b16fbc4e21f58f65ffd6d3d2ca4ecc2be6b3a6c732e64e73fa2d8f706000e764

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 20:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5864b7995de03cexeexeexeex.exe
Size

372KB
MD5

5864b7995de03c7dc0928291eaf56a14
SHA1

bf07c09ad060edd3a215738eee03003040e25865
SHA256

b16fbc4e21f58f65ffd6d3d2ca4ecc2be6b3a6c732e64e73fa2d8f706000e764
SHA512

0e563db012ff20e3a92fa5f35d298029afa808d54174ca3a69b521885ae92e74783f98c9e2ea64e7a39834a10c8b07820d5a9b6cb08a09903f166b4b51a6d7ca
SSDEEP

3072:CEGh0oomlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGnl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}	{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EEAA8EC-AE54-4c9c-98E7-0C7D844EDEEC}	{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EEAA8EC-AE54-4c9c-98E7-0C7D844EDEEC}\stubpath = "C:\\Windows\\{8EEAA8EC-AE54-4c9c-98E7-0C7D844EDEEC}.exe"	{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3A57B97-7206-4030-BBEA-4E719C43CE06}	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9761E80-BD8E-4724-B7B7-2A81D35E4948}\stubpath = "C:\\Windows\\{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe"	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0E26308-FA49-41c7-904F-5BFC8654DE8B}	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}\stubpath = "C:\\Windows\\{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe"	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}\stubpath = "C:\\Windows\\{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe"	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}\stubpath = "C:\\Windows\\{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe"	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3A57B97-7206-4030-BBEA-4E719C43CE06}\stubpath = "C:\\Windows\\{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe"	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}\stubpath = "C:\\Windows\\{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe"	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}\stubpath = "C:\\Windows\\{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe"	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7B4157C-C181-41c3-8483-8E6F29F38320}\stubpath = "C:\\Windows\\{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe"	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}\stubpath = "C:\\Windows\\{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe"	{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}	5864b7995de03cexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}\stubpath = "C:\\Windows\\{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe"	5864b7995de03cexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7B4157C-C181-41c3-8483-8E6F29F38320}	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9761E80-BD8E-4724-B7B7-2A81D35E4948}	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0E26308-FA49-41c7-904F-5BFC8654DE8B}\stubpath = "C:\\Windows\\{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe"	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe

Executes dropped EXE 12 IoCs

pid	Process
3104	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe
4760	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe
4404	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe
688	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe
2272	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe
3364	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe
1524	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe
3760	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe
4104	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe
2144	{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe
2340	{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe
4016	{8EEAA8EC-AE54-4c9c-98E7-0C7D844EDEEC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe
File created	C:\Windows\{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe
File created	C:\Windows\{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe
File created	C:\Windows\{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe
File created	C:\Windows\{8EEAA8EC-AE54-4c9c-98E7-0C7D844EDEEC}.exe	{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe
File created	C:\Windows\{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe
File created	C:\Windows\{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe
File created	C:\Windows\{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe
File created	C:\Windows\{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe
File created	C:\Windows\{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe	{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe
File created	C:\Windows\{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe	5864b7995de03cexeexeexeex.exe
File created	C:\Windows\{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1232	5864b7995de03cexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3104	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe
Token: SeIncBasePriorityPrivilege	4760	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe
Token: SeIncBasePriorityPrivilege	4404	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe
Token: SeIncBasePriorityPrivilege	688	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe
Token: SeIncBasePriorityPrivilege	2272	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe
Token: SeIncBasePriorityPrivilege	3364	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe
Token: SeIncBasePriorityPrivilege	1524	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe
Token: SeIncBasePriorityPrivilege	3760	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe
Token: SeIncBasePriorityPrivilege	4104	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe
Token: SeIncBasePriorityPrivilege	2144	{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe
Token: SeIncBasePriorityPrivilege	2340	{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 3104	1232	5864b7995de03cexeexeexeex.exe	84
PID 1232 wrote to memory of 3104	1232	5864b7995de03cexeexeexeex.exe	84
PID 1232 wrote to memory of 3104	1232	5864b7995de03cexeexeexeex.exe	84
PID 1232 wrote to memory of 928	1232	5864b7995de03cexeexeexeex.exe	85
PID 1232 wrote to memory of 928	1232	5864b7995de03cexeexeexeex.exe	85
PID 1232 wrote to memory of 928	1232	5864b7995de03cexeexeexeex.exe	85
PID 3104 wrote to memory of 4760	3104	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe	86
PID 3104 wrote to memory of 4760	3104	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe	86
PID 3104 wrote to memory of 4760	3104	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe	86
PID 3104 wrote to memory of 3556	3104	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe	87
PID 3104 wrote to memory of 3556	3104	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe	87
PID 3104 wrote to memory of 3556	3104	{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe	87
PID 4760 wrote to memory of 4404	4760	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe	91
PID 4760 wrote to memory of 4404	4760	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe	91
PID 4760 wrote to memory of 4404	4760	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe	91
PID 4760 wrote to memory of 1936	4760	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe	92
PID 4760 wrote to memory of 1936	4760	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe	92
PID 4760 wrote to memory of 1936	4760	{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe	92
PID 4404 wrote to memory of 688	4404	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe	93
PID 4404 wrote to memory of 688	4404	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe	93
PID 4404 wrote to memory of 688	4404	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe	93
PID 4404 wrote to memory of 3008	4404	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe	94
PID 4404 wrote to memory of 3008	4404	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe	94
PID 4404 wrote to memory of 3008	4404	{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe	94
PID 688 wrote to memory of 2272	688	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe	95
PID 688 wrote to memory of 2272	688	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe	95
PID 688 wrote to memory of 2272	688	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe	95
PID 688 wrote to memory of 1772	688	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe	96
PID 688 wrote to memory of 1772	688	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe	96
PID 688 wrote to memory of 1772	688	{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe	96
PID 2272 wrote to memory of 3364	2272	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe	97
PID 2272 wrote to memory of 3364	2272	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe	97
PID 2272 wrote to memory of 3364	2272	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe	97
PID 2272 wrote to memory of 4272	2272	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe	98
PID 2272 wrote to memory of 4272	2272	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe	98
PID 2272 wrote to memory of 4272	2272	{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe	98
PID 3364 wrote to memory of 1524	3364	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe	99
PID 3364 wrote to memory of 1524	3364	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe	99
PID 3364 wrote to memory of 1524	3364	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe	99
PID 3364 wrote to memory of 2548	3364	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe	100
PID 3364 wrote to memory of 2548	3364	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe	100
PID 3364 wrote to memory of 2548	3364	{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe	100
PID 1524 wrote to memory of 3760	1524	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe	101
PID 1524 wrote to memory of 3760	1524	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe	101
PID 1524 wrote to memory of 3760	1524	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe	101
PID 1524 wrote to memory of 4464	1524	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe	102
PID 1524 wrote to memory of 4464	1524	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe	102
PID 1524 wrote to memory of 4464	1524	{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe	102
PID 3760 wrote to memory of 4104	3760	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe	103
PID 3760 wrote to memory of 4104	3760	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe	103
PID 3760 wrote to memory of 4104	3760	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe	103
PID 3760 wrote to memory of 3120	3760	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe	104
PID 3760 wrote to memory of 3120	3760	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe	104
PID 3760 wrote to memory of 3120	3760	{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe	104
PID 4104 wrote to memory of 2144	4104	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe	105
PID 4104 wrote to memory of 2144	4104	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe	105
PID 4104 wrote to memory of 2144	4104	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe	105
PID 4104 wrote to memory of 2228	4104	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe	106
PID 4104 wrote to memory of 2228	4104	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe	106
PID 4104 wrote to memory of 2228	4104	{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe	106
PID 2144 wrote to memory of 2340	2144	{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe	107
PID 2144 wrote to memory of 2340	2144	{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe	107
PID 2144 wrote to memory of 2340	2144	{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe	107
PID 2144 wrote to memory of 2476	2144	{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe	108

