95856e8477de5ee110c7175fa00f6212a5e38775aa22addaf6ce04326e81f5f1

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
07/07/2023, 12:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a4ffd20fef576exeexeexeex.exe
Size

204KB
MD5

4a4ffd20fef576424462f6d7d75640b9
SHA1

b18beec40b1af5f5021bf64913012f9321a1429e
SHA256

95856e8477de5ee110c7175fa00f6212a5e38775aa22addaf6ce04326e81f5f1
SHA512

945ae821dd656d3fc7613cc21d385a6567f4a7add9b2eb759f58005cbbc14f2585fe464f0f653350d81865db4f57e00ec6db99bb41508a0d365f3ce76ccf687c
SSDEEP

1536:1EGh0ocl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ocl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5B84986-51DF-48e0-A85A-D7881D52FFA9}	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5B84986-51DF-48e0-A85A-D7881D52FFA9}\stubpath = "C:\\Windows\\{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe"	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76E7781C-0ED3-4705-909D-1B59532A2744}	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{617EC4D3-E819-489c-B677-0C2846F0401C}\stubpath = "C:\\Windows\\{617EC4D3-E819-489c-B677-0C2846F0401C}.exe"	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B683216F-FA8E-4120-B5EB-AEF93234B5EE}\stubpath = "C:\\Windows\\{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe"	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{248D8344-1DD3-435c-A22F-A90FC494D314}\stubpath = "C:\\Windows\\{248D8344-1DD3-435c-A22F-A90FC494D314}.exe"	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5F00306-CC23-43da-A9E5-27439945F534}	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76E7781C-0ED3-4705-909D-1B59532A2744}\stubpath = "C:\\Windows\\{76E7781C-0ED3-4705-909D-1B59532A2744}.exe"	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE266EDB-5310-40a2-9300-3CCB547DED5E}\stubpath = "C:\\Windows\\{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe"	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{248D8344-1DD3-435c-A22F-A90FC494D314}	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5F00306-CC23-43da-A9E5-27439945F534}\stubpath = "C:\\Windows\\{B5F00306-CC23-43da-A9E5-27439945F534}.exe"	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B61BF8B-5A0C-4045-88D5-0400D5975548}	{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}\stubpath = "C:\\Windows\\{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe"	4a4ffd20fef576exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE266EDB-5310-40a2-9300-3CCB547DED5E}	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}	{B5F00306-CC23-43da-A9E5-27439945F534}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}\stubpath = "C:\\Windows\\{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe"	{B5F00306-CC23-43da-A9E5-27439945F534}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}\stubpath = "C:\\Windows\\{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe"	{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}	4a4ffd20fef576exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}\stubpath = "C:\\Windows\\{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe"	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{617EC4D3-E819-489c-B677-0C2846F0401C}	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B683216F-FA8E-4120-B5EB-AEF93234B5EE}	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}	{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7B61BF8B-5A0C-4045-88D5-0400D5975548}\stubpath = "C:\\Windows\\{7B61BF8B-5A0C-4045-88D5-0400D5975548}.exe"	{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe

Executes dropped EXE 12 IoCs

pid	Process
5072	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe
32	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe
3928	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe
4604	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe
4112	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe
3676	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe
5016	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe
4048	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe
1812	{B5F00306-CC23-43da-A9E5-27439945F534}.exe
560	{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe
3924	{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe
1116	{7B61BF8B-5A0C-4045-88D5-0400D5975548}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{248D8344-1DD3-435c-A22F-A90FC494D314}.exe	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe
File created	C:\Windows\{7B61BF8B-5A0C-4045-88D5-0400D5975548}.exe	{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe
File created	C:\Windows\{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe	4a4ffd20fef576exeexeexeex.exe
File created	C:\Windows\{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe
File created	C:\Windows\{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe
File created	C:\Windows\{76E7781C-0ED3-4705-909D-1B59532A2744}.exe	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe
File created	C:\Windows\{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe
File created	C:\Windows\{617EC4D3-E819-489c-B677-0C2846F0401C}.exe	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe
File created	C:\Windows\{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe
File created	C:\Windows\{B5F00306-CC23-43da-A9E5-27439945F534}.exe	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe
File created	C:\Windows\{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe	{B5F00306-CC23-43da-A9E5-27439945F534}.exe
File created	C:\Windows\{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe	{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5064	4a4ffd20fef576exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	5072	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe
Token: SeIncBasePriorityPrivilege	32	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe
Token: SeIncBasePriorityPrivilege	3928	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe
Token: SeIncBasePriorityPrivilege	4604	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe
Token: SeIncBasePriorityPrivilege	4112	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe
Token: SeIncBasePriorityPrivilege	3676	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe
Token: SeIncBasePriorityPrivilege	5016	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe
Token: SeIncBasePriorityPrivilege	4048	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe
Token: SeIncBasePriorityPrivilege	1812	{B5F00306-CC23-43da-A9E5-27439945F534}.exe
Token: SeIncBasePriorityPrivilege	560	{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe
Token: SeIncBasePriorityPrivilege	3924	{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5064 wrote to memory of 5072	5064	4a4ffd20fef576exeexeexeex.exe	84
PID 5064 wrote to memory of 5072	5064	4a4ffd20fef576exeexeexeex.exe	84
PID 5064 wrote to memory of 5072	5064	4a4ffd20fef576exeexeexeex.exe	84
PID 5064 wrote to memory of 4444	5064	4a4ffd20fef576exeexeexeex.exe	85
PID 5064 wrote to memory of 4444	5064	4a4ffd20fef576exeexeexeex.exe	85
PID 5064 wrote to memory of 4444	5064	4a4ffd20fef576exeexeexeex.exe	85
PID 5072 wrote to memory of 32	5072	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe	86
PID 5072 wrote to memory of 32	5072	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe	86
PID 5072 wrote to memory of 32	5072	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe	86
PID 5072 wrote to memory of 2404	5072	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe	87
PID 5072 wrote to memory of 2404	5072	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe	87
PID 5072 wrote to memory of 2404	5072	{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe	87
PID 32 wrote to memory of 3928	32	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe	92
PID 32 wrote to memory of 3928	32	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe	92
PID 32 wrote to memory of 3928	32	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe	92
PID 32 wrote to memory of 4576	32	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe	91
PID 32 wrote to memory of 4576	32	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe	91
PID 32 wrote to memory of 4576	32	{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe	91
PID 3928 wrote to memory of 4604	3928	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe	93
PID 3928 wrote to memory of 4604	3928	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe	93
PID 3928 wrote to memory of 4604	3928	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe	93
PID 3928 wrote to memory of 4756	3928	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe	94
PID 3928 wrote to memory of 4756	3928	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe	94
PID 3928 wrote to memory of 4756	3928	{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe	94
PID 4604 wrote to memory of 4112	4604	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe	95
PID 4604 wrote to memory of 4112	4604	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe	95
PID 4604 wrote to memory of 4112	4604	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe	95
PID 4604 wrote to memory of 3516	4604	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe	96
PID 4604 wrote to memory of 3516	4604	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe	96
PID 4604 wrote to memory of 3516	4604	{76E7781C-0ED3-4705-909D-1B59532A2744}.exe	96
PID 4112 wrote to memory of 3676	4112	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe	97
PID 4112 wrote to memory of 3676	4112	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe	97
PID 4112 wrote to memory of 3676	4112	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe	97
PID 4112 wrote to memory of 3264	4112	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe	98
PID 4112 wrote to memory of 3264	4112	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe	98
PID 4112 wrote to memory of 3264	4112	{617EC4D3-E819-489c-B677-0C2846F0401C}.exe	98
PID 3676 wrote to memory of 5016	3676	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe	99
PID 3676 wrote to memory of 5016	3676	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe	99
PID 3676 wrote to memory of 5016	3676	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe	99
PID 3676 wrote to memory of 1128	3676	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe	100
PID 3676 wrote to memory of 1128	3676	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe	100
PID 3676 wrote to memory of 1128	3676	{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe	100
PID 5016 wrote to memory of 4048	5016	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe	101
PID 5016 wrote to memory of 4048	5016	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe	101
PID 5016 wrote to memory of 4048	5016	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe	101
PID 5016 wrote to memory of 4892	5016	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe	102
PID 5016 wrote to memory of 4892	5016	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe	102
PID 5016 wrote to memory of 4892	5016	{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe	102
PID 4048 wrote to memory of 1812	4048	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe	103
PID 4048 wrote to memory of 1812	4048	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe	103
PID 4048 wrote to memory of 1812	4048	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe	103
PID 4048 wrote to memory of 1776	4048	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe	104
PID 4048 wrote to memory of 1776	4048	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe	104
PID 4048 wrote to memory of 1776	4048	{248D8344-1DD3-435c-A22F-A90FC494D314}.exe	104
PID 1812 wrote to memory of 560	1812	{B5F00306-CC23-43da-A9E5-27439945F534}.exe	105
PID 1812 wrote to memory of 560	1812	{B5F00306-CC23-43da-A9E5-27439945F534}.exe	105
PID 1812 wrote to memory of 560	1812	{B5F00306-CC23-43da-A9E5-27439945F534}.exe	105
PID 1812 wrote to memory of 3780	1812	{B5F00306-CC23-43da-A9E5-27439945F534}.exe	106
PID 1812 wrote to memory of 3780	1812	{B5F00306-CC23-43da-A9E5-27439945F534}.exe	106
PID 1812 wrote to memory of 3780	1812	{B5F00306-CC23-43da-A9E5-27439945F534}.exe	106
PID 560 wrote to memory of 3924	560	{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe	107
PID 560 wrote to memory of 3924	560	{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe	107
PID 560 wrote to memory of 3924	560	{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe	107
PID 560 wrote to memory of 3168	560	{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe	108

