4e6fb84ffad61bf7416a5860dc275c8a427a366408a1f486e439d81f6b0f37b1

Analysis

max time kernel
144s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 10:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6ba5123f5f4bb7exeexeexeex.exe
Size

204KB
MD5

6ba5123f5f4bb7839af7fc23c1b365c4
SHA1

55cfdadc1912a939ef1a6bdf79520264686147ca
SHA256

4e6fb84ffad61bf7416a5860dc275c8a427a366408a1f486e439d81f6b0f37b1
SHA512

72c2ca4e374da8852fbff525be0710adec80d5ed707bcd82800885ad7caf76a61286b6ba14b72d52264899f19ef6fc51d9e3ffe10a00436baa7230a81a9185ff
SSDEEP

1536:1EGh0oGl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oGl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E598760D-D508-40e9-83D3-8EABC8C98B6E}	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8B27775-ECCE-433a-AD3B-E98B084D1534}	6ba5123f5f4bb7exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}\stubpath = "C:\\Windows\\{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe"	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E622A872-6724-48cd-B885-7A2206985627}\stubpath = "C:\\Windows\\{E622A872-6724-48cd-B885-7A2206985627}.exe"	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}\stubpath = "C:\\Windows\\{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe"	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE619809-F746-4496-A643-204E4DC74AF0}	{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}\stubpath = "C:\\Windows\\{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe"	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E598760D-D508-40e9-83D3-8EABC8C98B6E}\stubpath = "C:\\Windows\\{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe"	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE619809-F746-4496-A643-204E4DC74AF0}\stubpath = "C:\\Windows\\{FE619809-F746-4496-A643-204E4DC74AF0}.exe"	{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8B27775-ECCE-433a-AD3B-E98B084D1534}\stubpath = "C:\\Windows\\{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe"	6ba5123f5f4bb7exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA227C87-5830-491c-8CC0-A4377BDB6000}	{CE8DA423-E176-44da-A235-74B93474B695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA227C87-5830-491c-8CC0-A4377BDB6000}\stubpath = "C:\\Windows\\{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe"	{CE8DA423-E176-44da-A235-74B93474B695}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}\stubpath = "C:\\Windows\\{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe"	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E622A872-6724-48cd-B885-7A2206985627}	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B91C1584-F5F3-4804-9671-4E7215252DE6}	{E622A872-6724-48cd-B885-7A2206985627}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B91C1584-F5F3-4804-9671-4E7215252DE6}\stubpath = "C:\\Windows\\{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe"	{E622A872-6724-48cd-B885-7A2206985627}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE8DA423-E176-44da-A235-74B93474B695}	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE8DA423-E176-44da-A235-74B93474B695}\stubpath = "C:\\Windows\\{CE8DA423-E176-44da-A235-74B93474B695}.exe"	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe

Executes dropped EXE 11 IoCs

pid	Process
5028	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe
1176	{CE8DA423-E176-44da-A235-74B93474B695}.exe
1992	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe
3392	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe
3404	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe
4884	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe
3960	{E622A872-6724-48cd-B885-7A2206985627}.exe
4140	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe
3712	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe
5000	{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe
4972	{FE619809-F746-4496-A643-204E4DC74AF0}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe	6ba5123f5f4bb7exeexeexeex.exe
File created	C:\Windows\{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe
File created	C:\Windows\{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe	{E622A872-6724-48cd-B885-7A2206985627}.exe
File created	C:\Windows\{FE619809-F746-4496-A643-204E4DC74AF0}.exe	{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe
File created	C:\Windows\{E622A872-6724-48cd-B885-7A2206985627}.exe	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe
File created	C:\Windows\{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe
File created	C:\Windows\{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe
File created	C:\Windows\{CE8DA423-E176-44da-A235-74B93474B695}.exe	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe
File created	C:\Windows\{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe	{CE8DA423-E176-44da-A235-74B93474B695}.exe
File created	C:\Windows\{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe
File created	C:\Windows\{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1436	6ba5123f5f4bb7exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	5028	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe
Token: SeIncBasePriorityPrivilege	1176	{CE8DA423-E176-44da-A235-74B93474B695}.exe
Token: SeIncBasePriorityPrivilege	1992	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe
Token: SeIncBasePriorityPrivilege	3392	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe
Token: SeIncBasePriorityPrivilege	3404	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe
Token: SeIncBasePriorityPrivilege	4884	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe
Token: SeIncBasePriorityPrivilege	3960	{E622A872-6724-48cd-B885-7A2206985627}.exe
Token: SeIncBasePriorityPrivilege	4140	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe
Token: SeIncBasePriorityPrivilege	3712	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe
Token: SeIncBasePriorityPrivilege	5000	{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 5028	1436	6ba5123f5f4bb7exeexeexeex.exe	87
PID 1436 wrote to memory of 5028	1436	6ba5123f5f4bb7exeexeexeex.exe	87
PID 1436 wrote to memory of 5028	1436	6ba5123f5f4bb7exeexeexeex.exe	87
PID 1436 wrote to memory of 3932	1436	6ba5123f5f4bb7exeexeexeex.exe	88
PID 1436 wrote to memory of 3932	1436	6ba5123f5f4bb7exeexeexeex.exe	88
PID 1436 wrote to memory of 3932	1436	6ba5123f5f4bb7exeexeexeex.exe	88
PID 5028 wrote to memory of 1176	5028	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe	89
PID 5028 wrote to memory of 1176	5028	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe	89
PID 5028 wrote to memory of 1176	5028	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe	89
PID 5028 wrote to memory of 380	5028	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe	90
PID 5028 wrote to memory of 380	5028	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe	90
PID 5028 wrote to memory of 380	5028	{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe	90
PID 1176 wrote to memory of 1992	1176	{CE8DA423-E176-44da-A235-74B93474B695}.exe	94
PID 1176 wrote to memory of 1992	1176	{CE8DA423-E176-44da-A235-74B93474B695}.exe	94
PID 1176 wrote to memory of 1992	1176	{CE8DA423-E176-44da-A235-74B93474B695}.exe	94
PID 1176 wrote to memory of 4048	1176	{CE8DA423-E176-44da-A235-74B93474B695}.exe	95
PID 1176 wrote to memory of 4048	1176	{CE8DA423-E176-44da-A235-74B93474B695}.exe	95
PID 1176 wrote to memory of 4048	1176	{CE8DA423-E176-44da-A235-74B93474B695}.exe	95
PID 1992 wrote to memory of 3392	1992	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe	96
PID 1992 wrote to memory of 3392	1992	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe	96
PID 1992 wrote to memory of 3392	1992	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe	96
PID 1992 wrote to memory of 4948	1992	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe	97
PID 1992 wrote to memory of 4948	1992	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe	97
PID 1992 wrote to memory of 4948	1992	{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe	97
PID 3392 wrote to memory of 3404	3392	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe	98
PID 3392 wrote to memory of 3404	3392	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe	98
PID 3392 wrote to memory of 3404	3392	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe	98
PID 3392 wrote to memory of 4864	3392	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe	99
PID 3392 wrote to memory of 4864	3392	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe	99
PID 3392 wrote to memory of 4864	3392	{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe	99
PID 3404 wrote to memory of 4884	3404	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe	100
PID 3404 wrote to memory of 4884	3404	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe	100
PID 3404 wrote to memory of 4884	3404	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe	100
PID 3404 wrote to memory of 4812	3404	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe	101
PID 3404 wrote to memory of 4812	3404	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe	101
PID 3404 wrote to memory of 4812	3404	{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe	101
PID 4884 wrote to memory of 3960	4884	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe	102
PID 4884 wrote to memory of 3960	4884	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe	102
PID 4884 wrote to memory of 3960	4884	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe	102
PID 4884 wrote to memory of 4052	4884	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe	103
PID 4884 wrote to memory of 4052	4884	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe	103
PID 4884 wrote to memory of 4052	4884	{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe	103
PID 3960 wrote to memory of 4140	3960	{E622A872-6724-48cd-B885-7A2206985627}.exe	105
PID 3960 wrote to memory of 4140	3960	{E622A872-6724-48cd-B885-7A2206985627}.exe	105
PID 3960 wrote to memory of 4140	3960	{E622A872-6724-48cd-B885-7A2206985627}.exe	105
PID 3960 wrote to memory of 5048	3960	{E622A872-6724-48cd-B885-7A2206985627}.exe	104
PID 3960 wrote to memory of 5048	3960	{E622A872-6724-48cd-B885-7A2206985627}.exe	104
PID 3960 wrote to memory of 5048	3960	{E622A872-6724-48cd-B885-7A2206985627}.exe	104
PID 4140 wrote to memory of 3712	4140	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe	106
PID 4140 wrote to memory of 3712	4140	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe	106
PID 4140 wrote to memory of 3712	4140	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe	106
PID 4140 wrote to memory of 4028	4140	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe	107
PID 4140 wrote to memory of 4028	4140	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe	107
PID 4140 wrote to memory of 4028	4140	{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe	107
PID 3712 wrote to memory of 5000	3712	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe	108
PID 3712 wrote to memory of 5000	3712	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe	108
PID 3712 wrote to memory of 5000	3712	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe	108
PID 3712 wrote to memory of 5020	3712	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe	109
PID 3712 wrote to memory of 5020	3712	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe	109
PID 3712 wrote to memory of 5020	3712	{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe	109
PID 5000 wrote to memory of 4972	5000	{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe	110
PID 5000 wrote to memory of 4972	5000	{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe	110
PID 5000 wrote to memory of 4972	5000	{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe	110
PID 5000 wrote to memory of 3112	5000	{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe	111

