a9e0bed3df76a3a4399a9963ca714712d19f394883eda99a05f7fb4968956d45

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc99d27b2a2caaexeexeexeex.exe
Size

192KB
MD5

fc99d27b2a2caa3c2adbb1f0c9be8adb
SHA1

9c35fba96fcbff61ea4f021ac60479ebb5974017
SHA256

a9e0bed3df76a3a4399a9963ca714712d19f394883eda99a05f7fb4968956d45
SHA512

da412c2225d1ca4ed90a3474135e6411a4d4cceb30345d018c94da4e8843ca6366470eddaf579d4eb3234b1c7b7fb662b3e7ac8626c822d61c26a894bb8e5783
SSDEEP

1536:1EGh0ozl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ozl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}\stubpath = "C:\\Windows\\{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe"	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4330983B-0D69-46c9-95E3-F01328E12ABF}	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21BE7712-2F7F-4564-A473-2463F92C778C}\stubpath = "C:\\Windows\\{21BE7712-2F7F-4564-A473-2463F92C778C}.exe"	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{242F332A-1066-4057-A3ED-A5BB3F831450}	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EB3D907-8455-485d-924D-B7A248329A42}\stubpath = "C:\\Windows\\{8EB3D907-8455-485d-924D-B7A248329A42}.exe"	{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}\stubpath = "C:\\Windows\\{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe"	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6577035-1DC7-4650-9595-0ED2F1085DB4}\stubpath = "C:\\Windows\\{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe"	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F85AC5AF-4E6F-4194-A09E-E1499CB8F00E}	{8EB3D907-8455-485d-924D-B7A248329A42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}\stubpath = "C:\\Windows\\{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe"	fc99d27b2a2caaexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{536D3C61-D921-4273-AECE-133B2C2BEC36}	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21BE7712-2F7F-4564-A473-2463F92C778C}	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{242F332A-1066-4057-A3ED-A5BB3F831450}\stubpath = "C:\\Windows\\{242F332A-1066-4057-A3ED-A5BB3F831450}.exe"	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C6577035-1DC7-4650-9595-0ED2F1085DB4}	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}	fc99d27b2a2caaexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE4871B-1805-4bc9-B704-109FF010C382}	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3DE4871B-1805-4bc9-B704-109FF010C382}\stubpath = "C:\\Windows\\{3DE4871B-1805-4bc9-B704-109FF010C382}.exe"	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4330983B-0D69-46c9-95E3-F01328E12ABF}\stubpath = "C:\\Windows\\{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe"	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{536D3C61-D921-4273-AECE-133B2C2BEC36}\stubpath = "C:\\Windows\\{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe"	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{313FBD67-AB81-4da9-A63A-40A0078E65CD}	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{313FBD67-AB81-4da9-A63A-40A0078E65CD}\stubpath = "C:\\Windows\\{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe"	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EB3D907-8455-485d-924D-B7A248329A42}	{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F85AC5AF-4E6F-4194-A09E-E1499CB8F00E}\stubpath = "C:\\Windows\\{F85AC5AF-4E6F-4194-A09E-E1499CB8F00E}.exe"	{8EB3D907-8455-485d-924D-B7A248329A42}.exe