C:\Users\Admin\AppData\Local\Temp\5864b7995de03cexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\5864b7995de03cexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe
  C:\Windows\{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe
    C:\Windows\{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe
      C:\Windows\{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4404
    - - C:\Windows\{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe
        
        C:\Windows\{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
      - C:\Windows\{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe
        
        C:\Windows\{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe
        
        C:\Windows\{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe
        
        C:\Windows\{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1524
        
        C:\Windows\{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe
        
        C:\Windows\{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3760
        
        C:\Windows\{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe
        
        C:\Windows\{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Windows\{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe
        
        C:\Windows\{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe
        
        C:\Windows\{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\{8EEAA8EC-AE54-4c9c-98E7-0C7D844EDEEC}.exe
        
        C:\Windows\{8EEAA8EC-AE54-4c9c-98E7-0C7D844EDEEC}.exe
        13⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02DED~1.EXE > nul
        13⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0E26~1.EXE > nul
        12⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9761~1.EXE > nul
        11⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F32C~1.EXE > nul
        10⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3A57~1.EXE > nul
        9⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88F82~1.EXE > nul
        8⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FA70~1.EXE > nul
        7⤵
        
        PID:4272
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7B41~1.EXE > nul
        6⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1F5D~1.EXE > nul
        5⤵
        
        PID:3008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E6A01~1.EXE > nul
      4⤵
      PID:1936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5CEB5~1.EXE > nul
    3⤵
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5864B7~1.EXE > nul
  2⤵
  PID:928

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe

Filesize
372KB

MD5
4c97f3f125510cf16132eec1ceb4a8f2

SHA1
91a0f04d65a108f8cacee495fd53f8cd678711ff

SHA256
d6e9a9e95b9d20b78f5d5698da3dbb8af90a114bf01b2b95a396042209bf90ee

SHA512
39c11c641823b1b6ad60ab6ca135a754332b801a217255841b6c11847c4844374dfbf1cab79f169fb95243420cc121041e2635ab7dbab7f06ac63855498d73e1

Download Submit
C:\Windows\{02DEDE70-41D8-4883-9A1B-75FAF37FCBAA}.exe

Filesize
372KB

MD5
4c97f3f125510cf16132eec1ceb4a8f2

SHA1
91a0f04d65a108f8cacee495fd53f8cd678711ff

SHA256
d6e9a9e95b9d20b78f5d5698da3dbb8af90a114bf01b2b95a396042209bf90ee

SHA512
39c11c641823b1b6ad60ab6ca135a754332b801a217255841b6c11847c4844374dfbf1cab79f169fb95243420cc121041e2635ab7dbab7f06ac63855498d73e1

Download Submit
C:\Windows\{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe

Filesize
372KB

MD5
0769b095f26f1849b07614407b65701a

SHA1
37405786e62de10c063e7245ef7cec9e5dc7f4e4

SHA256
7a7b4894a7e38afece3e7d1d0964706c8f3a79eed539240f30822fff0a441ac8

SHA512
d58198c7f92209cc884384a267694070f8b0f9a2cf27f955238974dbda889d44113ad30d61c1945adc58e97baf394cd591111b318904b46bd86f3ac7d38d9461

Download Submit
C:\Windows\{3FA70035-25F5-40d2-9D23-B51EB91FA4A3}.exe

Filesize
372KB

MD5
0769b095f26f1849b07614407b65701a

SHA1
37405786e62de10c063e7245ef7cec9e5dc7f4e4

SHA256
7a7b4894a7e38afece3e7d1d0964706c8f3a79eed539240f30822fff0a441ac8

SHA512
d58198c7f92209cc884384a267694070f8b0f9a2cf27f955238974dbda889d44113ad30d61c1945adc58e97baf394cd591111b318904b46bd86f3ac7d38d9461

Download Submit
C:\Windows\{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe

Filesize
372KB

MD5
9cb2354dd70acb0209edfaae1a2ee2c0

SHA1
5aec775b12cef489c18220a17c868ad8d76252ae

SHA256
0759c001612483a55cd3e466d05cf23bb9d831bd5e7f84cbcf0747928334563b

SHA512
22a789e0d374da13c3bf4357ac0cdf3dbd7237771482b820bf250ca36ba031003e6b31cd5476ab6c800894a91ae4d1df1fd2ac4e037a3ff63196e7cdce39010b

