ca8c58382a6a2d683a5a1349eb8a844af56778545afedcdd895a892d5ac50ba6

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
08/07/2023, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e9992d47dfb5cexeexeexeex.exe
Size

204KB
MD5

6e9992d47dfb5c063cb960becad5a1e1
SHA1

7aa7a74142271cedbd9a78828dc910e5a112cef2
SHA256

ca8c58382a6a2d683a5a1349eb8a844af56778545afedcdd895a892d5ac50ba6
SHA512

2101721d0d10e6e7ba4f3a485ca107f49a7e3df48e49e91759ab67a5250c460c7ef1b9d4c85b7aef667a0169fad46fd7d17e57cd4d5ee5bc8ee378b95e593426
SSDEEP

1536:1EGh0o0l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o0l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}\stubpath = "C:\\Windows\\{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe"	6e9992d47dfb5cexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86E48E60-F634-4673-8AE6-461DBFA10C0E}	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}\stubpath = "C:\\Windows\\{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe"	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}\stubpath = "C:\\Windows\\{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe"	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A86D4C-594E-4b15-933E-4EBFA64E785B}	{D520A127-676D-4187-828B-30B60A22F3F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82A86D4C-594E-4b15-933E-4EBFA64E785B}\stubpath = "C:\\Windows\\{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe"	{D520A127-676D-4187-828B-30B60A22F3F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49640C55-0F4E-410c-9374-A4C8F7DB0E03}	{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7061FCD9-5483-44ea-9E61-2DA3708B411A}	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86E48E60-F634-4673-8AE6-461DBFA10C0E}\stubpath = "C:\\Windows\\{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe"	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}\stubpath = "C:\\Windows\\{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe"	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}\stubpath = "C:\\Windows\\{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe"	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D520A127-676D-4187-828B-30B60A22F3F2}	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFFDFFFF-8A99-427f-90D8-5BEFA8A6803B}	{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFFDFFFF-8A99-427f-90D8-5BEFA8A6803B}\stubpath = "C:\\Windows\\{CFFDFFFF-8A99-427f-90D8-5BEFA8A6803B}.exe"	{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7061FCD9-5483-44ea-9E61-2DA3708B411A}\stubpath = "C:\\Windows\\{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe"	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D520A127-676D-4187-828B-30B60A22F3F2}\stubpath = "C:\\Windows\\{D520A127-676D-4187-828B-30B60A22F3F2}.exe"	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F7044F8-0969-410f-9DC7-82481C7A2485}	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F7044F8-0969-410f-9DC7-82481C7A2485}\stubpath = "C:\\Windows\\{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe"	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{49640C55-0F4E-410c-9374-A4C8F7DB0E03}\stubpath = "C:\\Windows\\{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe"	{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}	6e9992d47dfb5cexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4392	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe
2124	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe
2384	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe
4060	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe
1616	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe
2636	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe
3960	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe
1204	{D520A127-676D-4187-828B-30B60A22F3F2}.exe
1588	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe
3388	{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe
1248	{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe
2296	{CFFDFFFF-8A99-427f-90D8-5BEFA8A6803B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe	{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe
File created	C:\Windows\{CFFDFFFF-8A99-427f-90D8-5BEFA8A6803B}.exe	{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe
File created	C:\Windows\{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe
File created	C:\Windows\{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe
File created	C:\Windows\{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe
File created	C:\Windows\{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe
File created	C:\Windows\{D520A127-676D-4187-828B-30B60A22F3F2}.exe	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe
File created	C:\Windows\{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe
File created	C:\Windows\{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe	6e9992d47dfb5cexeexeexeex.exe
File created	C:\Windows\{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe
File created	C:\Windows\{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe
File created	C:\Windows\{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe	{D520A127-676D-4187-828B-30B60A22F3F2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3428	6e9992d47dfb5cexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4392	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe
Token: SeIncBasePriorityPrivilege	2124	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe
Token: SeIncBasePriorityPrivilege	2384	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe
Token: SeIncBasePriorityPrivilege	4060	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe
Token: SeIncBasePriorityPrivilege	1616	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe
Token: SeIncBasePriorityPrivilege	2636	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe
Token: SeIncBasePriorityPrivilege	3960	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe
Token: SeIncBasePriorityPrivilege	1204	{D520A127-676D-4187-828B-30B60A22F3F2}.exe
Token: SeIncBasePriorityPrivilege	1588	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe
Token: SeIncBasePriorityPrivilege	3388	{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe
Token: SeIncBasePriorityPrivilege	1248	{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3428 wrote to memory of 4392	3428	6e9992d47dfb5cexeexeexeex.exe	84
PID 3428 wrote to memory of 4392	3428	6e9992d47dfb5cexeexeexeex.exe	84
PID 3428 wrote to memory of 4392	3428	6e9992d47dfb5cexeexeexeex.exe	84
PID 3428 wrote to memory of 4676	3428	6e9992d47dfb5cexeexeexeex.exe	85
PID 3428 wrote to memory of 4676	3428	6e9992d47dfb5cexeexeexeex.exe	85
PID 3428 wrote to memory of 4676	3428	6e9992d47dfb5cexeexeexeex.exe	85
PID 4392 wrote to memory of 2124	4392	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe	86
PID 4392 wrote to memory of 2124	4392	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe	86
PID 4392 wrote to memory of 2124	4392	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe	86
PID 4392 wrote to memory of 856	4392	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe	87
PID 4392 wrote to memory of 856	4392	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe	87
PID 4392 wrote to memory of 856	4392	{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe	87
PID 2124 wrote to memory of 2384	2124	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe	92
PID 2124 wrote to memory of 2384	2124	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe	92
PID 2124 wrote to memory of 2384	2124	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe	92
PID 2124 wrote to memory of 812	2124	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe	91
PID 2124 wrote to memory of 812	2124	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe	91
PID 2124 wrote to memory of 812	2124	{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe	91
PID 2384 wrote to memory of 4060	2384	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe	93
PID 2384 wrote to memory of 4060	2384	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe	93
PID 2384 wrote to memory of 4060	2384	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe	93
PID 2384 wrote to memory of 4628	2384	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe	94
PID 2384 wrote to memory of 4628	2384	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe	94
PID 2384 wrote to memory of 4628	2384	{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe	94
PID 4060 wrote to memory of 1616	4060	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe	95
PID 4060 wrote to memory of 1616	4060	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe	95
PID 4060 wrote to memory of 1616	4060	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe	95
PID 4060 wrote to memory of 2840	4060	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe	96
PID 4060 wrote to memory of 2840	4060	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe	96
PID 4060 wrote to memory of 2840	4060	{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe	96
PID 1616 wrote to memory of 2636	1616	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe	97
PID 1616 wrote to memory of 2636	1616	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe	97
PID 1616 wrote to memory of 2636	1616	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe	97
PID 1616 wrote to memory of 4724	1616	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe	98
PID 1616 wrote to memory of 4724	1616	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe	98
PID 1616 wrote to memory of 4724	1616	{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe	98
PID 2636 wrote to memory of 3960	2636	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe	99
PID 2636 wrote to memory of 3960	2636	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe	99
PID 2636 wrote to memory of 3960	2636	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe	99
PID 2636 wrote to memory of 3576	2636	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe	100
PID 2636 wrote to memory of 3576	2636	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe	100
PID 2636 wrote to memory of 3576	2636	{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe	100
PID 3960 wrote to memory of 1204	3960	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe	101
PID 3960 wrote to memory of 1204	3960	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe	101
PID 3960 wrote to memory of 1204	3960	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe	101
PID 3960 wrote to memory of 4328	3960	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe	102
PID 3960 wrote to memory of 4328	3960	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe	102
PID 3960 wrote to memory of 4328	3960	{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe	102
PID 1204 wrote to memory of 1588	1204	{D520A127-676D-4187-828B-30B60A22F3F2}.exe	103
PID 1204 wrote to memory of 1588	1204	{D520A127-676D-4187-828B-30B60A22F3F2}.exe	103
PID 1204 wrote to memory of 1588	1204	{D520A127-676D-4187-828B-30B60A22F3F2}.exe	103
PID 1204 wrote to memory of 116	1204	{D520A127-676D-4187-828B-30B60A22F3F2}.exe	104
PID 1204 wrote to memory of 116	1204	{D520A127-676D-4187-828B-30B60A22F3F2}.exe	104
PID 1204 wrote to memory of 116	1204	{D520A127-676D-4187-828B-30B60A22F3F2}.exe	104
PID 1588 wrote to memory of 3388	1588	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe	105
PID 1588 wrote to memory of 3388	1588	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe	105
PID 1588 wrote to memory of 3388	1588	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe	105
PID 1588 wrote to memory of 4248	1588	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe	106
PID 1588 wrote to memory of 4248	1588	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe	106
PID 1588 wrote to memory of 4248	1588	{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe	106
PID 3388 wrote to memory of 1248	3388	{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe	107
PID 3388 wrote to memory of 1248	3388	{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe	107
PID 3388 wrote to memory of 1248	3388	{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe	107
PID 3388 wrote to memory of 3352	3388	{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe	108