Executes dropped EXE 12 IoCs

pid	Process
4068	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe
2160	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe
3468	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe
8	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe
3448	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe
1972	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe
4336	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe
3948	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe
3904	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe
3120	{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe
1408	{8EB3D907-8455-485d-924D-B7A248329A42}.exe
4936	{F85AC5AF-4E6F-4194-A09E-E1499CB8F00E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe
File created	C:\Windows\{3DE4871B-1805-4bc9-B704-109FF010C382}.exe	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe
File created	C:\Windows\{242F332A-1066-4057-A3ED-A5BB3F831450}.exe	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe
File created	C:\Windows\{F85AC5AF-4E6F-4194-A09E-E1499CB8F00E}.exe	{8EB3D907-8455-485d-924D-B7A248329A42}.exe
File created	C:\Windows\{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe	fc99d27b2a2caaexeexeexeex.exe
File created	C:\Windows\{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe
File created	C:\Windows\{21BE7712-2F7F-4564-A473-2463F92C778C}.exe	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe
File created	C:\Windows\{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe
File created	C:\Windows\{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe
File created	C:\Windows\{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe
File created	C:\Windows\{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe
File created	C:\Windows\{8EB3D907-8455-485d-924D-B7A248329A42}.exe	{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2764	fc99d27b2a2caaexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4068	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe
Token: SeIncBasePriorityPrivilege	2160	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe
Token: SeIncBasePriorityPrivilege	3468	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe
Token: SeIncBasePriorityPrivilege	8	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe
Token: SeIncBasePriorityPrivilege	3448	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe
Token: SeIncBasePriorityPrivilege	1972	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe
Token: SeIncBasePriorityPrivilege	4336	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe
Token: SeIncBasePriorityPrivilege	3948	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe
Token: SeIncBasePriorityPrivilege	3904	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe
Token: SeIncBasePriorityPrivilege	3120	{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe
Token: SeIncBasePriorityPrivilege	1408	{8EB3D907-8455-485d-924D-B7A248329A42}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 4068	2764	fc99d27b2a2caaexeexeexeex.exe	91
PID 2764 wrote to memory of 4068	2764	fc99d27b2a2caaexeexeexeex.exe	91
PID 2764 wrote to memory of 4068	2764	fc99d27b2a2caaexeexeexeex.exe	91
PID 2764 wrote to memory of 1644	2764	fc99d27b2a2caaexeexeexeex.exe	92
PID 2764 wrote to memory of 1644	2764	fc99d27b2a2caaexeexeexeex.exe	92
PID 2764 wrote to memory of 1644	2764	fc99d27b2a2caaexeexeexeex.exe	92
PID 4068 wrote to memory of 2160	4068	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe	94
PID 4068 wrote to memory of 2160	4068	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe	94
PID 4068 wrote to memory of 2160	4068	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe	94
PID 4068 wrote to memory of 4260	4068	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe	95
PID 4068 wrote to memory of 4260	4068	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe	95
PID 4068 wrote to memory of 4260	4068	{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe	95
PID 2160 wrote to memory of 3468	2160	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe	103
PID 2160 wrote to memory of 3468	2160	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe	103
PID 2160 wrote to memory of 3468	2160	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe	103
PID 2160 wrote to memory of 3664	2160	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe	104
PID 2160 wrote to memory of 3664	2160	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe	104
PID 2160 wrote to memory of 3664	2160	{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe	104
PID 3468 wrote to memory of 8	3468	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe	106
PID 3468 wrote to memory of 8	3468	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe	106
PID 3468 wrote to memory of 8	3468	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe	106
PID 3468 wrote to memory of 4220	3468	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe	107
PID 3468 wrote to memory of 4220	3468	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe	107
PID 3468 wrote to memory of 4220	3468	{3DE4871B-1805-4bc9-B704-109FF010C382}.exe	107
PID 8 wrote to memory of 3448	8	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe	108
PID 8 wrote to memory of 3448	8	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe	108
PID 8 wrote to memory of 3448	8	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe	108
PID 8 wrote to memory of 4544	8	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe	109
PID 8 wrote to memory of 4544	8	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe	109
PID 8 wrote to memory of 4544	8	{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe	109
PID 3448 wrote to memory of 1972	3448	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe	111
PID 3448 wrote to memory of 1972	3448	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe	111
PID 3448 wrote to memory of 1972	3448	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe	111
PID 3448 wrote to memory of 2568	3448	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe	112
PID 3448 wrote to memory of 2568	3448	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe	112
PID 3448 wrote to memory of 2568	3448	{21BE7712-2F7F-4564-A473-2463F92C778C}.exe	112
PID 1972 wrote to memory of 4336	1972	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe	113
PID 1972 wrote to memory of 4336	1972	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe	113
PID 1972 wrote to memory of 4336	1972	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe	113
PID 1972 wrote to memory of 5044	1972	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe	114
PID 1972 wrote to memory of 5044	1972	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe	114
PID 1972 wrote to memory of 5044	1972	{242F332A-1066-4057-A3ED-A5BB3F831450}.exe	114
PID 4336 wrote to memory of 3948	4336	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe	115
PID 4336 wrote to memory of 3948	4336	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe	115
PID 4336 wrote to memory of 3948	4336	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe	115
PID 4336 wrote to memory of 752	4336	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe	116
PID 4336 wrote to memory of 752	4336	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe	116
PID 4336 wrote to memory of 752	4336	{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe	116
PID 3948 wrote to memory of 3904	3948	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe	117
PID 3948 wrote to memory of 3904	3948	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe	117
PID 3948 wrote to memory of 3904	3948	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe	117
PID 3948 wrote to memory of 4140	3948	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe	118
PID 3948 wrote to memory of 4140	3948	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe	118
PID 3948 wrote to memory of 4140	3948	{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe	118
PID 3904 wrote to memory of 3120	3904	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe	119
PID 3904 wrote to memory of 3120	3904	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe	119
PID 3904 wrote to memory of 3120	3904	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe	119
PID 3904 wrote to memory of 1592	3904	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe	120
PID 3904 wrote to memory of 1592	3904	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe	120
PID 3904 wrote to memory of 1592	3904	{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe	120
PID 3120 wrote to memory of 1408	3120	{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe	121
PID 3120 wrote to memory of 1408	3120	{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe	121
PID 3120 wrote to memory of 1408	3120	{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe	121
PID 3120 wrote to memory of 3440	3120	{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe	122