C:\Users\Admin\AppData\Local\Temp\6ba5123f5f4bb7exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6ba5123f5f4bb7exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe
  C:\Windows\{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5028
- - C:\Windows\{CE8DA423-E176-44da-A235-74B93474B695}.exe
    C:\Windows\{CE8DA423-E176-44da-A235-74B93474B695}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1176
  - - C:\Windows\{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe
      C:\Windows\{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe
        
        C:\Windows\{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3392
      - C:\Windows\{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe
        
        C:\Windows\{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe
        
        C:\Windows\{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\{E622A872-6724-48cd-B885-7A2206985627}.exe
        
        C:\Windows\{E622A872-6724-48cd-B885-7A2206985627}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E622A~1.EXE > nul
        9⤵
        
        PID:5048
        
        C:\Windows\{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe
        
        C:\Windows\{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe
        
        C:\Windows\{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Windows\{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe
        
        C:\Windows\{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\{FE619809-F746-4496-A643-204E4DC74AF0}.exe
        
        C:\Windows\{FE619809-F746-4496-A643-204E4DC74AF0}.exe
        12⤵
        Executes dropped EXE
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7ECDB~1.EXE > nul
        12⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5987~1.EXE > nul
        11⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B91C1~1.EXE > nul
        10⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D26B5~1.EXE > nul
        8⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39BF9~1.EXE > nul
        7⤵
        
        PID:4812
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B15B~1.EXE > nul
        6⤵
        
        PID:4864
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA227~1.EXE > nul
        5⤵
        
        PID:4948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CE8DA~1.EXE > nul
      4⤵
      PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A8B27~1.EXE > nul
    3⤵
    PID:380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6BA512~1.EXE > nul
  2⤵
  PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe

Filesize
204KB

MD5
a8623f5022cb4e4a11075d5044739a6e

SHA1
f4104e598556d083315f84ce1e1a625706c2f488

SHA256
eb91cdca05a3ec65b3ec2dad79bb9af3f726479bb743f284caa624a21aee3633

SHA512
0abb0c57145480b71bf7db47b6dec37ff7c168d66353379c0acd8ec9e1b1bdf5b91b3652f45be35fe2df023525b68e9162cc5f8dea344872276d383ae214b205

Download Submit
C:\Windows\{39BF9EA3-37F8-4e49-BA0E-6B89830F81A9}.exe

Filesize
204KB

MD5
a8623f5022cb4e4a11075d5044739a6e

SHA1
f4104e598556d083315f84ce1e1a625706c2f488

SHA256
eb91cdca05a3ec65b3ec2dad79bb9af3f726479bb743f284caa624a21aee3633

SHA512
0abb0c57145480b71bf7db47b6dec37ff7c168d66353379c0acd8ec9e1b1bdf5b91b3652f45be35fe2df023525b68e9162cc5f8dea344872276d383ae214b205

