SHA256
3ed6b55c3335195cf341e8c75cd4cc09948f6b0d22585d89489e51625f2855e2

SHA512
f6465632d3eb88e4723ea06370463d60f23f1c7abf0a73723207817f589d0a018d9401de1865f4367e1fe1b6510bcaff2d4b54e5e0708b1890b34b5c51bc70ef

Download Submit
C:\Windows\{6E2035F1-94A3-4c6f-96A4-E21264A8CD1D}.exe

Filesize
372KB

MD5
e2b4ffc5e6c355dbd6d16c69d8fce7d8

SHA1
8a3799198cdce4634a2dcb4b6a0ce115d726e6e4

SHA256
3ed6b55c3335195cf341e8c75cd4cc09948f6b0d22585d89489e51625f2855e2

SHA512
f6465632d3eb88e4723ea06370463d60f23f1c7abf0a73723207817f589d0a018d9401de1865f4367e1fe1b6510bcaff2d4b54e5e0708b1890b34b5c51bc70ef

Download Submit
C:\Windows\{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe

Filesize
372KB

MD5
985b95b5a0240f2504141593fe0996f9

SHA1
2be7e9bb48a77125e2fbfc9f5fdaa235e8164515

SHA256
e13560233292a896a6e81e80e370e0e9615953d0858ae5016bfe4bd48cf04ca4

SHA512
ce202329bce84337c5bc13062579193764b556f651fdc0e80cda2195807b202ca79badabd5f867e535c3a78a40f6a821f6f260e12c2cfbd5f791eb4055a82433

Download Submit
C:\Windows\{7537D1C8-604C-459b-9C0B-33AACC5EAE90}.exe

Filesize
372KB

MD5
985b95b5a0240f2504141593fe0996f9

SHA1
2be7e9bb48a77125e2fbfc9f5fdaa235e8164515

SHA256
e13560233292a896a6e81e80e370e0e9615953d0858ae5016bfe4bd48cf04ca4

SHA512
ce202329bce84337c5bc13062579193764b556f651fdc0e80cda2195807b202ca79badabd5f867e535c3a78a40f6a821f6f260e12c2cfbd5f791eb4055a82433

Download Submit
C:\Windows\{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe

Filesize
372KB

MD5
0214e4d215216512bf338daec99b947d

SHA1
6884acddeecb684de0b6ca0fce2ce6d97e0ab2df

SHA256
3d303201bbbadcdc1f26807b2297bb598865071f3eb85757e70299731cbb0264

SHA512
e914cf93a75a72c79b4602f774e48881ce2df44b2cfae3a89e2e83bc16d18d9c53ff2e99d31e07d72ef693ca1781a509dd059ea0ae45951c084acd3f3e34af2b

Download Submit
C:\Windows\{89E55FB7-A18D-4588-9C70-D8FF9B74551C}.exe

Filesize
372KB

MD5
0214e4d215216512bf338daec99b947d

SHA1
6884acddeecb684de0b6ca0fce2ce6d97e0ab2df

SHA256
3d303201bbbadcdc1f26807b2297bb598865071f3eb85757e70299731cbb0264

SHA512
e914cf93a75a72c79b4602f774e48881ce2df44b2cfae3a89e2e83bc16d18d9c53ff2e99d31e07d72ef693ca1781a509dd059ea0ae45951c084acd3f3e34af2b

Download Submit
C:\Windows\{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe

Filesize
372KB

MD5
0d29fa00a41bc896ab0d6cbeae06f57d

SHA1
c5e58b607a0bf7bd711622d6dbf77dfda82cdea6

SHA256
4e36fc126704ccfa51d07b09bb53c2f8b670effbce050025878751e1d4114aa0

SHA512
cbf3163ff4b447106a4a9658c946d9f102f9148eea959732fd20acb477402cce350f27de401d5e0a0da37e4b29a7b4e7a617109d291ec2b890cd7363ed9edceb

