292ead2839bc4dc109e41bc1da65ad1cad8e24c8f6c8a2c6bf8e957f3317bacb

Analysis

max time kernel
146s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06-07-2023 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2346f521722ac2exeexeexeex.exe
Size

168KB
MD5

2346f521722ac29398dfd1c23f28ee6c
SHA1

2caef4ddc31d6973fd851f50ae7e4e4e508de7e3
SHA256

292ead2839bc4dc109e41bc1da65ad1cad8e24c8f6c8a2c6bf8e957f3317bacb
SHA512

307aa06bc2a99f1e5447bdc8e39c28079298de9b3f368041d8cb6c55705950868d05842be646f9c2ffe68f9bdc35ec15763026dcca8205e71f05b1b4de8b13e6
SSDEEP

1536:1EGh0o9lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o9lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92E8E78F-62B3-4aeb-B822-B6C1A8686319}	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358D7991-C259-4920-B913-929CDF9D5506}\stubpath = "C:\\Windows\\{358D7991-C259-4920-B913-929CDF9D5506}.exe"	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B97A70C-2D7F-44aa-B352-4DDB44325824}\stubpath = "C:\\Windows\\{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe"	{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19C20098-7BD6-40de-A6C1-DC550B68EDF1}\stubpath = "C:\\Windows\\{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe"	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{358D7991-C259-4920-B913-929CDF9D5506}	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D8CCC5D-C84C-4939-AD25-012C3082904B}	{358D7991-C259-4920-B913-929CDF9D5506}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}\stubpath = "C:\\Windows\\{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe"	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28F5C98F-B288-4eef-972F-888A7151F8D2}\stubpath = "C:\\Windows\\{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe"	{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{419BE751-F025-4029-8559-1A2BAB0B45E7}\stubpath = "C:\\Windows\\{419BE751-F025-4029-8559-1A2BAB0B45E7}.exe"	{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70CF4CE4-E51E-41e4-90CC-6E7723238464}	2346f521722ac2exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A7252D-5971-483b-A849-6C8AC4E69E1E}	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04A7252D-5971-483b-A849-6C8AC4E69E1E}\stubpath = "C:\\Windows\\{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe"	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19C20098-7BD6-40de-A6C1-DC550B68EDF1}	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}\stubpath = "C:\\Windows\\{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe"	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B97A70C-2D7F-44aa-B352-4DDB44325824}	{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A076B71C-9E03-4bf9-A0C4-476027A34C13}	{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28F5C98F-B288-4eef-972F-888A7151F8D2}	{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70CF4CE4-E51E-41e4-90CC-6E7723238464}\stubpath = "C:\\Windows\\{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe"	2346f521722ac2exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92E8E78F-62B3-4aeb-B822-B6C1A8686319}\stubpath = "C:\\Windows\\{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe"	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1D8CCC5D-C84C-4939-AD25-012C3082904B}\stubpath = "C:\\Windows\\{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe"	{358D7991-C259-4920-B913-929CDF9D5506}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50D45A93-567C-4c3b-9F93-5BDE02E37050}	{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50D45A93-567C-4c3b-9F93-5BDE02E37050}\stubpath = "C:\\Windows\\{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe"	{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A076B71C-9E03-4bf9-A0C4-476027A34C13}\stubpath = "C:\\Windows\\{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe"	{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{419BE751-F025-4029-8559-1A2BAB0B45E7}	{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe

Deletes itself 1 IoCs

pid	Process
2316	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3064	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe
3012	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe
2988	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe
2056	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe
2052	{358D7991-C259-4920-B913-929CDF9D5506}.exe
2220	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe
2532	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe
1944	{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe
2596	{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe
2668	{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe
3060	{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe
2636	{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe
2504	{419BE751-F025-4029-8559-1A2BAB0B45E7}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe
File created	C:\Windows\{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe	{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe
File created	C:\Windows\{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe	2346f521722ac2exeexeexeex.exe
File created	C:\Windows\{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe
File created	C:\Windows\{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe
File created	C:\Windows\{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe
File created	C:\Windows\{358D7991-C259-4920-B913-929CDF9D5506}.exe	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe
File created	C:\Windows\{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe	{358D7991-C259-4920-B913-929CDF9D5506}.exe
File created	C:\Windows\{419BE751-F025-4029-8559-1A2BAB0B45E7}.exe	{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe
File created	C:\Windows\{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe
File created	C:\Windows\{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe	{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe
File created	C:\Windows\{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe	{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe
File created	C:\Windows\{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe	{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2232	2346f521722ac2exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3064	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe
Token: SeIncBasePriorityPrivilege	3012	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe
Token: SeIncBasePriorityPrivilege	2988	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe
Token: SeIncBasePriorityPrivilege	2056	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe
Token: SeIncBasePriorityPrivilege	2052	{358D7991-C259-4920-B913-929CDF9D5506}.exe
Token: SeIncBasePriorityPrivilege	2220	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe
Token: SeIncBasePriorityPrivilege	2532	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe
Token: SeIncBasePriorityPrivilege	1944	{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe
Token: SeIncBasePriorityPrivilege	2596	{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe
Token: SeIncBasePriorityPrivilege	2668	{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe
Token: SeIncBasePriorityPrivilege	3060	{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe
Token: SeIncBasePriorityPrivilege	2636	{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 3064	2232	2346f521722ac2exeexeexeex.exe	29
PID 2232 wrote to memory of 3064	2232	2346f521722ac2exeexeexeex.exe	29
PID 2232 wrote to memory of 3064	2232	2346f521722ac2exeexeexeex.exe	29
PID 2232 wrote to memory of 3064	2232	2346f521722ac2exeexeexeex.exe	29
PID 2232 wrote to memory of 2316	2232	2346f521722ac2exeexeexeex.exe	30
PID 2232 wrote to memory of 2316	2232	2346f521722ac2exeexeexeex.exe	30
PID 2232 wrote to memory of 2316	2232	2346f521722ac2exeexeexeex.exe	30
PID 2232 wrote to memory of 2316	2232	2346f521722ac2exeexeexeex.exe	30
PID 3064 wrote to memory of 3012	3064	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe	31
PID 3064 wrote to memory of 3012	3064	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe	31
PID 3064 wrote to memory of 3012	3064	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe	31
PID 3064 wrote to memory of 3012	3064	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe	31
PID 3064 wrote to memory of 2904	3064	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe	32
PID 3064 wrote to memory of 2904	3064	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe	32
PID 3064 wrote to memory of 2904	3064	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe	32
PID 3064 wrote to memory of 2904	3064	{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe	32
PID 3012 wrote to memory of 2988	3012	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe	33
PID 3012 wrote to memory of 2988	3012	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe	33
PID 3012 wrote to memory of 2988	3012	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe	33
PID 3012 wrote to memory of 2988	3012	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe	33
PID 3012 wrote to memory of 2224	3012	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe	34
PID 3012 wrote to memory of 2224	3012	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe	34
PID 3012 wrote to memory of 2224	3012	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe	34
PID 3012 wrote to memory of 2224	3012	{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe	34
PID 2988 wrote to memory of 2056	2988	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe	35
PID 2988 wrote to memory of 2056	2988	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe	35
PID 2988 wrote to memory of 2056	2988	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe	35
PID 2988 wrote to memory of 2056	2988	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe	35
PID 2988 wrote to memory of 1496	2988	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe	36
PID 2988 wrote to memory of 1496	2988	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe	36
PID 2988 wrote to memory of 1496	2988	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe	36
PID 2988 wrote to memory of 1496	2988	{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe	36
PID 2056 wrote to memory of 2052	2056	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe	38
PID 2056 wrote to memory of 2052	2056	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe	38
PID 2056 wrote to memory of 2052	2056	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe	38
PID 2056 wrote to memory of 2052	2056	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe	38
PID 2056 wrote to memory of 900	2056	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe	37
PID 2056 wrote to memory of 900	2056	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe	37
PID 2056 wrote to memory of 900	2056	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe	37
PID 2056 wrote to memory of 900	2056	{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe	37
PID 2052 wrote to memory of 2220	2052	{358D7991-C259-4920-B913-929CDF9D5506}.exe	40
PID 2052 wrote to memory of 2220	2052	{358D7991-C259-4920-B913-929CDF9D5506}.exe	40
PID 2052 wrote to memory of 2220	2052	{358D7991-C259-4920-B913-929CDF9D5506}.exe	40
PID 2052 wrote to memory of 2220	2052	{358D7991-C259-4920-B913-929CDF9D5506}.exe	40
PID 2052 wrote to memory of 2208	2052	{358D7991-C259-4920-B913-929CDF9D5506}.exe	39
PID 2052 wrote to memory of 2208	2052	{358D7991-C259-4920-B913-929CDF9D5506}.exe	39
PID 2052 wrote to memory of 2208	2052	{358D7991-C259-4920-B913-929CDF9D5506}.exe	39
PID 2052 wrote to memory of 2208	2052	{358D7991-C259-4920-B913-929CDF9D5506}.exe	39
PID 2220 wrote to memory of 2532	2220	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe	41
PID 2220 wrote to memory of 2532	2220	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe	41
PID 2220 wrote to memory of 2532	2220	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe	41
PID 2220 wrote to memory of 2532	2220	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe	41
PID 2220 wrote to memory of 2264	2220	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe	42
PID 2220 wrote to memory of 2264	2220	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe	42
PID 2220 wrote to memory of 2264	2220	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe	42
PID 2220 wrote to memory of 2264	2220	{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe	42
PID 2532 wrote to memory of 1944	2532	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe	44
PID 2532 wrote to memory of 1944	2532	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe	44
PID 2532 wrote to memory of 1944	2532	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe	44
PID 2532 wrote to memory of 1944	2532	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe	44
PID 2532 wrote to memory of 2740	2532	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe	43
PID 2532 wrote to memory of 2740	2532	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe	43
PID 2532 wrote to memory of 2740	2532	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe	43
PID 2532 wrote to memory of 2740	2532	{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe	43

