5c3842d12b554badd98b28bdce75bab1cbdd8d377d99d6624f44ed2b43b2a614

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2023, 18:16

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d98b5cc38a1bdaexeexeexeex.exe
Size

192KB
MD5

d98b5cc38a1bdafb551907701cc0a18a
SHA1

af31d676a5c03bfa7a9d2c41daaa91c72a1660d5
SHA256

5c3842d12b554badd98b28bdce75bab1cbdd8d377d99d6624f44ed2b43b2a614
SHA512

f786f95a12571c924e91a2f10e491922e405cd922a4660b1b2fafa587403f13c5b7018833d4dd31b38a8a78fb88e91fa6ef9ae7be7dd9a53c938a167e60db78c
SSDEEP

1536:1EGh0oYLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0okl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CFCB473-54FA-4cd7-AAE5-735E226379CF}\stubpath = "C:\\Windows\\{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe"	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A8C0AD-6896-4b4d-883B-6BE957199927}	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66A8C0AD-6896-4b4d-883B-6BE957199927}\stubpath = "C:\\Windows\\{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe"	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{491EEE24-AC81-4c35-86C6-33E3048ADD2F}\stubpath = "C:\\Windows\\{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe"	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{888AC52D-AECD-46e6-8DA4-904CC2329DDC}\stubpath = "C:\\Windows\\{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe"	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}\stubpath = "C:\\Windows\\{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe"	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A913B38B-DF69-4625-8D79-08CFB792B334}	{71409A30-638E-43e2-8331-396615299122}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{870362B9-60AB-4714-B337-AF1DC23D8CFA}\stubpath = "C:\\Windows\\{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe"	d98b5cc38a1bdaexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36C98C1C-F12E-4fb0-99A5-339B19523FCC}	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}\stubpath = "C:\\Windows\\{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe"	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71409A30-638E-43e2-8331-396615299122}\stubpath = "C:\\Windows\\{71409A30-638E-43e2-8331-396615299122}.exe"	{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A913B38B-DF69-4625-8D79-08CFB792B334}\stubpath = "C:\\Windows\\{A913B38B-DF69-4625-8D79-08CFB792B334}.exe"	{71409A30-638E-43e2-8331-396615299122}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}\stubpath = "C:\\Windows\\{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe"	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{870362B9-60AB-4714-B337-AF1DC23D8CFA}	d98b5cc38a1bdaexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{491EEE24-AC81-4c35-86C6-33E3048ADD2F}	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8CFCB473-54FA-4cd7-AAE5-735E226379CF}	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{888AC52D-AECD-46e6-8DA4-904CC2329DDC}	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36C98C1C-F12E-4fb0-99A5-339B19523FCC}\stubpath = "C:\\Windows\\{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe"	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}\stubpath = "C:\\Windows\\{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe"	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71409A30-638E-43e2-8331-396615299122}	{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe

Executes dropped EXE 12 IoCs

pid	Process
4696	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe
2968	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe
324	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe
2944	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe
3488	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe
2720	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe
3732	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe
1876	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe
444	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe
1320	{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe
1732	{71409A30-638E-43e2-8331-396615299122}.exe
264	{A913B38B-DF69-4625-8D79-08CFB792B334}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe
File created	C:\Windows\{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe
File created	C:\Windows\{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe
File created	C:\Windows\{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe
File created	C:\Windows\{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe
File created	C:\Windows\{A913B38B-DF69-4625-8D79-08CFB792B334}.exe	{71409A30-638E-43e2-8331-396615299122}.exe
File created	C:\Windows\{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe	d98b5cc38a1bdaexeexeexeex.exe
File created	C:\Windows\{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe
File created	C:\Windows\{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe
File created	C:\Windows\{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe
File created	C:\Windows\{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe
File created	C:\Windows\{71409A30-638E-43e2-8331-396615299122}.exe	{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2120	d98b5cc38a1bdaexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	4696	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe
Token: SeIncBasePriorityPrivilege	2968	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe
Token: SeIncBasePriorityPrivilege	324	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe
Token: SeIncBasePriorityPrivilege	2944	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe
Token: SeIncBasePriorityPrivilege	3488	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe
Token: SeIncBasePriorityPrivilege	2720	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe
Token: SeIncBasePriorityPrivilege	3732	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe
Token: SeIncBasePriorityPrivilege	1876	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe
Token: SeIncBasePriorityPrivilege	444	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe
Token: SeIncBasePriorityPrivilege	1320	{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe
Token: SeIncBasePriorityPrivilege	1732	{71409A30-638E-43e2-8331-396615299122}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2120 wrote to memory of 4696	2120	d98b5cc38a1bdaexeexeexeex.exe	84
PID 2120 wrote to memory of 4696	2120	d98b5cc38a1bdaexeexeexeex.exe	84
PID 2120 wrote to memory of 4696	2120	d98b5cc38a1bdaexeexeexeex.exe	84
PID 2120 wrote to memory of 2260	2120	d98b5cc38a1bdaexeexeexeex.exe	85
PID 2120 wrote to memory of 2260	2120	d98b5cc38a1bdaexeexeexeex.exe	85
PID 2120 wrote to memory of 2260	2120	d98b5cc38a1bdaexeexeexeex.exe	85
PID 4696 wrote to memory of 2968	4696	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe	86
PID 4696 wrote to memory of 2968	4696	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe	86
PID 4696 wrote to memory of 2968	4696	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe	86
PID 4696 wrote to memory of 2972	4696	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe	87
PID 4696 wrote to memory of 2972	4696	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe	87
PID 4696 wrote to memory of 2972	4696	{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe	87
PID 2968 wrote to memory of 324	2968	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe	91
PID 2968 wrote to memory of 324	2968	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe	91
PID 2968 wrote to memory of 324	2968	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe	91
PID 2968 wrote to memory of 4160	2968	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe	92
PID 2968 wrote to memory of 4160	2968	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe	92
PID 2968 wrote to memory of 4160	2968	{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe	92
PID 324 wrote to memory of 2944	324	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe	93
PID 324 wrote to memory of 2944	324	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe	93
PID 324 wrote to memory of 2944	324	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe	93
PID 324 wrote to memory of 4212	324	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe	94
PID 324 wrote to memory of 4212	324	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe	94
PID 324 wrote to memory of 4212	324	{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe	94
PID 2944 wrote to memory of 3488	2944	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe	95
PID 2944 wrote to memory of 3488	2944	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe	95
PID 2944 wrote to memory of 3488	2944	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe	95
PID 2944 wrote to memory of 2308	2944	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe	96
PID 2944 wrote to memory of 2308	2944	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe	96
PID 2944 wrote to memory of 2308	2944	{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe	96
PID 3488 wrote to memory of 2720	3488	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe	103
PID 3488 wrote to memory of 2720	3488	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe	103
PID 3488 wrote to memory of 2720	3488	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe	103
PID 3488 wrote to memory of 4168	3488	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe	104
PID 3488 wrote to memory of 4168	3488	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe	104
PID 3488 wrote to memory of 4168	3488	{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe	104
PID 2720 wrote to memory of 3732	2720	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe	105
PID 2720 wrote to memory of 3732	2720	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe	105
PID 2720 wrote to memory of 3732	2720	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe	105
PID 2720 wrote to memory of 4768	2720	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe	106
PID 2720 wrote to memory of 4768	2720	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe	106
PID 2720 wrote to memory of 4768	2720	{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe	106
PID 3732 wrote to memory of 1876	3732	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe	108
PID 3732 wrote to memory of 1876	3732	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe	108
PID 3732 wrote to memory of 1876	3732	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe	108
PID 3732 wrote to memory of 1336	3732	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe	109
PID 3732 wrote to memory of 1336	3732	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe	109
PID 3732 wrote to memory of 1336	3732	{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe	109
PID 1876 wrote to memory of 444	1876	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe	110
PID 1876 wrote to memory of 444	1876	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe	110
PID 1876 wrote to memory of 444	1876	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe	110
PID 1876 wrote to memory of 380	1876	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe	111
PID 1876 wrote to memory of 380	1876	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe	111
PID 1876 wrote to memory of 380	1876	{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe	111
PID 444 wrote to memory of 1320	444	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe	112
PID 444 wrote to memory of 1320	444	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe	112
PID 444 wrote to memory of 1320	444	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe	112
PID 444 wrote to memory of 2612	444	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe	113
PID 444 wrote to memory of 2612	444	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe	113
PID 444 wrote to memory of 2612	444	{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe	113
PID 1320 wrote to memory of 1732	1320	{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe	114
PID 1320 wrote to memory of 1732	1320	{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe	114
PID 1320 wrote to memory of 1732	1320	{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe	114
PID 1320 wrote to memory of 3384	1320	{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe	115

