174076edf4bdd126e2a8903466aecdacdfbfd2d66f24c718b20ff110cf2cb4b8

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a0b5ada268f1bexeexeexeex.exe
Size

216KB
MD5

6a0b5ada268f1baf18040233896bfcce
SHA1

0f624d8cc420fc58aa8715fb9632199383c4ea5f
SHA256

174076edf4bdd126e2a8903466aecdacdfbfd2d66f24c718b20ff110cf2cb4b8
SHA512

d6791fa36692e71754c45d88b6df0392145a00fb2e0a6417f206dc0554f77eec784760d89cfa96a5b86351ad14ed4ba0a152ea2168a0bb63a1da12490330dda4
SSDEEP

3072:jEGh0oPl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGJlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}\stubpath = "C:\\Windows\\{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe"	6a0b5ada268f1bexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B3420CF-E85C-42ce-9A13-11C8D661397B}	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6362EF9B-082C-4c03-82EE-9B9C41E9355C}	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABA38D3C-2799-46f0-A381-547855861AA4}\stubpath = "C:\\Windows\\{ABA38D3C-2799-46f0-A381-547855861AA4}.exe"	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B968D26-00D7-493a-BD6B-8CC54C397673}	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D702895-5431-4ebb-9F45-E7E37F023189}\stubpath = "C:\\Windows\\{6D702895-5431-4ebb-9F45-E7E37F023189}.exe"	{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53F4073E-3E19-41bd-A15F-65FBB933B762}	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}\stubpath = "C:\\Windows\\{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe"	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6362EF9B-082C-4c03-82EE-9B9C41E9355C}\stubpath = "C:\\Windows\\{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe"	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B968D26-00D7-493a-BD6B-8CC54C397673}\stubpath = "C:\\Windows\\{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe"	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53F4073E-3E19-41bd-A15F-65FBB933B762}\stubpath = "C:\\Windows\\{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe"	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B3420CF-E85C-42ce-9A13-11C8D661397B}\stubpath = "C:\\Windows\\{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe"	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A857B1F8-606D-4a76-8499-B98CE2F5476E}	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}	6a0b5ada268f1bexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}\stubpath = "C:\\Windows\\{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe"	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A857B1F8-606D-4a76-8499-B98CE2F5476E}\stubpath = "C:\\Windows\\{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe"	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABA38D3C-2799-46f0-A381-547855861AA4}	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD6A0338-41DE-4f76-A4CF-92CE561AD512}	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD6A0338-41DE-4f76-A4CF-92CE561AD512}\stubpath = "C:\\Windows\\{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe"	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{453525CC-AC9F-46f5-966B-0CFA8796D345}	{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{453525CC-AC9F-46f5-966B-0CFA8796D345}\stubpath = "C:\\Windows\\{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe"	{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D702895-5431-4ebb-9F45-E7E37F023189}	{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe

Executes dropped EXE 12 IoCs

pid	Process
3884	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe
4352	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe
2564	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe
3308	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe
3632	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe
2504	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe
5116	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe
3104	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe
3580	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe
3224	{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe
2804	{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe
4532	{6D702895-5431-4ebb-9F45-E7E37F023189}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6D702895-5431-4ebb-9F45-E7E37F023189}.exe	{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe
File created	C:\Windows\{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe	6a0b5ada268f1bexeexeexeex.exe
File created	C:\Windows\{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe
File created	C:\Windows\{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe
File created	C:\Windows\{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe
File created	C:\Windows\{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe
File created	C:\Windows\{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe
File created	C:\Windows\{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe	{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe
File created	C:\Windows\{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe
File created	C:\Windows\{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe
File created	C:\Windows\{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe
File created	C:\Windows\{ABA38D3C-2799-46f0-A381-547855861AA4}.exe	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4608	6a0b5ada268f1bexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3884	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe
Token: SeIncBasePriorityPrivilege	4352	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe
Token: SeIncBasePriorityPrivilege	2564	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe
Token: SeIncBasePriorityPrivilege	3308	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe
Token: SeIncBasePriorityPrivilege	3632	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe
Token: SeIncBasePriorityPrivilege	2504	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe
Token: SeIncBasePriorityPrivilege	5116	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe
Token: SeIncBasePriorityPrivilege	3104	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe
Token: SeIncBasePriorityPrivilege	3580	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe
Token: SeIncBasePriorityPrivilege	3224	{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe
Token: SeIncBasePriorityPrivilege	2804	{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 3884	4608	6a0b5ada268f1bexeexeexeex.exe	84
PID 4608 wrote to memory of 3884	4608	6a0b5ada268f1bexeexeexeex.exe	84
PID 4608 wrote to memory of 3884	4608	6a0b5ada268f1bexeexeexeex.exe	84
PID 4608 wrote to memory of 4748	4608	6a0b5ada268f1bexeexeexeex.exe	85
PID 4608 wrote to memory of 4748	4608	6a0b5ada268f1bexeexeexeex.exe	85
PID 4608 wrote to memory of 4748	4608	6a0b5ada268f1bexeexeexeex.exe	85
PID 3884 wrote to memory of 4352	3884	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe	86
PID 3884 wrote to memory of 4352	3884	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe	86
PID 3884 wrote to memory of 4352	3884	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe	86
PID 3884 wrote to memory of 4968	3884	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe	87
PID 3884 wrote to memory of 4968	3884	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe	87
PID 3884 wrote to memory of 4968	3884	{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe	87
PID 4352 wrote to memory of 2564	4352	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe	91
PID 4352 wrote to memory of 2564	4352	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe	91
PID 4352 wrote to memory of 2564	4352	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe	91
PID 4352 wrote to memory of 3872	4352	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe	92
PID 4352 wrote to memory of 3872	4352	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe	92
PID 4352 wrote to memory of 3872	4352	{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe	92
PID 2564 wrote to memory of 3308	2564	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe	93
PID 2564 wrote to memory of 3308	2564	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe	93
PID 2564 wrote to memory of 3308	2564	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe	93
PID 2564 wrote to memory of 4288	2564	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe	94
PID 2564 wrote to memory of 4288	2564	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe	94
PID 2564 wrote to memory of 4288	2564	{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe	94
PID 3308 wrote to memory of 3632	3308	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe	95
PID 3308 wrote to memory of 3632	3308	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe	95
PID 3308 wrote to memory of 3632	3308	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe	95
PID 3308 wrote to memory of 3340	3308	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe	96
PID 3308 wrote to memory of 3340	3308	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe	96
PID 3308 wrote to memory of 3340	3308	{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe	96
PID 3632 wrote to memory of 2504	3632	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe	97
PID 3632 wrote to memory of 2504	3632	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe	97
PID 3632 wrote to memory of 2504	3632	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe	97
PID 3632 wrote to memory of 3984	3632	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe	98
PID 3632 wrote to memory of 3984	3632	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe	98
PID 3632 wrote to memory of 3984	3632	{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe	98
PID 2504 wrote to memory of 5116	2504	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe	99
PID 2504 wrote to memory of 5116	2504	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe	99
PID 2504 wrote to memory of 5116	2504	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe	99
PID 2504 wrote to memory of 720	2504	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe	100
PID 2504 wrote to memory of 720	2504	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe	100
PID 2504 wrote to memory of 720	2504	{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe	100
PID 5116 wrote to memory of 3104	5116	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe	101
PID 5116 wrote to memory of 3104	5116	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe	101
PID 5116 wrote to memory of 3104	5116	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe	101
PID 5116 wrote to memory of 2720	5116	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe	102
PID 5116 wrote to memory of 2720	5116	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe	102
PID 5116 wrote to memory of 2720	5116	{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe	102
PID 3104 wrote to memory of 3580	3104	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe	103
PID 3104 wrote to memory of 3580	3104	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe	103
PID 3104 wrote to memory of 3580	3104	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe	103
PID 3104 wrote to memory of 4604	3104	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe	104
PID 3104 wrote to memory of 4604	3104	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe	104
PID 3104 wrote to memory of 4604	3104	{ABA38D3C-2799-46f0-A381-547855861AA4}.exe	104
PID 3580 wrote to memory of 3224	3580	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe	105
PID 3580 wrote to memory of 3224	3580	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe	105
PID 3580 wrote to memory of 3224	3580	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe	105
PID 3580 wrote to memory of 3800	3580	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe	106
PID 3580 wrote to memory of 3800	3580	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe	106
PID 3580 wrote to memory of 3800	3580	{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe	106
PID 3224 wrote to memory of 2804	3224	{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe	108
PID 3224 wrote to memory of 2804	3224	{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe	108
PID 3224 wrote to memory of 2804	3224	{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe	108
PID 3224 wrote to memory of 1636	3224	{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe	107

