a7a4b8111fc7864464bacff93c8edd4207acb12c4d130e6b53d157c13d095754

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

354447de058bd6exeexeexeex.exe
Size

408KB
MD5

354447de058bd6b4567e234d445f918b
SHA1

94bdec65639cfbc265a3f1eb7b589110f9e8f699
SHA256

a7a4b8111fc7864464bacff93c8edd4207acb12c4d130e6b53d157c13d095754
SHA512

e5902d170334e68e50e527695b8353d7ac4ec67cf3e5a4736c95895f239137d5d8d164f72d0b75fdebccb2ea9b4882c6a20e55a0e5282f6a4dcac8867c0e38c2
SSDEEP

3072:CEGh0oLl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGhldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{419C6890-5983-4141-AC9D-0D3D77FAB265}	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}\stubpath = "C:\\Windows\\{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe"	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B35D305-9C7B-410d-AB64-A8D28FC80652}	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B35D305-9C7B-410d-AB64-A8D28FC80652}\stubpath = "C:\\Windows\\{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe"	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}\stubpath = "C:\\Windows\\{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe"	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}\stubpath = "C:\\Windows\\{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe"	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35701DE7-44FD-4f93-8061-5F6CEC901CFE}	354447de058bd6exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{419C6890-5983-4141-AC9D-0D3D77FAB265}\stubpath = "C:\\Windows\\{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe"	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE0B9593-1490-4e13-891A-B272C08CDFD8}\stubpath = "C:\\Windows\\{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe"	{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6594BD4C-091F-4dce-900A-8C213F30C20F}	{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35701DE7-44FD-4f93-8061-5F6CEC901CFE}\stubpath = "C:\\Windows\\{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe"	354447de058bd6exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDB6A2E9-169F-4c4a-852A-37E67D80841B}	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDB6A2E9-169F-4c4a-852A-37E67D80841B}\stubpath = "C:\\Windows\\{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe"	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}\stubpath = "C:\\Windows\\{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe"	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE0B9593-1490-4e13-891A-B272C08CDFD8}	{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6594BD4C-091F-4dce-900A-8C213F30C20F}\stubpath = "C:\\Windows\\{6594BD4C-091F-4dce-900A-8C213F30C20F}.exe"	{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}\stubpath = "C:\\Windows\\{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe"	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}\stubpath = "C:\\Windows\\{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe"	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe

Executes dropped EXE 12 IoCs

pid	Process
660	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe
5076	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe
3224	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe
2004	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe
2308	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe
2208	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe
4920	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe
4004	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe
4516	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe
1304	{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe
3896	{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe
60	{6594BD4C-091F-4dce-900A-8C213F30C20F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe
File created	C:\Windows\{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe
File created	C:\Windows\{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe
File created	C:\Windows\{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe
File created	C:\Windows\{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe
File created	C:\Windows\{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe
File created	C:\Windows\{6594BD4C-091F-4dce-900A-8C213F30C20F}.exe	{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe
File created	C:\Windows\{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe	354447de058bd6exeexeexeex.exe
File created	C:\Windows\{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe
File created	C:\Windows\{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe
File created	C:\Windows\{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe
File created	C:\Windows\{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe	{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4824	354447de058bd6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	660	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe
Token: SeIncBasePriorityPrivilege	5076	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe
Token: SeIncBasePriorityPrivilege	3224	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe
Token: SeIncBasePriorityPrivilege	2004	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe
Token: SeIncBasePriorityPrivilege	2308	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe
Token: SeIncBasePriorityPrivilege	2208	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe
Token: SeIncBasePriorityPrivilege	4920	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe
Token: SeIncBasePriorityPrivilege	4004	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe
Token: SeIncBasePriorityPrivilege	4516	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe
Token: SeIncBasePriorityPrivilege	1304	{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe
Token: SeIncBasePriorityPrivilege	3896	{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 660	4824	354447de058bd6exeexeexeex.exe	83
PID 4824 wrote to memory of 660	4824	354447de058bd6exeexeexeex.exe	83
PID 4824 wrote to memory of 660	4824	354447de058bd6exeexeexeex.exe	83
PID 4824 wrote to memory of 3480	4824	354447de058bd6exeexeexeex.exe	84
PID 4824 wrote to memory of 3480	4824	354447de058bd6exeexeexeex.exe	84
PID 4824 wrote to memory of 3480	4824	354447de058bd6exeexeexeex.exe	84
PID 660 wrote to memory of 5076	660	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe	85
PID 660 wrote to memory of 5076	660	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe	85
PID 660 wrote to memory of 5076	660	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe	85
PID 660 wrote to memory of 1348	660	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe	86
PID 660 wrote to memory of 1348	660	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe	86
PID 660 wrote to memory of 1348	660	{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe	86
PID 5076 wrote to memory of 3224	5076	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe	88
PID 5076 wrote to memory of 3224	5076	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe	88
PID 5076 wrote to memory of 3224	5076	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe	88
PID 5076 wrote to memory of 2868	5076	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe	89
PID 5076 wrote to memory of 2868	5076	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe	89
PID 5076 wrote to memory of 2868	5076	{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe	89
PID 3224 wrote to memory of 2004	3224	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe	90
PID 3224 wrote to memory of 2004	3224	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe	90
PID 3224 wrote to memory of 2004	3224	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe	90
PID 3224 wrote to memory of 4152	3224	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe	91
PID 3224 wrote to memory of 4152	3224	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe	91
PID 3224 wrote to memory of 4152	3224	{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe	91
PID 2004 wrote to memory of 2308	2004	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe	92
PID 2004 wrote to memory of 2308	2004	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe	92
PID 2004 wrote to memory of 2308	2004	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe	92
PID 2004 wrote to memory of 1972	2004	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe	93
PID 2004 wrote to memory of 1972	2004	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe	93
PID 2004 wrote to memory of 1972	2004	{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe	93
PID 2308 wrote to memory of 2208	2308	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe	94
PID 2308 wrote to memory of 2208	2308	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe	94
PID 2308 wrote to memory of 2208	2308	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe	94
PID 2308 wrote to memory of 648	2308	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe	95
PID 2308 wrote to memory of 648	2308	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe	95
PID 2308 wrote to memory of 648	2308	{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe	95
PID 2208 wrote to memory of 4920	2208	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe	96
PID 2208 wrote to memory of 4920	2208	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe	96
PID 2208 wrote to memory of 4920	2208	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe	96
PID 2208 wrote to memory of 1040	2208	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe	97
PID 2208 wrote to memory of 1040	2208	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe	97
PID 2208 wrote to memory of 1040	2208	{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe	97
PID 4920 wrote to memory of 4004	4920	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe	98
PID 4920 wrote to memory of 4004	4920	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe	98
PID 4920 wrote to memory of 4004	4920	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe	98
PID 4920 wrote to memory of 1568	4920	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe	99
PID 4920 wrote to memory of 1568	4920	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe	99
PID 4920 wrote to memory of 1568	4920	{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe	99
PID 4004 wrote to memory of 4516	4004	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe	100
PID 4004 wrote to memory of 4516	4004	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe	100
PID 4004 wrote to memory of 4516	4004	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe	100
PID 4004 wrote to memory of 4544	4004	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe	101
PID 4004 wrote to memory of 4544	4004	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe	101
PID 4004 wrote to memory of 4544	4004	{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe	101
PID 4516 wrote to memory of 1304	4516	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe	102
PID 4516 wrote to memory of 1304	4516	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe	102
PID 4516 wrote to memory of 1304	4516	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe	102
PID 4516 wrote to memory of 732	4516	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe	103
PID 4516 wrote to memory of 732	4516	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe	103
PID 4516 wrote to memory of 732	4516	{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe	103
PID 1304 wrote to memory of 3896	1304	{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe	104
PID 1304 wrote to memory of 3896	1304	{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe	104
PID 1304 wrote to memory of 3896	1304	{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe	104
PID 1304 wrote to memory of 3776	1304	{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe	105

