93cdc816e34b8f935eb7ba09a5c8c75bfb5af317f032736210c9868d858a238c

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e3d5243019a4b1a8321608b878788895.exe
Size

344KB
MD5

e3d5243019a4b1a8321608b878788895
SHA1

089b2bb2252d79f2966235d92a84b0737157f37e
SHA256

93cdc816e34b8f935eb7ba09a5c8c75bfb5af317f032736210c9868d858a238c
SHA512

2ff7b208742c5aa4b0f5b13030a5ef97a9bbd30e8c0ef59325a453e2bd739e75fa1c1d9e6b3eeaef3a428b795350db446f969ddf0ba1d8b336b11f87f76d77a6
SSDEEP

3072:mEGh0oklEOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGL:mEGylqOe2MUVg3v2IneKcAEcA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC9958D1-573F-4703-B55B-812461C32C50}\stubpath = "C:\\Windows\\{FC9958D1-573F-4703-B55B-812461C32C50}.exe"	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}	{FC9958D1-573F-4703-B55B-812461C32C50}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D48538-5683-4eb5-8248-388844FB4EEF}	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75D48538-5683-4eb5-8248-388844FB4EEF}\stubpath = "C:\\Windows\\{75D48538-5683-4eb5-8248-388844FB4EEF}.exe"	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30BD05A6-F993-4a90-B08B-7E50FDA29283}	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31D5AB68-D5C3-496c-9816-DC4D4E41F254}\stubpath = "C:\\Windows\\{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe"	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DD594A1-AD28-450e-8704-37BB5EF53C1D}	{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2B011BF-EDBC-4db4-BE41-8984E7035E11}	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D66D77-E8FA-4b24-B832-BF132AC6089A}\stubpath = "C:\\Windows\\{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe"	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}\stubpath = "C:\\Windows\\{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe"	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9DD594A1-AD28-450e-8704-37BB5EF53C1D}\stubpath = "C:\\Windows\\{9DD594A1-AD28-450e-8704-37BB5EF53C1D}.exe"	{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D66D77-E8FA-4b24-B832-BF132AC6089A}	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2B011BF-EDBC-4db4-BE41-8984E7035E11}\stubpath = "C:\\Windows\\{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe"	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74F4D175-665E-4408-875D-E5A4ADC78BC7}\stubpath = "C:\\Windows\\{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe"	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC9958D1-573F-4703-B55B-812461C32C50}	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67416B44-C4FE-43a2-853E-3FF49C5CC399}\stubpath = "C:\\Windows\\{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe"	e3d5243019a4b1a8321608b878788895.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74F4D175-665E-4408-875D-E5A4ADC78BC7}	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}\stubpath = "C:\\Windows\\{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe"	{FC9958D1-573F-4703-B55B-812461C32C50}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30BD05A6-F993-4a90-B08B-7E50FDA29283}\stubpath = "C:\\Windows\\{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe"	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{31D5AB68-D5C3-496c-9816-DC4D4E41F254}	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87A29FB1-83E5-4208-95DD-8294A36716ED}	{9DD594A1-AD28-450e-8704-37BB5EF53C1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87A29FB1-83E5-4208-95DD-8294A36716ED}\stubpath = "C:\\Windows\\{87A29FB1-83E5-4208-95DD-8294A36716ED}.exe"	{9DD594A1-AD28-450e-8704-37BB5EF53C1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67416B44-C4FE-43a2-853E-3FF49C5CC399}	e3d5243019a4b1a8321608b878788895.exe

