94dc52f922371dab02ca88d1c218582a6316bfece2d734a5c07b16b8db4a160f

Analysis

max time kernel
147s
max time network
76s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8ca1d4bf2211ccexeexeexeex.exe
Size

168KB
MD5

8ca1d4bf2211ccc99ea26dbb1400e942
SHA1

e014845276894a438697c89b14f87e30afa2d73d
SHA256

94dc52f922371dab02ca88d1c218582a6316bfece2d734a5c07b16b8db4a160f
SHA512

e651f1656c902168d932e57bd2a12b45a81b11704dfc849582e23e2f94727332547ae67e03047a6a729c0041793a2390bcd0de6213d3a8f4bc330ae84ff6191a
SSDEEP

1536:1EGh0ozlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}\stubpath = "C:\\Windows\\{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe"	{D0028059-4161-4c05-9365-1D887A0939A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55B79803-2C00-4fb1-9F9B-80511CCB187C}	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8754F396-F10B-4986-AB94-8DDECB077792}	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8754F396-F10B-4986-AB94-8DDECB077792}\stubpath = "C:\\Windows\\{8754F396-F10B-4986-AB94-8DDECB077792}.exe"	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}	{8754F396-F10B-4986-AB94-8DDECB077792}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F616F64-844F-431a-B17F-55FAD79CF7F6}	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0028059-4161-4c05-9365-1D887A0939A8}\stubpath = "C:\\Windows\\{D0028059-4161-4c05-9365-1D887A0939A8}.exe"	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55B79803-2C00-4fb1-9F9B-80511CCB187C}\stubpath = "C:\\Windows\\{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe"	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F9DECE1-798A-49b9-8848-F0056300B8A9}	{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A62BC1C6-0859-47e0-8D12-C2618177161D}	8ca1d4bf2211ccexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09FF4F54-9EB5-4e8e-94B0-D9F2FE4A84C9}\stubpath = "C:\\Windows\\{09FF4F54-9EB5-4e8e-94B0-D9F2FE4A84C9}.exe"	{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{173F279B-AEEA-4636-B17C-CE9051C960AE}\stubpath = "C:\\Windows\\{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe"	{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92251D31-E9D9-475d-802A-03F8E16A45F7}	{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09FF4F54-9EB5-4e8e-94B0-D9F2FE4A84C9}	{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F9DECE1-798A-49b9-8848-F0056300B8A9}\stubpath = "C:\\Windows\\{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe"	{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}\stubpath = "C:\\Windows\\{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe"	{8754F396-F10B-4986-AB94-8DDECB077792}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6F616F64-844F-431a-B17F-55FAD79CF7F6}\stubpath = "C:\\Windows\\{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe"	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}\stubpath = "C:\\Windows\\{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe"	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D0028059-4161-4c05-9365-1D887A0939A8}	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}	{D0028059-4161-4c05-9365-1D887A0939A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{173F279B-AEEA-4636-B17C-CE9051C960AE}	{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92251D31-E9D9-475d-802A-03F8E16A45F7}\stubpath = "C:\\Windows\\{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe"	{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A62BC1C6-0859-47e0-8D12-C2618177161D}\stubpath = "C:\\Windows\\{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe"	8ca1d4bf2211ccexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A29DA351-FD16-444d-9222-4CB91E7DAD4E}\stubpath = "C:\\Windows\\{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe"	{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A29DA351-FD16-444d-9222-4CB91E7DAD4E}	{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2224	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe
3024	{8754F396-F10B-4986-AB94-8DDECB077792}.exe
2108	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe
1880	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe
2292	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe
1036	{D0028059-4161-4c05-9365-1D887A0939A8}.exe
1596	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe
2312	{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe
2584	{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe
2588	{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe
2596	{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe
2456	{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe
2488	{09FF4F54-9EB5-4e8e-94B0-D9F2FE4A84C9}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe	{D0028059-4161-4c05-9365-1D887A0939A8}.exe
File created	C:\Windows\{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe
File created	C:\Windows\{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe	{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe
File created	C:\Windows\{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe	8ca1d4bf2211ccexeexeexeex.exe
File created	C:\Windows\{8754F396-F10B-4986-AB94-8DDECB077792}.exe	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe
File created	C:\Windows\{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe
File created	C:\Windows\{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe	{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe
File created	C:\Windows\{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe	{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe
File created	C:\Windows\{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe	{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe
File created	C:\Windows\{09FF4F54-9EB5-4e8e-94B0-D9F2FE4A84C9}.exe	{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe
File created	C:\Windows\{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe	{8754F396-F10B-4986-AB94-8DDECB077792}.exe
File created	C:\Windows\{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe
File created	C:\Windows\{D0028059-4161-4c05-9365-1D887A0939A8}.exe	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2136	8ca1d4bf2211ccexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2224	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe
Token: SeIncBasePriorityPrivilege	3024	{8754F396-F10B-4986-AB94-8DDECB077792}.exe
Token: SeIncBasePriorityPrivilege	2108	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe
Token: SeIncBasePriorityPrivilege	1880	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe
Token: SeIncBasePriorityPrivilege	2292	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe
Token: SeIncBasePriorityPrivilege	1036	{D0028059-4161-4c05-9365-1D887A0939A8}.exe
Token: SeIncBasePriorityPrivilege	1596	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe
Token: SeIncBasePriorityPrivilege	2312	{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe
Token: SeIncBasePriorityPrivilege	2584	{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe
Token: SeIncBasePriorityPrivilege	2588	{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe
Token: SeIncBasePriorityPrivilege	2596	{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe
Token: SeIncBasePriorityPrivilege	2456	{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2224	2136	8ca1d4bf2211ccexeexeexeex.exe	29
PID 2136 wrote to memory of 2224	2136	8ca1d4bf2211ccexeexeexeex.exe	29
PID 2136 wrote to memory of 2224	2136	8ca1d4bf2211ccexeexeexeex.exe	29
PID 2136 wrote to memory of 2224	2136	8ca1d4bf2211ccexeexeexeex.exe	29
PID 2136 wrote to memory of 2996	2136	8ca1d4bf2211ccexeexeexeex.exe	30
PID 2136 wrote to memory of 2996	2136	8ca1d4bf2211ccexeexeexeex.exe	30
PID 2136 wrote to memory of 2996	2136	8ca1d4bf2211ccexeexeexeex.exe	30
PID 2136 wrote to memory of 2996	2136	8ca1d4bf2211ccexeexeexeex.exe	30
PID 2224 wrote to memory of 3024	2224	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe	31
PID 2224 wrote to memory of 3024	2224	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe	31
PID 2224 wrote to memory of 3024	2224	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe	31
PID 2224 wrote to memory of 3024	2224	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe	31
PID 2224 wrote to memory of 1448	2224	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe	32
PID 2224 wrote to memory of 1448	2224	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe	32
PID 2224 wrote to memory of 1448	2224	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe	32
PID 2224 wrote to memory of 1448	2224	{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe	32
PID 3024 wrote to memory of 2108	3024	{8754F396-F10B-4986-AB94-8DDECB077792}.exe	34
