0c37b798a5d7aaef3c7f8de55cd4a3b7aa60eee7fae52171797743d6312176e2

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2023 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0015838af8857fexe.exe
Size

204KB
MD5

0015838af8857fb448e941e905be2703
SHA1

78944f62d8c03822fa1c483af501e1c2b858238f
SHA256

0c37b798a5d7aaef3c7f8de55cd4a3b7aa60eee7fae52171797743d6312176e2
SHA512

bcd9249d1521a550fd653096d443783c756896b26e36a3b9fe6142cd7c46c6106977aec159cfcc1dfd3acfb6c8ec55f70e499c4cff89ebf3038775df8468eadf
SSDEEP

1536:1EGh0o/l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o/l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44905264-1D62-4776-B44A-E8A1DB7644D6}\stubpath = "C:\\Windows\\{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe"	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3377EA1C-DC0D-4765-B18B-946FA5503951}\stubpath = "C:\\Windows\\{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe"	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30555A5B-6671-4e22-92D2-761AB25B9776}\stubpath = "C:\\Windows\\{30555A5B-6671-4e22-92D2-761AB25B9776}.exe"	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}	0015838af8857fexe.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3377EA1C-DC0D-4765-B18B-946FA5503951}	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30555A5B-6671-4e22-92D2-761AB25B9776}	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20729A52-EA8D-4263-9BCE-43D306C33C42}	{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}\stubpath = "C:\\Windows\\{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe"	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44905264-1D62-4776-B44A-E8A1DB7644D6}	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}\stubpath = "C:\\Windows\\{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe"	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}\stubpath = "C:\\Windows\\{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe"	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}\stubpath = "C:\\Windows\\{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe"	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0878F62-011C-4e90-8E31-4F87E2E84182}	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0878F62-011C-4e90-8E31-4F87E2E84182}\stubpath = "C:\\Windows\\{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe"	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}	{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}\stubpath = "C:\\Windows\\{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe"	{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20729A52-EA8D-4263-9BCE-43D306C33C42}\stubpath = "C:\\Windows\\{20729A52-EA8D-4263-9BCE-43D306C33C42}.exe"	{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}\stubpath = "C:\\Windows\\{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe"	0015838af8857fexe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}\stubpath = "C:\\Windows\\{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe"	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe

Executes dropped EXE 12 IoCs

pid	Process
2112	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe
1900	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe
4808	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe
4116	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe
972	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe
2844	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe
4608	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe
5036	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe
1300	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe
3876	{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe
4132	{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe
4612	{20729A52-EA8D-4263-9BCE-43D306C33C42}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe	0015838af8857fexe.exe
File created	C:\Windows\{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe
File created	C:\Windows\{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe
File created	C:\Windows\{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe
File created	C:\Windows\{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe
File created	C:\Windows\{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe
File created	C:\Windows\{30555A5B-6671-4e22-92D2-761AB25B9776}.exe	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe
File created	C:\Windows\{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe
File created	C:\Windows\{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe	{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe
File created	C:\Windows\{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe
File created	C:\Windows\{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe
File created	C:\Windows\{20729A52-EA8D-4263-9BCE-43D306C33C42}.exe	{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3384	0015838af8857fexe.exe
Token: SeIncBasePriorityPrivilege	2112	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe
Token: SeIncBasePriorityPrivilege	1900	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe
Token: SeIncBasePriorityPrivilege	4808	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe
Token: SeIncBasePriorityPrivilege	4116	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe
Token: SeIncBasePriorityPrivilege	972	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe
Token: SeIncBasePriorityPrivilege	2844	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe
Token: SeIncBasePriorityPrivilege	4608	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe
Token: SeIncBasePriorityPrivilege	5036	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe
Token: SeIncBasePriorityPrivilege	1300	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe
Token: SeIncBasePriorityPrivilege	3876	{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe
Token: SeIncBasePriorityPrivilege	4132	{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3384 wrote to memory of 2112	3384	0015838af8857fexe.exe	80
PID 3384 wrote to memory of 2112	3384	0015838af8857fexe.exe	80
PID 3384 wrote to memory of 2112	3384	0015838af8857fexe.exe	80
PID 3384 wrote to memory of 1012	3384	0015838af8857fexe.exe	81
PID 3384 wrote to memory of 1012	3384	0015838af8857fexe.exe	81
PID 3384 wrote to memory of 1012	3384	0015838af8857fexe.exe	81
PID 2112 wrote to memory of 1900	2112	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe	82
PID 2112 wrote to memory of 1900	2112	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe	82
PID 2112 wrote to memory of 1900	2112	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe	82
PID 2112 wrote to memory of 2848	2112	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe	83
PID 2112 wrote to memory of 2848	2112	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe	83
PID 2112 wrote to memory of 2848	2112	{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe	83
PID 1900 wrote to memory of 4808	1900	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe	85
PID 1900 wrote to memory of 4808	1900	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe	85
PID 1900 wrote to memory of 4808	1900	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe	85
PID 1900 wrote to memory of 3544	1900	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe	84
PID 1900 wrote to memory of 3544	1900	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe	84
PID 1900 wrote to memory of 3544	1900	{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe	84
PID 4808 wrote to memory of 4116	4808	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe	86
PID 4808 wrote to memory of 4116	4808	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe	86
PID 4808 wrote to memory of 4116	4808	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe	86
PID 4808 wrote to memory of 4396	4808	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe	87
PID 4808 wrote to memory of 4396	4808	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe	87
PID 4808 wrote to memory of 4396	4808	{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe	87
PID 4116 wrote to memory of 972	4116	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe	88
PID 4116 wrote to memory of 972	4116	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe	88
PID 4116 wrote to memory of 972	4116	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe	88
PID 4116 wrote to memory of 1460	4116	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe	89
PID 4116 wrote to memory of 1460	4116	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe	89
PID 4116 wrote to memory of 1460	4116	{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe	89
PID 972 wrote to memory of 2844	972	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe	90
PID 972 wrote to memory of 2844	972	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe	90
PID 972 wrote to memory of 2844	972	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe	90
PID 972 wrote to memory of 1684	972	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe	91
PID 972 wrote to memory of 1684	972	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe	91
PID 972 wrote to memory of 1684	972	{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe	91
PID 2844 wrote to memory of 4608	2844	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe	92
PID 2844 wrote to memory of 4608	2844	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe	92
PID 2844 wrote to memory of 4608	2844	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe	92
PID 2844 wrote to memory of 1136	2844	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe	93
PID 2844 wrote to memory of 1136	2844	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe	93
PID 2844 wrote to memory of 1136	2844	{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe	93
PID 4608 wrote to memory of 5036	4608	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe	94
PID 4608 wrote to memory of 5036	4608	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe	94
PID 4608 wrote to memory of 5036	4608	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe	94
PID 4608 wrote to memory of 4892	4608	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe	95
PID 4608 wrote to memory of 4892	4608	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe	95
PID 4608 wrote to memory of 4892	4608	{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe	95
PID 5036 wrote to memory of 1300	5036	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe	96
PID 5036 wrote to memory of 1300	5036	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe	96
PID 5036 wrote to memory of 1300	5036	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe	96
PID 5036 wrote to memory of 2084	5036	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe	97
PID 5036 wrote to memory of 2084	5036	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe	97
PID 5036 wrote to memory of 2084	5036	{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe	97
PID 1300 wrote to memory of 3876	1300	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe	98
PID 1300 wrote to memory of 3876	1300	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe	98
PID 1300 wrote to memory of 3876	1300	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe	98
PID 1300 wrote to memory of 4448	1300	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe	99
PID 1300 wrote to memory of 4448	1300	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe	99
PID 1300 wrote to memory of 4448	1300	{30555A5B-6671-4e22-92D2-761AB25B9776}.exe	99
PID 3876 wrote to memory of 4132	3876	{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe	100
PID 3876 wrote to memory of 4132	3876	{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe	100
PID 3876 wrote to memory of 4132	3876	{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe	100
PID 3876 wrote to memory of 4192	3876	{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe	101

