a7a4b8111fc7864464bacff93c8edd4207acb12c4d130e6b53d157c13d095754

Analysis

max time kernel
146s
max time network
30s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

354447de058bd6exeexeexeex.exe
Size

408KB
MD5

354447de058bd6b4567e234d445f918b
SHA1

94bdec65639cfbc265a3f1eb7b589110f9e8f699
SHA256

a7a4b8111fc7864464bacff93c8edd4207acb12c4d130e6b53d157c13d095754
SHA512

e5902d170334e68e50e527695b8353d7ac4ec67cf3e5a4736c95895f239137d5d8d164f72d0b75fdebccb2ea9b4882c6a20e55a0e5282f6a4dcac8867c0e38c2
SSDEEP

3072:CEGh0oLl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGhldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED387DC8-C0B0-4557-A094-78CA0FA8E910}\stubpath = "C:\\Windows\\{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe"	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}	{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED387DC8-C0B0-4557-A094-78CA0FA8E910}	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21FC791A-33F8-49a5-A326-11996C6427BE}\stubpath = "C:\\Windows\\{21FC791A-33F8-49a5-A326-11996C6427BE}.exe"	354447de058bd6exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D43E57C-A94E-41a5-8718-B8640964E124}\stubpath = "C:\\Windows\\{4D43E57C-A94E-41a5-8718-B8640964E124}.exe"	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3678E2D6-7F02-4762-8735-C6B91373B725}\stubpath = "C:\\Windows\\{3678E2D6-7F02-4762-8735-C6B91373B725}.exe"	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}\stubpath = "C:\\Windows\\{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe"	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}	{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}\stubpath = "C:\\Windows\\{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe"	{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21FC791A-33F8-49a5-A326-11996C6427BE}	354447de058bd6exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}	{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}\stubpath = "C:\\Windows\\{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe"	{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}\stubpath = "C:\\Windows\\{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe"	{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C77753A-7D09-4484-95B2-4D5D0FE6CD25}\stubpath = "C:\\Windows\\{9C77753A-7D09-4484-95B2-4D5D0FE6CD25}.exe"	{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}	{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}\stubpath = "C:\\Windows\\{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe"	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FA11F0E-115F-4f05-820B-845CC2E19379}\stubpath = "C:\\Windows\\{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe"	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C77753A-7D09-4484-95B2-4D5D0FE6CD25}	{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3678E2D6-7F02-4762-8735-C6B91373B725}	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}\stubpath = "C:\\Windows\\{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe"	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FA11F0E-115F-4f05-820B-845CC2E19379}	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}\stubpath = "C:\\Windows\\{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe"	{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D43E57C-A94E-41a5-8718-B8640964E124}	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe

