29b87e136b6a415315c131af68fe6e0b5d657dbf4b91066f03b7f6730da6a082

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4312efde401009exeexeexeex.exe
Size

204KB
MD5

4312efde4010092f1cd878388f2d145f
SHA1

84a9824315dd90c79c46dc3d5a3b8170be5e4886
SHA256

29b87e136b6a415315c131af68fe6e0b5d657dbf4b91066f03b7f6730da6a082
SHA512

8d2eeb562769fd42b4667768f30674d2baa0d75c31158c5d17c51d696e0c5731b18248b45103026b2c56b3681e3d3c851c79d9bf3d72c1aa0e325b3c13cb3436
SSDEEP

1536:1EGh0oYl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oYl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}	4312efde401009exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}\stubpath = "C:\\Windows\\{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe"	4312efde401009exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C46E66-C6A8-4746-A6C1-4D36731D4733}	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}\stubpath = "C:\\Windows\\{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe"	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}\stubpath = "C:\\Windows\\{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe"	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F2C36E4-26D7-4cd3-90A4-20E3E5E6C2C4}\stubpath = "C:\\Windows\\{5F2C36E4-26D7-4cd3-90A4-20E3E5E6C2C4}.exe"	{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}\stubpath = "C:\\Windows\\{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe"	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{15C46E66-C6A8-4746-A6C1-4D36731D4733}\stubpath = "C:\\Windows\\{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe"	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C665D15-9C82-44db-AA92-BB2F41BF33A7}\stubpath = "C:\\Windows\\{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe"	{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F2C36E4-26D7-4cd3-90A4-20E3E5E6C2C4}	{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}\stubpath = "C:\\Windows\\{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe"	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E897B8-86D0-4886-BFC0-E372C286A4B6}	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}\stubpath = "C:\\Windows\\{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe"	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C665D15-9C82-44db-AA92-BB2F41BF33A7}	{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58594D68-95AC-442e-9CD9-738B4CB67FB3}	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58594D68-95AC-442e-9CD9-738B4CB67FB3}\stubpath = "C:\\Windows\\{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe"	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7E897B8-86D0-4886-BFC0-E372C286A4B6}\stubpath = "C:\\Windows\\{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe"	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}\stubpath = "C:\\Windows\\{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe"	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe

Executes dropped EXE 12 IoCs

pid	Process
1452	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe
1148	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe
2876	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe
2724	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe
2104	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe
4348	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe
2676	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe
4960	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe
3028	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe
3116	{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe
492	{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe
644	{5F2C36E4-26D7-4cd3-90A4-20E3E5E6C2C4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe	{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe
File created	C:\Windows\{5F2C36E4-26D7-4cd3-90A4-20E3E5E6C2C4}.exe	{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe
File created	C:\Windows\{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe	4312efde401009exeexeexeex.exe
File created	C:\Windows\{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe
File created	C:\Windows\{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe
File created	C:\Windows\{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe
File created	C:\Windows\{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe
File created	C:\Windows\{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe
File created	C:\Windows\{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe
File created	C:\Windows\{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe
File created	C:\Windows\{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe
File created	C:\Windows\{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2300	4312efde401009exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1452	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe
Token: SeIncBasePriorityPrivilege	1148	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe
Token: SeIncBasePriorityPrivilege	2876	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe
Token: SeIncBasePriorityPrivilege	2724	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe
Token: SeIncBasePriorityPrivilege	2104	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe
Token: SeIncBasePriorityPrivilege	4348	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe
Token: SeIncBasePriorityPrivilege	2676	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe
Token: SeIncBasePriorityPrivilege	4960	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe
Token: SeIncBasePriorityPrivilege	3028	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe
Token: SeIncBasePriorityPrivilege	3116	{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe
Token: SeIncBasePriorityPrivilege	492	{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 1452	2300	4312efde401009exeexeexeex.exe	89
PID 2300 wrote to memory of 1452	2300	4312efde401009exeexeexeex.exe	89
PID 2300 wrote to memory of 1452	2300	4312efde401009exeexeexeex.exe	89
PID 2300 wrote to memory of 4780	2300	4312efde401009exeexeexeex.exe	90
PID 2300 wrote to memory of 4780	2300	4312efde401009exeexeexeex.exe	90
PID 2300 wrote to memory of 4780	2300	4312efde401009exeexeexeex.exe	90
PID 1452 wrote to memory of 1148	1452	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe	91
PID 1452 wrote to memory of 1148	1452	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe	91
PID 1452 wrote to memory of 1148	1452	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe	91
PID 1452 wrote to memory of 4800	1452	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe	92
PID 1452 wrote to memory of 4800	1452	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe	92
PID 1452 wrote to memory of 4800	1452	{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe	92
PID 1148 wrote to memory of 2876	1148	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe	97
PID 1148 wrote to memory of 2876	1148	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe	97
PID 1148 wrote to memory of 2876	1148	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe	97
PID 1148 wrote to memory of 3324	1148	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe	96
PID 1148 wrote to memory of 3324	1148	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe	96
PID 1148 wrote to memory of 3324	1148	{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe	96
PID 2876 wrote to memory of 2724	2876	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe	98
PID 2876 wrote to memory of 2724	2876	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe	98
PID 2876 wrote to memory of 2724	2876	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe	98
PID 2876 wrote to memory of 3972	2876	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe	99
PID 2876 wrote to memory of 3972	2876	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe	99
PID 2876 wrote to memory of 3972	2876	{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe	99
PID 2724 wrote to memory of 2104	2724	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe	100
PID 2724 wrote to memory of 2104	2724	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe	100
PID 2724 wrote to memory of 2104	2724	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe	100
PID 2724 wrote to memory of 4228	2724	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe	101
PID 2724 wrote to memory of 4228	2724	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe	101
PID 2724 wrote to memory of 4228	2724	{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe	101
PID 2104 wrote to memory of 4348	2104	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe	102
PID 2104 wrote to memory of 4348	2104	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe	102
PID 2104 wrote to memory of 4348	2104	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe	102
PID 2104 wrote to memory of 1136	2104	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe	103
PID 2104 wrote to memory of 1136	2104	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe	103
PID 2104 wrote to memory of 1136	2104	{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe	103
PID 4348 wrote to memory of 2676	4348	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe	104
PID 4348 wrote to memory of 2676	4348	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe	104
PID 4348 wrote to memory of 2676	4348	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe	104
PID 4348 wrote to memory of 2172	4348	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe	105
PID 4348 wrote to memory of 2172	4348	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe	105
PID 4348 wrote to memory of 2172	4348	{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe	105
PID 2676 wrote to memory of 4960	2676	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe	106
PID 2676 wrote to memory of 4960	2676	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe	106
PID 2676 wrote to memory of 4960	2676	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe	106
PID 2676 wrote to memory of 4320	2676	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe	107
PID 2676 wrote to memory of 4320	2676	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe	107
PID 2676 wrote to memory of 4320	2676	{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe	107
PID 4960 wrote to memory of 3028	4960	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe	108
PID 4960 wrote to memory of 3028	4960	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe	108
PID 4960 wrote to memory of 3028	4960	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe	108
PID 4960 wrote to memory of 4704	4960	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe	109
PID 4960 wrote to memory of 4704	4960	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe	109
PID 4960 wrote to memory of 4704	4960	{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe	109
PID 3028 wrote to memory of 3116	3028	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe	110
PID 3028 wrote to memory of 3116	3028	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe	110
PID 3028 wrote to memory of 3116	3028	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe	110
PID 3028 wrote to memory of 828	3028	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe	111
PID 3028 wrote to memory of 828	3028	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe	111
PID 3028 wrote to memory of 828	3028	{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe	111
PID 3116 wrote to memory of 492	3116	{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe	112
PID 3116 wrote to memory of 492	3116	{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe	112
PID 3116 wrote to memory of 492	3116	{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe	112
PID 3116 wrote to memory of 2684	3116	{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe	113

C:\Users\Admin\AppData\Local\Temp\4312efde401009exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\4312efde401009exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe
  C:\Windows\{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1452
- - C:\Windows\{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe
    C:\Windows\{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{78A4D~1.EXE > nul
      4⤵
      PID:3324
  - - C:\Windows\{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe
      C:\Windows\{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe
        
