268da3fcb122d8071b66246f550cb219b7b139c75394e684b8871ce38c5a4188

Analysis

max time kernel
145s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3350e58190c305exeexeexeex.exe
Size

372KB
MD5

3350e58190c305d62d607fedbc970b2d
SHA1

d5ce21fc16f9fc967652f757aa2140d8839fc0f2
SHA256

268da3fcb122d8071b66246f550cb219b7b139c75394e684b8871ce38c5a4188
SHA512

e5cfeceb3c3ba6574850e5d750e60a7d7acadcc9544d23b7f7f335b33e1746d1ec96b1d706670d32916a5e83423327da42fa35503b57e261c6878494fb5824f2
SSDEEP

3072:CEGh0odmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGal/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}	3350e58190c305exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}\stubpath = "C:\\Windows\\{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe"	3350e58190c305exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A97523F-245D-487e-A481-1726083333B3}	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}\stubpath = "C:\\Windows\\{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe"	{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F09667DB-AAE5-4f26-A910-C6982F66843D}	{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6800019E-8402-4f19-AFD3-41CF4209486B}	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F50F3F1-EE70-4c80-8737-3417BA074F66}\stubpath = "C:\\Windows\\{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe"	{0A97523F-245D-487e-A481-1726083333B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66947F2D-69AA-4ec7-90FA-044AC90CA058}	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66947F2D-69AA-4ec7-90FA-044AC90CA058}\stubpath = "C:\\Windows\\{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe"	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{035C4578-3FFC-4415-A27A-3292A6710D6C}\stubpath = "C:\\Windows\\{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe"	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66FB0EAB-667B-4611-A458-50A068ABE45C}	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{66FB0EAB-667B-4611-A458-50A068ABE45C}\stubpath = "C:\\Windows\\{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe"	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{972DF69F-56F0-4025-9EA7-1E20D384BA66}	{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}	{92B93527-0818-4177-BB6E-F115970F0CAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}\stubpath = "C:\\Windows\\{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe"	{92B93527-0818-4177-BB6E-F115970F0CAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2111796-CDCF-45a2-86A6-F3987CE6D22E}	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2111796-CDCF-45a2-86A6-F3987CE6D22E}\stubpath = "C:\\Windows\\{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe"	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{035C4578-3FFC-4415-A27A-3292A6710D6C}	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}	{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F09667DB-AAE5-4f26-A910-C6982F66843D}\stubpath = "C:\\Windows\\{F09667DB-AAE5-4f26-A910-C6982F66843D}.exe"	{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6800019E-8402-4f19-AFD3-41CF4209486B}\stubpath = "C:\\Windows\\{6800019E-8402-4f19-AFD3-41CF4209486B}.exe"	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A97523F-245D-487e-A481-1726083333B3}\stubpath = "C:\\Windows\\{0A97523F-245D-487e-A481-1726083333B3}.exe"	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F50F3F1-EE70-4c80-8737-3417BA074F66}	{0A97523F-245D-487e-A481-1726083333B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{972DF69F-56F0-4025-9EA7-1E20D384BA66}\stubpath = "C:\\Windows\\{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe"	{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B93527-0818-4177-BB6E-F115970F0CAD}	{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92B93527-0818-4177-BB6E-F115970F0CAD}\stubpath = "C:\\Windows\\{92B93527-0818-4177-BB6E-F115970F0CAD}.exe"	{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe

Deletes itself 1 IoCs

pid	Process
2380	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2120	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe
2560	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe
1712	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe
1556	{0A97523F-245D-487e-A481-1726083333B3}.exe
588	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe
2016	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe
1716	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe
2428	{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe
2608	{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe
2632	{92B93527-0818-4177-BB6E-F115970F0CAD}.exe
2664	{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe
2916	{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe
2592	{F09667DB-AAE5-4f26-A910-C6982F66843D}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe	3350e58190c305exeexeexeex.exe
File created	C:\Windows\{6800019E-8402-4f19-AFD3-41CF4209486B}.exe	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe
File created	C:\Windows\{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe
File created	C:\Windows\{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe	{92B93527-0818-4177-BB6E-F115970F0CAD}.exe
File created	C:\Windows\{F09667DB-AAE5-4f26-A910-C6982F66843D}.exe	{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe
File created	C:\Windows\{0A97523F-245D-487e-A481-1726083333B3}.exe	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe
File created	C:\Windows\{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe	{0A97523F-245D-487e-A481-1726083333B3}.exe
File created	C:\Windows\{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe
File created	C:\Windows\{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe
File created	C:\Windows\{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe
File created	C:\Windows\{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe	{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe
File created	C:\Windows\{92B93527-0818-4177-BB6E-F115970F0CAD}.exe	{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe
File created	C:\Windows\{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe	{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2396	3350e58190c305exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2120	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe
Token: SeIncBasePriorityPrivilege	2560	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe
Token: SeIncBasePriorityPrivilege	1712	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe
Token: SeIncBasePriorityPrivilege	1556	{0A97523F-245D-487e-A481-1726083333B3}.exe
Token: SeIncBasePriorityPrivilege	588	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe
Token: SeIncBasePriorityPrivilege	2016	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe
Token: SeIncBasePriorityPrivilege	1716	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe
Token: SeIncBasePriorityPrivilege	2428	{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe
Token: SeIncBasePriorityPrivilege	2608	{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe
Token: SeIncBasePriorityPrivilege	2632	{92B93527-0818-4177-BB6E-F115970F0CAD}.exe
Token: SeIncBasePriorityPrivilege	2664	{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe
Token: SeIncBasePriorityPrivilege	2916	{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 2120	2396	3350e58190c305exeexeexeex.exe	28
PID 2396 wrote to memory of 2120	2396	3350e58190c305exeexeexeex.exe	28
PID 2396 wrote to memory of 2120	2396	3350e58190c305exeexeexeex.exe	28
PID 2396 wrote to memory of 2120	2396	3350e58190c305exeexeexeex.exe	28
PID 2396 wrote to memory of 2380	2396	3350e58190c305exeexeexeex.exe	29
PID 2396 wrote to memory of 2380	2396	3350e58190c305exeexeexeex.exe	29
PID 2396 wrote to memory of 2380	2396	3350e58190c305exeexeexeex.exe	29
PID 2396 wrote to memory of 2380	2396	3350e58190c305exeexeexeex.exe	29
PID 2120 wrote to memory of 2560	2120	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe	31
PID 2120 wrote to memory of 2560	2120	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe	31
PID 2120 wrote to memory of 2560	2120	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe	31
PID 2120 wrote to memory of 2560	2120	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe	31
PID 2120 wrote to memory of 456	2120	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe	30
PID 2120 wrote to memory of 456	2120	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe	30
PID 2120 wrote to memory of 456	2120	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe	30
PID 2120 wrote to memory of 456	2120	{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe	30
PID 2560 wrote to memory of 1712	2560	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe	33
PID 2560 wrote to memory of 1712	2560	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe	33
PID 2560 wrote to memory of 1712	2560	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe	33
PID 2560 wrote to memory of 1712	2560	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe	33
PID 2560 wrote to memory of 3016	2560	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe	32
PID 2560 wrote to memory of 3016	2560	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe	32
PID 2560 wrote to memory of 3016	2560	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe	32
PID 2560 wrote to memory of 3016	2560	{6800019E-8402-4f19-AFD3-41CF4209486B}.exe	32
PID 1712 wrote to memory of 1556	1712	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe	34
PID 1712 wrote to memory of 1556	1712	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe	34
PID 1712 wrote to memory of 1556	1712	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe	34
PID 1712 wrote to memory of 1556	1712	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe	34
PID 1712 wrote to memory of 2132	1712	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe	35
PID 1712 wrote to memory of 2132	1712	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe	35
PID 1712 wrote to memory of 2132	1712	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe	35
PID 1712 wrote to memory of 2132	1712	{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe	35
PID 1556 wrote to memory of 588	1556	{0A97523F-245D-487e-A481-1726083333B3}.exe	36
PID 1556 wrote to memory of 588	1556	{0A97523F-245D-487e-A481-1726083333B3}.exe	36
PID 1556 wrote to memory of 588	1556	{0A97523F-245D-487e-A481-1726083333B3}.exe	36
PID 1556 wrote to memory of 588	1556	{0A97523F-245D-487e-A481-1726083333B3}.exe	36
PID 1556 wrote to memory of 1308	1556	{0A97523F-245D-487e-A481-1726083333B3}.exe	37
PID 1556 wrote to memory of 1308	1556	{0A97523F-245D-487e-A481-1726083333B3}.exe	37
PID 1556 wrote to memory of 1308	1556	{0A97523F-245D-487e-A481-1726083333B3}.exe	37
PID 1556 wrote to memory of 1308	1556	{0A97523F-245D-487e-A481-1726083333B3}.exe	37
PID 588 wrote to memory of 2016	588	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe	39
PID 588 wrote to memory of 2016	588	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe	39
PID 588 wrote to memory of 2016	588	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe	39
PID 588 wrote to memory of 2016	588	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe	39
PID 588 wrote to memory of 2284	588	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe	38
PID 588 wrote to memory of 2284	588	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe	38
PID 588 wrote to memory of 2284	588	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe	38
PID 588 wrote to memory of 2284	588	{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe	38
PID 2016 wrote to memory of 1716	2016	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe	41
PID 2016 wrote to memory of 1716	2016	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe	41
PID 2016 wrote to memory of 1716	2016	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe	41
PID 2016 wrote to memory of 1716	2016	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe	41
PID 2016 wrote to memory of 2420	2016	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe	40
PID 2016 wrote to memory of 2420	2016	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe	40
PID 2016 wrote to memory of 2420	2016	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe	40
PID 2016 wrote to memory of 2420	2016	{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe	40
PID 1716 wrote to memory of 2428	1716	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe	43
PID 1716 wrote to memory of 2428	1716	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe	43
PID 1716 wrote to memory of 2428	1716	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe	43
PID 1716 wrote to memory of 2428	1716	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe	43
PID 1716 wrote to memory of 2332	1716	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe	42
PID 1716 wrote to memory of 2332	1716	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe	42
PID 1716 wrote to memory of 2332	1716	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe	42
PID 1716 wrote to memory of 2332	1716	{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe	42