Deletes itself 1 IoCs

pid	Process
2352	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2176	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe
2336	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe
3048	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe
304	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe
576	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe
1048	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe
1616	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe
2236	{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe
2584	{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe
2764	{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe
2484	{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe
2512	{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe
3024	{9C77753A-7D09-4484-95B2-4D5D0FE6CD25}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{9C77753A-7D09-4484-95B2-4D5D0FE6CD25}.exe	{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe
File created	C:\Windows\{21FC791A-33F8-49a5-A326-11996C6427BE}.exe	354447de058bd6exeexeexeex.exe
File created	C:\Windows\{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe
File created	C:\Windows\{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe
File created	C:\Windows\{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe	{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe
File created	C:\Windows\{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe	{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe
File created	C:\Windows\{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe	{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe
File created	C:\Windows\{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe
File created	C:\Windows\{4D43E57C-A94E-41a5-8718-B8640964E124}.exe	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe
File created	C:\Windows\{3678E2D6-7F02-4762-8735-C6B91373B725}.exe	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe
File created	C:\Windows\{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe
File created	C:\Windows\{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe
File created	C:\Windows\{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe	{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1984	354447de058bd6exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2176	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe
Token: SeIncBasePriorityPrivilege	2336	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe
Token: SeIncBasePriorityPrivilege	3048	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe
Token: SeIncBasePriorityPrivilege	304	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe
Token: SeIncBasePriorityPrivilege	576	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe
Token: SeIncBasePriorityPrivilege	1048	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe
Token: SeIncBasePriorityPrivilege	1616	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe
Token: SeIncBasePriorityPrivilege	2236	{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe
Token: SeIncBasePriorityPrivilege	2584	{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe
Token: SeIncBasePriorityPrivilege	2764	{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe
Token: SeIncBasePriorityPrivilege	2484	{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe
Token: SeIncBasePriorityPrivilege	2512	{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2176	1984	354447de058bd6exeexeexeex.exe	27
PID 1984 wrote to memory of 2176	1984	354447de058bd6exeexeexeex.exe	27
PID 1984 wrote to memory of 2176	1984	354447de058bd6exeexeexeex.exe	27
PID 1984 wrote to memory of 2176	1984	354447de058bd6exeexeexeex.exe	27
PID 1984 wrote to memory of 2352	1984	354447de058bd6exeexeexeex.exe	28
PID 1984 wrote to memory of 2352	1984	354447de058bd6exeexeexeex.exe	28
PID 1984 wrote to memory of 2352	1984	354447de058bd6exeexeexeex.exe	28
PID 1984 wrote to memory of 2352	1984	354447de058bd6exeexeexeex.exe	28
PID 2176 wrote to memory of 2336	2176	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe	30
PID 2176 wrote to memory of 2336	2176	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe	30
PID 2176 wrote to memory of 2336	2176	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe	30
PID 2176 wrote to memory of 2336	2176	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe	30
PID 2176 wrote to memory of 2908	2176	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe	29
PID 2176 wrote to memory of 2908	2176	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe	29
PID 2176 wrote to memory of 2908	2176	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe	29
PID 2176 wrote to memory of 2908	2176	{21FC791A-33F8-49a5-A326-11996C6427BE}.exe	29
PID 2336 wrote to memory of 3048	2336	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe	32
PID 2336 wrote to memory of 3048	2336	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe	32
PID 2336 wrote to memory of 3048	2336	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe	32
PID 2336 wrote to memory of 3048	2336	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe	32
PID 2336 wrote to memory of 3052	2336	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe	31
PID 2336 wrote to memory of 3052	2336	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe	31
PID 2336 wrote to memory of 3052	2336	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe	31
PID 2336 wrote to memory of 3052	2336	{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe	31
PID 3048 wrote to memory of 304	3048	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe	34
PID 3048 wrote to memory of 304	3048	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe	34
PID 3048 wrote to memory of 304	3048	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe	34
PID 3048 wrote to memory of 304	3048	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe	34
PID 3048 wrote to memory of 1380	3048	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe	33
PID 3048 wrote to memory of 1380	3048	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe	33
PID 3048 wrote to memory of 1380	3048	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe	33
PID 3048 wrote to memory of 1380	3048	{4D43E57C-A94E-41a5-8718-B8640964E124}.exe	33
PID 304 wrote to memory of 576	304	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe	36
PID 304 wrote to memory of 576	304	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe	36
PID 304 wrote to memory of 576	304	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe	36
PID 304 wrote to memory of 576	304	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe	36
PID 304 wrote to memory of 1900	304	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe	35
PID 304 wrote to memory of 1900	304	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe	35
PID 304 wrote to memory of 1900	304	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe	35
PID 304 wrote to memory of 1900	304	{3678E2D6-7F02-4762-8735-C6B91373B725}.exe	35
PID 576 wrote to memory of 1048	576	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe	38
PID 576 wrote to memory of 1048	576	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe	38
PID 576 wrote to memory of 1048	576	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe	38
PID 576 wrote to memory of 1048	576	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe	38
PID 576 wrote to memory of 2112	576	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe	37
PID 576 wrote to memory of 2112	576	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe	37
PID 576 wrote to memory of 2112	576	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe	37
PID 576 wrote to memory of 2112	576	{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe	37
PID 1048 wrote to memory of 1616	1048	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe	40
PID 1048 wrote to memory of 1616	1048	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe	40
PID 1048 wrote to memory of 1616	1048	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe	40
PID 1048 wrote to memory of 1616	1048	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe	40
PID 1048 wrote to memory of 1724	1048	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe	39
PID 1048 wrote to memory of 1724	1048	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe	39
PID 1048 wrote to memory of 1724	1048	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe	39
PID 1048 wrote to memory of 1724	1048	{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe	39
PID 1616 wrote to memory of 2236	1616	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe	42
PID 1616 wrote to memory of 2236	1616	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe	42
PID 1616 wrote to memory of 2236	1616	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe	42
PID 1616 wrote to memory of 2236	1616	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe	42
PID 1616 wrote to memory of 1768	1616	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe	41
PID 1616 wrote to memory of 1768	1616	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe	41
PID 1616 wrote to memory of 1768	1616	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe	41
PID 1616 wrote to memory of 1768	1616	{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe	41

