851ab2844a44635f3c5a4200f2cbda718b01d93b91a43445d9c99756afefb8b0

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14/07/2023, 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14412b53c5f2ccexe_JC.exe
Size

372KB
MD5

14412b53c5f2ccecd82d0d9b42aef425
SHA1

846a3dfc4f553bc8538beedcd00f4b656a864b83
SHA256

851ab2844a44635f3c5a4200f2cbda718b01d93b91a43445d9c99756afefb8b0
SHA512

401942d4ddcbfa815b910272bb3b0cfd9e9cbd941d329476ea8e5b710b1bdfe699837d1bf8533cd138d7f153656d1660fddc8a3caacc9ee6cb6e2bc3f7de749f
SSDEEP

3072:CEGh0oEmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGTl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}\stubpath = "C:\\Windows\\{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe"	14412b53c5f2ccexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53CAFA58-70FB-463a-8986-01458D6A1748}	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6515D482-8EEB-4f21-82BB-0C5F82F1C478}	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83AA690E-6DAF-4e29-8936-037A751F731E}	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F15EAFB3-C349-459e-AF8E-31CB49312BB4}\stubpath = "C:\\Windows\\{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe"	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{53CAFA58-70FB-463a-8986-01458D6A1748}\stubpath = "C:\\Windows\\{53CAFA58-70FB-463a-8986-01458D6A1748}.exe"	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6515D482-8EEB-4f21-82BB-0C5F82F1C478}\stubpath = "C:\\Windows\\{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe"	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C77D2DF9-EA64-4748-8F37-23219ED164DF}\stubpath = "C:\\Windows\\{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe"	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{447C81E8-0FD0-4777-B9D0-CFEA543F299D}\stubpath = "C:\\Windows\\{447C81E8-0FD0-4777-B9D0-CFEA543F299D}.exe"	{4137806A-873E-4166-857D-C9B85CCE67E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}	14412b53c5f2ccexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F15EAFB3-C349-459e-AF8E-31CB49312BB4}	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83AA690E-6DAF-4e29-8936-037A751F731E}\stubpath = "C:\\Windows\\{83AA690E-6DAF-4e29-8936-037A751F731E}.exe"	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3C171AD-2D01-4f62-897B-AFA68B33D965}	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3C171AD-2D01-4f62-897B-AFA68B33D965}\stubpath = "C:\\Windows\\{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe"	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C77D2DF9-EA64-4748-8F37-23219ED164DF}	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}\stubpath = "C:\\Windows\\{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe"	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CA84343-10CA-4120-A701-5809E369B038}	{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CA84343-10CA-4120-A701-5809E369B038}\stubpath = "C:\\Windows\\{6CA84343-10CA-4120-A701-5809E369B038}.exe"	{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4137806A-873E-4166-857D-C9B85CCE67E4}	{6CA84343-10CA-4120-A701-5809E369B038}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4137806A-873E-4166-857D-C9B85CCE67E4}\stubpath = "C:\\Windows\\{4137806A-873E-4166-857D-C9B85CCE67E4}.exe"	{6CA84343-10CA-4120-A701-5809E369B038}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{447C81E8-0FD0-4777-B9D0-CFEA543F299D}	{4137806A-873E-4166-857D-C9B85CCE67E4}.exe