Download Submit
C:\Windows\{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe

Filesize
204KB

MD5
05f4ec8d39f041fd4617fecb6215c9f3

SHA1
5bd85a79d995613b1ac653c7a5fdb0376be339e2

SHA256
0e0280e669caf91347ff9c6b0c2292ce0dbca5ef55da42e5a5df1922814f7f2c

SHA512
60b63996eb33dc460f3cfbd1a247fccd9e1f25501b25c2bc411a021e197e57815776b6fdc2e2da6a0f6845a95e842462298e2312608bdcc0306fabcd20e4f7ec

Download Submit
C:\Windows\{6B15BB1A-F8A0-44d6-8FBA-0EF83379EE84}.exe

Filesize
204KB

MD5
05f4ec8d39f041fd4617fecb6215c9f3

SHA1
5bd85a79d995613b1ac653c7a5fdb0376be339e2

SHA256
0e0280e669caf91347ff9c6b0c2292ce0dbca5ef55da42e5a5df1922814f7f2c

SHA512
60b63996eb33dc460f3cfbd1a247fccd9e1f25501b25c2bc411a021e197e57815776b6fdc2e2da6a0f6845a95e842462298e2312608bdcc0306fabcd20e4f7ec

Download Submit
C:\Windows\{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe

Filesize
204KB

MD5
4e9dc10a9465c0388af7bcdc109dc2e8

SHA1
f226c48bc8b1f5b4b4092d1da3b20cb3d295c60d

SHA256
c5cddd06cbbac68fd5992a2a2d33e6792c709c8b912d3665e886d8cf8f61f72f

SHA512
b03d19ec63bcabfcbce88722df85e91e6e1856c7a3578e0bfb97595b58b6981d973b6d4664b715f4dd0ae1ff867b07501494daaa640b49a2ee9c8362e0ca7c0e

Download Submit
C:\Windows\{7ECDBA2E-5F7C-4c2e-BB81-869C25804553}.exe

Filesize
204KB

MD5
4e9dc10a9465c0388af7bcdc109dc2e8

SHA1
f226c48bc8b1f5b4b4092d1da3b20cb3d295c60d

SHA256
c5cddd06cbbac68fd5992a2a2d33e6792c709c8b912d3665e886d8cf8f61f72f

SHA512
b03d19ec63bcabfcbce88722df85e91e6e1856c7a3578e0bfb97595b58b6981d973b6d4664b715f4dd0ae1ff867b07501494daaa640b49a2ee9c8362e0ca7c0e

Download Submit
C:\Windows\{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe

Filesize
204KB

MD5
503d9e66e3ff118826e9adffac024dd8

SHA1
64d433596847a59c9e928094517698cda5b6ab59

SHA256
843a957f3594452ce30ac96aaf0bd77f6b1329717a75d2af508fa094f15e5245

SHA512
cf01b4f153990f4af0b4698e0049751152833b86ecda6a79a9acd44a3a7dc8053bae4307777218cb55e775fef8381f24b4f8b83db2c3dd10d810d4e7717a6bf6

Download Submit
C:\Windows\{A8B27775-ECCE-433a-AD3B-E98B084D1534}.exe

Filesize
204KB

MD5
503d9e66e3ff118826e9adffac024dd8

SHA1
64d433596847a59c9e928094517698cda5b6ab59

SHA256
843a957f3594452ce30ac96aaf0bd77f6b1329717a75d2af508fa094f15e5245

SHA512
cf01b4f153990f4af0b4698e0049751152833b86ecda6a79a9acd44a3a7dc8053bae4307777218cb55e775fef8381f24b4f8b83db2c3dd10d810d4e7717a6bf6

Download Submit
C:\Windows\{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe

Filesize
204KB

MD5
2bc3df364f1be168b0378d14886649ae

SHA1
33cfbf9f729c74ba8d4f9eefa98d70017194ec1d

SHA256
8c60ac46e81ade5c8ac58d071da0fe997fad197925570397e49085dd2c01fdec

SHA512
42f4600fe0e3f60a1c5040b871e7004620aed30f6829eb1835879819bfbc8b373efc4f508e395f8066aca8d4e55b3dab259efa34d1656bb43871f9f53552bcb1