Executes dropped EXE 12 IoCs

pid	Process
3204	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe
5004	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe
4836	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe
1032	{FC9958D1-573F-4703-B55B-812461C32C50}.exe
4964	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe
1620	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe
2888	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe
2332	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe
2944	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe
4584	{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe
3792	{9DD594A1-AD28-450e-8704-37BB5EF53C1D}.exe
3952	{87A29FB1-83E5-4208-95DD-8294A36716ED}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{75D48538-5683-4eb5-8248-388844FB4EEF}.exe	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe
File created	C:\Windows\{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe
File created	C:\Windows\{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe
File created	C:\Windows\{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe	e3d5243019a4b1a8321608b878788895.exe
File created	C:\Windows\{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe
File created	C:\Windows\{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe
File created	C:\Windows\{FC9958D1-573F-4703-B55B-812461C32C50}.exe	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe
File created	C:\Windows\{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe	{FC9958D1-573F-4703-B55B-812461C32C50}.exe
File created	C:\Windows\{9DD594A1-AD28-450e-8704-37BB5EF53C1D}.exe	{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe
File created	C:\Windows\{87A29FB1-83E5-4208-95DD-8294A36716ED}.exe	{9DD594A1-AD28-450e-8704-37BB5EF53C1D}.exe
File created	C:\Windows\{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe
File created	C:\Windows\{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3152	e3d5243019a4b1a8321608b878788895.exe
Token: SeIncBasePriorityPrivilege	3204	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe
Token: SeIncBasePriorityPrivilege	5004	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe
Token: SeIncBasePriorityPrivilege	4836	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe
Token: SeIncBasePriorityPrivilege	1032	{FC9958D1-573F-4703-B55B-812461C32C50}.exe
Token: SeIncBasePriorityPrivilege	4964	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe
Token: SeIncBasePriorityPrivilege	1620	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe
Token: SeIncBasePriorityPrivilege	2888	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe
Token: SeIncBasePriorityPrivilege	2332	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe
Token: SeIncBasePriorityPrivilege	2944	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe
Token: SeIncBasePriorityPrivilege	4584	{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe
Token: SeIncBasePriorityPrivilege	3792	{9DD594A1-AD28-450e-8704-37BB5EF53C1D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 3204	3152	e3d5243019a4b1a8321608b878788895.exe	92
PID 3152 wrote to memory of 3204	3152	e3d5243019a4b1a8321608b878788895.exe	92
PID 3152 wrote to memory of 3204	3152	e3d5243019a4b1a8321608b878788895.exe	92
PID 3152 wrote to memory of 1372	3152	e3d5243019a4b1a8321608b878788895.exe	91
PID 3152 wrote to memory of 1372	3152	e3d5243019a4b1a8321608b878788895.exe	91
PID 3152 wrote to memory of 1372	3152	e3d5243019a4b1a8321608b878788895.exe	91
PID 3204 wrote to memory of 5004	3204	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe	94
PID 3204 wrote to memory of 5004	3204	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe	94
PID 3204 wrote to memory of 5004	3204	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe	94
PID 3204 wrote to memory of 244	3204	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe	93
PID 3204 wrote to memory of 244	3204	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe	93
PID 3204 wrote to memory of 244	3204	{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe	93
PID 5004 wrote to memory of 4836	5004	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe	96
PID 5004 wrote to memory of 4836	5004	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe	96
PID 5004 wrote to memory of 4836	5004	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe	96
PID 5004 wrote to memory of 4044	5004	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe	97
PID 5004 wrote to memory of 4044	5004	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe	97
PID 5004 wrote to memory of 4044	5004	{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe	97
PID 4836 wrote to memory of 1032	4836	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe	99
PID 4836 wrote to memory of 1032	4836	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe	99
PID 4836 wrote to memory of 1032	4836	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe	99
PID 4836 wrote to memory of 1060	4836	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe	98
PID 4836 wrote to memory of 1060	4836	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe	98
PID 4836 wrote to memory of 1060	4836	{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe	98
PID 1032 wrote to memory of 4964	1032	{FC9958D1-573F-4703-B55B-812461C32C50}.exe	101
PID 1032 wrote to memory of 4964	1032	{FC9958D1-573F-4703-B55B-812461C32C50}.exe	101
PID 1032 wrote to memory of 4964	1032	{FC9958D1-573F-4703-B55B-812461C32C50}.exe	101
PID 1032 wrote to memory of 1692	1032	{FC9958D1-573F-4703-B55B-812461C32C50}.exe	100
PID 1032 wrote to memory of 1692	1032	{FC9958D1-573F-4703-B55B-812461C32C50}.exe	100
PID 1032 wrote to memory of 1692	1032	{FC9958D1-573F-4703-B55B-812461C32C50}.exe	100
PID 4964 wrote to memory of 1620	4964	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe	103
PID 4964 wrote to memory of 1620	4964	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe	103
PID 4964 wrote to memory of 1620	4964	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe	103
PID 4964 wrote to memory of 4636	4964	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe	102
PID 4964 wrote to memory of 4636	4964	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe	102
PID 4964 wrote to memory of 4636	4964	{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe	102
PID 1620 wrote to memory of 2888	1620	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe	104
PID 1620 wrote to memory of 2888	1620	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe	104
PID 1620 wrote to memory of 2888	1620	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe	104
PID 1620 wrote to memory of 1200	1620	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe	105
PID 1620 wrote to memory of 1200	1620	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe	105
PID 1620 wrote to memory of 1200	1620	{75D48538-5683-4eb5-8248-388844FB4EEF}.exe	105
PID 2888 wrote to memory of 2332	2888	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe	106
PID 2888 wrote to memory of 2332	2888	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe	106
PID 2888 wrote to memory of 2332	2888	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe	106
PID 2888 wrote to memory of 3292	2888	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe	107
PID 2888 wrote to memory of 3292	2888	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe	107
PID 2888 wrote to memory of 3292	2888	{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe	107
PID 2332 wrote to memory of 2944	2332	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe	108
PID 2332 wrote to memory of 2944	2332	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe	108
PID 2332 wrote to memory of 2944	2332	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe	108
PID 2332 wrote to memory of 3788	2332	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe	109
PID 2332 wrote to memory of 3788	2332	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe	109
PID 2332 wrote to memory of 3788	2332	{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe	109
PID 2944 wrote to memory of 4584	2944	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe	110
PID 2944 wrote to memory of 4584	2944	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe	110
PID 2944 wrote to memory of 4584	2944	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe	110
PID 2944 wrote to memory of 2008	2944	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe	111
PID 2944 wrote to memory of 2008	2944	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe	111
PID 2944 wrote to memory of 2008	2944	{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe	111
PID 4584 wrote to memory of 3792	4584	{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe	112
PID 4584 wrote to memory of 3792	4584	{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe	112
PID 4584 wrote to memory of 3792	4584	{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe	112
PID 4584 wrote to memory of 3976	4584	{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe	113