C:\Users\Admin\AppData\Local\Temp\fc99d27b2a2caaexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\fc99d27b2a2caaexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe
  C:\Windows\{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4068
- - C:\Windows\{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe
    C:\Windows\{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2160
  - - C:\Windows\{3DE4871B-1805-4bc9-B704-109FF010C382}.exe
      C:\Windows\{3DE4871B-1805-4bc9-B704-109FF010C382}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3468
    - - C:\Windows\{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe
        
        C:\Windows\{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:8
      - C:\Windows\{21BE7712-2F7F-4564-A473-2463F92C778C}.exe
        
        C:\Windows\{21BE7712-2F7F-4564-A473-2463F92C778C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\{242F332A-1066-4057-A3ED-A5BB3F831450}.exe
        
        C:\Windows\{242F332A-1066-4057-A3ED-A5BB3F831450}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe
        
        C:\Windows\{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4336
        
        C:\Windows\{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe
        
        C:\Windows\{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe
        
        C:\Windows\{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3904
        
        C:\Windows\{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe
        
        C:\Windows\{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
        
        C:\Windows\{8EB3D907-8455-485d-924D-B7A248329A42}.exe
        
        C:\Windows\{8EB3D907-8455-485d-924D-B7A248329A42}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\{F85AC5AF-4E6F-4194-A09E-E1499CB8F00E}.exe
        
        C:\Windows\{F85AC5AF-4E6F-4194-A09E-E1499CB8F00E}.exe
        13⤵
        Executes dropped EXE
        
        PID:4936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EB3D~1.EXE > nul
        13⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{313FB~1.EXE > nul
        12⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{536D3~1.EXE > nul
        11⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6577~1.EXE > nul
        10⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6124D~1.EXE > nul
        9⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{242F3~1.EXE > nul
        8⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21BE7~1.EXE > nul
        7⤵
        
        PID:2568
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43309~1.EXE > nul
        6⤵
        
        PID:4544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE48~1.EXE > nul
        5⤵
        
