292ead2839bc4dc109e41bc1da65ad1cad8e24c8f6c8a2c6bf8e957f3317bacb

Analysis

max time kernel
150s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2023, 11:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2346f521722ac2exeexeexeex.exe
Size

168KB
MD5

2346f521722ac29398dfd1c23f28ee6c
SHA1

2caef4ddc31d6973fd851f50ae7e4e4e508de7e3
SHA256

292ead2839bc4dc109e41bc1da65ad1cad8e24c8f6c8a2c6bf8e957f3317bacb
SHA512

307aa06bc2a99f1e5447bdc8e39c28079298de9b3f368041d8cb6c55705950868d05842be646f9c2ffe68f9bdc35ec15763026dcca8205e71f05b1b4de8b13e6
SSDEEP

1536:1EGh0o9lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o9lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}\stubpath = "C:\\Windows\\{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe"	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C64931AD-9850-406d-B7FC-47B93B8B8C5C}\stubpath = "C:\\Windows\\{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe"	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}	{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0140545D-187C-401e-873B-F4C35A45E570}\stubpath = "C:\\Windows\\{0140545D-187C-401e-873B-F4C35A45E570}.exe"	{94581A3C-C431-4602-89C3-01DF45B03846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}	{0140545D-187C-401e-873B-F4C35A45E570}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60DCF512-C225-464e-93FE-02BD7E65EC8C}	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{60DCF512-C225-464e-93FE-02BD7E65EC8C}\stubpath = "C:\\Windows\\{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe"	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0140545D-187C-401e-873B-F4C35A45E570}	{94581A3C-C431-4602-89C3-01DF45B03846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{183489B9-63D4-4de2-966E-F5FBF6CD4335}	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}\stubpath = "C:\\Windows\\{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe"	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{828D8EA8-2B7E-4285-9A4E-CB0D436A244F}	{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C64931AD-9850-406d-B7FC-47B93B8B8C5C}	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}\stubpath = "C:\\Windows\\{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe"	{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{828D8EA8-2B7E-4285-9A4E-CB0D436A244F}\stubpath = "C:\\Windows\\{828D8EA8-2B7E-4285-9A4E-CB0D436A244F}.exe"	{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94581A3C-C431-4602-89C3-01DF45B03846}	2346f521722ac2exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}\stubpath = "C:\\Windows\\{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe"	{0140545D-187C-401e-873B-F4C35A45E570}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{183489B9-63D4-4de2-966E-F5FBF6CD4335}\stubpath = "C:\\Windows\\{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe"	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94581A3C-C431-4602-89C3-01DF45B03846}\stubpath = "C:\\Windows\\{94581A3C-C431-4602-89C3-01DF45B03846}.exe"	2346f521722ac2exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}\stubpath = "C:\\Windows\\{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe"	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57BE6884-AD70-486e-BE05-A25DCE84B5D0}	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{57BE6884-AD70-486e-BE05-A25DCE84B5D0}\stubpath = "C:\\Windows\\{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe"	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe

Executes dropped EXE 12 IoCs

pid	Process
4348	{94581A3C-C431-4602-89C3-01DF45B03846}.exe
5108	{0140545D-187C-401e-873B-F4C35A45E570}.exe
1544	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe
3316	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe
3828	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe
1140	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe
1820	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe
2992	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe
4008	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe
1172	{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe
8	{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe
1156	{828D8EA8-2B7E-4285-9A4E-CB0D436A244F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe
File created	C:\Windows\{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe
File created	C:\Windows\{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe	{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe
File created	C:\Windows\{94581A3C-C431-4602-89C3-01DF45B03846}.exe	2346f521722ac2exeexeexeex.exe
File created	C:\Windows\{0140545D-187C-401e-873B-F4C35A45E570}.exe	{94581A3C-C431-4602-89C3-01DF45B03846}.exe
File created	C:\Windows\{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe	{0140545D-187C-401e-873B-F4C35A45E570}.exe
File created	C:\Windows\{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe
File created	C:\Windows\{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe
File created	C:\Windows\{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe
File created	C:\Windows\{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe
File created	C:\Windows\{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe
File created	C:\Windows\{828D8EA8-2B7E-4285-9A4E-CB0D436A244F}.exe	{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4568	2346f521722ac2exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4348	{94581A3C-C431-4602-89C3-01DF45B03846}.exe
Token: SeIncBasePriorityPrivilege	5108	{0140545D-187C-401e-873B-F4C35A45E570}.exe
Token: SeIncBasePriorityPrivilege	1544	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe
Token: SeIncBasePriorityPrivilege	3316	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe
Token: SeIncBasePriorityPrivilege	3828	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe
Token: SeIncBasePriorityPrivilege	1140	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe
Token: SeIncBasePriorityPrivilege	1820	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe
Token: SeIncBasePriorityPrivilege	2992	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe
Token: SeIncBasePriorityPrivilege	4008	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe
Token: SeIncBasePriorityPrivilege	1172	{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe
Token: SeIncBasePriorityPrivilege	8	{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4568 wrote to memory of 4348	4568	2346f521722ac2exeexeexeex.exe	79
PID 4568 wrote to memory of 4348	4568	2346f521722ac2exeexeexeex.exe	79
PID 4568 wrote to memory of 4348	4568	2346f521722ac2exeexeexeex.exe	79
PID 4568 wrote to memory of 2076	4568	2346f521722ac2exeexeexeex.exe	80
PID 4568 wrote to memory of 2076	4568	2346f521722ac2exeexeexeex.exe	80
PID 4568 wrote to memory of 2076	4568	2346f521722ac2exeexeexeex.exe	80
PID 4348 wrote to memory of 5108	4348	{94581A3C-C431-4602-89C3-01DF45B03846}.exe	81
PID 4348 wrote to memory of 5108	4348	{94581A3C-C431-4602-89C3-01DF45B03846}.exe	81
PID 4348 wrote to memory of 5108	4348	{94581A3C-C431-4602-89C3-01DF45B03846}.exe	81
PID 4348 wrote to memory of 4644	4348	{94581A3C-C431-4602-89C3-01DF45B03846}.exe	82
PID 4348 wrote to memory of 4644	4348	{94581A3C-C431-4602-89C3-01DF45B03846}.exe	82
PID 4348 wrote to memory of 4644	4348	{94581A3C-C431-4602-89C3-01DF45B03846}.exe	82
PID 5108 wrote to memory of 1544	5108	{0140545D-187C-401e-873B-F4C35A45E570}.exe	83
PID 5108 wrote to memory of 1544	5108	{0140545D-187C-401e-873B-F4C35A45E570}.exe	83
PID 5108 wrote to memory of 1544	5108	{0140545D-187C-401e-873B-F4C35A45E570}.exe	83
PID 5108 wrote to memory of 3736	5108	{0140545D-187C-401e-873B-F4C35A45E570}.exe	84
PID 5108 wrote to memory of 3736	5108	{0140545D-187C-401e-873B-F4C35A45E570}.exe	84
PID 5108 wrote to memory of 3736	5108	{0140545D-187C-401e-873B-F4C35A45E570}.exe	84
PID 1544 wrote to memory of 3316	1544	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe	85
PID 1544 wrote to memory of 3316	1544	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe	85
PID 1544 wrote to memory of 3316	1544	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe	85
PID 1544 wrote to memory of 3296	1544	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe	86
PID 1544 wrote to memory of 3296	1544	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe	86
PID 1544 wrote to memory of 3296	1544	{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe	86
PID 3316 wrote to memory of 3828	3316	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe	87
PID 3316 wrote to memory of 3828	3316	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe	87
PID 3316 wrote to memory of 3828	3316	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe	87
PID 3316 wrote to memory of 2908	3316	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe	88
PID 3316 wrote to memory of 2908	3316	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe	88
PID 3316 wrote to memory of 2908	3316	{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe	88
PID 3828 wrote to memory of 1140	3828	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe	89
PID 3828 wrote to memory of 1140	3828	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe	89
PID 3828 wrote to memory of 1140	3828	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe	89
PID 3828 wrote to memory of 1312	3828	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe	90
PID 3828 wrote to memory of 1312	3828	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe	90
PID 3828 wrote to memory of 1312	3828	{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe	90
PID 1140 wrote to memory of 1820	1140	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe	91
PID 1140 wrote to memory of 1820	1140	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe	91
PID 1140 wrote to memory of 1820	1140	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe	91
PID 1140 wrote to memory of 2880	1140	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe	92
PID 1140 wrote to memory of 2880	1140	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe	92
PID 1140 wrote to memory of 2880	1140	{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe	92
PID 1820 wrote to memory of 2992	1820	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe	93
PID 1820 wrote to memory of 2992	1820	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe	93
PID 1820 wrote to memory of 2992	1820	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe	93
PID 1820 wrote to memory of 4604	1820	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe	94
PID 1820 wrote to memory of 4604	1820	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe	94
PID 1820 wrote to memory of 4604	1820	{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe	94
PID 2992 wrote to memory of 4008	2992	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe	95
PID 2992 wrote to memory of 4008	2992	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe	95
PID 2992 wrote to memory of 4008	2992	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe	95
PID 2992 wrote to memory of 2664	2992	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe	96
PID 2992 wrote to memory of 2664	2992	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe	96
PID 2992 wrote to memory of 2664	2992	{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe	96
PID 4008 wrote to memory of 1172	4008	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe	97
PID 4008 wrote to memory of 1172	4008	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe	97
PID 4008 wrote to memory of 1172	4008	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe	97
PID 4008 wrote to memory of 2808	4008	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe	98
PID 4008 wrote to memory of 2808	4008	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe	98
PID 4008 wrote to memory of 2808	4008	{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe	98
PID 1172 wrote to memory of 8	1172	{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe	99
PID 1172 wrote to memory of 8	1172	{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe	99
PID 1172 wrote to memory of 8	1172	{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe	99
PID 1172 wrote to memory of 4928	1172	{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe	100