C:\Users\Admin\AppData\Local\Temp\d98b5cc38a1bdaexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d98b5cc38a1bdaexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120
- C:\Windows\{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe
  C:\Windows\{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Windows\{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe
    C:\Windows\{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe
      C:\Windows\{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:324
    - - C:\Windows\{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe
        
        C:\Windows\{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
      - C:\Windows\{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe
        
        C:\Windows\{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe
        
        C:\Windows\{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe
        
        C:\Windows\{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3732
        
        C:\Windows\{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe
        
        C:\Windows\{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1876
        
        C:\Windows\{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe
        
        C:\Windows\{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe
        
        C:\Windows\{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\{71409A30-638E-43e2-8331-396615299122}.exe
        
        C:\Windows\{71409A30-638E-43e2-8331-396615299122}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71409~1.EXE > nul
        13⤵
        
        PID:2932
        
        C:\Windows\{A913B38B-DF69-4625-8D79-08CFB792B334}.exe
        
        C:\Windows\{A913B38B-DF69-4625-8D79-08CFB792B334}.exe
        13⤵
        Executes dropped EXE
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4486C~1.EXE > nul
        12⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3803~1.EXE > nul
        11⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF840~1.EXE > nul
        10⤵
        
        PID:380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30804~1.EXE > nul
        9⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36C98~1.EXE > nul
        8⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66A8C~1.EXE > nul
        7⤵
        
        PID:4168
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{888AC~1.EXE > nul
        6⤵
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8CFCB~1.EXE > nul
        5⤵
        
        PID:4212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{491EE~1.EXE > nul
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{87036~1.EXE > nul
    3⤵
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D98B5C~1.EXE > nul
  2⤵
  PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe

Filesize
192KB

MD5
15e691e126c42984112371fe052a582f

SHA1
5a17c4e8a3d9c7456a7b8b6f0268ae0ea7ded681

SHA256
4e62cbfcf00fc2b70c55ef29952982f77851486d28800b5e8daea6e4a847a165

SHA512
556c657589487419f24fd0b5d4ca1aa209a1bc5b383258feefd49e37c741bd5b5bcdf247d6c0d43fb1659e70871a89abe6cc3656016ee1aea92d242598a1bccf

Download Submit
C:\Windows\{30804B86-DDDA-468f-BAC9-5D174ABC1B1B}.exe

Filesize
192KB

MD5
15e691e126c42984112371fe052a582f

SHA1
5a17c4e8a3d9c7456a7b8b6f0268ae0ea7ded681

SHA256
4e62cbfcf00fc2b70c55ef29952982f77851486d28800b5e8daea6e4a847a165

SHA512
556c657589487419f24fd0b5d4ca1aa209a1bc5b383258feefd49e37c741bd5b5bcdf247d6c0d43fb1659e70871a89abe6cc3656016ee1aea92d242598a1bccf

Download Submit
C:\Windows\{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe

Filesize
192KB

MD5
6196f9d7024d02472d826d7c9a53d1d8

SHA1
4a8c4f876542f52a2ab0c3611f8d114bac20ab96

SHA256
80216b6e8261e16e260618296565a02fffa21ac4e4fd6f86c05be956ebe0cf97

SHA512
67f572375c69204f403ac4d05b1e60a5168ed4c328645769f759aa2120fa787ba9793041fbb62a6a4b8fd9479496801a01a1c1a9fbf3290c16268fa3b6e05bfc

Download Submit
C:\Windows\{36C98C1C-F12E-4fb0-99A5-339B19523FCC}.exe

Filesize
192KB

MD5
6196f9d7024d02472d826d7c9a53d1d8

SHA1
4a8c4f876542f52a2ab0c3611f8d114bac20ab96

SHA256
80216b6e8261e16e260618296565a02fffa21ac4e4fd6f86c05be956ebe0cf97

SHA512
67f572375c69204f403ac4d05b1e60a5168ed4c328645769f759aa2120fa787ba9793041fbb62a6a4b8fd9479496801a01a1c1a9fbf3290c16268fa3b6e05bfc

