e9f89ad6cadceb3a9a861ef4ec93a3680eec338a496fc1a53e0ab514fe18cae8

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35fda886396cc8exeexeexeex.exe
Size

216KB
MD5

35fda886396cc8b38240c073b59cb56f
SHA1

8a7aab3388de5cd336b9b031f4ec4532d59823ef
SHA256

e9f89ad6cadceb3a9a861ef4ec93a3680eec338a496fc1a53e0ab514fe18cae8
SHA512

b1ba757d420d05aa410ff626c1777ea6ae85961b1cae47716a9414a41de38fd059d661ac2b0427bac6e3c68e5a05a8ca12ce3347515ffe02c9a5998e9e5694d9
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGTlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4BD7616-C831-47bf-B7D3-5A020235481D}\stubpath = "C:\\Windows\\{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe"	{94915012-0F8E-4488-89AD-68A85B03695E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{529E647B-CC28-4495-A3F4-81756382ECCA}\stubpath = "C:\\Windows\\{529E647B-CC28-4495-A3F4-81756382ECCA}.exe"	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6502DF23-D661-46ba-A460-5F53CC3EEC86}\stubpath = "C:\\Windows\\{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe"	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DC28DA5-145E-4dc8-848F-0E43F78E0882}	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4BD7616-C831-47bf-B7D3-5A020235481D}	{94915012-0F8E-4488-89AD-68A85B03695E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2A9CEAF-7F6D-4dc0-8F0F-270E590819AC}	{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDED034E-F912-424f-9952-1B3D87AA1CD4}\stubpath = "C:\\Windows\\{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe"	35fda886396cc8exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F2C2441-310C-46a4-813D-422AF10A0D95}\stubpath = "C:\\Windows\\{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe"	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}\stubpath = "C:\\Windows\\{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe"	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD6B2330-37DC-4618-9336-C33C932CD130}	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6502DF23-D661-46ba-A460-5F53CC3EEC86}	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2A9CEAF-7F6D-4dc0-8F0F-270E590819AC}\stubpath = "C:\\Windows\\{F2A9CEAF-7F6D-4dc0-8F0F-270E590819AC}.exe"	{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}\stubpath = "C:\\Windows\\{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe"	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{529E647B-CC28-4495-A3F4-81756382ECCA}	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F2C2441-310C-46a4-813D-422AF10A0D95}	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0DC28DA5-145E-4dc8-848F-0E43F78E0882}\stubpath = "C:\\Windows\\{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe"	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94915012-0F8E-4488-89AD-68A85B03695E}\stubpath = "C:\\Windows\\{94915012-0F8E-4488-89AD-68A85B03695E}.exe"	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDED034E-F912-424f-9952-1B3D87AA1CD4}	35fda886396cc8exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD6B2330-37DC-4618-9336-C33C932CD130}\stubpath = "C:\\Windows\\{FD6B2330-37DC-4618-9336-C33C932CD130}.exe"	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}\stubpath = "C:\\Windows\\{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe"	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94915012-0F8E-4488-89AD-68A85B03695E}	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe

Executes dropped EXE 12 IoCs

pid	Process
1876	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe
384	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe
912	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe
3120	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe
3704	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe
2196	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe
2980	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe
4856	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe
5032	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe
3320	{94915012-0F8E-4488-89AD-68A85B03695E}.exe
1756	{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe
60	{F2A9CEAF-7F6D-4dc0-8F0F-270E590819AC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe
File created	C:\Windows\{FD6B2330-37DC-4618-9336-C33C932CD130}.exe	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe
File created	C:\Windows\{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe
File created	C:\Windows\{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe
File created	C:\Windows\{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe	{94915012-0F8E-4488-89AD-68A85B03695E}.exe
File created	C:\Windows\{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe	35fda886396cc8exeexeexeex.exe
File created	C:\Windows\{529E647B-CC28-4495-A3F4-81756382ECCA}.exe	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe
File created	C:\Windows\{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe
File created	C:\Windows\{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe
File created	C:\Windows\{94915012-0F8E-4488-89AD-68A85B03695E}.exe	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe
File created	C:\Windows\{F2A9CEAF-7F6D-4dc0-8F0F-270E590819AC}.exe	{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe
File created	C:\Windows\{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2360	35fda886396cc8exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1876	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe
Token: SeIncBasePriorityPrivilege	384	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe
Token: SeIncBasePriorityPrivilege	912	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe
Token: SeIncBasePriorityPrivilege	3120	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe
Token: SeIncBasePriorityPrivilege	3704	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe
Token: SeIncBasePriorityPrivilege	2196	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe
Token: SeIncBasePriorityPrivilege	2980	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe
Token: SeIncBasePriorityPrivilege	4856	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe
Token: SeIncBasePriorityPrivilege	5032	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe
Token: SeIncBasePriorityPrivilege	3320	{94915012-0F8E-4488-89AD-68A85B03695E}.exe
Token: SeIncBasePriorityPrivilege	1756	{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2360 wrote to memory of 1876	2360	35fda886396cc8exeexeexeex.exe	83
PID 2360 wrote to memory of 1876	2360	35fda886396cc8exeexeexeex.exe	83
PID 2360 wrote to memory of 1876	2360	35fda886396cc8exeexeexeex.exe	83
PID 2360 wrote to memory of 4304	2360	35fda886396cc8exeexeexeex.exe	84
PID 2360 wrote to memory of 4304	2360	35fda886396cc8exeexeexeex.exe	84
PID 2360 wrote to memory of 4304	2360	35fda886396cc8exeexeexeex.exe	84
PID 1876 wrote to memory of 384	1876	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe	85
PID 1876 wrote to memory of 384	1876	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe	85
PID 1876 wrote to memory of 384	1876	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe	85
PID 1876 wrote to memory of 4168	1876	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe	86
PID 1876 wrote to memory of 4168	1876	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe	86
PID 1876 wrote to memory of 4168	1876	{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe	86
PID 384 wrote to memory of 912	384	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe	89
PID 384 wrote to memory of 912	384	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe	89
PID 384 wrote to memory of 912	384	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe	89
PID 384 wrote to memory of 628	384	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe	88
PID 384 wrote to memory of 628	384	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe	88
PID 384 wrote to memory of 628	384	{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe	88
PID 912 wrote to memory of 3120	912	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe	90
PID 912 wrote to memory of 3120	912	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe	90
PID 912 wrote to memory of 3120	912	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe	90
PID 912 wrote to memory of 4268	912	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe	91
PID 912 wrote to memory of 4268	912	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe	91
PID 912 wrote to memory of 4268	912	{529E647B-CC28-4495-A3F4-81756382ECCA}.exe	91
PID 3120 wrote to memory of 3704	3120	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe	92
PID 3120 wrote to memory of 3704	3120	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe	92
PID 3120 wrote to memory of 3704	3120	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe	92
PID 3120 wrote to memory of 3208	3120	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe	93
PID 3120 wrote to memory of 3208	3120	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe	93
PID 3120 wrote to memory of 3208	3120	{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe	93
PID 3704 wrote to memory of 2196	3704	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe	94
PID 3704 wrote to memory of 2196	3704	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe	94
PID 3704 wrote to memory of 2196	3704	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe	94
PID 3704 wrote to memory of 2140	3704	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe	95
PID 3704 wrote to memory of 2140	3704	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe	95
PID 3704 wrote to memory of 2140	3704	{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe	95
PID 2196 wrote to memory of 2980	2196	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe	96
PID 2196 wrote to memory of 2980	2196	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe	96
PID 2196 wrote to memory of 2980	2196	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe	96
PID 2196 wrote to memory of 4832	2196	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe	97
PID 2196 wrote to memory of 4832	2196	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe	97
PID 2196 wrote to memory of 4832	2196	{FD6B2330-37DC-4618-9336-C33C932CD130}.exe	97
PID 2980 wrote to memory of 4856	2980	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe	98
PID 2980 wrote to memory of 4856	2980	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe	98
PID 2980 wrote to memory of 4856	2980	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe	98
PID 2980 wrote to memory of 1452	2980	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe	99
PID 2980 wrote to memory of 1452	2980	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe	99
PID 2980 wrote to memory of 1452	2980	{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe	99
PID 4856 wrote to memory of 5032	4856	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe	100
PID 4856 wrote to memory of 5032	4856	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe	100
PID 4856 wrote to memory of 5032	4856	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe	100
PID 4856 wrote to memory of 3400	4856	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe	101
PID 4856 wrote to memory of 3400	4856	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe	101
PID 4856 wrote to memory of 3400	4856	{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe	101
PID 5032 wrote to memory of 3320	5032	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe	102
PID 5032 wrote to memory of 3320	5032	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe	102
PID 5032 wrote to memory of 3320	5032	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe	102
PID 5032 wrote to memory of 2388	5032	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe	103
PID 5032 wrote to memory of 2388	5032	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe	103
PID 5032 wrote to memory of 2388	5032	{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe	103
PID 3320 wrote to memory of 1756	3320	{94915012-0F8E-4488-89AD-68A85B03695E}.exe	104
PID 3320 wrote to memory of 1756	3320	{94915012-0F8E-4488-89AD-68A85B03695E}.exe	104
PID 3320 wrote to memory of 1756	3320	{94915012-0F8E-4488-89AD-68A85B03695E}.exe	104
PID 3320 wrote to memory of 4400	3320	{94915012-0F8E-4488-89AD-68A85B03695E}.exe	105