C:\Users\Admin\AppData\Local\Temp\3350e58190c305exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\3350e58190c305exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Windows\{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe
  C:\Windows\{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AC4F4~1.EXE > nul
    3⤵
    PID:456
- - C:\Windows\{6800019E-8402-4f19-AFD3-41CF4209486B}.exe
    C:\Windows\{6800019E-8402-4f19-AFD3-41CF4209486B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{68000~1.EXE > nul
      4⤵
      PID:3016
  - - C:\Windows\{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe
      C:\Windows\{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\{0A97523F-245D-487e-A481-1726083333B3}.exe
        
        C:\Windows\{0A97523F-245D-487e-A481-1726083333B3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
      - C:\Windows\{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe
        
        C:\Windows\{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F50F~1.EXE > nul
        7⤵
        
        PID:2284
        
        C:\Windows\{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe
        
        C:\Windows\{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66947~1.EXE > nul
        8⤵
        
        PID:2420
        
        C:\Windows\{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe
        
        C:\Windows\{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{035C4~1.EXE > nul
        9⤵
        
        PID:2332
        
        C:\Windows\{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe
        
        C:\Windows\{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66FB0~1.EXE > nul
        10⤵
        
        PID:2744
        
        C:\Windows\{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe
        
        C:\Windows\{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\{92B93527-0818-4177-BB6E-F115970F0CAD}.exe
        
        C:\Windows\{92B93527-0818-4177-BB6E-F115970F0CAD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92B93~1.EXE > nul
        12⤵
        
        PID:2640
        
        C:\Windows\{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe
        
        C:\Windows\{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38CBB~1.EXE > nul
        13⤵
        