Download Submit
C:\Windows\{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe

Filesize
192KB

MD5
128d43c6af364da4738564f5ced5486b

SHA1
9e9cb92acbe60a106298789ec0545d6d168bab0c

SHA256
86b50d643373471488deb33c1f9783fff0eabc66a47c10c9564c6a03d657a9f7

SHA512
cc26c66e6ab5ffc772b07f347c37add5fdef5ce07ba595016d37a033afc9a8fe79c2ca61dff9362b076def270ea0d007841ffac115ebcf1bb62209441e114f7d

Download Submit
C:\Windows\{4486C1B2-D2BA-4b23-A984-A963FCD73EF6}.exe

Filesize
192KB

MD5
128d43c6af364da4738564f5ced5486b

SHA1
9e9cb92acbe60a106298789ec0545d6d168bab0c

SHA256
86b50d643373471488deb33c1f9783fff0eabc66a47c10c9564c6a03d657a9f7

SHA512
cc26c66e6ab5ffc772b07f347c37add5fdef5ce07ba595016d37a033afc9a8fe79c2ca61dff9362b076def270ea0d007841ffac115ebcf1bb62209441e114f7d

Download Submit
C:\Windows\{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe

Filesize
192KB

MD5
2fa731c97c00b627bcce6b88e9ead94e

SHA1
3b5c782ad18a0909d06b11bacdb81246d009fccd

SHA256
7d8c094f88e1e72cee304eab61fcb3e67c97c739a2b49437113cc1679e062841

SHA512
82884aae181720c30f57be212dedb3d9c61f52731add51c26101be4961ab3cbddce69fc9576b8394f5ca06a9f3bc72044048730f26b0fd4261cb4617ce8fe021

Download Submit
C:\Windows\{491EEE24-AC81-4c35-86C6-33E3048ADD2F}.exe

Filesize
192KB

MD5
2fa731c97c00b627bcce6b88e9ead94e

SHA1
3b5c782ad18a0909d06b11bacdb81246d009fccd

SHA256
7d8c094f88e1e72cee304eab61fcb3e67c97c739a2b49437113cc1679e062841

SHA512
82884aae181720c30f57be212dedb3d9c61f52731add51c26101be4961ab3cbddce69fc9576b8394f5ca06a9f3bc72044048730f26b0fd4261cb4617ce8fe021

Download Submit
C:\Windows\{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe

Filesize
192KB

MD5
0c64e4178e069ce81af3684aa3ca0ea0

SHA1
470367016e7d38b7e618aef77c514aa799a8ce22

SHA256
128fa90e99ccfdf55bedd5ef72142b8e4454e22d6188551b41e27514b9472cf8

SHA512
b809bf115c19aa75a658823ba2a45ab9c5f86c2862ee0af3d09b2f5d2546a20409232a0a520ef0d2edeb5ac226049fc574b149b31a8d27dd1f53f6272c25884e

Download Submit
C:\Windows\{66A8C0AD-6896-4b4d-883B-6BE957199927}.exe

Filesize
192KB

MD5
0c64e4178e069ce81af3684aa3ca0ea0

SHA1
470367016e7d38b7e618aef77c514aa799a8ce22

SHA256
128fa90e99ccfdf55bedd5ef72142b8e4454e22d6188551b41e27514b9472cf8

SHA512
b809bf115c19aa75a658823ba2a45ab9c5f86c2862ee0af3d09b2f5d2546a20409232a0a520ef0d2edeb5ac226049fc574b149b31a8d27dd1f53f6272c25884e

Download Submit
C:\Windows\{71409A30-638E-43e2-8331-396615299122}.exe

Filesize
192KB

MD5
836b924c0bf674551c3bd0b3610f2248

SHA1
0aac02c4d215cb219c04cacd9d5a13f945f5d1e4

SHA256
543c791981e0b41c6077131fad3abb09a9dc16d1c536c427a0fafde8148d94e0

SHA512
06f55a23d6fd2ac6f464c38cd8494d124d800963fc027f42276333d1087c16e08ab9ecdabfe65470dcecb754e2e6e11c770cd922c411f0ad15e8149d25164b7b

