8f50d2307223b6bfa4f5d400a352c4d26e65a1103f0529e501e2c2238880805a

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 16:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f7b02348b7f51exeexeexeex.exe
Size

372KB
MD5

0f7b02348b7f517800d67f56c78dbcef
SHA1

e069d47d34cc39a805f0c061933e85e0fbca7290
SHA256

8f50d2307223b6bfa4f5d400a352c4d26e65a1103f0529e501e2c2238880805a
SHA512

a58893a8c48283404bafdbb4c2f2beb08d0036243d1a9353e617a3025e003b7a08fccd655a0f8f4be704cbc840960b2d43ed0245777c98c0ccd56cc5a659dfd0
SSDEEP

3072:CEGh0otmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGKl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC041C88-708B-4d8b-BF60-6971A75E6CA7}	{1E2A04AA-16D3-493d-9109-307C043F5987}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6E9D11B-842B-4c20-A28B-5194414E5DBA}	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6E9D11B-842B-4c20-A28B-5194414E5DBA}\stubpath = "C:\\Windows\\{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe"	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A39D8F3-9E07-4119-BF78-546E9595C799}	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3B2E7EA-1003-4009-BD97-509908C39F6A}\stubpath = "C:\\Windows\\{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe"	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AEE01F2-C03A-4c6f-B1E1-51072539475F}	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{315DBF33-0DE9-41c9-8F30-9F5F8027B740}\stubpath = "C:\\Windows\\{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe"	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AEE01F2-C03A-4c6f-B1E1-51072539475F}\stubpath = "C:\\Windows\\{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe"	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3B2E7EA-1003-4009-BD97-509908C39F6A}	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E2A04AA-16D3-493d-9109-307C043F5987}\stubpath = "C:\\Windows\\{1E2A04AA-16D3-493d-9109-307C043F5987}.exe"	{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{702B38CF-CC59-4511-88BB-13BCB7D60342}\stubpath = "C:\\Windows\\{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe"	0f7b02348b7f51exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}\stubpath = "C:\\Windows\\{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe"	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}\stubpath = "C:\\Windows\\{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe"	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}\stubpath = "C:\\Windows\\{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe"	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A39D8F3-9E07-4119-BF78-546E9595C799}\stubpath = "C:\\Windows\\{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe"	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E2A04AA-16D3-493d-9109-307C043F5987}	{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC041C88-708B-4d8b-BF60-6971A75E6CA7}\stubpath = "C:\\Windows\\{DC041C88-708B-4d8b-BF60-6971A75E6CA7}.exe"	{1E2A04AA-16D3-493d-9109-307C043F5987}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{702B38CF-CC59-4511-88BB-13BCB7D60342}	0f7b02348b7f51exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}\stubpath = "C:\\Windows\\{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe"	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{315DBF33-0DE9-41c9-8F30-9F5F8027B740}	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4888	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe
4480	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe
1628	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe
1992	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe
3544	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe
540	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe
1924	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe
800	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe
3440	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe
4144	{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe
2484	{1E2A04AA-16D3-493d-9109-307C043F5987}.exe
4548	{DC041C88-708B-4d8b-BF60-6971A75E6CA7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe
File created	C:\Windows\{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe
File created	C:\Windows\{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe
File created	C:\Windows\{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe
File created	C:\Windows\{1E2A04AA-16D3-493d-9109-307C043F5987}.exe	{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe
File created	C:\Windows\{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe
File created	C:\Windows\{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe
File created	C:\Windows\{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe
File created	C:\Windows\{DC041C88-708B-4d8b-BF60-6971A75E6CA7}.exe	{1E2A04AA-16D3-493d-9109-307C043F5987}.exe
File created	C:\Windows\{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe	0f7b02348b7f51exeexeexeex.exe
File created	C:\Windows\{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe
File created	C:\Windows\{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	848	0f7b02348b7f51exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4888	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe
Token: SeIncBasePriorityPrivilege	4480	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe
Token: SeIncBasePriorityPrivilege	1628	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe
Token: SeIncBasePriorityPrivilege	1992	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe
Token: SeIncBasePriorityPrivilege	3544	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe
Token: SeIncBasePriorityPrivilege	540	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe
Token: SeIncBasePriorityPrivilege	1924	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe
Token: SeIncBasePriorityPrivilege	800	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe
Token: SeIncBasePriorityPrivilege	3440	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe
Token: SeIncBasePriorityPrivilege	4144	{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe
Token: SeIncBasePriorityPrivilege	2484	{1E2A04AA-16D3-493d-9109-307C043F5987}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 4888	848	0f7b02348b7f51exeexeexeex.exe	84
PID 848 wrote to memory of 4888	848	0f7b02348b7f51exeexeexeex.exe	84
PID 848 wrote to memory of 4888	848	0f7b02348b7f51exeexeexeex.exe	84
PID 848 wrote to memory of 3640	848	0f7b02348b7f51exeexeexeex.exe	85
PID 848 wrote to memory of 3640	848	0f7b02348b7f51exeexeexeex.exe	85
PID 848 wrote to memory of 3640	848	0f7b02348b7f51exeexeexeex.exe	85
PID 4888 wrote to memory of 4480	4888	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe	86
PID 4888 wrote to memory of 4480	4888	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe	86
PID 4888 wrote to memory of 4480	4888	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe	86
PID 4888 wrote to memory of 1868	4888	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe	87
PID 4888 wrote to memory of 1868	4888	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe	87
PID 4888 wrote to memory of 1868	4888	{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe	87
PID 4480 wrote to memory of 1628	4480	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe	91
PID 4480 wrote to memory of 1628	4480	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe	91
PID 4480 wrote to memory of 1628	4480	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe	91
PID 4480 wrote to memory of 948	4480	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe	92
PID 4480 wrote to memory of 948	4480	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe	92
PID 4480 wrote to memory of 948	4480	{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe	92
PID 1628 wrote to memory of 1992	1628	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe	93
PID 1628 wrote to memory of 1992	1628	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe	93
PID 1628 wrote to memory of 1992	1628	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe	93
PID 1628 wrote to memory of 3992	1628	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe	94
PID 1628 wrote to memory of 3992	1628	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe	94
PID 1628 wrote to memory of 3992	1628	{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe	94
PID 1992 wrote to memory of 3544	1992	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe	95
PID 1992 wrote to memory of 3544	1992	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe	95
PID 1992 wrote to memory of 3544	1992	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe	95
PID 1992 wrote to memory of 1524	1992	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe	96
PID 1992 wrote to memory of 1524	1992	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe	96
PID 1992 wrote to memory of 1524	1992	{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe	96
PID 3544 wrote to memory of 540	3544	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe	97
PID 3544 wrote to memory of 540	3544	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe	97
PID 3544 wrote to memory of 540	3544	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe	97
PID 3544 wrote to memory of 4200	3544	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe	98
PID 3544 wrote to memory of 4200	3544	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe	98
PID 3544 wrote to memory of 4200	3544	{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe	98
PID 540 wrote to memory of 1924	540	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe	99
PID 540 wrote to memory of 1924	540	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe	99
PID 540 wrote to memory of 1924	540	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe	99
PID 540 wrote to memory of 1620	540	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe	100
PID 540 wrote to memory of 1620	540	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe	100
PID 540 wrote to memory of 1620	540	{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe	100
PID 1924 wrote to memory of 800	1924	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe	101
PID 1924 wrote to memory of 800	1924	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe	101
PID 1924 wrote to memory of 800	1924	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe	101
PID 1924 wrote to memory of 624	1924	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe	102
PID 1924 wrote to memory of 624	1924	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe	102
PID 1924 wrote to memory of 624	1924	{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe	102
PID 800 wrote to memory of 3440	800	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe	103
PID 800 wrote to memory of 3440	800	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe	103
PID 800 wrote to memory of 3440	800	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe	103
PID 800 wrote to memory of 5036	800	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe	104
PID 800 wrote to memory of 5036	800	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe	104
PID 800 wrote to memory of 5036	800	{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe	104
PID 3440 wrote to memory of 4144	3440	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe	105
PID 3440 wrote to memory of 4144	3440	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe	105
PID 3440 wrote to memory of 4144	3440	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe	105
PID 3440 wrote to memory of 3204	3440	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe	106
PID 3440 wrote to memory of 3204	3440	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe	106
PID 3440 wrote to memory of 3204	3440	{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe	106
PID 4144 wrote to memory of 2484	4144	{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe	107
PID 4144 wrote to memory of 2484	4144	{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe	107
PID 4144 wrote to memory of 2484	4144	{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe	107
PID 4144 wrote to memory of 4728	4144	{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe	108