C:\Users\Admin\AppData\Local\Temp\35fda886396cc8exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\35fda886396cc8exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2360
- C:\Windows\{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe
  C:\Windows\{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe
    C:\Windows\{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CB1ED~1.EXE > nul
      4⤵
      PID:628
  - - C:\Windows\{529E647B-CC28-4495-A3F4-81756382ECCA}.exe
      C:\Windows\{529E647B-CC28-4495-A3F4-81756382ECCA}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe
        
        C:\Windows\{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3120
      - C:\Windows\{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe
        
        C:\Windows\{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3704
        
        C:\Windows\{FD6B2330-37DC-4618-9336-C33C932CD130}.exe
        
        C:\Windows\{FD6B2330-37DC-4618-9336-C33C932CD130}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe
        
        C:\Windows\{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2980
        
        C:\Windows\{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe
        
        C:\Windows\{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4856
        
        C:\Windows\{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe
        
        C:\Windows\{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{94915012-0F8E-4488-89AD-68A85B03695E}.exe
        
        C:\Windows\{94915012-0F8E-4488-89AD-68A85B03695E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe
        
        C:\Windows\{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\{F2A9CEAF-7F6D-4dc0-8F0F-270E590819AC}.exe
        
        C:\Windows\{F2A9CEAF-7F6D-4dc0-8F0F-270E590819AC}.exe
        13⤵
        Executes dropped EXE
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4BD7~1.EXE > nul
        13⤵
        
        PID:4156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94915~1.EXE > nul
        12⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0DC28~1.EXE > nul
        11⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACE0B~1.EXE > nul
        10⤵
        
        PID:3400
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6502D~1.EXE > nul
        9⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD6B2~1.EXE > nul
        8⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF75A~1.EXE > nul
        7⤵
        
        PID:2140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F2C2~1.EXE > nul
        6⤵
        
        PID:3208
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{529E6~1.EXE > nul
        5⤵
        
        PID:4268
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DDED0~1.EXE > nul
    3⤵
    PID:4168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35FDA8~1.EXE > nul
  2⤵
  PID:4304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe

Filesize
216KB

MD5
01456285de8198dcc922a4e802264cc9

SHA1
df2d5b0e2b893813854a8e498483f5520ef8323f

SHA256
af81d7ff0f6906e8e8a806c6c8b53eebcf032bd72344bb6c3b6f354a03884373

SHA512
9d6caf3b0bf0210e7b618939dd79c58d9b191d494e79a7ac3c25175805911a8905fd71dfac2efc6801529c199146675b1b4ba73fcea9ce79c6c9f7fa67ec4c3d

Download Submit
C:\Windows\{0DC28DA5-145E-4dc8-848F-0E43F78E0882}.exe

Filesize
216KB

MD5
01456285de8198dcc922a4e802264cc9

SHA1
df2d5b0e2b893813854a8e498483f5520ef8323f

SHA256
af81d7ff0f6906e8e8a806c6c8b53eebcf032bd72344bb6c3b6f354a03884373

SHA512
9d6caf3b0bf0210e7b618939dd79c58d9b191d494e79a7ac3c25175805911a8905fd71dfac2efc6801529c199146675b1b4ba73fcea9ce79c6c9f7fa67ec4c3d

Download Submit
C:\Windows\{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe

Filesize
216KB

MD5
dfd832426550ea5a8eed4a3948cf6b94

SHA1
b051b566c19718484ea047b252812b30b24433e2

SHA256
3e0a7cdbc291dd23c2f8fc246e0e2ed88942267988d4aa5f5e9ce73eddefb574

SHA512
218a28580b48a85fa1881a93e27f74d702559e961256da8eb6a919e5b203733d77b7584496645ea56e08f04e52e0cd4175ed58b52e6971efe0d80b25d3ec37ed

