cde221d70bab08131965367bc5b3d3c883b208b2b35be13c2853a2f6bd411017

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13/07/2023, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05f8dabd0c8cb6exe_JC.exe
Size

204KB
MD5

05f8dabd0c8cb650856d11f9a25727e2
SHA1

6ca249c1ab1f73f3a33479567ab9a4c42899931c
SHA256

cde221d70bab08131965367bc5b3d3c883b208b2b35be13c2853a2f6bd411017
SHA512

7160594cdba50250de7cd2e31d1a9e28c75a639d83dcd05bb1858e44983cdc9f7feb0592adbb660bd2d3acf64f4ed13f2d84fbeaaeea564bc4a2f404ac387095
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o4l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF7DF2A1-9558-4244-8389-716B145920E7}	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5290FC2-DAEE-4c63-8677-D84882BCB765}	{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D5290FC2-DAEE-4c63-8677-D84882BCB765}\stubpath = "C:\\Windows\\{D5290FC2-DAEE-4c63-8677-D84882BCB765}.exe"	{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D9DC948-4D24-473c-B5B2-E0F977A45385}	{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}\stubpath = "C:\\Windows\\{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe"	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF7DF2A1-9558-4244-8389-716B145920E7}\stubpath = "C:\\Windows\\{EF7DF2A1-9558-4244-8389-716B145920E7}.exe"	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EC6703C-8D33-49ae-91B1-E82B11342CCA}	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}\stubpath = "C:\\Windows\\{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe"	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F29448E3-DC82-4db5-ABAC-8D0504D219A7}	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2EC6703C-8D33-49ae-91B1-E82B11342CCA}\stubpath = "C:\\Windows\\{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe"	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}\stubpath = "C:\\Windows\\{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe"	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E03C79D9-6DDF-4055-BB67-CA117C1F127F}	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E03C79D9-6DDF-4055-BB67-CA117C1F127F}\stubpath = "C:\\Windows\\{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe"	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}	{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}\stubpath = "C:\\Windows\\{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe"	{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC2AA516-FB19-4d2b-8962-BF42B15E4043}	05f8dabd0c8cb6exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FC2AA516-FB19-4d2b-8962-BF42B15E4043}\stubpath = "C:\\Windows\\{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe"	05f8dabd0c8cb6exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F29448E3-DC82-4db5-ABAC-8D0504D219A7}\stubpath = "C:\\Windows\\{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe"	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5D9DC948-4D24-473c-B5B2-E0F977A45385}\stubpath = "C:\\Windows\\{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe"	{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe

Deletes itself 1 IoCs

pid	Process
1540	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1916	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe
2944	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe
2864	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe
2376	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe
2100	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe
3048	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe
2812	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe
280	{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe
776	{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe
1508	{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe
852	{D5290FC2-DAEE-4c63-8677-D84882BCB765}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EF7DF2A1-9558-4244-8389-716B145920E7}.exe	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe
File created	C:\Windows\{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe
File created	C:\Windows\{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe
File created	C:\Windows\{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe	{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe
File created	C:\Windows\{D5290FC2-DAEE-4c63-8677-D84882BCB765}.exe	{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe
File created	C:\Windows\{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe	05f8dabd0c8cb6exe_JC.exe
File created	C:\Windows\{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe
File created	C:\Windows\{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe
File created	C:\Windows\{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe	{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe
File created	C:\Windows\{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe
File created	C:\Windows\{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2508	05f8dabd0c8cb6exe_JC.exe
Token: SeIncBasePriorityPrivilege	1916	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe
Token: SeIncBasePriorityPrivilege	2944	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe
Token: SeIncBasePriorityPrivilege	2864	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe
Token: SeIncBasePriorityPrivilege	2376	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe
Token: SeIncBasePriorityPrivilege	2100	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe
Token: SeIncBasePriorityPrivilege	3048	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe
Token: SeIncBasePriorityPrivilege	2812	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe
Token: SeIncBasePriorityPrivilege	280	{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe
Token: SeIncBasePriorityPrivilege	776	{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe
Token: SeIncBasePriorityPrivilege	1508	{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1916	2508	05f8dabd0c8cb6exe_JC.exe	28
PID 2508 wrote to memory of 1916	2508	05f8dabd0c8cb6exe_JC.exe	28
PID 2508 wrote to memory of 1916	2508	05f8dabd0c8cb6exe_JC.exe	28
PID 2508 wrote to memory of 1916	2508	05f8dabd0c8cb6exe_JC.exe	28
PID 2508 wrote to memory of 1540	2508	05f8dabd0c8cb6exe_JC.exe	29
PID 2508 wrote to memory of 1540	2508	05f8dabd0c8cb6exe_JC.exe	29
PID 2508 wrote to memory of 1540	2508	05f8dabd0c8cb6exe_JC.exe	29
PID 2508 wrote to memory of 1540	2508	05f8dabd0c8cb6exe_JC.exe	29
PID 1916 wrote to memory of 2944	1916	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe	32
PID 1916 wrote to memory of 2944	1916	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe	32
PID 1916 wrote to memory of 2944	1916	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe	32
PID 1916 wrote to memory of 2944	1916	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe	32
PID 1916 wrote to memory of 3044	1916	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe	33
PID 1916 wrote to memory of 3044	1916	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe	33
PID 1916 wrote to memory of 3044	1916	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe	33
PID 1916 wrote to memory of 3044	1916	{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe	33
PID 2944 wrote to memory of 2864	2944	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe	34
PID 2944 wrote to memory of 2864	2944	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe	34
PID 2944 wrote to memory of 2864	2944	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe	34
PID 2944 wrote to memory of 2864	2944	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe	34
PID 2944 wrote to memory of 3000	2944	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe	35
PID 2944 wrote to memory of 3000	2944	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe	35
PID 2944 wrote to memory of 3000	2944	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe	35
PID 2944 wrote to memory of 3000	2944	{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe	35
PID 2864 wrote to memory of 2376	2864	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe	36
PID 2864 wrote to memory of 2376	2864	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe	36
PID 2864 wrote to memory of 2376	2864	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe	36
PID 2864 wrote to memory of 2376	2864	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe	36
PID 2864 wrote to memory of 2084	2864	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe	37
PID 2864 wrote to memory of 2084	2864	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe	37
PID 2864 wrote to memory of 2084	2864	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe	37
PID 2864 wrote to memory of 2084	2864	{EF7DF2A1-9558-4244-8389-716B145920E7}.exe	37
PID 2376 wrote to memory of 2100	2376	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe	38
PID 2376 wrote to memory of 2100	2376	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe	38
PID 2376 wrote to memory of 2100	2376	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe	38
PID 2376 wrote to memory of 2100	2376	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe	38
PID 2376 wrote to memory of 2876	2376	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe	39
PID 2376 wrote to memory of 2876	2376	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe	39
PID 2376 wrote to memory of 2876	2376	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe	39
PID 2376 wrote to memory of 2876	2376	{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe	39
PID 2100 wrote to memory of 3048	2100	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe	40
PID 2100 wrote to memory of 3048	2100	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe	40
PID 2100 wrote to memory of 3048	2100	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe	40
PID 2100 wrote to memory of 3048	2100	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe	40
PID 2100 wrote to memory of 2756	2100	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe	41
PID 2100 wrote to memory of 2756	2100	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe	41
PID 2100 wrote to memory of 2756	2100	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe	41
PID 2100 wrote to memory of 2756	2100	{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe	41
PID 3048 wrote to memory of 2812	3048	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe	42
PID 3048 wrote to memory of 2812	3048	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe	42
PID 3048 wrote to memory of 2812	3048	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe	42
PID 3048 wrote to memory of 2812	3048	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe	42
PID 3048 wrote to memory of 808	3048	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe	43
PID 3048 wrote to memory of 808	3048	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe	43
PID 3048 wrote to memory of 808	3048	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe	43
PID 3048 wrote to memory of 808	3048	{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe	43
PID 2812 wrote to memory of 280	2812	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe	44
PID 2812 wrote to memory of 280	2812	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe	44
PID 2812 wrote to memory of 280	2812	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe	44
PID 2812 wrote to memory of 280	2812	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe	44
PID 2812 wrote to memory of 580	2812	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe	45
PID 2812 wrote to memory of 580	2812	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe	45
PID 2812 wrote to memory of 580	2812	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe	45
PID 2812 wrote to memory of 580	2812	{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe	45

C:\Users\Admin\AppData\Local\Temp\05f8dabd0c8cb6exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\05f8dabd0c8cb6exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe
  C:\Windows\{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe
    C:\Windows\{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{EF7DF2A1-9558-4244-8389-716B145920E7}.exe
      C:\Windows\{EF7DF2A1-9558-4244-8389-716B145920E7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2864
    - - C:\Windows\{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe
        
        C:\Windows\{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
      - C:\Windows\{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe
        
        C:\Windows\{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe
        
        C:\Windows\{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe
        
        C:\Windows\{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe
        
        C:\Windows\{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
        
        C:\Windows\{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe
        
        C:\Windows\{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe
        
        C:\Windows\{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\{D5290FC2-DAEE-4c63-8677-D84882BCB765}.exe
        