        C:\Windows\{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe
        
        C:\Windows\{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\Windows\{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe
        
        C:\Windows\{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe
        
        C:\Windows\{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
        
        C:\Windows\{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe
        
        C:\Windows\{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe
        
        C:\Windows\{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Windows\{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe
        
        C:\Windows\{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3116
        
        C:\Windows\{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe
        
        C:\Windows\{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
        
        C:\Windows\{5F2C36E4-26D7-4cd3-90A4-20E3E5E6C2C4}.exe
        
        C:\Windows\{5F2C36E4-26D7-4cd3-90A4-20E3E5E6C2C4}.exe
        13⤵
        Executes dropped EXE
        
        PID:644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C665~1.EXE > nul
        13⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93AB8~1.EXE > nul
        12⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F7C9~1.EXE > nul
        11⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32723~1.EXE > nul
        10⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E4C5~1.EXE > nul
        9⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7E89~1.EXE > nul
        8⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15C46~1.EXE > nul
        7⤵
        
        PID:1136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58594~1.EXE > nul
        6⤵
        
        PID:4228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40804~1.EXE > nul
        5⤵
        
        PID:3972
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BF6B7~1.EXE > nul
    3⤵
    PID:4800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4312EF~1.EXE > nul
  2⤵
  PID:4780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe

Filesize
204KB

MD5
267919e7f88c58913b1d15fe210a69d9

SHA1
57fc4595437fcde8c029f0c77acab7d90d3e7257

SHA256
d15cba058a96e27103e74ef7d4360588f4583561c44716173fd517ab7f0dfd61

SHA512
b0c3334db6299c7342dac4f257cd741650321acd3a70f187623a046f5da391ed01c1c54757c4209d47fd6e082973e3dfb469f96913fe529a68e341fbee2f0551

Download Submit
C:\Windows\{15C46E66-C6A8-4746-A6C1-4D36731D4733}.exe

Filesize
204KB

MD5
267919e7f88c58913b1d15fe210a69d9

SHA1
57fc4595437fcde8c029f0c77acab7d90d3e7257

SHA256
d15cba058a96e27103e74ef7d4360588f4583561c44716173fd517ab7f0dfd61

SHA512
b0c3334db6299c7342dac4f257cd741650321acd3a70f187623a046f5da391ed01c1c54757c4209d47fd6e082973e3dfb469f96913fe529a68e341fbee2f0551

Download Submit
C:\Windows\{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe

Filesize
204KB

MD5
d8ec7f2e429f264c9e3384db31503823

SHA1
ffd1353528afd0a32903ca3d620b6b7a3509ee14

SHA256
c8b8441a28286b25d3abcf123e3a7f47ff4196637b861765b087dd155e530211

SHA512
a15b4f4d16332c62d4a1f2902bf70e037cc8a4e7c94e5db2818e7b1c18622144ea75af5aae4d88e10a974a4e14ae9b47bcba88eb0db7cac4bb28c5aeaf8b45be

Download Submit
C:\Windows\{1F7C911A-2558-42fd-8AD3-13BA5DCB18B4}.exe

Filesize
204KB

MD5
d8ec7f2e429f264c9e3384db31503823

SHA1
ffd1353528afd0a32903ca3d620b6b7a3509ee14

SHA256
c8b8441a28286b25d3abcf123e3a7f47ff4196637b861765b087dd155e530211

SHA512
a15b4f4d16332c62d4a1f2902bf70e037cc8a4e7c94e5db2818e7b1c18622144ea75af5aae4d88e10a974a4e14ae9b47bcba88eb0db7cac4bb28c5aeaf8b45be

Download Submit
C:\Windows\{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe

Filesize
204KB

MD5
ad086edd7c6ee16161660ca4ad1a4980

SHA1
c47fa0b0c6e24ef81437518b7c8cd5514eee6a16

SHA256
490cf9a1fcb3b392e6eac06f7de3c68c31694a63d37cf9d4b5832cfc4c82df10

SHA512
727cea45a55e2e458c9802b4bf3761c42d97647cd72a1da90987bfde535aaca1fac36f6b9461b7a6f306ad9f93f299ffa81349c24478f9aa3351f113fed3e15c

