ac81c7a566970289e37dbba88e8597c28260ea286a5aa9feafa399dfef34d30e

Analysis

max time kernel
145s
max time network
31s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3a9a902adcd3dexeexeexeex.exe
Size

204KB
MD5

d3a9a902adcd3d096157f83e088d838f
SHA1

b7b31b47ca7a112c3afdf4ebe65d3308b5260488
SHA256

ac81c7a566970289e37dbba88e8597c28260ea286a5aa9feafa399dfef34d30e
SHA512

24b68d5c26552cda8b637b8db807a68c8f983054810c46f5d948da389d41586c28a1d54bb81bdacafdb91e55bd014a8565222a619789e98992257d4f2a91fcb0
SSDEEP

1536:1EGh0ovl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ovl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27762754-C57A-4ba1-B68A-82510E19063D}\stubpath = "C:\\Windows\\{27762754-C57A-4ba1-B68A-82510E19063D}.exe"	{568EED0F-4725-4959-AE4B-E65D36893394}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3539728-5278-4aaa-BFF8-B3497E6B103A}\stubpath = "C:\\Windows\\{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe"	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{493BB4D5-4A80-472d-9592-A1BB22F3324F}	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A904804C-1D67-4b48-8FCA-EAD6497064D4}	{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{568EED0F-4725-4959-AE4B-E65D36893394}	d3a9a902adcd3dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27762754-C57A-4ba1-B68A-82510E19063D}	{568EED0F-4725-4959-AE4B-E65D36893394}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}	{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A904804C-1D67-4b48-8FCA-EAD6497064D4}\stubpath = "C:\\Windows\\{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe"	{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7340757B-2008-467e-B33F-DBB4C1C8980C}	{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7340757B-2008-467e-B33F-DBB4C1C8980C}\stubpath = "C:\\Windows\\{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe"	{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BFAF328-7924-4365-A71A-C978E9F7F1A8}\stubpath = "C:\\Windows\\{2BFAF328-7924-4365-A71A-C978E9F7F1A8}.exe"	{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3539728-5278-4aaa-BFF8-B3497E6B103A}	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70569064-E2B9-4939-90A6-C1802B7191D3}	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E109B202-FDB9-4fb5-B685-9F6FE6142244}\stubpath = "C:\\Windows\\{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe"	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{493BB4D5-4A80-472d-9592-A1BB22F3324F}\stubpath = "C:\\Windows\\{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe"	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9106FE16-D7F6-437f-9133-9B631E00D7DF}	{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9106FE16-D7F6-437f-9133-9B631E00D7DF}\stubpath = "C:\\Windows\\{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe"	{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{70569064-E2B9-4939-90A6-C1802B7191D3}\stubpath = "C:\\Windows\\{70569064-E2B9-4939-90A6-C1802B7191D3}.exe"	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E109B202-FDB9-4fb5-B685-9F6FE6142244}	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C07DEFD3-D45B-4627-8789-7639ECFB1262}\stubpath = "C:\\Windows\\{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe"	{27762754-C57A-4ba1-B68A-82510E19063D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}\stubpath = "C:\\Windows\\{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe"	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}\stubpath = "C:\\Windows\\{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe"	{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2BFAF328-7924-4365-A71A-C978E9F7F1A8}	{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{568EED0F-4725-4959-AE4B-E65D36893394}\stubpath = "C:\\Windows\\{568EED0F-4725-4959-AE4B-E65D36893394}.exe"	d3a9a902adcd3dexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C07DEFD3-D45B-4627-8789-7639ECFB1262}	{27762754-C57A-4ba1-B68A-82510E19063D}.exe