        C:\Windows\{D5290FC2-DAEE-4c63-8677-D84882BCB765}.exe
        12⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D9DC~1.EXE > nul
        12⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90CD6~1.EXE > nul
        11⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E03C7~1.EXE > nul
        10⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6890~1.EXE > nul
        9⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2944~1.EXE > nul
        8⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3C28~1.EXE > nul
        7⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EC67~1.EXE > nul
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF7DF~1.EXE > nul
        5⤵
        
        PID:2084
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E3E12~1.EXE > nul
      4⤵
      PID:3000
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FC2AA~1.EXE > nul
    3⤵
    PID:3044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\05F8DA~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe

Filesize
204KB

MD5
ae511b0f09c7c4b9943d68ae76537f49

SHA1
23f02aefa2004df36c6979d31ec567965349f76e

SHA256
37864fcd1df0cb97dd0604955a562a3f6d2446975bb94fe3b26471cc64c973d6

SHA512
813ed42ae8f41daa860586b90fe80e059b0ff4a02acdab35c785ef63973e055cf62af40a04e26a86a4d232036a588bac00b33a2fe0885cc7ee8fb823a81e0a29

Download Submit
C:\Windows\{2EC6703C-8D33-49ae-91B1-E82B11342CCA}.exe

Filesize
204KB

MD5
ae511b0f09c7c4b9943d68ae76537f49

SHA1
23f02aefa2004df36c6979d31ec567965349f76e

SHA256
37864fcd1df0cb97dd0604955a562a3f6d2446975bb94fe3b26471cc64c973d6

SHA512
813ed42ae8f41daa860586b90fe80e059b0ff4a02acdab35c785ef63973e055cf62af40a04e26a86a4d232036a588bac00b33a2fe0885cc7ee8fb823a81e0a29

Download Submit
C:\Windows\{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe

Filesize
204KB

MD5
99685a34a0dd80615f373c342a802f79

SHA1
5ba18ab060ccbcb5d8ceb1ee7f02c2207d214ee0

SHA256
3951c57ef2e087896e9ae838e3e2f1d25a9506f01ed44520dce57928c717e152

SHA512
98f7ea09086f562c194bc9a034534d78619b687508ad515a8c1af963e49c845f6dd9f1af99b01a44080a59a208e6658b8bd15bea80e474e8a253c7f3b18e7765

Download Submit
C:\Windows\{5D9DC948-4D24-473c-B5B2-E0F977A45385}.exe

Filesize
204KB

MD5
99685a34a0dd80615f373c342a802f79

SHA1
5ba18ab060ccbcb5d8ceb1ee7f02c2207d214ee0

SHA256
3951c57ef2e087896e9ae838e3e2f1d25a9506f01ed44520dce57928c717e152

SHA512
98f7ea09086f562c194bc9a034534d78619b687508ad515a8c1af963e49c845f6dd9f1af99b01a44080a59a208e6658b8bd15bea80e474e8a253c7f3b18e7765

Download Submit
C:\Windows\{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe

Filesize
204KB

MD5
92cc83a03f1009a51d98ea95ac8467cf

SHA1
6952fcbab454388fe8a11bcfdcba2f69c846e422

SHA256
06665aa73518c84aaeaa970078525d50353611ea0be59ab1b927b0e6d0c433e3

SHA512
a35107305b0a0bd2ec605c0147fa9ff8dfe19e216867d50194ce6d36258d196673275afb8ce7d2f659f8243ac23b8884670ba6cab9d47c45183bcfbcb623b8c9

Download Submit
C:\Windows\{90CD6BD8-EE94-4a57-9598-42BFA1B84BB2}.exe

Filesize
204KB

MD5
92cc83a03f1009a51d98ea95ac8467cf

SHA1
6952fcbab454388fe8a11bcfdcba2f69c846e422

SHA256
06665aa73518c84aaeaa970078525d50353611ea0be59ab1b927b0e6d0c433e3

SHA512
a35107305b0a0bd2ec605c0147fa9ff8dfe19e216867d50194ce6d36258d196673275afb8ce7d2f659f8243ac23b8884670ba6cab9d47c45183bcfbcb623b8c9

Download Submit
C:\Windows\{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe

Filesize
204KB

MD5
e33e74b4378d40eef675aae2e35a2447

SHA1
fed16665da4a5b2adc23f4fb51da99c0944add03

SHA256
cd1e8b6d75ae2affb3decfcd4b90f304b4e686b96e92693050f5d2fd9995d1f9

SHA512
1f9f31d22113535f35085f6fea990d6377e41575c36ee07cec93444c34ecb3030293c13054e4f3607c748c50f0912e8e97aa89b74339d78f5d707151160be2bf