        PID:4220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{62B36~1.EXE > nul
      4⤵
      PID:3664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D58B1~1.EXE > nul
    3⤵
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FC99D2~1.EXE > nul
  2⤵
  PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21BE7712-2F7F-4564-A473-2463F92C778C}.exe

Filesize
192KB

MD5
60cb4ea5418c9b4a2a2c4093f0193a9e

SHA1
2e288093b442c0441a05f1fab137ebb46a8e1935

SHA256
64ca0217df8b3d50aabf3b7eb0d7d62b14cf3b7a929a81cd3826ead54e5ee61f

SHA512
c9d97adb3b4cbb9dcb749349b30e477330b986f21b3af4e00f01fadb220264ed5ced01685f70d6dda3777d92e9eaa6045ecb81075ffc4996b66e87fab08aa843

Download Submit
C:\Windows\{21BE7712-2F7F-4564-A473-2463F92C778C}.exe

Filesize
192KB

MD5
60cb4ea5418c9b4a2a2c4093f0193a9e

SHA1
2e288093b442c0441a05f1fab137ebb46a8e1935

SHA256
64ca0217df8b3d50aabf3b7eb0d7d62b14cf3b7a929a81cd3826ead54e5ee61f

SHA512
c9d97adb3b4cbb9dcb749349b30e477330b986f21b3af4e00f01fadb220264ed5ced01685f70d6dda3777d92e9eaa6045ecb81075ffc4996b66e87fab08aa843

Download Submit
C:\Windows\{242F332A-1066-4057-A3ED-A5BB3F831450}.exe

Filesize
192KB

MD5
5b1748297e3a5230db7c01b6ef6bbf9f

SHA1
f92b41b6fd0f6d08ed6b14b81304fc72241c4363

SHA256
12e9ee2de5dd9fb4cc2ce493ab0c947ba282bab0dd13b3cb261177ded34ad515

SHA512
7c9a6e57f28679618d77cafc465cd3553504e92bae2c57cc749bf813001fc0c40a2980df4ac3f8f9754cc53f0bc5012970ed1d29cab434c126c755e7d9110be3

Download Submit
C:\Windows\{242F332A-1066-4057-A3ED-A5BB3F831450}.exe

Filesize
192KB

MD5
5b1748297e3a5230db7c01b6ef6bbf9f

SHA1
f92b41b6fd0f6d08ed6b14b81304fc72241c4363

SHA256
12e9ee2de5dd9fb4cc2ce493ab0c947ba282bab0dd13b3cb261177ded34ad515

SHA512
7c9a6e57f28679618d77cafc465cd3553504e92bae2c57cc749bf813001fc0c40a2980df4ac3f8f9754cc53f0bc5012970ed1d29cab434c126c755e7d9110be3

Download Submit
C:\Windows\{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe

Filesize
192KB

MD5
c456a09a3ce0d03c50a571a3ceb294f5

SHA1
151e720ec516df38a8400cf6d73d0477b239c222

SHA256
ed5a5653121b5987f360ab2d474cfd19d5cee55630c6317f7e07b05670dd76c5

SHA512
a16a0e112183f9797f333f8e4c34fc920661068dffbf5224d24abadbd17e2333dcee514463ca93a043fd7b35eaad948065ea97edfad43f0727b2713137dfce01

Download Submit
C:\Windows\{313FBD67-AB81-4da9-A63A-40A0078E65CD}.exe

Filesize
192KB

MD5
c456a09a3ce0d03c50a571a3ceb294f5

SHA1
151e720ec516df38a8400cf6d73d0477b239c222

SHA256
ed5a5653121b5987f360ab2d474cfd19d5cee55630c6317f7e07b05670dd76c5

SHA512
a16a0e112183f9797f333f8e4c34fc920661068dffbf5224d24abadbd17e2333dcee514463ca93a043fd7b35eaad948065ea97edfad43f0727b2713137dfce01