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2060	{568EED0F-4725-4959-AE4B-E65D36893394}.exe
2148	{27762754-C57A-4ba1-B68A-82510E19063D}.exe
2972	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe
2312	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe
908	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe
616	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe
976	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe
2124	{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe
2160	{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe
2704	{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe
2916	{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe
2568	{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe
2476	{2BFAF328-7924-4365-A71A-C978E9F7F1A8}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe
File created	C:\Windows\{70569064-E2B9-4939-90A6-C1802B7191D3}.exe	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe
File created	C:\Windows\{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe	{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe
File created	C:\Windows\{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe	{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe
File created	C:\Windows\{27762754-C57A-4ba1-B68A-82510E19063D}.exe	{568EED0F-4725-4959-AE4B-E65D36893394}.exe
File created	C:\Windows\{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe	{27762754-C57A-4ba1-B68A-82510E19063D}.exe
File created	C:\Windows\{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe
File created	C:\Windows\{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe
File created	C:\Windows\{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe
File created	C:\Windows\{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe	{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe
File created	C:\Windows\{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe	{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe
File created	C:\Windows\{2BFAF328-7924-4365-A71A-C978E9F7F1A8}.exe	{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe
File created	C:\Windows\{568EED0F-4725-4959-AE4B-E65D36893394}.exe	d3a9a902adcd3dexeexeexeex.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2364	d3a9a902adcd3dexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2060	{568EED0F-4725-4959-AE4B-E65D36893394}.exe
Token: SeIncBasePriorityPrivilege	2148	{27762754-C57A-4ba1-B68A-82510E19063D}.exe
Token: SeIncBasePriorityPrivilege	2972	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe
Token: SeIncBasePriorityPrivilege	2312	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe
Token: SeIncBasePriorityPrivilege	908	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe
Token: SeIncBasePriorityPrivilege	616	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe
Token: SeIncBasePriorityPrivilege	976	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe
Token: SeIncBasePriorityPrivilege	2124	{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe
Token: SeIncBasePriorityPrivilege	2160	{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe
Token: SeIncBasePriorityPrivilege	2704	{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe
Token: SeIncBasePriorityPrivilege	2916	{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe
Token: SeIncBasePriorityPrivilege	2568	{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2060	2364	d3a9a902adcd3dexeexeexeex.exe	29
PID 2364 wrote to memory of 2060	2364	d3a9a902adcd3dexeexeexeex.exe	29
PID 2364 wrote to memory of 2060	2364	d3a9a902adcd3dexeexeexeex.exe	29
PID 2364 wrote to memory of 2060	2364	d3a9a902adcd3dexeexeexeex.exe	29
PID 2364 wrote to memory of 2052	2364	d3a9a902adcd3dexeexeexeex.exe	30
PID 2364 wrote to memory of 2052	2364	d3a9a902adcd3dexeexeexeex.exe	30
PID 2364 wrote to memory of 2052	2364	d3a9a902adcd3dexeexeexeex.exe	30
PID 2364 wrote to memory of 2052	2364	d3a9a902adcd3dexeexeexeex.exe	30
PID 2060 wrote to memory of 2148	2060	{568EED0F-4725-4959-AE4B-E65D36893394}.exe	31
PID 2060 wrote to memory of 2148	2060	{568EED0F-4725-4959-AE4B-E65D36893394}.exe	31
PID 2060 wrote to memory of 2148	2060	{568EED0F-4725-4959-AE4B-E65D36893394}.exe	31
PID 2060 wrote to memory of 2148	2060	{568EED0F-4725-4959-AE4B-E65D36893394}.exe	31
PID 2060 wrote to memory of 2344	2060	{568EED0F-4725-4959-AE4B-E65D36893394}.exe	32
PID 2060 wrote to memory of 2344	2060	{568EED0F-4725-4959-AE4B-E65D36893394}.exe	32
PID 2060 wrote to memory of 2344	2060	{568EED0F-4725-4959-AE4B-E65D36893394}.exe	32