Download Submit
C:\Windows\{B91C1584-F5F3-4804-9671-4E7215252DE6}.exe

Filesize
204KB

MD5
2bc3df364f1be168b0378d14886649ae

SHA1
33cfbf9f729c74ba8d4f9eefa98d70017194ec1d

SHA256
8c60ac46e81ade5c8ac58d071da0fe997fad197925570397e49085dd2c01fdec

SHA512
42f4600fe0e3f60a1c5040b871e7004620aed30f6829eb1835879819bfbc8b373efc4f508e395f8066aca8d4e55b3dab259efa34d1656bb43871f9f53552bcb1

Download Submit
C:\Windows\{CE8DA423-E176-44da-A235-74B93474B695}.exe

Filesize
204KB

MD5
07310363274642500507a2377ee4c114

SHA1
7a1ee9384ab99238eb1c6037626ec1d2c1425c12

SHA256
992633945641f869cae1b05f6a4620b290683cc464e3f0de04a149095ebd40e8

SHA512
b8de213fec3d0631f47c6cd9a8339c777b347248ab6117e366e61dee362d4088d5e12a1593156ad9a149294cda5a44cc2d25193c80cd44f519e13022c757684e

Download Submit
C:\Windows\{CE8DA423-E176-44da-A235-74B93474B695}.exe

Filesize
204KB

MD5
07310363274642500507a2377ee4c114

SHA1
7a1ee9384ab99238eb1c6037626ec1d2c1425c12

SHA256
992633945641f869cae1b05f6a4620b290683cc464e3f0de04a149095ebd40e8

SHA512
b8de213fec3d0631f47c6cd9a8339c777b347248ab6117e366e61dee362d4088d5e12a1593156ad9a149294cda5a44cc2d25193c80cd44f519e13022c757684e

Download Submit
C:\Windows\{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe

Filesize
204KB

MD5
2909d0d8ff1a5449084607a4ed44bc7f

SHA1
34181365dd4d8b2ce5978ebbe5df12c7410be1c1

SHA256
866b09bc1d6cfa8e612d37004ad6280d902d98adb15ad82929426f0d33b27666

SHA512
9c521aed225b268664e8c0898017339501163565e613619c52505a564093c7dff13874c5ee63bdb8d74b5e2e39e243c424d7d8c3edfd03d8857c1ee39dca7c4e

Download Submit
C:\Windows\{D26B5E07-1CE0-4d6d-A2C5-9C98A3699A8F}.exe

Filesize
204KB

MD5
2909d0d8ff1a5449084607a4ed44bc7f

SHA1
34181365dd4d8b2ce5978ebbe5df12c7410be1c1

SHA256
866b09bc1d6cfa8e612d37004ad6280d902d98adb15ad82929426f0d33b27666

SHA512
9c521aed225b268664e8c0898017339501163565e613619c52505a564093c7dff13874c5ee63bdb8d74b5e2e39e243c424d7d8c3edfd03d8857c1ee39dca7c4e

Download Submit
C:\Windows\{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe

Filesize
204KB

MD5
04177f195590a5b88222203c82365c4c

SHA1
063c02ff0f49ba5de60ad7165c3b06146b43e606

SHA256
d870dd50babf62f7d237a6ac0260dfd8ca560414828fc6e403f599fe24a25cba

SHA512
3b990964321416ec2158340eb5d7b97447c8a7fa3c8f7a7cc5a8c7ae3c156f3824eed53f6b9d4c3cc3b0a9b4a49365e6a67edee345f776a19382e476caa0c01f

Download Submit
C:\Windows\{E598760D-D508-40e9-83D3-8EABC8C98B6E}.exe

Filesize
204KB

MD5
04177f195590a5b88222203c82365c4c

SHA1
063c02ff0f49ba5de60ad7165c3b06146b43e606

SHA256
d870dd50babf62f7d237a6ac0260dfd8ca560414828fc6e403f599fe24a25cba

SHA512
3b990964321416ec2158340eb5d7b97447c8a7fa3c8f7a7cc5a8c7ae3c156f3824eed53f6b9d4c3cc3b0a9b4a49365e6a67edee345f776a19382e476caa0c01f