Download Submit
C:\Windows\{2C665D15-9C82-44db-AA92-BB2F41BF33A7}.exe

Filesize
204KB

MD5
ad086edd7c6ee16161660ca4ad1a4980

SHA1
c47fa0b0c6e24ef81437518b7c8cd5514eee6a16

SHA256
490cf9a1fcb3b392e6eac06f7de3c68c31694a63d37cf9d4b5832cfc4c82df10

SHA512
727cea45a55e2e458c9802b4bf3761c42d97647cd72a1da90987bfde535aaca1fac36f6b9461b7a6f306ad9f93f299ffa81349c24478f9aa3351f113fed3e15c

Download Submit
C:\Windows\{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe

Filesize
204KB

MD5
de098ae79f4e552acad8ad556140b171

SHA1
6eace81806bf2d335a77a5c78ad6cbe253c4039c

SHA256
09251e0e51829355c9b3c9e7e0e608760b166105c94c364bf8db326a966fa0f6

SHA512
e447806817b2216a3b4eb24d3f5d5a9ede48a8153dabba2df6904c5b4ada67ea6579707d87005e0c1e14a46883f4d64ee086dd0d02c2aa851cc5078c775481e8

Download Submit
C:\Windows\{32723EBB-E08D-4c6a-AEB0-EB29E43DB003}.exe

Filesize
204KB

MD5
de098ae79f4e552acad8ad556140b171

SHA1
6eace81806bf2d335a77a5c78ad6cbe253c4039c

SHA256
09251e0e51829355c9b3c9e7e0e608760b166105c94c364bf8db326a966fa0f6

SHA512
e447806817b2216a3b4eb24d3f5d5a9ede48a8153dabba2df6904c5b4ada67ea6579707d87005e0c1e14a46883f4d64ee086dd0d02c2aa851cc5078c775481e8

Download Submit
C:\Windows\{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe

Filesize
204KB

MD5
00faf8f5a9d9be8e27fd7b58326e62e4

SHA1
8bf4416b19385324ed4fd368702ad0f884487cec

SHA256
48f3252b7fa3d5187b9a57c38d999f795438c0d58a8979291484e8d2758983a6

SHA512
22ac1a9a75ce0fb13e93af389870a1fa6e00bb836de3171974da4bf0ceb775095ffb1169ac0cd7d5ed4657fb55b69ab338cc0a5a4c554f713d499af80b6056d1

Download Submit
C:\Windows\{3E4C58E8-F4BF-48a3-BCB4-8354DA1FBFF7}.exe

Filesize
204KB

MD5
00faf8f5a9d9be8e27fd7b58326e62e4

SHA1
8bf4416b19385324ed4fd368702ad0f884487cec

SHA256
48f3252b7fa3d5187b9a57c38d999f795438c0d58a8979291484e8d2758983a6

SHA512
22ac1a9a75ce0fb13e93af389870a1fa6e00bb836de3171974da4bf0ceb775095ffb1169ac0cd7d5ed4657fb55b69ab338cc0a5a4c554f713d499af80b6056d1

Download Submit
C:\Windows\{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe

Filesize
204KB

MD5
e8f2be905af4babb7d3c8e28d80cd9e7

SHA1
fdefb72da24de92f7b974e3746d977f171f2845d

SHA256
482475a34a95d3d0d2d72c6708ca6902d5490aae0b537d0722309c52a0c555df

SHA512
89e03dbfd61064837cc3a4dfdac23b514ad73f8e13f374d63ba9c8687dfe0d5c2c1a0be109a298566466a80e503f4624068e411dfa6b13ecb52cad4ec6f2f0cb

Download Submit
C:\Windows\{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe

Filesize
204KB

MD5
e8f2be905af4babb7d3c8e28d80cd9e7

SHA1
fdefb72da24de92f7b974e3746d977f171f2845d

SHA256
482475a34a95d3d0d2d72c6708ca6902d5490aae0b537d0722309c52a0c555df

SHA512
89e03dbfd61064837cc3a4dfdac23b514ad73f8e13f374d63ba9c8687dfe0d5c2c1a0be109a298566466a80e503f4624068e411dfa6b13ecb52cad4ec6f2f0cb