C:\Users\Admin\AppData\Local\Temp\4a4ffd20fef576exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\4a4ffd20fef576exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5064
- C:\Windows\{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe
  C:\Windows\{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Windows\{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe
    C:\Windows\{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:32
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CA7B9~1.EXE > nul
      4⤵
      PID:4576
  - - C:\Windows\{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe
      C:\Windows\{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3928
    - - C:\Windows\{76E7781C-0ED3-4705-909D-1B59532A2744}.exe
        
        C:\Windows\{76E7781C-0ED3-4705-909D-1B59532A2744}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
      - C:\Windows\{617EC4D3-E819-489c-B677-0C2846F0401C}.exe
        
        C:\Windows\{617EC4D3-E819-489c-B677-0C2846F0401C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4112
        
        C:\Windows\{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe
        
        C:\Windows\{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3676
        
        C:\Windows\{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe
        
        C:\Windows\{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\{248D8344-1DD3-435c-A22F-A90FC494D314}.exe
        
        C:\Windows\{248D8344-1DD3-435c-A22F-A90FC494D314}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\{B5F00306-CC23-43da-A9E5-27439945F534}.exe
        
        C:\Windows\{B5F00306-CC23-43da-A9E5-27439945F534}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe
        
        C:\Windows\{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe
        
        C:\Windows\{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3924
        
        C:\Windows\{7B61BF8B-5A0C-4045-88D5-0400D5975548}.exe
        
        C:\Windows\{7B61BF8B-5A0C-4045-88D5-0400D5975548}.exe
        13⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDBA6~1.EXE > nul
        13⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDD35~1.EXE > nul
        12⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5F00~1.EXE > nul
        11⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{248D8~1.EXE > nul
        10⤵
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE266~1.EXE > nul
        9⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6832~1.EXE > nul
        8⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{617EC~1.EXE > nul
        7⤵
        