Download Submit
C:\Windows\{3DE4871B-1805-4bc9-B704-109FF010C382}.exe

Filesize
192KB

MD5
6fe452c3f78c7214833457b8d8b50a36

SHA1
8ba9f19ae427ba26a35ecf950b52a42247b92434

SHA256
ad8323a8a2a1892dae82d4d2d8bc64ea418ef125a6c361123a5a62338bd01219

SHA512
6a338e559ef056b900d66a25000ce7c16401630c307fbd99f65fd1922bbf0d6d2ff7aa62ecb7707cce8e38126ecc1b8304838bb599ef6e8a339d5f4b67e42233

Download Submit
C:\Windows\{3DE4871B-1805-4bc9-B704-109FF010C382}.exe

Filesize
192KB

MD5
6fe452c3f78c7214833457b8d8b50a36

SHA1
8ba9f19ae427ba26a35ecf950b52a42247b92434

SHA256
ad8323a8a2a1892dae82d4d2d8bc64ea418ef125a6c361123a5a62338bd01219

SHA512
6a338e559ef056b900d66a25000ce7c16401630c307fbd99f65fd1922bbf0d6d2ff7aa62ecb7707cce8e38126ecc1b8304838bb599ef6e8a339d5f4b67e42233

Download Submit
C:\Windows\{3DE4871B-1805-4bc9-B704-109FF010C382}.exe

Filesize
192KB

MD5
6fe452c3f78c7214833457b8d8b50a36

SHA1
8ba9f19ae427ba26a35ecf950b52a42247b92434

SHA256
ad8323a8a2a1892dae82d4d2d8bc64ea418ef125a6c361123a5a62338bd01219

SHA512
6a338e559ef056b900d66a25000ce7c16401630c307fbd99f65fd1922bbf0d6d2ff7aa62ecb7707cce8e38126ecc1b8304838bb599ef6e8a339d5f4b67e42233

Download Submit
C:\Windows\{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe

Filesize
192KB

MD5
075a272a95e58cc442a147a907e415e3

SHA1
dd48c36d69c77f41685a07fcf2c093e675a2dd05

SHA256
5fe149bbdc25a247a48559f7202c5fc01b853c2769368e8a19fd84bcbb8be6fc

SHA512
8de293b2751ecbb38f357a95a1b6fa05eee843943d60a8242f6c89b1141335a38428a749ee944d3fb90b03aaf450badf0c670dc008581b8ddd3c20447ae8b49a

Download Submit
C:\Windows\{4330983B-0D69-46c9-95E3-F01328E12ABF}.exe

Filesize
192KB

MD5
075a272a95e58cc442a147a907e415e3

SHA1
dd48c36d69c77f41685a07fcf2c093e675a2dd05

SHA256
5fe149bbdc25a247a48559f7202c5fc01b853c2769368e8a19fd84bcbb8be6fc

SHA512
8de293b2751ecbb38f357a95a1b6fa05eee843943d60a8242f6c89b1141335a38428a749ee944d3fb90b03aaf450badf0c670dc008581b8ddd3c20447ae8b49a

Download Submit
C:\Windows\{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe

Filesize
192KB

MD5
59cccb324a3ee2ac121dbc9478fe8916

SHA1
7830b4ffb0152e9355669b9918f0a34867ec1fba

SHA256
0705a84ae5f03a5680c9401127da8bdd0beedb698bfcec68a15608fd5c4953f5

SHA512
4d306fef6a98066c4f4aadf8f79fd6cababd51fdce92cbcecb3079a8e3ec8475e4954a8868ee7cb0e951b8c3582c06e6cce092a1189a90c76d31e2445278c0b1