C:\Users\Admin\AppData\Local\Temp\2346f521722ac2exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2346f521722ac2exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe
  C:\Windows\{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe
    C:\Windows\{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe
      C:\Windows\{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe
        
        C:\Windows\{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92E8E~1.EXE > nul
        6⤵
        
        PID:900
      - C:\Windows\{358D7991-C259-4920-B913-929CDF9D5506}.exe
        
        C:\Windows\{358D7991-C259-4920-B913-929CDF9D5506}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{358D7~1.EXE > nul
        7⤵
        
        PID:2208
        
        C:\Windows\{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe
        
        C:\Windows\{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe
        
        C:\Windows\{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96CC5~1.EXE > nul
        9⤵
        
        PID:2740
        
        C:\Windows\{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe
        
        C:\Windows\{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{15D28~1.EXE > nul
        10⤵
        
        PID:2712
        
        C:\Windows\{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe
        
        C:\Windows\{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe
        
        C:\Windows\{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe
        
        C:\Windows\{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe
        
        C:\Windows\{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\{419BE751-F025-4029-8559-1A2BAB0B45E7}.exe
        
        C:\Windows\{419BE751-F025-4029-8559-1A2BAB0B45E7}.exe
        14⤵
        Executes dropped EXE
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28F5C~1.EXE > nul
        14⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A076B~1.EXE > nul
        13⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B97A~1.EXE > nul
        12⤵
        
        PID:2608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50D45~1.EXE > nul
        11⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1D8CC~1.EXE > nul
        8⤵
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19C20~1.EXE > nul
        5⤵
        
