2ac1189a34aa660b0665acee60ade67803b79b33e5ba8461971e794fcb04b072

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b520e746ab80d8exeexeexeex.exe
Size

372KB
MD5

b520e746ab80d8d8e46c6e11d692b72b
SHA1

cc22af188cbb24384109fbaf99a8baf8948d702f
SHA256

2ac1189a34aa660b0665acee60ade67803b79b33e5ba8461971e794fcb04b072
SHA512

4a124e6439b1c150782d621052d399974ceb6aeec3801d3ffce32d2f932cfe5d93fb7d6044a371f9bea66eb89e3f86c59873cd34b4c1bf41e383605f83286214
SSDEEP

3072:CEGh0oGmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGBl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCA28452-11C6-42c9-82C9-6AFED595232C}	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F23315-8A6F-4c6c-9370-B5ADD427952A}\stubpath = "C:\\Windows\\{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe"	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}\stubpath = "C:\\Windows\\{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe"	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{716CB790-2FAF-42b6-9390-E5BA7663A2C1}	{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{716CB790-2FAF-42b6-9390-E5BA7663A2C1}\stubpath = "C:\\Windows\\{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe"	{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{020B4EB6-0942-498c-8CD9-D20EBBB42910}	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{020B4EB6-0942-498c-8CD9-D20EBBB42910}\stubpath = "C:\\Windows\\{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe"	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCA28452-11C6-42c9-82C9-6AFED595232C}\stubpath = "C:\\Windows\\{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe"	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}\stubpath = "C:\\Windows\\{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe"	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2DC1B3C-10FC-4489-B3C5-34E66F1B75BE}	{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}\stubpath = "C:\\Windows\\{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe"	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94F23315-8A6F-4c6c-9370-B5ADD427952A}	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}\stubpath = "C:\\Windows\\{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe"	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2DC1B3C-10FC-4489-B3C5-34E66F1B75BE}\stubpath = "C:\\Windows\\{A2DC1B3C-10FC-4489-B3C5-34E66F1B75BE}.exe"	{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29914D76-A0C9-44f4-8EEF-B0A09909B995}\stubpath = "C:\\Windows\\{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe"	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4655F9AF-8528-487c-93EA-BE10B64C0E75}	b520e746ab80d8exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4655F9AF-8528-487c-93EA-BE10B64C0E75}\stubpath = "C:\\Windows\\{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe"	b520e746ab80d8exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2749B82-4C9F-4afc-9547-D48969DEA4F0}	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2749B82-4C9F-4afc-9547-D48969DEA4F0}\stubpath = "C:\\Windows\\{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe"	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29914D76-A0C9-44f4-8EEF-B0A09909B995}	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe

Executes dropped EXE 12 IoCs

pid	Process
4136	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe
4620	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe
3044	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe
1488	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe
764	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe
5068	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe
4284	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe
3672	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe
5056	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe
1896	{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe
4404	{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe
2532	{A2DC1B3C-10FC-4489-B3C5-34E66F1B75BE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe
File created	C:\Windows\{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe	b520e746ab80d8exeexeexeex.exe
File created	C:\Windows\{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe
File created	C:\Windows\{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe
File created	C:\Windows\{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe
File created	C:\Windows\{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe
File created	C:\Windows\{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe	{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe
File created	C:\Windows\{A2DC1B3C-10FC-4489-B3C5-34E66F1B75BE}.exe	{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe
File created	C:\Windows\{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe
File created	C:\Windows\{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe
File created	C:\Windows\{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe
File created	C:\Windows\{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3496	b520e746ab80d8exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4136	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe
Token: SeIncBasePriorityPrivilege	4620	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe
Token: SeIncBasePriorityPrivilege	3044	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe
Token: SeIncBasePriorityPrivilege	1488	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe
Token: SeIncBasePriorityPrivilege	764	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe
Token: SeIncBasePriorityPrivilege	5068	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe
Token: SeIncBasePriorityPrivilege	4284	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe
Token: SeIncBasePriorityPrivilege	3672	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe
Token: SeIncBasePriorityPrivilege	5056	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe
Token: SeIncBasePriorityPrivilege	1896	{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe
Token: SeIncBasePriorityPrivilege	4404	{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3496 wrote to memory of 4136	3496	b520e746ab80d8exeexeexeex.exe	89
PID 3496 wrote to memory of 4136	3496	b520e746ab80d8exeexeexeex.exe	89
PID 3496 wrote to memory of 4136	3496	b520e746ab80d8exeexeexeex.exe	89
PID 3496 wrote to memory of 2016	3496	b520e746ab80d8exeexeexeex.exe	90
PID 3496 wrote to memory of 2016	3496	b520e746ab80d8exeexeexeex.exe	90
PID 3496 wrote to memory of 2016	3496	b520e746ab80d8exeexeexeex.exe	90
PID 4136 wrote to memory of 4620	4136	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe	91
PID 4136 wrote to memory of 4620	4136	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe	91
PID 4136 wrote to memory of 4620	4136	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe	91
PID 4136 wrote to memory of 452	4136	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe	92
PID 4136 wrote to memory of 452	4136	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe	92
PID 4136 wrote to memory of 452	4136	{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe	92
PID 4620 wrote to memory of 3044	4620	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe	98
PID 4620 wrote to memory of 3044	4620	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe	98
PID 4620 wrote to memory of 3044	4620	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe	98
PID 4620 wrote to memory of 1604	4620	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe	97
PID 4620 wrote to memory of 1604	4620	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe	97
PID 4620 wrote to memory of 1604	4620	{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe	97
PID 3044 wrote to memory of 1488	3044	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe	99
PID 3044 wrote to memory of 1488	3044	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe	99
PID 3044 wrote to memory of 1488	3044	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe	99
PID 3044 wrote to memory of 1172	3044	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe	100
PID 3044 wrote to memory of 1172	3044	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe	100
PID 3044 wrote to memory of 1172	3044	{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe	100
PID 1488 wrote to memory of 764	1488	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe	101
PID 1488 wrote to memory of 764	1488	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe	101
PID 1488 wrote to memory of 764	1488	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe	101
PID 1488 wrote to memory of 2200	1488	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe	102
PID 1488 wrote to memory of 2200	1488	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe	102
PID 1488 wrote to memory of 2200	1488	{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe	102
PID 764 wrote to memory of 5068	764	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe	103
PID 764 wrote to memory of 5068	764	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe	103
PID 764 wrote to memory of 5068	764	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe	103
PID 764 wrote to memory of 3128	764	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe	104
PID 764 wrote to memory of 3128	764	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe	104
PID 764 wrote to memory of 3128	764	{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe	104
PID 5068 wrote to memory of 4284	5068	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe	105
PID 5068 wrote to memory of 4284	5068	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe	105
PID 5068 wrote to memory of 4284	5068	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe	105
PID 5068 wrote to memory of 2876	5068	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe	106
PID 5068 wrote to memory of 2876	5068	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe	106
PID 5068 wrote to memory of 2876	5068	{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe	106
PID 4284 wrote to memory of 3672	4284	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe	107
PID 4284 wrote to memory of 3672	4284	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe	107
PID 4284 wrote to memory of 3672	4284	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe	107
PID 4284 wrote to memory of 1392	4284	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe	108
PID 4284 wrote to memory of 1392	4284	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe	108
PID 4284 wrote to memory of 1392	4284	{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe	108
PID 3672 wrote to memory of 5056	3672	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe	109
PID 3672 wrote to memory of 5056	3672	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe	109
PID 3672 wrote to memory of 5056	3672	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe	109
PID 3672 wrote to memory of 4408	3672	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe	110
PID 3672 wrote to memory of 4408	3672	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe	110
PID 3672 wrote to memory of 4408	3672	{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe	110
PID 5056 wrote to memory of 1896	5056	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe	113
PID 5056 wrote to memory of 1896	5056	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe	113
PID 5056 wrote to memory of 1896	5056	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe	113
PID 5056 wrote to memory of 2204	5056	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe	114
PID 5056 wrote to memory of 2204	5056	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe	114
PID 5056 wrote to memory of 2204	5056	{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe	114
PID 1896 wrote to memory of 4404	1896	{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe	115
PID 1896 wrote to memory of 4404	1896	{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe	115
PID 1896 wrote to memory of 4404	1896	{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe	115
PID 1896 wrote to memory of 3440	1896	{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe	116