PID 3024 wrote to memory of 2108	3024	{8754F396-F10B-4986-AB94-8DDECB077792}.exe	34
PID 3024 wrote to memory of 2108	3024	{8754F396-F10B-4986-AB94-8DDECB077792}.exe	34
PID 3024 wrote to memory of 2108	3024	{8754F396-F10B-4986-AB94-8DDECB077792}.exe	34
PID 3024 wrote to memory of 2228	3024	{8754F396-F10B-4986-AB94-8DDECB077792}.exe	33
PID 3024 wrote to memory of 2228	3024	{8754F396-F10B-4986-AB94-8DDECB077792}.exe	33
PID 3024 wrote to memory of 2228	3024	{8754F396-F10B-4986-AB94-8DDECB077792}.exe	33
PID 3024 wrote to memory of 2228	3024	{8754F396-F10B-4986-AB94-8DDECB077792}.exe	33
PID 2108 wrote to memory of 1880	2108	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe	36
PID 2108 wrote to memory of 1880	2108	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe	36
PID 2108 wrote to memory of 1880	2108	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe	36
PID 2108 wrote to memory of 1880	2108	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe	36
PID 2108 wrote to memory of 1072	2108	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe	35
PID 2108 wrote to memory of 1072	2108	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe	35
PID 2108 wrote to memory of 1072	2108	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe	35
PID 2108 wrote to memory of 1072	2108	{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe	35
PID 1880 wrote to memory of 2292	1880	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe	37
PID 1880 wrote to memory of 2292	1880	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe	37
PID 1880 wrote to memory of 2292	1880	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe	37
PID 1880 wrote to memory of 2292	1880	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe	37
PID 1880 wrote to memory of 632	1880	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe	38
PID 1880 wrote to memory of 632	1880	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe	38
PID 1880 wrote to memory of 632	1880	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe	38
PID 1880 wrote to memory of 632	1880	{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe	38
PID 2292 wrote to memory of 1036	2292	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe	40
PID 2292 wrote to memory of 1036	2292	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe	40
PID 2292 wrote to memory of 1036	2292	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe	40
PID 2292 wrote to memory of 1036	2292	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe	40
PID 2292 wrote to memory of 2396	2292	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe	39
PID 2292 wrote to memory of 2396	2292	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe	39
PID 2292 wrote to memory of 2396	2292	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe	39
PID 2292 wrote to memory of 2396	2292	{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe	39
PID 1036 wrote to memory of 1596	1036	{D0028059-4161-4c05-9365-1D887A0939A8}.exe	42
PID 1036 wrote to memory of 1596	1036	{D0028059-4161-4c05-9365-1D887A0939A8}.exe	42
PID 1036 wrote to memory of 1596	1036	{D0028059-4161-4c05-9365-1D887A0939A8}.exe	42
PID 1036 wrote to memory of 1596	1036	{D0028059-4161-4c05-9365-1D887A0939A8}.exe	42
PID 1036 wrote to memory of 2356	1036	{D0028059-4161-4c05-9365-1D887A0939A8}.exe	41
PID 1036 wrote to memory of 2356	1036	{D0028059-4161-4c05-9365-1D887A0939A8}.exe	41
PID 1036 wrote to memory of 2356	1036	{D0028059-4161-4c05-9365-1D887A0939A8}.exe	41
PID 1036 wrote to memory of 2356	1036	{D0028059-4161-4c05-9365-1D887A0939A8}.exe	41
PID 1596 wrote to memory of 2312	1596	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe	43
PID 1596 wrote to memory of 2312	1596	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe	43
PID 1596 wrote to memory of 2312	1596	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe	43
PID 1596 wrote to memory of 2312	1596	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe	43
PID 1596 wrote to memory of 2140	1596	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe	44
PID 1596 wrote to memory of 2140	1596	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe	44
PID 1596 wrote to memory of 2140	1596	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe	44
PID 1596 wrote to memory of 2140	1596	{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe	44