Download Submit
C:\Windows\{71409A30-638E-43e2-8331-396615299122}.exe

Filesize
192KB

MD5
836b924c0bf674551c3bd0b3610f2248

SHA1
0aac02c4d215cb219c04cacd9d5a13f945f5d1e4

SHA256
543c791981e0b41c6077131fad3abb09a9dc16d1c536c427a0fafde8148d94e0

SHA512
06f55a23d6fd2ac6f464c38cd8494d124d800963fc027f42276333d1087c16e08ab9ecdabfe65470dcecb754e2e6e11c770cd922c411f0ad15e8149d25164b7b

Download Submit
C:\Windows\{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe

Filesize
192KB

MD5
ae60a0f6518d5c566588d4de61c029c7

SHA1
ac0a12a4dc71cc282f6824af714f5bc71a89ec56

SHA256
968e04ea9a23a8d5edc33e1c88d77c1b8cf8a7275415b58169fe35f0a3abcc6d

SHA512
727007f85a7ff2997b53fad1be3657f0ee26d190f75324439fd0b6fa621f77a20155fe67e92abffd7011d7870f36c4f7d617fb72b1ff450217f0bad9f38277b7

Download Submit
C:\Windows\{870362B9-60AB-4714-B337-AF1DC23D8CFA}.exe

Filesize
192KB

MD5
ae60a0f6518d5c566588d4de61c029c7

SHA1
ac0a12a4dc71cc282f6824af714f5bc71a89ec56

SHA256
968e04ea9a23a8d5edc33e1c88d77c1b8cf8a7275415b58169fe35f0a3abcc6d

SHA512
727007f85a7ff2997b53fad1be3657f0ee26d190f75324439fd0b6fa621f77a20155fe67e92abffd7011d7870f36c4f7d617fb72b1ff450217f0bad9f38277b7

Download Submit
C:\Windows\{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe

Filesize
192KB

MD5
93ef8f43a38a4c1138eb87e06a404600

SHA1
f1f0da62479db9ca56ef641958138be8e304dde7

SHA256
c56544f14d90f865ad3c1445674f99bdba34037cdeae68a3df4ecb181c03ebd0

SHA512
9ba487e0017f8c7c48e0392e2a722e86c7a49d10151420e871f5804e9f2a25dfc5c852dc106db21f8f277c98e913c57f837cebf94b8cf3305e4fecdeac16cbc6

Download Submit
C:\Windows\{888AC52D-AECD-46e6-8DA4-904CC2329DDC}.exe

Filesize
192KB

MD5
93ef8f43a38a4c1138eb87e06a404600

SHA1
f1f0da62479db9ca56ef641958138be8e304dde7

SHA256
c56544f14d90f865ad3c1445674f99bdba34037cdeae68a3df4ecb181c03ebd0

SHA512
9ba487e0017f8c7c48e0392e2a722e86c7a49d10151420e871f5804e9f2a25dfc5c852dc106db21f8f277c98e913c57f837cebf94b8cf3305e4fecdeac16cbc6

Download Submit
C:\Windows\{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe

Filesize
192KB

MD5
e6f0bd92c19e8c75df416359ebbd7670

SHA1
70d5c1996467543739ebf30e1313a1e904d9e3fb

SHA256
edc2191cc857ed5e4dcfa58312ba449cc25d98c7e422e9a8516a09c2815ed6eb

SHA512
d05a9172c78e38a5e3151cf613ccdd16a8e87c1ed26f08046379f01b5b6f33a5e803f2b163d5796046a7449e462fc52cb2cc377ee3f15c1e7ec490f8f7850c37

Download Submit
C:\Windows\{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe

Filesize
192KB

MD5
e6f0bd92c19e8c75df416359ebbd7670

SHA1
70d5c1996467543739ebf30e1313a1e904d9e3fb

SHA256
edc2191cc857ed5e4dcfa58312ba449cc25d98c7e422e9a8516a09c2815ed6eb

SHA512
d05a9172c78e38a5e3151cf613ccdd16a8e87c1ed26f08046379f01b5b6f33a5e803f2b163d5796046a7449e462fc52cb2cc377ee3f15c1e7ec490f8f7850c37