C:\Users\Admin\AppData\Local\Temp\6a0b5ada268f1bexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6a0b5ada268f1bexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe
  C:\Windows\{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe
    C:\Windows\{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4352
  - - C:\Windows\{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe
      C:\Windows\{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2564
    - - C:\Windows\{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe
        
        C:\Windows\{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3308
      - C:\Windows\{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe
        
        C:\Windows\{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe
        
        C:\Windows\{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe
        
        C:\Windows\{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5116
        
        C:\Windows\{ABA38D3C-2799-46f0-A381-547855861AA4}.exe
        
        C:\Windows\{ABA38D3C-2799-46f0-A381-547855861AA4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe
        
        C:\Windows\{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe
        
        C:\Windows\{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B968~1.EXE > nul
        12⤵
        
        PID:1636
        
        C:\Windows\{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe
        
        C:\Windows\{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45352~1.EXE > nul
        13⤵
        
        PID:2772
        
        C:\Windows\{6D702895-5431-4ebb-9F45-E7E37F023189}.exe
        
        C:\Windows\{6D702895-5431-4ebb-9F45-E7E37F023189}.exe
        13⤵
        Executes dropped EXE
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD6A0~1.EXE > nul
        11⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABA38~1.EXE > nul
        10⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A857B~1.EXE > nul
        9⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6362E~1.EXE > nul
        8⤵
        
        PID:720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07E7C~1.EXE > nul
        7⤵
        
        PID:3984
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B342~1.EXE > nul
        6⤵
        
        PID:3340
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{132DA~1.EXE > nul
        5⤵
        
        PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{53F40~1.EXE > nul
      4⤵
      PID:3872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{817B5~1.EXE > nul
    3⤵
    PID:4968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6A0B5A~1.EXE > nul
  2⤵
  PID:4748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe

Filesize
216KB

MD5
1926f19e026299aa4fdca4379626fe82

SHA1
7e6f46b63803f738c82e39021b0b1329e65f18b5

SHA256
dc0ca456d235925854b2a89a09ef55216f2c1813310c44f7b9db7a7c39ad8524

SHA512
12855674acb314c2868966b02b32b486c0c15f888c85422aec2bd9130ddf1015f1083868a26017bca029d759140e5e11f3db61d8ce5e79103cae570a4bfc7afa

Download Submit
C:\Windows\{07E7CD5C-46C3-4bc4-9887-AC193A633DF7}.exe

Filesize
216KB

MD5
1926f19e026299aa4fdca4379626fe82

SHA1
7e6f46b63803f738c82e39021b0b1329e65f18b5

SHA256
dc0ca456d235925854b2a89a09ef55216f2c1813310c44f7b9db7a7c39ad8524

SHA512
12855674acb314c2868966b02b32b486c0c15f888c85422aec2bd9130ddf1015f1083868a26017bca029d759140e5e11f3db61d8ce5e79103cae570a4bfc7afa

Download Submit
C:\Windows\{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe

Filesize
216KB

MD5
4371e224183c4d4f919a29cd8767591a

SHA1
5f263c4e1c47b5c9d445857511eb518c4d7b3c94

SHA256
1079305aaf5fe35c9d41264eef6d87cadf8d8a2796668f6a72f737bf9caa1c01

SHA512
cd3ee71633afbf9f345df9c8be08bdb600f48c776c9b948eaa296a0eb7737803eee79fe72971f9e89723ff16bd69d355e5467027f2073e98526bf1f90d0d89b9

Download Submit
C:\Windows\{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe

Filesize
216KB

MD5
4371e224183c4d4f919a29cd8767591a

SHA1
5f263c4e1c47b5c9d445857511eb518c4d7b3c94

SHA256
1079305aaf5fe35c9d41264eef6d87cadf8d8a2796668f6a72f737bf9caa1c01

SHA512
cd3ee71633afbf9f345df9c8be08bdb600f48c776c9b948eaa296a0eb7737803eee79fe72971f9e89723ff16bd69d355e5467027f2073e98526bf1f90d0d89b9

