809b3cf2f93eda1c971915c87a0af59fb1847f376717421990a3bd9e63fd55ef

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ffa02557e2a5aexeexeexeex.exe
Size

204KB
MD5

3ffa02557e2a5ab929cadf394c66def9
SHA1

ca54a3eb0855456c67ea80cbb8c4509a8db08442
SHA256

809b3cf2f93eda1c971915c87a0af59fb1847f376717421990a3bd9e63fd55ef
SHA512

02a8a715285028a7beecd7911aa9bd557bba7deb596648ba3f58d0b88bac896bf50e20338ec38cf6a138d217d23b1a2e5e1bfc711e4873c7c54e164f75f78b03
SSDEEP

1536:1EGh0o8l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o8l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}\stubpath = "C:\\Windows\\{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe"	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}\stubpath = "C:\\Windows\\{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe"	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95153378-2FD5-443f-B51C-5CEA9811884C}\stubpath = "C:\\Windows\\{95153378-2FD5-443f-B51C-5CEA9811884C}.exe"	{6AE2DFB5-6860-4718-8403-01689937B131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC41BA5B-E20A-404a-B10F-E53A19E3F615}	3ffa02557e2a5aexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}\stubpath = "C:\\Windows\\{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe"	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEC2717D-C522-4a98-9536-7BC4C567BB7F}	{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}\stubpath = "C:\\Windows\\{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe"	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AE2DFB5-6860-4718-8403-01689937B131}	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC41BA5B-E20A-404a-B10F-E53A19E3F615}\stubpath = "C:\\Windows\\{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe"	3ffa02557e2a5aexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}\stubpath = "C:\\Windows\\{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe"	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AE2DFB5-6860-4718-8403-01689937B131}\stubpath = "C:\\Windows\\{6AE2DFB5-6860-4718-8403-01689937B131}.exe"	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{95153378-2FD5-443f-B51C-5CEA9811884C}	{6AE2DFB5-6860-4718-8403-01689937B131}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62F09A07-8D08-4495-9585-91DCBFBC2483}	{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62F09A07-8D08-4495-9585-91DCBFBC2483}\stubpath = "C:\\Windows\\{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe"	{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEC2717D-C522-4a98-9536-7BC4C567BB7F}\stubpath = "C:\\Windows\\{FEC2717D-C522-4a98-9536-7BC4C567BB7F}.exe"	{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}\stubpath = "C:\\Windows\\{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe"	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}\stubpath = "C:\\Windows\\{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe"	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe

Executes dropped EXE 12 IoCs

pid	Process
1256	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe
60	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe
2644	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe
4680	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe
2784	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe
920	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe
4216	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe
2368	{6AE2DFB5-6860-4718-8403-01689937B131}.exe
2160	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe
2192	{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe
408	{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe
4112	{FEC2717D-C522-4a98-9536-7BC4C567BB7F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe
File created	C:\Windows\{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe
File created	C:\Windows\{95153378-2FD5-443f-B51C-5CEA9811884C}.exe	{6AE2DFB5-6860-4718-8403-01689937B131}.exe
File created	C:\Windows\{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe
File created	C:\Windows\{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe	{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe
File created	C:\Windows\{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe	3ffa02557e2a5aexeexeexeex.exe
File created	C:\Windows\{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe
File created	C:\Windows\{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe
File created	C:\Windows\{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe
File created	C:\Windows\{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe
File created	C:\Windows\{6AE2DFB5-6860-4718-8403-01689937B131}.exe	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe
File created	C:\Windows\{FEC2717D-C522-4a98-9536-7BC4C567BB7F}.exe	{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5084	3ffa02557e2a5aexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1256	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe
Token: SeIncBasePriorityPrivilege	60	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe
Token: SeIncBasePriorityPrivilege	2644	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe
Token: SeIncBasePriorityPrivilege	4680	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe
Token: SeIncBasePriorityPrivilege	2784	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe
Token: SeIncBasePriorityPrivilege	920	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe
Token: SeIncBasePriorityPrivilege	4216	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe
Token: SeIncBasePriorityPrivilege	2368	{6AE2DFB5-6860-4718-8403-01689937B131}.exe
Token: SeIncBasePriorityPrivilege	2160	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe
Token: SeIncBasePriorityPrivilege	2192	{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe
Token: SeIncBasePriorityPrivilege	408	{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 1256	5084	3ffa02557e2a5aexeexeexeex.exe	87
PID 5084 wrote to memory of 1256	5084	3ffa02557e2a5aexeexeexeex.exe	87
PID 5084 wrote to memory of 1256	5084	3ffa02557e2a5aexeexeexeex.exe	87
PID 5084 wrote to memory of 3688	5084	3ffa02557e2a5aexeexeexeex.exe	88
PID 5084 wrote to memory of 3688	5084	3ffa02557e2a5aexeexeexeex.exe	88
PID 5084 wrote to memory of 3688	5084	3ffa02557e2a5aexeexeexeex.exe	88
PID 1256 wrote to memory of 60	1256	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe	89
PID 1256 wrote to memory of 60	1256	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe	89
PID 1256 wrote to memory of 60	1256	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe	89
PID 1256 wrote to memory of 4808	1256	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe	90
PID 1256 wrote to memory of 4808	1256	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe	90
PID 1256 wrote to memory of 4808	1256	{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe	90
PID 60 wrote to memory of 2644	60	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe	94
PID 60 wrote to memory of 2644	60	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe	94
PID 60 wrote to memory of 2644	60	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe	94
PID 60 wrote to memory of 1804	60	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe	95
PID 60 wrote to memory of 1804	60	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe	95
PID 60 wrote to memory of 1804	60	{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe	95
PID 2644 wrote to memory of 4680	2644	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe	96
PID 2644 wrote to memory of 4680	2644	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe	96
PID 2644 wrote to memory of 4680	2644	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe	96
PID 2644 wrote to memory of 4952	2644	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe	97
PID 2644 wrote to memory of 4952	2644	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe	97
PID 2644 wrote to memory of 4952	2644	{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe	97
PID 4680 wrote to memory of 2784	4680	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe	98
PID 4680 wrote to memory of 2784	4680	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe	98
PID 4680 wrote to memory of 2784	4680	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe	98
PID 4680 wrote to memory of 4928	4680	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe	99
PID 4680 wrote to memory of 4928	4680	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe	99
PID 4680 wrote to memory of 4928	4680	{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe	99
PID 2784 wrote to memory of 920	2784	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe	100
PID 2784 wrote to memory of 920	2784	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe	100
PID 2784 wrote to memory of 920	2784	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe	100
PID 2784 wrote to memory of 3148	2784	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe	101
PID 2784 wrote to memory of 3148	2784	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe	101
PID 2784 wrote to memory of 3148	2784	{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe	101
PID 920 wrote to memory of 4216	920	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe	102
PID 920 wrote to memory of 4216	920	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe	102
PID 920 wrote to memory of 4216	920	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe	102
PID 920 wrote to memory of 4588	920	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe	103
PID 920 wrote to memory of 4588	920	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe	103
PID 920 wrote to memory of 4588	920	{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe	103
PID 4216 wrote to memory of 2368	4216	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe	104
PID 4216 wrote to memory of 2368	4216	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe	104
PID 4216 wrote to memory of 2368	4216	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe	104
PID 4216 wrote to memory of 2572	4216	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe	105
PID 4216 wrote to memory of 2572	4216	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe	105
PID 4216 wrote to memory of 2572	4216	{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe	105
PID 2368 wrote to memory of 2160	2368	{6AE2DFB5-6860-4718-8403-01689937B131}.exe	107
PID 2368 wrote to memory of 2160	2368	{6AE2DFB5-6860-4718-8403-01689937B131}.exe	107
PID 2368 wrote to memory of 2160	2368	{6AE2DFB5-6860-4718-8403-01689937B131}.exe	107
PID 2368 wrote to memory of 4320	2368	{6AE2DFB5-6860-4718-8403-01689937B131}.exe	106
PID 2368 wrote to memory of 4320	2368	{6AE2DFB5-6860-4718-8403-01689937B131}.exe	106
PID 2368 wrote to memory of 4320	2368	{6AE2DFB5-6860-4718-8403-01689937B131}.exe	106
PID 2160 wrote to memory of 2192	2160	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe	108
PID 2160 wrote to memory of 2192	2160	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe	108
PID 2160 wrote to memory of 2192	2160	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe	108
PID 2160 wrote to memory of 5032	2160	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe	109
PID 2160 wrote to memory of 5032	2160	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe	109
PID 2160 wrote to memory of 5032	2160	{95153378-2FD5-443f-B51C-5CEA9811884C}.exe	109
PID 2192 wrote to memory of 408	2192	{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe	110
PID 2192 wrote to memory of 408	2192	{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe	110
PID 2192 wrote to memory of 408	2192	{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe	110
PID 2192 wrote to memory of 332	2192	{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe	111