C:\Users\Admin\AppData\Local\Temp\2346f521722ac2exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\2346f521722ac2exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568
- C:\Windows\{94581A3C-C431-4602-89C3-01DF45B03846}.exe
  C:\Windows\{94581A3C-C431-4602-89C3-01DF45B03846}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\{0140545D-187C-401e-873B-F4C35A45E570}.exe
    C:\Windows\{0140545D-187C-401e-873B-F4C35A45E570}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5108
  - - C:\Windows\{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe
      C:\Windows\{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1544
    - - C:\Windows\{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe
        
        C:\Windows\{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
      - C:\Windows\{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe
        
        C:\Windows\{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe
        
        C:\Windows\{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe
        
        C:\Windows\{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1820
        
        C:\Windows\{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe
        
        C:\Windows\{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe
        
        C:\Windows\{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe
        
        C:\Windows\{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe
        
        C:\Windows\{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
        
        C:\Windows\{828D8EA8-2B7E-4285-9A4E-CB0D436A244F}.exe
        
        C:\Windows\{828D8EA8-2B7E-4285-9A4E-CB0D436A244F}.exe
        13⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{490A3~1.EXE > nul
        13⤵
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57BE6~1.EXE > nul
        12⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{435F9~1.EXE > nul
        11⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6493~1.EXE > nul
        10⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97D02~1.EXE > nul
        9⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A13E7~1.EXE > nul
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18348~1.EXE > nul
        7⤵
        
        PID:1312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60DCF~1.EXE > nul
        6⤵
        
        PID:2908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEBB3~1.EXE > nul
        5⤵
        
        PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{01405~1.EXE > nul
      4⤵
      PID:3736
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{94581~1.EXE > nul
    3⤵
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2346F5~1.EXE > nul
  2⤵
  PID:2076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0140545D-187C-401e-873B-F4C35A45E570}.exe

Filesize
168KB

MD5
9a98e8287b7e39578ae32fc764861165

SHA1
abaecc0c8387071408c53f2f6b17298f488bb2f0

SHA256
83eebb87f2d946ed8e8946630d81a8df08d67f88edebc7e7b449aed378b664d4

SHA512
003790070a26161352f27f16e674578f9243980c223d6e961a1269d1df816d06a751764f08278e3ba9d15e1decf23e2bd097831682073e326f179273196f46bd

Download Submit
C:\Windows\{0140545D-187C-401e-873B-F4C35A45E570}.exe

Filesize
168KB

MD5
9a98e8287b7e39578ae32fc764861165

SHA1
abaecc0c8387071408c53f2f6b17298f488bb2f0

SHA256
83eebb87f2d946ed8e8946630d81a8df08d67f88edebc7e7b449aed378b664d4

SHA512
003790070a26161352f27f16e674578f9243980c223d6e961a1269d1df816d06a751764f08278e3ba9d15e1decf23e2bd097831682073e326f179273196f46bd

Download Submit
C:\Windows\{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe

Filesize
168KB

MD5
54bfede5406b54eb0ed663ea4a83a60c

SHA1
ea474fd7e0b34f99369e62f46d2e389998b46097

SHA256
f189e8cfebc651bb14101255eeb2e4a95ee210d7c790753b7dfc30c4da2949d3

SHA512
9aa70b39bb4426dbced46b4024caa1949bdf854be93ea1aaa45916b97591248a64abef29d5bfed5212b9d0a625ece4f78c9e028f2676e48ea317e35efe08d62b