Download Submit
C:\Windows\{132DA405-9FF7-42d0-8F67-32E0B50DFEA5}.exe

Filesize
216KB

MD5
4371e224183c4d4f919a29cd8767591a

SHA1
5f263c4e1c47b5c9d445857511eb518c4d7b3c94

SHA256
1079305aaf5fe35c9d41264eef6d87cadf8d8a2796668f6a72f737bf9caa1c01

SHA512
cd3ee71633afbf9f345df9c8be08bdb600f48c776c9b948eaa296a0eb7737803eee79fe72971f9e89723ff16bd69d355e5467027f2073e98526bf1f90d0d89b9

Download Submit
C:\Windows\{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe

Filesize
216KB

MD5
ad25baeea36fd3390721df255df1043c

SHA1
23393aaa8a9b9c714700449e9f1ca4cbd1a824f1

SHA256
1d23859f57bad8a52f90af42489d6ec70dbc0ed2b39bc7fde7a5ebb568e2dab6

SHA512
68a815a240ffc4cfba06b2992b7fff5f80000b32e7895abc376138bcd69378545869af05de94492be0f4862e074856d2206f11c09728d76fc0bf14e75e5f61c8

Download Submit
C:\Windows\{1B3420CF-E85C-42ce-9A13-11C8D661397B}.exe

Filesize
216KB

MD5
ad25baeea36fd3390721df255df1043c

SHA1
23393aaa8a9b9c714700449e9f1ca4cbd1a824f1

SHA256
1d23859f57bad8a52f90af42489d6ec70dbc0ed2b39bc7fde7a5ebb568e2dab6

SHA512
68a815a240ffc4cfba06b2992b7fff5f80000b32e7895abc376138bcd69378545869af05de94492be0f4862e074856d2206f11c09728d76fc0bf14e75e5f61c8

Download Submit
C:\Windows\{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe

Filesize
216KB

MD5
387acec2af550f64280c2d359d235e6c

SHA1
a8690a1bf8a3d6b009b98bf2b896ef30a9353823

SHA256
d98f60f66b13d42385c8b5fdd9209eecf13cd867218c48ffd1bc157f85e2a4af

SHA512
45b8a7469329d8329adf09a57dfac7ed6d76952224142661bc62c76d579ec38e62ced351368bbdc6b8191adbdcd1fbb653cd8327b3b84daa9904b6bb742fc8cb

Download Submit
C:\Windows\{453525CC-AC9F-46f5-966B-0CFA8796D345}.exe

Filesize
216KB

MD5
387acec2af550f64280c2d359d235e6c

SHA1
a8690a1bf8a3d6b009b98bf2b896ef30a9353823

SHA256
d98f60f66b13d42385c8b5fdd9209eecf13cd867218c48ffd1bc157f85e2a4af

SHA512
45b8a7469329d8329adf09a57dfac7ed6d76952224142661bc62c76d579ec38e62ced351368bbdc6b8191adbdcd1fbb653cd8327b3b84daa9904b6bb742fc8cb

Download Submit
C:\Windows\{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe

Filesize
216KB

MD5
57eba68dc3e567648c333dfabaa6dfb9

SHA1
a9f68a0406998bac677beedcdbf2d0d5c73c6d8b

SHA256
3d245fdda87c2dfe663490fb26532aea0bcd5e8accd7928ddbf1953b01a139e4

SHA512
4a2ab320c551c9e2d03a1b2cb1ce09adeaa74d927c10463c1adbfe27891f36588cb6ead62213a1d8984706f1938d07695182d4a9acabf8834e1f5b88d112d4ed

Download Submit
C:\Windows\{4B968D26-00D7-493a-BD6B-8CC54C397673}.exe

Filesize
216KB

MD5
57eba68dc3e567648c333dfabaa6dfb9

SHA1
a9f68a0406998bac677beedcdbf2d0d5c73c6d8b

SHA256
3d245fdda87c2dfe663490fb26532aea0bcd5e8accd7928ddbf1953b01a139e4

SHA512
4a2ab320c551c9e2d03a1b2cb1ce09adeaa74d927c10463c1adbfe27891f36588cb6ead62213a1d8984706f1938d07695182d4a9acabf8834e1f5b88d112d4ed

