a7c4ace3a33392ee77dd93bb44b79637301136eb33a8227a4d69a367a3e71274

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 16:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c238842a415d3exeexeexeex.exe
Size

192KB
MD5

0c238842a415d3f3da27ef532c0498e8
SHA1

c8cce9c09c402ef6254e435ea58f87a0611e0c53
SHA256

a7c4ace3a33392ee77dd93bb44b79637301136eb33a8227a4d69a367a3e71274
SHA512

5e9e4bf8cd613916e829a5ea6c506ab69b508556b2ed2f6db230895d723586b21a3cd1111dc89da02aee99a5e45149552843a96e47d4b437cf92548f573e6995
SSDEEP

1536:1EGh0oml15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oml1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}\stubpath = "C:\\Windows\\{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe"	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D0C12B-D5D1-428f-B758-31D784D4C8F9}\stubpath = "C:\\Windows\\{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe"	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{497600AD-A913-4775-9B3E-8DB2D2084424}	{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA67F237-5FC1-4f75-BF0D-F8C98607C996}\stubpath = "C:\\Windows\\{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe"	0c238842a415d3exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A4D0D89-1548-48ed-9D1F-3087A485A33C}	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92AF954A-1EE9-42df-AFC0-B492F0E76243}	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{305E0670-0E66-41d4-9EC5-F16CD6515AF7}\stubpath = "C:\\Windows\\{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe"	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A616892F-A098-4984-A21C-3A0652E04BB2}	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A616892F-A098-4984-A21C-3A0652E04BB2}\stubpath = "C:\\Windows\\{A616892F-A098-4984-A21C-3A0652E04BB2}.exe"	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FC85A9A-E06C-462b-815A-C4910A1DE00E}	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{474FD20F-694D-468b-AC7A-AA85AE94C2BF}\stubpath = "C:\\Windows\\{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe"	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}\stubpath = "C:\\Windows\\{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe"	{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA67F237-5FC1-4f75-BF0D-F8C98607C996}	0c238842a415d3exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A4D0D89-1548-48ed-9D1F-3087A485A33C}\stubpath = "C:\\Windows\\{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe"	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{305E0670-0E66-41d4-9EC5-F16CD6515AF7}	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}\stubpath = "C:\\Windows\\{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe"	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}	{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{497600AD-A913-4775-9B3E-8DB2D2084424}\stubpath = "C:\\Windows\\{497600AD-A913-4775-9B3E-8DB2D2084424}.exe"	{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{92AF954A-1EE9-42df-AFC0-B492F0E76243}\stubpath = "C:\\Windows\\{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe"	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6FC85A9A-E06C-462b-815A-C4910A1DE00E}\stubpath = "C:\\Windows\\{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe"	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{474FD20F-694D-468b-AC7A-AA85AE94C2BF}	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37D0C12B-D5D1-428f-B758-31D784D4C8F9}	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe

Executes dropped EXE 12 IoCs

pid	Process
4192	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe
1940	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe
3804	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe
2180	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe
2524	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe
1488	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe
4756	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe
4720	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe
4544	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe
3864	{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe
4412	{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe
1808	{497600AD-A913-4775-9B3E-8DB2D2084424}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe	0c238842a415d3exeexeexeex.exe
File created	C:\Windows\{A616892F-A098-4984-A21C-3A0652E04BB2}.exe	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe
File created	C:\Windows\{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe
File created	C:\Windows\{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe
File created	C:\Windows\{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe
File created	C:\Windows\{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe
File created	C:\Windows\{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe
File created	C:\Windows\{497600AD-A913-4775-9B3E-8DB2D2084424}.exe	{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe
File created	C:\Windows\{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe
File created	C:\Windows\{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe
File created	C:\Windows\{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe
File created	C:\Windows\{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe	{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4880	0c238842a415d3exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4192	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe
Token: SeIncBasePriorityPrivilege	1940	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe
Token: SeIncBasePriorityPrivilege	3804	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe
Token: SeIncBasePriorityPrivilege	2180	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe
Token: SeIncBasePriorityPrivilege	2524	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe
Token: SeIncBasePriorityPrivilege	1488	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe
Token: SeIncBasePriorityPrivilege	4756	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe
Token: SeIncBasePriorityPrivilege	4720	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe
Token: SeIncBasePriorityPrivilege	4544	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe
Token: SeIncBasePriorityPrivilege	3864	{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe
Token: SeIncBasePriorityPrivilege	4412	{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4192	4880	0c238842a415d3exeexeexeex.exe	80
PID 4880 wrote to memory of 4192	4880	0c238842a415d3exeexeexeex.exe	80
PID 4880 wrote to memory of 4192	4880	0c238842a415d3exeexeexeex.exe	80
PID 4880 wrote to memory of 2688	4880	0c238842a415d3exeexeexeex.exe	81
PID 4880 wrote to memory of 2688	4880	0c238842a415d3exeexeexeex.exe	81
PID 4880 wrote to memory of 2688	4880	0c238842a415d3exeexeexeex.exe	81
PID 4192 wrote to memory of 1940	4192	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe	82
PID 4192 wrote to memory of 1940	4192	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe	82
PID 4192 wrote to memory of 1940	4192	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe	82
PID 4192 wrote to memory of 4240	4192	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe	83
PID 4192 wrote to memory of 4240	4192	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe	83
PID 4192 wrote to memory of 4240	4192	{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe	83
PID 1940 wrote to memory of 3804	1940	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe	84
PID 1940 wrote to memory of 3804	1940	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe	84
PID 1940 wrote to memory of 3804	1940	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe	84
PID 1940 wrote to memory of 4556	1940	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe	85
PID 1940 wrote to memory of 4556	1940	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe	85
PID 1940 wrote to memory of 4556	1940	{A616892F-A098-4984-A21C-3A0652E04BB2}.exe	85
PID 3804 wrote to memory of 2180	3804	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe	86
PID 3804 wrote to memory of 2180	3804	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe	86
PID 3804 wrote to memory of 2180	3804	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe	86
PID 3804 wrote to memory of 3608	3804	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe	87
PID 3804 wrote to memory of 3608	3804	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe	87
PID 3804 wrote to memory of 3608	3804	{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe	87
PID 2180 wrote to memory of 2524	2180	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe	88
PID 2180 wrote to memory of 2524	2180	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe	88
PID 2180 wrote to memory of 2524	2180	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe	88
PID 2180 wrote to memory of 1656	2180	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe	89
PID 2180 wrote to memory of 1656	2180	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe	89
PID 2180 wrote to memory of 1656	2180	{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe	89
PID 2524 wrote to memory of 1488	2524	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe	90
PID 2524 wrote to memory of 1488	2524	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe	90
PID 2524 wrote to memory of 1488	2524	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe	90
PID 2524 wrote to memory of 1768	2524	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe	91
PID 2524 wrote to memory of 1768	2524	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe	91
PID 2524 wrote to memory of 1768	2524	{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe	91
PID 1488 wrote to memory of 4756	1488	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe	92
PID 1488 wrote to memory of 4756	1488	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe	92
PID 1488 wrote to memory of 4756	1488	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe	92
PID 1488 wrote to memory of 416	1488	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe	93
PID 1488 wrote to memory of 416	1488	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe	93
PID 1488 wrote to memory of 416	1488	{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe	93
PID 4756 wrote to memory of 4720	4756	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe	94
PID 4756 wrote to memory of 4720	4756	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe	94
PID 4756 wrote to memory of 4720	4756	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe	94
PID 4756 wrote to memory of 3016	4756	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe	95
PID 4756 wrote to memory of 3016	4756	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe	95
PID 4756 wrote to memory of 3016	4756	{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe	95
PID 4720 wrote to memory of 4544	4720	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe	96
PID 4720 wrote to memory of 4544	4720	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe	96
PID 4720 wrote to memory of 4544	4720	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe	96
PID 4720 wrote to memory of 772	4720	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe	97
PID 4720 wrote to memory of 772	4720	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe	97
PID 4720 wrote to memory of 772	4720	{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe	97
PID 4544 wrote to memory of 3864	4544	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe	98
PID 4544 wrote to memory of 3864	4544	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe	98
PID 4544 wrote to memory of 3864	4544	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe	98
PID 4544 wrote to memory of 1164	4544	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe	99
PID 4544 wrote to memory of 1164	4544	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe	99
PID 4544 wrote to memory of 1164	4544	{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe	99
PID 3864 wrote to memory of 4412	3864	{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe	100
PID 3864 wrote to memory of 4412	3864	{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe	100
PID 3864 wrote to memory of 4412	3864	{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe	100
PID 3864 wrote to memory of 1052	3864	{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe	101