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2232	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe
2908	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe
2840	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe
2880	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe
2452	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe
2700	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe
1956	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe
572	{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe
1520	{6CA84343-10CA-4120-A701-5809E369B038}.exe
2408	{4137806A-873E-4166-857D-C9B85CCE67E4}.exe
2288	{447C81E8-0FD0-4777-B9D0-CFEA543F299D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6CA84343-10CA-4120-A701-5809E369B038}.exe	{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe
File created	C:\Windows\{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe
File created	C:\Windows\{53CAFA58-70FB-463a-8986-01458D6A1748}.exe	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe
File created	C:\Windows\{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe
File created	C:\Windows\{83AA690E-6DAF-4e29-8936-037A751F731E}.exe	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe
File created	C:\Windows\{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe
File created	C:\Windows\{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe	14412b53c5f2ccexe_JC.exe
File created	C:\Windows\{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe
File created	C:\Windows\{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe
File created	C:\Windows\{4137806A-873E-4166-857D-C9B85CCE67E4}.exe	{6CA84343-10CA-4120-A701-5809E369B038}.exe
File created	C:\Windows\{447C81E8-0FD0-4777-B9D0-CFEA543F299D}.exe	{4137806A-873E-4166-857D-C9B85CCE67E4}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1952	14412b53c5f2ccexe_JC.exe
Token: SeIncBasePriorityPrivilege	2232	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe
Token: SeIncBasePriorityPrivilege	2908	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe
Token: SeIncBasePriorityPrivilege	2840	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe
Token: SeIncBasePriorityPrivilege	2880	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe
Token: SeIncBasePriorityPrivilege	2452	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe
Token: SeIncBasePriorityPrivilege	2700	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe
Token: SeIncBasePriorityPrivilege	1956	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe
Token: SeIncBasePriorityPrivilege	572	{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe
Token: SeIncBasePriorityPrivilege	1520	{6CA84343-10CA-4120-A701-5809E369B038}.exe
Token: SeIncBasePriorityPrivilege	2408	{4137806A-873E-4166-857D-C9B85CCE67E4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2232	1952	14412b53c5f2ccexe_JC.exe	28
PID 1952 wrote to memory of 2232	1952	14412b53c5f2ccexe_JC.exe	28
PID 1952 wrote to memory of 2232	1952	14412b53c5f2ccexe_JC.exe	28
PID 1952 wrote to memory of 2232	1952	14412b53c5f2ccexe_JC.exe	28
PID 1952 wrote to memory of 2656	1952	14412b53c5f2ccexe_JC.exe	29
PID 1952 wrote to memory of 2656	1952	14412b53c5f2ccexe_JC.exe	29
PID 1952 wrote to memory of 2656	1952	14412b53c5f2ccexe_JC.exe	29
PID 1952 wrote to memory of 2656	1952	14412b53c5f2ccexe_JC.exe	29
PID 2232 wrote to memory of 2908	2232	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe	32
PID 2232 wrote to memory of 2908	2232	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe	32
PID 2232 wrote to memory of 2908	2232	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe	32
PID 2232 wrote to memory of 2908	2232	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe	32
PID 2232 wrote to memory of 2812	2232	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe	33
PID 2232 wrote to memory of 2812	2232	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe	33
PID 2232 wrote to memory of 2812	2232	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe	33
PID 2232 wrote to memory of 2812	2232	{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe	33
PID 2908 wrote to memory of 2840	2908	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe	34
PID 2908 wrote to memory of 2840	2908	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe	34
PID 2908 wrote to memory of 2840	2908	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe	34
PID 2908 wrote to memory of 2840	2908	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe	34
PID 2908 wrote to memory of 2992	2908	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe	35
PID 2908 wrote to memory of 2992	2908	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe	35
PID 2908 wrote to memory of 2992	2908	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe	35
PID 2908 wrote to memory of 2992	2908	{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe	35
PID 2840 wrote to memory of 2880	2840	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe	36
PID 2840 wrote to memory of 2880	2840	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe	36
PID 2840 wrote to memory of 2880	2840	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe	36
PID 2840 wrote to memory of 2880	2840	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe	36
PID 2840 wrote to memory of 2808	2840	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe	37
PID 2840 wrote to memory of 2808	2840	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe	37
PID 2840 wrote to memory of 2808	2840	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe	37
PID 2840 wrote to memory of 2808	2840	{53CAFA58-70FB-463a-8986-01458D6A1748}.exe	37
PID 2880 wrote to memory of 2452	2880	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe	38
PID 2880 wrote to memory of 2452	2880	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe	38
PID 2880 wrote to memory of 2452	2880	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe	38
PID 2880 wrote to memory of 2452	2880	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe	38
PID 2880 wrote to memory of 2964	2880	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe	39
PID 2880 wrote to memory of 2964	2880	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe	39
PID 2880 wrote to memory of 2964	2880	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe	39
PID 2880 wrote to memory of 2964	2880	{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe	39
PID 2452 wrote to memory of 2700	2452	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe	40
PID 2452 wrote to memory of 2700	2452	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe	40
PID 2452 wrote to memory of 2700	2452	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe	40
PID 2452 wrote to memory of 2700	2452	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe	40
PID 2452 wrote to memory of 2764	2452	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe	41
PID 2452 wrote to memory of 2764	2452	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe	41
PID 2452 wrote to memory of 2764	2452	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe	41
PID 2452 wrote to memory of 2764	2452	{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe	41
PID 2700 wrote to memory of 1956	2700	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe	42
PID 2700 wrote to memory of 1956	2700	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe	42
PID 2700 wrote to memory of 1956	2700	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe	42
PID 2700 wrote to memory of 1956	2700	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe	42
PID 2700 wrote to memory of 2564	2700	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe	43
PID 2700 wrote to memory of 2564	2700	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe	43
PID 2700 wrote to memory of 2564	2700	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe	43
PID 2700 wrote to memory of 2564	2700	{83AA690E-6DAF-4e29-8936-037A751F731E}.exe	43
PID 1956 wrote to memory of 572	1956	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe	44
PID 1956 wrote to memory of 572	1956	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe	44
PID 1956 wrote to memory of 572	1956	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe	44
PID 1956 wrote to memory of 572	1956	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe	44
PID 1956 wrote to memory of 2272	1956	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe	45
PID 1956 wrote to memory of 2272	1956	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe	45
PID 1956 wrote to memory of 2272	1956	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe	45
PID 1956 wrote to memory of 2272	1956	{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe	45