Download Submit
C:\Windows\{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe

Filesize
216KB

MD5
33a1f2f9bc502234ee2ef4940a10e756

SHA1
bb099fc65f9d109f02437d45c97d65b636b91b2f

SHA256
8659477c9f73147e5d1b7f9c2b0d59a8aebe9bca2bf0cb02a8e03937d5b7fb51

SHA512
e1ee061b34f29afe50fd153064764cc92f02f9415a5a4ce4242c578aab9204061fa63edb53ef2651cae5614162fb110d84d76fd14ff35e07e2c47c27cebecb9c

Download Submit
C:\Windows\{53F4073E-3E19-41bd-A15F-65FBB933B762}.exe

Filesize
216KB

MD5
33a1f2f9bc502234ee2ef4940a10e756

SHA1
bb099fc65f9d109f02437d45c97d65b636b91b2f

SHA256
8659477c9f73147e5d1b7f9c2b0d59a8aebe9bca2bf0cb02a8e03937d5b7fb51

SHA512
e1ee061b34f29afe50fd153064764cc92f02f9415a5a4ce4242c578aab9204061fa63edb53ef2651cae5614162fb110d84d76fd14ff35e07e2c47c27cebecb9c

Download Submit
C:\Windows\{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe

Filesize
216KB

MD5
e4155747fcad6ced2c597b5238fad876

SHA1
695ef56a9d1da993ef7968c03babd5f028fa1c3a

SHA256
cf90b8cbe1f946d0b753ca453e427ba0dfc9bc82d991df371f799a9137526856

SHA512
71ff230465375ba8904e2ea233ed7dcc8aef43af91ae0b995a3fbb80951a00255d84f20cb1e5e83d05cd2722eb871b7b8e9dc3d00ba73d59f49a57810ce03990

Download Submit
C:\Windows\{6362EF9B-082C-4c03-82EE-9B9C41E9355C}.exe

Filesize
216KB

MD5
e4155747fcad6ced2c597b5238fad876

SHA1
695ef56a9d1da993ef7968c03babd5f028fa1c3a

SHA256
cf90b8cbe1f946d0b753ca453e427ba0dfc9bc82d991df371f799a9137526856

SHA512
71ff230465375ba8904e2ea233ed7dcc8aef43af91ae0b995a3fbb80951a00255d84f20cb1e5e83d05cd2722eb871b7b8e9dc3d00ba73d59f49a57810ce03990

Download Submit
C:\Windows\{6D702895-5431-4ebb-9F45-E7E37F023189}.exe

Filesize
216KB

MD5
a4595038e0e34071a656a73222b72879

SHA1
6466300fd06dba623d210f4093ad958817708ec8

SHA256
54cd126f132ce8d71d33a8c0623ca08aef64ce0c155800ef685da842746412c9

SHA512
174d26b3d2e6e18f9fb1440494090b3a69e38649262cd1a1af817afb537d35849911b59325b35e0337e33b2491fbe4b29caf23f7e47eefe033d15bdfe878f1ce

Download Submit
C:\Windows\{6D702895-5431-4ebb-9F45-E7E37F023189}.exe

Filesize
216KB

MD5
a4595038e0e34071a656a73222b72879

SHA1
6466300fd06dba623d210f4093ad958817708ec8

SHA256
54cd126f132ce8d71d33a8c0623ca08aef64ce0c155800ef685da842746412c9

SHA512
174d26b3d2e6e18f9fb1440494090b3a69e38649262cd1a1af817afb537d35849911b59325b35e0337e33b2491fbe4b29caf23f7e47eefe033d15bdfe878f1ce

Download Submit
C:\Windows\{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe

Filesize
216KB

MD5
97567b2f7e90619ab1b9481c973947ee

SHA1
ff73ef78075ebf6bb1b3f172d9777aee84ee0f84

SHA256
de60a2f438b8dfc029652e9053cc2b3927a1b2009edbe67c951476bd90f33125

SHA512
5b2d72c975b40e9744281c379ad4c2021eef75cda542e6d27d5a589cca94900d13c5adcd6f0028226aaabfe016d6330608db12af0ec0ea40bff8105441ef8493

