8e04bd87b221465b61edaae3b033d1530aa3c9778372c8ceb547dc85a8a616ef

Analysis

max time kernel
147s
max time network
34s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
10/07/2023, 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dca3f2cf5d8cabexeexeexeex.exe
Size

168KB
MD5

dca3f2cf5d8cab8c969caf2504437152
SHA1

9c053d62aa9956d4bc31b50d90d7ac00d182f999
SHA256

8e04bd87b221465b61edaae3b033d1530aa3c9778372c8ceb547dc85a8a616ef
SHA512

a7a85406d6505db880a28386fa3737dd192e64d204bc077c31d8e222bb59d2c3badf128bfe3e49ae98594505ff063c536429699f8cd885d7783d172102cd39d7
SSDEEP

1536:1EGh0oRlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oRlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112860A2-9AF0-442e-8A56-8A24340582C0}\stubpath = "C:\\Windows\\{112860A2-9AF0-442e-8A56-8A24340582C0}.exe"	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C766BC-46AB-4581-9B5B-B756A2F18526}\stubpath = "C:\\Windows\\{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe"	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14B8B69A-771B-4579-82DF-871B5E24AE1C}\stubpath = "C:\\Windows\\{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe"	dca3f2cf5d8cabexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}\stubpath = "C:\\Windows\\{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe"	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}\stubpath = "C:\\Windows\\{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe"	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}	{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}	{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{14B8B69A-771B-4579-82DF-871B5E24AE1C}	dca3f2cf5d8cabexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}	{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}	{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}\stubpath = "C:\\Windows\\{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe"	{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7ABD70A-382B-496d-8D25-F6854567F71F}	{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7ABD70A-382B-496d-8D25-F6854567F71F}\stubpath = "C:\\Windows\\{A7ABD70A-382B-496d-8D25-F6854567F71F}.exe"	{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA23BADA-3B22-40ef-A335-0646D0CC64FD}\stubpath = "C:\\Windows\\{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe"	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}\stubpath = "C:\\Windows\\{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe"	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}\stubpath = "C:\\Windows\\{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe"	{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}\stubpath = "C:\\Windows\\{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe"	{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FA23BADA-3B22-40ef-A335-0646D0CC64FD}	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}\stubpath = "C:\\Windows\\{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe"	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{112860A2-9AF0-442e-8A56-8A24340582C0}	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{49C766BC-46AB-4581-9B5B-B756A2F18526}	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}\stubpath = "C:\\Windows\\{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe"	{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe

Deletes itself 1 IoCs

pid	Process
564	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
1648	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe
524	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe
1496	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe
2320	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe
2172	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe
2092	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe
2176	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe
2000	{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe
2696	{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe
2620	{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe
2980	{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe
2800	{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe
2520	{A7ABD70A-382B-496d-8D25-F6854567F71F}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{112860A2-9AF0-442e-8A56-8A24340582C0}.exe	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe
File created	C:\Windows\{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe	{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe
File created	C:\Windows\{A7ABD70A-382B-496d-8D25-F6854567F71F}.exe	{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe
File created	C:\Windows\{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe
File created	C:\Windows\{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe
File created	C:\Windows\{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe
File created	C:\Windows\{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe
File created	C:\Windows\{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe
File created	C:\Windows\{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe	{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe
File created	C:\Windows\{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe	{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe
File created	C:\Windows\{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe	{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe
File created	C:\Windows\{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe	dca3f2cf5d8cabexeexeexeex.exe
File created	C:\Windows\{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	432	dca3f2cf5d8cabexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1648	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe
Token: SeIncBasePriorityPrivilege	524	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe
Token: SeIncBasePriorityPrivilege	1496	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe
Token: SeIncBasePriorityPrivilege	2320	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe
Token: SeIncBasePriorityPrivilege	2172	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe
Token: SeIncBasePriorityPrivilege	2092	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe
Token: SeIncBasePriorityPrivilege	2176	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe
Token: SeIncBasePriorityPrivilege	2000	{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe
Token: SeIncBasePriorityPrivilege	2696	{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe
Token: SeIncBasePriorityPrivilege	2620	{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe
Token: SeIncBasePriorityPrivilege	2980	{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe
Token: SeIncBasePriorityPrivilege	2800	{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 432 wrote to memory of 1648	432	dca3f2cf5d8cabexeexeexeex.exe	27
PID 432 wrote to memory of 1648	432	dca3f2cf5d8cabexeexeexeex.exe	27
PID 432 wrote to memory of 1648	432	dca3f2cf5d8cabexeexeexeex.exe	27
PID 432 wrote to memory of 1648	432	dca3f2cf5d8cabexeexeexeex.exe	27
PID 432 wrote to memory of 564	432	dca3f2cf5d8cabexeexeexeex.exe	28
PID 432 wrote to memory of 564	432	dca3f2cf5d8cabexeexeexeex.exe	28
PID 432 wrote to memory of 564	432	dca3f2cf5d8cabexeexeexeex.exe	28
PID 432 wrote to memory of 564	432	dca3f2cf5d8cabexeexeexeex.exe	28
PID 1648 wrote to memory of 524	1648	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe	29
PID 1648 wrote to memory of 524	1648	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe	29
PID 1648 wrote to memory of 524	1648	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe	29
PID 1648 wrote to memory of 524	1648	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe	29
PID 1648 wrote to memory of 1488	1648	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe	30
PID 1648 wrote to memory of 1488	1648	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe	30
PID 1648 wrote to memory of 1488	1648	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe	30
PID 1648 wrote to memory of 1488	1648	{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe	30
PID 524 wrote to memory of 1496	524	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe	31
PID 524 wrote to memory of 1496	524	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe	31
PID 524 wrote to memory of 1496	524	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe	31
PID 524 wrote to memory of 1496	524	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe	31
PID 524 wrote to memory of 2864	524	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe	32
PID 524 wrote to memory of 2864	524	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe	32
PID 524 wrote to memory of 2864	524	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe	32
PID 524 wrote to memory of 2864	524	{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe	32
PID 1496 wrote to memory of 2320	1496	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe	33
PID 1496 wrote to memory of 2320	1496	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe	33
PID 1496 wrote to memory of 2320	1496	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe	33
PID 1496 wrote to memory of 2320	1496	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe	33
PID 1496 wrote to memory of 2140	1496	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe	34
PID 1496 wrote to memory of 2140	1496	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe	34
PID 1496 wrote to memory of 2140	1496	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe	34
PID 1496 wrote to memory of 2140	1496	{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe	34
PID 2320 wrote to memory of 2172	2320	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe	35
PID 2320 wrote to memory of 2172	2320	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe	35
PID 2320 wrote to memory of 2172	2320	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe	35
PID 2320 wrote to memory of 2172	2320	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe	35
PID 2320 wrote to memory of 2364	2320	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe	36
PID 2320 wrote to memory of 2364	2320	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe	36
PID 2320 wrote to memory of 2364	2320	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe	36
PID 2320 wrote to memory of 2364	2320	{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe	36
PID 2172 wrote to memory of 2092	2172	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe	37
PID 2172 wrote to memory of 2092	2172	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe	37
PID 2172 wrote to memory of 2092	2172	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe	37
PID 2172 wrote to memory of 2092	2172	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe	37
PID 2172 wrote to memory of 2104	2172	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe	38
PID 2172 wrote to memory of 2104	2172	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe	38
PID 2172 wrote to memory of 2104	2172	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe	38
PID 2172 wrote to memory of 2104	2172	{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe	38
PID 2092 wrote to memory of 2176	2092	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe	39
PID 2092 wrote to memory of 2176	2092	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe	39
PID 2092 wrote to memory of 2176	2092	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe	39
PID 2092 wrote to memory of 2176	2092	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe	39
PID 2092 wrote to memory of 2948	2092	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe	40
PID 2092 wrote to memory of 2948	2092	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe	40
PID 2092 wrote to memory of 2948	2092	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe	40
PID 2092 wrote to memory of 2948	2092	{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe	40
PID 2176 wrote to memory of 2000	2176	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe	41
PID 2176 wrote to memory of 2000	2176	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe	41
PID 2176 wrote to memory of 2000	2176	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe	41
PID 2176 wrote to memory of 2000	2176	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe	41
PID 2176 wrote to memory of 2224	2176	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe	42
PID 2176 wrote to memory of 2224	2176	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe	42
PID 2176 wrote to memory of 2224	2176	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe	42
PID 2176 wrote to memory of 2224	2176	{112860A2-9AF0-442e-8A56-8A24340582C0}.exe	42