PID 2060 wrote to memory of 2344	2060	{568EED0F-4725-4959-AE4B-E65D36893394}.exe	32
PID 2148 wrote to memory of 2972	2148	{27762754-C57A-4ba1-B68A-82510E19063D}.exe	33
PID 2148 wrote to memory of 2972	2148	{27762754-C57A-4ba1-B68A-82510E19063D}.exe	33
PID 2148 wrote to memory of 2972	2148	{27762754-C57A-4ba1-B68A-82510E19063D}.exe	33
PID 2148 wrote to memory of 2972	2148	{27762754-C57A-4ba1-B68A-82510E19063D}.exe	33
PID 2148 wrote to memory of 3036	2148	{27762754-C57A-4ba1-B68A-82510E19063D}.exe	34
PID 2148 wrote to memory of 3036	2148	{27762754-C57A-4ba1-B68A-82510E19063D}.exe	34
PID 2148 wrote to memory of 3036	2148	{27762754-C57A-4ba1-B68A-82510E19063D}.exe	34
PID 2148 wrote to memory of 3036	2148	{27762754-C57A-4ba1-B68A-82510E19063D}.exe	34
PID 2972 wrote to memory of 2312	2972	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe	35
PID 2972 wrote to memory of 2312	2972	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe	35
PID 2972 wrote to memory of 2312	2972	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe	35
PID 2972 wrote to memory of 2312	2972	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe	35
PID 2972 wrote to memory of 1068	2972	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe	36
PID 2972 wrote to memory of 1068	2972	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe	36
PID 2972 wrote to memory of 1068	2972	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe	36
PID 2972 wrote to memory of 1068	2972	{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe	36
PID 2312 wrote to memory of 908	2312	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe	37
PID 2312 wrote to memory of 908	2312	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe	37
PID 2312 wrote to memory of 908	2312	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe	37
PID 2312 wrote to memory of 908	2312	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe	37
PID 2312 wrote to memory of 580	2312	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe	38
PID 2312 wrote to memory of 580	2312	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe	38
PID 2312 wrote to memory of 580	2312	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe	38
PID 2312 wrote to memory of 580	2312	{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe	38
PID 908 wrote to memory of 616	908	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe	39
PID 908 wrote to memory of 616	908	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe	39
PID 908 wrote to memory of 616	908	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe	39
PID 908 wrote to memory of 616	908	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe	39
PID 908 wrote to memory of 876	908	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe	40
PID 908 wrote to memory of 876	908	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe	40
PID 908 wrote to memory of 876	908	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe	40
PID 908 wrote to memory of 876	908	{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe	40
PID 616 wrote to memory of 976	616	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe	41
PID 616 wrote to memory of 976	616	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe	41
PID 616 wrote to memory of 976	616	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe	41
PID 616 wrote to memory of 976	616	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe	41
PID 616 wrote to memory of 360	616	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe	42
PID 616 wrote to memory of 360	616	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe	42
PID 616 wrote to memory of 360	616	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe	42
PID 616 wrote to memory of 360	616	{70569064-E2B9-4939-90A6-C1802B7191D3}.exe	42
PID 976 wrote to memory of 2124	976	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe	43
PID 976 wrote to memory of 2124	976	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe	43
PID 976 wrote to memory of 2124	976	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe	43
PID 976 wrote to memory of 2124	976	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe	43
PID 976 wrote to memory of 2220	976	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe	44
PID 976 wrote to memory of 2220	976	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe	44
PID 976 wrote to memory of 2220	976	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe	44
PID 976 wrote to memory of 2220	976	{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe	44