C:\Users\Admin\AppData\Local\Temp\6e9992d47dfb5cexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\6e9992d47dfb5cexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428
- C:\Windows\{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe
  C:\Windows\{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe
    C:\Windows\{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7061F~1.EXE > nul
      4⤵
      PID:812
  - - C:\Windows\{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe
      C:\Windows\{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe
        
        C:\Windows\{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe
        
        C:\Windows\{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe
        
        C:\Windows\{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe
        
        C:\Windows\{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\{D520A127-676D-4187-828B-30B60A22F3F2}.exe
        
        C:\Windows\{D520A127-676D-4187-828B-30B60A22F3F2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1204
        
        C:\Windows\{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe
        
        C:\Windows\{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe
        
        C:\Windows\{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe
        
        C:\Windows\{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\{CFFDFFFF-8A99-427f-90D8-5BEFA8A6803B}.exe
        
        C:\Windows\{CFFDFFFF-8A99-427f-90D8-5BEFA8A6803B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49640~1.EXE > nul
        13⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F704~1.EXE > nul
        12⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{82A86~1.EXE > nul
        11⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D520A~1.EXE > nul
        10⤵
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2660E~1.EXE > nul
        9⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08F3A~1.EXE > nul
        8⤵
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{559C7~1.EXE > nul
        7⤵
        
        PID:4724
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFF1E~1.EXE > nul
        6⤵
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86E48~1.EXE > nul
        5⤵
        
        PID:4628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CB6F0~1.EXE > nul
    3⤵
    PID:856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6E9992~1.EXE > nul
  2⤵
  PID:4676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe

Filesize
204KB

MD5
70d24e549a3ae4fcf993f5affe9f921c

SHA1
9ff5ad3a41296a7afb302cca982cc64bd3ae05a0

SHA256
6f80154f4fc40ae3ade021ec558866dc255f8824200b4f4da53dcaffe16920c0

SHA512
c0cc86c81197c6d90ee98dd267f087dfceb78e3531f1fd82a0a93902f9087478e4abec709226d58c26d19d1b7511df9a61c0341caae7f0297a482d6be7edb2c5

Download Submit
C:\Windows\{08F3AAEA-6022-40a0-BB74-4E7FC576E38E}.exe

Filesize
204KB

MD5
70d24e549a3ae4fcf993f5affe9f921c

SHA1
9ff5ad3a41296a7afb302cca982cc64bd3ae05a0

SHA256
6f80154f4fc40ae3ade021ec558866dc255f8824200b4f4da53dcaffe16920c0

SHA512
c0cc86c81197c6d90ee98dd267f087dfceb78e3531f1fd82a0a93902f9087478e4abec709226d58c26d19d1b7511df9a61c0341caae7f0297a482d6be7edb2c5

Download Submit
C:\Windows\{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe

Filesize
204KB

MD5
70737d9e893ff638c502d17482f4926d

SHA1
e12806d387c6e207fa426fce6c5bef6b14feca12

SHA256
354e3f0fa4678fbbba9aa8e80b25836295ad0a5b92c0330137ae1257e4e38dd5

SHA512
d3d52bb4c8c6ff33b1ee90706db70c092730271b0f0d9379c36d6c29df1155bcd68e6d9a62cf9ee52a6ac7747372a151979fb7887679aaae3de006207a031871

Download Submit
C:\Windows\{2660EF65-250F-4e4d-8737-0EBFEA0E47E8}.exe

Filesize
204KB

MD5
70737d9e893ff638c502d17482f4926d

SHA1
e12806d387c6e207fa426fce6c5bef6b14feca12

SHA256
354e3f0fa4678fbbba9aa8e80b25836295ad0a5b92c0330137ae1257e4e38dd5

SHA512
d3d52bb4c8c6ff33b1ee90706db70c092730271b0f0d9379c36d6c29df1155bcd68e6d9a62cf9ee52a6ac7747372a151979fb7887679aaae3de006207a031871