        PID:3264
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76E77~1.EXE > nul
        6⤵
        
        PID:3516
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5B84~1.EXE > nul
        5⤵
        
        PID:4756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{026D8~1.EXE > nul
    3⤵
    PID:2404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4A4FFD~1.EXE > nul
  2⤵
  PID:4444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe

Filesize
204KB

MD5
6bf2a3ab07ed539622562f7a4d078526

SHA1
da196b914ebe4ffd0ebc382bfdb47bc516e524d6

SHA256
1eb7a0ba64bf279f0eb291b4584e67345a22303addeb61c35212ed522a59768c

SHA512
3a82f9838f3dc552f02c230de47b2b26698fe72f700ea57449383c336d43af72bd235fc868afd3e713a9059468dc9ac8374bc20ad7e5b7aecf1fe4cd4da0b309

Download Submit
C:\Windows\{026D8017-6ED3-4b1a-9CCD-EEA82BE6E0CB}.exe

Filesize
204KB

MD5
6bf2a3ab07ed539622562f7a4d078526

SHA1
da196b914ebe4ffd0ebc382bfdb47bc516e524d6

SHA256
1eb7a0ba64bf279f0eb291b4584e67345a22303addeb61c35212ed522a59768c

SHA512
3a82f9838f3dc552f02c230de47b2b26698fe72f700ea57449383c336d43af72bd235fc868afd3e713a9059468dc9ac8374bc20ad7e5b7aecf1fe4cd4da0b309

Download Submit
C:\Windows\{248D8344-1DD3-435c-A22F-A90FC494D314}.exe

Filesize
204KB

MD5
325fe10778212db268039978faf97b81

SHA1
ca970a5c51d24be9ad3105864f0b076ce7e2c8e5

SHA256
d9fc0403953b609eaa921dffa59ec2076c110c99f188cdf35ab408f1f7e9b614

SHA512
ff5ed4981a0e5f56efcb03d097b323789ffc91061557f2873e7a0673ad7dbd281c868e5c8a06cde87316185c3cc7fe64db76dbb4c71f894d79c09374b39e61f4

Download Submit
C:\Windows\{248D8344-1DD3-435c-A22F-A90FC494D314}.exe

Filesize
204KB

MD5
325fe10778212db268039978faf97b81

SHA1
ca970a5c51d24be9ad3105864f0b076ce7e2c8e5

SHA256
d9fc0403953b609eaa921dffa59ec2076c110c99f188cdf35ab408f1f7e9b614

SHA512
ff5ed4981a0e5f56efcb03d097b323789ffc91061557f2873e7a0673ad7dbd281c868e5c8a06cde87316185c3cc7fe64db76dbb4c71f894d79c09374b39e61f4

Download Submit
C:\Windows\{617EC4D3-E819-489c-B677-0C2846F0401C}.exe

Filesize
204KB

MD5
7e0382045fb0c423714284384484fd70

SHA1
e4d74ff88c4bba42d02a220589809fa8ec287f13

SHA256
dadf57939ebf916345fc3e36b3fe564fbfbea2b1a2d77341cebffde3e90a4b02

SHA512
94d971314e699bb3679c26006ce8ef741ea282656a669d1d66b606597073b7f577e2190429b32cc4da2eb96cf2d694177936d06feb96bb9af77f523276586323

Download Submit
C:\Windows\{617EC4D3-E819-489c-B677-0C2846F0401C}.exe

Filesize
204KB

MD5
7e0382045fb0c423714284384484fd70

SHA1
e4d74ff88c4bba42d02a220589809fa8ec287f13

SHA256
dadf57939ebf916345fc3e36b3fe564fbfbea2b1a2d77341cebffde3e90a4b02

SHA512
94d971314e699bb3679c26006ce8ef741ea282656a669d1d66b606597073b7f577e2190429b32cc4da2eb96cf2d694177936d06feb96bb9af77f523276586323