Download Submit
C:\Windows\{4F32CA5B-33B5-4e23-93E9-6E791BDBC584}.exe

Filesize
372KB

MD5
9cb2354dd70acb0209edfaae1a2ee2c0

SHA1
5aec775b12cef489c18220a17c868ad8d76252ae

SHA256
0759c001612483a55cd3e466d05cf23bb9d831bd5e7f84cbcf0747928334563b

SHA512
22a789e0d374da13c3bf4357ac0cdf3dbd7237771482b820bf250ca36ba031003e6b31cd5476ab6c800894a91ae4d1df1fd2ac4e037a3ff63196e7cdce39010b

Download Submit
C:\Windows\{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe

Filesize
372KB

MD5
2634003d580e27ac1ef9d7bfb14cb4a7

SHA1
72b6fd17b819bafdec6e5cc6d1f95a23a4405281

SHA256
b5513273f89f7104070e17228748aab2e64b156d0ed522b4a332d493e1a10dc2

SHA512
ba04f180ca58e7a75c003d86205ff513c20e5a06a9026ceb86f7ba53f8925a6b1a806a5073e0427c14e152fad5a0ae28259f6dd15ada179f731463ce7a4dc82f

Download Submit
C:\Windows\{5CEB5E33-AF8F-416f-A375-C41CB2B9103D}.exe

Filesize
372KB

MD5
2634003d580e27ac1ef9d7bfb14cb4a7

SHA1
72b6fd17b819bafdec6e5cc6d1f95a23a4405281

SHA256
b5513273f89f7104070e17228748aab2e64b156d0ed522b4a332d493e1a10dc2

SHA512
ba04f180ca58e7a75c003d86205ff513c20e5a06a9026ceb86f7ba53f8925a6b1a806a5073e0427c14e152fad5a0ae28259f6dd15ada179f731463ce7a4dc82f

Download Submit
C:\Windows\{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe

Filesize
372KB

MD5
6491540832092dea62c7f601e6a2ea14

SHA1
297d9820e8c61d056783a42537a28004c97016e0

SHA256
c89e213e2e271327c376e9005f30ceadc245123a42e8d01b6c69471b7fdb1891

SHA512
5eec5a8e3e03e4ee7c89ea79cca768c38cfb1bfdf3e50df4e3897f20bc09c73a26037e090eed68bc92c1f058225f87ebd4de511d7f64cad35aabb5a6ae1a4a93

Download Submit
C:\Windows\{88F8220C-0DC8-4e28-BEE1-1550E10D0C34}.exe

Filesize
372KB

MD5
6491540832092dea62c7f601e6a2ea14

SHA1
297d9820e8c61d056783a42537a28004c97016e0

SHA256
c89e213e2e271327c376e9005f30ceadc245123a42e8d01b6c69471b7fdb1891

SHA512
5eec5a8e3e03e4ee7c89ea79cca768c38cfb1bfdf3e50df4e3897f20bc09c73a26037e090eed68bc92c1f058225f87ebd4de511d7f64cad35aabb5a6ae1a4a93

Download Submit
C:\Windows\{8EEAA8EC-AE54-4c9c-98E7-0C7D844EDEEC}.exe

Filesize
372KB

MD5
58800d47ad5afbb7410f8a2ffe582cdd

SHA1
b1e161c2819c30c06b83e2d73fe8297c55a35c93

SHA256
409b1dfd3b226fa8dae6402a13485bafa68db3fdb277b259117c555692a0704a

SHA512
88abb87f892955f9bb0e01d7aa6a31c8adca0ee4e22ca4d9089cb6e18eb2e29ba741910c184868baa9cd9058cdc334e0724199069da96f4cb340f739539519d3

