e9f89ad6cadceb3a9a861ef4ec93a3680eec338a496fc1a53e0ab514fe18cae8

Analysis

max time kernel
150s
max time network
33s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
06/07/2023, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

35fda886396cc8exeexeexeex.exe
Size

216KB
MD5

35fda886396cc8b38240c073b59cb56f
SHA1

8a7aab3388de5cd336b9b031f4ec4532d59823ef
SHA256

e9f89ad6cadceb3a9a861ef4ec93a3680eec338a496fc1a53e0ab514fe18cae8
SHA512

b1ba757d420d05aa410ff626c1777ea6ae85961b1cae47716a9414a41de38fd059d661ac2b0427bac6e3c68e5a05a8ca12ce3347515ffe02c9a5998e9e5694d9
SSDEEP

3072:jEGh0o1l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGTlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}\stubpath = "C:\\Windows\\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe"	{3293E0D8-4590-4b43-B639-D1931C710781}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4C8127A-FF32-42b8-A415-1E319BE688BB}\stubpath = "C:\\Windows\\{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe"	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{472BC6F9-58C3-42ef-9651-2CAC8E09127C}\stubpath = "C:\\Windows\\{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe"	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F834E236-CF66-4149-8745-95C33DB6E010}\stubpath = "C:\\Windows\\{F834E236-CF66-4149-8745-95C33DB6E010}.exe"	{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}	{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C767525F-D276-4282-B961-0E069DCD53E5}\stubpath = "C:\\Windows\\{C767525F-D276-4282-B961-0E069DCD53E5}.exe"	{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3293E0D8-4590-4b43-B639-D1931C710781}	35fda886396cc8exeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3293E0D8-4590-4b43-B639-D1931C710781}\stubpath = "C:\\Windows\\{3293E0D8-4590-4b43-B639-D1931C710781}.exe"	35fda886396cc8exeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{326A4350-3B3C-4dc8-BA39-EFE833DEA529}	{C82021E6-988A-440e-902E-8206D9ECC356}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED90B70A-573C-4e46-8582-7AFCBC42501A}\stubpath = "C:\\Windows\\{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe"	{F834E236-CF66-4149-8745-95C33DB6E010}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}\stubpath = "C:\\Windows\\{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe"	{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6071BB9A-7DB8-4267-A6D8-0131EF75A570}\stubpath = "C:\\Windows\\{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe"	{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D4C8127A-FF32-42b8-A415-1E319BE688BB}	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{472BC6F9-58C3-42ef-9651-2CAC8E09127C}	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{326A4350-3B3C-4dc8-BA39-EFE833DEA529}\stubpath = "C:\\Windows\\{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe"	{C82021E6-988A-440e-902E-8206D9ECC356}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A5BDCB1-D2B3-49c3-9918-758D175F7547}	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A5BDCB1-D2B3-49c3-9918-758D175F7547}\stubpath = "C:\\Windows\\{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe"	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6071BB9A-7DB8-4267-A6D8-0131EF75A570}	{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}	{3293E0D8-4590-4b43-B639-D1931C710781}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}\stubpath = "C:\\Windows\\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe"	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C82021E6-988A-440e-902E-8206D9ECC356}	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C82021E6-988A-440e-902E-8206D9ECC356}\stubpath = "C:\\Windows\\{C82021E6-988A-440e-902E-8206D9ECC356}.exe"	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F834E236-CF66-4149-8745-95C33DB6E010}	{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ED90B70A-573C-4e46-8582-7AFCBC42501A}	{F834E236-CF66-4149-8745-95C33DB6E010}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C767525F-D276-4282-B961-0E069DCD53E5}	{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe
2332	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
3004	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe
1656	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe
2876	{C82021E6-988A-440e-902E-8206D9ECC356}.exe
1560	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe
1948	{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe
2544	{F834E236-CF66-4149-8745-95C33DB6E010}.exe
2676	{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe
2556	{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe
2668	{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe
2720	{C767525F-D276-4282-B961-0E069DCD53E5}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
File created	C:\Windows\{C82021E6-988A-440e-902E-8206D9ECC356}.exe	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe
File created	C:\Windows\{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe	{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe
File created	C:\Windows\{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe	{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe
File created	C:\Windows\{C767525F-D276-4282-B961-0E069DCD53E5}.exe	{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe
File created	C:\Windows\{F834E236-CF66-4149-8745-95C33DB6E010}.exe	{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe
File created	C:\Windows\{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe	{F834E236-CF66-4149-8745-95C33DB6E010}.exe
File created	C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe	35fda886396cc8exeexeexeex.exe
File created	C:\Windows\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	{3293E0D8-4590-4b43-B639-D1931C710781}.exe
File created	C:\Windows\{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
File created	C:\Windows\{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe
File created	C:\Windows\{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe	{C82021E6-988A-440e-902E-8206D9ECC356}.exe
File created	C:\Windows\{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2156	35fda886396cc8exeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe
Token: SeIncBasePriorityPrivilege	2332	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
Token: SeIncBasePriorityPrivilege	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
Token: SeIncBasePriorityPrivilege	3004	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe
Token: SeIncBasePriorityPrivilege	1656	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe
Token: SeIncBasePriorityPrivilege	2876	{C82021E6-988A-440e-902E-8206D9ECC356}.exe
Token: SeIncBasePriorityPrivilege	1560	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe
Token: SeIncBasePriorityPrivilege	1948	{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe
Token: SeIncBasePriorityPrivilege	2544	{F834E236-CF66-4149-8745-95C33DB6E010}.exe
Token: SeIncBasePriorityPrivilege	2676	{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe
Token: SeIncBasePriorityPrivilege	2556	{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe
Token: SeIncBasePriorityPrivilege	2668	{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2156 wrote to memory of 2316	2156	35fda886396cc8exeexeexeex.exe	27
PID 2156 wrote to memory of 2316	2156	35fda886396cc8exeexeexeex.exe	27
PID 2156 wrote to memory of 2316	2156	35fda886396cc8exeexeexeex.exe	27
PID 2156 wrote to memory of 2316	2156	35fda886396cc8exeexeexeex.exe	27
PID 2156 wrote to memory of 2272	2156	35fda886396cc8exeexeexeex.exe	28
PID 2156 wrote to memory of 2272	2156	35fda886396cc8exeexeexeex.exe	28
PID 2156 wrote to memory of 2272	2156	35fda886396cc8exeexeexeex.exe	28
PID 2156 wrote to memory of 2272	2156	35fda886396cc8exeexeexeex.exe	28
PID 2316 wrote to memory of 2332	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	29
PID 2316 wrote to memory of 2332	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	29
PID 2316 wrote to memory of 2332	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	29
PID 2316 wrote to memory of 2332	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	29
PID 2316 wrote to memory of 3032	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	30
PID 2316 wrote to memory of 3032	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	30
PID 2316 wrote to memory of 3032	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	30
PID 2316 wrote to memory of 3032	2316	{3293E0D8-4590-4b43-B639-D1931C710781}.exe	30
PID 2332 wrote to memory of 992	2332	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	31
PID 2332 wrote to memory of 992	2332	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	31
PID 2332 wrote to memory of 992	2332	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	31
PID 2332 wrote to memory of 992	2332	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	31
PID 2332 wrote to memory of 2916	2332	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	32
PID 2332 wrote to memory of 2916	2332	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	32
PID 2332 wrote to memory of 2916	2332	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	32
PID 2332 wrote to memory of 2916	2332	{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe	32
PID 992 wrote to memory of 3004	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	33
PID 992 wrote to memory of 3004	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	33
PID 992 wrote to memory of 3004	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	33
PID 992 wrote to memory of 3004	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	33
PID 992 wrote to memory of 1988	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	34
PID 992 wrote to memory of 1988	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	34
PID 992 wrote to memory of 1988	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	34
PID 992 wrote to memory of 1988	992	{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe	34
PID 3004 wrote to memory of 1656	3004	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe	35
PID 3004 wrote to memory of 1656	3004	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe	35
PID 3004 wrote to memory of 1656	3004	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe	35
PID 3004 wrote to memory of 1656	3004	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe	35
PID 3004 wrote to memory of 2084	3004	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe	36
PID 3004 wrote to memory of 2084	3004	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe	36
PID 3004 wrote to memory of 2084	3004	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe	36
PID 3004 wrote to memory of 2084	3004	{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe	36
PID 1656 wrote to memory of 2876	1656	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe	37
PID 1656 wrote to memory of 2876	1656	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe	37
PID 1656 wrote to memory of 2876	1656	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe	37
PID 1656 wrote to memory of 2876	1656	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe	37
PID 1656 wrote to memory of 2076	1656	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe	38
PID 1656 wrote to memory of 2076	1656	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe	38
PID 1656 wrote to memory of 2076	1656	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe	38
PID 1656 wrote to memory of 2076	1656	{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe	38
PID 2876 wrote to memory of 1560	2876	{C82021E6-988A-440e-902E-8206D9ECC356}.exe	39
PID 2876 wrote to memory of 1560	2876	{C82021E6-988A-440e-902E-8206D9ECC356}.exe	39
PID 2876 wrote to memory of 1560	2876	{C82021E6-988A-440e-902E-8206D9ECC356}.exe	39
PID 2876 wrote to memory of 1560	2876	{C82021E6-988A-440e-902E-8206D9ECC356}.exe	39
PID 2876 wrote to memory of 1524	2876	{C82021E6-988A-440e-902E-8206D9ECC356}.exe	40
PID 2876 wrote to memory of 1524	2876	{C82021E6-988A-440e-902E-8206D9ECC356}.exe	40
PID 2876 wrote to memory of 1524	2876	{C82021E6-988A-440e-902E-8206D9ECC356}.exe	40
PID 2876 wrote to memory of 1524	2876	{C82021E6-988A-440e-902E-8206D9ECC356}.exe	40
PID 1560 wrote to memory of 1948	1560	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe	41
PID 1560 wrote to memory of 1948	1560	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe	41
PID 1560 wrote to memory of 1948	1560	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe	41
PID 1560 wrote to memory of 1948	1560	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe	41
PID 1560 wrote to memory of 2212	1560	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe	42
PID 1560 wrote to memory of 2212	1560	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe	42
PID 1560 wrote to memory of 2212	1560	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe	42
PID 1560 wrote to memory of 2212	1560	{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe	42