C:\Users\Admin\AppData\Local\Temp\e3d5243019a4b1a8321608b878788895.exe
"C:\Users\Admin\AppData\Local\Temp\e3d5243019a4b1a8321608b878788895.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E3D524~1.EXE > nul
  2⤵
  PID:1372
- C:\Windows\{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe
  C:\Windows\{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{67416~1.EXE > nul
    3⤵
    PID:244
- - C:\Windows\{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe
    C:\Windows\{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5004
  - - C:\Windows\{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe
      C:\Windows\{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74F4D~1.EXE > nul
        5⤵
        
        PID:1060
    - - C:\Windows\{FC9958D1-573F-4703-B55B-812461C32C50}.exe
        
        C:\Windows\{FC9958D1-573F-4703-B55B-812461C32C50}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC995~1.EXE > nul
        6⤵
        
        PID:1692
      - C:\Windows\{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe
        
        C:\Windows\{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7FCB~1.EXE > nul
        7⤵
        
        PID:4636
        
        C:\Windows\{75D48538-5683-4eb5-8248-388844FB4EEF}.exe
        
        C:\Windows\{75D48538-5683-4eb5-8248-388844FB4EEF}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe
        
        C:\Windows\{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe
        
        C:\Windows\{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe
        
        C:\Windows\{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe
        
        C:\Windows\{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\{9DD594A1-AD28-450e-8704-37BB5EF53C1D}.exe
        
        C:\Windows\{9DD594A1-AD28-450e-8704-37BB5EF53C1D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3792
        
        C:\Windows\{87A29FB1-83E5-4208-95DD-8294A36716ED}.exe
        
        C:\Windows\{87A29FB1-83E5-4208-95DD-8294A36716ED}.exe
        13⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DD59~1.EXE > nul
        13⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31D5A~1.EXE > nul
        12⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F74F~1.EXE > nul
        11⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30BD0~1.EXE > nul
        10⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13D66~1.EXE > nul
        9⤵
        
        PID:3292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75D48~1.EXE > nul
        8⤵
        
        PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E2B01~1.EXE > nul
      4⤵
      PID:4044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13D66D77-E8FA-4b24-B832-BF132AC6089A}.exe