        PID:1496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{04A72~1.EXE > nul
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{70CF4~1.EXE > nul
    3⤵
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2346F5~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe

Filesize
168KB

MD5
e40bc41092f215b36fa7293e85afbada

SHA1
02c114a06500a081844d7116892b423207bf1260

SHA256
eb9499e7595dbf43f189ff61e66e3483f46ba016f462baa642a322d40339eca5

SHA512
8b6900101bba8bcdf6947111c517b2596e3e274ba9ab165f9bf90e8a1a37a9c53320a64e740d3b019a3d561da4b160c3c26d2b5f2c031a23299a6b75c5c7c794

Download Submit
C:\Windows\{04A7252D-5971-483b-A849-6C8AC4E69E1E}.exe

Filesize
168KB

MD5
e40bc41092f215b36fa7293e85afbada

SHA1
02c114a06500a081844d7116892b423207bf1260

SHA256
eb9499e7595dbf43f189ff61e66e3483f46ba016f462baa642a322d40339eca5

SHA512
8b6900101bba8bcdf6947111c517b2596e3e274ba9ab165f9bf90e8a1a37a9c53320a64e740d3b019a3d561da4b160c3c26d2b5f2c031a23299a6b75c5c7c794

Download Submit
C:\Windows\{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe

Filesize
168KB

MD5
30ea5ebb0e56043f0610b9608302ddb2

SHA1
a4b12983bf130eb5e76ab4171ff4d00175988cbf

SHA256
db7ec9f2c666fac3968e7efc93b43ff436fe9ae43caf914bdd902a37c7bef112

SHA512
8dfd1262e3b9027c2144746a99bf1a79248437ed05c80f3e2969c9c5aa33abda6c2d59efdedd6ac46c723cad4ac2c94565b9359143e8a31a045d9fcb9a7b93ff

Download Submit
C:\Windows\{15D28167-6DF3-47d2-AD5E-6CD9CAD57031}.exe

Filesize
168KB

MD5
30ea5ebb0e56043f0610b9608302ddb2

SHA1
a4b12983bf130eb5e76ab4171ff4d00175988cbf

SHA256
db7ec9f2c666fac3968e7efc93b43ff436fe9ae43caf914bdd902a37c7bef112

SHA512
8dfd1262e3b9027c2144746a99bf1a79248437ed05c80f3e2969c9c5aa33abda6c2d59efdedd6ac46c723cad4ac2c94565b9359143e8a31a045d9fcb9a7b93ff

Download Submit
C:\Windows\{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe

Filesize
168KB

MD5
28090c3ce3fdbf072dc3cd142bc2e948

SHA1
ea70e46427c5495350a3ab11287346a47befb5ef

SHA256
b00e10f804a119514b45ce36b3592c3e19a2c28cf48c50dcce0b0f8a98761ee8

SHA512
16d18b2f625bb0b68767c319f2c3d433cc917f6217bcac789dc9a5e47b879e0d60d6517900e52a1bb002fb98be0762f743e4ca042166cd1b712ebb5e0f71eb15

Download Submit
C:\Windows\{19C20098-7BD6-40de-A6C1-DC550B68EDF1}.exe

Filesize
168KB

MD5
28090c3ce3fdbf072dc3cd142bc2e948

SHA1
ea70e46427c5495350a3ab11287346a47befb5ef

SHA256
b00e10f804a119514b45ce36b3592c3e19a2c28cf48c50dcce0b0f8a98761ee8

SHA512
16d18b2f625bb0b68767c319f2c3d433cc917f6217bcac789dc9a5e47b879e0d60d6517900e52a1bb002fb98be0762f743e4ca042166cd1b712ebb5e0f71eb15

Download Submit
C:\Windows\{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe

Filesize
168KB

MD5
77a49e03f384b6cd761ce3429d8c674a

SHA1
d957ee2a3188810d0d6ccdde1eeb665e2c51492f

SHA256
1cdb829f030de15eae14a8317ae5fdecf018ffae9c8db478d93bf6a1284def30

SHA512
14cf4e5e91f21b7604a0e04a49e3bbdea3e54c9589f21c779285373c3864e137d719872b9245393b352b55c38037e553eb0b0e6e8fc2261f76e4c5752ede5121

Download Submit
C:\Windows\{1D8CCC5D-C84C-4939-AD25-012C3082904B}.exe

Filesize
168KB

MD5
77a49e03f384b6cd761ce3429d8c674a

SHA1
d957ee2a3188810d0d6ccdde1eeb665e2c51492f

SHA256
1cdb829f030de15eae14a8317ae5fdecf018ffae9c8db478d93bf6a1284def30

SHA512
14cf4e5e91f21b7604a0e04a49e3bbdea3e54c9589f21c779285373c3864e137d719872b9245393b352b55c38037e553eb0b0e6e8fc2261f76e4c5752ede5121

Download Submit
C:\Windows\{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe

Filesize
168KB

MD5
d2948411499cff9bf608f4c667263f1a

SHA1
dfc4e5c080d287216f19419163c5a3be945c3039

SHA256
ba96e1c7aaf26f44d72ba0318a3a409d1f475c235cce47f10da1efb60d340d9b

SHA512
0f70232aa06f344a777af751f087c625bd5a08c846a801d74d06dfe9932ed321cd161e1413d044f757d9d86bddc68d9367a7c93129e8e8b18780dcc9d8346bdb

Download Submit
C:\Windows\{28F5C98F-B288-4eef-972F-888A7151F8D2}.exe

Filesize
168KB

MD5
d2948411499cff9bf608f4c667263f1a

SHA1
dfc4e5c080d287216f19419163c5a3be945c3039

SHA256
ba96e1c7aaf26f44d72ba0318a3a409d1f475c235cce47f10da1efb60d340d9b

SHA512
0f70232aa06f344a777af751f087c625bd5a08c846a801d74d06dfe9932ed321cd161e1413d044f757d9d86bddc68d9367a7c93129e8e8b18780dcc9d8346bdb

Download Submit
C:\Windows\{358D7991-C259-4920-B913-929CDF9D5506}.exe

Filesize
168KB

MD5
d03309b81995d7e525d580d7d01c4e2c

SHA1
215d6bbbf6c2784fd5eea9d3c05aab4215d4cda4

SHA256
17b9525ece3100998b9becead147840952b4881f7e9943e3d86c388ba80781b2

SHA512
00fa1870b1725511de9b9f56e72a106b4f2a8e37bde7ec1912ba55639943ce2243d84d64bc7681788d31d3f6f6e989f125273e668cbcd9a51be9215194e04d1b

Download Submit
C:\Windows\{358D7991-C259-4920-B913-929CDF9D5506}.exe

Filesize
168KB

MD5
d03309b81995d7e525d580d7d01c4e2c

SHA1
215d6bbbf6c2784fd5eea9d3c05aab4215d4cda4

SHA256
17b9525ece3100998b9becead147840952b4881f7e9943e3d86c388ba80781b2

SHA512
00fa1870b1725511de9b9f56e72a106b4f2a8e37bde7ec1912ba55639943ce2243d84d64bc7681788d31d3f6f6e989f125273e668cbcd9a51be9215194e04d1b

Download Submit
C:\Windows\{419BE751-F025-4029-8559-1A2BAB0B45E7}.exe

Filesize
168KB

MD5
7f2c73f406cfd008d39792dcf9681103

SHA1
958e692a9a7d17120cb701ab67e5901fc70bfe59

SHA256
76a5d8edfe1f0a4698e6cef2ed1a20a6b58fb60e5a1f998d8d175d3ae899345b

SHA512
d85a81cb7b08613d63438d831707a755858e5f1968b6898ed39e068e4cef29b741b79549c6971996f03a63d3434722d52ffbc97a87b032dfbfc7a9255859bce2