C:\Users\Admin\AppData\Local\Temp\35fda886396cc8exeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\35fda886396cc8exeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2156
- C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe
  C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
    C:\Windows\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
      C:\Windows\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:992
    - - C:\Windows\{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe
        
        C:\Windows\{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe
        
        C:\Windows\{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\{C82021E6-988A-440e-902E-8206D9ECC356}.exe
        
        C:\Windows\{C82021E6-988A-440e-902E-8206D9ECC356}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe
        
        C:\Windows\{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
        
        C:\Windows\{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe
        
        C:\Windows\{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\{F834E236-CF66-4149-8745-95C33DB6E010}.exe
        
        C:\Windows\{F834E236-CF66-4149-8745-95C33DB6E010}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe
        
        C:\Windows\{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe
        
        C:\Windows\{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe
        
        C:\Windows\{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2668
        
        C:\Windows\{C767525F-D276-4282-B961-0E069DCD53E5}.exe
        
        C:\Windows\{C767525F-D276-4282-B961-0E069DCD53E5}.exe
        14⤵
        Executes dropped EXE
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6071B~1.EXE > nul
        14⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4C5A~1.EXE > nul
        13⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED90B~1.EXE > nul
        12⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F834E~1.EXE > nul
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A5BD~1.EXE > nul
        10⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{326A4~1.EXE > nul
        9⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8202~1.EXE > nul
        8⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{472BC~1.EXE > nul
        7⤵
        
