59dc2faaa3884d4028ce3e796775274a2d94f0d6f2b55b6a764c0d2a3ec5536b

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 16:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b3894e6a38ea32exeexeexeex.exe
Size

372KB
MD5

b3894e6a38ea329396921f4ea3476570
SHA1

67b732f4c28a6c90342756c796e2c7e95de970b0
SHA256

59dc2faaa3884d4028ce3e796775274a2d94f0d6f2b55b6a764c0d2a3ec5536b
SHA512

aa5c48fe39db6a02a6c0f77f6ee953efe3d4189ab6b7e05bda1b6b7af1d8b514a9f2990a95851bb01efd67624c2abb43fbaa18ad1695f8215e14de852f383abc
SSDEEP

3072:CEGh0ojmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGQl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997AA570-258E-45e8-99D6-C7E79317D609}\stubpath = "C:\\Windows\\{997AA570-258E-45e8-99D6-C7E79317D609}.exe"	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{378D5E84-FC04-40c2-8267-CBD99A865CC6}	{997AA570-258E-45e8-99D6-C7E79317D609}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFC7A09A-6734-4a22-81D7-35DC558C5887}\stubpath = "C:\\Windows\\{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe"	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}\stubpath = "C:\\Windows\\{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe"	{468301EA-AE69-49e4-945C-0B583C24588C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93D9F99F-1578-46cd-9AED-3B6F22787F85}	b3894e6a38ea32exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1A5289E-1422-48be-8B63-9975C8C86500}\stubpath = "C:\\Windows\\{E1A5289E-1422-48be-8B63-9975C8C86500}.exe"	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{832B27BE-6E32-4f1a-8CC7-48889A77ED60}	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11971E9B-581A-45a9-83BD-7FA5333D7BFE}	{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFC7A09A-6734-4a22-81D7-35DC558C5887}	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468301EA-AE69-49e4-945C-0B583C24588C}\stubpath = "C:\\Windows\\{468301EA-AE69-49e4-945C-0B583C24588C}.exe"	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}	{468301EA-AE69-49e4-945C-0B583C24588C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{832B27BE-6E32-4f1a-8CC7-48889A77ED60}\stubpath = "C:\\Windows\\{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe"	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074A6BDE-ADCD-422e-9811-12C52C0B54A2}\stubpath = "C:\\Windows\\{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe"	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11971E9B-581A-45a9-83BD-7FA5333D7BFE}\stubpath = "C:\\Windows\\{11971E9B-581A-45a9-83BD-7FA5333D7BFE}.exe"	{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93D9F99F-1578-46cd-9AED-3B6F22787F85}\stubpath = "C:\\Windows\\{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe"	b3894e6a38ea32exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1A5289E-1422-48be-8B63-9975C8C86500}	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{997AA570-258E-45e8-99D6-C7E79317D609}	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{378D5E84-FC04-40c2-8267-CBD99A865CC6}\stubpath = "C:\\Windows\\{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe"	{997AA570-258E-45e8-99D6-C7E79317D609}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}\stubpath = "C:\\Windows\\{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe"	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{468301EA-AE69-49e4-945C-0B583C24588C}	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{074A6BDE-ADCD-422e-9811-12C52C0B54A2}	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe

Executes dropped EXE 11 IoCs

pid	Process
4452	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe
3480	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe
4028	{997AA570-258E-45e8-99D6-C7E79317D609}.exe
4172	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe
4216	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe
4588	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe
4284	{468301EA-AE69-49e4-945C-0B583C24588C}.exe
1964	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe
2328	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe
2448	{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe
4528	{11971E9B-581A-45a9-83BD-7FA5333D7BFE}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{11971E9B-581A-45a9-83BD-7FA5333D7BFE}.exe	{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe
File created	C:\Windows\{E1A5289E-1422-48be-8B63-9975C8C86500}.exe	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe
File created	C:\Windows\{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe
File created	C:\Windows\{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe
File created	C:\Windows\{468301EA-AE69-49e4-945C-0B583C24588C}.exe	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe
File created	C:\Windows\{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe
File created	C:\Windows\{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe	b3894e6a38ea32exeexeexeex.exe
File created	C:\Windows\{997AA570-258E-45e8-99D6-C7E79317D609}.exe	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe
File created	C:\Windows\{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe	{997AA570-258E-45e8-99D6-C7E79317D609}.exe
File created	C:\Windows\{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe	{468301EA-AE69-49e4-945C-0B583C24588C}.exe
File created	C:\Windows\{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4080	b3894e6a38ea32exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4452	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe
Token: SeIncBasePriorityPrivilege	3480	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe
Token: SeIncBasePriorityPrivilege	4028	{997AA570-258E-45e8-99D6-C7E79317D609}.exe
Token: SeIncBasePriorityPrivilege	4172	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe
Token: SeIncBasePriorityPrivilege	4216	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe
Token: SeIncBasePriorityPrivilege	4588	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe
Token: SeIncBasePriorityPrivilege	4284	{468301EA-AE69-49e4-945C-0B583C24588C}.exe
Token: SeIncBasePriorityPrivilege	1964	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe
Token: SeIncBasePriorityPrivilege	2328	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe
Token: SeIncBasePriorityPrivilege	2448	{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4080 wrote to memory of 4452	4080	b3894e6a38ea32exeexeexeex.exe	84
PID 4080 wrote to memory of 4452	4080	b3894e6a38ea32exeexeexeex.exe	84
PID 4080 wrote to memory of 4452	4080	b3894e6a38ea32exeexeexeex.exe	84
PID 4080 wrote to memory of 4696	4080	b3894e6a38ea32exeexeexeex.exe	85
PID 4080 wrote to memory of 4696	4080	b3894e6a38ea32exeexeexeex.exe	85
PID 4080 wrote to memory of 4696	4080	b3894e6a38ea32exeexeexeex.exe	85
PID 4452 wrote to memory of 3480	4452	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe	86
PID 4452 wrote to memory of 3480	4452	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe	86
PID 4452 wrote to memory of 3480	4452	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe	86
PID 4452 wrote to memory of 2968	4452	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe	87
PID 4452 wrote to memory of 2968	4452	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe	87
PID 4452 wrote to memory of 2968	4452	{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe	87
PID 3480 wrote to memory of 4028	3480	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe	92
PID 3480 wrote to memory of 4028	3480	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe	92
PID 3480 wrote to memory of 4028	3480	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe	92
PID 3480 wrote to memory of 1040	3480	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe	91
PID 3480 wrote to memory of 1040	3480	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe	91
PID 3480 wrote to memory of 1040	3480	{E1A5289E-1422-48be-8B63-9975C8C86500}.exe	91
PID 4028 wrote to memory of 4172	4028	{997AA570-258E-45e8-99D6-C7E79317D609}.exe	93
PID 4028 wrote to memory of 4172	4028	{997AA570-258E-45e8-99D6-C7E79317D609}.exe	93
PID 4028 wrote to memory of 4172	4028	{997AA570-258E-45e8-99D6-C7E79317D609}.exe	93
PID 4028 wrote to memory of 3520	4028	{997AA570-258E-45e8-99D6-C7E79317D609}.exe	94
PID 4028 wrote to memory of 3520	4028	{997AA570-258E-45e8-99D6-C7E79317D609}.exe	94
PID 4028 wrote to memory of 3520	4028	{997AA570-258E-45e8-99D6-C7E79317D609}.exe	94
PID 4172 wrote to memory of 4216	4172	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe	95
PID 4172 wrote to memory of 4216	4172	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe	95
PID 4172 wrote to memory of 4216	4172	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe	95
PID 4172 wrote to memory of 228	4172	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe	96
PID 4172 wrote to memory of 228	4172	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe	96
PID 4172 wrote to memory of 228	4172	{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe	96
PID 4216 wrote to memory of 4588	4216	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe	97
PID 4216 wrote to memory of 4588	4216	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe	97
PID 4216 wrote to memory of 4588	4216	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe	97
PID 4216 wrote to memory of 4324	4216	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe	98
PID 4216 wrote to memory of 4324	4216	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe	98
PID 4216 wrote to memory of 4324	4216	{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe	98
PID 4588 wrote to memory of 4284	4588	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe	99
PID 4588 wrote to memory of 4284	4588	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe	99
PID 4588 wrote to memory of 4284	4588	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe	99
PID 4588 wrote to memory of 2528	4588	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe	100
PID 4588 wrote to memory of 2528	4588	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe	100
PID 4588 wrote to memory of 2528	4588	{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe	100
PID 4284 wrote to memory of 1964	4284	{468301EA-AE69-49e4-945C-0B583C24588C}.exe	101
PID 4284 wrote to memory of 1964	4284	{468301EA-AE69-49e4-945C-0B583C24588C}.exe	101
PID 4284 wrote to memory of 1964	4284	{468301EA-AE69-49e4-945C-0B583C24588C}.exe	101
PID 4284 wrote to memory of 1684	4284	{468301EA-AE69-49e4-945C-0B583C24588C}.exe	102
PID 4284 wrote to memory of 1684	4284	{468301EA-AE69-49e4-945C-0B583C24588C}.exe	102
PID 4284 wrote to memory of 1684	4284	{468301EA-AE69-49e4-945C-0B583C24588C}.exe	102
PID 1964 wrote to memory of 2328	1964	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe	103
PID 1964 wrote to memory of 2328	1964	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe	103
PID 1964 wrote to memory of 2328	1964	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe	103
PID 1964 wrote to memory of 3320	1964	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe	104
PID 1964 wrote to memory of 3320	1964	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe	104
PID 1964 wrote to memory of 3320	1964	{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe	104
PID 2328 wrote to memory of 2448	2328	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe	105
PID 2328 wrote to memory of 2448	2328	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe	105
PID 2328 wrote to memory of 2448	2328	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe	105
PID 2328 wrote to memory of 3592	2328	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe	106
PID 2328 wrote to memory of 3592	2328	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe	106
PID 2328 wrote to memory of 3592	2328	{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe	106
PID 2448 wrote to memory of 4528	2448	{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe	107
PID 2448 wrote to memory of 4528	2448	{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe	107
PID 2448 wrote to memory of 4528	2448	{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe	107
PID 2448 wrote to memory of 1696	2448	{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe	108