C:\Users\Admin\AppData\Local\Temp\0c238842a415d3exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\0c238842a415d3exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe
  C:\Windows\{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\{A616892F-A098-4984-A21C-3A0652E04BB2}.exe
    C:\Windows\{A616892F-A098-4984-A21C-3A0652E04BB2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe
      C:\Windows\{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3804
    - - C:\Windows\{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe
        
        C:\Windows\{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2180
      - C:\Windows\{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe
        
        C:\Windows\{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe
        
        C:\Windows\{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe
        
        C:\Windows\{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4756
        
        C:\Windows\{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe
        
        C:\Windows\{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4720
        
        C:\Windows\{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe
        
        C:\Windows\{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4544
        
        C:\Windows\{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe
        
        C:\Windows\{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe
        
        C:\Windows\{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\{497600AD-A913-4775-9B3E-8DB2D2084424}.exe
        
        C:\Windows\{497600AD-A913-4775-9B3E-8DB2D2084424}.exe
        13⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACF18~1.EXE > nul
        13⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37D0C~1.EXE > nul
        12⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28007~1.EXE > nul
        11⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{474FD~1.EXE > nul
        10⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FC85~1.EXE > nul
        9⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06FFB~1.EXE > nul
        8⤵
        
        PID:416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{305E0~1.EXE > nul
        7⤵
        
        PID:1768
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92AF9~1.EXE > nul
        6⤵
        
        PID:1656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A4D0~1.EXE > nul
        5⤵
        
        PID:3608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A6168~1.EXE > nul
      4⤵
      PID:4556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FA67F~1.EXE > nul
    3⤵
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0C2388~1.EXE > nul
  2⤵
  PID:2688

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe

Filesize
192KB

MD5
357f63c3c0837e474b341205cbc8a110

SHA1
0813e6ae579901c0fa1c4b04816c601defd09748

SHA256
f16dea875a0d0b269ab3ba46ff017ec3d8c99208bb33401d81acf8be0ce3a872

SHA512
dd0759e23bb3af93e0a572b48f1097a9f17b3cdf9687e2063044075d97c43645000f6352cdb359f7e197a7b1ad7eeb23ed587687af9ed1f6bff7605964d78124

Download Submit
C:\Windows\{06FFB0CB-A37C-46fb-8C56-59510DA26AE4}.exe

Filesize
192KB

MD5
357f63c3c0837e474b341205cbc8a110

SHA1
0813e6ae579901c0fa1c4b04816c601defd09748

SHA256
f16dea875a0d0b269ab3ba46ff017ec3d8c99208bb33401d81acf8be0ce3a872

SHA512
dd0759e23bb3af93e0a572b48f1097a9f17b3cdf9687e2063044075d97c43645000f6352cdb359f7e197a7b1ad7eeb23ed587687af9ed1f6bff7605964d78124

Download Submit
C:\Windows\{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe

Filesize
192KB

MD5
61580344d42861abed3868c3f8620afe

SHA1
e0c7b467275b68c7ff2d2e61a45a50f7f2595a67

SHA256
9a5c5a4014287c9e3fed5ab07db07e295f5ecf26a6d26d5ac9c90dc3d0796124

SHA512
4fc9cb40778d5a99c839c6eecb4cd3d325b0059143dcd813fbab0de168e3d33d7b820423ea1f972d9554dd3f669e3c7d016da291c7021a28bbf9eafb4f553a1d

Download Submit
C:\Windows\{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe

Filesize
192KB

MD5
61580344d42861abed3868c3f8620afe

SHA1
e0c7b467275b68c7ff2d2e61a45a50f7f2595a67

SHA256
9a5c5a4014287c9e3fed5ab07db07e295f5ecf26a6d26d5ac9c90dc3d0796124

SHA512
4fc9cb40778d5a99c839c6eecb4cd3d325b0059143dcd813fbab0de168e3d33d7b820423ea1f972d9554dd3f669e3c7d016da291c7021a28bbf9eafb4f553a1d