Download Submit
C:\Windows\{817B5FD2-5818-4ec7-B3AE-C923BBF4D7B9}.exe

Filesize
216KB

MD5
97567b2f7e90619ab1b9481c973947ee

SHA1
ff73ef78075ebf6bb1b3f172d9777aee84ee0f84

SHA256
de60a2f438b8dfc029652e9053cc2b3927a1b2009edbe67c951476bd90f33125

SHA512
5b2d72c975b40e9744281c379ad4c2021eef75cda542e6d27d5a589cca94900d13c5adcd6f0028226aaabfe016d6330608db12af0ec0ea40bff8105441ef8493

Download Submit
C:\Windows\{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe

Filesize
216KB

MD5
91f052b9a61a4a453d9d8afb4cf48951

SHA1
defee9b36df28de7aff07387e31645561710e71e

SHA256
ab88800daadc061b7ad4a31d568d7507c19990c09904633a33b7d4f3fd9c5180

SHA512
ad272520e5d927d873ae4bccb1cc3a86dc2b46f807a7a54bf3d45ad243f153fe817227bb22f6a49f6adf6e8ddd36fecbc0faa5492307754a4fdffbfb47b6e5a3

Download Submit
C:\Windows\{A857B1F8-606D-4a76-8499-B98CE2F5476E}.exe

Filesize
216KB

MD5
91f052b9a61a4a453d9d8afb4cf48951

SHA1
defee9b36df28de7aff07387e31645561710e71e

SHA256
ab88800daadc061b7ad4a31d568d7507c19990c09904633a33b7d4f3fd9c5180

SHA512
ad272520e5d927d873ae4bccb1cc3a86dc2b46f807a7a54bf3d45ad243f153fe817227bb22f6a49f6adf6e8ddd36fecbc0faa5492307754a4fdffbfb47b6e5a3

Download Submit
C:\Windows\{ABA38D3C-2799-46f0-A381-547855861AA4}.exe

Filesize
216KB

MD5
20d1cf44447c0e8752558e8897ef0a7f

SHA1
2ba6219cf790ebc49ef36659fbd2a1b3b7945228

SHA256
c528ac0a3680303ff09ca04e66b521d50409e7eaef6260639ba5afa20ad438f8

SHA512
5c798568cf76d75ad2f3f6c19a3a0b3f507e7ce6ec34f594fc261baa54490ce8540c48e4277165b6880463cc7c957e81a2763d47045120db4a3820b9f3fe2fbb

Download Submit
C:\Windows\{ABA38D3C-2799-46f0-A381-547855861AA4}.exe

Filesize
216KB

MD5
20d1cf44447c0e8752558e8897ef0a7f

SHA1
2ba6219cf790ebc49ef36659fbd2a1b3b7945228

SHA256
c528ac0a3680303ff09ca04e66b521d50409e7eaef6260639ba5afa20ad438f8

SHA512
5c798568cf76d75ad2f3f6c19a3a0b3f507e7ce6ec34f594fc261baa54490ce8540c48e4277165b6880463cc7c957e81a2763d47045120db4a3820b9f3fe2fbb

Download Submit
C:\Windows\{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe

Filesize
216KB

MD5
e98b79354ee39ffe2256b2254c5d5eb5

SHA1
dd94bd72834fa5df3792416e63a5244a3e84dc2e

SHA256
d2ede0858a8f91ebcd43bb7567e92c85fb4a950784d02e9660a95965872afb98

SHA512
182bd42cf7d175a48f40028764ec1a144e1d6c4da524bb60de07cb72fda548aa4c202cbcadb7aa6f88c99197e01e76ca6bc77dd77318dc5c1468061504f2ef36

Download Submit
C:\Windows\{FD6A0338-41DE-4f76-A4CF-92CE561AD512}.exe

Filesize
216KB

MD5
e98b79354ee39ffe2256b2254c5d5eb5

SHA1
dd94bd72834fa5df3792416e63a5244a3e84dc2e

SHA256
d2ede0858a8f91ebcd43bb7567e92c85fb4a950784d02e9660a95965872afb98

SHA512
182bd42cf7d175a48f40028764ec1a144e1d6c4da524bb60de07cb72fda548aa4c202cbcadb7aa6f88c99197e01e76ca6bc77dd77318dc5c1468061504f2ef36

Download Submit