        PID:2076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4C81~1.EXE > nul
        6⤵
        
        PID:2084
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7CD2~1.EXE > nul
        5⤵
        
        PID:1988
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{06AE9~1.EXE > nul
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{3293E~1.EXE > nul
    3⤵
    PID:3032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\35FDA8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe

Filesize
216KB

MD5
66095f832d56523accba349a474d449a

SHA1
233653cb5005882422da0d6dab2c410317d8b728

SHA256
1c3706e37fd9c9fb8b051a820343c9647fb989e38d62c3b2b12849dfbe226e49

SHA512
ae22d62ed80c6e28691846a22a531c30cf83325b0cd6001173e12adcd42838f8a9359fcfcc4df78c96a98ad6cb1c4ca03b17b146bcc1a5778d69696c26844d0a

Download Submit
C:\Windows\{06AE900D-73C6-4cdc-8B7E-69993BC36A92}.exe

Filesize
216KB

MD5
66095f832d56523accba349a474d449a

SHA1
233653cb5005882422da0d6dab2c410317d8b728

SHA256
1c3706e37fd9c9fb8b051a820343c9647fb989e38d62c3b2b12849dfbe226e49

SHA512
ae22d62ed80c6e28691846a22a531c30cf83325b0cd6001173e12adcd42838f8a9359fcfcc4df78c96a98ad6cb1c4ca03b17b146bcc1a5778d69696c26844d0a

Download Submit
C:\Windows\{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe

Filesize
216KB

MD5
21d2553f6990c72b983f4cd10c1fb905

SHA1
1757e6d0a65b27a912a92a0276222e5612d4270a

SHA256
e18749aa965d1e69840c619a2bbf56885c415c1d17574b7179ffeaf3d523d898

SHA512
ebdaa2207b2eed6895538f9f451fc013a83e4664809c054d79a619e7d4ebfe15e71ae90223d35039e97b085e2b1ee10e77c8afced9b9acd8f4bea6d181d01d47

Download Submit
C:\Windows\{326A4350-3B3C-4dc8-BA39-EFE833DEA529}.exe

Filesize
216KB

MD5
21d2553f6990c72b983f4cd10c1fb905

SHA1
1757e6d0a65b27a912a92a0276222e5612d4270a

SHA256
e18749aa965d1e69840c619a2bbf56885c415c1d17574b7179ffeaf3d523d898

SHA512
ebdaa2207b2eed6895538f9f451fc013a83e4664809c054d79a619e7d4ebfe15e71ae90223d35039e97b085e2b1ee10e77c8afced9b9acd8f4bea6d181d01d47

Download Submit
C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe

Filesize
216KB

MD5
292d71f673bd1548001ddc4f3592cbc3

SHA1
fd88de84e60a4d92e7944d4e136e15aaa01e4613

SHA256
73607a72889f3742553aec13f5203207ca17e28c2a4883c6996ceb144f676b18

SHA512
11159b26450b63cad244adfeb730c440ec85a96f5607f687538ef597650676cce51edc4de7fda8ceb3cb7d8d8ba40eb7afcc9435e9af73f4fe5e389d9cf93072

Download Submit
C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe

Filesize
216KB

MD5
292d71f673bd1548001ddc4f3592cbc3

SHA1
fd88de84e60a4d92e7944d4e136e15aaa01e4613

SHA256
73607a72889f3742553aec13f5203207ca17e28c2a4883c6996ceb144f676b18

SHA512
11159b26450b63cad244adfeb730c440ec85a96f5607f687538ef597650676cce51edc4de7fda8ceb3cb7d8d8ba40eb7afcc9435e9af73f4fe5e389d9cf93072

