3531023ca731199e3b65cf4337eaa703d7edf84cbc3e9b28b595a40b62ccfa1d

Analysis

max time kernel
146s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 17:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8decaa91c22cbeexeexeexeex.exe
Size

372KB
MD5

8decaa91c22cbeac370b3a5ccc0e55cb
SHA1

eff5678c2955aa7c68795eceacb89e9320288a7d
SHA256

3531023ca731199e3b65cf4337eaa703d7edf84cbc3e9b28b595a40b62ccfa1d
SHA512

b473c15714fd7083d165e4660eff47022735e22a15c250a34c8201167069bea133b1bedb44b838ac4ceba23398004c376ca3cfed994afeae02a9dac4f8af8dff
SSDEEP

3072:CEGh0oPmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGQl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C020B456-F9A6-4a17-943A-FD14D37E436B}	8decaa91c22cbeexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C020B456-F9A6-4a17-943A-FD14D37E436B}\stubpath = "C:\\Windows\\{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe"	8decaa91c22cbeexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}\stubpath = "C:\\Windows\\{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe"	{CF4AE844-C245-4192-9C95-04C33648A091}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}\stubpath = "C:\\Windows\\{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe"	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{109902CF-9810-481c-8055-7F5BAAEA6A92}	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1F17F52-5BA0-453e-828B-A615D822FA9D}	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3421AF7D-A109-4a07-8688-28BC9DF8CE15}\stubpath = "C:\\Windows\\{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe"	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{951733C4-3885-45b5-AE39-43AADA0D5F31}	{8730C3D1-8972-4642-AA60-03E8329B3512}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}\stubpath = "C:\\Windows\\{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe"	{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{109902CF-9810-481c-8055-7F5BAAEA6A92}\stubpath = "C:\\Windows\\{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe"	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{951733C4-3885-45b5-AE39-43AADA0D5F31}\stubpath = "C:\\Windows\\{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe"	{8730C3D1-8972-4642-AA60-03E8329B3512}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}	{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF4AE844-C245-4192-9C95-04C33648A091}	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}\stubpath = "C:\\Windows\\{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe"	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F1F17F52-5BA0-453e-828B-A615D822FA9D}\stubpath = "C:\\Windows\\{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe"	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}\stubpath = "C:\\Windows\\{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe"	{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0458125-5DB1-46a0-89DC-D5747266D806}	{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}	{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0458125-5DB1-46a0-89DC-D5747266D806}\stubpath = "C:\\Windows\\{F0458125-5DB1-46a0-89DC-D5747266D806}.exe"	{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CF4AE844-C245-4192-9C95-04C33648A091}\stubpath = "C:\\Windows\\{CF4AE844-C245-4192-9C95-04C33648A091}.exe"	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}	{CF4AE844-C245-4192-9C95-04C33648A091}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3421AF7D-A109-4a07-8688-28BC9DF8CE15}	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8730C3D1-8972-4642-AA60-03E8329B3512}	{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8730C3D1-8972-4642-AA60-03E8329B3512}\stubpath = "C:\\Windows\\{8730C3D1-8972-4642-AA60-03E8329B3512}.exe"	{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe

Deletes itself 1 IoCs

pid	Process
2176	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2184	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe
2360	{CF4AE844-C245-4192-9C95-04C33648A091}.exe
1396	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe
2244	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe
2992	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe
2116	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe
2256	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe
2148	{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe
2168	{8730C3D1-8972-4642-AA60-03E8329B3512}.exe
2740	{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe
2936	{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe
2768	{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe
2440	{F0458125-5DB1-46a0-89DC-D5747266D806}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe	{CF4AE844-C245-4192-9C95-04C33648A091}.exe
File created	C:\Windows\{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe
File created	C:\Windows\{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe
File created	C:\Windows\{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe
File created	C:\Windows\{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe
File created	C:\Windows\{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe	{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe
File created	C:\Windows\{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe	8decaa91c22cbeexeexeexeex.exe
File created	C:\Windows\{CF4AE844-C245-4192-9C95-04C33648A091}.exe	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe
File created	C:\Windows\{F0458125-5DB1-46a0-89DC-D5747266D806}.exe	{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe
File created	C:\Windows\{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe	{8730C3D1-8972-4642-AA60-03E8329B3512}.exe
File created	C:\Windows\{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe	{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe
File created	C:\Windows\{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe
File created	C:\Windows\{8730C3D1-8972-4642-AA60-03E8329B3512}.exe	{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	540	8decaa91c22cbeexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2184	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe
Token: SeIncBasePriorityPrivilege	2360	{CF4AE844-C245-4192-9C95-04C33648A091}.exe
Token: SeIncBasePriorityPrivilege	1396	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe
Token: SeIncBasePriorityPrivilege	2244	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe
Token: SeIncBasePriorityPrivilege	2992	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe
Token: SeIncBasePriorityPrivilege	2116	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe
Token: SeIncBasePriorityPrivilege	2256	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe
Token: SeIncBasePriorityPrivilege	2148	{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe
Token: SeIncBasePriorityPrivilege	2168	{8730C3D1-8972-4642-AA60-03E8329B3512}.exe
Token: SeIncBasePriorityPrivilege	2740	{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe
Token: SeIncBasePriorityPrivilege	2936	{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe
Token: SeIncBasePriorityPrivilege	2768	{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 540 wrote to memory of 2184	540	8decaa91c22cbeexeexeexeex.exe	29
PID 540 wrote to memory of 2184	540	8decaa91c22cbeexeexeexeex.exe	29
PID 540 wrote to memory of 2184	540	8decaa91c22cbeexeexeexeex.exe	29
PID 540 wrote to memory of 2184	540	8decaa91c22cbeexeexeexeex.exe	29
PID 540 wrote to memory of 2176	540	8decaa91c22cbeexeexeexeex.exe	30
PID 540 wrote to memory of 2176	540	8decaa91c22cbeexeexeexeex.exe	30
PID 540 wrote to memory of 2176	540	8decaa91c22cbeexeexeexeex.exe	30
PID 540 wrote to memory of 2176	540	8decaa91c22cbeexeexeexeex.exe	30
PID 2184 wrote to memory of 2360	2184	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe	31
PID 2184 wrote to memory of 2360	2184	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe	31
PID 2184 wrote to memory of 2360	2184	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe	31
PID 2184 wrote to memory of 2360	2184	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe	31
PID 2184 wrote to memory of 1760	2184	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe	32
PID 2184 wrote to memory of 1760	2184	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe	32
PID 2184 wrote to memory of 1760	2184	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe	32
PID 2184 wrote to memory of 1760	2184	{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe	32
PID 2360 wrote to memory of 1396	2360	{CF4AE844-C245-4192-9C95-04C33648A091}.exe	33
PID 2360 wrote to memory of 1396	2360	{CF4AE844-C245-4192-9C95-04C33648A091}.exe	33
PID 2360 wrote to memory of 1396	2360	{CF4AE844-C245-4192-9C95-04C33648A091}.exe	33
PID 2360 wrote to memory of 1396	2360	{CF4AE844-C245-4192-9C95-04C33648A091}.exe	33
PID 2360 wrote to memory of 628	2360	{CF4AE844-C245-4192-9C95-04C33648A091}.exe	34
PID 2360 wrote to memory of 628	2360	{CF4AE844-C245-4192-9C95-04C33648A091}.exe	34
PID 2360 wrote to memory of 628	2360	{CF4AE844-C245-4192-9C95-04C33648A091}.exe	34
PID 2360 wrote to memory of 628	2360	{CF4AE844-C245-4192-9C95-04C33648A091}.exe	34
PID 1396 wrote to memory of 2244	1396	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe	35
PID 1396 wrote to memory of 2244	1396	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe	35
PID 1396 wrote to memory of 2244	1396	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe	35
PID 1396 wrote to memory of 2244	1396	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe	35
PID 1396 wrote to memory of 2400	1396	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe	36
PID 1396 wrote to memory of 2400	1396	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe	36
PID 1396 wrote to memory of 2400	1396	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe	36
PID 1396 wrote to memory of 2400	1396	{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe	36
PID 2244 wrote to memory of 2992	2244	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe	37
PID 2244 wrote to memory of 2992	2244	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe	37
PID 2244 wrote to memory of 2992	2244	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe	37
PID 2244 wrote to memory of 2992	2244	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe	37
PID 2244 wrote to memory of 2056	2244	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe	38
PID 2244 wrote to memory of 2056	2244	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe	38
PID 2244 wrote to memory of 2056	2244	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe	38
PID 2244 wrote to memory of 2056	2244	{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe	38
PID 2992 wrote to memory of 2116	2992	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe	39
PID 2992 wrote to memory of 2116	2992	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe	39
PID 2992 wrote to memory of 2116	2992	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe	39
PID 2992 wrote to memory of 2116	2992	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe	39
PID 2992 wrote to memory of 2212	2992	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe	40
PID 2992 wrote to memory of 2212	2992	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe	40
PID 2992 wrote to memory of 2212	2992	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe	40
PID 2992 wrote to memory of 2212	2992	{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe	40
PID 2116 wrote to memory of 2256	2116	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe	41
PID 2116 wrote to memory of 2256	2116	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe	41
PID 2116 wrote to memory of 2256	2116	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe	41
PID 2116 wrote to memory of 2256	2116	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe	41
PID 2116 wrote to memory of 1752	2116	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe	42
PID 2116 wrote to memory of 1752	2116	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe	42
PID 2116 wrote to memory of 1752	2116	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe	42
PID 2116 wrote to memory of 1752	2116	{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe	42
PID 2256 wrote to memory of 2148	2256	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe	43
PID 2256 wrote to memory of 2148	2256	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe	43
PID 2256 wrote to memory of 2148	2256	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe	43
PID 2256 wrote to memory of 2148	2256	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe	43
PID 2256 wrote to memory of 576	2256	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe	44
PID 2256 wrote to memory of 576	2256	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe	44
PID 2256 wrote to memory of 576	2256	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe	44
PID 2256 wrote to memory of 576	2256	{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe	44