Download Submit
C:\Windows\{76E7781C-0ED3-4705-909D-1B59532A2744}.exe

Filesize
204KB

MD5
f2da3b1783dda68a0454153bfbe8f9e7

SHA1
82c290adc61b2c8a1c6d54f68c6e8e59c518fb7a

SHA256
6da28e93a81432d012e2e49eeee2997b5e3d3247ddb46c42630376aa64047c6f

SHA512
2c7502c47e8fefea1b1f3e7edb1a02406c089d8ef14524844237d107edfbf85820f08a7d039d9be146e3d01a929658ebc7d85ae7fdf37467d111e4d9eeb787c5

Download Submit
C:\Windows\{76E7781C-0ED3-4705-909D-1B59532A2744}.exe

Filesize
204KB

MD5
f2da3b1783dda68a0454153bfbe8f9e7

SHA1
82c290adc61b2c8a1c6d54f68c6e8e59c518fb7a

SHA256
6da28e93a81432d012e2e49eeee2997b5e3d3247ddb46c42630376aa64047c6f

SHA512
2c7502c47e8fefea1b1f3e7edb1a02406c089d8ef14524844237d107edfbf85820f08a7d039d9be146e3d01a929658ebc7d85ae7fdf37467d111e4d9eeb787c5

Download Submit
C:\Windows\{7B61BF8B-5A0C-4045-88D5-0400D5975548}.exe

Filesize
204KB

MD5
cf4a82b898bc2604626fde0784a38589

SHA1
50ce5de2326aff41ba2f6a0e30e3641d007d88d5

SHA256
d0e9a3dbaa93e1ee46e31decc89076c19eaecc2e4dbee47dd946dd1888dff31b

SHA512
2a6af25a482722434fa26b4382c230320b8cff9eb0f9a9e1bea6cdd7fcd087eef1c5fafe1dbe4cf3bb2efb565de79e18fba5a8b9af02a28db70a97735981375f

Download Submit
C:\Windows\{7B61BF8B-5A0C-4045-88D5-0400D5975548}.exe

Filesize
204KB

MD5
cf4a82b898bc2604626fde0784a38589

SHA1
50ce5de2326aff41ba2f6a0e30e3641d007d88d5

SHA256
d0e9a3dbaa93e1ee46e31decc89076c19eaecc2e4dbee47dd946dd1888dff31b

SHA512
2a6af25a482722434fa26b4382c230320b8cff9eb0f9a9e1bea6cdd7fcd087eef1c5fafe1dbe4cf3bb2efb565de79e18fba5a8b9af02a28db70a97735981375f

Download Submit
C:\Windows\{B5F00306-CC23-43da-A9E5-27439945F534}.exe

Filesize
204KB

MD5
d74303b7249cd0b35d5fb0840e8a0d4f

SHA1
86490188ee5d55d43ce7821a48c76e99c21446bf

SHA256
aedf0cb228cb8b47427b428c2c5f8b9202f2ed11de0cee5db3f5a8d74ee5cfe5

SHA512
794d780e8e7f6acbfeec631fdf96c561cc1d63b4d4e84840b70e6b9aa82c3dd01838d5e12a88d7f588c9516377fb0820f628c1a7e2374fc242f2a45614c6d9f9

Download Submit
C:\Windows\{B5F00306-CC23-43da-A9E5-27439945F534}.exe

Filesize
204KB

MD5
d74303b7249cd0b35d5fb0840e8a0d4f

SHA1
86490188ee5d55d43ce7821a48c76e99c21446bf

SHA256
aedf0cb228cb8b47427b428c2c5f8b9202f2ed11de0cee5db3f5a8d74ee5cfe5

SHA512
794d780e8e7f6acbfeec631fdf96c561cc1d63b4d4e84840b70e6b9aa82c3dd01838d5e12a88d7f588c9516377fb0820f628c1a7e2374fc242f2a45614c6d9f9