Download Submit
C:\Windows\{3293E0D8-4590-4b43-B639-D1931C710781}.exe

Filesize
216KB

MD5
292d71f673bd1548001ddc4f3592cbc3

SHA1
fd88de84e60a4d92e7944d4e136e15aaa01e4613

SHA256
73607a72889f3742553aec13f5203207ca17e28c2a4883c6996ceb144f676b18

SHA512
11159b26450b63cad244adfeb730c440ec85a96f5607f687538ef597650676cce51edc4de7fda8ceb3cb7d8d8ba40eb7afcc9435e9af73f4fe5e389d9cf93072

Download Submit
C:\Windows\{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe

Filesize
216KB

MD5
02eb9f4153631bd1092337f329beccc2

SHA1
60cbea126a3ea7ee208ef92cfa3df5ef3e0b0717

SHA256
19fcef3ddeb2a9487970ba5cd9eb26c42c4b9acf8aad1817c6bd0faea66cab17

SHA512
5fb05d484e98e574942a93127c6266ad012efbd0c4bbaca11d3888091bfd8eb72c2840def015349ce13e545110585228eefec0990b8be02d28f4184803313ba6

Download Submit
C:\Windows\{472BC6F9-58C3-42ef-9651-2CAC8E09127C}.exe

Filesize
216KB

MD5
02eb9f4153631bd1092337f329beccc2

SHA1
60cbea126a3ea7ee208ef92cfa3df5ef3e0b0717

SHA256
19fcef3ddeb2a9487970ba5cd9eb26c42c4b9acf8aad1817c6bd0faea66cab17

SHA512
5fb05d484e98e574942a93127c6266ad012efbd0c4bbaca11d3888091bfd8eb72c2840def015349ce13e545110585228eefec0990b8be02d28f4184803313ba6

Download Submit
C:\Windows\{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe

Filesize
216KB

MD5
3ddab7b351061cb0a5e76c4a6f844aaa

SHA1
657d066f1b6c39c476a7a6fae0c61c20da3bd635

SHA256
c99a4cb8fd9a26f4e7eb3995691414b60186853c41ca4f55d71d00564374f124

SHA512
b59b25b4c23671184292a989581a4d810b1ba79aba06dbe6b80791195feb2b88b0b412093cdeeb02d4599113c29f7d111c59649d894137bfde92e2e0a7cdb474

Download Submit
C:\Windows\{6071BB9A-7DB8-4267-A6D8-0131EF75A570}.exe

Filesize
216KB

MD5
3ddab7b351061cb0a5e76c4a6f844aaa

SHA1
657d066f1b6c39c476a7a6fae0c61c20da3bd635

SHA256
c99a4cb8fd9a26f4e7eb3995691414b60186853c41ca4f55d71d00564374f124

SHA512
b59b25b4c23671184292a989581a4d810b1ba79aba06dbe6b80791195feb2b88b0b412093cdeeb02d4599113c29f7d111c59649d894137bfde92e2e0a7cdb474

Download Submit
C:\Windows\{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe

Filesize
216KB

MD5
78d65f1b58a9828cd483e3172dac4628

SHA1
d92e169b0b9a7fdde5b6de8d26a3e41847f3b33f

SHA256
aeede192d3d7588087af36b5c5d5920373c652f45de9641aa119a95d12db4265

SHA512
c5e6faa1ea7b527efe2c0a1913228539572bf8821f6d35b4c866f2488e298a0362023b6111ffdc3c33d5cbe7479a799fc1c30b0ecc9502b854135129953beb82

Download Submit
C:\Windows\{8A5BDCB1-D2B3-49c3-9918-758D175F7547}.exe

Filesize
216KB

MD5
78d65f1b58a9828cd483e3172dac4628

SHA1
d92e169b0b9a7fdde5b6de8d26a3e41847f3b33f

SHA256
aeede192d3d7588087af36b5c5d5920373c652f45de9641aa119a95d12db4265

SHA512
c5e6faa1ea7b527efe2c0a1913228539572bf8821f6d35b4c866f2488e298a0362023b6111ffdc3c33d5cbe7479a799fc1c30b0ecc9502b854135129953beb82