        PID:852
        
        C:\Windows\{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe
        
        C:\Windows\{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7122A~1.EXE > nul
        14⤵
        
        PID:2484
        
        C:\Windows\{F09667DB-AAE5-4f26-A910-C6982F66843D}.exe
        
        C:\Windows\{F09667DB-AAE5-4f26-A910-C6982F66843D}.exe
        14⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{972DF~1.EXE > nul
        11⤵
        
        PID:2972
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A975~1.EXE > nul
        6⤵
        
        PID:1308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2111~1.EXE > nul
        5⤵
        
        PID:2132
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3350E5~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe

Filesize
372KB

MD5
f7b8c2faceb11095fe6590e092c02097

SHA1
92c826cd61ca067ce94a5a7a68dd34de176beb72

SHA256
a02ea3c4a5e6657ea3e1da8a7ffd9a9855c437bce3b20b2cdf0d1e33b7354d98

SHA512
5d74e7097053e2aca8c1c62a9756c6982b2a04031da48aaa8c9d2b6c8167001f02d1e01b878719934ac1026d6db641591e7b55089fbedf14d27f54eecb5472e3

Download Submit
C:\Windows\{035C4578-3FFC-4415-A27A-3292A6710D6C}.exe

Filesize
372KB

MD5
f7b8c2faceb11095fe6590e092c02097

SHA1
92c826cd61ca067ce94a5a7a68dd34de176beb72

SHA256
a02ea3c4a5e6657ea3e1da8a7ffd9a9855c437bce3b20b2cdf0d1e33b7354d98

SHA512
5d74e7097053e2aca8c1c62a9756c6982b2a04031da48aaa8c9d2b6c8167001f02d1e01b878719934ac1026d6db641591e7b55089fbedf14d27f54eecb5472e3

Download Submit
C:\Windows\{0A97523F-245D-487e-A481-1726083333B3}.exe

Filesize
372KB

MD5
7da0cb5af4ca06f9253d3163d9c475cd

SHA1
bd08f0ed7477dd377bb6982e6e39269621ff121c

SHA256
654484f60da35351976efe2f8aaad6f72f4a49f0f5d47580223c3fecdcb53e34

SHA512
d2827ebc80817f9eb366d8d92dc0f1cdb292fdf3180c983e770182b4d2778943bc08c689ca4a780af56816b0a9742ecda716d649b24da8b25b1d5cb5e1b1d608

Download Submit
C:\Windows\{0A97523F-245D-487e-A481-1726083333B3}.exe

Filesize
372KB

MD5
7da0cb5af4ca06f9253d3163d9c475cd

SHA1
bd08f0ed7477dd377bb6982e6e39269621ff121c

SHA256
654484f60da35351976efe2f8aaad6f72f4a49f0f5d47580223c3fecdcb53e34

SHA512
d2827ebc80817f9eb366d8d92dc0f1cdb292fdf3180c983e770182b4d2778943bc08c689ca4a780af56816b0a9742ecda716d649b24da8b25b1d5cb5e1b1d608

Download Submit
C:\Windows\{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe

Filesize
372KB

MD5
96c504aa4922629bcdd3ecc64a016453

SHA1
bbac6c3e7f9356e583b3942261dda9ef07c164da

SHA256
300e9833d880addb0b7c27541c9cf348cad4ba3a34c55948319fb518c6c9a316

SHA512
0cd90fe76b793cf61221cff10807737ba0b8dcf56040bc209cee995087d092e6fb70d524a071c19cc0cfc416beee69c33d71a264ade0a22348d748ac93d8ebaf

Download Submit
C:\Windows\{38CBB76A-BF91-4322-98F0-C18A9C5DD81E}.exe

Filesize
372KB

MD5
96c504aa4922629bcdd3ecc64a016453

SHA1
bbac6c3e7f9356e583b3942261dda9ef07c164da

SHA256
300e9833d880addb0b7c27541c9cf348cad4ba3a34c55948319fb518c6c9a316

SHA512
0cd90fe76b793cf61221cff10807737ba0b8dcf56040bc209cee995087d092e6fb70d524a071c19cc0cfc416beee69c33d71a264ade0a22348d748ac93d8ebaf