C:\Users\Admin\AppData\Local\Temp\3ffa02557e2a5aexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\3ffa02557e2a5aexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Windows\{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe
  C:\Windows\{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1256
- - C:\Windows\{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe
    C:\Windows\{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Windows\{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe
      C:\Windows\{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe
        
        C:\Windows\{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4680
      - C:\Windows\{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe
        
        C:\Windows\{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe
        
        C:\Windows\{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe
        
        C:\Windows\{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{6AE2DFB5-6860-4718-8403-01689937B131}.exe
        
        C:\Windows\{6AE2DFB5-6860-4718-8403-01689937B131}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AE2D~1.EXE > nul
        10⤵
        
        PID:4320
        
        C:\Windows\{95153378-2FD5-443f-B51C-5CEA9811884C}.exe
        
        C:\Windows\{95153378-2FD5-443f-B51C-5CEA9811884C}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe
        
        C:\Windows\{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe
        
        C:\Windows\{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\{FEC2717D-C522-4a98-9536-7BC4C567BB7F}.exe
        
        C:\Windows\{FEC2717D-C522-4a98-9536-7BC4C567BB7F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62F09~1.EXE > nul
        13⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDFEA~1.EXE > nul
        12⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95153~1.EXE > nul
        11⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A1EA2~1.EXE > nul
        9⤵
        
        PID:2572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEE6B~1.EXE > nul
        8⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{984AB~1.EXE > nul
        7⤵
        
        PID:3148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29E76~1.EXE > nul
        6⤵
        
        PID:4928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4997E~1.EXE > nul
        5⤵
        
        PID:4952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{53DA3~1.EXE > nul
      4⤵
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CC41B~1.EXE > nul
    3⤵
    PID:4808
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3FFA02~1.EXE > nul
  2⤵
  PID:3688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe

Filesize
204KB

MD5
707f5454b6ef8eed19eb44dc93908d89

SHA1
e3c296bc7a045fe0c333442fb9f06be7be41fa05

SHA256
e0a62c2c3a3c6542e1cc8e9870a12a6a93b1f2bdabadcd5d5e80382665ba90f0

SHA512
01d38f7d879418dd71b17fc4f9e0cf6a7564e2d1fcc82c090a7db42707468ee952763776514887c5c93254eda74a12afc1674d7ba948665c38da97681682f7ff

Download Submit
C:\Windows\{29E76C30-F97A-4c0b-B2EC-A6E6BFB7F9EE}.exe

Filesize
204KB

MD5
707f5454b6ef8eed19eb44dc93908d89

SHA1
e3c296bc7a045fe0c333442fb9f06be7be41fa05

SHA256
e0a62c2c3a3c6542e1cc8e9870a12a6a93b1f2bdabadcd5d5e80382665ba90f0

SHA512
01d38f7d879418dd71b17fc4f9e0cf6a7564e2d1fcc82c090a7db42707468ee952763776514887c5c93254eda74a12afc1674d7ba948665c38da97681682f7ff

Download Submit
C:\Windows\{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe

Filesize
204KB

MD5
aff5bc37dfc0d90a0e00e8d71cbda9e2

SHA1
9444758a7dab6078b326e20bbc9494a6625481db

SHA256
ef95b8af34a4b210a0a850237da22f95f2b98a6453c2dd522db7e0753ffc80b3

SHA512
354cbe8f5714d02895d2466c22bf40209ae4286b356acaf83bb39782e6da85632f6b369433b506035939b792205ff4dd4f90469e318eda4f5432e8b992561209

Download Submit
C:\Windows\{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe

Filesize
204KB

MD5
aff5bc37dfc0d90a0e00e8d71cbda9e2

SHA1
9444758a7dab6078b326e20bbc9494a6625481db

SHA256
ef95b8af34a4b210a0a850237da22f95f2b98a6453c2dd522db7e0753ffc80b3

SHA512
354cbe8f5714d02895d2466c22bf40209ae4286b356acaf83bb39782e6da85632f6b369433b506035939b792205ff4dd4f90469e318eda4f5432e8b992561209