Download Submit
C:\Windows\{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe

Filesize
216KB

MD5
07397bbd0cb42b618c83bf4ed8c6fae4

SHA1
fac4b84326d0e7c5eeebc0bbfda34b8c302e3324

SHA256
8ccaa3d82cac9f3ade701dd483bedba80676a574c61fb89e87991d8d258d90e2

SHA512
ac58f0e4d25802e44244265db4f3512436b43e8cd7f3808ca786b8c7aeafd2eba1dc6417e3cf2d36eee9d4fabbd234e8c80fe96eaf473bf7e27fa93d28238d91

Download Submit
C:\Windows\{C4C5ABE2-9572-4688-A1BE-AC91A3671B17}.exe

Filesize
216KB

MD5
07397bbd0cb42b618c83bf4ed8c6fae4

SHA1
fac4b84326d0e7c5eeebc0bbfda34b8c302e3324

SHA256
8ccaa3d82cac9f3ade701dd483bedba80676a574c61fb89e87991d8d258d90e2

SHA512
ac58f0e4d25802e44244265db4f3512436b43e8cd7f3808ca786b8c7aeafd2eba1dc6417e3cf2d36eee9d4fabbd234e8c80fe96eaf473bf7e27fa93d28238d91

Download Submit
C:\Windows\{C767525F-D276-4282-B961-0E069DCD53E5}.exe

Filesize
216KB

MD5
2506a7ec5a0f83e30c7357b8377f519e

SHA1
695ab501429cba6984bec56fc9661bc11d15fba0

SHA256
c4cd868b6a50c6c27008a24454cb1b8da2f835df606f22ac87a3ea9726b87dba

SHA512
3154a23746e4ba8f6b516a685225da9190c0aa831db8bc38de94358f141d0d6fdccdd4303d6f724eaffb28e1e27728bffd3a283837021908313e68144a90a399

Download Submit
C:\Windows\{C82021E6-988A-440e-902E-8206D9ECC356}.exe

Filesize
216KB

MD5
cff0a7e991e54243c5cad6a39bec2083

SHA1
92ec8bb52ef31cdd9b5cf5186a896fedacfececd

SHA256
b3caae466cb8445868310bc0279d6c9eeceee0d5fc5e52480365b02709a3e3cc

SHA512
44301d3900433dd771e85fe08e13ef7ee9024dad89029a6cab925ca1844b660884a80ce5b1bb5cbcf43358b73f3afccf47c1be672cfda5ace8d442ee46af1529

Download Submit
C:\Windows\{C82021E6-988A-440e-902E-8206D9ECC356}.exe

Filesize
216KB

MD5
cff0a7e991e54243c5cad6a39bec2083

SHA1
92ec8bb52ef31cdd9b5cf5186a896fedacfececd

SHA256
b3caae466cb8445868310bc0279d6c9eeceee0d5fc5e52480365b02709a3e3cc

SHA512
44301d3900433dd771e85fe08e13ef7ee9024dad89029a6cab925ca1844b660884a80ce5b1bb5cbcf43358b73f3afccf47c1be672cfda5ace8d442ee46af1529

Download Submit
C:\Windows\{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe

Filesize
216KB

MD5
bbe6b42b5158747e0b5256b535252e9d

SHA1
2f0dfa4981a07e2e272aa56518c89a459f59638f

SHA256
03b6d3e4abb1d62eb25fbce2040e48b3b3cc657dd1949ea16819840446e9267d

SHA512
8ef3bff88137715d4ac2b37104ca42f5b2f5369d2a91b88d6327ad4948ef2e963794be6c8e2c74ac60b5dbbdf40e93a229a09164092a7b2c9d59f37e0652a3bc