Filesize
344KB

MD5
3b25169f2329eaea1d5afc5ab5abd218

SHA1
5cad18a035deb2d604a308cee72464b57c86b1e0

SHA256
37e459bef71dc03398062453d5532577d27c4826d3249cc20ed8588b92b7f76a

SHA512
49313b9dc3f25d635f0be89c027cb5db985b2769b4448cdd1c31376faafd47662c6a3f68f5cb5270a545e3b53e74d41d306c439673dcfabf6ea2fee8ae0ea538

Download Submit
C:\Windows\{30BD05A6-F993-4a90-B08B-7E50FDA29283}.exe

Filesize
344KB

MD5
57762f8c7bc7fec29e7ea6a2ebbe617b

SHA1
c76cb86d3aa189cf306caa7588d4327bf2df4cbb

SHA256
0926ee395fddeb7159ff8563a4c4adc67dc8a48a276926558b4a51a8449523b3

SHA512
a91d55e5c141f5294ee754fa3b1a991ff00963c11a2ba450172220de81f391da9d53aa64bc8c4d1bdec6aeb91e7fbb81d743c776ff0cea53b1fb721115ad3bee

Download Submit
C:\Windows\{31D5AB68-D5C3-496c-9816-DC4D4E41F254}.exe

Filesize
344KB

MD5
f58d54fb67d36b9ce60f0ce450008c1a

SHA1
bfeba72da4e64286be29b6baaf4a0084eee5c80a

SHA256
fbb9c576e97fb3fb63a478e2acb462945823bdbbb1a0d4fe767fa2bd70120d0a

SHA512
5e235eb09e989d1cfa129dcdcb9c73fcc86b45f9b1dba05c8b9ee63557d604c95710aafc679ddaf8d6039162ba5ec8209c55beef9b73679739ba1047dac4ca4c

Download Submit
C:\Windows\{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe

Filesize
92KB

MD5
946645bfb19e98b4772aa67fa04f61da

SHA1
d7c72d7daf4ab53c4b85e3c34ec7c238eb5b4102

SHA256
17735cd5af79d99ec18b93f6aba06c52c9194dd142f2a3b0712d124650692554

SHA512
14bf9f48e480f173de424adbb3025c52c17064c08cd396fffa532a23db8dec40cc88094c7277e9dee9c266b074640a12d3c5f7482b07b5bd66705daef7aedfcb

Download Submit
C:\Windows\{67416B44-C4FE-43a2-853E-3FF49C5CC399}.exe

Filesize
241KB

MD5
fbc0bad6f517cdf588d61ca485ba3fb5

SHA1
8fe25921ae1746b05d115bff174bdb1e882b25f4

SHA256
501caf626eccad29bec354116784ad3fff886b85e7b17f1731575bde2d780e8d

SHA512
fe11ad389f2440b1ac15015b71648223fd61458d6984e0ec6a3dfb14be8b123c5f452cf78558666dd4c48c12c12537733a9f6f0d834d83a7277c77781d2a8e9a

Download Submit
C:\Windows\{74F4D175-665E-4408-875D-E5A4ADC78BC7}.exe

Filesize
344KB

MD5
5958f4327d5d99d6f41e7640f12764f7

SHA1
56f345ccdf2b4cfc3412617f4392505c67822bd5

SHA256
fb0af513d1735a798b657fac4c3ca16fd9723857dcb24ed5bfd7a59a91e14581

SHA512
deea79a50bbd2f336c3917143904208b7ecb93ab4d4c9045acf265e886c0bd97100f5d5244ce9fd2333f80ec0301084b95559193fd829d1562c12ddf7d28329e

Download Submit
C:\Windows\{75D48538-5683-4eb5-8248-388844FB4EEF}.exe

Filesize
344KB

MD5
572acc431535baa0a83c8fc398534be6

SHA1
0791379af2d71c64b403246e6e0b2f664282d2e4

SHA256
5d38c29a3df8e6ee309d3f1f5adfd88e9a0fd8877886daf8bd5276c73d1bfd69

SHA512
df8fce1a32ccb0456f0621c886cd348db10dd623df4318df9012272ab0503483c0de84fda1d8950e39594ae762c361729c767fd1821ccfbb537fb438660a14bc