Download Submit
C:\Windows\{8EEAA8EC-AE54-4c9c-98E7-0C7D844EDEEC}.exe

Filesize
372KB

MD5
58800d47ad5afbb7410f8a2ffe582cdd

SHA1
b1e161c2819c30c06b83e2d73fe8297c55a35c93

SHA256
409b1dfd3b226fa8dae6402a13485bafa68db3fdb277b259117c555692a0704a

SHA512
88abb87f892955f9bb0e01d7aa6a31c8adca0ee4e22ca4d9089cb6e18eb2e29ba741910c184868baa9cd9058cdc334e0724199069da96f4cb340f739539519d3

Download Submit
C:\Windows\{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe

Filesize
372KB

MD5
9e31544f7a9338850433df54fcd8d7fd

SHA1
8f4bd0a2137574609ff3c2cff6fb0288cf2c03dc

SHA256
e9b4b318b39d19c6cb6b7e20040e2c0ba4fd7c80dab58b3507236068285133f8

SHA512
131c9424f6c972055110f64e9edb6c55c8338575d23ed20a60a4b7375505a2f8ace03921b4f220a977016392f828bf7e17b473c1d7d4642c8b0b87c2df2d151c

Download Submit
C:\Windows\{A3A57B97-7206-4030-BBEA-4E719C43CE06}.exe

Filesize
372KB

MD5
9e31544f7a9338850433df54fcd8d7fd

SHA1
8f4bd0a2137574609ff3c2cff6fb0288cf2c03dc

SHA256
e9b4b318b39d19c6cb6b7e20040e2c0ba4fd7c80dab58b3507236068285133f8

SHA512
131c9424f6c972055110f64e9edb6c55c8338575d23ed20a60a4b7375505a2f8ace03921b4f220a977016392f828bf7e17b473c1d7d4642c8b0b87c2df2d151c

Download Submit
C:\Windows\{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe

Filesize
372KB

MD5
2a02808f9caffbc7882f75888abf4879

SHA1
a479a7d2daf85fc743926ba49f36461563200fc6

SHA256
9d78d1733b2d738db87b1515b41d0809918469281a8f277b4d1ebfedd1b49bc1

SHA512
c7d2237bf295673526587df9dc6bc1d1400bcdc6d80351ac681deb4899904a40c3b3d758e5e4b21430f1694df9bac8f333f686cde7aa68fc361043b578f7bfb5

Download Submit
C:\Windows\{C0E26308-FA49-41c7-904F-5BFC8654DE8B}.exe

Filesize
372KB

MD5
2a02808f9caffbc7882f75888abf4879

SHA1
a479a7d2daf85fc743926ba49f36461563200fc6

SHA256
9d78d1733b2d738db87b1515b41d0809918469281a8f277b4d1ebfedd1b49bc1

SHA512
c7d2237bf295673526587df9dc6bc1d1400bcdc6d80351ac681deb4899904a40c3b3d758e5e4b21430f1694df9bac8f333f686cde7aa68fc361043b578f7bfb5

Download Submit
C:\Windows\{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe

Filesize
372KB

MD5
cd1e81ee1e78ee8626262f5ab75080e8

SHA1
5e5c4b5e790f49b5456215eb7833402c4fa6abab

SHA256
5891cba5085acd6eddc5ad9aa07cf4b5f1b0ac084600f774578277813b62e734

SHA512
b7bb9cbefedc5d945871fdd8d81752f72d029aebf407654074ad25092674a20e738f206a25ffd143e121e7d47d37bdad98ff125abe6befad927d4d63aa89acc4

Download Submit
C:\Windows\{C9761E80-BD8E-4724-B7B7-2A81D35E4948}.exe

Filesize
372KB

MD5
cd1e81ee1e78ee8626262f5ab75080e8

SHA1
5e5c4b5e790f49b5456215eb7833402c4fa6abab

SHA256
5891cba5085acd6eddc5ad9aa07cf4b5f1b0ac084600f774578277813b62e734

SHA512
b7bb9cbefedc5d945871fdd8d81752f72d029aebf407654074ad25092674a20e738f206a25ffd143e121e7d47d37bdad98ff125abe6befad927d4d63aa89acc4