Download Submit
C:\Windows\{408041E4-A3CC-44f6-9CF3-C15CAD4F2961}.exe

Filesize
204KB

MD5
e8f2be905af4babb7d3c8e28d80cd9e7

SHA1
fdefb72da24de92f7b974e3746d977f171f2845d

SHA256
482475a34a95d3d0d2d72c6708ca6902d5490aae0b537d0722309c52a0c555df

SHA512
89e03dbfd61064837cc3a4dfdac23b514ad73f8e13f374d63ba9c8687dfe0d5c2c1a0be109a298566466a80e503f4624068e411dfa6b13ecb52cad4ec6f2f0cb

Download Submit
C:\Windows\{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe

Filesize
204KB

MD5
d3975f5c0165bda710d7547ba6bdc31f

SHA1
0456f6f468ba44f4af9ebfbcc894eca6a6cf1637

SHA256
e6b970882c4dc25d4c22cea552a5b64f6df73f8e149fc8e6ff519fec8465378a

SHA512
b902abb36c5c81dd70ab826258446d3f710be03391f110ddffb0d325257da06620fa21a3ed5ea127f5c6e35d1097b5b1cc9042a119d2a6e9ccade1e27dd51fb2

Download Submit
C:\Windows\{58594D68-95AC-442e-9CD9-738B4CB67FB3}.exe

Filesize
204KB

MD5
d3975f5c0165bda710d7547ba6bdc31f

SHA1
0456f6f468ba44f4af9ebfbcc894eca6a6cf1637

SHA256
e6b970882c4dc25d4c22cea552a5b64f6df73f8e149fc8e6ff519fec8465378a

SHA512
b902abb36c5c81dd70ab826258446d3f710be03391f110ddffb0d325257da06620fa21a3ed5ea127f5c6e35d1097b5b1cc9042a119d2a6e9ccade1e27dd51fb2

Download Submit
C:\Windows\{5F2C36E4-26D7-4cd3-90A4-20E3E5E6C2C4}.exe

Filesize
204KB

MD5
1caa1d13260afa02253269fd1c82ee78

SHA1
525c1c4ce0993cb1c14f3819a3bd214cfc3115df

SHA256
56d5437a77f9521e1edf0888abf6a24ddf6c6522f623a93c6c22f6908b285c19

SHA512
8d0fc510036248d4440d7ee043682e84f2d75c3d448e105315a819b370ba032fd1844b5558a6760a4cf28e9f1c32ce6c1a3f4db7304356705120e15e5c430698

Download Submit
C:\Windows\{5F2C36E4-26D7-4cd3-90A4-20E3E5E6C2C4}.exe

Filesize
204KB

MD5
1caa1d13260afa02253269fd1c82ee78

SHA1
525c1c4ce0993cb1c14f3819a3bd214cfc3115df

SHA256
56d5437a77f9521e1edf0888abf6a24ddf6c6522f623a93c6c22f6908b285c19

SHA512
8d0fc510036248d4440d7ee043682e84f2d75c3d448e105315a819b370ba032fd1844b5558a6760a4cf28e9f1c32ce6c1a3f4db7304356705120e15e5c430698

Download Submit
C:\Windows\{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe

Filesize
204KB

MD5
43763be8085b3e0310d1f80ac00c5fa0

SHA1
b7a5cd26f9bb322f0504b9b42fd45d30a23d9b34

SHA256
6d00ae7179d571608df7ed0b274460d6f46b21cefa910ad46da92cc1eac7a845

SHA512
bde8bcbed721a59170129adbb52eab5528ebef94808fd74950b6eaf28d8310ea78d60f51ff59fc95bad550ad34663d5fdc833eeed561a61ebae4ed8c2c66b8eb