Download Submit
C:\Windows\{1A4D0D89-1548-48ed-9D1F-3087A485A33C}.exe

Filesize
192KB

MD5
61580344d42861abed3868c3f8620afe

SHA1
e0c7b467275b68c7ff2d2e61a45a50f7f2595a67

SHA256
9a5c5a4014287c9e3fed5ab07db07e295f5ecf26a6d26d5ac9c90dc3d0796124

SHA512
4fc9cb40778d5a99c839c6eecb4cd3d325b0059143dcd813fbab0de168e3d33d7b820423ea1f972d9554dd3f669e3c7d016da291c7021a28bbf9eafb4f553a1d

Download Submit
C:\Windows\{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe

Filesize
192KB

MD5
f8dbf5debc3316d89b9f59a9811080c4

SHA1
2ec2641ad379c657adb9343999641de62cc1f18f

SHA256
548fa73fcf208deb393822af2615f033994865596f8b349d50d1ad55c1ad9476

SHA512
6866b591df7c9116d1bd92166a44f1933ed8afcf00f666ad089cb1cbfa08b2ca43bd7b3a8ddda5b43432608ac27ac9d054e8c3f0778f60ca9e43c42e3f2dbf08

Download Submit
C:\Windows\{280077D7-96A4-4b82-A915-5BE6F9D5CEA2}.exe

Filesize
192KB

MD5
f8dbf5debc3316d89b9f59a9811080c4

SHA1
2ec2641ad379c657adb9343999641de62cc1f18f

SHA256
548fa73fcf208deb393822af2615f033994865596f8b349d50d1ad55c1ad9476

SHA512
6866b591df7c9116d1bd92166a44f1933ed8afcf00f666ad089cb1cbfa08b2ca43bd7b3a8ddda5b43432608ac27ac9d054e8c3f0778f60ca9e43c42e3f2dbf08

Download Submit
C:\Windows\{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe

Filesize
192KB

MD5
3ee880717e7df05295e8aa0a6863061a

SHA1
a0b85920d6e0e1ebf280342d7370acdad7ecb328

SHA256
75570869d6eda3c045d87322e1f4d7d11260431262a5e4a1c2f7f478bfa6a26d

SHA512
d3c4001e4db662f973db7a750e40fc2f356bd7645b56f2a6e22cff2ae2f661df46c6ef64f5f75e4dd2710bdfb8f92c0649d06edba8557f485759ebaf254bbf32

Download Submit
C:\Windows\{305E0670-0E66-41d4-9EC5-F16CD6515AF7}.exe

Filesize
192KB

MD5
3ee880717e7df05295e8aa0a6863061a

SHA1
a0b85920d6e0e1ebf280342d7370acdad7ecb328

SHA256
75570869d6eda3c045d87322e1f4d7d11260431262a5e4a1c2f7f478bfa6a26d

SHA512
d3c4001e4db662f973db7a750e40fc2f356bd7645b56f2a6e22cff2ae2f661df46c6ef64f5f75e4dd2710bdfb8f92c0649d06edba8557f485759ebaf254bbf32

Download Submit
C:\Windows\{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe

Filesize
192KB

MD5
e4458bbdecf64ef4e9768269d4ead01f

SHA1
ab831f3985670a0dd875facd96fe0d6430d85957

SHA256
504d4b4876960f00a6b0725adba27bffca9341c567fa7cbab5b25d5e0edc0018

SHA512
04c747a0911e5aec653f2842f38da3a461f53a6978195718ffc304132ae2205d950ce0ec4eabf03a62e0321add4d36226326d7f53b124325739c89659b3d55d5

Download Submit
C:\Windows\{37D0C12B-D5D1-428f-B758-31D784D4C8F9}.exe

Filesize
192KB

MD5
e4458bbdecf64ef4e9768269d4ead01f

SHA1
ab831f3985670a0dd875facd96fe0d6430d85957

SHA256
504d4b4876960f00a6b0725adba27bffca9341c567fa7cbab5b25d5e0edc0018

SHA512
04c747a0911e5aec653f2842f38da3a461f53a6978195718ffc304132ae2205d950ce0ec4eabf03a62e0321add4d36226326d7f53b124325739c89659b3d55d5