C:\Users\Admin\AppData\Local\Temp\dca3f2cf5d8cabexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\dca3f2cf5d8cabexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432
- C:\Windows\{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe
  C:\Windows\{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe
    C:\Windows\{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe
      C:\Windows\{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Windows\{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe
        
        C:\Windows\{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe
        
        C:\Windows\{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe
        
        C:\Windows\{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\{112860A2-9AF0-442e-8A56-8A24340582C0}.exe
        
        C:\Windows\{112860A2-9AF0-442e-8A56-8A24340582C0}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe
        
        C:\Windows\{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe
        
        C:\Windows\{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe
        
        C:\Windows\{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe
        
        C:\Windows\{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe
        
        C:\Windows\{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\{A7ABD70A-382B-496d-8D25-F6854567F71F}.exe
        
        C:\Windows\{A7ABD70A-382B-496d-8D25-F6854567F71F}.exe
        14⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD76F~1.EXE > nul
        14⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A3C9B~1.EXE > nul
        13⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DCD9~1.EXE > nul
        12⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7843C~1.EXE > nul
        11⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{49C76~1.EXE > nul
        10⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11286~1.EXE > nul
        9⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FFDF~1.EXE > nul
        8⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8AFF~1.EXE > nul
        7⤵
        
        PID:2104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CB86~1.EXE > nul
        6⤵
        
        PID:2364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCDE9~1.EXE > nul
        5⤵
        
        PID:2140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FA23B~1.EXE > nul
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{14B8B~1.EXE > nul
    3⤵
    PID:1488
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\DCA3F2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe

Filesize
168KB

MD5
e7a575e5d9d7c2704f13ba5fb9000846

SHA1
6da72687edb518c03d13afb64704f9872b616994

SHA256
0ed5fa00e319c250053e3795f86605c76e38f79669054f7b70a73ffa09f0fcd9

SHA512
4a1e22646039da2224e5a12a80c4a27c9ed949eb83d63e552cfcd82e3a27eb6db31ad2f128e34ea063b472158ee1b27e21b6305e1b69581047d191f33a59b700

Download Submit
C:\Windows\{0CB86A1C-2B30-455d-AF47-FBAF6D5C17C0}.exe

Filesize
168KB

MD5
e7a575e5d9d7c2704f13ba5fb9000846

SHA1
6da72687edb518c03d13afb64704f9872b616994

SHA256
0ed5fa00e319c250053e3795f86605c76e38f79669054f7b70a73ffa09f0fcd9

SHA512
4a1e22646039da2224e5a12a80c4a27c9ed949eb83d63e552cfcd82e3a27eb6db31ad2f128e34ea063b472158ee1b27e21b6305e1b69581047d191f33a59b700

Download Submit
C:\Windows\{112860A2-9AF0-442e-8A56-8A24340582C0}.exe

Filesize
168KB

MD5
2edf60401b0c01b007459bfb517f3700

SHA1
e86a594388508f3d12933fa8cd4b8db8c33bc816

SHA256
732a8b2c482fcc5013bec8587fb42d1323a11b6b311a9c21e020565405d41c58

SHA512
ba5e6f05c4b566ba56ba6796b76c50e6121d5d3610f92cebb18d62d77d48ddc733182f504557d0c298c7202a2db6c44ffc5def03c6d04e35abc04fb3592321f6

Download Submit
C:\Windows\{112860A2-9AF0-442e-8A56-8A24340582C0}.exe

Filesize
168KB

MD5
2edf60401b0c01b007459bfb517f3700

SHA1
e86a594388508f3d12933fa8cd4b8db8c33bc816

SHA256
732a8b2c482fcc5013bec8587fb42d1323a11b6b311a9c21e020565405d41c58

SHA512
ba5e6f05c4b566ba56ba6796b76c50e6121d5d3610f92cebb18d62d77d48ddc733182f504557d0c298c7202a2db6c44ffc5def03c6d04e35abc04fb3592321f6

Download Submit
C:\Windows\{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe

Filesize
168KB

MD5
461ee1e3689a65e34acb91d573f27ee3

SHA1
26f03206cf32b6ebc9a706aec5be6e306691959a

SHA256
921e541770aad6e7a2615ae93c2462dbc5aaf8798477796f70c0485239a81f18

SHA512
4c433424d563b052dc73b113f0df5de41492b1cd378f8dc09b9697914c18f25dd717c74b563b49383e7323c8151a7c352fef277e439e11659c9d6f24424a0905

Download Submit
C:\Windows\{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe

Filesize
168KB

MD5
461ee1e3689a65e34acb91d573f27ee3

SHA1
26f03206cf32b6ebc9a706aec5be6e306691959a

SHA256
921e541770aad6e7a2615ae93c2462dbc5aaf8798477796f70c0485239a81f18

SHA512
4c433424d563b052dc73b113f0df5de41492b1cd378f8dc09b9697914c18f25dd717c74b563b49383e7323c8151a7c352fef277e439e11659c9d6f24424a0905

Download Submit
C:\Windows\{14B8B69A-771B-4579-82DF-871B5E24AE1C}.exe

Filesize
168KB

MD5
461ee1e3689a65e34acb91d573f27ee3

SHA1
26f03206cf32b6ebc9a706aec5be6e306691959a

SHA256
921e541770aad6e7a2615ae93c2462dbc5aaf8798477796f70c0485239a81f18

SHA512
4c433424d563b052dc73b113f0df5de41492b1cd378f8dc09b9697914c18f25dd717c74b563b49383e7323c8151a7c352fef277e439e11659c9d6f24424a0905

Download Submit
C:\Windows\{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe

Filesize
168KB

MD5
fa66fb84009d45974572dcfc4b9b3e42

SHA1
81fa023044782542a344e592c8ab32e7ad5455ed

SHA256
b8df1ade6657860a0fc38d0c7c129498fb5e7b4bd3d1efcf444b281ab8529172

SHA512
20cfe4d9f0bc240b6245bf3128728d98801d12d70f6f4cb51b2b7463caf6b1b2db2c5dd36a7fc87d60bdea4426492e29632d15f85f828618822d649583847401

Download Submit
C:\Windows\{49C766BC-46AB-4581-9B5B-B756A2F18526}.exe

Filesize
168KB

MD5
fa66fb84009d45974572dcfc4b9b3e42

SHA1
81fa023044782542a344e592c8ab32e7ad5455ed

SHA256
b8df1ade6657860a0fc38d0c7c129498fb5e7b4bd3d1efcf444b281ab8529172

SHA512
20cfe4d9f0bc240b6245bf3128728d98801d12d70f6f4cb51b2b7463caf6b1b2db2c5dd36a7fc87d60bdea4426492e29632d15f85f828618822d649583847401

Download Submit
C:\Windows\{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe

Filesize
168KB

MD5
156090d2fb292d9d4b80a933f4794689

SHA1
60b7b98cceda70aa20b5c79186b223a81e6c4790

SHA256
bcbd135e1443bc251ceb7af5be2447bd05b3c804c148419f1e8b9498bfb70a54

SHA512
f9bd1941b33661e29dd9e9436a278bd3302c8b8c9feabc0d49226703fc3351d111e0bd71fc7b0275f69becc999ea1fc20d331f7b2ddf2bf7d6d9a4026a3ba631

Download Submit
C:\Windows\{4DCD9C16-F04F-4acd-8807-0C29DBF92E61}.exe

Filesize
168KB

MD5
156090d2fb292d9d4b80a933f4794689

SHA1
60b7b98cceda70aa20b5c79186b223a81e6c4790

SHA256
bcbd135e1443bc251ceb7af5be2447bd05b3c804c148419f1e8b9498bfb70a54

SHA512
f9bd1941b33661e29dd9e9436a278bd3302c8b8c9feabc0d49226703fc3351d111e0bd71fc7b0275f69becc999ea1fc20d331f7b2ddf2bf7d6d9a4026a3ba631

Download Submit
C:\Windows\{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe

Filesize
168KB

MD5
0365da76904001d26bcc723095283bee

SHA1
12b5a1c33bd0b256ac4c1767777305489eec6098

SHA256
868f65e11377f3fd53a155369880f0dd3aada4a221f6568e8f55e527866d6ecf

SHA512
972a72a2ce0b2d693f9fa1cb78279379846159715dc0d785ce8c52dd894ee26dd924fa21b22e21f0a6bf0de907d087cb8a836b0d591375f885b42c8fa76ffdfd