C:\Users\Admin\AppData\Local\Temp\354447de058bd6exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\354447de058bd6exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\{21FC791A-33F8-49a5-A326-11996C6427BE}.exe
  C:\Windows\{21FC791A-33F8-49a5-A326-11996C6427BE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{21FC7~1.EXE > nul
    3⤵
    PID:2908
- - C:\Windows\{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe
    C:\Windows\{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ED387~1.EXE > nul
      4⤵
      PID:3052
  - - C:\Windows\{4D43E57C-A94E-41a5-8718-B8640964E124}.exe
      C:\Windows\{4D43E57C-A94E-41a5-8718-B8640964E124}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D43E~1.EXE > nul
        5⤵
        
        PID:1380
    - - C:\Windows\{3678E2D6-7F02-4762-8735-C6B91373B725}.exe
        
        C:\Windows\{3678E2D6-7F02-4762-8735-C6B91373B725}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:304
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3678E~1.EXE > nul
        6⤵
        
        PID:1900
      - C:\Windows\{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe
        
        C:\Windows\{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6BDE~1.EXE > nul
        7⤵
        
        PID:2112
        
        C:\Windows\{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe
        
        C:\Windows\{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C724~1.EXE > nul
        8⤵
        
        PID:1724
        
        C:\Windows\{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe
        
        C:\Windows\{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FA11~1.EXE > nul
        9⤵
        
        PID:1768
        
        C:\Windows\{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe
        
        C:\Windows\{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E3E3~1.EXE > nul
        10⤵
        
        PID:2740
        
        C:\Windows\{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe
        
        C:\Windows\{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBAF9~1.EXE > nul
        11⤵
        
        PID:2632
        
        C:\Windows\{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe
        
        C:\Windows\{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe
        
        C:\Windows\{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe
        
        C:\Windows\{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\{9C77753A-7D09-4484-95B2-4D5D0FE6CD25}.exe
        
        C:\Windows\{9C77753A-7D09-4484-95B2-4D5D0FE6CD25}.exe
        14⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36610~1.EXE > nul
        14⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E33C~1.EXE > nul
        13⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F5AA~1.EXE > nul
        12⤵
        
        PID:2732
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\354447~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2352

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21FC791A-33F8-49a5-A326-11996C6427BE}.exe

Filesize
408KB

MD5
a2915f7438577fcc1c34ea9bf8671979

SHA1
c606c6bde4c9208290a9fdbbc41ba624037a6468

SHA256
7a7295472a7dcea9dec1efd391ccd3a4edb0dc5ec4f0084a2eed01fe0bef2195

SHA512
6811ffd42be555c4c8098ff15dbd2d9c99163e58ae7c9e600f3e858e101411c6767d16467d10e7648f76175bf39d6d78c0c405959ea089c4dbc6042c36fc2c91

Download Submit
C:\Windows\{21FC791A-33F8-49a5-A326-11996C6427BE}.exe

Filesize
408KB

MD5
a2915f7438577fcc1c34ea9bf8671979

SHA1
c606c6bde4c9208290a9fdbbc41ba624037a6468

SHA256
7a7295472a7dcea9dec1efd391ccd3a4edb0dc5ec4f0084a2eed01fe0bef2195

SHA512
6811ffd42be555c4c8098ff15dbd2d9c99163e58ae7c9e600f3e858e101411c6767d16467d10e7648f76175bf39d6d78c0c405959ea089c4dbc6042c36fc2c91

Download Submit
C:\Windows\{21FC791A-33F8-49a5-A326-11996C6427BE}.exe

Filesize
408KB

MD5
a2915f7438577fcc1c34ea9bf8671979

SHA1
c606c6bde4c9208290a9fdbbc41ba624037a6468

SHA256
7a7295472a7dcea9dec1efd391ccd3a4edb0dc5ec4f0084a2eed01fe0bef2195

SHA512
6811ffd42be555c4c8098ff15dbd2d9c99163e58ae7c9e600f3e858e101411c6767d16467d10e7648f76175bf39d6d78c0c405959ea089c4dbc6042c36fc2c91

Download Submit
C:\Windows\{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe

Filesize
408KB

MD5
d71a85c69e101ecac7a7f94ae47a0cda

SHA1
92f20e9ba9501b460f6381a5e47346da78a61157

SHA256
43ddb2b866f3c7f64008844fcfd399ecf615d3c322b562bd48b977c8ccc7e554

SHA512
064432573385cc96193c7bbef079539a72917d639cfba7e726796396dae64dc0b8d67f5fc5b6c46b8e1279428aeea63b5ca3587e74e656ec03facbcb1a615c87