Download Submit
C:\Windows\{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe

Filesize
204KB

MD5
7c4faf10fed0f40a8b6cf75834cf503e

SHA1
8efffd293c6978b61a872b600b0166450779176e

SHA256
fafba07845348b1b5e6808cbfe819d91cb74f2074d81105ce0c01ecd3c2b8a6c

SHA512
48df27229fe70bb61195156312308d570f71fc027fb31e01a03e73ff8d905a109dbc15b720a06583eb45e73473be9c8c8253798ce764c197d2aabf3d66d71fbf

Download Submit
C:\Windows\{49640C55-0F4E-410c-9374-A4C8F7DB0E03}.exe

Filesize
204KB

MD5
7c4faf10fed0f40a8b6cf75834cf503e

SHA1
8efffd293c6978b61a872b600b0166450779176e

SHA256
fafba07845348b1b5e6808cbfe819d91cb74f2074d81105ce0c01ecd3c2b8a6c

SHA512
48df27229fe70bb61195156312308d570f71fc027fb31e01a03e73ff8d905a109dbc15b720a06583eb45e73473be9c8c8253798ce764c197d2aabf3d66d71fbf

Download Submit
C:\Windows\{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe

Filesize
204KB

MD5
cffe107f625eb1bc4e1207ebd8882ed6

SHA1
a457647c5cb098201c8cbfec3c87a2b8a899a7eb

SHA256
f8ee760a6b2645573a54217880dbb2f9f1a16b9fd10b63ab0039fb2fff28b221

SHA512
4ab93a2782fb77d9a3a72856326dd9caea60ebc8f7592150854e49433f75f50430c298565213e6e1a77c0f35fb954d123760630cbd0a8770b09bee2d0549f7a5

Download Submit
C:\Windows\{559C7571-C37D-4d3a-BFCC-B18F7F0BB66C}.exe

Filesize
204KB

MD5
cffe107f625eb1bc4e1207ebd8882ed6

SHA1
a457647c5cb098201c8cbfec3c87a2b8a899a7eb

SHA256
f8ee760a6b2645573a54217880dbb2f9f1a16b9fd10b63ab0039fb2fff28b221

SHA512
4ab93a2782fb77d9a3a72856326dd9caea60ebc8f7592150854e49433f75f50430c298565213e6e1a77c0f35fb954d123760630cbd0a8770b09bee2d0549f7a5

Download Submit
C:\Windows\{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe

Filesize
204KB

MD5
67d855c6a039f60be2d45bf389a2bfad

SHA1
073e23e13dec928bd6fe903305179165cb1929cf

SHA256
3d739ed57aede226e50c4f2723997cdc3abe883e708a6ad36a815006d0b39a3d

SHA512
69b98979db8db1031aa89de743ed6ecafd3b317b49b9f3bd65ddabe688303e9ddb6d6b6325d9548d70b5b20bc50fdcd5095b42999da8240fb7e53e8cd21ea64d

Download Submit
C:\Windows\{7061FCD9-5483-44ea-9E61-2DA3708B411A}.exe

Filesize
204KB

MD5
67d855c6a039f60be2d45bf389a2bfad

SHA1
073e23e13dec928bd6fe903305179165cb1929cf

SHA256
3d739ed57aede226e50c4f2723997cdc3abe883e708a6ad36a815006d0b39a3d

SHA512
69b98979db8db1031aa89de743ed6ecafd3b317b49b9f3bd65ddabe688303e9ddb6d6b6325d9548d70b5b20bc50fdcd5095b42999da8240fb7e53e8cd21ea64d

Download Submit
C:\Windows\{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe

Filesize
204KB

MD5
47a39a05dab4d4d569dbac6c12b0fdee

SHA1
524cc15f2e5b6d43cd56c857b733a98ccf3ff31b

SHA256
4fb8d18636e7a667801cba567859e4a16c3bf5bc71136ba4542e7b2ddd1dc5ec

SHA512
f9f7ac66a1207b1113ba406ef4426735316797fe5755af13322a46171cda22464a898f78930dc8f19555e511faf6d50f3eff7a07ae1ba2378578025942d2ca43