C:\Users\Admin\AppData\Local\Temp\0015838af8857fexe.exe
"C:\Users\Admin\AppData\Local\Temp\0015838af8857fexe.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3384
- C:\Windows\{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe
  C:\Windows\{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe
    C:\Windows\{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C2D72~1.EXE > nul
      4⤵
      PID:3544
  - - C:\Windows\{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe
      C:\Windows\{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4808
    - - C:\Windows\{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe
        
        C:\Windows\{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4116
      - C:\Windows\{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe
        
        C:\Windows\{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Windows\{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe
        
        C:\Windows\{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe
        
        C:\Windows\{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4608
        
        C:\Windows\{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe
        
        C:\Windows\{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\{30555A5B-6671-4e22-92D2-761AB25B9776}.exe
        
        C:\Windows\{30555A5B-6671-4e22-92D2-761AB25B9776}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe
        
        C:\Windows\{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe
        
        C:\Windows\{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\{20729A52-EA8D-4263-9BCE-43D306C33C42}.exe
        
        C:\Windows\{20729A52-EA8D-4263-9BCE-43D306C33C42}.exe
        13⤵
        Executes dropped EXE
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6A5A0~1.EXE > nul
        13⤵
        
        PID:3800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0878~1.EXE > nul
        12⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30555~1.EXE > nul
        11⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3377E~1.EXE > nul
        10⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3D63~1.EXE > nul
        9⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44905~1.EXE > nul
        8⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88623~1.EXE > nul
        7⤵
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{131AF~1.EXE > nul
        6⤵
        
        PID:1460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E1F6~1.EXE > nul
        5⤵
        
        PID:4396
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F43F5~1.EXE > nul
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\001583~1.EXE > nul
  2⤵
  PID:1012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe

Filesize
204KB

MD5
16d0917a067c4c0982aead5d4533a4ea

SHA1
970b0dfe051cdb4fd0fd20da675f3f8203a6556c

SHA256
83b8092d97f5a358a6ed8cb00a6f85f3235b8bd71a7f55432b3253773e23abe0

SHA512
7a6c42f8b6eccdaca3da6b7a50c9ab750616ac58fadb004da493f40a9a491ec08ba29a83a0a9b359c9b9e8e17d44322add25ffe9bd2350bdadf9a7f5c61138eb

Download Submit
C:\Windows\{131AF38A-8EAA-453f-A87B-1AFDC884DC9E}.exe

Filesize
204KB

MD5
16d0917a067c4c0982aead5d4533a4ea

SHA1
970b0dfe051cdb4fd0fd20da675f3f8203a6556c

SHA256
83b8092d97f5a358a6ed8cb00a6f85f3235b8bd71a7f55432b3253773e23abe0

SHA512
7a6c42f8b6eccdaca3da6b7a50c9ab750616ac58fadb004da493f40a9a491ec08ba29a83a0a9b359c9b9e8e17d44322add25ffe9bd2350bdadf9a7f5c61138eb

Download Submit
C:\Windows\{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe

Filesize
204KB

MD5
994d990fbcc083ea82ec037cead0b9a7

SHA1
ede5cfeb389d4448602c8a7aff9e91802f45a48b

SHA256
a2f7ef5db09c6e43f9eb1d728e21f3abf4a851ed8e76403eb43a7bb813326e22

SHA512
fa2ee7701f7594bfb94871c7d70b4e3231c9ad159c74d3421ddfa966ed3439d82989071350b4728bec3e7d0e7d0ad1850b6503c1b6d19121c1564e0677802f55

Download Submit
C:\Windows\{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe

Filesize
204KB

MD5
994d990fbcc083ea82ec037cead0b9a7

SHA1
ede5cfeb389d4448602c8a7aff9e91802f45a48b

SHA256
a2f7ef5db09c6e43f9eb1d728e21f3abf4a851ed8e76403eb43a7bb813326e22

SHA512
fa2ee7701f7594bfb94871c7d70b4e3231c9ad159c74d3421ddfa966ed3439d82989071350b4728bec3e7d0e7d0ad1850b6503c1b6d19121c1564e0677802f55

Download Submit
C:\Windows\{1E1F6055-5CD3-4130-B4BF-D375D16BEF88}.exe

Filesize
204KB

MD5
994d990fbcc083ea82ec037cead0b9a7

SHA1
ede5cfeb389d4448602c8a7aff9e91802f45a48b

SHA256
a2f7ef5db09c6e43f9eb1d728e21f3abf4a851ed8e76403eb43a7bb813326e22

SHA512
fa2ee7701f7594bfb94871c7d70b4e3231c9ad159c74d3421ddfa966ed3439d82989071350b4728bec3e7d0e7d0ad1850b6503c1b6d19121c1564e0677802f55

Download Submit
C:\Windows\{20729A52-EA8D-4263-9BCE-43D306C33C42}.exe

Filesize
204KB

MD5
b4e9ebfa139ba31a08c01eb220d0c194

SHA1
b85794f2d04767b17b3f76b1e6958dc3c96153db

SHA256
fda808f15e897aa03185324308d6f4b1884f21d9613946807e3322c416cbc544

SHA512
e8251b157c264a4fab8fd27f58b63ed3d1dcd8818de29a1c7ca1e9c82ce29d7e02994bd261ad36e2963ec297d83887a3921980eb959865ddf1106f5c71649530

Download Submit
C:\Windows\{20729A52-EA8D-4263-9BCE-43D306C33C42}.exe

Filesize
204KB

MD5
b4e9ebfa139ba31a08c01eb220d0c194

SHA1
b85794f2d04767b17b3f76b1e6958dc3c96153db

SHA256
fda808f15e897aa03185324308d6f4b1884f21d9613946807e3322c416cbc544

SHA512
e8251b157c264a4fab8fd27f58b63ed3d1dcd8818de29a1c7ca1e9c82ce29d7e02994bd261ad36e2963ec297d83887a3921980eb959865ddf1106f5c71649530

Download Submit
C:\Windows\{30555A5B-6671-4e22-92D2-761AB25B9776}.exe

Filesize
204KB

MD5
bc01e9c4cb48a60ac915bde9ba0159a2

SHA1
284f10808ce08fd761598126cc319d177ab671b3

SHA256
c2499019ed62a26571a605825b710c147a89cdeb95c7ffae1a4b5d22be8126a1

SHA512
ee2a48037454a23362a2e92c91e3681c3278cf51c84e17c8c603b0a82fada09006b3e38776f8ffbf0cd68b5f3da4f45c72ff770c51d02b64893fb492de45a091

Download Submit
C:\Windows\{30555A5B-6671-4e22-92D2-761AB25B9776}.exe

Filesize
204KB

MD5
bc01e9c4cb48a60ac915bde9ba0159a2

SHA1
284f10808ce08fd761598126cc319d177ab671b3

SHA256
c2499019ed62a26571a605825b710c147a89cdeb95c7ffae1a4b5d22be8126a1

SHA512
ee2a48037454a23362a2e92c91e3681c3278cf51c84e17c8c603b0a82fada09006b3e38776f8ffbf0cd68b5f3da4f45c72ff770c51d02b64893fb492de45a091

Download Submit
C:\Windows\{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe

Filesize
204KB

MD5
caacd7cb8148842ada5249b8f5211282

SHA1
acc37206210366f2bf97b9b8e90a19f3f9dd918f

SHA256
757d358ef027cb2a6f38f0bea51f6b6a383ba937fd1496d7226a3c25d7e3b191

SHA512
8f9714c92271437370013faaab7eff38bd63aeda98eb0600b4b200c991143351322bb4287d7e1abae2776e8928c1cdc42eb4d7d4741d0e2199439d79ce00d1e5

Download Submit
C:\Windows\{3377EA1C-DC0D-4765-B18B-946FA5503951}.exe

Filesize
204KB

MD5
caacd7cb8148842ada5249b8f5211282

SHA1
acc37206210366f2bf97b9b8e90a19f3f9dd918f

SHA256
757d358ef027cb2a6f38f0bea51f6b6a383ba937fd1496d7226a3c25d7e3b191

SHA512
8f9714c92271437370013faaab7eff38bd63aeda98eb0600b4b200c991143351322bb4287d7e1abae2776e8928c1cdc42eb4d7d4741d0e2199439d79ce00d1e5