C:\Users\Admin\AppData\Local\Temp\b520e746ab80d8exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\b520e746ab80d8exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3496
- C:\Windows\{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe
  C:\Windows\{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4136
- - C:\Windows\{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe
    C:\Windows\{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{020B4~1.EXE > nul
      4⤵
      PID:1604
  - - C:\Windows\{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe
      C:\Windows\{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe
        
        C:\Windows\{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe
        
        C:\Windows\{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe
        
        C:\Windows\{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe
        
        C:\Windows\{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe
        
        C:\Windows\{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe
        
        C:\Windows\{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe
        
        C:\Windows\{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe
        
        C:\Windows\{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\{A2DC1B3C-10FC-4489-B3C5-34E66F1B75BE}.exe
        
        C:\Windows\{A2DC1B3C-10FC-4489-B3C5-34E66F1B75BE}.exe
        13⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{716CB~1.EXE > nul
        13⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29914~1.EXE > nul
        12⤵
        
        PID:3440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{09273~1.EXE > nul
        11⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C6A0~1.EXE > nul
        10⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE6B3~1.EXE > nul
        9⤵
        
        PID:1392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94F23~1.EXE > nul
        8⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A732E~1.EXE > nul
        7⤵
        
        PID:3128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2749~1.EXE > nul
        6⤵
        
        PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCA28~1.EXE > nul
        5⤵
        
        PID:1172
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4655F~1.EXE > nul
    3⤵
    PID:452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B520E7~1.EXE > nul
  2⤵
  PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe

Filesize
372KB

MD5
be30185cf81ca47a6d987b7d1c8787d6

SHA1
86430cd45ef18b3d2ead63a4e096ea3667b0ae5f

SHA256
b61e18da6482ce5177ee8b7cb6f064a40325b9674887485cbb322d41c25a5e31

SHA512
5c4050f922dac19bcbed637fdd2dc090d02941144bafa0215b1749d8602a966621d9cd6086151a69c4e4c34e714eca5ceced819c27d065bb9fda8c33c2a38a32

Download Submit
C:\Windows\{020B4EB6-0942-498c-8CD9-D20EBBB42910}.exe

Filesize
372KB

MD5
be30185cf81ca47a6d987b7d1c8787d6

SHA1
86430cd45ef18b3d2ead63a4e096ea3667b0ae5f

SHA256
b61e18da6482ce5177ee8b7cb6f064a40325b9674887485cbb322d41c25a5e31

SHA512
5c4050f922dac19bcbed637fdd2dc090d02941144bafa0215b1749d8602a966621d9cd6086151a69c4e4c34e714eca5ceced819c27d065bb9fda8c33c2a38a32

Download Submit
C:\Windows\{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe

Filesize
372KB

MD5
bb9dad0a7b8d8ca7287706af435b56cb

SHA1
63c2903d55016c5a6e6f3bb35999e5e7cc7190b1

SHA256
c72f8344fd14e14bd3447074d37c7848dbd520ef4234fb3ad808dc7e8919e626

SHA512
16b87d536f97aaa53cd66162d29d61938dfeeb0c30d440dc1553a4306a8c1e5da0dd29746213860386d53b6461bf4defc1db2e312293c444daff7408d6958aa8

Download Submit
C:\Windows\{09273BDB-F6D7-4b2f-BBFD-F9F2FA3F516B}.exe

Filesize
372KB

MD5
bb9dad0a7b8d8ca7287706af435b56cb

SHA1
63c2903d55016c5a6e6f3bb35999e5e7cc7190b1

SHA256
c72f8344fd14e14bd3447074d37c7848dbd520ef4234fb3ad808dc7e8919e626

SHA512
16b87d536f97aaa53cd66162d29d61938dfeeb0c30d440dc1553a4306a8c1e5da0dd29746213860386d53b6461bf4defc1db2e312293c444daff7408d6958aa8

Download Submit
C:\Windows\{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe

Filesize
372KB

MD5
3c95d265835017dfd0aabdd719e5f3ea

SHA1
ca349cc959d16a6f0b6c36b03934398ea32512bf

SHA256
ad7d3feaa0586e4e43cd9c539c6ee7fdcb4502ba913c6adfeb1099221a55f556

SHA512
02ccf61da707bacc4a2290a2f95c1fc9be589db3fed2072398e412f061ca8cb35b89314e224732314d042753a7182f8bc10aafcece921abdea6ebc862386e097

Download Submit
C:\Windows\{29914D76-A0C9-44f4-8EEF-B0A09909B995}.exe

Filesize
372KB

MD5
3c95d265835017dfd0aabdd719e5f3ea

SHA1
ca349cc959d16a6f0b6c36b03934398ea32512bf

SHA256
ad7d3feaa0586e4e43cd9c539c6ee7fdcb4502ba913c6adfeb1099221a55f556

SHA512
02ccf61da707bacc4a2290a2f95c1fc9be589db3fed2072398e412f061ca8cb35b89314e224732314d042753a7182f8bc10aafcece921abdea6ebc862386e097

Download Submit
C:\Windows\{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe

Filesize
372KB

MD5
571a6ad109bdb334d2237e750fc96668

SHA1
079970244f18e9f70adaf54a89c40f3f0352d077

SHA256
8599efdaa2ce27fab6c5551cf51b7912fdc81fbb5e6cca3ac0fe8e53b3723644

SHA512
2ce2ea78062db8a33ed8f859d4cd3b3e29cd295df558989d3f542cea367961285d6c8a79d29518c48cdaacee069ce509c13bccddc0e53fe6bf6e4884afa56ffc

Download Submit
C:\Windows\{3C6A0208-2D3C-491f-A6BD-16D4D448B21C}.exe

Filesize
372KB

MD5
571a6ad109bdb334d2237e750fc96668

SHA1
079970244f18e9f70adaf54a89c40f3f0352d077

SHA256
8599efdaa2ce27fab6c5551cf51b7912fdc81fbb5e6cca3ac0fe8e53b3723644

SHA512
2ce2ea78062db8a33ed8f859d4cd3b3e29cd295df558989d3f542cea367961285d6c8a79d29518c48cdaacee069ce509c13bccddc0e53fe6bf6e4884afa56ffc

Download Submit
C:\Windows\{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe

Filesize
372KB

MD5
c4346875299cf9e05b9a0b43266b6bbd

SHA1
3cd7854383e6cd98a0afde9de19577d0c2b65087

SHA256
132863508e4d069daf26b33bf8625c8529951b59913761662dd7728200b9c383

SHA512
87114cf2886e63ac38901e355238129bcb4c3b5835623faf4b3d3912c9950c47d820c0baa7d3d53b8ba26bd5bc314ce81ea6b86e0760ecc61da3167922f1e8c4

Download Submit
C:\Windows\{4655F9AF-8528-487c-93EA-BE10B64C0E75}.exe

Filesize
372KB

MD5
c4346875299cf9e05b9a0b43266b6bbd

SHA1
3cd7854383e6cd98a0afde9de19577d0c2b65087

SHA256
132863508e4d069daf26b33bf8625c8529951b59913761662dd7728200b9c383

SHA512
87114cf2886e63ac38901e355238129bcb4c3b5835623faf4b3d3912c9950c47d820c0baa7d3d53b8ba26bd5bc314ce81ea6b86e0760ecc61da3167922f1e8c4

Download Submit
C:\Windows\{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe

Filesize
372KB

MD5
5660e344702bace52208f32451ddd195

SHA1
42bc1fececc68f751b1caa26aaa5b15afd96911c

SHA256
144c2a23ee8f1c55dc62e5d1fa6b806ba40a7e3242d0e18d3e029fa48adf5207

SHA512
bdb4c4f35cedf0a9a5b12cec66f045d47cb3582e0cfa2f2a6a26e536f0499acef20d54e4c87149536504f24ed626bf83081e7cf88e70373f20bdb865dbe91684