Download Submit
C:\Windows\{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe

Filesize
192KB

MD5
5d65914d28d4f13b3038e137ec115570

SHA1
295661eda4842b2ae2cf3cfa4beb2cbf832478f6

SHA256
b242023f231396a1ea2910821a3dfce81d08518bb2dfef091a22d490c5bf9d2c

SHA512
578f473b176bae8a30aa24b0193faeb505e4752d2bee31bdd16d6b01cc627bcd87a754de5d4822b7fa5c5e7c10024c3cf7eea05c2aa3a2423424852bf4ab682b

Download Submit
C:\Windows\{474FD20F-694D-468b-AC7A-AA85AE94C2BF}.exe

Filesize
192KB

MD5
5d65914d28d4f13b3038e137ec115570

SHA1
295661eda4842b2ae2cf3cfa4beb2cbf832478f6

SHA256
b242023f231396a1ea2910821a3dfce81d08518bb2dfef091a22d490c5bf9d2c

SHA512
578f473b176bae8a30aa24b0193faeb505e4752d2bee31bdd16d6b01cc627bcd87a754de5d4822b7fa5c5e7c10024c3cf7eea05c2aa3a2423424852bf4ab682b

Download Submit
C:\Windows\{497600AD-A913-4775-9B3E-8DB2D2084424}.exe

Filesize
192KB

MD5
4891d021cf4a637d494a50cdaca48798

SHA1
37ace5d3b54ed57106098abcd9ad27c7b7847044

SHA256
03c55bc0524344071d627b240ebbc979c5ad21dc22cfb18703427dd4caa32606

SHA512
3caf671710239c6cab8c45a27fcf7bc3b1e52c9d4875961fde3e31d869880c5a054a0a712eff7ab22a26d853ba2c431a149761a246e09489fd0ad0efab0562ec

Download Submit
C:\Windows\{497600AD-A913-4775-9B3E-8DB2D2084424}.exe

Filesize
192KB

MD5
4891d021cf4a637d494a50cdaca48798

SHA1
37ace5d3b54ed57106098abcd9ad27c7b7847044

SHA256
03c55bc0524344071d627b240ebbc979c5ad21dc22cfb18703427dd4caa32606

SHA512
3caf671710239c6cab8c45a27fcf7bc3b1e52c9d4875961fde3e31d869880c5a054a0a712eff7ab22a26d853ba2c431a149761a246e09489fd0ad0efab0562ec

Download Submit
C:\Windows\{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe

Filesize
192KB

MD5
43b30ab06b762566b02d28acba14b6d6

SHA1
98bc3d8fac4e9f6c808477da2d1f783316889236

SHA256
30013af388c86f1eb5fdd343268b4ad68dc12248a359899612bd7ff410a2ba4b

SHA512
04a8cd2f55aa026c8e4f099951c44b28e313f64062abfd99c1fe99b31ca16894bf51aa6e6cdd85ec8ab34fc9860c5e9f631dbbd63fae236f8b9868b17e0d2544

Download Submit
C:\Windows\{6FC85A9A-E06C-462b-815A-C4910A1DE00E}.exe

Filesize
192KB

MD5
43b30ab06b762566b02d28acba14b6d6

SHA1
98bc3d8fac4e9f6c808477da2d1f783316889236

SHA256
30013af388c86f1eb5fdd343268b4ad68dc12248a359899612bd7ff410a2ba4b

SHA512
04a8cd2f55aa026c8e4f099951c44b28e313f64062abfd99c1fe99b31ca16894bf51aa6e6cdd85ec8ab34fc9860c5e9f631dbbd63fae236f8b9868b17e0d2544

Download Submit
C:\Windows\{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe

Filesize
192KB

MD5
3e4b7e3fa700fed0e91bfab99f06c8b6

SHA1
3add8352f82a07ed58aabdff481bfc5c1669240e

SHA256
0a41a851fe44312269ce74fd4b504ebae1e159031f4c3e410c60a709856bd33b

SHA512
c43ca72f671e9930373f3ecf10eb5d99f61909e54184826be040e6610a870e562804539bbf79bd5847824d2d8a5c6e04edaffb6b27e8bc710cd26d2ed945316c