Download Submit
C:\Windows\{4F2C2441-310C-46a4-813D-422AF10A0D95}.exe

Filesize
216KB

MD5
dfd832426550ea5a8eed4a3948cf6b94

SHA1
b051b566c19718484ea047b252812b30b24433e2

SHA256
3e0a7cdbc291dd23c2f8fc246e0e2ed88942267988d4aa5f5e9ce73eddefb574

SHA512
218a28580b48a85fa1881a93e27f74d702559e961256da8eb6a919e5b203733d77b7584496645ea56e08f04e52e0cd4175ed58b52e6971efe0d80b25d3ec37ed

Download Submit
C:\Windows\{529E647B-CC28-4495-A3F4-81756382ECCA}.exe

Filesize
216KB

MD5
179fe0a4aa9d3ee17b9c8a2e1f969917

SHA1
a57a189a37fcbc64819169ef258e1babc94e8079

SHA256
3a182ba460eeb2051889b042b0bbad356cf6bed0299d74e396d142bd36bc9b2a

SHA512
33fa89b5bf0f47050f1b234af126e029a4402b9bf96fa0e8489523e108ece6b9a1f0e628d0f305e1f9b8ad48f7d9e290f254ed135d3dee88287ca4332582d3b8

Download Submit
C:\Windows\{529E647B-CC28-4495-A3F4-81756382ECCA}.exe

Filesize
216KB

MD5
179fe0a4aa9d3ee17b9c8a2e1f969917

SHA1
a57a189a37fcbc64819169ef258e1babc94e8079

SHA256
3a182ba460eeb2051889b042b0bbad356cf6bed0299d74e396d142bd36bc9b2a

SHA512
33fa89b5bf0f47050f1b234af126e029a4402b9bf96fa0e8489523e108ece6b9a1f0e628d0f305e1f9b8ad48f7d9e290f254ed135d3dee88287ca4332582d3b8

Download Submit
C:\Windows\{529E647B-CC28-4495-A3F4-81756382ECCA}.exe

Filesize
216KB

MD5
179fe0a4aa9d3ee17b9c8a2e1f969917

SHA1
a57a189a37fcbc64819169ef258e1babc94e8079

SHA256
3a182ba460eeb2051889b042b0bbad356cf6bed0299d74e396d142bd36bc9b2a

SHA512
33fa89b5bf0f47050f1b234af126e029a4402b9bf96fa0e8489523e108ece6b9a1f0e628d0f305e1f9b8ad48f7d9e290f254ed135d3dee88287ca4332582d3b8

Download Submit
C:\Windows\{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe

Filesize
216KB

MD5
8ae3a8eecbd133a9f2db6289cd393e59

SHA1
0c75d702bbb7b9e68bef0bde37ca4f311be25f76

SHA256
12b5235bda6443560a2ad826264a8f0ed3ac7e06c5c860072fd9f13401fb3068

SHA512
b9cbea14dc55a1d5ef4466881952253c0f78dcb1f31e712b8ab9cc3b0bf5ce715409730807e3abe19d5f37adb6c1109c45d6dba67f01c5afe46697337548e340

Download Submit
C:\Windows\{6502DF23-D661-46ba-A460-5F53CC3EEC86}.exe

Filesize
216KB

MD5
8ae3a8eecbd133a9f2db6289cd393e59

SHA1
0c75d702bbb7b9e68bef0bde37ca4f311be25f76

SHA256
12b5235bda6443560a2ad826264a8f0ed3ac7e06c5c860072fd9f13401fb3068

SHA512
b9cbea14dc55a1d5ef4466881952253c0f78dcb1f31e712b8ab9cc3b0bf5ce715409730807e3abe19d5f37adb6c1109c45d6dba67f01c5afe46697337548e340

Download Submit
C:\Windows\{94915012-0F8E-4488-89AD-68A85B03695E}.exe

Filesize
216KB

MD5
602ed747fbc9a0c72c72e21dc1cdbf5b

SHA1
21963b211766c20566b9a70184566de4c34c2f06

SHA256
232b3c350dc47af476f9253de551e9a874f38032548be6d38adddacd6798701b

SHA512
ad3d86241440e566536f7881faa65c9ac820f42b98f4b6f6a9fee7afc6648b6a9b237cb446137a032a4dd32a3cf252e5bb882dfa758e82144c9e05f305cd7f41

Download Submit
C:\Windows\{94915012-0F8E-4488-89AD-68A85B03695E}.exe

Filesize
216KB

MD5
602ed747fbc9a0c72c72e21dc1cdbf5b

SHA1
21963b211766c20566b9a70184566de4c34c2f06

SHA256
232b3c350dc47af476f9253de551e9a874f38032548be6d38adddacd6798701b

SHA512
ad3d86241440e566536f7881faa65c9ac820f42b98f4b6f6a9fee7afc6648b6a9b237cb446137a032a4dd32a3cf252e5bb882dfa758e82144c9e05f305cd7f41

Download Submit
C:\Windows\{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe

Filesize
216KB

MD5
c9afe679dcc6be41f7f6ae4d1a3f48b4

SHA1
6f79d295dfab8e1b2ca43e2aebcba34fef6fffa6

SHA256
c01652b05e92fd295ecaf375df978f2c59c62a22b2f0f0a94da58c45a4b0456b

SHA512
86688ec7522af600db8bedf4ec546c88ee6594180638c62ff2c2e00d3aeee660d6493e7d75622ff4dac23b6538deb830e0b3e828f8b056a2e0d4752ed3954dc1

Download Submit
C:\Windows\{ACE0BFD4-41AA-4c58-A155-4D15D6FCFBF8}.exe

Filesize
216KB

MD5
c9afe679dcc6be41f7f6ae4d1a3f48b4

SHA1
6f79d295dfab8e1b2ca43e2aebcba34fef6fffa6

SHA256
c01652b05e92fd295ecaf375df978f2c59c62a22b2f0f0a94da58c45a4b0456b

SHA512
86688ec7522af600db8bedf4ec546c88ee6594180638c62ff2c2e00d3aeee660d6493e7d75622ff4dac23b6538deb830e0b3e828f8b056a2e0d4752ed3954dc1

Download Submit
C:\Windows\{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe

Filesize
216KB

MD5
97052600d2f1c73b31910ef1c5f013fc

SHA1
0ecfbd955826ef443d999217a373ed0dde410894

SHA256
9b4f958b4b3a5e2ae709c0cb747e09e2fb260edb818fa7ccc1ab470b1e6705f1

SHA512
7f5f7e431d2d8b16323d9a7d0fa15b09a604ddbb798163b40d92c31bbc948e0a6a01525bad2c6205e0ab6167301273262625fd61491f62a22ae733131d899d66

Download Submit
C:\Windows\{B4BD7616-C831-47bf-B7D3-5A020235481D}.exe

Filesize
216KB

MD5
97052600d2f1c73b31910ef1c5f013fc

SHA1
0ecfbd955826ef443d999217a373ed0dde410894

SHA256
9b4f958b4b3a5e2ae709c0cb747e09e2fb260edb818fa7ccc1ab470b1e6705f1

SHA512
7f5f7e431d2d8b16323d9a7d0fa15b09a604ddbb798163b40d92c31bbc948e0a6a01525bad2c6205e0ab6167301273262625fd61491f62a22ae733131d899d66

Download Submit
C:\Windows\{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe

Filesize
216KB

MD5
1b4ee583bbd9c2710a94fc37bd57b675

SHA1
37af1f4fe6302d77430a617aa422facf1d622416

SHA256
438187f9e677ab6351d9c5f7dcbc7179a25dd8898c68278d8cf1cec409ab5076

SHA512
d5e972696b1d9b5451a049d0ceca9d65f223a90ff070da30a51aa734e01c4e6c1e36f5eb500e4035b71eb10dda02ce6eb02a998243c0e99e3651783fee726f4b

Download Submit
C:\Windows\{CB1EDF91-F388-4c9e-984E-8F1CA36242BC}.exe

Filesize
216KB

MD5
1b4ee583bbd9c2710a94fc37bd57b675

SHA1
37af1f4fe6302d77430a617aa422facf1d622416

SHA256
438187f9e677ab6351d9c5f7dcbc7179a25dd8898c68278d8cf1cec409ab5076

SHA512
d5e972696b1d9b5451a049d0ceca9d65f223a90ff070da30a51aa734e01c4e6c1e36f5eb500e4035b71eb10dda02ce6eb02a998243c0e99e3651783fee726f4b

Download Submit
C:\Windows\{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe

Filesize
216KB

MD5
1999205288feca47556870011e04d74f

SHA1
4d970adc846f4d156b37cc99e351f875a3a350a7

SHA256
3cbb4ea47f77625bdcafd2970faf52a5c3b96a9b4d732648cceb2f0644165016

SHA512
426c6c076804b6eff8cd398913b05f28160603a748c4316ee99258bdb4a958e0a72c20b2ecc9361503cda3a3a1af6be8c4a94f7b5485cf231ecf9ffb460d6d53