Download Submit
C:\Windows\{4997E6D6-232A-4fa1-AEA8-57D8D9A17471}.exe

Filesize
204KB

MD5
aff5bc37dfc0d90a0e00e8d71cbda9e2

SHA1
9444758a7dab6078b326e20bbc9494a6625481db

SHA256
ef95b8af34a4b210a0a850237da22f95f2b98a6453c2dd522db7e0753ffc80b3

SHA512
354cbe8f5714d02895d2466c22bf40209ae4286b356acaf83bb39782e6da85632f6b369433b506035939b792205ff4dd4f90469e318eda4f5432e8b992561209

Download Submit
C:\Windows\{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe

Filesize
204KB

MD5
5aaa1b29d4c0f605e4d7e75da612f451

SHA1
73a5a3009766336aaf8210951a698583fc78f927

SHA256
f59189fad96329278bad18d52b13d4ff3784abd0d7abf932248bd39fb8ec11b6

SHA512
b662631685b3e4f58becaa5d1f257dbb97695060136a657a4a9793f9d5d67255c55a9c98dada927ca6e64093db048079916fa49f43504582c41995cc5f7d0192

Download Submit
C:\Windows\{53DA3594-72C3-410b-BDE6-0CB1C71B0B89}.exe

Filesize
204KB

MD5
5aaa1b29d4c0f605e4d7e75da612f451

SHA1
73a5a3009766336aaf8210951a698583fc78f927

SHA256
f59189fad96329278bad18d52b13d4ff3784abd0d7abf932248bd39fb8ec11b6

SHA512
b662631685b3e4f58becaa5d1f257dbb97695060136a657a4a9793f9d5d67255c55a9c98dada927ca6e64093db048079916fa49f43504582c41995cc5f7d0192

Download Submit
C:\Windows\{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe

Filesize
204KB

MD5
38618446e5c05ca8c22e090800e4a976

SHA1
50f0ff5e744eedda49abfb4b0e08103babdbc37b

SHA256
aae7eea38a2c4d0e60065a8a1788c9ccc637675f06926e6e2112aaa2ca1b69dc

SHA512
686e4d4669c239a98b46a316b09407c400851b3a89a87dab95bbef2883770a17a8107c6b8c6e5124f5b789c1cc671b37871ef6c6b9dc2370e5ff282bbe303cdb

Download Submit
C:\Windows\{62F09A07-8D08-4495-9585-91DCBFBC2483}.exe

Filesize
204KB

MD5
38618446e5c05ca8c22e090800e4a976

SHA1
50f0ff5e744eedda49abfb4b0e08103babdbc37b

SHA256
aae7eea38a2c4d0e60065a8a1788c9ccc637675f06926e6e2112aaa2ca1b69dc

SHA512
686e4d4669c239a98b46a316b09407c400851b3a89a87dab95bbef2883770a17a8107c6b8c6e5124f5b789c1cc671b37871ef6c6b9dc2370e5ff282bbe303cdb

Download Submit
C:\Windows\{6AE2DFB5-6860-4718-8403-01689937B131}.exe

Filesize
204KB

MD5
b2e965acf86f8fb4baeddbbec5a92429

SHA1
d1add63391f0e7a34599d91ef69d9ed5ac80738e

SHA256
9bed77d4053324e60220b465f76cdc43509e1bb3e7669cef4712d92c817100ca

SHA512
6d4f780601ffd9bca7d27efb799cbe158815d36b26eb38a63cb734e57b2f0b94c066fe008d82376e811d670b888fd7e57e9ba364cb1c747d046e9a7b44be6602

Download Submit
C:\Windows\{6AE2DFB5-6860-4718-8403-01689937B131}.exe

Filesize
204KB

MD5
b2e965acf86f8fb4baeddbbec5a92429

SHA1
d1add63391f0e7a34599d91ef69d9ed5ac80738e

SHA256
9bed77d4053324e60220b465f76cdc43509e1bb3e7669cef4712d92c817100ca

SHA512
6d4f780601ffd9bca7d27efb799cbe158815d36b26eb38a63cb734e57b2f0b94c066fe008d82376e811d670b888fd7e57e9ba364cb1c747d046e9a7b44be6602