Download Submit
C:\Windows\{4FFDF48E-4F06-4510-859D-07ADAC9DE3A9}.exe

Filesize
168KB

MD5
0365da76904001d26bcc723095283bee

SHA1
12b5a1c33bd0b256ac4c1767777305489eec6098

SHA256
868f65e11377f3fd53a155369880f0dd3aada4a221f6568e8f55e527866d6ecf

SHA512
972a72a2ce0b2d693f9fa1cb78279379846159715dc0d785ce8c52dd894ee26dd924fa21b22e21f0a6bf0de907d087cb8a836b0d591375f885b42c8fa76ffdfd

Download Submit
C:\Windows\{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe

Filesize
168KB

MD5
7e5f6e53e05c29db04323eaf21843b6a

SHA1
bfe9bcbba22934fc4163a32e16c65872b20d3f76

SHA256
17f9ce420966d251262ed710f304d549ea7758ee2a9a65038823e6aac2a64bc7

SHA512
2828b6c5846ab9cab498eecece5c9cc9ea65cc2eab509c456cc5d74ddd1924e2bfcb10308cebbf0223c8f462ca851a4860069c8e9eb1a1d23a45d2f452390bf4

Download Submit
C:\Windows\{7843CEFB-0474-43c8-B415-1F4C6ADDE61A}.exe

Filesize
168KB

MD5
7e5f6e53e05c29db04323eaf21843b6a

SHA1
bfe9bcbba22934fc4163a32e16c65872b20d3f76

SHA256
17f9ce420966d251262ed710f304d549ea7758ee2a9a65038823e6aac2a64bc7

SHA512
2828b6c5846ab9cab498eecece5c9cc9ea65cc2eab509c456cc5d74ddd1924e2bfcb10308cebbf0223c8f462ca851a4860069c8e9eb1a1d23a45d2f452390bf4

Download Submit
C:\Windows\{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe

Filesize
168KB

MD5
b0e912a4b080f47d24f09dbeedb9bcc7

SHA1
0645111be2e13524fc1d7178f5856313d5ba1f0a

SHA256
4e5b7dd705df5d5a6ebd5eb15cc71567b2befb5390599fc74b57e60f634b97e6

SHA512
8ec7a70c896707758553e9be12ef4decb2bb6d0533273d3b7421ae39cdf2537d554989d9fe372b09c07d2e4bb187564f8eacbdd1de478d6567c55ae4188c647c

Download Submit
C:\Windows\{A3C9B00B-DAE2-4f39-83FD-EB19BF050A22}.exe

Filesize
168KB

MD5
b0e912a4b080f47d24f09dbeedb9bcc7

SHA1
0645111be2e13524fc1d7178f5856313d5ba1f0a

SHA256
4e5b7dd705df5d5a6ebd5eb15cc71567b2befb5390599fc74b57e60f634b97e6

SHA512
8ec7a70c896707758553e9be12ef4decb2bb6d0533273d3b7421ae39cdf2537d554989d9fe372b09c07d2e4bb187564f8eacbdd1de478d6567c55ae4188c647c

Download Submit
C:\Windows\{A7ABD70A-382B-496d-8D25-F6854567F71F}.exe

Filesize
168KB

MD5
f1d57b1e62ecec4d688d1cc091a46221

SHA1
26230f91a40272fb495e5967be7adba2e8a3300e

SHA256
f005a707b5cb8568b439c32c66d5054ced01a8e2daa7938c0f76f548cf0c5c55

SHA512
002f898cc3df79d478b9057a6aca6e0316c944caec63561ca322ba61829fe4a631cd6ce6e07076f17dd1aedc7a5fc20039e47d68f4dd8051b550b2c760c1e5fd

Download Submit
C:\Windows\{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe

Filesize
168KB

MD5
d7cd8a7ff0f502f3244d574d5c63feb9

SHA1
0b487858477c98a65ea4d42b82a1b04e73034164

SHA256
43d5d931bfa6dd0553ff088927679f8e6da98aee257cebdccece1e933f42aba5

SHA512
80af67adb95e7b4a17775a5afb406fc75dc27053388e2bd9b59dfd148793f2339088b33e936bc2c24313f04a8a87d1bac7710fc8d0fa5a6ddbeae30254f1107d