Download Submit
C:\Windows\{7F74FD1B-92E2-488f-A7DD-39E9D843C21A}.exe

Filesize
344KB

MD5
9158bd46ae5ae8d04c9285bffb1510b5

SHA1
1f21decd8ab94ae40402ea949b80e0fe68baacc1

SHA256
7462285c21f8aede5ee1076e9fbc1463470a50e55369e29d67d01d9278938696

SHA512
3e5e0ef2ce1ee356d35a10b69bd3e3b2721d31ab5f95f238aa89e989acea80b46950af40f30b7868a872d0694ebcf2034d92378f07ef108ef18132882aa84ecd

Download Submit
C:\Windows\{87A29FB1-83E5-4208-95DD-8294A36716ED}.exe

Filesize
344KB

MD5
277d9eb0cc9d0577f6533edd922aa9c6

SHA1
edcc899ecf737d3e43b6f4913b24688066a75c7a

SHA256
efe6577aa9b0459a852b106f1ca47c55506d518df02ef88a65deec9bb2532085

SHA512
fec5741e141308dddcb6fb1ef4b7224fe17c4ce8d2b5805e415c97333781a26b177053032d87f10b26b6e30db93f7ef39b761139c4ab2c667cc57417b9535ee0

Download Submit
C:\Windows\{9DD594A1-AD28-450e-8704-37BB5EF53C1D}.exe

Filesize
344KB

MD5
06bfeccdc54f689c5f08ac2efde8e91f

SHA1
d843f61ad345eaaac0efa9609df1798cdf95aa47

SHA256
c9e4fa53259f8eb1c4354f0fdc4539f7707bc5431107c69031f6a5a6990a452b

SHA512
189fdb2f0818ff56a2ade5deb9d13de867a5d3b049d7d3deb8e3899ed2b09b47c6191322dc0276c911783e52fd2679c67db0b45eeb97883ff590eaf0eca39fa6

Download Submit
C:\Windows\{A7FCB288-DD65-4c92-9D4E-B6402BF1B9AC}.exe

Filesize
344KB

MD5
e35a8e0ce4663c7b6b3531e1069e2948

SHA1
df733296414addb3a87e80be62920949ea08904d

SHA256
f3d12e455ff036bf885f204ccb16c5bbf92baca4bafd291b49d038136b663784

SHA512
a64da59d8a5f827e3e6f63eac2c6f15e583ad3f62d1f8cafa478925441ad199a85f16135bb1aa29e4e4cbb9e2a6b34baa62be04b0223f31b9286083abb389109

Download Submit
C:\Windows\{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe

Filesize
150KB

MD5
e69009d24e2089ec6f245b10379d2872

SHA1
dc83a360aad0819392b4d9a191d302b6ba33cb5c

SHA256
cd35e30fc4fb3cc41552ca6e4b112580cfcb5cc822868aec7d12dec6edb73331

SHA512
bee9e7d896a02f52f21dfc2b50bb229458840571f118432808eb1e688973be853378649f91f171ddcf1d866645147d5b41a4acd51a29712715ba40eccf904f64

Download Submit
C:\Windows\{E2B011BF-EDBC-4db4-BE41-8984E7035E11}.exe

Filesize
159KB

MD5
fe2e068d4605a447703416cacc166fbc

SHA1
9553311c974e9806dd4ddb9c2755bca66cea89df

SHA256
24db28cda1b3b4471d9dcae06e3c0ec4d70234868137c0863e72d79fc6834f3c

SHA512
5ea39e35ad029ac570de34f5915d2e97b715d9bdd1d1ec83a549f088bbc5467a09b196e5dedc66bc78aa2e809219e7e7c06e54736c3fcf30067be57a8fc4c2a1

Download Submit
C:\Windows\{FC9958D1-573F-4703-B55B-812461C32C50}.exe

Filesize
344KB

MD5
9d1ae19c936001c75588ce510dbe5878

SHA1
95689c221cc3a48d93d6ebc6ce212f76466febc9

SHA256
94047878eaf9ec5169e98bf4917ee08449bed7b947c5c7fdebb8d69b3dc5ef90

SHA512
1f29aec9b5f14c3aa911eecf7bdc05bca7e05f9910d14c1f9c9a5f99450916104a070f08747664d64115bd9c325f3fc801dd974174808990734a38ba6a528916

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads