2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe
Size

60KB
MD5

6314412510fc5ab9de5eb363ee568163
SHA1

1adceb2ff6147903afa12323c8e2c9f533f9e399
SHA256

2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f
SHA512

477a72e1d3de331935f545138f6db4a9b4e309715259adc55a4e799afae48d1a4e67d69f35e76fe840535ef8c51288780a3135228682725e8c10fa147dc6847a
SSDEEP

768:vvw9816vhKQLroCc4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVd:nEGh0oCclwWMZQcpmgDagIyS1loL7Wr

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 12 IoCs

Processes:

resource	yara_rule
C:\Windows\{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{C175E375-847F-4759-A0B8-000A7319BDC9}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{FCBAF658-50FB-43b1-8655-B3D7F0A473AF}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe{C175E375-847F-4759-A0B8-000A7319BDC9}.exe{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A5223FF-E6C0-48ca-8447-9B8A388165EF}	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D82E6FF-6B30-4370-81B9-393DEA49D051}	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{863F6790-8D49-4854-AD02-35AB6CF8893A}\stubpath = "C:\\Windows\\{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe"	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52180925-14E2-4fd0-A5C6-C86C32236ACE}	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}	2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}\stubpath = "C:\\Windows\\{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe"	2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2428B80-FE55-4acf-A1AD-A705E8C944A4}\stubpath = "C:\\Windows\\{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe"	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}\stubpath = "C:\\Windows\\{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe"	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A392CA12-2D68-4755-A4C8-43529FCA919C}\stubpath = "C:\\Windows\\{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe"	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9AAAE81-9302-43be-BC01-8597AFEB79D1}\stubpath = "C:\\Windows\\{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe"	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCBAF658-50FB-43b1-8655-B3D7F0A473AF}	{C175E375-847F-4759-A0B8-000A7319BDC9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCBAF658-50FB-43b1-8655-B3D7F0A473AF}\stubpath = "C:\\Windows\\{FCBAF658-50FB-43b1-8655-B3D7F0A473AF}.exe"	{C175E375-847F-4759-A0B8-000A7319BDC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{52180925-14E2-4fd0-A5C6-C86C32236ACE}\stubpath = "C:\\Windows\\{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe"	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C175E375-847F-4759-A0B8-000A7319BDC9}\stubpath = "C:\\Windows\\{C175E375-847F-4759-A0B8-000A7319BDC9}.exe"	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}\stubpath = "C:\\Windows\\{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe"	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A5223FF-E6C0-48ca-8447-9B8A388165EF}\stubpath = "C:\\Windows\\{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe"	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D82E6FF-6B30-4370-81B9-393DEA49D051}\stubpath = "C:\\Windows\\{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe"	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2428B80-FE55-4acf-A1AD-A705E8C944A4}	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{863F6790-8D49-4854-AD02-35AB6CF8893A}	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A392CA12-2D68-4755-A4C8-43529FCA919C}	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9AAAE81-9302-43be-BC01-8597AFEB79D1}	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C175E375-847F-4759-A0B8-000A7319BDC9}	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe

Executes dropped EXE 12 IoCs

Processes:

{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe{C175E375-847F-4759-A0B8-000A7319BDC9}.exe{FCBAF658-50FB-43b1-8655-B3D7F0A473AF}.exe

pid	process
3732	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe
752	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe
4736	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe
1232	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe
3484	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe
4136	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe
4896	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe
4320	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe
3536	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe
2080	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe
3048	{C175E375-847F-4759-A0B8-000A7319BDC9}.exe
4272	{FCBAF658-50FB-43b1-8655-B3D7F0A473AF}.exe

Drops file in Windows directory 12 IoCs

Processes:

2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe{C175E375-847F-4759-A0B8-000A7319BDC9}.exe

description	ioc	process
File created	C:\Windows\{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe	2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe
File created	C:\Windows\{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe
File created	C:\Windows\{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe
File created	C:\Windows\{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe
File created	C:\Windows\{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe
File created	C:\Windows\{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe
File created	C:\Windows\{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe
File created	C:\Windows\{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe
File created	C:\Windows\{C175E375-847F-4759-A0B8-000A7319BDC9}.exe	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe
File created	C:\Windows\{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe
File created	C:\Windows\{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe
File created	C:\Windows\{FCBAF658-50FB-43b1-8655-B3D7F0A473AF}.exe	{C175E375-847F-4759-A0B8-000A7319BDC9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe{C175E375-847F-4759-A0B8-000A7319BDC9}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	508	2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe
Token: SeIncBasePriorityPrivilege	3732	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe
Token: SeIncBasePriorityPrivilege	752	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe
Token: SeIncBasePriorityPrivilege	4736	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe
Token: SeIncBasePriorityPrivilege	1232	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe
Token: SeIncBasePriorityPrivilege	3484	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe
Token: SeIncBasePriorityPrivilege	4136	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe
Token: SeIncBasePriorityPrivilege	4896	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe
Token: SeIncBasePriorityPrivilege	4320	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe
Token: SeIncBasePriorityPrivilege	3536	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe
Token: SeIncBasePriorityPrivilege	2080	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe
Token: SeIncBasePriorityPrivilege	3048	{C175E375-847F-4759-A0B8-000A7319BDC9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 508 wrote to memory of 3732	508	2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe
PID 508 wrote to memory of 3732	508	2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe
PID 508 wrote to memory of 3732	508	2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe
PID 508 wrote to memory of 3880	508	2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe	cmd.exe
PID 508 wrote to memory of 3880	508	2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe	cmd.exe
PID 508 wrote to memory of 3880	508	2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe	cmd.exe
PID 3732 wrote to memory of 752	3732	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe
PID 3732 wrote to memory of 752	3732	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe
PID 3732 wrote to memory of 752	3732	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe
PID 3732 wrote to memory of 4064	3732	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe	cmd.exe
PID 3732 wrote to memory of 4064	3732	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe	cmd.exe
PID 3732 wrote to memory of 4064	3732	{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe	cmd.exe
PID 752 wrote to memory of 4736	752	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe
PID 752 wrote to memory of 4736	752	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe
PID 752 wrote to memory of 4736	752	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe
PID 752 wrote to memory of 3764	752	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe	cmd.exe
PID 752 wrote to memory of 3764	752	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe	cmd.exe
PID 752 wrote to memory of 3764	752	{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe	cmd.exe
PID 4736 wrote to memory of 1232	4736	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe
PID 4736 wrote to memory of 1232	4736	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe
PID 4736 wrote to memory of 1232	4736	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe
PID 4736 wrote to memory of 3272	4736	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe	cmd.exe
PID 4736 wrote to memory of 3272	4736	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe	cmd.exe
PID 4736 wrote to memory of 3272	4736	{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe	cmd.exe
PID 1232 wrote to memory of 3484	1232	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe
PID 1232 wrote to memory of 3484	1232	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe
PID 1232 wrote to memory of 3484	1232	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe
PID 1232 wrote to memory of 3496	1232	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe	cmd.exe
PID 1232 wrote to memory of 3496	1232	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe	cmd.exe
PID 1232 wrote to memory of 3496	1232	{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe	cmd.exe
PID 3484 wrote to memory of 4136	3484	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe
PID 3484 wrote to memory of 4136	3484	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe
PID 3484 wrote to memory of 4136	3484	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe
PID 3484 wrote to memory of 1000	3484	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe	cmd.exe
PID 3484 wrote to memory of 1000	3484	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe	cmd.exe
PID 3484 wrote to memory of 1000	3484	{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe	cmd.exe
PID 4136 wrote to memory of 4896	4136	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe
PID 4136 wrote to memory of 4896	4136	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe
PID 4136 wrote to memory of 4896	4136	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe
PID 4136 wrote to memory of 2540	4136	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe	cmd.exe
PID 4136 wrote to memory of 2540	4136	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe	cmd.exe
PID 4136 wrote to memory of 2540	4136	{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe	cmd.exe
PID 4896 wrote to memory of 4320	4896	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe
PID 4896 wrote to memory of 4320	4896	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe
PID 4896 wrote to memory of 4320	4896	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe
PID 4896 wrote to memory of 4012	4896	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe	cmd.exe
PID 4896 wrote to memory of 4012	4896	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe	cmd.exe
PID 4896 wrote to memory of 4012	4896	{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe	cmd.exe
PID 4320 wrote to memory of 3536	4320	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe
PID 4320 wrote to memory of 3536	4320	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe
PID 4320 wrote to memory of 3536	4320	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe
PID 4320 wrote to memory of 2224	4320	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe	cmd.exe
PID 4320 wrote to memory of 2224	4320	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe	cmd.exe
PID 4320 wrote to memory of 2224	4320	{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe	cmd.exe
PID 3536 wrote to memory of 2080	3536	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe
PID 3536 wrote to memory of 2080	3536	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe
PID 3536 wrote to memory of 2080	3536	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe
PID 3536 wrote to memory of 1804	3536	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe	cmd.exe
PID 3536 wrote to memory of 1804	3536	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe	cmd.exe
PID 3536 wrote to memory of 1804	3536	{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe	cmd.exe
PID 2080 wrote to memory of 3048	2080	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe	{C175E375-847F-4759-A0B8-000A7319BDC9}.exe
PID 2080 wrote to memory of 3048	2080	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe	{C175E375-847F-4759-A0B8-000A7319BDC9}.exe
PID 2080 wrote to memory of 3048	2080	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe	{C175E375-847F-4759-A0B8-000A7319BDC9}.exe
PID 2080 wrote to memory of 3520	2080	{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe
"C:\Users\Admin\AppData\Local\Temp\2dc1db862f7b2f38a1ed7b603e8ee6827906d7abff8621fceb2c188fa4a4c36f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508
- C:\Windows\{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe
  C:\Windows\{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe
    C:\Windows\{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe
      C:\Windows\{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe
        
        C:\Windows\{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
      - C:\Windows\{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe
        
        C:\Windows\{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe
        
        C:\Windows\{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe
        
        C:\Windows\{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4896
        
        C:\Windows\{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe
        
        C:\Windows\{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe
        
        C:\Windows\{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe
        
        C:\Windows\{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{C175E375-847F-4759-A0B8-000A7319BDC9}.exe
        
        C:\Windows\{C175E375-847F-4759-A0B8-000A7319BDC9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\{FCBAF658-50FB-43b1-8655-B3D7F0A473AF}.exe
        
        C:\Windows\{FCBAF658-50FB-43b1-8655-B3D7F0A473AF}.exe
        13⤵
        Executes dropped EXE
        
        PID:4272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C175E~1.EXE > nul
        13⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9AAA~1.EXE > nul
        12⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52180~1.EXE > nul
        11⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A392C~1.EXE > nul
        10⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B16E~1.EXE > nul
        9⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{863F6~1.EXE > nul
        8⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2428~1.EXE > nul
        7⤵
        
        PID:1000
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D82E~1.EXE > nul
        6⤵
        
        PID:3496
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A522~1.EXE > nul
        5⤵
        
        PID:3272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6F13E~1.EXE > nul
      4⤵
      PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{754DB~1.EXE > nul
    3⤵
    PID:4064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2DC1DB~1.EXE > nul
  2⤵
  PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1B16E6BF-2702-4b81-A002-30AA8CF0BB5E}.exe

Filesize
60KB

MD5
cf45da2e8e4494c2256da1bb77ae0097

SHA1
83eee385ea72531d02879e783fea12183d49cd0c

SHA256
9cdd7974a8f78e604cfbc68cbec04979e11fbe158c2c4498e9390c4112018b48

SHA512
96f4f52f007839f3f119193a9cdced6bb9ca28e5292abbcccf645b741558f65210d5851eac59e2dbfc449f8ee4c7c48d8d86a1023d712e8ca003528fb80beace

Download Submit
C:\Windows\{2A5223FF-E6C0-48ca-8447-9B8A388165EF}.exe

Filesize
60KB

MD5
dd2bc6dd68b4b4465bef69e52b30c72e

SHA1
623ff18ee2ea1807c1e08fb77a0253b4135b1a55

SHA256
69e2c982f858290e7efdf08437e01215f338c82395ea76fd668da246c2878b46

SHA512
871847ac751b7d7502e8d5001b372e9b3b58e780339b00b1f1b4c00ee06cab70d154cbc1e25b4d954623019d415ca0703c729167b041bd47f7ebdcf1beed66db

Download Submit
C:\Windows\{52180925-14E2-4fd0-A5C6-C86C32236ACE}.exe

Filesize
60KB

MD5
be57c2f82f4e6b74ccc714c8a8df4bf8

SHA1
7c59185dcf7b2c31cfdae73a3dc819319056f8fa

SHA256
ad050be56402ccba66559a27110a62f7167531f3d07b4dc5f1c63612faada250

SHA512
ea308f3e25ef18dfe8c542e49c1a82aa94f5efae9ffa6e7a2aacad35d42fd95449bc7afe84884c160237f699ac4dfea81267941f9f9ad6d4c77b626c76220f9f

Download Submit
C:\Windows\{6D82E6FF-6B30-4370-81B9-393DEA49D051}.exe

Filesize
60KB

MD5
9efaa2d91b02d51f1e15a6a77f6f683e

SHA1
2016cab9cf9c7924bb24d738831d909f1c8e8fc9

SHA256
ffaa3438084b7dbb539ef6429e7795c265177bb94d2aef810dedcf7bba2dd533

SHA512
492327658ff19f50d85ed5f9ec7b4baa43c683e8302cff89e73c5a24e2a3da96a25bf6efdb76ee555a8c8db07262b450c6894222c3e7514ed0760a8f2be7482d