C:\Users\Admin\AppData\Local\Temp\0f7b02348b7f51exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\0f7b02348b7f51exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe
  C:\Windows\{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4888
- - C:\Windows\{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe
    C:\Windows\{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe
      C:\Windows\{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Windows\{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe
        
        C:\Windows\{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
      - C:\Windows\{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe
        
        C:\Windows\{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Windows\{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe
        
        C:\Windows\{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:540
        
        C:\Windows\{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe
        
        C:\Windows\{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe
        
        C:\Windows\{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:800
        
        C:\Windows\{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe
        
        C:\Windows\{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe
        
        C:\Windows\{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4144
        
        C:\Windows\{1E2A04AA-16D3-493d-9109-307C043F5987}.exe
        
        C:\Windows\{1E2A04AA-16D3-493d-9109-307C043F5987}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\{DC041C88-708B-4d8b-BF60-6971A75E6CA7}.exe
        
        C:\Windows\{DC041C88-708B-4d8b-BF60-6971A75E6CA7}.exe
        13⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1E2A0~1.EXE > nul
        13⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3B2E~1.EXE > nul
        12⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A39D~1.EXE > nul
        11⤵
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{315DB~1.EXE > nul
        10⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AEE0~1.EXE > nul
        9⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCDE1~1.EXE > nul
        8⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{63BD7~1.EXE > nul
        7⤵
        
        PID:4200
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92357~1.EXE > nul
        6⤵
        
        PID:1524
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E04D4~1.EXE > nul
        5⤵
        
        PID:3992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6E9D~1.EXE > nul
      4⤵
      PID:948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{702B3~1.EXE > nul
    3⤵
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0F7B02~1.EXE > nul
  2⤵
  PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe

Filesize
372KB

MD5
2b695b4578097a6fb4bd4857bf317338

SHA1
0f4766d915324e16e380f152ac470674774a8185

SHA256
cf9a86c30f772c4eb574d5a34aeb21ef0382f27164032bb8d38980784a4ac2e2

SHA512
4afabedebd28cacecb3b4e61086f90119e6b4fe426c6b448e63eb995bd172d5bb7f6d3e0254e852618a67a87f6dc6f1d3460bcfe5b2c96b796ae99cd1eb85acf

Download Submit
C:\Windows\{1AEE01F2-C03A-4c6f-B1E1-51072539475F}.exe

Filesize
372KB

MD5
2b695b4578097a6fb4bd4857bf317338

SHA1
0f4766d915324e16e380f152ac470674774a8185

SHA256
cf9a86c30f772c4eb574d5a34aeb21ef0382f27164032bb8d38980784a4ac2e2

SHA512
4afabedebd28cacecb3b4e61086f90119e6b4fe426c6b448e63eb995bd172d5bb7f6d3e0254e852618a67a87f6dc6f1d3460bcfe5b2c96b796ae99cd1eb85acf

Download Submit
C:\Windows\{1E2A04AA-16D3-493d-9109-307C043F5987}.exe

Filesize
372KB

MD5
8112b6f6f48ba87b5ad42ae7dd43bdaf

SHA1
44219b2bfc887476cadd08a230dfae7eb9916db6

SHA256
89b6f79b77fd8856fe7dbcfc6914f14e0a8afc0a60068c0e5e9a8fc925571f98

SHA512
26058cb6ddc35509c2fb709b34c52798a37234d8b5fa885608baed3a4f108e30dcd27ba29e8d6a937ec1339008af55aa2ea8101744642a646f7c1a9567e6a249

Download Submit
C:\Windows\{1E2A04AA-16D3-493d-9109-307C043F5987}.exe

Filesize
372KB

MD5
8112b6f6f48ba87b5ad42ae7dd43bdaf

SHA1
44219b2bfc887476cadd08a230dfae7eb9916db6

SHA256
89b6f79b77fd8856fe7dbcfc6914f14e0a8afc0a60068c0e5e9a8fc925571f98

SHA512
26058cb6ddc35509c2fb709b34c52798a37234d8b5fa885608baed3a4f108e30dcd27ba29e8d6a937ec1339008af55aa2ea8101744642a646f7c1a9567e6a249