Download Submit
C:\Windows\{82A86D4C-594E-4b15-933E-4EBFA64E785B}.exe

Filesize
204KB

MD5
47a39a05dab4d4d569dbac6c12b0fdee

SHA1
524cc15f2e5b6d43cd56c857b733a98ccf3ff31b

SHA256
4fb8d18636e7a667801cba567859e4a16c3bf5bc71136ba4542e7b2ddd1dc5ec

SHA512
f9f7ac66a1207b1113ba406ef4426735316797fe5755af13322a46171cda22464a898f78930dc8f19555e511faf6d50f3eff7a07ae1ba2378578025942d2ca43

Download Submit
C:\Windows\{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe

Filesize
204KB

MD5
8c62d01cfe558b930e94ff86e2072737

SHA1
6721caaf766237be3ab02d56bc2a71ffd02b10de

SHA256
695f121584a4be991596fafe70dddfeba0607d7828fc59488bf4190035071c51

SHA512
13100afc6e13afc2e61c06d347c89166dadf65a87c94c135592613d292d12a493458ec6f19e8907d0d9357c945df7c82dfe98808a5678d6bfa46350522e013f8

Download Submit
C:\Windows\{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe

Filesize
204KB

MD5
8c62d01cfe558b930e94ff86e2072737

SHA1
6721caaf766237be3ab02d56bc2a71ffd02b10de

SHA256
695f121584a4be991596fafe70dddfeba0607d7828fc59488bf4190035071c51

SHA512
13100afc6e13afc2e61c06d347c89166dadf65a87c94c135592613d292d12a493458ec6f19e8907d0d9357c945df7c82dfe98808a5678d6bfa46350522e013f8

Download Submit
C:\Windows\{86E48E60-F634-4673-8AE6-461DBFA10C0E}.exe

Filesize
204KB

MD5
8c62d01cfe558b930e94ff86e2072737

SHA1
6721caaf766237be3ab02d56bc2a71ffd02b10de

SHA256
695f121584a4be991596fafe70dddfeba0607d7828fc59488bf4190035071c51

SHA512
13100afc6e13afc2e61c06d347c89166dadf65a87c94c135592613d292d12a493458ec6f19e8907d0d9357c945df7c82dfe98808a5678d6bfa46350522e013f8

Download Submit
C:\Windows\{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe

Filesize
204KB

MD5
1319a1e2562d6c85bb251d8d9340bf99

SHA1
7fe204d0228ea6abbde3b56bb57e8a613d895b6a

SHA256
d8c2b368c9d6c61dcca31a89c5083cee4663254b8d17f3f90c8139986ca2fc50

SHA512
c369d3a0b84f75a72faadcea8f8dd5d9bd8c2a349b66d86861507d3aa53258b0751a28ae14baae1d7c839c247ace11cfb8fffd7e5eb0e92a30ee69a461d0a70f

Download Submit
C:\Windows\{8F7044F8-0969-410f-9DC7-82481C7A2485}.exe

Filesize
204KB

MD5
1319a1e2562d6c85bb251d8d9340bf99

SHA1
7fe204d0228ea6abbde3b56bb57e8a613d895b6a

SHA256
d8c2b368c9d6c61dcca31a89c5083cee4663254b8d17f3f90c8139986ca2fc50

SHA512
c369d3a0b84f75a72faadcea8f8dd5d9bd8c2a349b66d86861507d3aa53258b0751a28ae14baae1d7c839c247ace11cfb8fffd7e5eb0e92a30ee69a461d0a70f

Download Submit
C:\Windows\{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe

Filesize
204KB

MD5
8df356e45cc62e0971eb51aa922a5dab

SHA1
fbcf054e84715da37ea6ebd856f02a67c61096ec

SHA256
e04d5f179060cbae5470683a832bea0e5491fb549cc662b2f5f516a674fd1c27

SHA512
58ff59e20c10cc9efa3090837498b3e240c9e6297463cd0fc70699a188136c072a8a609abbb8fac1542e6aab6514ff548688b0c96ed5c07565bbc88c6ed754b3

