224dc9c324a78bf5365ed2435cb7c52ef6e11d8cfdbcd0bf45a1751380f58f0d

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2023, 16:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5ee8ba7226561exeexeexeex.exe
Size

168KB
MD5

b5ee8ba722656146cb3ffec68c7c4a1e
SHA1

fbff8ec0110977db666933a56aa2cd285056a1fe
SHA256

224dc9c324a78bf5365ed2435cb7c52ef6e11d8cfdbcd0bf45a1751380f58f0d
SHA512

a047cb0e6b9768a7dc188709155879dedb493d1ac1b0889f95fe2ee98435b846115e34939ba9856d36a8f86f2a9665eabe830dc95af889861bccc4a63b927e43
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}	b5ee8ba7226561exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}\stubpath = "C:\\Windows\\{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe"	b5ee8ba7226561exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C7B9DA3-9800-4168-8B3D-E62038AE679D}	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}	{EB953A71-B489-47da-8E8E-497228CF8646}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29B082EA-EB14-4f97-A42E-A5DCC51D6943}\stubpath = "C:\\Windows\\{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe"	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C7B9DA3-9800-4168-8B3D-E62038AE679D}\stubpath = "C:\\Windows\\{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe"	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}\stubpath = "C:\\Windows\\{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe"	{EB953A71-B489-47da-8E8E-497228CF8646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29B082EA-EB14-4f97-A42E-A5DCC51D6943}	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{607EB164-1CF7-4e5c-8C79-68186317A4F3}	{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{607EB164-1CF7-4e5c-8C79-68186317A4F3}\stubpath = "C:\\Windows\\{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe"	{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37AC2756-BB27-41de-8D96-83F22BA3AE04}\stubpath = "C:\\Windows\\{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe"	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}\stubpath = "C:\\Windows\\{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe"	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}\stubpath = "C:\\Windows\\{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe"	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}\stubpath = "C:\\Windows\\{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe"	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DDF9E3B-011A-44a1-B2D0-003E469236EE}	{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DDF9E3B-011A-44a1-B2D0-003E469236EE}\stubpath = "C:\\Windows\\{7DDF9E3B-011A-44a1-B2D0-003E469236EE}.exe"	{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37AC2756-BB27-41de-8D96-83F22BA3AE04}	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB953A71-B489-47da-8E8E-497228CF8646}	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB953A71-B489-47da-8E8E-497228CF8646}\stubpath = "C:\\Windows\\{EB953A71-B489-47da-8E8E-497228CF8646}.exe"	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}\stubpath = "C:\\Windows\\{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe"	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe

Executes dropped EXE 12 IoCs

pid	Process
1984	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe
3516	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe
4576	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe
4328	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe
2084	{EB953A71-B489-47da-8E8E-497228CF8646}.exe
4780	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe
1904	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe
4940	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe
4984	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe
5004	{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe
1764	{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe
2664	{7DDF9E3B-011A-44a1-B2D0-003E469236EE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe	{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe
File created	C:\Windows\{7DDF9E3B-011A-44a1-B2D0-003E469236EE}.exe	{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe
File created	C:\Windows\{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe
File created	C:\Windows\{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe
File created	C:\Windows\{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe
File created	C:\Windows\{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe	{EB953A71-B489-47da-8E8E-497228CF8646}.exe
File created	C:\Windows\{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe
File created	C:\Windows\{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe
File created	C:\Windows\{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe
File created	C:\Windows\{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe	b5ee8ba7226561exeexeexeex.exe
File created	C:\Windows\{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe
File created	C:\Windows\{EB953A71-B489-47da-8E8E-497228CF8646}.exe	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4600	b5ee8ba7226561exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1984	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe
Token: SeIncBasePriorityPrivilege	3516	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe
Token: SeIncBasePriorityPrivilege	4576	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe
Token: SeIncBasePriorityPrivilege	4328	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe
Token: SeIncBasePriorityPrivilege	2084	{EB953A71-B489-47da-8E8E-497228CF8646}.exe
Token: SeIncBasePriorityPrivilege	4780	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe
Token: SeIncBasePriorityPrivilege	1904	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe
Token: SeIncBasePriorityPrivilege	4940	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe
Token: SeIncBasePriorityPrivilege	4984	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe
Token: SeIncBasePriorityPrivilege	5004	{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe
Token: SeIncBasePriorityPrivilege	1764	{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 1984	4600	b5ee8ba7226561exeexeexeex.exe	87
PID 4600 wrote to memory of 1984	4600	b5ee8ba7226561exeexeexeex.exe	87
PID 4600 wrote to memory of 1984	4600	b5ee8ba7226561exeexeexeex.exe	87
PID 4600 wrote to memory of 4800	4600	b5ee8ba7226561exeexeexeex.exe	88
PID 4600 wrote to memory of 4800	4600	b5ee8ba7226561exeexeexeex.exe	88
PID 4600 wrote to memory of 4800	4600	b5ee8ba7226561exeexeexeex.exe	88
PID 1984 wrote to memory of 3516	1984	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe	89
PID 1984 wrote to memory of 3516	1984	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe	89
PID 1984 wrote to memory of 3516	1984	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe	89
PID 1984 wrote to memory of 4784	1984	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe	90
PID 1984 wrote to memory of 4784	1984	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe	90
PID 1984 wrote to memory of 4784	1984	{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe	90
PID 3516 wrote to memory of 4576	3516	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe	94
PID 3516 wrote to memory of 4576	3516	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe	94
PID 3516 wrote to memory of 4576	3516	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe	94
PID 3516 wrote to memory of 4192	3516	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe	95
PID 3516 wrote to memory of 4192	3516	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe	95
PID 3516 wrote to memory of 4192	3516	{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe	95
PID 4576 wrote to memory of 4328	4576	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe	96
PID 4576 wrote to memory of 4328	4576	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe	96
PID 4576 wrote to memory of 4328	4576	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe	96
PID 4576 wrote to memory of 3720	4576	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe	97
PID 4576 wrote to memory of 3720	4576	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe	97
PID 4576 wrote to memory of 3720	4576	{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe	97
PID 4328 wrote to memory of 2084	4328	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe	98
PID 4328 wrote to memory of 2084	4328	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe	98
PID 4328 wrote to memory of 2084	4328	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe	98
PID 4328 wrote to memory of 3772	4328	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe	99
PID 4328 wrote to memory of 3772	4328	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe	99
PID 4328 wrote to memory of 3772	4328	{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe	99
PID 2084 wrote to memory of 4780	2084	{EB953A71-B489-47da-8E8E-497228CF8646}.exe	100
PID 2084 wrote to memory of 4780	2084	{EB953A71-B489-47da-8E8E-497228CF8646}.exe	100
PID 2084 wrote to memory of 4780	2084	{EB953A71-B489-47da-8E8E-497228CF8646}.exe	100
PID 2084 wrote to memory of 3496	2084	{EB953A71-B489-47da-8E8E-497228CF8646}.exe	101
PID 2084 wrote to memory of 3496	2084	{EB953A71-B489-47da-8E8E-497228CF8646}.exe	101
PID 2084 wrote to memory of 3496	2084	{EB953A71-B489-47da-8E8E-497228CF8646}.exe	101
PID 4780 wrote to memory of 1904	4780	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe	102
PID 4780 wrote to memory of 1904	4780	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe	102
PID 4780 wrote to memory of 1904	4780	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe	102
PID 4780 wrote to memory of 4552	4780	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe	103
PID 4780 wrote to memory of 4552	4780	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe	103
PID 4780 wrote to memory of 4552	4780	{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe	103
PID 1904 wrote to memory of 4940	1904	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe	104
PID 1904 wrote to memory of 4940	1904	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe	104
PID 1904 wrote to memory of 4940	1904	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe	104
PID 1904 wrote to memory of 388	1904	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe	105
PID 1904 wrote to memory of 388	1904	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe	105
PID 1904 wrote to memory of 388	1904	{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe	105
PID 4940 wrote to memory of 4984	4940	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe	106
PID 4940 wrote to memory of 4984	4940	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe	106
PID 4940 wrote to memory of 4984	4940	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe	106
PID 4940 wrote to memory of 1556	4940	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe	107
PID 4940 wrote to memory of 1556	4940	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe	107
PID 4940 wrote to memory of 1556	4940	{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe	107
PID 4984 wrote to memory of 5004	4984	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe	108
PID 4984 wrote to memory of 5004	4984	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe	108
PID 4984 wrote to memory of 5004	4984	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe	108
PID 4984 wrote to memory of 3956	4984	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe	109
PID 4984 wrote to memory of 3956	4984	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe	109
PID 4984 wrote to memory of 3956	4984	{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe	109
PID 5004 wrote to memory of 1764	5004	{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe	110
PID 5004 wrote to memory of 1764	5004	{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe	110
PID 5004 wrote to memory of 1764	5004	{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe	110
PID 5004 wrote to memory of 3488	5004	{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe	111