Download Submit
C:\Windows\{A68909E0-7E14-4c3c-9D60-1DB2F8CA9E38}.exe

Filesize
204KB

MD5
e33e74b4378d40eef675aae2e35a2447

SHA1
fed16665da4a5b2adc23f4fb51da99c0944add03

SHA256
cd1e8b6d75ae2affb3decfcd4b90f304b4e686b96e92693050f5d2fd9995d1f9

SHA512
1f9f31d22113535f35085f6fea990d6377e41575c36ee07cec93444c34ecb3030293c13054e4f3607c748c50f0912e8e97aa89b74339d78f5d707151160be2bf

Download Submit
C:\Windows\{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe

Filesize
204KB

MD5
55a7b8d7502f0d44806dc6e352a9987a

SHA1
77559e8b818755e21a2b27ecdcad27cf310f7853

SHA256
f1d22952b592623ae033cc06b918874d108ef2b832291a54e229bbfeb142ca4e

SHA512
22b37a1329e1a448c54305d4393e17f33f9f3ce970ddf42ada5b2c2c1bfec64a42955eeb4c08ae34f8b760923b35baafa9ce105f8eaac0aea494dd1a3617abf9

Download Submit
C:\Windows\{D3C284EC-73BB-4eb5-A837-CDBB419EDF1E}.exe

Filesize
204KB

MD5
55a7b8d7502f0d44806dc6e352a9987a

SHA1
77559e8b818755e21a2b27ecdcad27cf310f7853

SHA256
f1d22952b592623ae033cc06b918874d108ef2b832291a54e229bbfeb142ca4e

SHA512
22b37a1329e1a448c54305d4393e17f33f9f3ce970ddf42ada5b2c2c1bfec64a42955eeb4c08ae34f8b760923b35baafa9ce105f8eaac0aea494dd1a3617abf9

Download Submit
C:\Windows\{D5290FC2-DAEE-4c63-8677-D84882BCB765}.exe

Filesize
204KB

MD5
6621673b8d42004729b21c9cb2609f39

SHA1
a56f453f3c9aba0035bd3411e75bfecef139a788

SHA256
e3910144a10ea2b35d7475a6be23d36d2dfe8ad80c8b53a7b97d26c6596fa25d

SHA512
8943f3164fd19a87e36fccdcbbb7438c02be54fbb66dd1604ddaac4d47fcb23504a4d8aecd64948fe822a947817d40111f9d307f1a4d8870c4fc3a0e6515caa4

Download Submit
C:\Windows\{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe

Filesize
204KB

MD5
47e9f20ba0dd0211b112484b08ee0701

SHA1
8e7f6d5d70bae452c2a0fb5ea58894e95cb7dc84

SHA256
aa4250776f5114dc7430d6c32586763d4eef33b5711a5036cb03a71b3de3f56c

SHA512
4a1629d4e0ee0fa0c26bd0961f00c683f2a4b12a916af76a6d5352cd0980268ef84874a03050f145132b28961e89b91d4459c82de6cf91bacd667a4059f7aa56

Download Submit
C:\Windows\{E03C79D9-6DDF-4055-BB67-CA117C1F127F}.exe

Filesize
204KB

MD5
47e9f20ba0dd0211b112484b08ee0701

SHA1
8e7f6d5d70bae452c2a0fb5ea58894e95cb7dc84

SHA256
aa4250776f5114dc7430d6c32586763d4eef33b5711a5036cb03a71b3de3f56c

SHA512
4a1629d4e0ee0fa0c26bd0961f00c683f2a4b12a916af76a6d5352cd0980268ef84874a03050f145132b28961e89b91d4459c82de6cf91bacd667a4059f7aa56

Download Submit
C:\Windows\{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe

Filesize
204KB

MD5
04e250362f1a31d81fe34c96ef6a3092

SHA1
572f5a1b86341889de2c7cdf2a037122c68710f0

SHA256
7966bc99d087d731402e1fc299bd2d6262a77c19baa2ba784f098b6acced7e31

SHA512
85c6e1ddaa0119557c2d827947c9ea5df81c094f8a8485d2c78e7bd270faafeddfd1256ab5d352c7dcae33be342439ea3220715bafe853fdd3bac8cac492194b