Download Submit
C:\Windows\{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe

Filesize
372KB

MD5
7ed424ec18a754b029a8bfae851d00f1

SHA1
4a28fdb48e686b4a5806cceea293744804f554c5

SHA256
6bc99580fe1eaac263aa35ad505a1bc51297d3c7b01d48004ee0306be48677e1

SHA512
26edd0d384ee26dff0d15d352f94eb4c73711fd82dccbeaa7d1cd54d29f0d6e11a909a8ec18f2cbfad6b367b6ae8d3ddfcb24c89ef7c2a6c4201ab5bf7e5c57f

Download Submit
C:\Windows\{315DBF33-0DE9-41c9-8F30-9F5F8027B740}.exe

Filesize
372KB

MD5
7ed424ec18a754b029a8bfae851d00f1

SHA1
4a28fdb48e686b4a5806cceea293744804f554c5

SHA256
6bc99580fe1eaac263aa35ad505a1bc51297d3c7b01d48004ee0306be48677e1

SHA512
26edd0d384ee26dff0d15d352f94eb4c73711fd82dccbeaa7d1cd54d29f0d6e11a909a8ec18f2cbfad6b367b6ae8d3ddfcb24c89ef7c2a6c4201ab5bf7e5c57f

Download Submit
C:\Windows\{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe

Filesize
372KB

MD5
70ee4fd945f9e3890d4199b44ba3cf1c

SHA1
03ac224abb73407c58e8016bde6b308be1b443a8

SHA256
55ede7c818ddde17b3a8dc658bbe9e3f9222c99a020efb568e4a5fb40b46cb1d

SHA512
7158b46ee1ef406fe283bf5bed36954cdeb1211f493554b6f74cb926e938c7c93878b3e37bf19cfc43cad59c0a84fc3140fe704bb3bb669369c6934420bf5730

Download Submit
C:\Windows\{63BD70CB-DFFA-4056-BFC6-F512F5E2D1CC}.exe

Filesize
372KB

MD5
70ee4fd945f9e3890d4199b44ba3cf1c

SHA1
03ac224abb73407c58e8016bde6b308be1b443a8

SHA256
55ede7c818ddde17b3a8dc658bbe9e3f9222c99a020efb568e4a5fb40b46cb1d

SHA512
7158b46ee1ef406fe283bf5bed36954cdeb1211f493554b6f74cb926e938c7c93878b3e37bf19cfc43cad59c0a84fc3140fe704bb3bb669369c6934420bf5730

Download Submit
C:\Windows\{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe

Filesize
372KB

MD5
c762d5cf31c14f24725712a15711f0be

SHA1
12de0e3ebc63151afa655abf4a98ea639fff41c3

SHA256
bc542f0936622572fa6c7cad994dbbccd052dd0c1981f684810acd3c5ac4902c

SHA512
af40838757da45f32aee72208e236af82e364c9592e91f8dae06a970fb7938d45c8f82e5f53d08861d7af256ae1a12edbfe21fcd1d3f20a7127b5a4609c498a8

Download Submit
C:\Windows\{702B38CF-CC59-4511-88BB-13BCB7D60342}.exe

Filesize
372KB

MD5
c762d5cf31c14f24725712a15711f0be

SHA1
12de0e3ebc63151afa655abf4a98ea639fff41c3

SHA256
bc542f0936622572fa6c7cad994dbbccd052dd0c1981f684810acd3c5ac4902c

SHA512
af40838757da45f32aee72208e236af82e364c9592e91f8dae06a970fb7938d45c8f82e5f53d08861d7af256ae1a12edbfe21fcd1d3f20a7127b5a4609c498a8

Download Submit
C:\Windows\{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe

Filesize
372KB

MD5
25ac0b48ff5d80f2943bda918ee760f0

SHA1
4820e68f3f53f52ac1506cac42f2bf7331ae7787

SHA256
eebe9d0f1c29daaeaff30453f057662e650c7c32c90b99d9967c0feb48b5da65

SHA512
2a22e7adb3fc5eef4c53c82e16c7331e52b311bca047453206a9041f1cb67d9191ff9a3536c7e06de3c8fb26f81ea1b2491979f753718c65172a11c6dd95b8a8