C:\Users\Admin\AppData\Local\Temp\b5ee8ba7226561exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\b5ee8ba7226561exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe
  C:\Windows\{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe
    C:\Windows\{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe
      C:\Windows\{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe
        
        C:\Windows\{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
      - C:\Windows\{EB953A71-B489-47da-8E8E-497228CF8646}.exe
        
        C:\Windows\{EB953A71-B489-47da-8E8E-497228CF8646}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe
        
        C:\Windows\{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4780
        
        C:\Windows\{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe
        
        C:\Windows\{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe
        
        C:\Windows\{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe
        
        C:\Windows\{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe
        
        C:\Windows\{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe
        
        C:\Windows\{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\{7DDF9E3B-011A-44a1-B2D0-003E469236EE}.exe
        
        C:\Windows\{7DDF9E3B-011A-44a1-B2D0-003E469236EE}.exe
        13⤵
        Executes dropped EXE
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{607EB~1.EXE > nul
        13⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94B01~1.EXE > nul
        12⤵
        
        PID:3488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEF1B~1.EXE > nul
        11⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F378~1.EXE > nul
        10⤵
        
        PID:1556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29B08~1.EXE > nul
        9⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18D98~1.EXE > nul
        8⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB953~1.EXE > nul
        7⤵
        
        PID:3496
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1E83~1.EXE > nul
        6⤵
        
        PID:3772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C7B9~1.EXE > nul
        5⤵
        
        PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{37AC2~1.EXE > nul
      4⤵
      PID:4192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C1E4B~1.EXE > nul
    3⤵
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B5EE8B~1.EXE > nul
  2⤵
  PID:4800

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe

Filesize
168KB

MD5
b876e312d3151914a75814c9a0239e46

SHA1
3129be65b73846fef942d8478d25ec45aa2a6221

SHA256
11ad39e199c3d9b93c4bd99d7a7d9520f1ef29f7df47be29657efb33a844800d

SHA512
cd61521379b086f1ee661cca2d1b08537195acc72e243244a8e68049a65c3f59a1728da0fb5b76cceefeeab5dc126fdb5c0f02d9d477960a193106ae7f8065a7

Download Submit
C:\Windows\{18D98605-744E-4f8f-B7F7-D6F2FC1EC85B}.exe

Filesize
168KB

MD5
b876e312d3151914a75814c9a0239e46

SHA1
3129be65b73846fef942d8478d25ec45aa2a6221

SHA256
11ad39e199c3d9b93c4bd99d7a7d9520f1ef29f7df47be29657efb33a844800d

SHA512
cd61521379b086f1ee661cca2d1b08537195acc72e243244a8e68049a65c3f59a1728da0fb5b76cceefeeab5dc126fdb5c0f02d9d477960a193106ae7f8065a7

Download Submit
C:\Windows\{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe

Filesize
168KB

MD5
1014120ac06d4139f98e9435dad48c5a

SHA1
2c6a66e6d07a2f71482e83775efaec37188ce339

SHA256
1d6a05a2fbf5feccbfea5f0b4309174d9b8990aba8ce7067edd14bec7572ed16

SHA512
88170ae0dad02d9216b8500bb05995fca2b56cbf9d312430d2ac72e3ebc74781d97dd1b395b7cc97cccdefe2b4b11e4fd49c02c2a8a91746fefcb1da06d6bd15

Download Submit
C:\Windows\{29B082EA-EB14-4f97-A42E-A5DCC51D6943}.exe

Filesize
168KB

MD5
1014120ac06d4139f98e9435dad48c5a

SHA1
2c6a66e6d07a2f71482e83775efaec37188ce339

SHA256
1d6a05a2fbf5feccbfea5f0b4309174d9b8990aba8ce7067edd14bec7572ed16

SHA512
88170ae0dad02d9216b8500bb05995fca2b56cbf9d312430d2ac72e3ebc74781d97dd1b395b7cc97cccdefe2b4b11e4fd49c02c2a8a91746fefcb1da06d6bd15