Download Submit
C:\Windows\{D4C8127A-FF32-42b8-A415-1E319BE688BB}.exe

Filesize
216KB

MD5
bbe6b42b5158747e0b5256b535252e9d

SHA1
2f0dfa4981a07e2e272aa56518c89a459f59638f

SHA256
03b6d3e4abb1d62eb25fbce2040e48b3b3cc657dd1949ea16819840446e9267d

SHA512
8ef3bff88137715d4ac2b37104ca42f5b2f5369d2a91b88d6327ad4948ef2e963794be6c8e2c74ac60b5dbbdf40e93a229a09164092a7b2c9d59f37e0652a3bc

Download Submit
C:\Windows\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe

Filesize
216KB

MD5
9831ae496a3790d34390d663277433be

SHA1
5305fad1a37642789bf5a88466a181f1619741c5

SHA256
cb7025764508107344a60fcc4867b711a8e9db70c85f4b508ec937c0c751079f

SHA512
2bcae903cb201637ea3d502a05b9ec3782f03214bd844ef599e2177c37dab090b00c8cbcc5119711b5136dab7d08bf0a7e69e1e8f053fbda35904a098041747b

Download Submit
C:\Windows\{D7CD203C-9B60-44bf-92E6-6C9F74C75E91}.exe

Filesize
216KB

MD5
9831ae496a3790d34390d663277433be

SHA1
5305fad1a37642789bf5a88466a181f1619741c5

SHA256
cb7025764508107344a60fcc4867b711a8e9db70c85f4b508ec937c0c751079f

SHA512
2bcae903cb201637ea3d502a05b9ec3782f03214bd844ef599e2177c37dab090b00c8cbcc5119711b5136dab7d08bf0a7e69e1e8f053fbda35904a098041747b

Download Submit
C:\Windows\{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe

Filesize
216KB

MD5
ee36e12b4ee2655fe4ba4a30cd8cc66a

SHA1
ad023a21f2af1230f764c03d5a680891d59a8bfe

SHA256
40b8dab7945e325444afe9da562f1436a6d1ae6263e5e4f9b9ca9676d6905a8e

SHA512
0f84600179c090f52495360f4e4c41781fdb86a9ad66851fa48eaf277663317178a1abf9af8cc47fccd381c5a2f94084d8d145b276326d3a146e6a7c34d859b3

Download Submit
C:\Windows\{ED90B70A-573C-4e46-8582-7AFCBC42501A}.exe

Filesize
216KB

MD5
ee36e12b4ee2655fe4ba4a30cd8cc66a

SHA1
ad023a21f2af1230f764c03d5a680891d59a8bfe

SHA256
40b8dab7945e325444afe9da562f1436a6d1ae6263e5e4f9b9ca9676d6905a8e

SHA512
0f84600179c090f52495360f4e4c41781fdb86a9ad66851fa48eaf277663317178a1abf9af8cc47fccd381c5a2f94084d8d145b276326d3a146e6a7c34d859b3

Download Submit
C:\Windows\{F834E236-CF66-4149-8745-95C33DB6E010}.exe

Filesize
216KB

MD5
376cb592624115c730a4ac51857dc60e

SHA1
364d3283dfad81c623882badfb686bada9840653

SHA256
2d4682e099ffb9da498f231b45479c704afc86e65b8caa905abf0535ccaca7d1

SHA512
7cb1c59bb7ebf582fa9e63dd09b0532ecebaa043be0783b70cbbd9441f928b2e07e370605b04ebaae7a0aa9ed30307638a317f23a5ad4e43c8f6294f7967bea4

Download Submit
C:\Windows\{F834E236-CF66-4149-8745-95C33DB6E010}.exe

Filesize
216KB

MD5
376cb592624115c730a4ac51857dc60e

SHA1
364d3283dfad81c623882badfb686bada9840653

SHA256
2d4682e099ffb9da498f231b45479c704afc86e65b8caa905abf0535ccaca7d1

SHA512
7cb1c59bb7ebf582fa9e63dd09b0532ecebaa043be0783b70cbbd9441f928b2e07e370605b04ebaae7a0aa9ed30307638a317f23a5ad4e43c8f6294f7967bea4

Download Submit