Download Submit
C:\Windows\{CB6F0E4D-2FE0-4284-827D-41181DC7FECD}.exe

Filesize
204KB

MD5
8df356e45cc62e0971eb51aa922a5dab

SHA1
fbcf054e84715da37ea6ebd856f02a67c61096ec

SHA256
e04d5f179060cbae5470683a832bea0e5491fb549cc662b2f5f516a674fd1c27

SHA512
58ff59e20c10cc9efa3090837498b3e240c9e6297463cd0fc70699a188136c072a8a609abbb8fac1542e6aab6514ff548688b0c96ed5c07565bbc88c6ed754b3

Download Submit
C:\Windows\{CFFDFFFF-8A99-427f-90D8-5BEFA8A6803B}.exe

Filesize
204KB

MD5
2a8731b14d49ac2df3ab8b36d520330c

SHA1
7ccb614b7c9dca373b838a8de0c9af0c4c94a39d

SHA256
9f37aa9cc72d9af5e1b2a64b02f12a283d1004b10e2cf705d6cf0be5aa231d47

SHA512
7dec32ddfdb8f265803410c1a2d7823aaa21918aec302a63d706fecafc41cd2dbbf5ca14b4e245a54352381a5e3621a510f043ddb426bce2bde4513381ad4d68

Download Submit
C:\Windows\{CFFDFFFF-8A99-427f-90D8-5BEFA8A6803B}.exe

Filesize
204KB

MD5
2a8731b14d49ac2df3ab8b36d520330c

SHA1
7ccb614b7c9dca373b838a8de0c9af0c4c94a39d

SHA256
9f37aa9cc72d9af5e1b2a64b02f12a283d1004b10e2cf705d6cf0be5aa231d47

SHA512
7dec32ddfdb8f265803410c1a2d7823aaa21918aec302a63d706fecafc41cd2dbbf5ca14b4e245a54352381a5e3621a510f043ddb426bce2bde4513381ad4d68

Download Submit
C:\Windows\{D520A127-676D-4187-828B-30B60A22F3F2}.exe

Filesize
204KB

MD5
905f39d656652d45818fd0af961a1f83

SHA1
40fb9bcba07a8d52e153ede74ba5ec5f2081cff2

SHA256
df58c5e7ffd4d33191f6aa9648b693165c6451501be294fae5705a1b878cffec

SHA512
c24a0a389e9c28b6d35b16f9af8f1b029c118db969bcd22f6ed71bb0ab368fb063bfcfc24dd7fedd0f3287e70dfae70942b0d2757afe7280434459f820604a65

Download Submit
C:\Windows\{D520A127-676D-4187-828B-30B60A22F3F2}.exe

Filesize
204KB

MD5
905f39d656652d45818fd0af961a1f83

SHA1
40fb9bcba07a8d52e153ede74ba5ec5f2081cff2

SHA256
df58c5e7ffd4d33191f6aa9648b693165c6451501be294fae5705a1b878cffec

SHA512
c24a0a389e9c28b6d35b16f9af8f1b029c118db969bcd22f6ed71bb0ab368fb063bfcfc24dd7fedd0f3287e70dfae70942b0d2757afe7280434459f820604a65

Download Submit
C:\Windows\{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe

Filesize
204KB

MD5
9e038e45e05712bf3e2703a09f65b63b

SHA1
49b984b6e2c853b90fd23fa52b159bb76e08fc3a

SHA256
b5a499b41bde8f67a608fadbae62e77e324348ba74ffe2902e7b0ebeb85f589f

SHA512
49346165c0ad5b1123348b1f47dfb41f4b9e77a116105dfa9ae0e4477c86a4e1fbf6229f889e9f4ab3599de79559eecbae90c32a544c5087e19d06f787e8d6a2

Download Submit
C:\Windows\{DFF1E9DF-E7C5-4858-9E08-C6F5BF40CE41}.exe

Filesize
204KB

MD5
9e038e45e05712bf3e2703a09f65b63b

SHA1
49b984b6e2c853b90fd23fa52b159bb76e08fc3a

SHA256
b5a499b41bde8f67a608fadbae62e77e324348ba74ffe2902e7b0ebeb85f589f

SHA512
49346165c0ad5b1123348b1f47dfb41f4b9e77a116105dfa9ae0e4477c86a4e1fbf6229f889e9f4ab3599de79559eecbae90c32a544c5087e19d06f787e8d6a2

Download Submit