Download Submit
C:\Windows\{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe

Filesize
168KB

MD5
a0bde6b3b8dde081e5a1488ad1515bad

SHA1
541556aa554c05a57750afafdbad2de040b95593

SHA256
db9f815d401bcdf03ee8ce8378d4eed7e4a55178eea421044ba5acdabfb81fe3

SHA512
2b7d3c383e3b35aaf0e096ca33436172d4c96f7989b39855417d21380b3174658f007f27898446df521f941457f974a551d8565d21159c794eede247e426ebc3

Download Submit
C:\Windows\{50D45A93-567C-4c3b-9F93-5BDE02E37050}.exe

Filesize
168KB

MD5
a0bde6b3b8dde081e5a1488ad1515bad

SHA1
541556aa554c05a57750afafdbad2de040b95593

SHA256
db9f815d401bcdf03ee8ce8378d4eed7e4a55178eea421044ba5acdabfb81fe3

SHA512
2b7d3c383e3b35aaf0e096ca33436172d4c96f7989b39855417d21380b3174658f007f27898446df521f941457f974a551d8565d21159c794eede247e426ebc3

Download Submit
C:\Windows\{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe

Filesize
168KB

MD5
8ea66af2367efcd5981231704fa879a5

SHA1
f6c1b79d0fa011934511c39bf096a96d42baa72c

SHA256
39c1c4f073989cdddb41ad08d4d767c3f65bbc6b288eb3cc473f206ef1c4d38e

SHA512
ea8ed82aee966fa09ad8c3c7fcc22eaf5ba56d5874fdb78a3a16375261cbb992d3f2f24638051397004c38571af9c5f56f596ff6278a587baa00aeda2b0f5b0a

Download Submit
C:\Windows\{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe

Filesize
168KB

MD5
8ea66af2367efcd5981231704fa879a5

SHA1
f6c1b79d0fa011934511c39bf096a96d42baa72c

SHA256
39c1c4f073989cdddb41ad08d4d767c3f65bbc6b288eb3cc473f206ef1c4d38e

SHA512
ea8ed82aee966fa09ad8c3c7fcc22eaf5ba56d5874fdb78a3a16375261cbb992d3f2f24638051397004c38571af9c5f56f596ff6278a587baa00aeda2b0f5b0a

Download Submit
C:\Windows\{70CF4CE4-E51E-41e4-90CC-6E7723238464}.exe

Filesize
168KB

MD5
8ea66af2367efcd5981231704fa879a5

SHA1
f6c1b79d0fa011934511c39bf096a96d42baa72c

SHA256
39c1c4f073989cdddb41ad08d4d767c3f65bbc6b288eb3cc473f206ef1c4d38e

SHA512
ea8ed82aee966fa09ad8c3c7fcc22eaf5ba56d5874fdb78a3a16375261cbb992d3f2f24638051397004c38571af9c5f56f596ff6278a587baa00aeda2b0f5b0a

Download Submit
C:\Windows\{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe

Filesize
168KB

MD5
9f2a5f11628f24a06b579d019b9abbe1

SHA1
08c90b6c0025dd58e7402d3e418f1acb4310ab72

SHA256
8526882ec2d6b285d37bab6c4c991622e23c2dbc0f99f9f3a739ed8f7613e0a4

SHA512
eb7bc9d6e47ec066a679f5a94c2446e6045a3ecb76b180c9cd9f676f018254c98c876848be8e8d0bff58f66cb6b40f1081b938b871fb3e78688f840efe478bff

Download Submit
C:\Windows\{8B97A70C-2D7F-44aa-B352-4DDB44325824}.exe

Filesize
168KB

MD5
9f2a5f11628f24a06b579d019b9abbe1

SHA1
08c90b6c0025dd58e7402d3e418f1acb4310ab72

SHA256
8526882ec2d6b285d37bab6c4c991622e23c2dbc0f99f9f3a739ed8f7613e0a4

SHA512
eb7bc9d6e47ec066a679f5a94c2446e6045a3ecb76b180c9cd9f676f018254c98c876848be8e8d0bff58f66cb6b40f1081b938b871fb3e78688f840efe478bff