C:\Users\Admin\AppData\Local\Temp\d3a9a902adcd3dexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\d3a9a902adcd3dexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\{568EED0F-4725-4959-AE4B-E65D36893394}.exe
  C:\Windows\{568EED0F-4725-4959-AE4B-E65D36893394}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\{27762754-C57A-4ba1-B68A-82510E19063D}.exe
    C:\Windows\{27762754-C57A-4ba1-B68A-82510E19063D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2148
  - - C:\Windows\{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe
      C:\Windows\{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2972
    - - C:\Windows\{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe
        
        C:\Windows\{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe
        
        C:\Windows\{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\{70569064-E2B9-4939-90A6-C1802B7191D3}.exe
        
        C:\Windows\{70569064-E2B9-4939-90A6-C1802B7191D3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:616
        
        C:\Windows\{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe
        
        C:\Windows\{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
        
        C:\Windows\{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe
        
        C:\Windows\{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe
        
        C:\Windows\{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe
        
        C:\Windows\{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBAC0~1.EXE > nul
        12⤵
        
        PID:2460
        
        C:\Windows\{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe
        
        C:\Windows\{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9048~1.EXE > nul
        13⤵
        
        PID:2552
        
        C:\Windows\{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe
        
        C:\Windows\{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73407~1.EXE > nul
        14⤵
        
        PID:2616
        
        C:\Windows\{2BFAF328-7924-4365-A71A-C978E9F7F1A8}.exe
        
        C:\Windows\{2BFAF328-7924-4365-A71A-C978E9F7F1A8}.exe
        14⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9106F~1.EXE > nul
        11⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{493BB~1.EXE > nul
        10⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E109B~1.EXE > nul
        9⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70569~1.EXE > nul
        8⤵
        
        PID:360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD290~1.EXE > nul
        7⤵
        
        PID:876
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3539~1.EXE > nul
        6⤵
        
        PID:580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C07DE~1.EXE > nul
        5⤵
        
        PID:1068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{27762~1.EXE > nul
      4⤵
      PID:3036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{568EE~1.EXE > nul
    3⤵
    PID:2344
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D3A9A9~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2052

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{27762754-C57A-4ba1-B68A-82510E19063D}.exe

Filesize
204KB

MD5
5c30af2428fe3ee31d7f271e17885059

SHA1
333d530fd30a39ad2dd9d6f68c9fcc38ab60cdff

SHA256
c3a8265df10c2e545e408e66f6505d808ee44291b0b441eaa7f2a5680c7e7757

SHA512
f6244519196e1411dc9628313cbd22ed80d6f400f52f3f1b21f4764961de66081f7783bc315102d1ef81a58b2f856cbbf6a0ddadeb963ef490818f253564f0a2

Download Submit
C:\Windows\{27762754-C57A-4ba1-B68A-82510E19063D}.exe

Filesize
204KB

MD5
5c30af2428fe3ee31d7f271e17885059

SHA1
333d530fd30a39ad2dd9d6f68c9fcc38ab60cdff

SHA256
c3a8265df10c2e545e408e66f6505d808ee44291b0b441eaa7f2a5680c7e7757

SHA512
f6244519196e1411dc9628313cbd22ed80d6f400f52f3f1b21f4764961de66081f7783bc315102d1ef81a58b2f856cbbf6a0ddadeb963ef490818f253564f0a2

Download Submit
C:\Windows\{2BFAF328-7924-4365-A71A-C978E9F7F1A8}.exe

Filesize
204KB

MD5
e8a755fb84faa55432a39f0358e73bab

SHA1
237da22031b16059d14e6caa98dc2fd1d80c3811

SHA256
11eded14357f12630b1e62d23ebf77648bd7519f3cb76d8684b6573b89792fc3

SHA512
3caba923657d1f0436908bada8d8b192fe09344eac3355757b68c57225b18219c9391f911e6ce7ae8d1b37666e9b5e0fc64e9865c49d49bfbd605cb083b816e2

Download Submit
C:\Windows\{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe

Filesize
204KB

MD5
cf0e813d410e34ffd614b61497f4840a

SHA1
6991181e526ebe2c81aac2203d027d16c00030f1

SHA256
f1e412e84beb36cbb0256082abfc7b45c342b3a36c4d2431680dd7445d8a0e75

SHA512
8eac53f66a9723e7daebaa60f6b11884b84ff8a401f6787619fe1e3bc3fac7de37db1ca5eefa97b17ee3ab2a66e432c832def8bbc7c61be7e84aaca829a1824b

Download Submit
C:\Windows\{493BB4D5-4A80-472d-9592-A1BB22F3324F}.exe

Filesize
204KB

MD5
cf0e813d410e34ffd614b61497f4840a

SHA1
6991181e526ebe2c81aac2203d027d16c00030f1

SHA256
f1e412e84beb36cbb0256082abfc7b45c342b3a36c4d2431680dd7445d8a0e75

SHA512
8eac53f66a9723e7daebaa60f6b11884b84ff8a401f6787619fe1e3bc3fac7de37db1ca5eefa97b17ee3ab2a66e432c832def8bbc7c61be7e84aaca829a1824b