C:\Users\Admin\AppData\Local\Temp\354447de058bd6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\354447de058bd6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Windows\{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe
  C:\Windows\{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:660
- - C:\Windows\{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe
    C:\Windows\{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe
      C:\Windows\{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3224
    - - C:\Windows\{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe
        
        C:\Windows\{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
      - C:\Windows\{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe
        
        C:\Windows\{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe
        
        C:\Windows\{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe
        
        C:\Windows\{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe
        
        C:\Windows\{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe
        
        C:\Windows\{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe
        
        C:\Windows\{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe
        
        C:\Windows\{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3896
        
        C:\Windows\{6594BD4C-091F-4dce-900A-8C213F30C20F}.exe
        
        C:\Windows\{6594BD4C-091F-4dce-900A-8C213F30C20F}.exe
        13⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE0B9~1.EXE > nul
        13⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02ABD~1.EXE > nul
        12⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8114~1.EXE > nul
        11⤵
        
        PID:732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDB6A~1.EXE > nul
        10⤵
        
        PID:4544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D618~1.EXE > nul
        9⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B35D~1.EXE > nul
        8⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32BFB~1.EXE > nul
        7⤵
        
        PID:648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{419C6~1.EXE > nul
        6⤵
        
        PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3A603~1.EXE > nul
        5⤵
        
        PID:4152
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E44E6~1.EXE > nul
      4⤵
      PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{35701~1.EXE > nul
    3⤵
    PID:1348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\354447~1.EXE > nul
  2⤵
  PID:3480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe

Filesize
408KB

MD5
9a74a23ddaf9e30f46b3e945a6d9a224

SHA1
821fdfb9ad369b34a2bb5cda52525f36794fc698

SHA256
8aa80dce9e0ece26b89647b96a54f4ea9a99026379a779dbca57fcdeb9d0a74f

SHA512
1c215c4636dc2e3e37972b570215d98f75fad9da329b67df9a645d2cb2b51eb97d77d707fc89f0d08914dd3bc1600b4ca8dcbe5c6374540359d7352b5d1db8be

Download Submit
C:\Windows\{02ABD7DF-9BCF-4022-82A3-3B7C4DBA884E}.exe

Filesize
408KB

MD5
9a74a23ddaf9e30f46b3e945a6d9a224

SHA1
821fdfb9ad369b34a2bb5cda52525f36794fc698

SHA256
8aa80dce9e0ece26b89647b96a54f4ea9a99026379a779dbca57fcdeb9d0a74f

SHA512
1c215c4636dc2e3e37972b570215d98f75fad9da329b67df9a645d2cb2b51eb97d77d707fc89f0d08914dd3bc1600b4ca8dcbe5c6374540359d7352b5d1db8be

Download Submit
C:\Windows\{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe

Filesize
408KB

MD5
504170e081e9797fc94cecd234ceeacb

SHA1
603380c688dc5c96e4ad968d3b1249aa6a058433

SHA256
748a533dd11a007162f134dedafacc15fc9ab97e0018c6232c0a357df13579de

SHA512
dc952eb32e57a3273b5dab05df561f67ddee30f09ffcdb3a3d79cc43415579792453670374cbf6319b2d5c7b1ec93ee2b7da5eaf2ecadace22a517fd1f4953b8

Download Submit
C:\Windows\{32BFB6C6-341B-46bb-9E56-FA148D3DA9A9}.exe

Filesize
408KB

MD5
504170e081e9797fc94cecd234ceeacb

SHA1
603380c688dc5c96e4ad968d3b1249aa6a058433

SHA256
748a533dd11a007162f134dedafacc15fc9ab97e0018c6232c0a357df13579de

SHA512
dc952eb32e57a3273b5dab05df561f67ddee30f09ffcdb3a3d79cc43415579792453670374cbf6319b2d5c7b1ec93ee2b7da5eaf2ecadace22a517fd1f4953b8

Download Submit
C:\Windows\{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe

Filesize
408KB

MD5
035d3acbc61367af84e5f8cc2fc82aa7

SHA1
83b5ad83108f6bff7815b39753bc9a7691d388d7

SHA256
99bf0577c3515734484b4f68dc49f56749230ad4476f75a9cb0364a046ab3abe

SHA512
020ab49c594ead89566155a25dacd4b7960374946d176bb72250dab6f8d45e9f754b8f0c0da94be050b73ba5c10424d8a1f05244827a57dfa8a4542099185165

