a14f5a31fb6a407d112494fa31aff72f4b80fba7ee8fe57e7549bb8af68a952d

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05/07/2023, 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f3f0507f7e429exeexeexeex.exe
Size

408KB
MD5

0f3f0507f7e429c1a215382a0b52480a
SHA1

030b3bb4ac74eb3deccf508937da39ba460a5472
SHA256

a14f5a31fb6a407d112494fa31aff72f4b80fba7ee8fe57e7549bb8af68a952d
SHA512

2a7a5d3bd7758ec151d9815419b556d08d2294c26100691275ccd412973ab06035d3576b64c850f3b1befa299ab6c177374c1f7ded730b68fb9bbfcfb1131b37
SSDEEP

3072:CEGh0obl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGJldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C019475F-4C19-4f01-9429-315EDA886941}\stubpath = "C:\\Windows\\{C019475F-4C19-4f01-9429-315EDA886941}.exe"	0f3f0507f7e429exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2B8D347-C25D-4835-9D3A-84FE438788C1}	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3F9840-78CE-4753-8B5A-0269946178DF}\stubpath = "C:\\Windows\\{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe"	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A862D02-864A-4243-8E0C-CF3B12F53A1D}\stubpath = "C:\\Windows\\{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe"	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{948CAC2D-F049-4ab5-AFA6-DB9665821E60}	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}	{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}\stubpath = "C:\\Windows\\{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe"	{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F7DC5CA-BF6C-47df-9136-DE627993E30E}	{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C53B4280-7C21-49d7-8536-A2FD073C3596}	{C019475F-4C19-4f01-9429-315EDA886941}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F3F9840-78CE-4753-8B5A-0269946178DF}	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}\stubpath = "C:\\Windows\\{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe"	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B8B1719-47EA-40f4-9809-5429E180A7DC}\stubpath = "C:\\Windows\\{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe"	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{948CAC2D-F049-4ab5-AFA6-DB9665821E60}\stubpath = "C:\\Windows\\{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe"	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F7DC5CA-BF6C-47df-9136-DE627993E30E}\stubpath = "C:\\Windows\\{1F7DC5CA-BF6C-47df-9136-DE627993E30E}.exe"	{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6656FCE5-B328-4d34-86F8-FEF4D867C23D}\stubpath = "C:\\Windows\\{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe"	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C019475F-4C19-4f01-9429-315EDA886941}	0f3f0507f7e429exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C53B4280-7C21-49d7-8536-A2FD073C3596}\stubpath = "C:\\Windows\\{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe"	{C019475F-4C19-4f01-9429-315EDA886941}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2B8D347-C25D-4835-9D3A-84FE438788C1}\stubpath = "C:\\Windows\\{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe"	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B8B1719-47EA-40f4-9809-5429E180A7DC}	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6656FCE5-B328-4d34-86F8-FEF4D867C23D}	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}\stubpath = "C:\\Windows\\{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe"	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A862D02-864A-4243-8E0C-CF3B12F53A1D}	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe

Executes dropped EXE 12 IoCs

pid	Process
2656	{C019475F-4C19-4f01-9429-315EDA886941}.exe
3920	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe
2216	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe
1512	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe
3396	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe
2960	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe
1244	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe
532	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe
2248	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe
4132	{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe
4764	{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe
4988	{1F7DC5CA-BF6C-47df-9136-DE627993E30E}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe
File created	C:\Windows\{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe
File created	C:\Windows\{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe
File created	C:\Windows\{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe
File created	C:\Windows\{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe
File created	C:\Windows\{1F7DC5CA-BF6C-47df-9136-DE627993E30E}.exe	{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe
File created	C:\Windows\{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe
File created	C:\Windows\{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe	{C019475F-4C19-4f01-9429-315EDA886941}.exe
File created	C:\Windows\{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe
File created	C:\Windows\{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe
File created	C:\Windows\{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe	{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe
File created	C:\Windows\{C019475F-4C19-4f01-9429-315EDA886941}.exe	0f3f0507f7e429exeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4916	0f3f0507f7e429exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2656	{C019475F-4C19-4f01-9429-315EDA886941}.exe
Token: SeIncBasePriorityPrivilege	3920	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe
Token: SeIncBasePriorityPrivilege	2216	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe
Token: SeIncBasePriorityPrivilege	1512	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe
Token: SeIncBasePriorityPrivilege	3396	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe
Token: SeIncBasePriorityPrivilege	2960	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe
Token: SeIncBasePriorityPrivilege	1244	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe
Token: SeIncBasePriorityPrivilege	532	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe
Token: SeIncBasePriorityPrivilege	2248	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe
Token: SeIncBasePriorityPrivilege	4132	{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe
Token: SeIncBasePriorityPrivilege	4764	{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4916 wrote to memory of 2656	4916	0f3f0507f7e429exeexeexeex.exe	80
PID 4916 wrote to memory of 2656	4916	0f3f0507f7e429exeexeexeex.exe	80
PID 4916 wrote to memory of 2656	4916	0f3f0507f7e429exeexeexeex.exe	80
PID 4916 wrote to memory of 4700	4916	0f3f0507f7e429exeexeexeex.exe	81
PID 4916 wrote to memory of 4700	4916	0f3f0507f7e429exeexeexeex.exe	81
PID 4916 wrote to memory of 4700	4916	0f3f0507f7e429exeexeexeex.exe	81
PID 2656 wrote to memory of 3920	2656	{C019475F-4C19-4f01-9429-315EDA886941}.exe	82
PID 2656 wrote to memory of 3920	2656	{C019475F-4C19-4f01-9429-315EDA886941}.exe	82
PID 2656 wrote to memory of 3920	2656	{C019475F-4C19-4f01-9429-315EDA886941}.exe	82
PID 2656 wrote to memory of 888	2656	{C019475F-4C19-4f01-9429-315EDA886941}.exe	83
PID 2656 wrote to memory of 888	2656	{C019475F-4C19-4f01-9429-315EDA886941}.exe	83
PID 2656 wrote to memory of 888	2656	{C019475F-4C19-4f01-9429-315EDA886941}.exe	83
PID 3920 wrote to memory of 2216	3920	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe	85
PID 3920 wrote to memory of 2216	3920	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe	85
PID 3920 wrote to memory of 2216	3920	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe	85
PID 3920 wrote to memory of 2628	3920	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe	84
PID 3920 wrote to memory of 2628	3920	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe	84
PID 3920 wrote to memory of 2628	3920	{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe	84
PID 2216 wrote to memory of 1512	2216	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe	86
PID 2216 wrote to memory of 1512	2216	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe	86
PID 2216 wrote to memory of 1512	2216	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe	86
PID 2216 wrote to memory of 2044	2216	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe	87
PID 2216 wrote to memory of 2044	2216	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe	87
PID 2216 wrote to memory of 2044	2216	{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe	87
PID 1512 wrote to memory of 3396	1512	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe	88
PID 1512 wrote to memory of 3396	1512	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe	88
PID 1512 wrote to memory of 3396	1512	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe	88
PID 1512 wrote to memory of 4972	1512	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe	89
PID 1512 wrote to memory of 4972	1512	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe	89
PID 1512 wrote to memory of 4972	1512	{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe	89
PID 3396 wrote to memory of 2960	3396	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe	90
PID 3396 wrote to memory of 2960	3396	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe	90
PID 3396 wrote to memory of 2960	3396	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe	90
PID 3396 wrote to memory of 2988	3396	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe	91
PID 3396 wrote to memory of 2988	3396	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe	91
PID 3396 wrote to memory of 2988	3396	{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe	91
PID 2960 wrote to memory of 1244	2960	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe	92
PID 2960 wrote to memory of 1244	2960	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe	92
PID 2960 wrote to memory of 1244	2960	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe	92
PID 2960 wrote to memory of 1868	2960	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe	93
PID 2960 wrote to memory of 1868	2960	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe	93
PID 2960 wrote to memory of 1868	2960	{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe	93
PID 1244 wrote to memory of 532	1244	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe	94
PID 1244 wrote to memory of 532	1244	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe	94
PID 1244 wrote to memory of 532	1244	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe	94
PID 1244 wrote to memory of 5044	1244	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe	95
PID 1244 wrote to memory of 5044	1244	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe	95
PID 1244 wrote to memory of 5044	1244	{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe	95
PID 532 wrote to memory of 2248	532	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe	96
PID 532 wrote to memory of 2248	532	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe	96
PID 532 wrote to memory of 2248	532	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe	96
PID 532 wrote to memory of 2424	532	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe	97
PID 532 wrote to memory of 2424	532	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe	97
PID 532 wrote to memory of 2424	532	{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe	97
PID 2248 wrote to memory of 4132	2248	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe	98
PID 2248 wrote to memory of 4132	2248	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe	98
PID 2248 wrote to memory of 4132	2248	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe	98
PID 2248 wrote to memory of 4496	2248	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe	99
PID 2248 wrote to memory of 4496	2248	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe	99
PID 2248 wrote to memory of 4496	2248	{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe	99
PID 4132 wrote to memory of 4764	4132	{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe	100
PID 4132 wrote to memory of 4764	4132	{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe	100
PID 4132 wrote to memory of 4764	4132	{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe	100
PID 4132 wrote to memory of 2132	4132	{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe	101