Download Submit
C:\Windows\{2E33CBAF-88F7-477c-99AA-3AA3578E91EB}.exe

Filesize
408KB

MD5
d71a85c69e101ecac7a7f94ae47a0cda

SHA1
92f20e9ba9501b460f6381a5e47346da78a61157

SHA256
43ddb2b866f3c7f64008844fcfd399ecf615d3c322b562bd48b977c8ccc7e554

SHA512
064432573385cc96193c7bbef079539a72917d639cfba7e726796396dae64dc0b8d67f5fc5b6c46b8e1279428aeea63b5ca3587e74e656ec03facbcb1a615c87

Download Submit
C:\Windows\{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe

Filesize
408KB

MD5
aa84f739e388e9698b3bfeac1173a226

SHA1
72c4ea1ea0695a7ee915887cf7a5bb33601d68d7

SHA256
ceb1e2fd8e09568991f4a250e1d3e41eebb2bce8e826e96121df3218f42b04c5

SHA512
54082637df7e2ebb6606da26b61ee1fabdf76cbba20700df421e446b9b6408c12c9bd328f71351d0c8cdbb5eedf470e0abee44832d0dc4949d408364bb1eb127

Download Submit
C:\Windows\{2E3E31E5-1C7F-4c75-AB47-38BAB1536A78}.exe

Filesize
408KB

MD5
aa84f739e388e9698b3bfeac1173a226

SHA1
72c4ea1ea0695a7ee915887cf7a5bb33601d68d7

SHA256
ceb1e2fd8e09568991f4a250e1d3e41eebb2bce8e826e96121df3218f42b04c5

SHA512
54082637df7e2ebb6606da26b61ee1fabdf76cbba20700df421e446b9b6408c12c9bd328f71351d0c8cdbb5eedf470e0abee44832d0dc4949d408364bb1eb127

Download Submit
C:\Windows\{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe

Filesize
408KB

MD5
a727441d6fff19f44cb8fc1367f5cbe4

SHA1
3ed85ef6e4658c6e274834e6c27ec58365635751

SHA256
cce10b38dd866b66b2cea0b91ea561033a541de823dc05838cbc0e645009be7f

SHA512
22b29734bc945dc11ef23bb73e7d4c70341e904a923e47422c109893fbb61ff93675c2e9b07ab1f161e804ccb903aee1688b71935930666b3de9bcc44bfb4616

Download Submit
C:\Windows\{2F5AA018-F7A1-4c30-8DB7-71C5ED2F9AC1}.exe

Filesize
408KB

MD5
a727441d6fff19f44cb8fc1367f5cbe4

SHA1
3ed85ef6e4658c6e274834e6c27ec58365635751

SHA256
cce10b38dd866b66b2cea0b91ea561033a541de823dc05838cbc0e645009be7f

SHA512
22b29734bc945dc11ef23bb73e7d4c70341e904a923e47422c109893fbb61ff93675c2e9b07ab1f161e804ccb903aee1688b71935930666b3de9bcc44bfb4616

Download Submit
C:\Windows\{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe

Filesize
408KB

MD5
4757310be15bfdd87369947eda366475

SHA1
d1ae8f8d4669e7d2cfda6f53fffaa33c719e1056

SHA256
3b4947d3d856643c9d9ee6bd564a018e9138fe7126b5390cb6f9988ee4e5bbc5

SHA512
dc66e5622aebefdb57793484cfa2735d99dd16a07ccb4017ba6cb2c9ff3f657e964467a203ad0e1df741cebbdcad021e2307de68e10c500b35ed34d37ee68cc0

Download Submit
C:\Windows\{366108E8-5EF9-498e-BAA8-9FE0A04D3E72}.exe

Filesize
408KB

MD5
4757310be15bfdd87369947eda366475

SHA1
d1ae8f8d4669e7d2cfda6f53fffaa33c719e1056

SHA256
3b4947d3d856643c9d9ee6bd564a018e9138fe7126b5390cb6f9988ee4e5bbc5

SHA512
dc66e5622aebefdb57793484cfa2735d99dd16a07ccb4017ba6cb2c9ff3f657e964467a203ad0e1df741cebbdcad021e2307de68e10c500b35ed34d37ee68cc0