C:\Users\Admin\AppData\Local\Temp\b3894e6a38ea32exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\b3894e6a38ea32exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4080
- C:\Windows\{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe
  C:\Windows\{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4452
- - C:\Windows\{E1A5289E-1422-48be-8B63-9975C8C86500}.exe
    C:\Windows\{E1A5289E-1422-48be-8B63-9975C8C86500}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3480
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E1A52~1.EXE > nul
      4⤵
      PID:1040
  - - C:\Windows\{997AA570-258E-45e8-99D6-C7E79317D609}.exe
      C:\Windows\{997AA570-258E-45e8-99D6-C7E79317D609}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4028
    - - C:\Windows\{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe
        
        C:\Windows\{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
      - C:\Windows\{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe
        
        C:\Windows\{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe
        
        C:\Windows\{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\{468301EA-AE69-49e4-945C-0B583C24588C}.exe
        
        C:\Windows\{468301EA-AE69-49e4-945C-0B583C24588C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
        
        C:\Windows\{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe
        
        C:\Windows\{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe
        
        C:\Windows\{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe
        
        C:\Windows\{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\{11971E9B-581A-45a9-83BD-7FA5333D7BFE}.exe
        
        C:\Windows\{11971E9B-581A-45a9-83BD-7FA5333D7BFE}.exe
        12⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{074A6~1.EXE > nul
        12⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{832B2~1.EXE > nul
        11⤵
        
        PID:3592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC3E5~1.EXE > nul
        10⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46830~1.EXE > nul
        9⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFC7A~1.EXE > nul
        8⤵
        
        PID:2528
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0BE8~1.EXE > nul
        7⤵
        
        PID:4324
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{378D5~1.EXE > nul
        6⤵
        
        PID:228
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{997AA~1.EXE > nul
        5⤵
        
        PID:3520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{93D9F~1.EXE > nul
    3⤵
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B3894E~1.EXE > nul
  2⤵
  PID:4696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe

Filesize
372KB

MD5
c6276ddbd09085a685559d13ab585411

SHA1
ed39afe73380d75d315c8f911ac2e78e4b987a34

SHA256
43e2163d34ca30a43f24f79bb658b4add4f9556e42008b4c0908f858dab7a125

SHA512
4c621ee2acd711d6dd7145570f5355664e879eb89c6513fdc022a8e04691d157d7e3018322d7e674eb1a73fea339957fa51b7a4a7a7a8dbb1d836852cf87753f