Download Submit
C:\Windows\{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe

Filesize
204KB

MD5
5deca6a117020e7a0a45182d16329a5c

SHA1
dffe04c0b91331b42045ec2997d88810f7c328a3

SHA256
a4d25fe6ddd9bd4b5e4de94353855086079bde5c62c1967327e12ab27b637aba

SHA512
1f60bef3ab978f399a0dc394e49980e994801b95f542b424d0e4aa7a66282e593ee294a9671827099f2128c2cab4bd8a78a687d938da11cd5fca335d34d7ae1d

Download Submit
C:\Windows\{44905264-1D62-4776-B44A-E8A1DB7644D6}.exe

Filesize
204KB

MD5
5deca6a117020e7a0a45182d16329a5c

SHA1
dffe04c0b91331b42045ec2997d88810f7c328a3

SHA256
a4d25fe6ddd9bd4b5e4de94353855086079bde5c62c1967327e12ab27b637aba

SHA512
1f60bef3ab978f399a0dc394e49980e994801b95f542b424d0e4aa7a66282e593ee294a9671827099f2128c2cab4bd8a78a687d938da11cd5fca335d34d7ae1d

Download Submit
C:\Windows\{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe

Filesize
204KB

MD5
bae773680fa4adb91044be661b0f434a

SHA1
6ff7ee86dcb61bd8da8292816f5b185106930fc4

SHA256
dd1c2b8c6e7e4e78cf9a54d3133685ee43d5127540b95f1de6acdc2e95120ed8

SHA512
ca57140ee439d8c665a4681f8c007bfa453e385185e180a92876446894c3977aa621a1fb3f18f38de91e20e4e92e10ae75774962e9572bef666fe00d46174464

Download Submit
C:\Windows\{6A5A09B9-5311-4836-82CB-CF56ADBE8A84}.exe

Filesize
204KB

MD5
bae773680fa4adb91044be661b0f434a

SHA1
6ff7ee86dcb61bd8da8292816f5b185106930fc4

SHA256
dd1c2b8c6e7e4e78cf9a54d3133685ee43d5127540b95f1de6acdc2e95120ed8

SHA512
ca57140ee439d8c665a4681f8c007bfa453e385185e180a92876446894c3977aa621a1fb3f18f38de91e20e4e92e10ae75774962e9572bef666fe00d46174464

Download Submit
C:\Windows\{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe

Filesize
204KB

MD5
4b8804dfd6a21885cc21a62ecc271f03

SHA1
a2ff966c2072eacfacf185be2c981345cf103a0d

SHA256
935af740e910259e8322157cdb2f71577c46bb4f53e3d391078c6dc873791ce0

SHA512
13b1409933977bbae7cd990e9b50ddc092b03f4da998bd2e030fe436ee4ebe595596aa2dcb94cc40d0da68f62229132cd64554072e67c904453093d46532e628

Download Submit
C:\Windows\{88623188-6B2A-4bf4-94D6-4FD02F83C3D4}.exe

Filesize
204KB

MD5
4b8804dfd6a21885cc21a62ecc271f03

SHA1
a2ff966c2072eacfacf185be2c981345cf103a0d

SHA256
935af740e910259e8322157cdb2f71577c46bb4f53e3d391078c6dc873791ce0

SHA512
13b1409933977bbae7cd990e9b50ddc092b03f4da998bd2e030fe436ee4ebe595596aa2dcb94cc40d0da68f62229132cd64554072e67c904453093d46532e628

Download Submit
C:\Windows\{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe

Filesize
204KB

MD5
6364886b0e57edc881f3ca64bae2c910

SHA1
44dbd714651b3fc87e470902f3153dd25daca867

SHA256
50aaf702694d87c3f7770d5f8963d623891ffb22f3215f48d04d960243e1921f

SHA512
73274313289428544c7a7ad4b3d3e658fa9f6b31edd8dd635174b2d344dfb294d3822bb2a8d2bba113a549bdf0fafd8ebb7fe3b10d5f8ee2fa9568f6b2453035