Download Submit
C:\Windows\{3678E2D6-7F02-4762-8735-C6B91373B725}.exe

Filesize
408KB

MD5
3c16c8f5d9ff5d6049e7a17bfe96201c

SHA1
0135af9002d584ec8e3634c8913d07fcbb62c8de

SHA256
221a69f57c85d0453ed135287940cd5b2cdf762e60f01817edc6e90fec3e9c6b

SHA512
041f0a1048fe692487f4dfa45cff63088104c31e9f1a291c1170928fbdb7f83dc42ccf5ca1643617be0ca9f35c440dd9258743793f5a4d31fcdd3a1f49aea138

Download Submit
C:\Windows\{3678E2D6-7F02-4762-8735-C6B91373B725}.exe

Filesize
408KB

MD5
3c16c8f5d9ff5d6049e7a17bfe96201c

SHA1
0135af9002d584ec8e3634c8913d07fcbb62c8de

SHA256
221a69f57c85d0453ed135287940cd5b2cdf762e60f01817edc6e90fec3e9c6b

SHA512
041f0a1048fe692487f4dfa45cff63088104c31e9f1a291c1170928fbdb7f83dc42ccf5ca1643617be0ca9f35c440dd9258743793f5a4d31fcdd3a1f49aea138

Download Submit
C:\Windows\{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe

Filesize
408KB

MD5
3486e0011080fb779a2190fa504de5db

SHA1
1250dbabc71d0ad515f755688d0831d6a418b8f0

SHA256
71575aeda2d789996563111f49f65dd9820c9a81ca9250173f6b39f0cbe712a1

SHA512
2dddbabaeb8c64b458c6fea73c62aa97560e80d7cc75de71d94b6b382bc250fd2269e39c8b4908e263fee40a6c097da4c95747793a190b66080b93e4f97dee19

Download Submit
C:\Windows\{3C724FF7-11A3-46a3-A6C1-8D6943D6660B}.exe

Filesize
408KB

MD5
3486e0011080fb779a2190fa504de5db

SHA1
1250dbabc71d0ad515f755688d0831d6a418b8f0

SHA256
71575aeda2d789996563111f49f65dd9820c9a81ca9250173f6b39f0cbe712a1

SHA512
2dddbabaeb8c64b458c6fea73c62aa97560e80d7cc75de71d94b6b382bc250fd2269e39c8b4908e263fee40a6c097da4c95747793a190b66080b93e4f97dee19

Download Submit
C:\Windows\{4D43E57C-A94E-41a5-8718-B8640964E124}.exe

Filesize
408KB

MD5
b1210deb5e724ec5dfc16aab1ef217bd

SHA1
4d473fb410d9c6685dff96122c179ad75153b01a

SHA256
e0b404be6a7368989a922562df879b4087901538beecad831262f5310d10f716

SHA512
4386dfaf9f64f6c8dde59862a55e08fa18f0075f8ab01616d0409fcd6b4369f16586d9abc3e6a03046859164136825c566dd9035d1c9985a02ba7a16dbcca994

Download Submit
C:\Windows\{4D43E57C-A94E-41a5-8718-B8640964E124}.exe

Filesize
408KB

MD5
b1210deb5e724ec5dfc16aab1ef217bd

SHA1
4d473fb410d9c6685dff96122c179ad75153b01a

SHA256
e0b404be6a7368989a922562df879b4087901538beecad831262f5310d10f716

SHA512
4386dfaf9f64f6c8dde59862a55e08fa18f0075f8ab01616d0409fcd6b4369f16586d9abc3e6a03046859164136825c566dd9035d1c9985a02ba7a16dbcca994

Download Submit
C:\Windows\{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe

Filesize
408KB

MD5
79263c7d2b73598e0fd8c874a96aa4c4

SHA1
4b5b8e588d53731ce35f1e789658fa63b8c1d90d

SHA256
b1abaf3e21a2b27c48328858bd28063393bc974c333f432e8f35735d04d0b7ae

SHA512
6c570dc37b05f6492522748f115268beb23561ab306dca4c7467dfb912522834257f4561a7352633c4fc78eec5ef6c1249364d6a1c63365024129dbef8038c6d

Download Submit
C:\Windows\{6FA11F0E-115F-4f05-820B-845CC2E19379}.exe

Filesize
408KB

MD5
79263c7d2b73598e0fd8c874a96aa4c4

SHA1
4b5b8e588d53731ce35f1e789658fa63b8c1d90d

SHA256
b1abaf3e21a2b27c48328858bd28063393bc974c333f432e8f35735d04d0b7ae

SHA512
6c570dc37b05f6492522748f115268beb23561ab306dca4c7467dfb912522834257f4561a7352633c4fc78eec5ef6c1249364d6a1c63365024129dbef8038c6d