Download Submit
C:\Windows\{568EED0F-4725-4959-AE4B-E65D36893394}.exe

Filesize
204KB

MD5
b7232a46823dd2152520750d335241ab

SHA1
7346d3aa4570479f60ae8d5762575670cc4bd613

SHA256
0f33fa71ae264cc0c1e41987eb03f7e3056d7fc53411aa66988909eca707ae31

SHA512
8fa958526cf645fbfda0a3f161ed702d6fbdcec902f5b7efe4937ebf7211260ebd001a4bdf65098f682314036c2fa924550e9d17e43c883eecbc968daa40f92f

Download Submit
C:\Windows\{568EED0F-4725-4959-AE4B-E65D36893394}.exe

Filesize
204KB

MD5
b7232a46823dd2152520750d335241ab

SHA1
7346d3aa4570479f60ae8d5762575670cc4bd613

SHA256
0f33fa71ae264cc0c1e41987eb03f7e3056d7fc53411aa66988909eca707ae31

SHA512
8fa958526cf645fbfda0a3f161ed702d6fbdcec902f5b7efe4937ebf7211260ebd001a4bdf65098f682314036c2fa924550e9d17e43c883eecbc968daa40f92f

Download Submit
C:\Windows\{568EED0F-4725-4959-AE4B-E65D36893394}.exe

Filesize
204KB

MD5
b7232a46823dd2152520750d335241ab

SHA1
7346d3aa4570479f60ae8d5762575670cc4bd613

SHA256
0f33fa71ae264cc0c1e41987eb03f7e3056d7fc53411aa66988909eca707ae31

SHA512
8fa958526cf645fbfda0a3f161ed702d6fbdcec902f5b7efe4937ebf7211260ebd001a4bdf65098f682314036c2fa924550e9d17e43c883eecbc968daa40f92f

Download Submit
C:\Windows\{70569064-E2B9-4939-90A6-C1802B7191D3}.exe

Filesize
204KB

MD5
8ac3e83ecf0ebe8202f599ae6f43f228

SHA1
46cf9abb686daf6d82ab3f403940dda4fdf2596e

SHA256
9082c64f06b632830b1d5c7508ee562e077759ba29aedd5bccbc2fb8dffb8e20

SHA512
c83c44710e970edfbfc209d7af76ba161b39fa1e1a551cf5d6ceeb0e56088064e099a765b13a89fcca9678f4bb7e1acdc46ee3720b67f705741c7b0a721275e1

Download Submit
C:\Windows\{70569064-E2B9-4939-90A6-C1802B7191D3}.exe

Filesize
204KB

MD5
8ac3e83ecf0ebe8202f599ae6f43f228

SHA1
46cf9abb686daf6d82ab3f403940dda4fdf2596e

SHA256
9082c64f06b632830b1d5c7508ee562e077759ba29aedd5bccbc2fb8dffb8e20

SHA512
c83c44710e970edfbfc209d7af76ba161b39fa1e1a551cf5d6ceeb0e56088064e099a765b13a89fcca9678f4bb7e1acdc46ee3720b67f705741c7b0a721275e1

Download Submit
C:\Windows\{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe

Filesize
204KB

MD5
8146fa7037c059f47c85f773a1e261d2

SHA1
aff9ef38d4de712c00101ad1adb3c21306ecd875

SHA256
210859809fd0fb828af2107a34bbfcf367d0da2f97a25201c05c9e80f367c1af

SHA512
765794a8ea0db883f778c96c5b76b0f70bfcc303a23f94a699551c89cda93e89e66854c0adde74e8128bff68a3f04bcc49c6769caf120db91f9746f8acdbf2ba

Download Submit
C:\Windows\{7340757B-2008-467e-B33F-DBB4C1C8980C}.exe

Filesize
204KB

MD5
8146fa7037c059f47c85f773a1e261d2

SHA1
aff9ef38d4de712c00101ad1adb3c21306ecd875

SHA256
210859809fd0fb828af2107a34bbfcf367d0da2f97a25201c05c9e80f367c1af

SHA512
765794a8ea0db883f778c96c5b76b0f70bfcc303a23f94a699551c89cda93e89e66854c0adde74e8128bff68a3f04bcc49c6769caf120db91f9746f8acdbf2ba