C:\Users\Admin\AppData\Local\Temp\8decaa91c22cbeexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\8decaa91c22cbeexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe
  C:\Windows\{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\{CF4AE844-C245-4192-9C95-04C33648A091}.exe
    C:\Windows\{CF4AE844-C245-4192-9C95-04C33648A091}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2360
  - - C:\Windows\{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe
      C:\Windows\{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1396
    - - C:\Windows\{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe
        
        C:\Windows\{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe
        
        C:\Windows\{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe
        
        C:\Windows\{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe
        
        C:\Windows\{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
        
        C:\Windows\{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe
        
        C:\Windows\{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\{8730C3D1-8972-4642-AA60-03E8329B3512}.exe
        
        C:\Windows\{8730C3D1-8972-4642-AA60-03E8329B3512}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe
        
        C:\Windows\{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe
        
        C:\Windows\{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe
        
        C:\Windows\{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{F0458125-5DB1-46a0-89DC-D5747266D806}.exe
        
        C:\Windows\{F0458125-5DB1-46a0-89DC-D5747266D806}.exe
        14⤵
        Executes dropped EXE
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E9B1~1.EXE > nul
        14⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEA8B~1.EXE > nul
        13⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{95173~1.EXE > nul
        12⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8730C~1.EXE > nul
        11⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10990~1.EXE > nul
        10⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3421A~1.EXE > nul
        9⤵
        
        PID:576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1F17~1.EXE > nul
        8⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0A1A~1.EXE > nul
        7⤵
        