Download Submit
C:\Windows\{716CB790-2FAF-42b6-9390-E5BA7663A2C1}.exe

Filesize
372KB

MD5
5660e344702bace52208f32451ddd195

SHA1
42bc1fececc68f751b1caa26aaa5b15afd96911c

SHA256
144c2a23ee8f1c55dc62e5d1fa6b806ba40a7e3242d0e18d3e029fa48adf5207

SHA512
bdb4c4f35cedf0a9a5b12cec66f045d47cb3582e0cfa2f2a6a26e536f0499acef20d54e4c87149536504f24ed626bf83081e7cf88e70373f20bdb865dbe91684

Download Submit
C:\Windows\{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe

Filesize
372KB

MD5
b05827abc058f274f21950a0c60b58cc

SHA1
0eb7d6cf00db6f8e3b82d5642befe6694e87906e

SHA256
3ca7a6867ce96e575c9e4b2c6762448e1517268dba2b3e0ae1e985b28d336a01

SHA512
863394cf303c6da41ebe8ec2a708bf127200585fdc11c3c4044e50a062e2620fd7dc869ef5811dd2b167aec87c9fcb48797475a0232d645246594a8c7f26d49e

Download Submit
C:\Windows\{94F23315-8A6F-4c6c-9370-B5ADD427952A}.exe

Filesize
372KB

MD5
b05827abc058f274f21950a0c60b58cc

SHA1
0eb7d6cf00db6f8e3b82d5642befe6694e87906e

SHA256
3ca7a6867ce96e575c9e4b2c6762448e1517268dba2b3e0ae1e985b28d336a01

SHA512
863394cf303c6da41ebe8ec2a708bf127200585fdc11c3c4044e50a062e2620fd7dc869ef5811dd2b167aec87c9fcb48797475a0232d645246594a8c7f26d49e

Download Submit
C:\Windows\{A2DC1B3C-10FC-4489-B3C5-34E66F1B75BE}.exe

Filesize
372KB

MD5
a6755e48e3d096da7b150040c73feb75

SHA1
e7702b9ea2679efc65f95291ec912433f109f498

SHA256
79704ef161bda09dbfa1d90be9b7b875d882afe7514e6a9f02e38b5b8b2e46ae

SHA512
93384159dbdfe593be765e124a441d91839eabd773c59b39ebb7f8df596521e2e2393a2b0db044ed18c3955fc9182a01e979b98240b62a5db715d63100590e62

Download Submit
C:\Windows\{A2DC1B3C-10FC-4489-B3C5-34E66F1B75BE}.exe

Filesize
372KB

MD5
a6755e48e3d096da7b150040c73feb75

SHA1
e7702b9ea2679efc65f95291ec912433f109f498

SHA256
79704ef161bda09dbfa1d90be9b7b875d882afe7514e6a9f02e38b5b8b2e46ae

SHA512
93384159dbdfe593be765e124a441d91839eabd773c59b39ebb7f8df596521e2e2393a2b0db044ed18c3955fc9182a01e979b98240b62a5db715d63100590e62

Download Submit
C:\Windows\{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe

Filesize
372KB

MD5
4d0c33f07a827f2be4ddc2c325e73549

SHA1
9267a4a4f410697220d00ef0154c3c53ac66be4f

SHA256
40fb86eb676b713f569145f2d439b696f9c9ef87c04ea1282e13afcd27b4e685

SHA512
e8aa218168b2613212c256a5d91574599ce467b964a764081233aff1644da20d97214977cab6b04784df517dc138fa0f89d79637e80006ffba5bb68f6dc64ff9

Download Submit
C:\Windows\{A732E4A7-BE5A-44e4-A477-CB78CFD2DC33}.exe

Filesize
372KB

MD5
4d0c33f07a827f2be4ddc2c325e73549

SHA1
9267a4a4f410697220d00ef0154c3c53ac66be4f

SHA256
40fb86eb676b713f569145f2d439b696f9c9ef87c04ea1282e13afcd27b4e685

SHA512
e8aa218168b2613212c256a5d91574599ce467b964a764081233aff1644da20d97214977cab6b04784df517dc138fa0f89d79637e80006ffba5bb68f6dc64ff9

Download Submit
C:\Windows\{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe

Filesize
372KB

MD5
0c7cc8b6b31495c936a2c69f1334eccf

SHA1
29a797fd2b6a5f91c5813c6a22a6d209c6902ca9

SHA256
b10b3f66dec6e9f670bb614eb30290f6ad0ef9acc4b6580278c2ea2bb5776dd3

SHA512
9ec0a81ac60e4a10cdae821b88698107a0736d800a105179f0419fcc651d41f07ed19c2d162410e66589bac5f94dcd281ec518f8ecdc76c6c879add8f861efdb

Download Submit
C:\Windows\{BE6B3F3A-C248-4de8-A3B2-E8962BA157A9}.exe

Filesize
372KB

MD5
0c7cc8b6b31495c936a2c69f1334eccf

SHA1
29a797fd2b6a5f91c5813c6a22a6d209c6902ca9

SHA256
b10b3f66dec6e9f670bb614eb30290f6ad0ef9acc4b6580278c2ea2bb5776dd3

SHA512
9ec0a81ac60e4a10cdae821b88698107a0736d800a105179f0419fcc651d41f07ed19c2d162410e66589bac5f94dcd281ec518f8ecdc76c6c879add8f861efdb

Download Submit
C:\Windows\{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe

Filesize
372KB

MD5
bfe56aa328cfdc1803e53e1213fe4416

SHA1
146cd6e7766cda187b3ba88b5fa6beb2f09ad70b

SHA256
80fb1ed160ae87bc7a53ef5e0e9b4698f7b9a518a1635b107eb9756511805646

SHA512
a5c94f5fc2178f3bd9059c4ba653090734538ce459b6a60ff316e33e8e2c511287f91c217b6ee758532ad2c6e7afbb7b1a60b35a77f0ace2b440bf4afdf3f35f

Download Submit
C:\Windows\{F2749B82-4C9F-4afc-9547-D48969DEA4F0}.exe

Filesize
372KB

MD5
bfe56aa328cfdc1803e53e1213fe4416

SHA1
146cd6e7766cda187b3ba88b5fa6beb2f09ad70b

SHA256
80fb1ed160ae87bc7a53ef5e0e9b4698f7b9a518a1635b107eb9756511805646

SHA512
a5c94f5fc2178f3bd9059c4ba653090734538ce459b6a60ff316e33e8e2c511287f91c217b6ee758532ad2c6e7afbb7b1a60b35a77f0ace2b440bf4afdf3f35f

Download Submit
C:\Windows\{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe

Filesize
372KB

MD5
82b9ddcf854299de0f86d26cfe496f57

SHA1
3f2fbeda67e9e1ebf755a784f03e5979004ecaa8

SHA256
642f73f7a08c910773208d560afb1b0380ae31cc4617db2c0f7e42d905b1fea6

SHA512
9422d8fc3a52888d016f5796e21946a31dffce3f688708d98fe5d79069b79c44df824230b8ec9c6dddbb110f74877f3f86a55aec84a7c99f0b266976e5de9f91

Download Submit
C:\Windows\{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe

Filesize
372KB

MD5
82b9ddcf854299de0f86d26cfe496f57

SHA1
3f2fbeda67e9e1ebf755a784f03e5979004ecaa8

SHA256
642f73f7a08c910773208d560afb1b0380ae31cc4617db2c0f7e42d905b1fea6

SHA512
9422d8fc3a52888d016f5796e21946a31dffce3f688708d98fe5d79069b79c44df824230b8ec9c6dddbb110f74877f3f86a55aec84a7c99f0b266976e5de9f91

Download Submit
C:\Windows\{FCA28452-11C6-42c9-82C9-6AFED595232C}.exe

Filesize
372KB

MD5
82b9ddcf854299de0f86d26cfe496f57

SHA1
3f2fbeda67e9e1ebf755a784f03e5979004ecaa8

SHA256
642f73f7a08c910773208d560afb1b0380ae31cc4617db2c0f7e42d905b1fea6

SHA512
9422d8fc3a52888d016f5796e21946a31dffce3f688708d98fe5d79069b79c44df824230b8ec9c6dddbb110f74877f3f86a55aec84a7c99f0b266976e5de9f91

Download Submit