Download Submit
C:\Windows\{183489B9-63D4-4de2-966E-F5FBF6CD4335}.exe

Filesize
168KB

MD5
54bfede5406b54eb0ed663ea4a83a60c

SHA1
ea474fd7e0b34f99369e62f46d2e389998b46097

SHA256
f189e8cfebc651bb14101255eeb2e4a95ee210d7c790753b7dfc30c4da2949d3

SHA512
9aa70b39bb4426dbced46b4024caa1949bdf854be93ea1aaa45916b97591248a64abef29d5bfed5212b9d0a625ece4f78c9e028f2676e48ea317e35efe08d62b

Download Submit
C:\Windows\{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe

Filesize
168KB

MD5
c0ba18a0fec3829eac599630356ff39e

SHA1
e2ecd6aac59fe3e0e4a4a98e10ec0668fb70d546

SHA256
bb72cc4fa31a65e3d3217e79023ef756932dd4a84887fcb7369ffba3266d3eac

SHA512
734e662b3db587a9b328328d2c0faeb7b22d7646aa9ac3ab798ae646b71db0e512d1f856052f58d387ab13d0f108b1ad84161ce509b8034485e26457b12ab584

Download Submit
C:\Windows\{435F9A36-5D67-4f41-BE83-0A7ECF76F4D8}.exe

Filesize
168KB

MD5
c0ba18a0fec3829eac599630356ff39e

SHA1
e2ecd6aac59fe3e0e4a4a98e10ec0668fb70d546

SHA256
bb72cc4fa31a65e3d3217e79023ef756932dd4a84887fcb7369ffba3266d3eac

SHA512
734e662b3db587a9b328328d2c0faeb7b22d7646aa9ac3ab798ae646b71db0e512d1f856052f58d387ab13d0f108b1ad84161ce509b8034485e26457b12ab584

Download Submit
C:\Windows\{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe

Filesize
168KB

MD5
2362b7f0d12147a0803793d13cda35bb

SHA1
b730e8b3d6ed9c03744bc9ed25bec35809a2046b

SHA256
a7b97e62ea6e66dd77d97793b89042794a5077ff792de838167c6961d8efe975

SHA512
dc7a82a4500b109771393ea3a957cfce46582d4b21bd4d134b15740053d4c21524e0bd271610e1f0f65c01c2ed20378d6bbe56f4c0231ce646078f54bd54fbfb

Download Submit
C:\Windows\{490A3E0A-FB7B-44e2-A09B-374C1CFE16A9}.exe

Filesize
168KB

MD5
2362b7f0d12147a0803793d13cda35bb

SHA1
b730e8b3d6ed9c03744bc9ed25bec35809a2046b

SHA256
a7b97e62ea6e66dd77d97793b89042794a5077ff792de838167c6961d8efe975

SHA512
dc7a82a4500b109771393ea3a957cfce46582d4b21bd4d134b15740053d4c21524e0bd271610e1f0f65c01c2ed20378d6bbe56f4c0231ce646078f54bd54fbfb

Download Submit
C:\Windows\{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe

Filesize
168KB

MD5
59b17ef2b0e5a76283a9d91de843a01d

SHA1
e11a15473aaa1d64ae5752d83c2d6adb2c79153b

SHA256
7f5a6142b395a373e67c7cf3a74e702435585e03db94a245a84048ff40c8a3d9

SHA512
156d292b26b8f25a6a8d2f2accbd91037be92fd443abfd1104e78907a4cd096c023eb12ed9cb659613370fbb89ae7ca60f8ca31184e83db8b8bc987130cd001f

Download Submit
C:\Windows\{57BE6884-AD70-486e-BE05-A25DCE84B5D0}.exe

Filesize
168KB

MD5
59b17ef2b0e5a76283a9d91de843a01d

SHA1
e11a15473aaa1d64ae5752d83c2d6adb2c79153b

SHA256
7f5a6142b395a373e67c7cf3a74e702435585e03db94a245a84048ff40c8a3d9

SHA512
156d292b26b8f25a6a8d2f2accbd91037be92fd443abfd1104e78907a4cd096c023eb12ed9cb659613370fbb89ae7ca60f8ca31184e83db8b8bc987130cd001f

Download Submit
C:\Windows\{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe

Filesize
168KB

MD5
b9ffd7a59e654371ef4604ff61532602

SHA1
01acfeea57b99c8ae3f858c3d5d8b86cafcc37fe

SHA256
348f0e8b8e17a15f315e8cfe9ade548ce55dcc81aa8e33d77905961355779cb6

SHA512
a87012fe95f14e7b8bdd0417641fff668d0e608c52edfb63d61a34d75768cfe5d6b53802a5f206595528116dd3624f4a4fbea1aa61d5b745826bef66cf40a70d

Download Submit
C:\Windows\{60DCF512-C225-464e-93FE-02BD7E65EC8C}.exe

Filesize
168KB

MD5
b9ffd7a59e654371ef4604ff61532602

SHA1
01acfeea57b99c8ae3f858c3d5d8b86cafcc37fe

SHA256
348f0e8b8e17a15f315e8cfe9ade548ce55dcc81aa8e33d77905961355779cb6

SHA512
a87012fe95f14e7b8bdd0417641fff668d0e608c52edfb63d61a34d75768cfe5d6b53802a5f206595528116dd3624f4a4fbea1aa61d5b745826bef66cf40a70d

Download Submit
C:\Windows\{828D8EA8-2B7E-4285-9A4E-CB0D436A244F}.exe

Filesize
168KB

MD5
271753e4be43264d3c179103a54b8571

SHA1
5bcd2c0cb9face762c1aec1b62b05095cbb31ff6

SHA256
c711bc01b535e7a8faa8c97b0a17ecd7f6b8ee574e62bdca109bbe63785dbd37

SHA512
9bf716ae7c919a7fa6398f0deea08e100a69596a4f75c83b2545024ee511e99d0660f59d1607016285ebd84f287740bf1f17d4c32d68285cabc10e10d9933a8c

Download Submit
C:\Windows\{828D8EA8-2B7E-4285-9A4E-CB0D436A244F}.exe

Filesize
168KB

MD5
271753e4be43264d3c179103a54b8571

SHA1
5bcd2c0cb9face762c1aec1b62b05095cbb31ff6

SHA256
c711bc01b535e7a8faa8c97b0a17ecd7f6b8ee574e62bdca109bbe63785dbd37

SHA512
9bf716ae7c919a7fa6398f0deea08e100a69596a4f75c83b2545024ee511e99d0660f59d1607016285ebd84f287740bf1f17d4c32d68285cabc10e10d9933a8c

Download Submit
C:\Windows\{94581A3C-C431-4602-89C3-01DF45B03846}.exe

Filesize
168KB

MD5
56f1f4164b3e05ed6149443d1f7aefdd

SHA1
91b9207df82859cda721a70fe02a1df664ffde16

SHA256
22059129fbec4d2dfd37e3b81c433e41b6a5ad5146bbdb5496daadea0db3f90e

SHA512
be2ee6bfe4c64295c49220b5bbb60bd1fdf385af8e4759ab97b0aa1df5d92a6290b040ff1c66aeaa98217a30b85f82461f0678487a56c73095c7c779b2b1ac25

Download Submit
C:\Windows\{94581A3C-C431-4602-89C3-01DF45B03846}.exe

Filesize
168KB

MD5
56f1f4164b3e05ed6149443d1f7aefdd

SHA1
91b9207df82859cda721a70fe02a1df664ffde16

SHA256
22059129fbec4d2dfd37e3b81c433e41b6a5ad5146bbdb5496daadea0db3f90e

SHA512
be2ee6bfe4c64295c49220b5bbb60bd1fdf385af8e4759ab97b0aa1df5d92a6290b040ff1c66aeaa98217a30b85f82461f0678487a56c73095c7c779b2b1ac25

Download Submit
C:\Windows\{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe

Filesize
168KB

MD5
ea2d1fe138d78f99822bb5ff77de084a

SHA1
388803949444452e580d0b90141b2382a0f9ea7b

SHA256
e232636349a26ad359db6f7bd6285b01d7d268f9766d889e9636935d3a272a5b

SHA512
3a5a2de921b046ea2ec32f8447c764af2be5fbef0a8baace1023e906317aad717b83deb1b44dbaf897ce7d8a9da5aec64256c0333426e812ef0ae84ed3abfd66