Download Submit
C:\Windows\{35701DE7-44FD-4f93-8061-5F6CEC901CFE}.exe

Filesize
408KB

MD5
035d3acbc61367af84e5f8cc2fc82aa7

SHA1
83b5ad83108f6bff7815b39753bc9a7691d388d7

SHA256
99bf0577c3515734484b4f68dc49f56749230ad4476f75a9cb0364a046ab3abe

SHA512
020ab49c594ead89566155a25dacd4b7960374946d176bb72250dab6f8d45e9f754b8f0c0da94be050b73ba5c10424d8a1f05244827a57dfa8a4542099185165

Download Submit
C:\Windows\{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe

Filesize
408KB

MD5
c7900095ed189276a10bd38fa15f919a

SHA1
a4e6abd5b4c4e8b21b1f07e6306fe729749b3e5f

SHA256
a588988987b46d74eb9f66d02359fd84b2b32cec12bbabe2e97d6a12f49c577f

SHA512
3ed9d18b756301755e81aad2c42e0a96b3ffc38dc87a7f53201e2d831ef0e660bad169cd9c090cf9e96b3ffb226c243428818b758a0a36a89df067fee437ef5d

Download Submit
C:\Windows\{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe

Filesize
408KB

MD5
c7900095ed189276a10bd38fa15f919a

SHA1
a4e6abd5b4c4e8b21b1f07e6306fe729749b3e5f

SHA256
a588988987b46d74eb9f66d02359fd84b2b32cec12bbabe2e97d6a12f49c577f

SHA512
3ed9d18b756301755e81aad2c42e0a96b3ffc38dc87a7f53201e2d831ef0e660bad169cd9c090cf9e96b3ffb226c243428818b758a0a36a89df067fee437ef5d

Download Submit
C:\Windows\{3A603A8B-17DA-4b27-BDC3-F523B0F0F34B}.exe

Filesize
408KB

MD5
c7900095ed189276a10bd38fa15f919a

SHA1
a4e6abd5b4c4e8b21b1f07e6306fe729749b3e5f

SHA256
a588988987b46d74eb9f66d02359fd84b2b32cec12bbabe2e97d6a12f49c577f

SHA512
3ed9d18b756301755e81aad2c42e0a96b3ffc38dc87a7f53201e2d831ef0e660bad169cd9c090cf9e96b3ffb226c243428818b758a0a36a89df067fee437ef5d

Download Submit
C:\Windows\{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe

Filesize
408KB

MD5
6610093046ccfb45cfaaa627b8c6f5b7

SHA1
505c26899c04891f0a5b12d87fe469136e842d76

SHA256
8ae02c9c3c0bf26b18176b5bd4311dae6a4da225a8f58f3435ebd247fc16ca59

SHA512
dff2412b078fcd8cdde639ea1c7c7fa434f70ec04d05a332ebdcf9e2e353aea7934e3cd7fa04aaf5eea59e2319097d51421bb2a0b78d1782e1861f09b6460b36

Download Submit
C:\Windows\{419C6890-5983-4141-AC9D-0D3D77FAB265}.exe

Filesize
408KB

MD5
6610093046ccfb45cfaaa627b8c6f5b7

SHA1
505c26899c04891f0a5b12d87fe469136e842d76

SHA256
8ae02c9c3c0bf26b18176b5bd4311dae6a4da225a8f58f3435ebd247fc16ca59

SHA512
dff2412b078fcd8cdde639ea1c7c7fa434f70ec04d05a332ebdcf9e2e353aea7934e3cd7fa04aaf5eea59e2319097d51421bb2a0b78d1782e1861f09b6460b36

Download Submit
C:\Windows\{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe

Filesize
408KB

MD5
37a3541bcefd0f664f2c135166a8feff

SHA1
d5a0d528d6f163aa2b6f7ee55122623718f1f5ce

SHA256
87f65cde1d9a0f2096e81687f276e5471dc17b5cad4cc47d196d0abdd95acc35

SHA512
009cdf9b0fc0b620fb44fd7c3e9d0684b8d0689774aeb560e0025917d8e069969695fb0e2e3d538bd8014ab26dd6d6fbab593a872eb610dabd97619c14171d80

Download Submit
C:\Windows\{5D618F93-A6E4-459b-9B6D-D9DC89108E4E}.exe

Filesize
408KB

MD5
37a3541bcefd0f664f2c135166a8feff

SHA1
d5a0d528d6f163aa2b6f7ee55122623718f1f5ce

SHA256
87f65cde1d9a0f2096e81687f276e5471dc17b5cad4cc47d196d0abdd95acc35

SHA512
009cdf9b0fc0b620fb44fd7c3e9d0684b8d0689774aeb560e0025917d8e069969695fb0e2e3d538bd8014ab26dd6d6fbab593a872eb610dabd97619c14171d80

Download Submit
C:\Windows\{6594BD4C-091F-4dce-900A-8C213F30C20F}.exe

Filesize
408KB

MD5
4e87099dad670891293286e72d132eca

SHA1
9e1a51d9b344b1577f3b749ae6b666bc3b950fed

SHA256
b0ca0c6de3eddddfa2d1aaf6b1c67e6c6bd6f8b7ba044559313f2d385f928c5c

SHA512
485e87cdf4ed1563469fbba88b83bf0c1aa8241292fb536346b55114b4f94b0b7a65c39afef87b3d103069698a8a060778d1495a70af486ae2b5a85c7002402f

Download Submit
C:\Windows\{6594BD4C-091F-4dce-900A-8C213F30C20F}.exe

Filesize
408KB

MD5
4e87099dad670891293286e72d132eca

SHA1
9e1a51d9b344b1577f3b749ae6b666bc3b950fed

SHA256
b0ca0c6de3eddddfa2d1aaf6b1c67e6c6bd6f8b7ba044559313f2d385f928c5c

SHA512
485e87cdf4ed1563469fbba88b83bf0c1aa8241292fb536346b55114b4f94b0b7a65c39afef87b3d103069698a8a060778d1495a70af486ae2b5a85c7002402f

Download Submit
C:\Windows\{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe

Filesize
408KB

MD5
e2c4ba5454bfc19b07889d6ff5c90743

SHA1
fec6b8088226a47d5dfedecb6f3cf46ac53a69ac

SHA256
e741d12325f0caee466af28b305f995eab9ba5b9fdf9e74bd53f42110d761e50

SHA512
5b85925488965f76a9ee849a10d3a1f56fb929f4c4da7463a6b5ae9ed8373f598eae854e166757841e0d6b4d39f70526934cca2e59bd3e68902124a1aab879d1

Download Submit
C:\Windows\{6B35D305-9C7B-410d-AB64-A8D28FC80652}.exe

Filesize
408KB

MD5
e2c4ba5454bfc19b07889d6ff5c90743

SHA1
fec6b8088226a47d5dfedecb6f3cf46ac53a69ac

SHA256
e741d12325f0caee466af28b305f995eab9ba5b9fdf9e74bd53f42110d761e50

SHA512
5b85925488965f76a9ee849a10d3a1f56fb929f4c4da7463a6b5ae9ed8373f598eae854e166757841e0d6b4d39f70526934cca2e59bd3e68902124a1aab879d1

Download Submit
C:\Windows\{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe

Filesize
408KB

MD5
90eae5d84944ab14c9603609022c6245

SHA1
467961e9aa50d6ca0e37c5b0d200da1d0fd18e74

SHA256
1c8d10d4591d2e97442c65ac0c6d8167d7224697a4181f662e246d0915988532

SHA512
344a79ae9d8de1a60f53ec96c0974cdc15dd86bcdd8a32ebb088bbaafe74f6d5ec638146af687446c2915e73c6672ceaa7c01d02b3a396c7863cc88da0e994d0