Download Submit
C:\Windows\{CF75A41C-31B9-4a87-B94D-D3468FC1DCCB}.exe

Filesize
216KB

MD5
1999205288feca47556870011e04d74f

SHA1
4d970adc846f4d156b37cc99e351f875a3a350a7

SHA256
3cbb4ea47f77625bdcafd2970faf52a5c3b96a9b4d732648cceb2f0644165016

SHA512
426c6c076804b6eff8cd398913b05f28160603a748c4316ee99258bdb4a958e0a72c20b2ecc9361503cda3a3a1af6be8c4a94f7b5485cf231ecf9ffb460d6d53

Download Submit
C:\Windows\{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe

Filesize
216KB

MD5
6b11d544fad80ae7b78cf3e3d5157366

SHA1
441c9d038255c4c86d6c858de7d9467e7812d98a

SHA256
6e3c848a8a873fc31e939c49feaf5a678ba1844e2dc153da9232e37b5e7004bf

SHA512
4c38dd91bca89da7fb8e3ca494d7da82e59dd7011cb28a337f61981ce1d8e886e558a11c95eef33e5fbce913bc631ff7404e76856998dcbb40f7a1c6f4d59c28

Download Submit
C:\Windows\{DDED034E-F912-424f-9952-1B3D87AA1CD4}.exe

Filesize
216KB

MD5
6b11d544fad80ae7b78cf3e3d5157366

SHA1
441c9d038255c4c86d6c858de7d9467e7812d98a

SHA256
6e3c848a8a873fc31e939c49feaf5a678ba1844e2dc153da9232e37b5e7004bf

SHA512
4c38dd91bca89da7fb8e3ca494d7da82e59dd7011cb28a337f61981ce1d8e886e558a11c95eef33e5fbce913bc631ff7404e76856998dcbb40f7a1c6f4d59c28

Download Submit
C:\Windows\{F2A9CEAF-7F6D-4dc0-8F0F-270E590819AC}.exe

Filesize
216KB

MD5
4d582fa2a6447f1c51ab23173cdb3e89

SHA1
e0e3d17e0948bfe6cad50bd73c3f06e87084da34

SHA256
3b3ed1ad3fb7a8b95aa3b41140c031215b19ede3c749ef812c21fc946c778990

SHA512
4013e1319b5141ceee644027fa45cfdb73709b3a6be3ab79b5d28be6fb21b80a85109e6c59b964fbd7140fee8a4b96f58d7e6dc7cea7b1a95f2456e9f653c37d

Download Submit
C:\Windows\{F2A9CEAF-7F6D-4dc0-8F0F-270E590819AC}.exe

Filesize
216KB

MD5
4d582fa2a6447f1c51ab23173cdb3e89

SHA1
e0e3d17e0948bfe6cad50bd73c3f06e87084da34

SHA256
3b3ed1ad3fb7a8b95aa3b41140c031215b19ede3c749ef812c21fc946c778990

SHA512
4013e1319b5141ceee644027fa45cfdb73709b3a6be3ab79b5d28be6fb21b80a85109e6c59b964fbd7140fee8a4b96f58d7e6dc7cea7b1a95f2456e9f653c37d

Download Submit
C:\Windows\{FD6B2330-37DC-4618-9336-C33C932CD130}.exe

Filesize
216KB

MD5
a66152bd4f401033b9e26a29295885bf

SHA1
139d8bd2f70815849dea3bc7ae6dd5a8dd195ab4

SHA256
f4e1a35122e7093191d643c49d508d20b9f70d091d9765d8c55840b18b81fad1

SHA512
045ba32eb32709ab22d57d9444e9244678b29b419bd0f15b662a5c0bcec09d5629f1ba07a68466895624717e7147857896e0fc89643a71b02e70324bb8200ed3

Download Submit
C:\Windows\{FD6B2330-37DC-4618-9336-C33C932CD130}.exe

Filesize
216KB

MD5
a66152bd4f401033b9e26a29295885bf

SHA1
139d8bd2f70815849dea3bc7ae6dd5a8dd195ab4

SHA256
f4e1a35122e7093191d643c49d508d20b9f70d091d9765d8c55840b18b81fad1

SHA512
045ba32eb32709ab22d57d9444e9244678b29b419bd0f15b662a5c0bcec09d5629f1ba07a68466895624717e7147857896e0fc89643a71b02e70324bb8200ed3

Download Submit