Download Submit
C:\Windows\{536D3C61-D921-4273-AECE-133B2C2BEC36}.exe

Filesize
192KB

MD5
59cccb324a3ee2ac121dbc9478fe8916

SHA1
7830b4ffb0152e9355669b9918f0a34867ec1fba

SHA256
0705a84ae5f03a5680c9401127da8bdd0beedb698bfcec68a15608fd5c4953f5

SHA512
4d306fef6a98066c4f4aadf8f79fd6cababd51fdce92cbcecb3079a8e3ec8475e4954a8868ee7cb0e951b8c3582c06e6cce092a1189a90c76d31e2445278c0b1

Download Submit
C:\Windows\{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe

Filesize
192KB

MD5
5e2b2015369401d68ede7af87c098efa

SHA1
5f46e22d709919926b6dd86d73ac1c62fced3c1b

SHA256
d2dfeeb05d7c780a7e0048c81dfeec5460bc9ad90ce2eed70909abf3011b782e

SHA512
81e2cb65a326a014f55e34b0ab6c5f9c39771ea9b7605efef6e5be4b6a61d75eb088f7ec7546c97a3b08e3aefdb9ab075d7ac461bf86d4e56ec92923c31a0f06

Download Submit
C:\Windows\{6124DBC3-E2FE-4161-9E54-5417BDE1FD84}.exe

Filesize
192KB

MD5
5e2b2015369401d68ede7af87c098efa

SHA1
5f46e22d709919926b6dd86d73ac1c62fced3c1b

SHA256
d2dfeeb05d7c780a7e0048c81dfeec5460bc9ad90ce2eed70909abf3011b782e

SHA512
81e2cb65a326a014f55e34b0ab6c5f9c39771ea9b7605efef6e5be4b6a61d75eb088f7ec7546c97a3b08e3aefdb9ab075d7ac461bf86d4e56ec92923c31a0f06

Download Submit
C:\Windows\{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe

Filesize
192KB

MD5
b0fd7dd54ea7f3d06237a029c3bc18c0

SHA1
8f224428f5dab5f860f705efd79460e9afeb3d53

SHA256
b17c64ef5f9c72781b9370049b79a52c80a00b4188fdce672b180f2813bb5014

SHA512
9cbb8dedaaadce1dddc9d9a12764054df2b828ceb4e588defcab36f7ad158ba7651786b8137c3be34af4fec44c41f88045c59400aba690345a437f7a9782df7b

Download Submit
C:\Windows\{62B36BDC-FFEC-4fc8-B9F9-5A078355BED7}.exe

Filesize
192KB

MD5
b0fd7dd54ea7f3d06237a029c3bc18c0

SHA1
8f224428f5dab5f860f705efd79460e9afeb3d53

SHA256
b17c64ef5f9c72781b9370049b79a52c80a00b4188fdce672b180f2813bb5014

SHA512
9cbb8dedaaadce1dddc9d9a12764054df2b828ceb4e588defcab36f7ad158ba7651786b8137c3be34af4fec44c41f88045c59400aba690345a437f7a9782df7b

Download Submit
C:\Windows\{8EB3D907-8455-485d-924D-B7A248329A42}.exe

Filesize
192KB

MD5
1bfdccd8baa854b703b1d18e2fdf0515

SHA1
03fa715f56271f1569b1e1cb7bbca98af97eba83

SHA256
b134c37cf7428839b74cc5313da9d4391f334eda3bcf38e7a2cbfc3d201af114

SHA512
dc01e2d9ad20afb864dfd32f2775ad47d0b9560cdb4efed5e7ce2d817ffa84081af36af24e500f343836a32a0077d6c9901ee6f5c226512e6294a4661d40c25f

Download Submit
C:\Windows\{8EB3D907-8455-485d-924D-B7A248329A42}.exe

Filesize
192KB

MD5
1bfdccd8baa854b703b1d18e2fdf0515

SHA1
03fa715f56271f1569b1e1cb7bbca98af97eba83

SHA256
b134c37cf7428839b74cc5313da9d4391f334eda3bcf38e7a2cbfc3d201af114

SHA512
dc01e2d9ad20afb864dfd32f2775ad47d0b9560cdb4efed5e7ce2d817ffa84081af36af24e500f343836a32a0077d6c9901ee6f5c226512e6294a4661d40c25f