Download Submit
C:\Windows\{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe

Filesize
168KB

MD5
5de3bce11b869817df53bf6e81e6992c

SHA1
0c5eae63c6e91f034c94218ad417fd49463c6121

SHA256
ec9dc51b91511893a9e6be7f44a6ba4a8bd60f6bbda7b6bea5f2ffde4d9704eb

SHA512
e8a79cdb2687e0523f222f6938f1eb8cc3a6cd51b10df526fb632af8a64cb1589b61aa0bc2957cbc68966a5870c6ed36f4b511ae31bff119550240c25c11b58c

Download Submit
C:\Windows\{37AC2756-BB27-41de-8D96-83F22BA3AE04}.exe

Filesize
168KB

MD5
5de3bce11b869817df53bf6e81e6992c

SHA1
0c5eae63c6e91f034c94218ad417fd49463c6121

SHA256
ec9dc51b91511893a9e6be7f44a6ba4a8bd60f6bbda7b6bea5f2ffde4d9704eb

SHA512
e8a79cdb2687e0523f222f6938f1eb8cc3a6cd51b10df526fb632af8a64cb1589b61aa0bc2957cbc68966a5870c6ed36f4b511ae31bff119550240c25c11b58c

Download Submit
C:\Windows\{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe

Filesize
168KB

MD5
25143bf6dbd6f70f64378068ac178ae3

SHA1
529fd0d034023272ec594a2e76e09024c8fce555

SHA256
6e992829e18ae8b24c57b6e8763caa4438c826dd8a68caff981ae537c8dd79df

SHA512
a76e5674fea80bd9c6a41463497c8ae7ca6acc31a89d03e8230171dce58efc46cf666786352399183d971cd8c1c38c92fb6de3339acabc3a58f6280ab164cb7f

Download Submit
C:\Windows\{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe

Filesize
168KB

MD5
25143bf6dbd6f70f64378068ac178ae3

SHA1
529fd0d034023272ec594a2e76e09024c8fce555

SHA256
6e992829e18ae8b24c57b6e8763caa4438c826dd8a68caff981ae537c8dd79df

SHA512
a76e5674fea80bd9c6a41463497c8ae7ca6acc31a89d03e8230171dce58efc46cf666786352399183d971cd8c1c38c92fb6de3339acabc3a58f6280ab164cb7f

Download Submit
C:\Windows\{5C7B9DA3-9800-4168-8B3D-E62038AE679D}.exe

Filesize
168KB

MD5
25143bf6dbd6f70f64378068ac178ae3

SHA1
529fd0d034023272ec594a2e76e09024c8fce555

SHA256
6e992829e18ae8b24c57b6e8763caa4438c826dd8a68caff981ae537c8dd79df

SHA512
a76e5674fea80bd9c6a41463497c8ae7ca6acc31a89d03e8230171dce58efc46cf666786352399183d971cd8c1c38c92fb6de3339acabc3a58f6280ab164cb7f

Download Submit
C:\Windows\{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe

Filesize
168KB

MD5
53488fdd0e779ba90fa8756e882d9a2d

SHA1
bf5f00a9adf92602fd937c2ec2c635c56357b3eb

SHA256
cf86cc4130c378faba2cf6e1a7ac3f34e94249eee41877a68172567bf7f9fcb1

SHA512
2cf1e5f52f3ca2e5ba0f9c2617f1a6a1c4f93f134181ee2dbbd8abfaa29e19ae270e071f3a28558d6bf4d343c7caca5aac0251d857e5ba1cf86209e4db729c74

Download Submit
C:\Windows\{607EB164-1CF7-4e5c-8C79-68186317A4F3}.exe

Filesize
168KB

MD5
53488fdd0e779ba90fa8756e882d9a2d

SHA1
bf5f00a9adf92602fd937c2ec2c635c56357b3eb

SHA256
cf86cc4130c378faba2cf6e1a7ac3f34e94249eee41877a68172567bf7f9fcb1

SHA512
2cf1e5f52f3ca2e5ba0f9c2617f1a6a1c4f93f134181ee2dbbd8abfaa29e19ae270e071f3a28558d6bf4d343c7caca5aac0251d857e5ba1cf86209e4db729c74