C:\Users\Admin\AppData\Local\Temp\8ca1d4bf2211ccexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\8ca1d4bf2211ccexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Windows\{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe
  C:\Windows\{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\{8754F396-F10B-4986-AB94-8DDECB077792}.exe
    C:\Windows\{8754F396-F10B-4986-AB94-8DDECB077792}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8754F~1.EXE > nul
      4⤵
      PID:2228
  - - C:\Windows\{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe
      C:\Windows\{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1EBB0~1.EXE > nul
        5⤵
        
        PID:1072
    - - C:\Windows\{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe
        
        C:\Windows\{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1880
      - C:\Windows\{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe
        
        C:\Windows\{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37E11~1.EXE > nul
        7⤵
        
        PID:2396
        
        C:\Windows\{D0028059-4161-4c05-9365-1D887A0939A8}.exe
        
        C:\Windows\{D0028059-4161-4c05-9365-1D887A0939A8}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D0028~1.EXE > nul
        8⤵
        
        PID:2356
        
        C:\Windows\{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe
        
        C:\Windows\{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe
        
        C:\Windows\{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe
        
        C:\Windows\{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F9DE~1.EXE > nul
        11⤵
        
        PID:2568
        
        C:\Windows\{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe
        
        C:\Windows\{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{173F2~1.EXE > nul
        12⤵
        
        PID:2700
        
        C:\Windows\{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe
        
        C:\Windows\{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92251~1.EXE > nul
        13⤵
        
        PID:2712
        
        C:\Windows\{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe
        
        C:\Windows\{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A29DA~1.EXE > nul
        14⤵
        
        PID:2420
        
        C:\Windows\{09FF4F54-9EB5-4e8e-94B0-D9F2FE4A84C9}.exe
        
        C:\Windows\{09FF4F54-9EB5-4e8e-94B0-D9F2FE4A84C9}.exe
        14⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{55B79~1.EXE > nul
        10⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54EBC~1.EXE > nul
        9⤵
        
        PID:2140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F616~1.EXE > nul
        6⤵
        
        PID:632
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A62BC~1.EXE > nul
    3⤵
    PID:1448
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8CA1D4~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{09FF4F54-9EB5-4e8e-94B0-D9F2FE4A84C9}.exe

Filesize
168KB

MD5
7772d4e436bea41662b08e466d63d99a

SHA1
5fca140642b48067485b93a92fd09eba4000571c

SHA256
71fb3bf51793f29b933fde18bc34bba6288ec3c05801ca784c4e25e16f53c9cb

SHA512
6abaa1c0ddd2ad2da62a684a72a0d6f0379d2d506731fffe84e78156893ed4dfdb68e586075ff1a43d6e7e97068bf907151b309f3561dad58ddfaef5930659da

Download Submit
C:\Windows\{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe

Filesize
168KB

MD5
984c03b73b5709f00d0cc5ef80c7e752

SHA1
f5059a0b842401c376d28acdc3ed0f339a00db39

SHA256
d3fd6015f04a594cebe7bac30773ae59031ba455fa16bca28921aedcf74fb010

SHA512
b11dd7be526aa33aa114c6b8e202d91eb564553e9364fadd200d1db4d3e1d5b83ab98847b007b7854e93b8c425d49cce014e87fd2da819699db1aff7b73949e4

Download Submit
C:\Windows\{173F279B-AEEA-4636-B17C-CE9051C960AE}.exe

Filesize
168KB

MD5
984c03b73b5709f00d0cc5ef80c7e752

SHA1
f5059a0b842401c376d28acdc3ed0f339a00db39

SHA256
d3fd6015f04a594cebe7bac30773ae59031ba455fa16bca28921aedcf74fb010

SHA512
b11dd7be526aa33aa114c6b8e202d91eb564553e9364fadd200d1db4d3e1d5b83ab98847b007b7854e93b8c425d49cce014e87fd2da819699db1aff7b73949e4

Download Submit
C:\Windows\{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe

Filesize
168KB

MD5
dbbabbe5f9032878304d570b329805f8

SHA1
8f5c55f60cccb71be6cabbbd98ad5a1316a9b328

SHA256
a27de2dda037899dcec6d7311619193937d648cf279e2671767c3b6226694713

SHA512
be35e6cdddefa1423483e47aa562e208721c31e8eb42e1e4bddb03f03823c07b0f139e7e9d5aef6cb9f59947897df63457b6cde94cc18a9506abf4d13c443db2

Download Submit
C:\Windows\{1EBB0F55-2BAC-474f-B9D2-EA840E9D3AB5}.exe

Filesize
168KB

MD5
dbbabbe5f9032878304d570b329805f8

SHA1
8f5c55f60cccb71be6cabbbd98ad5a1316a9b328

SHA256
a27de2dda037899dcec6d7311619193937d648cf279e2671767c3b6226694713

SHA512
be35e6cdddefa1423483e47aa562e208721c31e8eb42e1e4bddb03f03823c07b0f139e7e9d5aef6cb9f59947897df63457b6cde94cc18a9506abf4d13c443db2

Download Submit
C:\Windows\{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe

Filesize
168KB

MD5
fad0a27a6731bb2db6ec98a81a74520c

SHA1
f5afdda18fdb9c7ef14aa375f52204e95441066e

SHA256
8272745e649b1dbda80042a65abc5037ec7880053d5f6eeda7a5b2d765441c1c

SHA512
4126e7e58a3cc51a45b88cb390cbfaf4285decd253ebcb2b8dcb7b0472c4eccbff9f3796e4c1c3e2016f35d33c3206f573a1db3b7f852d776c5403b464440342

Download Submit
C:\Windows\{37E11AB1-381D-4cf3-B50D-4EC96D6727AF}.exe

Filesize
168KB

MD5
fad0a27a6731bb2db6ec98a81a74520c

SHA1
f5afdda18fdb9c7ef14aa375f52204e95441066e

SHA256
8272745e649b1dbda80042a65abc5037ec7880053d5f6eeda7a5b2d765441c1c

SHA512
4126e7e58a3cc51a45b88cb390cbfaf4285decd253ebcb2b8dcb7b0472c4eccbff9f3796e4c1c3e2016f35d33c3206f573a1db3b7f852d776c5403b464440342

Download Submit
C:\Windows\{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe

Filesize
168KB

MD5
ac7efddcbc433f63faeac9992388dc7b

SHA1
d9777413876842dfab3fe83b05fd482c8b386668

SHA256
b4744a33b8b9e595f66798abf5da2775315d4724023f3f419c7b00b264091574

SHA512
a204e663eb79cd6f9b037aee7b947fe07bc5e77267994abccd0ea023b3a204d5b161f741236292f0cd078042657ff7ad5fa7ae70a93129f9d15098fa991f5b56

Download Submit
C:\Windows\{54EBCA15-FD2D-45a1-A5FA-BDE2A26F087C}.exe

Filesize
168KB

MD5
ac7efddcbc433f63faeac9992388dc7b

SHA1
d9777413876842dfab3fe83b05fd482c8b386668

SHA256
b4744a33b8b9e595f66798abf5da2775315d4724023f3f419c7b00b264091574

SHA512
a204e663eb79cd6f9b037aee7b947fe07bc5e77267994abccd0ea023b3a204d5b161f741236292f0cd078042657ff7ad5fa7ae70a93129f9d15098fa991f5b56

Download Submit
C:\Windows\{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe

Filesize
168KB

MD5
83fea0fdcc5994fb63ea80ca22245719

SHA1
5d10e23be7b98fde1b534c5bb0b473eda6ef1128

SHA256
20c5fbd06ca7176381637ab76446b62fe13c2f6a6f5b7d068bb030bb34af6167

SHA512
73ecb9e080c14baea8d25df349b30de26f574313cfa2cf127f5c1273d1f505375e3d23e8af504abf7ea868599c6ada4c2a4e293cae1a1f4ce6e72c8d1a27a5c0

Download Submit
C:\Windows\{55B79803-2C00-4fb1-9F9B-80511CCB187C}.exe

Filesize
168KB

MD5
83fea0fdcc5994fb63ea80ca22245719

SHA1
5d10e23be7b98fde1b534c5bb0b473eda6ef1128

SHA256
20c5fbd06ca7176381637ab76446b62fe13c2f6a6f5b7d068bb030bb34af6167

SHA512
73ecb9e080c14baea8d25df349b30de26f574313cfa2cf127f5c1273d1f505375e3d23e8af504abf7ea868599c6ada4c2a4e293cae1a1f4ce6e72c8d1a27a5c0

Download Submit
C:\Windows\{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe

Filesize
168KB

MD5
47c666f3dd2994b53d486c18cf6dd117

SHA1
a89e8b81f6f6192466702868349a469d442cb1e4

SHA256
e64f6147d257f5f4fb03f7ea52b735d9d64903debd2a654c44cd5c0e5b2c083e

SHA512
4ddaaa912084df68ba3676ddd97b6729268d0da3652437623238b22c78360de5de9b8a64b0129b46c33089ebef3680852982c44d5dd8e66eaa00471040dad086

Download Submit
C:\Windows\{6F616F64-844F-431a-B17F-55FAD79CF7F6}.exe

Filesize
168KB

MD5
47c666f3dd2994b53d486c18cf6dd117

SHA1
a89e8b81f6f6192466702868349a469d442cb1e4

SHA256
e64f6147d257f5f4fb03f7ea52b735d9d64903debd2a654c44cd5c0e5b2c083e

SHA512
4ddaaa912084df68ba3676ddd97b6729268d0da3652437623238b22c78360de5de9b8a64b0129b46c33089ebef3680852982c44d5dd8e66eaa00471040dad086

Download Submit
C:\Windows\{8754F396-F10B-4986-AB94-8DDECB077792}.exe

Filesize
168KB

MD5
1d901fba6885783ed29b1701aa4eb136

SHA1
ab26a88c8bea4de36fab9954755cd35fe10db3ac

SHA256
bb1add12fb1af990e0720a260b04778845b1ab4fe58888670d6c8509d31096b2

SHA512
ca2b7bf070e904b66214734400ab4b47fce7e05d65ffd9fbd7e70e99efeaa605694377818f742524e0333cd6919cb81525ee5f80beed1dbec69bf6b1b6ead735

Download Submit
C:\Windows\{8754F396-F10B-4986-AB94-8DDECB077792}.exe

Filesize
168KB

MD5
1d901fba6885783ed29b1701aa4eb136

SHA1
ab26a88c8bea4de36fab9954755cd35fe10db3ac

SHA256
bb1add12fb1af990e0720a260b04778845b1ab4fe58888670d6c8509d31096b2

SHA512
ca2b7bf070e904b66214734400ab4b47fce7e05d65ffd9fbd7e70e99efeaa605694377818f742524e0333cd6919cb81525ee5f80beed1dbec69bf6b1b6ead735

Download Submit
C:\Windows\{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe

Filesize
168KB

MD5
8cb38302ffa7d88467e740bb3025ab73

SHA1
3a167887b44cc3a01ef3627e541c84b5e9297a46

SHA256
2014aaf0b6b70564c830fb85d4752ddb7aeb84f4bf8c82049e7cdf5073263807

SHA512
80ed52e4809d0b8a77093ee82df204952d7696f4c4f8b31954bef2223c568fa853821bae9ce1620a78fceec5d483a37a2c8acaaccc19c109166c65799ee69442

Download Submit
C:\Windows\{92251D31-E9D9-475d-802A-03F8E16A45F7}.exe

Filesize
168KB

MD5
8cb38302ffa7d88467e740bb3025ab73

SHA1
3a167887b44cc3a01ef3627e541c84b5e9297a46

SHA256
2014aaf0b6b70564c830fb85d4752ddb7aeb84f4bf8c82049e7cdf5073263807

SHA512
80ed52e4809d0b8a77093ee82df204952d7696f4c4f8b31954bef2223c568fa853821bae9ce1620a78fceec5d483a37a2c8acaaccc19c109166c65799ee69442

Download Submit
C:\Windows\{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe

Filesize
168KB

MD5
1fd4f0e80facbf52c63d3da63f0e4f11

SHA1
e2b50b957f6450d80c1b5e33a6adf622c5525ceb

SHA256
000681a306fd3a87ec5f19ab486fbb937d80b394ec14ae7efb37f20843c4b71f

SHA512
18abbfd7e8a679aebcc860afbf0a1efe4d8f50c4efeaf8a96f984772c45a823227f76b3b07808bc0371e276a2f86d3d87dc7644ad2ecd96655be9c9bf98f264f

Download Submit
C:\Windows\{9F9DECE1-798A-49b9-8848-F0056300B8A9}.exe

Filesize
168KB

MD5
1fd4f0e80facbf52c63d3da63f0e4f11

SHA1
e2b50b957f6450d80c1b5e33a6adf622c5525ceb

SHA256
000681a306fd3a87ec5f19ab486fbb937d80b394ec14ae7efb37f20843c4b71f

SHA512
18abbfd7e8a679aebcc860afbf0a1efe4d8f50c4efeaf8a96f984772c45a823227f76b3b07808bc0371e276a2f86d3d87dc7644ad2ecd96655be9c9bf98f264f

Download Submit
C:\Windows\{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe

Filesize
168KB

MD5
2801a2e2eb5cb481d5a8d9d2ad195e4b

SHA1
0d18e0c76d891b03569798882835b313cf17aaef

SHA256
afb1477654d4dce7d9a3c4e4fba3b9cc11803998b72b98ec3684afad6c321a79

SHA512
a619db47bace37ac1d59a7f4ce85e21c814ecb9c3e634437ff7b18cb73ac4b804812e9591619ac1d9cf1c06a644ca9805b9950e039d03e217456fd10f65769d7

Download Submit
C:\Windows\{A29DA351-FD16-444d-9222-4CB91E7DAD4E}.exe

Filesize
168KB

MD5
2801a2e2eb5cb481d5a8d9d2ad195e4b

SHA1
0d18e0c76d891b03569798882835b313cf17aaef

SHA256
afb1477654d4dce7d9a3c4e4fba3b9cc11803998b72b98ec3684afad6c321a79

SHA512
a619db47bace37ac1d59a7f4ce85e21c814ecb9c3e634437ff7b18cb73ac4b804812e9591619ac1d9cf1c06a644ca9805b9950e039d03e217456fd10f65769d7

Download Submit
C:\Windows\{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe

Filesize
168KB

MD5
75fae09f06a383e3ec582e4407be16cd

SHA1
0bd301ca9914436fdf9f50b8b0aab71c6bd3a907

SHA256
aa35d27416efa53dc77e72f9f4dc875cbe917a73ba2d3fddfcaf562dea1191fa

SHA512
371bc89d332d893b66176905ca2d4e0d92209c2753c53c96dba1658e1979e9854af88ff3f515bac9e5280840d4a2b1683f885ccfa315ae95c94a7006c652f5d4

Download Submit
C:\Windows\{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe

Filesize
168KB

MD5
75fae09f06a383e3ec582e4407be16cd

SHA1
0bd301ca9914436fdf9f50b8b0aab71c6bd3a907

SHA256
aa35d27416efa53dc77e72f9f4dc875cbe917a73ba2d3fddfcaf562dea1191fa

SHA512
371bc89d332d893b66176905ca2d4e0d92209c2753c53c96dba1658e1979e9854af88ff3f515bac9e5280840d4a2b1683f885ccfa315ae95c94a7006c652f5d4

Download Submit
C:\Windows\{A62BC1C6-0859-47e0-8D12-C2618177161D}.exe

Filesize
168KB

MD5
75fae09f06a383e3ec582e4407be16cd

SHA1
0bd301ca9914436fdf9f50b8b0aab71c6bd3a907

SHA256
aa35d27416efa53dc77e72f9f4dc875cbe917a73ba2d3fddfcaf562dea1191fa

SHA512
371bc89d332d893b66176905ca2d4e0d92209c2753c53c96dba1658e1979e9854af88ff3f515bac9e5280840d4a2b1683f885ccfa315ae95c94a7006c652f5d4

Download Submit
C:\Windows\{D0028059-4161-4c05-9365-1D887A0939A8}.exe

Filesize
168KB

MD5
dde81dca8056f82eefcd47b29391e687

SHA1
5fa7a29a347352b2a735dd4f2fa4dc70beebb835

SHA256
bb450c941f7164b66082e08564f562640107bd02118207b6fe7865fdc3995e4f

SHA512
e94dcfd4d458de525f9cb828f4504c90a256896d2459a74fd4a9c7da7ff4f429235bd07344e494d18bb26210de52d35855c38717c4233eaaf2a844f24f56f94b

Download Submit
C:\Windows\{D0028059-4161-4c05-9365-1D887A0939A8}.exe

Filesize
168KB

MD5
dde81dca8056f82eefcd47b29391e687

SHA1
5fa7a29a347352b2a735dd4f2fa4dc70beebb835

SHA256
bb450c941f7164b66082e08564f562640107bd02118207b6fe7865fdc3995e4f

SHA512
e94dcfd4d458de525f9cb828f4504c90a256896d2459a74fd4a9c7da7ff4f429235bd07344e494d18bb26210de52d35855c38717c4233eaaf2a844f24f56f94b

Download Submit