Download Submit
C:\Windows\{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe

Filesize
204KB

MD5
5b05085f3cad705fd2267224aad14411

SHA1
9aceed7542622cf30e2f2f6bb6b13068e17a800a

SHA256
b2c1b69deb194daf21c1b2364201a9dbf6a4e492475b5f2394ff277eafe8d785

SHA512
ec69214f8c257ccaa1a68c5ced915829d8a49630d7c870120e17a67cb826f21a52c2504bbb0db2b0937c4b65c7f6d1897752b1b41cd5e506e9b11c45641cbdf4

Download Submit
C:\Windows\{9106FE16-D7F6-437f-9133-9B631E00D7DF}.exe

Filesize
204KB

MD5
5b05085f3cad705fd2267224aad14411

SHA1
9aceed7542622cf30e2f2f6bb6b13068e17a800a

SHA256
b2c1b69deb194daf21c1b2364201a9dbf6a4e492475b5f2394ff277eafe8d785

SHA512
ec69214f8c257ccaa1a68c5ced915829d8a49630d7c870120e17a67cb826f21a52c2504bbb0db2b0937c4b65c7f6d1897752b1b41cd5e506e9b11c45641cbdf4

Download Submit
C:\Windows\{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe

Filesize
204KB

MD5
c5a06895febae27694aae944fc016940

SHA1
39f541ac0ecf544c8cee987bdf8810837e342637

SHA256
e907c68b1ecec036d485ee6e4d6d56ab25d525459b3e1f96ea66cc0d0c58b95d

SHA512
72df83d2f82083272f534f6080262e852373290c96bbb61a7940498263d619dc8ac345fb095bc9003c7c93ea3b743a2d6438aa116c43340f187c743b7ff616e7

Download Submit
C:\Windows\{A904804C-1D67-4b48-8FCA-EAD6497064D4}.exe

Filesize
204KB

MD5
c5a06895febae27694aae944fc016940

SHA1
39f541ac0ecf544c8cee987bdf8810837e342637

SHA256
e907c68b1ecec036d485ee6e4d6d56ab25d525459b3e1f96ea66cc0d0c58b95d

SHA512
72df83d2f82083272f534f6080262e852373290c96bbb61a7940498263d619dc8ac345fb095bc9003c7c93ea3b743a2d6438aa116c43340f187c743b7ff616e7

Download Submit
C:\Windows\{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe

Filesize
204KB

MD5
b89a15a24dcd1bbd0d575912d6cd5b5a

SHA1
549a5c9e22372625803d872ac8806301a50f3b03

SHA256
8f28b52baae9c84ff645bc6ffcd3d67f141f6900d0ca9907d61403471cfb329f

SHA512
9c956f55931fe078a35641b5519720aa8071c3a69ceca6bd9afb0b1dfa299bd4e8067676d5db3379c7168f7510e47e564fca834587c8d83508b29417e7871ac6

Download Submit
C:\Windows\{AD290EDA-2B40-4e49-AA2F-D279A94C35FB}.exe

Filesize
204KB

MD5
b89a15a24dcd1bbd0d575912d6cd5b5a

SHA1
549a5c9e22372625803d872ac8806301a50f3b03

SHA256
8f28b52baae9c84ff645bc6ffcd3d67f141f6900d0ca9907d61403471cfb329f

SHA512
9c956f55931fe078a35641b5519720aa8071c3a69ceca6bd9afb0b1dfa299bd4e8067676d5db3379c7168f7510e47e564fca834587c8d83508b29417e7871ac6

Download Submit
C:\Windows\{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe

Filesize
204KB

MD5
c5a11efb01d438281ca766728e5dc2ad

SHA1
e4e09983cfdbb2bbe60269f5cf4d19871c3e14b5

SHA256
eb89507ec47a01968b6e83baa7c6558e7726c45a1b6666af860026e46f2a58c1

SHA512
039390782417c540f41b98ab804f474baf4e57ca738a7ebf01d8fd3c5413c5e7c92e8ebe0866114e9b8460567196cc36f1a44abe71d7c005b2375c291809061e