Download Submit
C:\Windows\{E622A872-6724-48cd-B885-7A2206985627}.exe

Filesize
204KB

MD5
2ad46b404f3408fc0d75f8f90672c649

SHA1
ba01797054f7bbadce7996f6bcd9493162256463

SHA256
6b02beb863e151690bf6c54ff701fd9704ca7a83840fa0b1a15e2e2b5de91891

SHA512
d48f626cd4850d8b6d0f6c5178cd41b07910d06a311a0245b0dc53995acd3592563629eb2b9b915fccac1a28b9f3b45e2c9dd738f8458b83190d530fc5d6a9f9

Download Submit
C:\Windows\{E622A872-6724-48cd-B885-7A2206985627}.exe

Filesize
204KB

MD5
2ad46b404f3408fc0d75f8f90672c649

SHA1
ba01797054f7bbadce7996f6bcd9493162256463

SHA256
6b02beb863e151690bf6c54ff701fd9704ca7a83840fa0b1a15e2e2b5de91891

SHA512
d48f626cd4850d8b6d0f6c5178cd41b07910d06a311a0245b0dc53995acd3592563629eb2b9b915fccac1a28b9f3b45e2c9dd738f8458b83190d530fc5d6a9f9

Download Submit
C:\Windows\{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe

Filesize
204KB

MD5
446281f5f1874e1e82006919493a42cc

SHA1
43eb059732ff400aecdaa3fdcf5dd9e870618a24

SHA256
b382c9a6ad01cb87c04266e8ceb8ec37c276cd79398c6b698660a85f4c944aa7

SHA512
5a15b6748864c002bb5209d226b3fb3f51c215afa0a9c12f2b9fcac7447582fedae715a2004218059201532971ee8e989ea8bc067c41217c0e20a67bc9ce017f

Download Submit
C:\Windows\{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe

Filesize
204KB

MD5
446281f5f1874e1e82006919493a42cc

SHA1
43eb059732ff400aecdaa3fdcf5dd9e870618a24

SHA256
b382c9a6ad01cb87c04266e8ceb8ec37c276cd79398c6b698660a85f4c944aa7

SHA512
5a15b6748864c002bb5209d226b3fb3f51c215afa0a9c12f2b9fcac7447582fedae715a2004218059201532971ee8e989ea8bc067c41217c0e20a67bc9ce017f

Download Submit
C:\Windows\{FA227C87-5830-491c-8CC0-A4377BDB6000}.exe

Filesize
204KB

MD5
446281f5f1874e1e82006919493a42cc

SHA1
43eb059732ff400aecdaa3fdcf5dd9e870618a24

SHA256
b382c9a6ad01cb87c04266e8ceb8ec37c276cd79398c6b698660a85f4c944aa7

SHA512
5a15b6748864c002bb5209d226b3fb3f51c215afa0a9c12f2b9fcac7447582fedae715a2004218059201532971ee8e989ea8bc067c41217c0e20a67bc9ce017f

Download Submit
C:\Windows\{FE619809-F746-4496-A643-204E4DC74AF0}.exe

Filesize
204KB

MD5
fde5b1357152763e7eb3f0c968545e70

SHA1
3aa6cb4e7029c754f511626fe649d1308a8c9bb7

SHA256
4a4a99c058afcd97262441721f53bee67d48f8fac91b274e37ef2959fc7e6aeb

SHA512
32c64dd96756b0fa2294c6cb5d4cb7de9232f91c765063b60e5866b8a61a2aaa94dc8343699ce68f54d6dac9fea1160dd87fd1f65118ab7d67a3fb5ec2317565

Download Submit
C:\Windows\{FE619809-F746-4496-A643-204E4DC74AF0}.exe

Filesize
204KB

MD5
fde5b1357152763e7eb3f0c968545e70

SHA1
3aa6cb4e7029c754f511626fe649d1308a8c9bb7

SHA256
4a4a99c058afcd97262441721f53bee67d48f8fac91b274e37ef2959fc7e6aeb

SHA512
32c64dd96756b0fa2294c6cb5d4cb7de9232f91c765063b60e5866b8a61a2aaa94dc8343699ce68f54d6dac9fea1160dd87fd1f65118ab7d67a3fb5ec2317565

Download Submit