Download Submit
C:\Windows\{78A4D7D6-E3C7-4af1-8AF7-E5883BFFC16B}.exe

Filesize
204KB

MD5
43763be8085b3e0310d1f80ac00c5fa0

SHA1
b7a5cd26f9bb322f0504b9b42fd45d30a23d9b34

SHA256
6d00ae7179d571608df7ed0b274460d6f46b21cefa910ad46da92cc1eac7a845

SHA512
bde8bcbed721a59170129adbb52eab5528ebef94808fd74950b6eaf28d8310ea78d60f51ff59fc95bad550ad34663d5fdc833eeed561a61ebae4ed8c2c66b8eb

Download Submit
C:\Windows\{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe

Filesize
204KB

MD5
8b3cd7ecfaf32a4cbdb9a86566a7a84e

SHA1
43c0c99729cc93c563113774a435147567e89fe2

SHA256
4ac10acecbf17ae6cda47a02f27dceee9a3172f0c84f53d4b70d2486dd0a7f49

SHA512
ea2afa49b30ed57089d329cb8634e9ea656d85b8f901a79ecb8f7fed45f4d4c8fd09a060578c0d52ca6364d7d93bd3a6d7a7c50bcf5c9ed6ae2ec169c5603a87

Download Submit
C:\Windows\{93AB8D5A-A2FB-4093-AB8A-766D1BD3F891}.exe

Filesize
204KB

MD5
8b3cd7ecfaf32a4cbdb9a86566a7a84e

SHA1
43c0c99729cc93c563113774a435147567e89fe2

SHA256
4ac10acecbf17ae6cda47a02f27dceee9a3172f0c84f53d4b70d2486dd0a7f49

SHA512
ea2afa49b30ed57089d329cb8634e9ea656d85b8f901a79ecb8f7fed45f4d4c8fd09a060578c0d52ca6364d7d93bd3a6d7a7c50bcf5c9ed6ae2ec169c5603a87

Download Submit
C:\Windows\{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe

Filesize
204KB

MD5
5a04a30b557509c0f520a010a7ea2ceb

SHA1
7283100c292a21864d384c0a2e6d189f8ef493b4

SHA256
f00d1de706992517ef22bcb5b75a46c03755a7007e1c295e4aa5c2c6dfa949d0

SHA512
38b2c1eedf3194001cab1c8e839d4a4b757e422298504bffa4c49ad08a0964b978f42b4006df082b23dc10fa3a111f68198a35006c318214e3e5c6cc2ace631d

Download Submit
C:\Windows\{BF6B76DB-E9C4-4a55-ADC3-19039287D0A6}.exe

Filesize
204KB

MD5
5a04a30b557509c0f520a010a7ea2ceb

SHA1
7283100c292a21864d384c0a2e6d189f8ef493b4

SHA256
f00d1de706992517ef22bcb5b75a46c03755a7007e1c295e4aa5c2c6dfa949d0

SHA512
38b2c1eedf3194001cab1c8e839d4a4b757e422298504bffa4c49ad08a0964b978f42b4006df082b23dc10fa3a111f68198a35006c318214e3e5c6cc2ace631d

Download Submit
C:\Windows\{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe

Filesize
204KB

MD5
d700bbf2129a4abe6a87588040756154

SHA1
21cf286f3fbba7b85cb26dab6cc3ca4f0ee261ac

SHA256
c685f2099b32a86757863978909fb6933ad6fd3069c7f92e54713381083c15e3

SHA512
44e2e9595d9f10f2acebab60cbfa4f777747e730d4ca495b0dd2f65dac89c3cf42c5aeed8032a145554243e51a215f82614d3d5a3c0c673a4324092ecbb4b8dd

Download Submit
C:\Windows\{E7E897B8-86D0-4886-BFC0-E372C286A4B6}.exe

Filesize
204KB

MD5
d700bbf2129a4abe6a87588040756154

SHA1
21cf286f3fbba7b85cb26dab6cc3ca4f0ee261ac

SHA256
c685f2099b32a86757863978909fb6933ad6fd3069c7f92e54713381083c15e3

SHA512
44e2e9595d9f10f2acebab60cbfa4f777747e730d4ca495b0dd2f65dac89c3cf42c5aeed8032a145554243e51a215f82614d3d5a3c0c673a4324092ecbb4b8dd

Download Submit