Download Submit
C:\Windows\{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe

Filesize
372KB

MD5
e8c778d28db363754403e4327a89608e

SHA1
338811946862b63c161d0336f5361e12421570be

SHA256
2950ba9ace1ab2011d3ea3fd50cb8c72a6200526f87a207711c9f768fa12918e

SHA512
a01a475e954158af707715f67927180bf4ae6b19b030c3ab376d4a44f78270c39ae3acfa35913a90b0b90c3e649cfc63cf009d7e19a2690bf5e5b07d0e6962fb

Download Submit
C:\Windows\{E6A011A2-6B27-4035-A4F2-D629FF3CB75A}.exe

Filesize
372KB

MD5
e8c778d28db363754403e4327a89608e

SHA1
338811946862b63c161d0336f5361e12421570be

SHA256
2950ba9ace1ab2011d3ea3fd50cb8c72a6200526f87a207711c9f768fa12918e

SHA512
a01a475e954158af707715f67927180bf4ae6b19b030c3ab376d4a44f78270c39ae3acfa35913a90b0b90c3e649cfc63cf009d7e19a2690bf5e5b07d0e6962fb

Download Submit
C:\Windows\{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe

Filesize
372KB

MD5
8c34a0abccfd4c849aeac336745e57b8

SHA1
4db6de05665f3c6790729740483e23b4e6a7030f

SHA256
677203f5b3d179ffb75d3038e83cb5c2ef0b3b057c384d6678edeaa28b77bc15

SHA512
6e71a2db5cb944297f67fbff5b571ede527895e996877d536d4cacb1452c44a186ca68f95202fc13ce45da2ae15ee39c848abdcaa0adb10bf7a3fc3d5559d12f

Download Submit
C:\Windows\{E7B4157C-C181-41c3-8483-8E6F29F38320}.exe

Filesize
372KB

MD5
8c34a0abccfd4c849aeac336745e57b8

SHA1
4db6de05665f3c6790729740483e23b4e6a7030f

SHA256
677203f5b3d179ffb75d3038e83cb5c2ef0b3b057c384d6678edeaa28b77bc15

SHA512
6e71a2db5cb944297f67fbff5b571ede527895e996877d536d4cacb1452c44a186ca68f95202fc13ce45da2ae15ee39c848abdcaa0adb10bf7a3fc3d5559d12f

Download Submit
C:\Windows\{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe

Filesize
372KB

MD5
15aed17c25af92d38fbf82b43febb411

SHA1
72b32e82fd5485030347ff06607aaf60434768b0

SHA256
9f8e2830688595eb367690e04d5aa92cdd7f1ce5c11b90ab9279dfc83f7a5428

SHA512
796d1706373519fb21fed2596d2828d7ea3d4acd96dd02d8a67d483ddffcee9d07b6f383fc9c67aaa5a5069e18d2008dcf6c7f36cae568f31242e53a305391f8

Download Submit
C:\Windows\{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe

Filesize
372KB

MD5
15aed17c25af92d38fbf82b43febb411

SHA1
72b32e82fd5485030347ff06607aaf60434768b0

SHA256
9f8e2830688595eb367690e04d5aa92cdd7f1ce5c11b90ab9279dfc83f7a5428

SHA512
796d1706373519fb21fed2596d2828d7ea3d4acd96dd02d8a67d483ddffcee9d07b6f383fc9c67aaa5a5069e18d2008dcf6c7f36cae568f31242e53a305391f8

Download Submit
C:\Windows\{F1F5D129-A68E-4d3b-8B95-416F73FF9F08}.exe

Filesize
372KB

MD5
15aed17c25af92d38fbf82b43febb411

SHA1
72b32e82fd5485030347ff06607aaf60434768b0

SHA256
9f8e2830688595eb367690e04d5aa92cdd7f1ce5c11b90ab9279dfc83f7a5428

SHA512
796d1706373519fb21fed2596d2828d7ea3d4acd96dd02d8a67d483ddffcee9d07b6f383fc9c67aaa5a5069e18d2008dcf6c7f36cae568f31242e53a305391f8

Download Submit