Download Submit
C:\Windows\{6F13E0B8-9E64-4e0b-8B00-B7F2DEDF2F0E}.exe

Filesize
60KB

MD5
020870610dbd38f9890b0e445e556cde

SHA1
c1b87d2874bbfa068072b1d06925fbc5671e7858

SHA256
9804e5a1a5e1eab493722eee8c8ececdd7cc3ffb844355f584d3c5586b4d6c8b

SHA512
c5cb7ac5ebbd4aea60a4d89743fbe26642a9d7edb773760b029a6b8a1306939cdd283f6e166e39d3daed3c855ff9372da5a4d5f21a1cdfaee4daaacd565edba4

Download Submit
C:\Windows\{754DBFE7-82AB-4a5c-B9B4-278A7A3A00F8}.exe

Filesize
60KB

MD5
baa35d80daa5f2b8ea1ff11b405a6d2a

SHA1
96f5db5f752cfa2a52e4f3a22553bb6d09c228be

SHA256
cf8642b2e6c743fe6a724d3a4753cab41a4a2f716896092c753b1a31d093dbe8

SHA512
7bef3752662346a58db730c7fa516dad536594bcdd0ba3afe451d4f2d3c664a2d9a725a5a2575023fa791a1c44ab06bb294cec298ed7b971dc3ccb1cce6214f0

Download Submit
C:\Windows\{863F6790-8D49-4854-AD02-35AB6CF8893A}.exe

Filesize
60KB

MD5
491a9709351bb660a62791f98ee9011e

SHA1
228c41932c33fdb5878e00500927283f6cdf0f26

SHA256
6dd4d0dda9bc938fc07feaa723fbeac403ec22e907bfa76c3f47368f85108ced

SHA512
6ab175dcdf1b72f063bdc437d24a7646c38a22995204d93fa55050c2d85f3127cda95cd4727b4235d68c8ce5846c131f277733a82dc76de53204d3ddec3d7656

Download Submit
C:\Windows\{A2428B80-FE55-4acf-A1AD-A705E8C944A4}.exe

Filesize
60KB

MD5
60e1cf7ea13cae6536fc4ea4b92976e5

SHA1
5edc232f75de521e95ae4aa70ecd3e3075c259ef

SHA256
dfe14a259d6bf094ff68392f91bd691798656e4b70586a227ebfa02973cec2de

SHA512
6a8aeda9c609e1db4aaecf94a1ca69debedd395c3e1401042a50261218b343c9bc7d783446f80e17b79255efc9a1ff3a5e71082632febdfb9ab5f5358ad83852

Download Submit
C:\Windows\{A392CA12-2D68-4755-A4C8-43529FCA919C}.exe

Filesize
60KB

MD5
abc561d67a0a4467bddaae7b441155b7

SHA1
edfab106c84cbd7f0e2f0483a26c1e030a1458cb

SHA256
1c0f3db0cb7b28e4962d9231c3c3a22d11c55fd5a57e43d2f84f8f5cc5e4528f

SHA512
717185f170e1740925627871deb68596cffef18729c5c4baecefa94ed47e2bb2306082589fc17dd382d26adcb1b3ee79ddb63c1d4f4203619946219eef6df895

Download Submit
C:\Windows\{B9AAAE81-9302-43be-BC01-8597AFEB79D1}.exe

Filesize
60KB

MD5
3442a2dcad1ac1b1e61472a1ee5b330d

SHA1
5c840b26be82023283b743557f4942c6e590060f

SHA256
f13477ffa99cf2a152148c3fd429b8f7c53055cd2c6de6733317005e4fa27986

SHA512
9ef9d79a53b5404e4da8bf35bbcc7b18c45f9b27d1b85de349fbfc8d772084d026e7e17345aff70fddeb907beeef64795efc1dd3c44833cd61be5ba4d6291ea9

Download Submit
C:\Windows\{C175E375-847F-4759-A0B8-000A7319BDC9}.exe

Filesize
60KB

MD5
4bba43f091914b910c145eb01272bbe1

SHA1
69362b046e9fc7b6faf096674d54bda62f1ddefe

SHA256
a0c174efa933ab3ff2ee278e56dc24974b17a57eaebae2e1a626308fa9628ce5

SHA512
e47ba33a92f0f207cddc56af604d5bd8b49907536af1f315e1c432d47c9c42ae76ce4a1f434d126392f4dad14d5cb2356888b516545574bb75aa3af24e106702

Download Submit
C:\Windows\{FCBAF658-50FB-43b1-8655-B3D7F0A473AF}.exe

Filesize
60KB

MD5
301465bd83135458bcc36312d25564c8

SHA1
75a0f29fda45e4bd8aaa8e012ba81f51270cdf0f

SHA256
98d8dd91ce19eba4277439f6507968ee38b149096351149e2582c8b1fb45063a

SHA512
ffed071b9323173a5d855496ca4f87e41c65e9cbce1d0230fd2fefab79b0162b1741094b2c9d97a672005812bda8b87956281cea4f95deafec39f3824cbd39ba

Download Submit