Download Submit
C:\Windows\{074A6BDE-ADCD-422e-9811-12C52C0B54A2}.exe

Filesize
372KB

MD5
c6276ddbd09085a685559d13ab585411

SHA1
ed39afe73380d75d315c8f911ac2e78e4b987a34

SHA256
43e2163d34ca30a43f24f79bb658b4add4f9556e42008b4c0908f858dab7a125

SHA512
4c621ee2acd711d6dd7145570f5355664e879eb89c6513fdc022a8e04691d157d7e3018322d7e674eb1a73fea339957fa51b7a4a7a7a8dbb1d836852cf87753f

Download Submit
C:\Windows\{11971E9B-581A-45a9-83BD-7FA5333D7BFE}.exe

Filesize
372KB

MD5
a53db1651e218edd4e14af25ec7948cd

SHA1
6a0fae00c542e23fbc6a41db8c019fa26c02433b

SHA256
01d92e1651715157f75e593164a1c6fddcf6ad89abf82c040635e703413922d7

SHA512
e84b49e90addd03b8ab606c9eb6621c95faa782eae694257f052f2fd31c804f893b68c109b08400b3c8ff309906bfb5c85aa28df0b674037bbe51b5572f67fcc

Download Submit
C:\Windows\{11971E9B-581A-45a9-83BD-7FA5333D7BFE}.exe

Filesize
372KB

MD5
a53db1651e218edd4e14af25ec7948cd

SHA1
6a0fae00c542e23fbc6a41db8c019fa26c02433b

SHA256
01d92e1651715157f75e593164a1c6fddcf6ad89abf82c040635e703413922d7

SHA512
e84b49e90addd03b8ab606c9eb6621c95faa782eae694257f052f2fd31c804f893b68c109b08400b3c8ff309906bfb5c85aa28df0b674037bbe51b5572f67fcc

Download Submit
C:\Windows\{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe

Filesize
372KB

MD5
b30b4bc61eff33ac15c89992890f558c

SHA1
43d57b00cfda1ce3019e6364029503922da82ced

SHA256
ddcd23dc898035104da674d5334c0a75896a84b7386239993ceed63bfab6da14

SHA512
4432d92898de96c9111320e7d27c4a11c9a68337b9ea636f0ce594b68d2dc8b99ef967054f048f62fbeb1eca88521c3e6dc25c2829db7f9bdc1e98ba41cbec52

Download Submit
C:\Windows\{378D5E84-FC04-40c2-8267-CBD99A865CC6}.exe

Filesize
372KB

MD5
b30b4bc61eff33ac15c89992890f558c

SHA1
43d57b00cfda1ce3019e6364029503922da82ced

SHA256
ddcd23dc898035104da674d5334c0a75896a84b7386239993ceed63bfab6da14

SHA512
4432d92898de96c9111320e7d27c4a11c9a68337b9ea636f0ce594b68d2dc8b99ef967054f048f62fbeb1eca88521c3e6dc25c2829db7f9bdc1e98ba41cbec52

Download Submit
C:\Windows\{468301EA-AE69-49e4-945C-0B583C24588C}.exe

Filesize
372KB

MD5
4c51d362ec8f77d097de0e079ac65906

SHA1
721d67c4c539bdcfc356f3ae9c43e61b21a90a37

SHA256
41ed41105c995b75271df0c9a4c6a3a704b3d054d9dc7230ffbc7f89a5a7452b

SHA512
1f6351e0b3b64012c3c3a642e19a7992c062ee8057de32de9e49f08694b7d0b62a94d46c67f40c1eccd288f7d1892e57e467d6661e4b8a5cfbec0f22f4580784

Download Submit
C:\Windows\{468301EA-AE69-49e4-945C-0B583C24588C}.exe

Filesize
372KB

MD5
4c51d362ec8f77d097de0e079ac65906

SHA1
721d67c4c539bdcfc356f3ae9c43e61b21a90a37

SHA256
41ed41105c995b75271df0c9a4c6a3a704b3d054d9dc7230ffbc7f89a5a7452b

SHA512
1f6351e0b3b64012c3c3a642e19a7992c062ee8057de32de9e49f08694b7d0b62a94d46c67f40c1eccd288f7d1892e57e467d6661e4b8a5cfbec0f22f4580784

Download Submit
C:\Windows\{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe

Filesize
372KB

MD5
3f3f3f612ce0a1ed4694222ae35563a2

SHA1
bc10fb36330ac0ec4d6804f38e3748eae527e9b0

SHA256
f1df6fed0693cb48d34e9b63c7f0ca1c67bc548b1394b00523d81155164fea15

SHA512
bdbae50d2390c870c2caa31ab42225deed43b8614ea21271ebf3a0992028d8ecfa812d99912445f21af1e49b88d2aaeebf00f9bb7d7f7c3fe52c885a33aa2379

Download Submit
C:\Windows\{832B27BE-6E32-4f1a-8CC7-48889A77ED60}.exe

Filesize
372KB

MD5
3f3f3f612ce0a1ed4694222ae35563a2

SHA1
bc10fb36330ac0ec4d6804f38e3748eae527e9b0

SHA256
f1df6fed0693cb48d34e9b63c7f0ca1c67bc548b1394b00523d81155164fea15

SHA512
bdbae50d2390c870c2caa31ab42225deed43b8614ea21271ebf3a0992028d8ecfa812d99912445f21af1e49b88d2aaeebf00f9bb7d7f7c3fe52c885a33aa2379

Download Submit
C:\Windows\{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe

Filesize
372KB

MD5
9f9ab1cfd1526b788926f183285d943d

SHA1
e3a1c17744ddba437b67298e8ca16019ecc1cf65

SHA256
217fa8bf6bf0d4337d0f79bfeac56e3065f414eef00bdc5d53e244b163c89c85

SHA512
62a089daf8267974480ee40ad2f40b8e383d085a5a832a69cca16e92d4c9e05e62c12b9570b636beeb73211b5004cc3ffa0b42a4da9ace12801a4b8fe4e9a1b3

Download Submit
C:\Windows\{93D9F99F-1578-46cd-9AED-3B6F22787F85}.exe

Filesize
372KB

MD5
9f9ab1cfd1526b788926f183285d943d

SHA1
e3a1c17744ddba437b67298e8ca16019ecc1cf65

SHA256
217fa8bf6bf0d4337d0f79bfeac56e3065f414eef00bdc5d53e244b163c89c85

SHA512
62a089daf8267974480ee40ad2f40b8e383d085a5a832a69cca16e92d4c9e05e62c12b9570b636beeb73211b5004cc3ffa0b42a4da9ace12801a4b8fe4e9a1b3

Download Submit
C:\Windows\{997AA570-258E-45e8-99D6-C7E79317D609}.exe

Filesize
372KB

MD5
3231c852d97a958a21e44dd85851b9fb

SHA1
e991ebf3be91784e80a93f6e901be71747e3d288

SHA256
befe2e148ce151531679220186f2797733fd89958fd1351add102a055bda603a

SHA512
dfc5e0e5ad9e3d5c0c41ca4adfa914530593a9c74711f337e55eda280db841eff1bf1769ddb9cdb6ac88ddb5a0896a0549e44db0214b980ea0502495de913866

Download Submit
C:\Windows\{997AA570-258E-45e8-99D6-C7E79317D609}.exe

Filesize
372KB

MD5
3231c852d97a958a21e44dd85851b9fb

SHA1
e991ebf3be91784e80a93f6e901be71747e3d288

SHA256
befe2e148ce151531679220186f2797733fd89958fd1351add102a055bda603a

SHA512
dfc5e0e5ad9e3d5c0c41ca4adfa914530593a9c74711f337e55eda280db841eff1bf1769ddb9cdb6ac88ddb5a0896a0549e44db0214b980ea0502495de913866

Download Submit
C:\Windows\{997AA570-258E-45e8-99D6-C7E79317D609}.exe

Filesize
372KB

MD5
3231c852d97a958a21e44dd85851b9fb

SHA1
e991ebf3be91784e80a93f6e901be71747e3d288

SHA256
befe2e148ce151531679220186f2797733fd89958fd1351add102a055bda603a

SHA512
dfc5e0e5ad9e3d5c0c41ca4adfa914530593a9c74711f337e55eda280db841eff1bf1769ddb9cdb6ac88ddb5a0896a0549e44db0214b980ea0502495de913866

Download Submit
C:\Windows\{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe

Filesize
372KB

MD5
ded786546f4e411f0d6ca4a76d01b8a8

SHA1
577e6daf6a7f4462459a71d9ddaff135297e7825

SHA256
7c85e5d2ebe192aa03c63f3e5584ba4736d7b82488ce5b87ec5d1ec1b31ea589

SHA512
5fed5441f4fffc084365f5bb4e023252737a832288b40677b6fd835b45ffd2104bffe9cda0b803d93b78a3c4c1be324568bf77f4b029f417de2ad6c57b607d27