C:\Users\Admin\AppData\Local\Temp\0f3f0507f7e429exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\0f3f0507f7e429exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4916
- C:\Windows\{C019475F-4C19-4f01-9429-315EDA886941}.exe
  C:\Windows\{C019475F-4C19-4f01-9429-315EDA886941}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe
    C:\Windows\{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C53B4~1.EXE > nul
      4⤵
      PID:2628
  - - C:\Windows\{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe
      C:\Windows\{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2216
    - - C:\Windows\{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe
        
        C:\Windows\{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
      - C:\Windows\{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe
        
        C:\Windows\{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3396
        
        C:\Windows\{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe
        
        C:\Windows\{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe
        
        C:\Windows\{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe
        
        C:\Windows\{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:532
        
        C:\Windows\{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe
        
        C:\Windows\{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe
        
        C:\Windows\{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe
        
        C:\Windows\{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4764
        
        C:\Windows\{1F7DC5CA-BF6C-47df-9136-DE627993E30E}.exe
        
        C:\Windows\{1F7DC5CA-BF6C-47df-9136-DE627993E30E}.exe
        13⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38148~1.EXE > nul
        13⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{948CA~1.EXE > nul
        12⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A862~1.EXE > nul
        11⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8044~1.EXE > nul
        10⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6656F~1.EXE > nul
        9⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B8B1~1.EXE > nul
        8⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10353~1.EXE > nul
        7⤵
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F3F9~1.EXE > nul
        6⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2B8D~1.EXE > nul
        5⤵
        
        PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C0194~1.EXE > nul
    3⤵
    PID:888
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0F3F05~1.EXE > nul
  2⤵
  PID:4700

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe

Filesize
408KB

MD5
8b65fe5e676f34cab303c146d34326e8

SHA1
7369dcaee65100181cd222bc03e1d3ab8dc3d536

SHA256
360f9f80e11d76c73442d87b2df577a758dee0fec38e108d070a162c9699f58a

SHA512
3aef542d8a780ebe7d85ec1cddc0f025e127d80bae92151939aa8c82f7e50c64d48812ab4bfb67a6e79b0391f2c1e04e62799fc765ef6f69667445f246c1c553

Download Submit
C:\Windows\{10353EBD-E8D0-46da-B720-4EAD9BCF5D36}.exe

Filesize
408KB

MD5
8b65fe5e676f34cab303c146d34326e8

SHA1
7369dcaee65100181cd222bc03e1d3ab8dc3d536

SHA256
360f9f80e11d76c73442d87b2df577a758dee0fec38e108d070a162c9699f58a

SHA512
3aef542d8a780ebe7d85ec1cddc0f025e127d80bae92151939aa8c82f7e50c64d48812ab4bfb67a6e79b0391f2c1e04e62799fc765ef6f69667445f246c1c553

Download Submit
C:\Windows\{1F7DC5CA-BF6C-47df-9136-DE627993E30E}.exe

Filesize
408KB

MD5
63afd68f739d5a7ca98e81da0beccba1

SHA1
60b3d36126e66381207e79e0e4af27cd23470133

SHA256
dd9c7283eb9cced6ec9d84a75b9daaaf96c07efea10ed62db57b44f75aec91e7

SHA512
7c2cd3a1f10e0811c7f4898ab3ad5bff6afc2cc1adc3909aac5ccb49009c00d2ab8c0182c7e02d39cb229c074fdcd0e2ac720784be687ed29eb693f97cd876d1