Download Submit
C:\Windows\{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe

Filesize
192KB

MD5
341131fb091d1d862a616b58c4f466a3

SHA1
74c02ed2f24aa839411d226834e7623febdb54c1

SHA256
123be000e792eb872847eb3cad32f5a9b7b883e76ef489e988f4d481974ce8d0

SHA512
909c9080ea1d93431a49d5cd6fa5a22045bfb5a415094439e539f343a5de8da58d37f0f6348196b04f6688cfefa18494e04a7e642bb5aff60633379063b0996c

Download Submit
C:\Windows\{C6577035-1DC7-4650-9595-0ED2F1085DB4}.exe

Filesize
192KB

MD5
341131fb091d1d862a616b58c4f466a3

SHA1
74c02ed2f24aa839411d226834e7623febdb54c1

SHA256
123be000e792eb872847eb3cad32f5a9b7b883e76ef489e988f4d481974ce8d0

SHA512
909c9080ea1d93431a49d5cd6fa5a22045bfb5a415094439e539f343a5de8da58d37f0f6348196b04f6688cfefa18494e04a7e642bb5aff60633379063b0996c

Download Submit
C:\Windows\{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe

Filesize
192KB

MD5
a318db2c9a812fc63a38924463ea3322

SHA1
e32190acdc30b6718f6fe71a523f93559a2f6dbc

SHA256
a9b4c23615349a5b20e21ed0e375f3260db255e8eb8a4ae48f5d48f1f5847443

SHA512
218773da8acfc8c2416119387a2f2c4833a17a0cb07435f8618dde580815cb6b6903b1305ce4eeda491e3f709e20f52092df12e3fb50e11cc2839f5cf800cd7f

Download Submit
C:\Windows\{D58B127A-F2D6-4120-A2D6-FB3F0D7A4F4A}.exe

Filesize
192KB

MD5
a318db2c9a812fc63a38924463ea3322

SHA1
e32190acdc30b6718f6fe71a523f93559a2f6dbc

SHA256
a9b4c23615349a5b20e21ed0e375f3260db255e8eb8a4ae48f5d48f1f5847443

SHA512
218773da8acfc8c2416119387a2f2c4833a17a0cb07435f8618dde580815cb6b6903b1305ce4eeda491e3f709e20f52092df12e3fb50e11cc2839f5cf800cd7f

Download Submit
C:\Windows\{F85AC5AF-4E6F-4194-A09E-E1499CB8F00E}.exe

Filesize
192KB

MD5
82cee000879081ac583b6b4d626301a4

SHA1
d2bdee7257a09ca9065e72ddbe6974c60b5a97ed

SHA256
0db78a3eecb13f457daa0d39797b6ddab832b71e1adf1dfb2e90f01e54807c90

SHA512
acd17f3ecfa04c34c97f7e07c7a5e3e0290f017c8b5039fb6859fe9073afd36fd943c63f0778f3d7f1862ec5e46144fa9367cd85757f292e0026f22fab38970f

Download Submit
C:\Windows\{F85AC5AF-4E6F-4194-A09E-E1499CB8F00E}.exe

Filesize
192KB

MD5
82cee000879081ac583b6b4d626301a4

SHA1
d2bdee7257a09ca9065e72ddbe6974c60b5a97ed

SHA256
0db78a3eecb13f457daa0d39797b6ddab832b71e1adf1dfb2e90f01e54807c90

SHA512
acd17f3ecfa04c34c97f7e07c7a5e3e0290f017c8b5039fb6859fe9073afd36fd943c63f0778f3d7f1862ec5e46144fa9367cd85757f292e0026f22fab38970f

Download Submit