Download Submit
C:\Windows\{9C77753A-7D09-4484-95B2-4D5D0FE6CD25}.exe

Filesize
408KB

MD5
813b9791ddd4756227e00d3394f63ead

SHA1
ccf49b59a77c1d1d36d29f85660f3264a2abd9a6

SHA256
87a5c7d88626ef9c7d1df8ec08430901bfe34eb6c515cf409542debd767e4823

SHA512
21050becfcd5c2f93723693fccdbb1f6ea296415b448ba867d947e94cacdd90d5403c8f6daf77267476f6487582445e6fa134689cb77670338da9e8dc073ddcf

Download Submit
C:\Windows\{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe

Filesize
408KB

MD5
ccdd8edbe4723dab1aa2b026023381aa

SHA1
dc7b152a2a1b385b4c4ba64b6820cc8a759034cd

SHA256
01699afea34b3c8ebcd8fa5e755d26c7027634dda43d0d6425522ffb816edaa9

SHA512
4fd007e3b830c306dfce259082dfa34b17e522ee9c4bb77b49f8a78ec720a0fce47cbd45a906e000428ebbcde91ec47fe53378c22bae62dac96ce965d2ce651d

Download Submit
C:\Windows\{A6BDE6C7-FDA7-4715-B9C6-0D196471EB0B}.exe

Filesize
408KB

MD5
ccdd8edbe4723dab1aa2b026023381aa

SHA1
dc7b152a2a1b385b4c4ba64b6820cc8a759034cd

SHA256
01699afea34b3c8ebcd8fa5e755d26c7027634dda43d0d6425522ffb816edaa9

SHA512
4fd007e3b830c306dfce259082dfa34b17e522ee9c4bb77b49f8a78ec720a0fce47cbd45a906e000428ebbcde91ec47fe53378c22bae62dac96ce965d2ce651d

Download Submit
C:\Windows\{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe

Filesize
408KB

MD5
51a483b697cd0dad008c5ee9edb3e574

SHA1
8ac2bfd87235b872dc1ed854f442a154a74b2c1b

SHA256
f676597c8700b795dfa4703996428fd1b21babb6d0ec0a3cc38c232e876a9c77

SHA512
20c2258a9f0847aceb7ef271308c1426a85b604490127a5899b0b3b82cbbecaf4eb0d1dc0d45c2e8e2be7fbf5044cab836c0c8b1cbb7420c8a650920fd4b8e73

Download Submit
C:\Windows\{CBAF942F-7CF7-40e9-9D2C-C98BB60F1699}.exe

Filesize
408KB

MD5
51a483b697cd0dad008c5ee9edb3e574

SHA1
8ac2bfd87235b872dc1ed854f442a154a74b2c1b

SHA256
f676597c8700b795dfa4703996428fd1b21babb6d0ec0a3cc38c232e876a9c77

SHA512
20c2258a9f0847aceb7ef271308c1426a85b604490127a5899b0b3b82cbbecaf4eb0d1dc0d45c2e8e2be7fbf5044cab836c0c8b1cbb7420c8a650920fd4b8e73

Download Submit
C:\Windows\{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe

Filesize
408KB

MD5
8f2ca4f0324d154ebeebb2871e1e5f11

SHA1
c3baf3cf9215a6f17781539dc84fda16509a8271

SHA256
4da185741437a9525ea8a34e61655fa138026c3a233f46ae0bcecd3f79831174

SHA512
22b16320f550a394d0184366a1e5f80d8b083a875648191501894a18f3bd9b67f7f6758cfda00ccc0bd882182b993124a396fd932168718e6c5ef2528598cacc

Download Submit
C:\Windows\{ED387DC8-C0B0-4557-A094-78CA0FA8E910}.exe

Filesize
408KB

MD5
8f2ca4f0324d154ebeebb2871e1e5f11

SHA1
c3baf3cf9215a6f17781539dc84fda16509a8271

SHA256
4da185741437a9525ea8a34e61655fa138026c3a233f46ae0bcecd3f79831174

SHA512
22b16320f550a394d0184366a1e5f80d8b083a875648191501894a18f3bd9b67f7f6758cfda00ccc0bd882182b993124a396fd932168718e6c5ef2528598cacc

Download Submit