Download Submit
C:\Windows\{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe

Filesize
372KB

MD5
77e7e62de18f0e0abeeae8391858ebf7

SHA1
127a6c08653cc540f112f12b82909f70ad4667a3

SHA256
5ae65c81a51ad93ffd8992363e6c5975208f4defb6b2af734e7312d2758794e9

SHA512
b7e79e37932ed66a0de976dbd0488d7f42577c47be3795ab7ec8895269f4148ee6397adef617a060f3e55d7f423cee522510053ad82b47143fa7c062d60ac050

Download Submit
C:\Windows\{4F50F3F1-EE70-4c80-8737-3417BA074F66}.exe

Filesize
372KB

MD5
77e7e62de18f0e0abeeae8391858ebf7

SHA1
127a6c08653cc540f112f12b82909f70ad4667a3

SHA256
5ae65c81a51ad93ffd8992363e6c5975208f4defb6b2af734e7312d2758794e9

SHA512
b7e79e37932ed66a0de976dbd0488d7f42577c47be3795ab7ec8895269f4148ee6397adef617a060f3e55d7f423cee522510053ad82b47143fa7c062d60ac050

Download Submit
C:\Windows\{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe

Filesize
372KB

MD5
df276e73589f4be16508b44cc8cbafce

SHA1
368f1cc0645489dd78ee1652a1a04a9cd70a9c63

SHA256
ecf727476a61315027bc85b67855f92b3cdbd1ddc2d994da5aa21b3c91c0362b

SHA512
f89e2a2fef3ce3726d4d30ac9dbaa60de7cb197bcb338b8e1a1e4f5eb90977015591a308cf47668ad9e3855638c7eb577edaa253bd8404aba127cefff60ba128

Download Submit
C:\Windows\{66947F2D-69AA-4ec7-90FA-044AC90CA058}.exe

Filesize
372KB

MD5
df276e73589f4be16508b44cc8cbafce

SHA1
368f1cc0645489dd78ee1652a1a04a9cd70a9c63

SHA256
ecf727476a61315027bc85b67855f92b3cdbd1ddc2d994da5aa21b3c91c0362b

SHA512
f89e2a2fef3ce3726d4d30ac9dbaa60de7cb197bcb338b8e1a1e4f5eb90977015591a308cf47668ad9e3855638c7eb577edaa253bd8404aba127cefff60ba128

Download Submit
C:\Windows\{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe

Filesize
372KB

MD5
215d522d45228038ac73564292e0647c

SHA1
c06d10d787c2442762616eabee599c811bb2d361

SHA256
e5b5cb8683c4976110ef9af35cd49746708a0e035b2957d4ccf9befa74c195fc

SHA512
da76499b61c1325256041ffa7536cd40c521ceffa5be677f2c6105226d5a9a265a9e56bd3380806398baf3c160272cc0707affebfde1e59e9c10e74c97190ba9

Download Submit
C:\Windows\{66FB0EAB-667B-4611-A458-50A068ABE45C}.exe

Filesize
372KB

MD5
215d522d45228038ac73564292e0647c

SHA1
c06d10d787c2442762616eabee599c811bb2d361

SHA256
e5b5cb8683c4976110ef9af35cd49746708a0e035b2957d4ccf9befa74c195fc

SHA512
da76499b61c1325256041ffa7536cd40c521ceffa5be677f2c6105226d5a9a265a9e56bd3380806398baf3c160272cc0707affebfde1e59e9c10e74c97190ba9

Download Submit
C:\Windows\{6800019E-8402-4f19-AFD3-41CF4209486B}.exe

Filesize
372KB

MD5
c305fd9b6845863c88bfb91bdd6f7967

SHA1
8ae4eb87cb5d842f2ea548a7795f07bfe99e9047

SHA256
065f320ac4ec5c397ac170de4d68cebd01faa436cbcb1a6601c281ac7bc69134

SHA512
396c88456929da79d32ad7579383343cec24a8ebd07da94a67bbf5b9302157368f52ee8fced5c8a2761cfa3731a42fa50211cbb66adce65e9110d19a888a36ab