Download Submit
C:\Windows\{95153378-2FD5-443f-B51C-5CEA9811884C}.exe

Filesize
204KB

MD5
ce39298abb9f8a7199fc319c8179e9be

SHA1
cdc3b239b5d2deebc7814862872e3a6e501efc27

SHA256
7c87987083140cbd7bf14625d79080c03616b96f58a584fa709626191c3f8b29

SHA512
eb57302e1eedbd0ba4250574189fb0ec1b1e0dd47bf8efc68c441d830a7c1cb0f0f1821e59f977638132a73aa13d81a3629b29042f79b1cbf445be2e0762ea6f

Download Submit
C:\Windows\{95153378-2FD5-443f-B51C-5CEA9811884C}.exe

Filesize
204KB

MD5
ce39298abb9f8a7199fc319c8179e9be

SHA1
cdc3b239b5d2deebc7814862872e3a6e501efc27

SHA256
7c87987083140cbd7bf14625d79080c03616b96f58a584fa709626191c3f8b29

SHA512
eb57302e1eedbd0ba4250574189fb0ec1b1e0dd47bf8efc68c441d830a7c1cb0f0f1821e59f977638132a73aa13d81a3629b29042f79b1cbf445be2e0762ea6f

Download Submit
C:\Windows\{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe

Filesize
204KB

MD5
b00353ef4814399298b1357ce7ac26ad

SHA1
ba9b533446611e5e0e9686c4e6fe2fbea70e55e0

SHA256
cc71ce2642a735ff1c838e903198d584fdd6ce20b96b3738076d58d49e6bbd92

SHA512
bd9acb022ccd611928510b4802eefa02e6864bd8705d935d29b8be86389cfe8c4c092cb5c40a6a87eb48c35035947c12182720cad3fe18a3fd301edc47e27d58

Download Submit
C:\Windows\{984ABEE4-5D26-45c9-9C3C-FAD5075E54FE}.exe

Filesize
204KB

MD5
b00353ef4814399298b1357ce7ac26ad

SHA1
ba9b533446611e5e0e9686c4e6fe2fbea70e55e0

SHA256
cc71ce2642a735ff1c838e903198d584fdd6ce20b96b3738076d58d49e6bbd92

SHA512
bd9acb022ccd611928510b4802eefa02e6864bd8705d935d29b8be86389cfe8c4c092cb5c40a6a87eb48c35035947c12182720cad3fe18a3fd301edc47e27d58

Download Submit
C:\Windows\{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe

Filesize
204KB

MD5
ce6678cc96b514dcbd66b7c073f27cc3

SHA1
b25868a82f3c681d103269a6d120aefcc03a9893

SHA256
fec0fcc09ad6b21b1033b8cc6d19e3a7f0f3c1e68343994ba161fbd0f13cbb47

SHA512
04b0cefa3d12576a9992bc41d27ed7a49248e8d309e478fdf5a1df4fb8cdd2fd518129048ab2f7f1698af5954b2d4ad5baedd1d7cd987092efe6f77550b81d6a

Download Submit
C:\Windows\{A1EA284E-1818-4d7b-9B60-7B832DD7D0BD}.exe

Filesize
204KB

MD5
ce6678cc96b514dcbd66b7c073f27cc3

SHA1
b25868a82f3c681d103269a6d120aefcc03a9893

SHA256
fec0fcc09ad6b21b1033b8cc6d19e3a7f0f3c1e68343994ba161fbd0f13cbb47

SHA512
04b0cefa3d12576a9992bc41d27ed7a49248e8d309e478fdf5a1df4fb8cdd2fd518129048ab2f7f1698af5954b2d4ad5baedd1d7cd987092efe6f77550b81d6a

Download Submit
C:\Windows\{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe

Filesize
204KB

MD5
6f741e67cbebccecac639ccfbf5757a3

SHA1
96d1a9b3bd08eb69fe5592cb60e708353d4f2017

SHA256
5a66221285132192732f2b9ea39bf70967b3339157cd005a7efa83cb4049c886

SHA512
ec6f4a53045f14cafc0d92c5d61a0e446d9adacb5ed13b76e74438663ab7e3805492ebc0dffb22fa22869f1835a44052854584dcd55f76fd705db57f7f56ad89