Download Submit
C:\Windows\{BFC7A09A-6734-4a22-81D7-35DC558C5887}.exe

Filesize
372KB

MD5
ded786546f4e411f0d6ca4a76d01b8a8

SHA1
577e6daf6a7f4462459a71d9ddaff135297e7825

SHA256
7c85e5d2ebe192aa03c63f3e5584ba4736d7b82488ce5b87ec5d1ec1b31ea589

SHA512
5fed5441f4fffc084365f5bb4e023252737a832288b40677b6fd835b45ffd2104bffe9cda0b803d93b78a3c4c1be324568bf77f4b029f417de2ad6c57b607d27

Download Submit
C:\Windows\{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe

Filesize
372KB

MD5
f26421d6c8082d09bd6fc9250e1f7571

SHA1
19c0b00639865d65ac9b343c53e7eebe6176a9af

SHA256
4ae9c344cf547253bff0303e92245e369c0f65f473a7ad5f6a7a4a516040044d

SHA512
44b301f7f58ba37a95faa44bfa27af64069bbf22752a3f70719dc6c79cc24fb7ad0b68ae533dde84a743c06a1d52361ad6c6da8a734dcd28a9310faf662713cc

Download Submit
C:\Windows\{C0BE8669-BDA2-4e3b-A4C6-1E7AD21A52F4}.exe

Filesize
372KB

MD5
f26421d6c8082d09bd6fc9250e1f7571

SHA1
19c0b00639865d65ac9b343c53e7eebe6176a9af

SHA256
4ae9c344cf547253bff0303e92245e369c0f65f473a7ad5f6a7a4a516040044d

SHA512
44b301f7f58ba37a95faa44bfa27af64069bbf22752a3f70719dc6c79cc24fb7ad0b68ae533dde84a743c06a1d52361ad6c6da8a734dcd28a9310faf662713cc

Download Submit
C:\Windows\{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe

Filesize
372KB

MD5
c5fe648c6fc9689683cb1ade801c6938

SHA1
ccd23dae9bde5c6fddd96ad08117463513b05a7a

SHA256
bbdcfdea56fce4068f74c8ce1bd32750b14db5a1cbb718b50c422d0564969316

SHA512
b54468aadc093810e27c23824852be67cd304b63176cf261108d37fd9b728a56842cfefb5910d6fd1e76b49d6941a0a6ab1495caa3b2022814ed2ca3a269d61d

Download Submit
C:\Windows\{DC3E5CEE-1BA7-4e49-88AF-78D17646B242}.exe

Filesize
372KB

MD5
c5fe648c6fc9689683cb1ade801c6938

SHA1
ccd23dae9bde5c6fddd96ad08117463513b05a7a

SHA256
bbdcfdea56fce4068f74c8ce1bd32750b14db5a1cbb718b50c422d0564969316

SHA512
b54468aadc093810e27c23824852be67cd304b63176cf261108d37fd9b728a56842cfefb5910d6fd1e76b49d6941a0a6ab1495caa3b2022814ed2ca3a269d61d

Download Submit
C:\Windows\{E1A5289E-1422-48be-8B63-9975C8C86500}.exe

Filesize
372KB

MD5
a5d2cab48341bd6a373b549b5de06881

SHA1
3dd918a0c8b6db203d21e455993389983c60d544

SHA256
2edcbada51c15033225c017fa84cfb0200be348bd735fac7fd345153887b4dac

SHA512
a4868aee65ec2f1c64c062b6ab8e08fe8de2cfc6a389e032d3b3797ee63acb4aee170d43282fa71d362b8c48518075722af6dcfcb63f6273289bf3ee33856e47

Download Submit
C:\Windows\{E1A5289E-1422-48be-8B63-9975C8C86500}.exe

Filesize
372KB

MD5
a5d2cab48341bd6a373b549b5de06881

SHA1
3dd918a0c8b6db203d21e455993389983c60d544

SHA256
2edcbada51c15033225c017fa84cfb0200be348bd735fac7fd345153887b4dac

SHA512
a4868aee65ec2f1c64c062b6ab8e08fe8de2cfc6a389e032d3b3797ee63acb4aee170d43282fa71d362b8c48518075722af6dcfcb63f6273289bf3ee33856e47

Download Submit