Download Submit
C:\Windows\{6800019E-8402-4f19-AFD3-41CF4209486B}.exe

Filesize
372KB

MD5
c305fd9b6845863c88bfb91bdd6f7967

SHA1
8ae4eb87cb5d842f2ea548a7795f07bfe99e9047

SHA256
065f320ac4ec5c397ac170de4d68cebd01faa436cbcb1a6601c281ac7bc69134

SHA512
396c88456929da79d32ad7579383343cec24a8ebd07da94a67bbf5b9302157368f52ee8fced5c8a2761cfa3731a42fa50211cbb66adce65e9110d19a888a36ab

Download Submit
C:\Windows\{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe

Filesize
372KB

MD5
fd870ba50c7e8a861881649d0d817d71

SHA1
6cf83c9dbeb0746c4a303d5f78822b3d7bbcb3b7

SHA256
c8878e0ec2e115cacefaa54bb2942ac39f9607e8ec67f9f8d2ee19e30edfa901

SHA512
37b0fc40771b8dfb1d53390ff55f4b8490d26ae6e74ac62ac85c5a8a5d7f692e5342d6458bf2f46dcd50257947f49d98241b21ff82799407836b15f0f5d1bc68

Download Submit
C:\Windows\{7122AEDC-0F1F-4e83-9EDA-0AD6E8790A2A}.exe

Filesize
372KB

MD5
fd870ba50c7e8a861881649d0d817d71

SHA1
6cf83c9dbeb0746c4a303d5f78822b3d7bbcb3b7

SHA256
c8878e0ec2e115cacefaa54bb2942ac39f9607e8ec67f9f8d2ee19e30edfa901

SHA512
37b0fc40771b8dfb1d53390ff55f4b8490d26ae6e74ac62ac85c5a8a5d7f692e5342d6458bf2f46dcd50257947f49d98241b21ff82799407836b15f0f5d1bc68

Download Submit
C:\Windows\{92B93527-0818-4177-BB6E-F115970F0CAD}.exe

Filesize
372KB

MD5
94446a800530450de337e7514c846c01

SHA1
d45b24061725eae103e2f5da96b6ba3c95dba80a

SHA256
64d0171eb56fe6545778183f8c389227d93d197cef0e176cf97d7ecea9690ca5

SHA512
dba8f67dbdbbd0bcc6bc78c5957aaeaebbb84cb2f72749c27622b21262d499604667890c129c9cdb6f6bcf038ec4d4868b3e6413151d8d48756afa19ac160f64

Download Submit
C:\Windows\{92B93527-0818-4177-BB6E-F115970F0CAD}.exe

Filesize
372KB

MD5
94446a800530450de337e7514c846c01

SHA1
d45b24061725eae103e2f5da96b6ba3c95dba80a

SHA256
64d0171eb56fe6545778183f8c389227d93d197cef0e176cf97d7ecea9690ca5

SHA512
dba8f67dbdbbd0bcc6bc78c5957aaeaebbb84cb2f72749c27622b21262d499604667890c129c9cdb6f6bcf038ec4d4868b3e6413151d8d48756afa19ac160f64

Download Submit
C:\Windows\{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe

Filesize
372KB

MD5
53a212c1a82df776c106b857d3e262e4

SHA1
ea3c26d501a86da109d5eb3d92a1bfc46c4ef0ee

SHA256
098306fbb22055155bd81bca929eb43d0d9eaa97eca1e7fc5a7f1720970c7ea9

SHA512
d51a929e004a12c22b1a34e5411527305ccb303b95916fb2da03bcc97d06218baa46f5bab1b48fbff93b0e876960447ce0240ec638239566424d87160fef0ba1