Download Submit
C:\Windows\{7DDF9E3B-011A-44a1-B2D0-003E469236EE}.exe

Filesize
168KB

MD5
36a2d82c019b2c9e1a2d78db7750e9bd

SHA1
ea018842c6ee02dfe79c24c79923f357c6dceb98

SHA256
c0642b65e79c3572bcf5e19887d7032ec5a4ae17182ce3da4fa112cb01b0ba3b

SHA512
19a8349e62f89a21dbb4a9ad09cf6071c11cc61dbd6625c9d1112e47c4059a9f203a1c238aee1d29dfb40edd5d3d8c3f383b7b4736c7da3c2653782d75335c0d

Download Submit
C:\Windows\{7DDF9E3B-011A-44a1-B2D0-003E469236EE}.exe

Filesize
168KB

MD5
36a2d82c019b2c9e1a2d78db7750e9bd

SHA1
ea018842c6ee02dfe79c24c79923f357c6dceb98

SHA256
c0642b65e79c3572bcf5e19887d7032ec5a4ae17182ce3da4fa112cb01b0ba3b

SHA512
19a8349e62f89a21dbb4a9ad09cf6071c11cc61dbd6625c9d1112e47c4059a9f203a1c238aee1d29dfb40edd5d3d8c3f383b7b4736c7da3c2653782d75335c0d

Download Submit
C:\Windows\{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe

Filesize
168KB

MD5
422beef8da150447eb61433415d5f323

SHA1
8e20cac39272439ec59bc04b5ca3144c5a346326

SHA256
aa1cfb42d534e8c1b43dcabb9eb1f5d2ecbcf21145d7e1738bc0636fcb492806

SHA512
17041e172c394ac5f0b8be29f46d633199a9531ab23f023e39e5a3e38f115a4ca288c2cf5aa07ec3e2044c8924baafa9bbbe2aed23f79fff55da0c0991c49991

Download Submit
C:\Windows\{8F378792-C7EF-41f7-A4C5-DDA6A19EA74D}.exe

Filesize
168KB

MD5
422beef8da150447eb61433415d5f323

SHA1
8e20cac39272439ec59bc04b5ca3144c5a346326

SHA256
aa1cfb42d534e8c1b43dcabb9eb1f5d2ecbcf21145d7e1738bc0636fcb492806

SHA512
17041e172c394ac5f0b8be29f46d633199a9531ab23f023e39e5a3e38f115a4ca288c2cf5aa07ec3e2044c8924baafa9bbbe2aed23f79fff55da0c0991c49991

Download Submit
C:\Windows\{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe

Filesize
168KB

MD5
db695a2c0a1d9a4ba98c3ae57e2f3b8b

SHA1
7711a2307c6c989020f7d706f8d8ec20b94c0910

SHA256
8f25b4360e6d00d6a5a85038170f7810f33d60620af7f61729ae2c288dccebaa

SHA512
f90d61a80afbc4abb4e81d1711aa04c4ae07b916037e98298e07a92e31b11b64bc5242ee53be72e0452d4684c2696897a7e24725b2a6418995d4027847a27f42

Download Submit
C:\Windows\{94B014C9-6C07-48d9-ADB2-D79D8FBF8951}.exe

Filesize
168KB

MD5
db695a2c0a1d9a4ba98c3ae57e2f3b8b

SHA1
7711a2307c6c989020f7d706f8d8ec20b94c0910

SHA256
8f25b4360e6d00d6a5a85038170f7810f33d60620af7f61729ae2c288dccebaa

SHA512
f90d61a80afbc4abb4e81d1711aa04c4ae07b916037e98298e07a92e31b11b64bc5242ee53be72e0452d4684c2696897a7e24725b2a6418995d4027847a27f42

Download Submit
C:\Windows\{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe

Filesize
168KB

MD5
4713e056ad387c3fa1670b62a18bf710

SHA1
f088b8363cdf45a86dff647a199f6f8a9c51b5af

SHA256
471d53d84edf7098b06af970734ed2b80afc508394e84a29f5c91e720ccb424f

SHA512
f95382d152be9770de97e1e79a6a1e1bfd93b03434212f53bf2f3d6e6a05596816fa27aea7704a78a7269a4c16cd4c9a9612ea31c254ea1bb7638ac565d45825