C:\Users\Admin\AppData\Local\Temp\14412b53c5f2ccexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\14412b53c5f2ccexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1952
- C:\Windows\{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe
  C:\Windows\{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe
    C:\Windows\{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\{53CAFA58-70FB-463a-8986-01458D6A1748}.exe
      C:\Windows\{53CAFA58-70FB-463a-8986-01458D6A1748}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe
        
        C:\Windows\{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe
        
        C:\Windows\{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{83AA690E-6DAF-4e29-8936-037A751F731E}.exe
        
        C:\Windows\{83AA690E-6DAF-4e29-8936-037A751F731E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe
        
        C:\Windows\{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe
        
        C:\Windows\{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
        
        C:\Windows\{6CA84343-10CA-4120-A701-5809E369B038}.exe
        
        C:\Windows\{6CA84343-10CA-4120-A701-5809E369B038}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\{4137806A-873E-4166-857D-C9B85CCE67E4}.exe
        
        C:\Windows\{4137806A-873E-4166-857D-C9B85CCE67E4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\{447C81E8-0FD0-4777-B9D0-CFEA543F299D}.exe
        
        C:\Windows\{447C81E8-0FD0-4777-B9D0-CFEA543F299D}.exe
        12⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41378~1.EXE > nul
        12⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CA84~1.EXE > nul
        11⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3C17~1.EXE > nul
        10⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB1E8~1.EXE > nul
        9⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83AA6~1.EXE > nul
        8⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C77D2~1.EXE > nul
        7⤵
        
        PID:2764
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6515D~1.EXE > nul
        6⤵
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{53CAF~1.EXE > nul
        5⤵
        
        PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F15EA~1.EXE > nul
      4⤵
      PID:2992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E3A1E~1.EXE > nul
    3⤵
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\14412B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{4137806A-873E-4166-857D-C9B85CCE67E4}.exe

Filesize
372KB

MD5
9d4cb81c42253f01a9d118ee7528e4df

SHA1
e7624eaac73e77f68a113d7a31024ede88d55b56

SHA256
48d35f3bc2a483b14b0249242843bf44b8bce9da9412234c7d5a55295588e86b

SHA512
18ac31959e5ef5070b5df7d2f7edaf133ddd4ee98efca581f044973bcd54a96433c68a1549c83d5626c7c8012625041ae9ed55ebb1d5f56bd832050811d4f0f8

Download Submit
C:\Windows\{4137806A-873E-4166-857D-C9B85CCE67E4}.exe

Filesize
372KB

MD5
9d4cb81c42253f01a9d118ee7528e4df

SHA1
e7624eaac73e77f68a113d7a31024ede88d55b56

SHA256
48d35f3bc2a483b14b0249242843bf44b8bce9da9412234c7d5a55295588e86b

SHA512
18ac31959e5ef5070b5df7d2f7edaf133ddd4ee98efca581f044973bcd54a96433c68a1549c83d5626c7c8012625041ae9ed55ebb1d5f56bd832050811d4f0f8