Download Submit
C:\Windows\{923577D3-B2D1-4be5-9CDC-BF75ABF8D247}.exe

Filesize
372KB

MD5
25ac0b48ff5d80f2943bda918ee760f0

SHA1
4820e68f3f53f52ac1506cac42f2bf7331ae7787

SHA256
eebe9d0f1c29daaeaff30453f057662e650c7c32c90b99d9967c0feb48b5da65

SHA512
2a22e7adb3fc5eef4c53c82e16c7331e52b311bca047453206a9041f1cb67d9191ff9a3536c7e06de3c8fb26f81ea1b2491979f753718c65172a11c6dd95b8a8

Download Submit
C:\Windows\{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe

Filesize
372KB

MD5
f68760ea520b4a0fe37f504dae0a280f

SHA1
c3a7a8ae2d64264c925ffd3a86a0242e62e937bf

SHA256
77b0d82fc8c1e10b181e4a9fd24292e4d9fd36628e8414f5fcf3cfa43b27798d

SHA512
22707915eac4ea98531e1c8052d0e2e2925ccf576cacc970403825c56161c4ebca4f99336c8e64cd68e73ae9fdd8cb2f5b454d005943a4d95a71bf3e877b4ec2

Download Submit
C:\Windows\{9A39D8F3-9E07-4119-BF78-546E9595C799}.exe

Filesize
372KB

MD5
f68760ea520b4a0fe37f504dae0a280f

SHA1
c3a7a8ae2d64264c925ffd3a86a0242e62e937bf

SHA256
77b0d82fc8c1e10b181e4a9fd24292e4d9fd36628e8414f5fcf3cfa43b27798d

SHA512
22707915eac4ea98531e1c8052d0e2e2925ccf576cacc970403825c56161c4ebca4f99336c8e64cd68e73ae9fdd8cb2f5b454d005943a4d95a71bf3e877b4ec2

Download Submit
C:\Windows\{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe

Filesize
372KB

MD5
43f76f5bdea384588bc9ac37b95b514e

SHA1
acf9726886bad38b9aaf8e096bdeec11745783d0

SHA256
e7b8af1db2223079fd791a584d1a3b787affaa83bde2afbb7e7b26c2458bebb9

SHA512
b2f8719dc23c8ef1b81dd52f1d2c33c084c191fefaa3a6a56cb12268a3efb2e2c4512ee66501e07d17093e42d3682e6148d18c7b73ba0011f6cab31cb661dc26

Download Submit
C:\Windows\{B6E9D11B-842B-4c20-A28B-5194414E5DBA}.exe

Filesize
372KB

MD5
43f76f5bdea384588bc9ac37b95b514e

SHA1
acf9726886bad38b9aaf8e096bdeec11745783d0

SHA256
e7b8af1db2223079fd791a584d1a3b787affaa83bde2afbb7e7b26c2458bebb9

SHA512
b2f8719dc23c8ef1b81dd52f1d2c33c084c191fefaa3a6a56cb12268a3efb2e2c4512ee66501e07d17093e42d3682e6148d18c7b73ba0011f6cab31cb661dc26

Download Submit
C:\Windows\{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe

Filesize
372KB

MD5
7186f5d9e425abb3f4e2856b4129bd2f

SHA1
8248bbfb95534bbd5da2c2bf4b5f52fb5817c2cc

SHA256
a6a204f19a951cd286f4fcdd7da45f56ad81c2b5d37734103d78024726c64fc1

SHA512
505a0b3038984285fd1653d52ab39305e8dcc30c8e152876947b3847cc310889dd7a57e1d6e09f7233359dbf33b5d4cc71a6e876001cb4eb4279b0249116a22c

Download Submit
C:\Windows\{BCDE16E1-2F23-4730-A9E5-CE4B68D97B25}.exe

Filesize
372KB

MD5
7186f5d9e425abb3f4e2856b4129bd2f

SHA1
8248bbfb95534bbd5da2c2bf4b5f52fb5817c2cc

SHA256
a6a204f19a951cd286f4fcdd7da45f56ad81c2b5d37734103d78024726c64fc1

SHA512
505a0b3038984285fd1653d52ab39305e8dcc30c8e152876947b3847cc310889dd7a57e1d6e09f7233359dbf33b5d4cc71a6e876001cb4eb4279b0249116a22c