Download Submit
C:\Windows\{C8114CA4-AA9B-4bae-80BB-DA7738ABEB64}.exe

Filesize
408KB

MD5
90eae5d84944ab14c9603609022c6245

SHA1
467961e9aa50d6ca0e37c5b0d200da1d0fd18e74

SHA256
1c8d10d4591d2e97442c65ac0c6d8167d7224697a4181f662e246d0915988532

SHA512
344a79ae9d8de1a60f53ec96c0974cdc15dd86bcdd8a32ebb088bbaafe74f6d5ec638146af687446c2915e73c6672ceaa7c01d02b3a396c7863cc88da0e994d0

Download Submit
C:\Windows\{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe

Filesize
408KB

MD5
7dea80d124d275c04ff31b8c2675470b

SHA1
99e2acbdbc78d06d32bd8338ea5e4c09a65d6e6f

SHA256
846b8c58f03eb5418bd3cd2fb777b5bc6207996f2093909fb668dd8a16881bf4

SHA512
20364da4b6334ba616a7c72d2b1b6f7263cdc81a358392155beed8f7e59a94adf753bc01610c97a5d0fd927507858b5bd939fa40023aca2404ff096a08618355

Download Submit
C:\Windows\{DDB6A2E9-169F-4c4a-852A-37E67D80841B}.exe

Filesize
408KB

MD5
7dea80d124d275c04ff31b8c2675470b

SHA1
99e2acbdbc78d06d32bd8338ea5e4c09a65d6e6f

SHA256
846b8c58f03eb5418bd3cd2fb777b5bc6207996f2093909fb668dd8a16881bf4

SHA512
20364da4b6334ba616a7c72d2b1b6f7263cdc81a358392155beed8f7e59a94adf753bc01610c97a5d0fd927507858b5bd939fa40023aca2404ff096a08618355

Download Submit
C:\Windows\{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe

Filesize
408KB

MD5
2718f4a7bc1089e5da5bdedf9878bba9

SHA1
ddfe234eb1cfe1f219a06329cf72171ff6b220e1

SHA256
48e2e0b7b635dbcb43734bfcf90a241a1ea33961d56d40cd7f0e28ba7e619821

SHA512
5bb4ab2062c759dd6c0ce8a30c27df0ebd1651c90da4658ac1fd2048000f3aea4923e24b0548f8cd2470902a338be975f286e5076836964290284e80d73adcea

Download Submit
C:\Windows\{E44E69D7-4A9A-490d-ADC2-DD587F5CF00D}.exe

Filesize
408KB

MD5
2718f4a7bc1089e5da5bdedf9878bba9

SHA1
ddfe234eb1cfe1f219a06329cf72171ff6b220e1

SHA256
48e2e0b7b635dbcb43734bfcf90a241a1ea33961d56d40cd7f0e28ba7e619821

SHA512
5bb4ab2062c759dd6c0ce8a30c27df0ebd1651c90da4658ac1fd2048000f3aea4923e24b0548f8cd2470902a338be975f286e5076836964290284e80d73adcea

Download Submit
C:\Windows\{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe

Filesize
408KB

MD5
42eba73d54fe2a0c0e1c38d5226f7686

SHA1
3ef8c440ebe2939e864cd59195eb94b05bbc0782

SHA256
aba136c06dfb57542152533781eeee36da9001d85b924381c77ef7a03a414527

SHA512
1e860587857e0843afff404300de767419447b6a5f39960d053a460584d4b1937724cb5faf3ebd087b9ee3ef4d7258cf59c9d422a4deb26ce29af65801359cb2

Download Submit
C:\Windows\{EE0B9593-1490-4e13-891A-B272C08CDFD8}.exe

Filesize
408KB

MD5
42eba73d54fe2a0c0e1c38d5226f7686

SHA1
3ef8c440ebe2939e864cd59195eb94b05bbc0782

SHA256
aba136c06dfb57542152533781eeee36da9001d85b924381c77ef7a03a414527

SHA512
1e860587857e0843afff404300de767419447b6a5f39960d053a460584d4b1937724cb5faf3ebd087b9ee3ef4d7258cf59c9d422a4deb26ce29af65801359cb2

Download Submit