Download Submit
C:\Windows\{B3539728-5278-4aaa-BFF8-B3497E6B103A}.exe

Filesize
204KB

MD5
c5a11efb01d438281ca766728e5dc2ad

SHA1
e4e09983cfdbb2bbe60269f5cf4d19871c3e14b5

SHA256
eb89507ec47a01968b6e83baa7c6558e7726c45a1b6666af860026e46f2a58c1

SHA512
039390782417c540f41b98ab804f474baf4e57ca738a7ebf01d8fd3c5413c5e7c92e8ebe0866114e9b8460567196cc36f1a44abe71d7c005b2375c291809061e

Download Submit
C:\Windows\{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe

Filesize
204KB

MD5
e649bfbe0acd26dee6f56800c6e3d91e

SHA1
27036521c1dd9ece2a0940c9a1850814d07e374f

SHA256
b0238d0f85b393c06f4b43477374da98286ead06fb73517c6dd54ee69db357c7

SHA512
454b13ef186f81e05d9b9f2c345313a849e712a17b77febf77814234fcdee57c43173105ecb962233d15cfb439fff3f9d18f7f397bc3e567061ed53448ec16c7

Download Submit
C:\Windows\{C07DEFD3-D45B-4627-8789-7639ECFB1262}.exe

Filesize
204KB

MD5
e649bfbe0acd26dee6f56800c6e3d91e

SHA1
27036521c1dd9ece2a0940c9a1850814d07e374f

SHA256
b0238d0f85b393c06f4b43477374da98286ead06fb73517c6dd54ee69db357c7

SHA512
454b13ef186f81e05d9b9f2c345313a849e712a17b77febf77814234fcdee57c43173105ecb962233d15cfb439fff3f9d18f7f397bc3e567061ed53448ec16c7

Download Submit
C:\Windows\{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe

Filesize
204KB

MD5
5ab0c99a33cbf9c4ee68a6b602954482

SHA1
3d7ed16d2a5f8f8146eb42afe9888473f2837682

SHA256
80aed13e15a8fd2a7b6a4467ca9596c30b0dc310bf0797a742b84927e867e4db

SHA512
7fadd0260d2acce79b179d1b04828b777b1ffc8d70a6a1ea26db61b796fe8adef341f055424d535fef78002b54757f47cb89b952b3874415b0933dbe7e684011

Download Submit
C:\Windows\{CBAC0AD0-9A53-428a-8234-B5370F25C0E1}.exe

Filesize
204KB

MD5
5ab0c99a33cbf9c4ee68a6b602954482

SHA1
3d7ed16d2a5f8f8146eb42afe9888473f2837682

SHA256
80aed13e15a8fd2a7b6a4467ca9596c30b0dc310bf0797a742b84927e867e4db

SHA512
7fadd0260d2acce79b179d1b04828b777b1ffc8d70a6a1ea26db61b796fe8adef341f055424d535fef78002b54757f47cb89b952b3874415b0933dbe7e684011

Download Submit
C:\Windows\{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe

Filesize
204KB

MD5
c0e56569894d68efee5e4a28ac6e9c86

SHA1
106a469fd60ff8260c4cf7698a8c0e4b12a93dd4

SHA256
0542ade57d672fee149b54c37b17f24ab910bf28bdff6e21b5fd5966971e9fe1

SHA512
54c4a14b34f4c464c28864c654651153dcd60783cdb0e2e54414dea08210f6f5a0a1313b8ce7de6251fbf623b9bd18030c1c8d60feb83406e7d8f5308c51b304

Download Submit
C:\Windows\{E109B202-FDB9-4fb5-B685-9F6FE6142244}.exe

Filesize
204KB

MD5
c0e56569894d68efee5e4a28ac6e9c86

SHA1
106a469fd60ff8260c4cf7698a8c0e4b12a93dd4

SHA256
0542ade57d672fee149b54c37b17f24ab910bf28bdff6e21b5fd5966971e9fe1

SHA512
54c4a14b34f4c464c28864c654651153dcd60783cdb0e2e54414dea08210f6f5a0a1313b8ce7de6251fbf623b9bd18030c1c8d60feb83406e7d8f5308c51b304

Download Submit