Download Submit
C:\Windows\{1F7DC5CA-BF6C-47df-9136-DE627993E30E}.exe

Filesize
408KB

MD5
63afd68f739d5a7ca98e81da0beccba1

SHA1
60b3d36126e66381207e79e0e4af27cd23470133

SHA256
dd9c7283eb9cced6ec9d84a75b9daaaf96c07efea10ed62db57b44f75aec91e7

SHA512
7c2cd3a1f10e0811c7f4898ab3ad5bff6afc2cc1adc3909aac5ccb49009c00d2ab8c0182c7e02d39cb229c074fdcd0e2ac720784be687ed29eb693f97cd876d1

Download Submit
C:\Windows\{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe

Filesize
408KB

MD5
58a61b4a4db842a0d6cdba4e2910caf7

SHA1
fae745bb5ba1466f9702b4ca78c827f0fe426c43

SHA256
12dd19cd4ce744f7e904b2d05f3664593a07e311692ed91419f77cf998c3f124

SHA512
140ac23aea108a536679167e203a60a8c8be9ef8b9ec3ad28454f1b30c3397157391f36e452dc58192bba9c2b067823016a93722da67ab6b101354422d61efce

Download Submit
C:\Windows\{38148EBF-3DBA-425b-A47C-1D3C6BDD7791}.exe

Filesize
408KB

MD5
58a61b4a4db842a0d6cdba4e2910caf7

SHA1
fae745bb5ba1466f9702b4ca78c827f0fe426c43

SHA256
12dd19cd4ce744f7e904b2d05f3664593a07e311692ed91419f77cf998c3f124

SHA512
140ac23aea108a536679167e203a60a8c8be9ef8b9ec3ad28454f1b30c3397157391f36e452dc58192bba9c2b067823016a93722da67ab6b101354422d61efce

Download Submit
C:\Windows\{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe

Filesize
408KB

MD5
8a9427d7677fa326ba2bbb636bf4f3a0

SHA1
57013a6075efd5a6c3ebec8cc5671b8044921643

SHA256
edd719dc39479fd89148fa20a561eae2712de76490ae117019a891b267c09b5f

SHA512
3d41b272694b0044b0597c369934d3c1e2740ea34ddfbe61b2cefe941d596a8a8fe6a5014d3567add3b0891f1aaa29252c74ac30283cecc1a497ea91511831b0

Download Submit
C:\Windows\{5B8B1719-47EA-40f4-9809-5429E180A7DC}.exe

Filesize
408KB

MD5
8a9427d7677fa326ba2bbb636bf4f3a0

SHA1
57013a6075efd5a6c3ebec8cc5671b8044921643

SHA256
edd719dc39479fd89148fa20a561eae2712de76490ae117019a891b267c09b5f

SHA512
3d41b272694b0044b0597c369934d3c1e2740ea34ddfbe61b2cefe941d596a8a8fe6a5014d3567add3b0891f1aaa29252c74ac30283cecc1a497ea91511831b0

Download Submit
C:\Windows\{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe

Filesize
408KB

MD5
f9f94b0f1a25a0a574f3ed23d1f9bf78

SHA1
4326702201ce16c5823b269f259d86d41005cd2c

SHA256
f525d7688e7517f54b7834c93de215086c1988906a42fbbe78c25c94e5cb8655

SHA512
282646a9901afe849d0b2c07eafe3113c6f83102abab1fbcc3bac4b63f84f7f1a50d2d8c3c270f5447f31d54d853a2079a60334f964fe2241912ee9df3ce2f58

Download Submit
C:\Windows\{6656FCE5-B328-4d34-86F8-FEF4D867C23D}.exe

Filesize
408KB

MD5
f9f94b0f1a25a0a574f3ed23d1f9bf78

SHA1
4326702201ce16c5823b269f259d86d41005cd2c

SHA256
f525d7688e7517f54b7834c93de215086c1988906a42fbbe78c25c94e5cb8655

SHA512
282646a9901afe849d0b2c07eafe3113c6f83102abab1fbcc3bac4b63f84f7f1a50d2d8c3c270f5447f31d54d853a2079a60334f964fe2241912ee9df3ce2f58

Download Submit
C:\Windows\{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe

Filesize
408KB

MD5
31b366573eed23744c7643aa083afad6

SHA1
ac20f1f64af10a0b9a1f600d8872338873993131

SHA256
33f3e4a2dbcf038cf25889261ae70f2e036cb371659507226ccc9d4a14590d22

SHA512
a10b4ce046475aeb3d732d6034c799cdef233d38c7f44f047a985f67394b9adc2abac46b335661cc7fcb08e179d3a764c2a92a4da1f5da378b5e8ae2f3c93483

Download Submit
C:\Windows\{7A862D02-864A-4243-8E0C-CF3B12F53A1D}.exe

Filesize
408KB

MD5
31b366573eed23744c7643aa083afad6

SHA1
ac20f1f64af10a0b9a1f600d8872338873993131

SHA256
33f3e4a2dbcf038cf25889261ae70f2e036cb371659507226ccc9d4a14590d22

SHA512
a10b4ce046475aeb3d732d6034c799cdef233d38c7f44f047a985f67394b9adc2abac46b335661cc7fcb08e179d3a764c2a92a4da1f5da378b5e8ae2f3c93483

Download Submit
C:\Windows\{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe

Filesize
408KB

MD5
8ded4e15130cf00c077e2eadbab6f883

SHA1
ae8c12ff80f64bd968a689160eda8deb0461a79b

SHA256
2108d522f8ff13e3c0ce21741675631b6114894556b6a4cd1a9081678f38d1c4

SHA512
e0dde90b8c253ca4dc318c4f9d81f3cd79b5eef2c77f155d34b73b6a00e716229af48513e3fb322071a60d56644c3bbbf424ca4531611b17d7cc4bd7c5bb613a

Download Submit
C:\Windows\{7F3F9840-78CE-4753-8B5A-0269946178DF}.exe

Filesize
408KB

MD5
8ded4e15130cf00c077e2eadbab6f883

SHA1
ae8c12ff80f64bd968a689160eda8deb0461a79b

SHA256
2108d522f8ff13e3c0ce21741675631b6114894556b6a4cd1a9081678f38d1c4

SHA512
e0dde90b8c253ca4dc318c4f9d81f3cd79b5eef2c77f155d34b73b6a00e716229af48513e3fb322071a60d56644c3bbbf424ca4531611b17d7cc4bd7c5bb613a

Download Submit
C:\Windows\{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe

Filesize
408KB

MD5
3589c118005e94beea43447f31bd91c2

SHA1
d348c9bf0929191268c1eee231aabb517dc444d6

SHA256
5bb5009e22d6c5c6fbb5c6d5a9ef1f71fd863923e564f2b230f4369821e4597a

SHA512
ff13e42d8a520dae0470b9949a6cafd3fb22700f40b46807c81961ba71bed22f7140d59ceeb13ae69f5da1620322982c77d1a8533771c90f8a020b3a886fd32f

Download Submit
C:\Windows\{948CAC2D-F049-4ab5-AFA6-DB9665821E60}.exe

Filesize
408KB

MD5
3589c118005e94beea43447f31bd91c2

SHA1
d348c9bf0929191268c1eee231aabb517dc444d6

SHA256
5bb5009e22d6c5c6fbb5c6d5a9ef1f71fd863923e564f2b230f4369821e4597a

SHA512
ff13e42d8a520dae0470b9949a6cafd3fb22700f40b46807c81961ba71bed22f7140d59ceeb13ae69f5da1620322982c77d1a8533771c90f8a020b3a886fd32f

Download Submit
C:\Windows\{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe

Filesize
408KB

MD5
e8dea2c027186bcac6e24306a64250a2

SHA1
779a9d4fe79458a2a8ededcd133e31409a672f01

SHA256
921aa393f2e11288b6b2c581942552751a4c8c67c9805c26e800fc1fed25666b

SHA512
f16d9948db3e796621a064f596ae72bb448b55a006e7e636fbdc93cbad1380223f7b6a66e28b1f642a8e6d3b17bb6efa7e9914ee9e4890f1bbba34546a88f6b7

Download Submit
C:\Windows\{A804470C-0072-4a9f-A4CF-4A8CBE28CF6F}.exe

Filesize
408KB

MD5
e8dea2c027186bcac6e24306a64250a2

SHA1
779a9d4fe79458a2a8ededcd133e31409a672f01

SHA256
921aa393f2e11288b6b2c581942552751a4c8c67c9805c26e800fc1fed25666b

SHA512
f16d9948db3e796621a064f596ae72bb448b55a006e7e636fbdc93cbad1380223f7b6a66e28b1f642a8e6d3b17bb6efa7e9914ee9e4890f1bbba34546a88f6b7