        PID:2212
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5C1C~1.EXE > nul
        6⤵
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9E7F~1.EXE > nul
        5⤵
        
        PID:2400
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CF4AE~1.EXE > nul
      4⤵
      PID:628
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C020B~1.EXE > nul
    3⤵
    PID:1760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8DECAA~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe

Filesize
372KB

MD5
bef63b78b02efd32cfc466e6c87978b0

SHA1
fb82e3d05679202e8d99d8216b8dceec5336ebaa

SHA256
9fa4aa0ead9c41f21c0a14c0bc1c11a7301405930e2b3a0f458674fae194bcd3

SHA512
403bb89a2aa43b296dc46b7292a51b091d361cbd8eb1f90daaba058a454d38ca29906e871034178528b555b3e64a2a99ac3c12bc57a4305c05c5e583c6743d68

Download Submit
C:\Windows\{109902CF-9810-481c-8055-7F5BAAEA6A92}.exe

Filesize
372KB

MD5
bef63b78b02efd32cfc466e6c87978b0

SHA1
fb82e3d05679202e8d99d8216b8dceec5336ebaa

SHA256
9fa4aa0ead9c41f21c0a14c0bc1c11a7301405930e2b3a0f458674fae194bcd3

SHA512
403bb89a2aa43b296dc46b7292a51b091d361cbd8eb1f90daaba058a454d38ca29906e871034178528b555b3e64a2a99ac3c12bc57a4305c05c5e583c6743d68

Download Submit
C:\Windows\{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe

Filesize
372KB

MD5
55f7ff001f601aa42d94e2993b80f0b5

SHA1
bb248c1da72ea15685053ab8c0cf2bab8a0f06c0

SHA256
ebd2666ccba4ebc3288b4772ea4a1784a873f93c2267df9545292f48cf873a72

SHA512
9aa074266558323963bbf3a1d1c7274f09138fb83877cffabda119f682314d65a1870a0c0d12360555117944ffab45def669f208ea822f4056c566275e498a20

Download Submit
C:\Windows\{3421AF7D-A109-4a07-8688-28BC9DF8CE15}.exe

Filesize
372KB

MD5
55f7ff001f601aa42d94e2993b80f0b5

SHA1
bb248c1da72ea15685053ab8c0cf2bab8a0f06c0

SHA256
ebd2666ccba4ebc3288b4772ea4a1784a873f93c2267df9545292f48cf873a72

SHA512
9aa074266558323963bbf3a1d1c7274f09138fb83877cffabda119f682314d65a1870a0c0d12360555117944ffab45def669f208ea822f4056c566275e498a20

Download Submit
C:\Windows\{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe

Filesize
372KB

MD5
50e4140631eb65fe8beac479a48802d0

SHA1
eae0fff6a2a8562edf93dcac759c974e309adf4e

SHA256
dd0cf1622ab1a78bb1f0ec64850b0d6d49de55951afc8cf09f39305188aa8368

SHA512
ae5f3c641e04f718721e43563c5992d97983fdb9bab92df8fbf58ef1702608b920fa4f08bce87b7c306d10b6bdd177a9d089d1c057b72c637c1494b7bdf1fd87

Download Submit
C:\Windows\{5E9B1C2F-B5CE-4e37-AA61-10395DF33BE6}.exe

Filesize
372KB

MD5
50e4140631eb65fe8beac479a48802d0

SHA1
eae0fff6a2a8562edf93dcac759c974e309adf4e

SHA256
dd0cf1622ab1a78bb1f0ec64850b0d6d49de55951afc8cf09f39305188aa8368

SHA512
ae5f3c641e04f718721e43563c5992d97983fdb9bab92df8fbf58ef1702608b920fa4f08bce87b7c306d10b6bdd177a9d089d1c057b72c637c1494b7bdf1fd87