Download Submit
C:\Windows\{97D026DE-C7BD-4360-9170-6B2F4C1DEC89}.exe

Filesize
168KB

MD5
ea2d1fe138d78f99822bb5ff77de084a

SHA1
388803949444452e580d0b90141b2382a0f9ea7b

SHA256
e232636349a26ad359db6f7bd6285b01d7d268f9766d889e9636935d3a272a5b

SHA512
3a5a2de921b046ea2ec32f8447c764af2be5fbef0a8baace1023e906317aad717b83deb1b44dbaf897ce7d8a9da5aec64256c0333426e812ef0ae84ed3abfd66

Download Submit
C:\Windows\{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe

Filesize
168KB

MD5
00d66da535bc3b0e0f186f77e7df77ed

SHA1
57445b070442ddc69d356fd958c830ecdbe3c659

SHA256
388147bda06fc79fbbb24c468cfb2d1bc7726063f0f1c2d1ca202797a52e6831

SHA512
bcfb30e694a7ae1349f86d88d5f1a98a5855646337c6a9b767ccba21226b69d644de1e0682b0727cd3d36c731336be9af6576fce3deb3cc670bf56dca66ea7c3

Download Submit
C:\Windows\{A13E7C3E-77FB-4967-802F-DDBEAF1A2312}.exe

Filesize
168KB

MD5
00d66da535bc3b0e0f186f77e7df77ed

SHA1
57445b070442ddc69d356fd958c830ecdbe3c659

SHA256
388147bda06fc79fbbb24c468cfb2d1bc7726063f0f1c2d1ca202797a52e6831

SHA512
bcfb30e694a7ae1349f86d88d5f1a98a5855646337c6a9b767ccba21226b69d644de1e0682b0727cd3d36c731336be9af6576fce3deb3cc670bf56dca66ea7c3

Download Submit
C:\Windows\{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe

Filesize
168KB

MD5
8480d05b0fd3a9e5775b2fb07474b368

SHA1
37c4c9bcda52927dc3b4822259a2085a48d5ad3a

SHA256
cfe2572120bbe500b1b83bff4bba33dc0b3b4f5789f04da74e714501c9d70436

SHA512
b888e3dfe6062ab49638e4589ed07171c1ea534d21e978bc8025f3013f34e4f9d019f1f534d442998a3126501439d56045a2a09490b78056f15c788bf36b1eb7

Download Submit
C:\Windows\{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe

Filesize
168KB

MD5
8480d05b0fd3a9e5775b2fb07474b368

SHA1
37c4c9bcda52927dc3b4822259a2085a48d5ad3a

SHA256
cfe2572120bbe500b1b83bff4bba33dc0b3b4f5789f04da74e714501c9d70436

SHA512
b888e3dfe6062ab49638e4589ed07171c1ea534d21e978bc8025f3013f34e4f9d019f1f534d442998a3126501439d56045a2a09490b78056f15c788bf36b1eb7

Download Submit
C:\Windows\{AEBB3988-6CAF-457c-A751-E2722F3B0FB2}.exe

Filesize
168KB

MD5
8480d05b0fd3a9e5775b2fb07474b368

SHA1
37c4c9bcda52927dc3b4822259a2085a48d5ad3a

SHA256
cfe2572120bbe500b1b83bff4bba33dc0b3b4f5789f04da74e714501c9d70436

SHA512
b888e3dfe6062ab49638e4589ed07171c1ea534d21e978bc8025f3013f34e4f9d019f1f534d442998a3126501439d56045a2a09490b78056f15c788bf36b1eb7

Download Submit
C:\Windows\{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe

Filesize
168KB

MD5
14898384d7f659145e751708c263b18f

SHA1
568d929eb4437d51d9a42cfe765b7abb64a06cbf

SHA256
9240abf98f6c42d2e391964a2f48a84265bb884baa05fa38b57dd590b5d610f1

SHA512
cbc665767cbccff6a77d88a9e57fd3b58830401138db42d50c1d4994a0b463af9b6900fa36f1181645b5ad251b5037528984c70a21dd811226f25ae4311e28b8

Download Submit
C:\Windows\{C64931AD-9850-406d-B7FC-47B93B8B8C5C}.exe

Filesize
168KB

MD5
14898384d7f659145e751708c263b18f

SHA1
568d929eb4437d51d9a42cfe765b7abb64a06cbf

SHA256
9240abf98f6c42d2e391964a2f48a84265bb884baa05fa38b57dd590b5d610f1

SHA512
cbc665767cbccff6a77d88a9e57fd3b58830401138db42d50c1d4994a0b463af9b6900fa36f1181645b5ad251b5037528984c70a21dd811226f25ae4311e28b8

Download Submit