Download Submit
C:\Windows\{C1E4B20F-6A2E-472f-AFA3-AA7CA5BBC90A}.exe

Filesize
168KB

MD5
4713e056ad387c3fa1670b62a18bf710

SHA1
f088b8363cdf45a86dff647a199f6f8a9c51b5af

SHA256
471d53d84edf7098b06af970734ed2b80afc508394e84a29f5c91e720ccb424f

SHA512
f95382d152be9770de97e1e79a6a1e1bfd93b03434212f53bf2f3d6e6a05596816fa27aea7704a78a7269a4c16cd4c9a9612ea31c254ea1bb7638ac565d45825

Download Submit
C:\Windows\{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe

Filesize
168KB

MD5
74b94959e2828fccb8b5866879b4327f

SHA1
25feaaa5eed8b2d27ed89ef1fc99961eeb87a80f

SHA256
6a627b2d140138454aa091b65d3dca1902c6a12d6e3528ddfa4ca557f13a3558

SHA512
622df30c9a5cf913db6e281c70c64f8f45c755994017160266cfd10aca7f8cfd9c04571fced8fe6b9d5f23a9560de7d598b7d43bbf219a98964f6aa50d34986b

Download Submit
C:\Windows\{D1E83CF2-7D4C-40bc-A0A2-233C13D13BCF}.exe

Filesize
168KB

MD5
74b94959e2828fccb8b5866879b4327f

SHA1
25feaaa5eed8b2d27ed89ef1fc99961eeb87a80f

SHA256
6a627b2d140138454aa091b65d3dca1902c6a12d6e3528ddfa4ca557f13a3558

SHA512
622df30c9a5cf913db6e281c70c64f8f45c755994017160266cfd10aca7f8cfd9c04571fced8fe6b9d5f23a9560de7d598b7d43bbf219a98964f6aa50d34986b

Download Submit
C:\Windows\{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe

Filesize
168KB

MD5
f6e4182362fbe6851f43a350513941ca

SHA1
d134c81054b5d5a968efb8d61c1ad58f866fedb9

SHA256
a0183ac21e080966a0f680df21106ddaecb25aeb7983626ae402c85dd7a2fc78

SHA512
790e45172d1eddb1a95dbc1263b4b08979111356405b0e4554b4a2f5c1b5d2fef07794473901cf7ad1aea547f85c9910bdd58c8697414836ca1cbc89bd1b44a7

Download Submit
C:\Windows\{DEF1B4F4-1A48-4d30-994C-531BA5F735F9}.exe

Filesize
168KB

MD5
f6e4182362fbe6851f43a350513941ca

SHA1
d134c81054b5d5a968efb8d61c1ad58f866fedb9

SHA256
a0183ac21e080966a0f680df21106ddaecb25aeb7983626ae402c85dd7a2fc78

SHA512
790e45172d1eddb1a95dbc1263b4b08979111356405b0e4554b4a2f5c1b5d2fef07794473901cf7ad1aea547f85c9910bdd58c8697414836ca1cbc89bd1b44a7

Download Submit
C:\Windows\{EB953A71-B489-47da-8E8E-497228CF8646}.exe

Filesize
168KB

MD5
2c2b3424d7a901ab38060c3609e3cd45

SHA1
87863db743f9cc93a7f9de4a2ff308944fe3d925

SHA256
f59b64058ee0c66bda6b271de74f212455cc80d1016a350431f8a2f32e5e3a49

SHA512
55ec3624e393e11cce5559c74a0a806884c2a89f890d7be5f0623180686830d2e832bb261910e45267461f438fa34bf8cb91f3fd0c6eea88859a651aad05c77b

Download Submit
C:\Windows\{EB953A71-B489-47da-8E8E-497228CF8646}.exe

Filesize
168KB

MD5
2c2b3424d7a901ab38060c3609e3cd45

SHA1
87863db743f9cc93a7f9de4a2ff308944fe3d925

SHA256
f59b64058ee0c66bda6b271de74f212455cc80d1016a350431f8a2f32e5e3a49

SHA512
55ec3624e393e11cce5559c74a0a806884c2a89f890d7be5f0623180686830d2e832bb261910e45267461f438fa34bf8cb91f3fd0c6eea88859a651aad05c77b

Download Submit