Download Submit
C:\Windows\{8CFCB473-54FA-4cd7-AAE5-735E226379CF}.exe

Filesize
192KB

MD5
e6f0bd92c19e8c75df416359ebbd7670

SHA1
70d5c1996467543739ebf30e1313a1e904d9e3fb

SHA256
edc2191cc857ed5e4dcfa58312ba449cc25d98c7e422e9a8516a09c2815ed6eb

SHA512
d05a9172c78e38a5e3151cf613ccdd16a8e87c1ed26f08046379f01b5b6f33a5e803f2b163d5796046a7449e462fc52cb2cc377ee3f15c1e7ec490f8f7850c37

Download Submit
C:\Windows\{A913B38B-DF69-4625-8D79-08CFB792B334}.exe

Filesize
192KB

MD5
fe11f65872e6ea4a0846583b790dc4e4

SHA1
78180e54812cada7304d87c1f4652f91795e768e

SHA256
640755d2bc524ff8f696c3f83d7968e43b3fe5c21c411b3cb3df0898f004025b

SHA512
929d19feb13ac920af3b03a75f20cd4bb2adbd1e1fe39e76bae50d8254725cbb1aa4bf5dd6b7ef0c616d7a53f7e3caff92b58601c858772b3c5c82d93534a29e

Download Submit
C:\Windows\{A913B38B-DF69-4625-8D79-08CFB792B334}.exe

Filesize
192KB

MD5
fe11f65872e6ea4a0846583b790dc4e4

SHA1
78180e54812cada7304d87c1f4652f91795e768e

SHA256
640755d2bc524ff8f696c3f83d7968e43b3fe5c21c411b3cb3df0898f004025b

SHA512
929d19feb13ac920af3b03a75f20cd4bb2adbd1e1fe39e76bae50d8254725cbb1aa4bf5dd6b7ef0c616d7a53f7e3caff92b58601c858772b3c5c82d93534a29e

Download Submit
C:\Windows\{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe

Filesize
192KB

MD5
a4fdfb8c0d02df9c40762621c7d40a8b

SHA1
45fe1251ba13bac5b545c29f5c85a9a587f7ccf1

SHA256
2285803efa246a1eecf28f6017f38436acc8bca5bd816e8929f06feab195e257

SHA512
0aba233a347c8d4b85de3747f41b2ca5865b895b450b8824feb477132bc0949a6e6ac9ece382b62c7ae94c4d684b8b2a77ae9396e1f51c724e36af15973eabe5

Download Submit
C:\Windows\{C38033B6-ED58-48b7-9ABF-FEE2E6A33392}.exe

Filesize
192KB

MD5
a4fdfb8c0d02df9c40762621c7d40a8b

SHA1
45fe1251ba13bac5b545c29f5c85a9a587f7ccf1

SHA256
2285803efa246a1eecf28f6017f38436acc8bca5bd816e8929f06feab195e257

SHA512
0aba233a347c8d4b85de3747f41b2ca5865b895b450b8824feb477132bc0949a6e6ac9ece382b62c7ae94c4d684b8b2a77ae9396e1f51c724e36af15973eabe5

Download Submit
C:\Windows\{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe

Filesize
192KB

MD5
ab45c8350ef1fa979796b5b5aa0c71e1

SHA1
68b4651a19a33218cb43a47b3a687ace81164628

SHA256
0101619aca3c279cc5f6f9aa01f38b61fb2282a58eb34dfaef7593ba5d731fdd

SHA512
549fa5b2d2e9aa1fd0c30866489e70b1533e3acc9202a9b0dd2d545d58619235e869f55cf2a4cef41dfbf87a8f9739cf80b1c84e8f21e352d95f44b76cee7cf1

Download Submit
C:\Windows\{EF840E3B-2969-45f5-9E7F-DDC679C24EC3}.exe

Filesize
192KB

MD5
ab45c8350ef1fa979796b5b5aa0c71e1

SHA1
68b4651a19a33218cb43a47b3a687ace81164628

SHA256
0101619aca3c279cc5f6f9aa01f38b61fb2282a58eb34dfaef7593ba5d731fdd

SHA512
549fa5b2d2e9aa1fd0c30866489e70b1533e3acc9202a9b0dd2d545d58619235e869f55cf2a4cef41dfbf87a8f9739cf80b1c84e8f21e352d95f44b76cee7cf1

Download Submit