Download Submit
C:\Windows\{92AF954A-1EE9-42df-AFC0-B492F0E76243}.exe

Filesize
192KB

MD5
3e4b7e3fa700fed0e91bfab99f06c8b6

SHA1
3add8352f82a07ed58aabdff481bfc5c1669240e

SHA256
0a41a851fe44312269ce74fd4b504ebae1e159031f4c3e410c60a709856bd33b

SHA512
c43ca72f671e9930373f3ecf10eb5d99f61909e54184826be040e6610a870e562804539bbf79bd5847824d2d8a5c6e04edaffb6b27e8bc710cd26d2ed945316c

Download Submit
C:\Windows\{A616892F-A098-4984-A21C-3A0652E04BB2}.exe

Filesize
192KB

MD5
fc33ec9b08aca5e83403a596115abc4d

SHA1
f49a7e023beb50be1cf64ed6229ec40438847edd

SHA256
92824fa270e43d14671893cb04d82ecb5ecf6466a393bd5300c6c55caa5e1522

SHA512
4e7f99dbf6f7f81cc8ac9f8a0c6b0a559a24cb4eca1e606d9a9e9c603255afbd165f78216c3f225271437c954f966c513829a2c85efba99561993b3b1f54613f

Download Submit
C:\Windows\{A616892F-A098-4984-A21C-3A0652E04BB2}.exe

Filesize
192KB

MD5
fc33ec9b08aca5e83403a596115abc4d

SHA1
f49a7e023beb50be1cf64ed6229ec40438847edd

SHA256
92824fa270e43d14671893cb04d82ecb5ecf6466a393bd5300c6c55caa5e1522

SHA512
4e7f99dbf6f7f81cc8ac9f8a0c6b0a559a24cb4eca1e606d9a9e9c603255afbd165f78216c3f225271437c954f966c513829a2c85efba99561993b3b1f54613f

Download Submit
C:\Windows\{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe

Filesize
192KB

MD5
782c95f4cd05b2d2214a24f3cc8c9af0

SHA1
ba4e01481d367017a4fe6c15902b75a1616679d4

SHA256
91e53d1112fe1a4c823a3cb615bf0bacac8906d9e564271af3b41a3159c65858

SHA512
b1b3e3a36e0545d16c24167cb8af60276fcac18de4d32179ba2f8fd2485b7a391e610eafa94ab360dbaa2ddadaadc703588e4dd8e7eb98b07abdb776ddadd070

Download Submit
C:\Windows\{ACF1849F-E6D7-4e4e-ACC2-D044B0D59987}.exe

Filesize
192KB

MD5
782c95f4cd05b2d2214a24f3cc8c9af0

SHA1
ba4e01481d367017a4fe6c15902b75a1616679d4

SHA256
91e53d1112fe1a4c823a3cb615bf0bacac8906d9e564271af3b41a3159c65858

SHA512
b1b3e3a36e0545d16c24167cb8af60276fcac18de4d32179ba2f8fd2485b7a391e610eafa94ab360dbaa2ddadaadc703588e4dd8e7eb98b07abdb776ddadd070

Download Submit
C:\Windows\{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe

Filesize
192KB

MD5
8c4180813d666d1d9dcd9213f6bdbdaf

SHA1
4b52f58e63cdeeddc6da3cca45fcbb8452da62ad

SHA256
561da22c94e357eadd841ea9e82e8c5c703057a2abfe14286fc2cd3c22eb2953

SHA512
61c2b4240a442242bb670ebab83918570e14b648770fdfa622d06af874a910ab5cfc3892bc8fa78a0360c4fa5f74a0a9e9ef4a6614177947e8d8d13631fab081

Download Submit
C:\Windows\{FA67F237-5FC1-4f75-BF0D-F8C98607C996}.exe

Filesize
192KB

MD5
8c4180813d666d1d9dcd9213f6bdbdaf

SHA1
4b52f58e63cdeeddc6da3cca45fcbb8452da62ad

SHA256
561da22c94e357eadd841ea9e82e8c5c703057a2abfe14286fc2cd3c22eb2953

SHA512
61c2b4240a442242bb670ebab83918570e14b648770fdfa622d06af874a910ab5cfc3892bc8fa78a0360c4fa5f74a0a9e9ef4a6614177947e8d8d13631fab081

Download Submit