Download Submit
C:\Windows\{A8AFF8A1-C7A2-4a15-9DBF-4004442F11F8}.exe

Filesize
168KB

MD5
d7cd8a7ff0f502f3244d574d5c63feb9

SHA1
0b487858477c98a65ea4d42b82a1b04e73034164

SHA256
43d5d931bfa6dd0553ff088927679f8e6da98aee257cebdccece1e933f42aba5

SHA512
80af67adb95e7b4a17775a5afb406fc75dc27053388e2bd9b59dfd148793f2339088b33e936bc2c24313f04a8a87d1bac7710fc8d0fa5a6ddbeae30254f1107d

Download Submit
C:\Windows\{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe

Filesize
168KB

MD5
ecb28064230d2931660d30c266d6de92

SHA1
5580b01f9ae184c1028c3d8b41dc5246fc313628

SHA256
b22a89175b1b8f0f8b4251539ac67967a8b8a9d4d7802205a0ed5c24b87e7af1

SHA512
9ff3c8c10367211234458c9546f8d586dff312f57252484b2b7ad63157823ae3a4c362af7fe34469d4c58bacf462026e90eaac69d289cb29b7c1de72d0bbf0e9

Download Submit
C:\Windows\{BD76F4E5-B23B-4f68-A5D7-F0BA5109E0A0}.exe

Filesize
168KB

MD5
ecb28064230d2931660d30c266d6de92

SHA1
5580b01f9ae184c1028c3d8b41dc5246fc313628

SHA256
b22a89175b1b8f0f8b4251539ac67967a8b8a9d4d7802205a0ed5c24b87e7af1

SHA512
9ff3c8c10367211234458c9546f8d586dff312f57252484b2b7ad63157823ae3a4c362af7fe34469d4c58bacf462026e90eaac69d289cb29b7c1de72d0bbf0e9

Download Submit
C:\Windows\{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe

Filesize
168KB

MD5
1efb7aa26effe2e4de69c08c27bf0688

SHA1
e83e9dd171e98a6bcab758528636ddac7a38ea26

SHA256
01ef4307ed0c23244ba10fe257d36c3c716798e57eda95dbaabd018bb372f78d

SHA512
8e93e749c5ca209db792762f0434b54b2c11ff2d1e4da404e2a4b4db550b8a72a275ad4dab272131d6678926d3428c4b1acb4883c7fa9d905d29ee82bb3c9031

Download Submit
C:\Windows\{DCDE93D0-DB58-4b59-86E0-08851DE89D4C}.exe

Filesize
168KB

MD5
1efb7aa26effe2e4de69c08c27bf0688

SHA1
e83e9dd171e98a6bcab758528636ddac7a38ea26

SHA256
01ef4307ed0c23244ba10fe257d36c3c716798e57eda95dbaabd018bb372f78d

SHA512
8e93e749c5ca209db792762f0434b54b2c11ff2d1e4da404e2a4b4db550b8a72a275ad4dab272131d6678926d3428c4b1acb4883c7fa9d905d29ee82bb3c9031

Download Submit
C:\Windows\{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe

Filesize
168KB

MD5
07f8217d40a87360c25805f93be42773

SHA1
bbbb413d914504baa07087a5241881d49c59d88b

SHA256
03e5fa6ad31d41f5bbbd5337d12eb677dcf1f8748477ee19ef7a46b207e6539c

SHA512
9027aa67882024ff16a00b074582e57c40b2b353467539f0713ae050d0ff54a10fc247ec256c7a4a6686a625a778850311d62a022602fb3e1678cd4c0345baa4

Download Submit
C:\Windows\{FA23BADA-3B22-40ef-A335-0646D0CC64FD}.exe

Filesize
168KB

MD5
07f8217d40a87360c25805f93be42773

SHA1
bbbb413d914504baa07087a5241881d49c59d88b

SHA256
03e5fa6ad31d41f5bbbd5337d12eb677dcf1f8748477ee19ef7a46b207e6539c

SHA512
9027aa67882024ff16a00b074582e57c40b2b353467539f0713ae050d0ff54a10fc247ec256c7a4a6686a625a778850311d62a022602fb3e1678cd4c0345baa4

Download Submit