Download Submit
C:\Windows\{AEE6BC73-D22F-4755-9F23-D3017D72C0B6}.exe

Filesize
204KB

MD5
6f741e67cbebccecac639ccfbf5757a3

SHA1
96d1a9b3bd08eb69fe5592cb60e708353d4f2017

SHA256
5a66221285132192732f2b9ea39bf70967b3339157cd005a7efa83cb4049c886

SHA512
ec6f4a53045f14cafc0d92c5d61a0e446d9adacb5ed13b76e74438663ab7e3805492ebc0dffb22fa22869f1835a44052854584dcd55f76fd705db57f7f56ad89

Download Submit
C:\Windows\{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe

Filesize
204KB

MD5
6699c73d90a7732e3e2feeed8403f5b7

SHA1
e7a4db79d6d73725a3d044d34d987a02f2d56596

SHA256
e2d9ddca4df7e90f9971eae43e5085ef8d28db3f2ff99fde2ffa6c38803357f6

SHA512
c53c6222940924b3b1a6990e254ab50f982a5d50933bacecce98db1fd380000fb95c8f0b0377c1d36395b4ec60416d2d8a46e5f2051356b8708e509dec97d0b0

Download Submit
C:\Windows\{CC41BA5B-E20A-404a-B10F-E53A19E3F615}.exe

Filesize
204KB

MD5
6699c73d90a7732e3e2feeed8403f5b7

SHA1
e7a4db79d6d73725a3d044d34d987a02f2d56596

SHA256
e2d9ddca4df7e90f9971eae43e5085ef8d28db3f2ff99fde2ffa6c38803357f6

SHA512
c53c6222940924b3b1a6990e254ab50f982a5d50933bacecce98db1fd380000fb95c8f0b0377c1d36395b4ec60416d2d8a46e5f2051356b8708e509dec97d0b0

Download Submit
C:\Windows\{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe

Filesize
204KB

MD5
257aa7a2f199f7a8673c93aae8e916e7

SHA1
5d508d29452080239f338ba5abfac67ec0891c37

SHA256
278b36a43e9754b96a02d6468ba955d33c807894c6d0ca9c022efeaf32679586

SHA512
71d39b70afe10921aeda95806754e01481a02e885e28ad7f715c137ff283dbabb2494205b132797f94bcfe8ca9406d98fd899c5612a104dbea1f890a5da101a9

Download Submit
C:\Windows\{DDFEABDD-2C51-49b9-AB59-0948BE38F7E0}.exe

Filesize
204KB

MD5
257aa7a2f199f7a8673c93aae8e916e7

SHA1
5d508d29452080239f338ba5abfac67ec0891c37

SHA256
278b36a43e9754b96a02d6468ba955d33c807894c6d0ca9c022efeaf32679586

SHA512
71d39b70afe10921aeda95806754e01481a02e885e28ad7f715c137ff283dbabb2494205b132797f94bcfe8ca9406d98fd899c5612a104dbea1f890a5da101a9

Download Submit
C:\Windows\{FEC2717D-C522-4a98-9536-7BC4C567BB7F}.exe

Filesize
204KB

MD5
278828a7dd2c47c80b51c4791f7ef4e2

SHA1
89e984d5fd0d8f7bd3ca99e774692194c9a39123

SHA256
1ec9cad803faf13571e4f68ca3c86e9926ff32dbebf25ff47388cfdd7d087547

SHA512
09cbfafca5b13531e3de3ee53239b63fb4e352c5c31d3e06abe3beb123d5b93bf875e2f7a5b17906a83798539282fd3cf9356f034a83929eb729fc059eac089e

Download Submit
C:\Windows\{FEC2717D-C522-4a98-9536-7BC4C567BB7F}.exe

Filesize
204KB

MD5
278828a7dd2c47c80b51c4791f7ef4e2

SHA1
89e984d5fd0d8f7bd3ca99e774692194c9a39123

SHA256
1ec9cad803faf13571e4f68ca3c86e9926ff32dbebf25ff47388cfdd7d087547

SHA512
09cbfafca5b13531e3de3ee53239b63fb4e352c5c31d3e06abe3beb123d5b93bf875e2f7a5b17906a83798539282fd3cf9356f034a83929eb729fc059eac089e

Download Submit