Download Submit
C:\Windows\{E3E129EB-A7CF-4b7c-ADA6-5C7DA1F05DDC}.exe

Filesize
204KB

MD5
04e250362f1a31d81fe34c96ef6a3092

SHA1
572f5a1b86341889de2c7cdf2a037122c68710f0

SHA256
7966bc99d087d731402e1fc299bd2d6262a77c19baa2ba784f098b6acced7e31

SHA512
85c6e1ddaa0119557c2d827947c9ea5df81c094f8a8485d2c78e7bd270faafeddfd1256ab5d352c7dcae33be342439ea3220715bafe853fdd3bac8cac492194b

Download Submit
C:\Windows\{EF7DF2A1-9558-4244-8389-716B145920E7}.exe

Filesize
204KB

MD5
ea9a2a642a040c474ddfeb5c4fef11e5

SHA1
273a3461fb27b4319f005b86fce4524054b0cd4f

SHA256
d5a013eb553db8521e7e0926824b09bdc10cc1fc6b1dae1f662a96f8e086d9e1

SHA512
8422e8e28b71e2ef7370cc9c06dd3ee86b9c1b1e757df99e06bb7d11078d4c90c5b4ca3d931f6f5c1b22039bdc2ab0af4c490da9bc5c172b86e4db07ce0c5ea1

Download Submit
C:\Windows\{EF7DF2A1-9558-4244-8389-716B145920E7}.exe

Filesize
204KB

MD5
ea9a2a642a040c474ddfeb5c4fef11e5

SHA1
273a3461fb27b4319f005b86fce4524054b0cd4f

SHA256
d5a013eb553db8521e7e0926824b09bdc10cc1fc6b1dae1f662a96f8e086d9e1

SHA512
8422e8e28b71e2ef7370cc9c06dd3ee86b9c1b1e757df99e06bb7d11078d4c90c5b4ca3d931f6f5c1b22039bdc2ab0af4c490da9bc5c172b86e4db07ce0c5ea1

Download Submit
C:\Windows\{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe

Filesize
204KB

MD5
c72316795188568a162600e2025cb358

SHA1
190d751a29cb8203baf67e32a39359e0f5c7be1b

SHA256
41d3a183b804118a10fc3eaa9ccfe56cca22567f5e801d1cd23035d217b7453e

SHA512
b0fab38e8861468def3b84ffd1f4973ae5bea8e6ff75c28f0ec8d18f2f42c7be47546d4c108aa0ff4d891eba4ae18df8e4115145b66ddaa1e7d71e1c0597a888

Download Submit
C:\Windows\{F29448E3-DC82-4db5-ABAC-8D0504D219A7}.exe

Filesize
204KB

MD5
c72316795188568a162600e2025cb358

SHA1
190d751a29cb8203baf67e32a39359e0f5c7be1b

SHA256
41d3a183b804118a10fc3eaa9ccfe56cca22567f5e801d1cd23035d217b7453e

SHA512
b0fab38e8861468def3b84ffd1f4973ae5bea8e6ff75c28f0ec8d18f2f42c7be47546d4c108aa0ff4d891eba4ae18df8e4115145b66ddaa1e7d71e1c0597a888

Download Submit
C:\Windows\{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe

Filesize
204KB

MD5
256b850b89dea5bb07ce22180a7b7f7d

SHA1
72bc2ad0a877c73314654288ed4f0e541a5705ff

SHA256
83a87290bdc70b12523001fbfd17453ec13746744bd254142d2ca630885ff20e

SHA512
a3873dd5ec47ae92e40744920ef5e56ace904d55d050072810d8acc16bd937c5074d8dd0d6c1010a98507ef9f4eb74d1a051ef0759777720f8551276ac692156

Download Submit
C:\Windows\{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe

Filesize
204KB

MD5
256b850b89dea5bb07ce22180a7b7f7d

SHA1
72bc2ad0a877c73314654288ed4f0e541a5705ff

SHA256
83a87290bdc70b12523001fbfd17453ec13746744bd254142d2ca630885ff20e

SHA512
a3873dd5ec47ae92e40744920ef5e56ace904d55d050072810d8acc16bd937c5074d8dd0d6c1010a98507ef9f4eb74d1a051ef0759777720f8551276ac692156

Download Submit
C:\Windows\{FC2AA516-FB19-4d2b-8962-BF42B15E4043}.exe

Filesize
204KB

MD5
256b850b89dea5bb07ce22180a7b7f7d

SHA1
72bc2ad0a877c73314654288ed4f0e541a5705ff

SHA256
83a87290bdc70b12523001fbfd17453ec13746744bd254142d2ca630885ff20e

SHA512
a3873dd5ec47ae92e40744920ef5e56ace904d55d050072810d8acc16bd937c5074d8dd0d6c1010a98507ef9f4eb74d1a051ef0759777720f8551276ac692156

Download Submit