Download Submit
C:\Windows\{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe

Filesize
372KB

MD5
f515473e371606c2df8d6b60d1f8f2f8

SHA1
6944bbf6065223bc0f49c8f3a2952d6d4dc4d0ae

SHA256
ac31d25311792f81fc56ea87f90b3ce0094e7613f36f00f1e263901174a3b5e6

SHA512
2555ebbf4bb78900811aeae224fbdb1b64bf2ed1bcbb20d212e80889344ec52d0536637fa02fa6160c1f8facc1e2783d88447686e8f95fe49dd59da9419dc996

Download Submit
C:\Windows\{C3B2E7EA-1003-4009-BD97-509908C39F6A}.exe

Filesize
372KB

MD5
f515473e371606c2df8d6b60d1f8f2f8

SHA1
6944bbf6065223bc0f49c8f3a2952d6d4dc4d0ae

SHA256
ac31d25311792f81fc56ea87f90b3ce0094e7613f36f00f1e263901174a3b5e6

SHA512
2555ebbf4bb78900811aeae224fbdb1b64bf2ed1bcbb20d212e80889344ec52d0536637fa02fa6160c1f8facc1e2783d88447686e8f95fe49dd59da9419dc996

Download Submit
C:\Windows\{DC041C88-708B-4d8b-BF60-6971A75E6CA7}.exe

Filesize
372KB

MD5
ae1e842e139505b8818fee9db12d1b09

SHA1
46ae092a01fe8227570ba681f503def7180ca983

SHA256
5fb2155fe8c02c3d3f8ecd525eadd8200db81194d411a2f8e098572284c2d821

SHA512
35ef55d09ec9348e6ed08679ae60e3a847a8415499d645a92f039cfdaa4ac5f76646af58ca2e0c6dcae26b898cb6516210bfca3cb91e173f067a564139d439b9

Download Submit
C:\Windows\{DC041C88-708B-4d8b-BF60-6971A75E6CA7}.exe

Filesize
372KB

MD5
ae1e842e139505b8818fee9db12d1b09

SHA1
46ae092a01fe8227570ba681f503def7180ca983

SHA256
5fb2155fe8c02c3d3f8ecd525eadd8200db81194d411a2f8e098572284c2d821

SHA512
35ef55d09ec9348e6ed08679ae60e3a847a8415499d645a92f039cfdaa4ac5f76646af58ca2e0c6dcae26b898cb6516210bfca3cb91e173f067a564139d439b9

Download Submit
C:\Windows\{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe

Filesize
372KB

MD5
c081df43a6eae3965d2e38df7a882fce

SHA1
ee2b5c5dc37661a7bede2664f7725f4d0ce28636

SHA256
6140be331195a4dbee058cb2a9a8c615187bb49428cf4975e51c674333090275

SHA512
2cfdfd75cc7f92a2207b8327c2842f0e99a0eddaf38a4b577928fabd776f8c8b52be63a55831c8f506766de6daf55f097bb08158933957bd0ad631c6a073cc31

Download Submit
C:\Windows\{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe

Filesize
372KB

MD5
c081df43a6eae3965d2e38df7a882fce

SHA1
ee2b5c5dc37661a7bede2664f7725f4d0ce28636

SHA256
6140be331195a4dbee058cb2a9a8c615187bb49428cf4975e51c674333090275

SHA512
2cfdfd75cc7f92a2207b8327c2842f0e99a0eddaf38a4b577928fabd776f8c8b52be63a55831c8f506766de6daf55f097bb08158933957bd0ad631c6a073cc31

Download Submit
C:\Windows\{E04D4977-E07C-40e9-A9DC-E1EFF9E91E03}.exe

Filesize
372KB

MD5
c081df43a6eae3965d2e38df7a882fce

SHA1
ee2b5c5dc37661a7bede2664f7725f4d0ce28636

SHA256
6140be331195a4dbee058cb2a9a8c615187bb49428cf4975e51c674333090275

SHA512
2cfdfd75cc7f92a2207b8327c2842f0e99a0eddaf38a4b577928fabd776f8c8b52be63a55831c8f506766de6daf55f097bb08158933957bd0ad631c6a073cc31

Download Submit