Download Submit
C:\Windows\{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe

Filesize
168KB

MD5
01feec40b2ff7f17df00b63fbd216e8a

SHA1
fb27ee67ca94cfa5ef3f51383195252d0ba2aaad

SHA256
ccee29d2728dddb7992d54d24cd22ab626462ab079bfe003cecf6583dfbc41e1

SHA512
5239cdffd404d93ffb5b3e215bd465b907814a49ed34db711c4cd7b82e629a5a5c96754d73bce9320ba8c09dac2958cef9221bd66598e3154a2a2e4985e82476

Download Submit
C:\Windows\{92E8E78F-62B3-4aeb-B822-B6C1A8686319}.exe

Filesize
168KB

MD5
01feec40b2ff7f17df00b63fbd216e8a

SHA1
fb27ee67ca94cfa5ef3f51383195252d0ba2aaad

SHA256
ccee29d2728dddb7992d54d24cd22ab626462ab079bfe003cecf6583dfbc41e1

SHA512
5239cdffd404d93ffb5b3e215bd465b907814a49ed34db711c4cd7b82e629a5a5c96754d73bce9320ba8c09dac2958cef9221bd66598e3154a2a2e4985e82476

Download Submit
C:\Windows\{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe

Filesize
168KB

MD5
3f37bc95d39c63cb8dee339801210f11

SHA1
ab9968b321a9799a7b7f6f7adf308e87b37f81c1

SHA256
bf42b3ce08944c0e3157fa4b98443d17468ba0cab4c1425540a5cf3497579dcd

SHA512
ac2852b0cbe63085ddf4fff02e67b9b9b1dbb3c244c0542b4cfa8a9cf60c639332969c3ea6a87599ed9de8292a1ad8d198f7fa542494aefa8ca040a0d4390ae4

Download Submit
C:\Windows\{96CC504D-F3F7-443b-A3F7-C8AC32C165E4}.exe

Filesize
168KB

MD5
3f37bc95d39c63cb8dee339801210f11

SHA1
ab9968b321a9799a7b7f6f7adf308e87b37f81c1

SHA256
bf42b3ce08944c0e3157fa4b98443d17468ba0cab4c1425540a5cf3497579dcd

SHA512
ac2852b0cbe63085ddf4fff02e67b9b9b1dbb3c244c0542b4cfa8a9cf60c639332969c3ea6a87599ed9de8292a1ad8d198f7fa542494aefa8ca040a0d4390ae4

Download Submit
C:\Windows\{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe

Filesize
168KB

MD5
378c6507419b6730ec47122c1f8701ae

SHA1
db88622ffb82c8ab270729e99b0b33069c484d74

SHA256
02ed4fc55178797668992eb9b3442cf72346d146bb702a1594882b696b7dd33f

SHA512
3b1a3722cf6815172944379e3169fa373a12fd8ca883862a0bf94bb2ab719efcc2dc27582b06d5bdd3c041e330981105ba86c7cc0fb66445160c867705d6c6ed

Download Submit
C:\Windows\{A076B71C-9E03-4bf9-A0C4-476027A34C13}.exe

Filesize
168KB

MD5
378c6507419b6730ec47122c1f8701ae

SHA1
db88622ffb82c8ab270729e99b0b33069c484d74

SHA256
02ed4fc55178797668992eb9b3442cf72346d146bb702a1594882b696b7dd33f

SHA512
3b1a3722cf6815172944379e3169fa373a12fd8ca883862a0bf94bb2ab719efcc2dc27582b06d5bdd3c041e330981105ba86c7cc0fb66445160c867705d6c6ed

Download Submit