Download Submit
C:\Windows\{A0878F62-011C-4e90-8E31-4F87E2E84182}.exe

Filesize
204KB

MD5
6364886b0e57edc881f3ca64bae2c910

SHA1
44dbd714651b3fc87e470902f3153dd25daca867

SHA256
50aaf702694d87c3f7770d5f8963d623891ffb22f3215f48d04d960243e1921f

SHA512
73274313289428544c7a7ad4b3d3e658fa9f6b31edd8dd635174b2d344dfb294d3822bb2a8d2bba113a549bdf0fafd8ebb7fe3b10d5f8ee2fa9568f6b2453035

Download Submit
C:\Windows\{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe

Filesize
204KB

MD5
f1d3dc1586a772f2fb5adec633536909

SHA1
8caa0657f3c735b5d96f475d1e7ae91998a71309

SHA256
a2855cae9e676f99634f6d9b1249ec8949fd3fb4c9d5e5e0198554cca0f47457

SHA512
0e510e188b1118e1629019493fe84826491f56c65ff8b06923e485b3d64b30998d7ce32b70b6ad69f8b14a2420560091ef906212fae530b6f51449c5c423acba

Download Submit
C:\Windows\{A3D6346E-F918-4ef8-B7C9-D463C2746D2C}.exe

Filesize
204KB

MD5
f1d3dc1586a772f2fb5adec633536909

SHA1
8caa0657f3c735b5d96f475d1e7ae91998a71309

SHA256
a2855cae9e676f99634f6d9b1249ec8949fd3fb4c9d5e5e0198554cca0f47457

SHA512
0e510e188b1118e1629019493fe84826491f56c65ff8b06923e485b3d64b30998d7ce32b70b6ad69f8b14a2420560091ef906212fae530b6f51449c5c423acba

Download Submit
C:\Windows\{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe

Filesize
204KB

MD5
b2b5464cdab58f2f9722e6b063f8476c

SHA1
52551017998989d4b48689ea0a32a99219600419

SHA256
1113fccb9d4a801d5d66c87c7e8316b086611dfeea4dea836229eb6dd90d64e0

SHA512
3f8b18b563acde1df02f292d4d51129196ffd93301becffc040cebfb0cf2a566ab162d679bf79f6693e722cccd7d838aa1a0d35cbcc918b1a3e1ff269b99d21d

Download Submit
C:\Windows\{C2D72FCC-299B-45ab-AB53-F6E46BD16CC2}.exe

Filesize
204KB

MD5
b2b5464cdab58f2f9722e6b063f8476c

SHA1
52551017998989d4b48689ea0a32a99219600419

SHA256
1113fccb9d4a801d5d66c87c7e8316b086611dfeea4dea836229eb6dd90d64e0

SHA512
3f8b18b563acde1df02f292d4d51129196ffd93301becffc040cebfb0cf2a566ab162d679bf79f6693e722cccd7d838aa1a0d35cbcc918b1a3e1ff269b99d21d

Download Submit
C:\Windows\{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe

Filesize
204KB

MD5
82b27a3605a64448e111c77807458239

SHA1
2750aee0007cf307e64713e1da1667d2ae1e895d

SHA256
a5c3271ac3819d86cab7d3395d61b4293ae384091f5f035c6bc8347b8a9c2983

SHA512
853e5d0f42ea18dd74027bddb5d932e3f9972ef4f5dcf4f2a81905d56c4b407864a9a6f0328ef78576ae2323876bfa288dcb016b8b46c138df0075270fa77250

Download Submit
C:\Windows\{F43F5AB1-4F01-4577-BE3E-D6AC58C70339}.exe

Filesize
204KB

MD5
82b27a3605a64448e111c77807458239

SHA1
2750aee0007cf307e64713e1da1667d2ae1e895d

SHA256
a5c3271ac3819d86cab7d3395d61b4293ae384091f5f035c6bc8347b8a9c2983

SHA512
853e5d0f42ea18dd74027bddb5d932e3f9972ef4f5dcf4f2a81905d56c4b407864a9a6f0328ef78576ae2323876bfa288dcb016b8b46c138df0075270fa77250

Download Submit