Download Submit
C:\Windows\{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe

Filesize
204KB

MD5
8100dc8e1fca9a52ecfc54f772a52e4a

SHA1
e164148c0ffc9af8e5a22ecda1699b7400d26eff

SHA256
3024668ea6b8606c745eed21c25e604a61157fba680f451bcdf01317a7cc745b

SHA512
2163380eb21fc618274594f3f4e78afdd363ca4026782725ec5e1df3c8412972c389924f06ffa40de6307cc6e2bb7b4f9e7aaa219581db924da0d393bfbc9411

Download Submit
C:\Windows\{B683216F-FA8E-4120-B5EB-AEF93234B5EE}.exe

Filesize
204KB

MD5
8100dc8e1fca9a52ecfc54f772a52e4a

SHA1
e164148c0ffc9af8e5a22ecda1699b7400d26eff

SHA256
3024668ea6b8606c745eed21c25e604a61157fba680f451bcdf01317a7cc745b

SHA512
2163380eb21fc618274594f3f4e78afdd363ca4026782725ec5e1df3c8412972c389924f06ffa40de6307cc6e2bb7b4f9e7aaa219581db924da0d393bfbc9411

Download Submit
C:\Windows\{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe

Filesize
204KB

MD5
8cc33425b28c8d1f4f30c90d715d51dc

SHA1
617e3a9a906753524986c5d64147fc345b5dea84

SHA256
ddb088fed677a8f16f3962492b494637dd7e135cb9cd0e072ad357968413a2e4

SHA512
3c01f73868a1e7320293bb0ec97e4348054218cbf57a35f95b0568efe3552989297d7f69ac1d07751a0d1f1a19a781df851a02ca4c06c7e5c8eb4bb8f3938327

Download Submit
C:\Windows\{BDBA6747-C45D-4db3-B079-4A2BA3CC46BE}.exe

Filesize
204KB

MD5
8cc33425b28c8d1f4f30c90d715d51dc

SHA1
617e3a9a906753524986c5d64147fc345b5dea84

SHA256
ddb088fed677a8f16f3962492b494637dd7e135cb9cd0e072ad357968413a2e4

SHA512
3c01f73868a1e7320293bb0ec97e4348054218cbf57a35f95b0568efe3552989297d7f69ac1d07751a0d1f1a19a781df851a02ca4c06c7e5c8eb4bb8f3938327

Download Submit
C:\Windows\{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe

Filesize
204KB

MD5
ad5b43d88391c2081f98ac3c4cb836f8

SHA1
8db2cbc1565541a083d1dd44a0b05d3a19c3eff4

SHA256
9db07ba6df3f23133f75eae037cbf71071f6c858ce34b5a80ea4cc8220b3f4cc

SHA512
bae656d976ad35521a61ad8c898e2d48f93359514b9885071418f7de66d949677123e1e49fc149fae8e2ba9f3e379e3477bf4ff87a3723a612a04a7fa03efe4d

Download Submit
C:\Windows\{CA7B95A5-4718-40d9-96F5-5D82239B4FE9}.exe

Filesize
204KB

MD5
ad5b43d88391c2081f98ac3c4cb836f8

SHA1
8db2cbc1565541a083d1dd44a0b05d3a19c3eff4

SHA256
9db07ba6df3f23133f75eae037cbf71071f6c858ce34b5a80ea4cc8220b3f4cc

SHA512
bae656d976ad35521a61ad8c898e2d48f93359514b9885071418f7de66d949677123e1e49fc149fae8e2ba9f3e379e3477bf4ff87a3723a612a04a7fa03efe4d

Download Submit
C:\Windows\{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe

Filesize
204KB

MD5
b625d57e84d587a0e4387c5598ef2c63

SHA1
8579aa352f7db0c6f96090838342bf51ce67e7b2

SHA256
70d9e1814a9cb5b8914220c556e60b7530f4b93fb9c5b5a3bcde69a12709ab73

SHA512
cfdd0951f9cb80411f26fee8c5c3c005404662102cce0bd3632344458b6c585e47b18902c609f14bccde88afb96e524c8fad6c42a06b3ef452f501ab1d75ec8d

Download Submit
C:\Windows\{CDD35445-D4B1-4d09-8E28-ABCD8298B0A6}.exe

Filesize
204KB

MD5
b625d57e84d587a0e4387c5598ef2c63

SHA1
8579aa352f7db0c6f96090838342bf51ce67e7b2

SHA256
70d9e1814a9cb5b8914220c556e60b7530f4b93fb9c5b5a3bcde69a12709ab73

SHA512
cfdd0951f9cb80411f26fee8c5c3c005404662102cce0bd3632344458b6c585e47b18902c609f14bccde88afb96e524c8fad6c42a06b3ef452f501ab1d75ec8d

Download Submit
C:\Windows\{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe

Filesize
204KB

MD5
f5caedc1e3cbcef3b76fcbe9183ab254

SHA1
9978f1922a49c7dec9b456cbaa36bbf820b7f3b3

SHA256
06bd29c981be5b27bbfb36de04d308ce3486ec23cbc6cf7d9262e142c1a8f613

SHA512
ea6c0e68e2ffa969e637f60e695e9745792610553b83adbf228217c09c471e186e4c317311ce9cb0e8c70678d8232601984c1152fbc298b63f65b7e714afb0aa

Download Submit
C:\Windows\{DE266EDB-5310-40a2-9300-3CCB547DED5E}.exe

Filesize
204KB

MD5
f5caedc1e3cbcef3b76fcbe9183ab254

SHA1
9978f1922a49c7dec9b456cbaa36bbf820b7f3b3

SHA256
06bd29c981be5b27bbfb36de04d308ce3486ec23cbc6cf7d9262e142c1a8f613

SHA512
ea6c0e68e2ffa969e637f60e695e9745792610553b83adbf228217c09c471e186e4c317311ce9cb0e8c70678d8232601984c1152fbc298b63f65b7e714afb0aa

Download Submit
C:\Windows\{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe

Filesize
204KB

MD5
30f6071b4a59986a496c717bf022957d

SHA1
4e7175dabd958cd7c6f4f0e3d8f20bba78cf7e57

SHA256
249b94f01c7132cea08d195b3886751ec734e3e6c9c2f0c5a0b8a41d2a1f142a

SHA512
2fba55e1e9693f41ecc8a4e93d618b9a7d1dedf6b9c71e5483caafc6d42d973e268b0257a4a901e0917009af2fe103759adb0ab1ee5190e56b9cd9e60f8fab76

Download Submit
C:\Windows\{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe

Filesize
204KB

MD5
30f6071b4a59986a496c717bf022957d

SHA1
4e7175dabd958cd7c6f4f0e3d8f20bba78cf7e57

SHA256
249b94f01c7132cea08d195b3886751ec734e3e6c9c2f0c5a0b8a41d2a1f142a

SHA512
2fba55e1e9693f41ecc8a4e93d618b9a7d1dedf6b9c71e5483caafc6d42d973e268b0257a4a901e0917009af2fe103759adb0ab1ee5190e56b9cd9e60f8fab76

Download Submit
C:\Windows\{E5B84986-51DF-48e0-A85A-D7881D52FFA9}.exe

Filesize
204KB

MD5
30f6071b4a59986a496c717bf022957d

SHA1
4e7175dabd958cd7c6f4f0e3d8f20bba78cf7e57

SHA256
249b94f01c7132cea08d195b3886751ec734e3e6c9c2f0c5a0b8a41d2a1f142a

SHA512
2fba55e1e9693f41ecc8a4e93d618b9a7d1dedf6b9c71e5483caafc6d42d973e268b0257a4a901e0917009af2fe103759adb0ab1ee5190e56b9cd9e60f8fab76

Download Submit