Download Submit
C:\Windows\{447C81E8-0FD0-4777-B9D0-CFEA543F299D}.exe

Filesize
372KB

MD5
cdfb13c9bdc2a7464983d27244616929

SHA1
bb9d3ab8f2bb8da6d1ee5900b15a4239869d352f

SHA256
7b1cbb83053dfd5a2b5494c826ae7242eefb12591c08bb6f39b108fead5710a5

SHA512
2b2b44c809a0fd5b34ac01eaf96bbe9f1d783eb8a86bf5ab98978937d9ad5cc167598806d7b71e79b022555157321aba6214571b9a1e3b7c8cd8945843d8ca06

Download Submit
C:\Windows\{53CAFA58-70FB-463a-8986-01458D6A1748}.exe

Filesize
372KB

MD5
4f4fc4491ceb21a66e01d5a83ed29376

SHA1
a5819f90f4f5d6763e0d63fbf5f49bfb9d4dda98

SHA256
ce9dc5111123ff1b041f9780be09003cf264a05941007c7e7e02fbb39231264c

SHA512
4040185ff3845c9304b5e67983d5f8ce93102ca7647d228c1e3f46ba8dda6c77e03c003c680536a59b7b0cba8fb64b491db97b83b2f077745b822ca7ad328cdd

Download Submit
C:\Windows\{53CAFA58-70FB-463a-8986-01458D6A1748}.exe

Filesize
372KB

MD5
4f4fc4491ceb21a66e01d5a83ed29376

SHA1
a5819f90f4f5d6763e0d63fbf5f49bfb9d4dda98

SHA256
ce9dc5111123ff1b041f9780be09003cf264a05941007c7e7e02fbb39231264c

SHA512
4040185ff3845c9304b5e67983d5f8ce93102ca7647d228c1e3f46ba8dda6c77e03c003c680536a59b7b0cba8fb64b491db97b83b2f077745b822ca7ad328cdd

Download Submit
C:\Windows\{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe

Filesize
372KB

MD5
9adcd7be215f5fbf19448544ef03b398

SHA1
bd7fc19989c3704100ec407b2ad415e5adfb0fe6

SHA256
47748767e15e0a4724ceb87314d0b9cf4dfdc5240dd04f056e01e47625edbd48

SHA512
2bd6bbe716785c6fcf0622d13ca0bb63762516759c5872c5a0559a12e3f65488068dfc23da1f23e7bd1383fcb2692b10231bcc5045f5bdcbb831caec8dddf6c6

Download Submit
C:\Windows\{6515D482-8EEB-4f21-82BB-0C5F82F1C478}.exe

Filesize
372KB

MD5
9adcd7be215f5fbf19448544ef03b398

SHA1
bd7fc19989c3704100ec407b2ad415e5adfb0fe6

SHA256
47748767e15e0a4724ceb87314d0b9cf4dfdc5240dd04f056e01e47625edbd48

SHA512
2bd6bbe716785c6fcf0622d13ca0bb63762516759c5872c5a0559a12e3f65488068dfc23da1f23e7bd1383fcb2692b10231bcc5045f5bdcbb831caec8dddf6c6

Download Submit
C:\Windows\{6CA84343-10CA-4120-A701-5809E369B038}.exe

Filesize
372KB

MD5
9480ded735aa2baa91d762b11eda6a14

SHA1
3efc8b070020068be3256fcc16662602f29a3ecb

SHA256
cc0b740da90d060e17077ba1e4e8cce5679ccfcee5ce8f6e023992688fcaeb0e

SHA512
d36e0c506d5af7e0b878b25c773ee9d0b66246e1467e7042c25c155c4a2dac07287964ab48304f51c46bb61fb0505a8f00674d4c7974d19ccf88ccb6f622ab04