Download Submit
C:\Windows\{C019475F-4C19-4f01-9429-315EDA886941}.exe

Filesize
408KB

MD5
21305074a6447c095c80934b14f68d0a

SHA1
6bf5c632f4984215bf3b0addf9e1388b4b7469d4

SHA256
321ed63d45c824362eca9f0938e959105ed275b3e8c1cbffc2d1ceb9f7b2553b

SHA512
c2087487a957fa703f08f702fce61888d2c6e46947f3c30c9243b2d279987b8f169afccd472d5f6bed672a20249906333118dae6e47b387d4f778e5cf51423cb

Download Submit
C:\Windows\{C019475F-4C19-4f01-9429-315EDA886941}.exe

Filesize
408KB

MD5
21305074a6447c095c80934b14f68d0a

SHA1
6bf5c632f4984215bf3b0addf9e1388b4b7469d4

SHA256
321ed63d45c824362eca9f0938e959105ed275b3e8c1cbffc2d1ceb9f7b2553b

SHA512
c2087487a957fa703f08f702fce61888d2c6e46947f3c30c9243b2d279987b8f169afccd472d5f6bed672a20249906333118dae6e47b387d4f778e5cf51423cb

Download Submit
C:\Windows\{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe

Filesize
408KB

MD5
eb8a6d062ae12c8f391ef8384421a881

SHA1
0f681915479a2fa0c026d8b779c61037c65d6591

SHA256
d6edcc96d98b2024de45a85986ddd532da0899887bcc8feee0450775d9fe309a

SHA512
83c349e8d71acceaccbe8edb484d1524b6710e015b66ed9ab1d9519adafdfb141e08326a5e44453dd94c5a7902e444f4ff7290061a73656326b60bbc8e279bf1

Download Submit
C:\Windows\{C53B4280-7C21-49d7-8536-A2FD073C3596}.exe

Filesize
408KB

MD5
eb8a6d062ae12c8f391ef8384421a881

SHA1
0f681915479a2fa0c026d8b779c61037c65d6591

SHA256
d6edcc96d98b2024de45a85986ddd532da0899887bcc8feee0450775d9fe309a

SHA512
83c349e8d71acceaccbe8edb484d1524b6710e015b66ed9ab1d9519adafdfb141e08326a5e44453dd94c5a7902e444f4ff7290061a73656326b60bbc8e279bf1

Download Submit
C:\Windows\{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe

Filesize
408KB

MD5
141486d1606e3a7a5faa311ecf481628

SHA1
7b246e134cdeb4c35a0594a888e4cc8ea12cec94

SHA256
1ab913237fa14cc724d9ae8af6b517b51cdd5378ca2c2d4e7f87a3481d7e8913

SHA512
2571664a65ad1f72c2ccbd2273fa60cbe21422fc2b7c99ca110fde6616356fcaf582a76c743b471421a09bb2242cc5967985719d1418015657432b0e08d9fd5e

Download Submit
C:\Windows\{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe

Filesize
408KB

MD5
141486d1606e3a7a5faa311ecf481628

SHA1
7b246e134cdeb4c35a0594a888e4cc8ea12cec94

SHA256
1ab913237fa14cc724d9ae8af6b517b51cdd5378ca2c2d4e7f87a3481d7e8913

SHA512
2571664a65ad1f72c2ccbd2273fa60cbe21422fc2b7c99ca110fde6616356fcaf582a76c743b471421a09bb2242cc5967985719d1418015657432b0e08d9fd5e

Download Submit
C:\Windows\{E2B8D347-C25D-4835-9D3A-84FE438788C1}.exe

Filesize
408KB

MD5
141486d1606e3a7a5faa311ecf481628

SHA1
7b246e134cdeb4c35a0594a888e4cc8ea12cec94

SHA256
1ab913237fa14cc724d9ae8af6b517b51cdd5378ca2c2d4e7f87a3481d7e8913

SHA512
2571664a65ad1f72c2ccbd2273fa60cbe21422fc2b7c99ca110fde6616356fcaf582a76c743b471421a09bb2242cc5967985719d1418015657432b0e08d9fd5e

Download Submit