Download Submit
C:\Windows\{C44BAD22-B454-4e8c-9A8B-303243B25EF1}.exe

Filesize
372KB

MD5
0d29fa00a41bc896ab0d6cbeae06f57d

SHA1
c5e58b607a0bf7bd711622d6dbf77dfda82cdea6

SHA256
4e36fc126704ccfa51d07b09bb53c2f8b670effbce050025878751e1d4114aa0

SHA512
cbf3163ff4b447106a4a9658c946d9f102f9148eea959732fd20acb477402cce350f27de401d5e0a0da37e4b29a7b4e7a617109d291ec2b890cd7363ed9edceb

Download Submit
C:\Windows\{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe

Filesize
372KB

MD5
864dd0519200f6e2ab1100205f6af2fb

SHA1
aab8d69ff69366c7acb63286865f802eece75f2e

SHA256
921ca54e01f09b164eb0ae2778ca38f6edbbb5e3985cf4fee49fbb427dcc94f5

SHA512
1ddd9c1708f08c89a614560663e9be3d75d981cdd1dba6d7e4d480f38130a8b71f20daf11a6adaa4cb7805db2553190eb1c0f4a171fff2c54b0b21ae65d37cdb

Download Submit
C:\Windows\{C68AC4BE-A507-4ca8-A265-8CB61D3DE617}.exe

Filesize
372KB

MD5
864dd0519200f6e2ab1100205f6af2fb

SHA1
aab8d69ff69366c7acb63286865f802eece75f2e

SHA256
921ca54e01f09b164eb0ae2778ca38f6edbbb5e3985cf4fee49fbb427dcc94f5

SHA512
1ddd9c1708f08c89a614560663e9be3d75d981cdd1dba6d7e4d480f38130a8b71f20daf11a6adaa4cb7805db2553190eb1c0f4a171fff2c54b0b21ae65d37cdb

Download Submit
C:\Windows\{F4468432-9C9A-4f50-A050-415F06482517}.exe

Filesize
372KB

MD5
a5b8a164829ca44ca43b45b3193abe92

SHA1
444b3717ed76efe98f7a20e579c21e1e66f5e50a

SHA256
5417ff1726b61a6c173a150bf7403951a1214f93a95abbc227eda4139095472e

SHA512
c37fd6cc1092939a3a3e23af907a09bfa64251bac4f41c4d8efc8cf9e742e8473579d2abcba809eab4a07c48dc755e5fa6ccc2054bb34987d276446c876f6b02

Download Submit
C:\Windows\{F4468432-9C9A-4f50-A050-415F06482517}.exe

Filesize
372KB

MD5
a5b8a164829ca44ca43b45b3193abe92

SHA1
444b3717ed76efe98f7a20e579c21e1e66f5e50a

SHA256
5417ff1726b61a6c173a150bf7403951a1214f93a95abbc227eda4139095472e

SHA512
c37fd6cc1092939a3a3e23af907a09bfa64251bac4f41c4d8efc8cf9e742e8473579d2abcba809eab4a07c48dc755e5fa6ccc2054bb34987d276446c876f6b02

Download Submit
C:\Windows\{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe

Filesize
372KB

MD5
2e9e5ccd17db3b0cbfec5253808645fa

SHA1
5fc951b37e8559766ce8e4e8c8aa7db7ede7fec2

SHA256
5d4df1e77ce0430a1b0bfd7672e0ef4d49170a7d6f288619491255b549abac6d

SHA512
18fdb3741e1d738c1edbe66d330034e49047b64f067e4e78ec5846d5df1beb333e82d7ac2bb43ecf695f209202fceb83d6b8a14db482c118b2301327a0c18138

Download Submit
C:\Windows\{FEE26AAF-8610-4998-9CD7-3B12F8E7EE05}.exe

Filesize
372KB

MD5
2e9e5ccd17db3b0cbfec5253808645fa

SHA1
5fc951b37e8559766ce8e4e8c8aa7db7ede7fec2

SHA256
5d4df1e77ce0430a1b0bfd7672e0ef4d49170a7d6f288619491255b549abac6d

SHA512
18fdb3741e1d738c1edbe66d330034e49047b64f067e4e78ec5846d5df1beb333e82d7ac2bb43ecf695f209202fceb83d6b8a14db482c118b2301327a0c18138

Download Submit