Download Submit
C:\Windows\{6CA84343-10CA-4120-A701-5809E369B038}.exe

Filesize
372KB

MD5
9480ded735aa2baa91d762b11eda6a14

SHA1
3efc8b070020068be3256fcc16662602f29a3ecb

SHA256
cc0b740da90d060e17077ba1e4e8cce5679ccfcee5ce8f6e023992688fcaeb0e

SHA512
d36e0c506d5af7e0b878b25c773ee9d0b66246e1467e7042c25c155c4a2dac07287964ab48304f51c46bb61fb0505a8f00674d4c7974d19ccf88ccb6f622ab04

Download Submit
C:\Windows\{83AA690E-6DAF-4e29-8936-037A751F731E}.exe

Filesize
372KB

MD5
91946c08703fd1a74bbd8ed2bb8e386d

SHA1
4f7a7c2419268f8bb26ee1665183f454d3216d07

SHA256
77d7922758e0c5165fc2175973187e3ea8b2fc198f8526cfba49b45731d2572a

SHA512
8b8523883dd614592a6d4cf4c5d92eea5e0152030dd27ecaf1df548a6f1c572eb41348df19e58a0f4d77560324191d57afaf5b2d645b5339afd0a24fd6784235

Download Submit
C:\Windows\{83AA690E-6DAF-4e29-8936-037A751F731E}.exe

Filesize
372KB

MD5
91946c08703fd1a74bbd8ed2bb8e386d

SHA1
4f7a7c2419268f8bb26ee1665183f454d3216d07

SHA256
77d7922758e0c5165fc2175973187e3ea8b2fc198f8526cfba49b45731d2572a

SHA512
8b8523883dd614592a6d4cf4c5d92eea5e0152030dd27ecaf1df548a6f1c572eb41348df19e58a0f4d77560324191d57afaf5b2d645b5339afd0a24fd6784235

Download Submit
C:\Windows\{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe

Filesize
372KB

MD5
c704971c2a4cbf12df0dda85db8f8f70

SHA1
864ec0f543871bd7ddd930e8e28e0f7faf07ba24

SHA256
70087e40088e465a0b4cfe17e8539e4ab73e12f5e414db3d5901ffc219c9e87b

SHA512
c0ac51d9e72db011b110f817ae51fd7df53c7b96c7f5ea91fe15f5d46aa3af97cec7aae2a392ef8922148cfc70c310bb984106b3e11ed8301f153653c086d80d

Download Submit
C:\Windows\{B3C171AD-2D01-4f62-897B-AFA68B33D965}.exe

Filesize
372KB

MD5
c704971c2a4cbf12df0dda85db8f8f70

SHA1
864ec0f543871bd7ddd930e8e28e0f7faf07ba24

SHA256
70087e40088e465a0b4cfe17e8539e4ab73e12f5e414db3d5901ffc219c9e87b

SHA512
c0ac51d9e72db011b110f817ae51fd7df53c7b96c7f5ea91fe15f5d46aa3af97cec7aae2a392ef8922148cfc70c310bb984106b3e11ed8301f153653c086d80d

Download Submit
C:\Windows\{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe

Filesize
372KB

MD5
f4228120316ef94085d3d698f87cd5f5

SHA1
546c7f24c2619907079d854f4eac2bfede562d8a

SHA256
fbe47bc47d644d9d202a1fa83a6bae45c970154c4a4f27016af34d9eee030b22

SHA512
8500cda966be73b388f9d894d95292ef86db214e5689337bdaf2d9dea1514d59d0b28a027fa7502cdf09c5bfaf34c0fe12fb89dfff34da764c56b0693a59a0e7

Download Submit
C:\Windows\{C77D2DF9-EA64-4748-8F37-23219ED164DF}.exe

Filesize
372KB

MD5
f4228120316ef94085d3d698f87cd5f5

SHA1
546c7f24c2619907079d854f4eac2bfede562d8a

SHA256
fbe47bc47d644d9d202a1fa83a6bae45c970154c4a4f27016af34d9eee030b22

SHA512
8500cda966be73b388f9d894d95292ef86db214e5689337bdaf2d9dea1514d59d0b28a027fa7502cdf09c5bfaf34c0fe12fb89dfff34da764c56b0693a59a0e7

Download Submit
C:\Windows\{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe

Filesize
372KB

MD5
d72bb6bc4d3edc87111cc5aa1f49eb79

SHA1
ff1fffbbe8d734903325b0323c33da159d5ca17d

SHA256
d00548de10db34f0d7e3fcb946753c398ed1f24eb94680044448d2fc8e0575ec

SHA512
b2216fcedb6bb3ba0bd2c5bdaa3f426e48e63bb47fc0ab83494e14db478f846a6b053f6490d947ac9f265ecfcea482d30c4c130517f616f6cf30657014d37199

Download Submit
C:\Windows\{DB1E8336-2E28-4dc7-BD1C-F59F29B0374A}.exe

Filesize
372KB

MD5
d72bb6bc4d3edc87111cc5aa1f49eb79

SHA1
ff1fffbbe8d734903325b0323c33da159d5ca17d

SHA256
d00548de10db34f0d7e3fcb946753c398ed1f24eb94680044448d2fc8e0575ec

SHA512
b2216fcedb6bb3ba0bd2c5bdaa3f426e48e63bb47fc0ab83494e14db478f846a6b053f6490d947ac9f265ecfcea482d30c4c130517f616f6cf30657014d37199

Download Submit
C:\Windows\{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe

Filesize
372KB

MD5
4477ea82529e1116ed38ec1fbddde1ad

SHA1
151c0bdd6feb992ec97c24a81908608d28e7d4fb

SHA256
7402c310db946f3cabbed8e755ab0ce560f8278addafa582fe43350c092092a7

SHA512
2d4ac16d01b8c7e4788cc14e0ec1b25e35c352a0b5a337df1578205e4f28dde3d28f4ff5b38ba6504e22237d14bc705bf8f10d7b4f24312c33836189069a40cd

Download Submit
C:\Windows\{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe

Filesize
372KB

MD5
4477ea82529e1116ed38ec1fbddde1ad

SHA1
151c0bdd6feb992ec97c24a81908608d28e7d4fb

SHA256
7402c310db946f3cabbed8e755ab0ce560f8278addafa582fe43350c092092a7

SHA512
2d4ac16d01b8c7e4788cc14e0ec1b25e35c352a0b5a337df1578205e4f28dde3d28f4ff5b38ba6504e22237d14bc705bf8f10d7b4f24312c33836189069a40cd

Download Submit
C:\Windows\{E3A1E40E-5AE3-4bac-A04D-8C85FD46F803}.exe

Filesize
372KB

MD5
4477ea82529e1116ed38ec1fbddde1ad

SHA1
151c0bdd6feb992ec97c24a81908608d28e7d4fb

SHA256
7402c310db946f3cabbed8e755ab0ce560f8278addafa582fe43350c092092a7

SHA512
2d4ac16d01b8c7e4788cc14e0ec1b25e35c352a0b5a337df1578205e4f28dde3d28f4ff5b38ba6504e22237d14bc705bf8f10d7b4f24312c33836189069a40cd

Download Submit
C:\Windows\{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe

Filesize
372KB

MD5
1136253b774d9e3da5122a8364cc13d1

SHA1
4ac69debfea523b143c5f849e0e9040836a2753c

SHA256
3ffed87ebbf2336b650edecd4c036304284703b63b53b06ae1492356e44d5b56

SHA512
25d8ca1722ee1151b0e1ea7e5e02c8bc10e9bab93df728ce9c7205a3b69922c9642f48231d2aeaf1960dfbd469d5709b227fcf6c1d9ecfdf81b6030950a45f33

Download Submit
C:\Windows\{F15EAFB3-C349-459e-AF8E-31CB49312BB4}.exe

Filesize
372KB

MD5
1136253b774d9e3da5122a8364cc13d1

SHA1
4ac69debfea523b143c5f849e0e9040836a2753c

SHA256
3ffed87ebbf2336b650edecd4c036304284703b63b53b06ae1492356e44d5b56

SHA512
25d8ca1722ee1151b0e1ea7e5e02c8bc10e9bab93df728ce9c7205a3b69922c9642f48231d2aeaf1960dfbd469d5709b227fcf6c1d9ecfdf81b6030950a45f33

Download Submit