Download Submit
C:\Windows\{8730C3D1-8972-4642-AA60-03E8329B3512}.exe

Filesize
372KB

MD5
1b0282638a892584b66684930525b999

SHA1
faef670b681858e99a8c75a8c075c0f057f0b910

SHA256
c1c865e3e997545bcf1910ba3c4b5b891902968a9cea1b07d1edccf69446b753

SHA512
8a80d73c72c5d391a70c614335466ed11d4beb95fe8d09b7b6ec1cd45c902df6a52141d686e9fbc827b1a16a4c10702f85ad033a2bee9da4ce5511e0760585e4

Download Submit
C:\Windows\{8730C3D1-8972-4642-AA60-03E8329B3512}.exe

Filesize
372KB

MD5
1b0282638a892584b66684930525b999

SHA1
faef670b681858e99a8c75a8c075c0f057f0b910

SHA256
c1c865e3e997545bcf1910ba3c4b5b891902968a9cea1b07d1edccf69446b753

SHA512
8a80d73c72c5d391a70c614335466ed11d4beb95fe8d09b7b6ec1cd45c902df6a52141d686e9fbc827b1a16a4c10702f85ad033a2bee9da4ce5511e0760585e4

Download Submit
C:\Windows\{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe

Filesize
372KB

MD5
cdf28a6ff39bfb57f3376ebf41cfa51f

SHA1
84a9b2d7fbb8b7de9ddcf6c000d7a5170d9c4917

SHA256
c539dd10f8fffb712e9ec13ae0dc56b9b562e170ec08c30ae28557aceee1f08d

SHA512
515776a907493d75d7b37bf4a91550e72fa036ff1a5e8d41c28fe92c8b90f33527c27496f83614e18609cc80ef03bcd6eff734e5832315eb47572369372ce28c

Download Submit
C:\Windows\{951733C4-3885-45b5-AE39-43AADA0D5F31}.exe

Filesize
372KB

MD5
cdf28a6ff39bfb57f3376ebf41cfa51f

SHA1
84a9b2d7fbb8b7de9ddcf6c000d7a5170d9c4917

SHA256
c539dd10f8fffb712e9ec13ae0dc56b9b562e170ec08c30ae28557aceee1f08d

SHA512
515776a907493d75d7b37bf4a91550e72fa036ff1a5e8d41c28fe92c8b90f33527c27496f83614e18609cc80ef03bcd6eff734e5832315eb47572369372ce28c

Download Submit
C:\Windows\{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe

Filesize
372KB

MD5
da362d4e0fb4e00458ca23044b715331

SHA1
0c59af76f9a64c64c0a6fd4275c4e90f75e0dc99

SHA256
af87eda0432f205b37b836d889a9dc76a60f47019ded4b795f17257374a4d2b0

SHA512
bd0b4e26a6051fb4742c17119e590349be1fdcfb4245b6740753768062e8cdaae76f62406efe753fed045b505d7f7a04c189876168513facc2a2c3d7ac59e9fe

Download Submit
C:\Windows\{A0A1AB1E-0586-4f38-B804-ED5F9ADB27FE}.exe

Filesize
372KB

MD5
da362d4e0fb4e00458ca23044b715331

SHA1
0c59af76f9a64c64c0a6fd4275c4e90f75e0dc99

SHA256
af87eda0432f205b37b836d889a9dc76a60f47019ded4b795f17257374a4d2b0

SHA512
bd0b4e26a6051fb4742c17119e590349be1fdcfb4245b6740753768062e8cdaae76f62406efe753fed045b505d7f7a04c189876168513facc2a2c3d7ac59e9fe

Download Submit
C:\Windows\{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe

Filesize
372KB

MD5
108fa714815175172f8eab70c9aa9704

SHA1
49a9023306ff3afeeda1100506e2f725594f87e1

SHA256
0e1abb5918393ff9ae02d3f2c699b7e3e42141f67e0964409da6d5552cc576d4

SHA512
27b679c33f24c1214d5c5dfd86227706a558ffcad6d6ae5e8ce134cfdd1e5c30488e38759d4e3f36d10cdb327b18c012581568c25636a3a5f5cbdee7ef5487b5

Download Submit
C:\Windows\{A9E7F8F7-629D-4b03-9307-8E3BA2385DFB}.exe

Filesize
372KB

MD5
108fa714815175172f8eab70c9aa9704

SHA1
49a9023306ff3afeeda1100506e2f725594f87e1

SHA256
0e1abb5918393ff9ae02d3f2c699b7e3e42141f67e0964409da6d5552cc576d4

SHA512
27b679c33f24c1214d5c5dfd86227706a558ffcad6d6ae5e8ce134cfdd1e5c30488e38759d4e3f36d10cdb327b18c012581568c25636a3a5f5cbdee7ef5487b5

Download Submit
C:\Windows\{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe

Filesize
372KB

MD5
0979a127e44509b67de548d24684bb8a

SHA1
d4de1298dc0979f46802bb059ba52e54432637cb

SHA256
fda0ec7884ed149f0a4296b0889f6a8a11f6bac961f90278336de9e39d1e175f

SHA512
5954d508e02f59f925eb5265bffc1442a3aabf85caba277fff12633fff6d79c62e1c78cc20e5d83d77bd5c78376b8fece59248c3eec50dba6efaeefb1a576e22

Download Submit
C:\Windows\{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe

Filesize
372KB

MD5
0979a127e44509b67de548d24684bb8a

SHA1
d4de1298dc0979f46802bb059ba52e54432637cb

SHA256
fda0ec7884ed149f0a4296b0889f6a8a11f6bac961f90278336de9e39d1e175f

SHA512
5954d508e02f59f925eb5265bffc1442a3aabf85caba277fff12633fff6d79c62e1c78cc20e5d83d77bd5c78376b8fece59248c3eec50dba6efaeefb1a576e22

Download Submit
C:\Windows\{C020B456-F9A6-4a17-943A-FD14D37E436B}.exe

Filesize
372KB

MD5
0979a127e44509b67de548d24684bb8a

SHA1
d4de1298dc0979f46802bb059ba52e54432637cb

SHA256
fda0ec7884ed149f0a4296b0889f6a8a11f6bac961f90278336de9e39d1e175f

SHA512
5954d508e02f59f925eb5265bffc1442a3aabf85caba277fff12633fff6d79c62e1c78cc20e5d83d77bd5c78376b8fece59248c3eec50dba6efaeefb1a576e22

Download Submit
C:\Windows\{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe

Filesize
372KB

MD5
b9143cf7a10f81b3588dc231efa28edc

SHA1
ae58b1668030c04a1b1149347cb35610aef4c011

SHA256
5cb321fe34d63ce686560e24f3f61bad0ab185a225923a8d21f9ee1179534d43

SHA512
5704c1c9b6be25babaf1c6ccc824be3b4d00fb336c88efcceb6b001d485b09aa14f91db9f0829abae934f3528a52a58677fed11802e85f1d97b3e06f93b97a41

Download Submit
C:\Windows\{C5C1CF80-11C4-428d-98B3-3B9B521F7C69}.exe

Filesize
372KB

MD5
b9143cf7a10f81b3588dc231efa28edc

SHA1
ae58b1668030c04a1b1149347cb35610aef4c011

SHA256
5cb321fe34d63ce686560e24f3f61bad0ab185a225923a8d21f9ee1179534d43

SHA512
5704c1c9b6be25babaf1c6ccc824be3b4d00fb336c88efcceb6b001d485b09aa14f91db9f0829abae934f3528a52a58677fed11802e85f1d97b3e06f93b97a41

Download Submit
C:\Windows\{CF4AE844-C245-4192-9C95-04C33648A091}.exe

Filesize
372KB

MD5
bcec8a68fe9fcd30760fbce45892bfc3

SHA1
01fce1fb23cd2873b427ba4abfaba94f546084f1

SHA256
f910fbe15633ad6d323b028b7e5740e25443aedc0b953290355e974aab805d75

SHA512
af89779d3dc4f0529cc1c567a59bc1499cefca4ffaac2c686a0f32fd24abd1187f9c78bb115bd7bf9961058bd702dd1a9ae3b7a960bb3ab7c02baa162f535265

Download Submit
C:\Windows\{CF4AE844-C245-4192-9C95-04C33648A091}.exe

Filesize
372KB

MD5
bcec8a68fe9fcd30760fbce45892bfc3

SHA1
01fce1fb23cd2873b427ba4abfaba94f546084f1

SHA256
f910fbe15633ad6d323b028b7e5740e25443aedc0b953290355e974aab805d75

SHA512
af89779d3dc4f0529cc1c567a59bc1499cefca4ffaac2c686a0f32fd24abd1187f9c78bb115bd7bf9961058bd702dd1a9ae3b7a960bb3ab7c02baa162f535265

Download Submit
C:\Windows\{F0458125-5DB1-46a0-89DC-D5747266D806}.exe

Filesize
372KB

MD5
4b9dfa8a8ffd8ee0819a7e21863af3be

SHA1
eb21f25178c6098bc246d2ee1b16e59af6031dc7

SHA256
b14a3732b7fd3b2fc52fa9725636e0d24d208b9c67535a895aad69d683e8b808

SHA512
c7fd96f7690d95ed8ac34c8e374e2668320c65497dcc4096a330c8583c6afbd6ab7600f64bee6c0ad68cf9663dc3603caebbfdef248d2c30fa8ef16a64f5ea48

Download Submit
C:\Windows\{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe

Filesize
372KB

MD5
3bdbac86cb0ec067691b8a53c5f883d9

SHA1
916d2ef575aa1bdbd684077d4bcd2b58329c59a0

SHA256
6a9de90eb765ba350d0a127f067ebe14e8272408faf501c094863a4254e5ef68

SHA512
6976a2195ce7edfef5f7a42f058d8c81d20ed093c478f2fd9d802f5f60a011eb14892574744351c493726fdc40dee1335081914c4448521c6b11a8b29217b97d

Download Submit
C:\Windows\{F1F17F52-5BA0-453e-828B-A615D822FA9D}.exe

Filesize
372KB

MD5
3bdbac86cb0ec067691b8a53c5f883d9

SHA1
916d2ef575aa1bdbd684077d4bcd2b58329c59a0

SHA256
6a9de90eb765ba350d0a127f067ebe14e8272408faf501c094863a4254e5ef68

SHA512
6976a2195ce7edfef5f7a42f058d8c81d20ed093c478f2fd9d802f5f60a011eb14892574744351c493726fdc40dee1335081914c4448521c6b11a8b29217b97d

Download Submit
C:\Windows\{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe

Filesize
372KB

MD5
8d0197c1ad850f115b0557530cba7d85

SHA1
f615de443a92e384c0adf64bf2c7d4f4e262ec09

SHA256
c4411216c990ab5e27599d95bbc97206bc63eb705b4c0f38f19055460e791e00

SHA512
64b2dcfed6135e2fa3df80a0a9fb2ddd034f0ccacaca9965714252ef4c013fa3ee5166db53b0da8d5128ccea98f826ce67e685157e7428d3e9f57621437e50c1

Download Submit
C:\Windows\{FEA8B0EC-387A-49c2-BBF6-CFD586E680D7}.exe

Filesize
372KB

MD5
8d0197c1ad850f115b0557530cba7d85

SHA1
f615de443a92e384c0adf64bf2c7d4f4e262ec09

SHA256
c4411216c990ab5e27599d95bbc97206bc63eb705b4c0f38f19055460e791e00

SHA512
64b2dcfed6135e2fa3df80a0a9fb2ddd034f0ccacaca9965714252ef4c013fa3ee5166db53b0da8d5128ccea98f826ce67e685157e7428d3e9f57621437e50c1

Download Submit