Download Submit
C:\Windows\{972DF69F-56F0-4025-9EA7-1E20D384BA66}.exe

Filesize
372KB

MD5
53a212c1a82df776c106b857d3e262e4

SHA1
ea3c26d501a86da109d5eb3d92a1bfc46c4ef0ee

SHA256
098306fbb22055155bd81bca929eb43d0d9eaa97eca1e7fc5a7f1720970c7ea9

SHA512
d51a929e004a12c22b1a34e5411527305ccb303b95916fb2da03bcc97d06218baa46f5bab1b48fbff93b0e876960447ce0240ec638239566424d87160fef0ba1

Download Submit
C:\Windows\{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe

Filesize
372KB

MD5
4bbc3cf6c050a6d5a65ab8227e7f1869

SHA1
5a52864324c2d5f4d5005114ac4642bb7bfe8adf

SHA256
7d19b8587c9e12532a3dfac29a509d21d486eb9d285154c783280a5cf6b937d9

SHA512
d4beedc83fadf07f9d6ef19365d1982574827d2d92f3351e8a8b19114e06cb3bd8add88c9907c00aea7cb53f8aa66c8dd0e44974bac1f52e5964ad2057bcb9d1

Download Submit
C:\Windows\{A2111796-CDCF-45a2-86A6-F3987CE6D22E}.exe

Filesize
372KB

MD5
4bbc3cf6c050a6d5a65ab8227e7f1869

SHA1
5a52864324c2d5f4d5005114ac4642bb7bfe8adf

SHA256
7d19b8587c9e12532a3dfac29a509d21d486eb9d285154c783280a5cf6b937d9

SHA512
d4beedc83fadf07f9d6ef19365d1982574827d2d92f3351e8a8b19114e06cb3bd8add88c9907c00aea7cb53f8aa66c8dd0e44974bac1f52e5964ad2057bcb9d1

Download Submit
C:\Windows\{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe

Filesize
372KB

MD5
6f9f9292fca7f55e192f798732f869dd

SHA1
cf1585f2d0de07e8c3e84ed5b239d7b361bd48a2

SHA256
d0c6bee147e0de37ababd9d42d4bdd1f62476dc6b78d1094206f61106fd0ecea

SHA512
fcd2fa00a09e07ba8430c45430bc4929ce21ade89402a987f200872ff4eea868aa45f29c2227f123773311c474004ed58e4ef93e108183f726f431a97c46ce8d

Download Submit
C:\Windows\{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe

Filesize
372KB

MD5
6f9f9292fca7f55e192f798732f869dd

SHA1
cf1585f2d0de07e8c3e84ed5b239d7b361bd48a2

SHA256
d0c6bee147e0de37ababd9d42d4bdd1f62476dc6b78d1094206f61106fd0ecea

SHA512
fcd2fa00a09e07ba8430c45430bc4929ce21ade89402a987f200872ff4eea868aa45f29c2227f123773311c474004ed58e4ef93e108183f726f431a97c46ce8d

Download Submit
C:\Windows\{AC4F4FD7-DDD2-4104-BA39-FA0878D5DCF8}.exe

Filesize
372KB

MD5
6f9f9292fca7f55e192f798732f869dd

SHA1
cf1585f2d0de07e8c3e84ed5b239d7b361bd48a2

SHA256
d0c6bee147e0de37ababd9d42d4bdd1f62476dc6b78d1094206f61106fd0ecea

SHA512
fcd2fa00a09e07ba8430c45430bc4929ce21ade89402a987f200872ff4eea868aa45f29c2227f123773311c474004ed58e4ef93e108183f726f431a97c46ce8d

Download Submit
C:\Windows\{F09667DB-AAE5-4f26-A910-C6982F66843D}.exe

Filesize
372KB

MD5
44ecf6f5a129e8c76de74a8ffe5ec764

SHA1
1a58f2185cd6438abd5c7c0032f83a4000b71e03

SHA256
0844d8b5a5cdba5d2431e15730414ae9a498c8c05bc319e082eb930bdcf26cef

SHA512
b9642c6631996e3f9ccd0bffdd33591b54916918f37a3a5e014df89576539cfdb1610dddaab542aa488a72bf16bc9da66d06c11af2f4cb339e10883aaf0c0bbf

Download Submit