74645255227d518895ced60e1b41f5d471025f69de8bdd2366c706389e33fa30

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14/07/2023, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c4402d0ddf309exe_JC.exe
Size

372KB
MD5

1c4402d0ddf309efec5d82a90ff6b254
SHA1

33be19474af1402f457f8823e1ce5f9f40f73b98
SHA256

74645255227d518895ced60e1b41f5d471025f69de8bdd2366c706389e33fa30
SHA512

e6d8a90de55878e351595878b3972537b912c57ad60cea313e11f9e7e6affafb86542d2ba18ad412648993de2d0e554e68c0e79db8c98ac6d8fe807adacc3ff5
SSDEEP

3072:CEGh0oFmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGml/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}	1c4402d0ddf309exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}\stubpath = "C:\\Windows\\{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe"	1c4402d0ddf309exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}\stubpath = "C:\\Windows\\{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe"	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A120CA3B-D92A-4236-953F-2471B6B1B26C}	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C307B49C-4966-46dc-9B32-05ADA03FD080}\stubpath = "C:\\Windows\\{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe"	{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A120CA3B-D92A-4236-953F-2471B6B1B26C}\stubpath = "C:\\Windows\\{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe"	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28CC8E68-5743-4e26-B27C-FC00C078469F}	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{28CC8E68-5743-4e26-B27C-FC00C078469F}\stubpath = "C:\\Windows\\{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe"	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}\stubpath = "C:\\Windows\\{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe"	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7839FC07-CD8F-4505-854F-67BD7FBED7F7}	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}\stubpath = "C:\\Windows\\{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe"	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}	{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0297ECF-1DB5-472d-852A-C1F2B179D015}\stubpath = "C:\\Windows\\{E0297ECF-1DB5-472d-852A-C1F2B179D015}.exe"	{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}\stubpath = "C:\\Windows\\{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe"	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7839FC07-CD8F-4505-854F-67BD7FBED7F7}\stubpath = "C:\\Windows\\{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe"	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}\stubpath = "C:\\Windows\\{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe"	{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C307B49C-4966-46dc-9B32-05ADA03FD080}	{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0297ECF-1DB5-472d-852A-C1F2B179D015}	{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe

Deletes itself 1 IoCs

pid	Process
2004	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2204	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe
2804	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe
3036	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe
2976	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe
2296	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe
2724	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe
2704	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe
1244	{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe
2512	{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe
1996	{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe
2140	{E0297ECF-1DB5-472d-852A-C1F2B179D015}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe	1c4402d0ddf309exe_JC.exe
File created	C:\Windows\{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe
File created	C:\Windows\{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe
File created	C:\Windows\{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe	{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe
File created	C:\Windows\{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe
File created	C:\Windows\{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe
File created	C:\Windows\{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe
File created	C:\Windows\{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe
File created	C:\Windows\{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe
File created	C:\Windows\{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe	{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe
File created	C:\Windows\{E0297ECF-1DB5-472d-852A-C1F2B179D015}.exe	{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	532	1c4402d0ddf309exe_JC.exe
Token: SeIncBasePriorityPrivilege	2204	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe
Token: SeIncBasePriorityPrivilege	2804	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe
Token: SeIncBasePriorityPrivilege	3036	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe
Token: SeIncBasePriorityPrivilege	2976	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe
Token: SeIncBasePriorityPrivilege	2296	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe
Token: SeIncBasePriorityPrivilege	2724	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe
Token: SeIncBasePriorityPrivilege	2704	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe
Token: SeIncBasePriorityPrivilege	1244	{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe
Token: SeIncBasePriorityPrivilege	2512	{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe
Token: SeIncBasePriorityPrivilege	1996	{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 2204	532	1c4402d0ddf309exe_JC.exe	28
PID 532 wrote to memory of 2204	532	1c4402d0ddf309exe_JC.exe	28
PID 532 wrote to memory of 2204	532	1c4402d0ddf309exe_JC.exe	28
PID 532 wrote to memory of 2204	532	1c4402d0ddf309exe_JC.exe	28
PID 532 wrote to memory of 2004	532	1c4402d0ddf309exe_JC.exe	29
PID 532 wrote to memory of 2004	532	1c4402d0ddf309exe_JC.exe	29
PID 532 wrote to memory of 2004	532	1c4402d0ddf309exe_JC.exe	29
PID 532 wrote to memory of 2004	532	1c4402d0ddf309exe_JC.exe	29
PID 2204 wrote to memory of 2804	2204	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe	32
PID 2204 wrote to memory of 2804	2204	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe	32
PID 2204 wrote to memory of 2804	2204	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe	32
PID 2204 wrote to memory of 2804	2204	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe	32
PID 2204 wrote to memory of 2960	2204	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe	33
PID 2204 wrote to memory of 2960	2204	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe	33
PID 2204 wrote to memory of 2960	2204	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe	33
PID 2204 wrote to memory of 2960	2204	{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe	33
PID 2804 wrote to memory of 3036	2804	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe	34
PID 2804 wrote to memory of 3036	2804	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe	34
PID 2804 wrote to memory of 3036	2804	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe	34
PID 2804 wrote to memory of 3036	2804	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe	34
PID 2804 wrote to memory of 2800	2804	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe	35
PID 2804 wrote to memory of 2800	2804	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe	35
PID 2804 wrote to memory of 2800	2804	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe	35
PID 2804 wrote to memory of 2800	2804	{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe	35
PID 3036 wrote to memory of 2976	3036	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe	36
PID 3036 wrote to memory of 2976	3036	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe	36
PID 3036 wrote to memory of 2976	3036	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe	36
PID 3036 wrote to memory of 2976	3036	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe	36
PID 3036 wrote to memory of 2708	3036	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe	37
PID 3036 wrote to memory of 2708	3036	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe	37
PID 3036 wrote to memory of 2708	3036	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe	37
PID 3036 wrote to memory of 2708	3036	{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe	37
PID 2976 wrote to memory of 2296	2976	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe	38
PID 2976 wrote to memory of 2296	2976	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe	38
PID 2976 wrote to memory of 2296	2976	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe	38
PID 2976 wrote to memory of 2296	2976	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe	38
PID 2976 wrote to memory of 1580	2976	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe	39
PID 2976 wrote to memory of 1580	2976	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe	39
PID 2976 wrote to memory of 1580	2976	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe	39
PID 2976 wrote to memory of 1580	2976	{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe	39
PID 2296 wrote to memory of 2724	2296	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe	40
PID 2296 wrote to memory of 2724	2296	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe	40
PID 2296 wrote to memory of 2724	2296	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe	40
PID 2296 wrote to memory of 2724	2296	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe	40
PID 2296 wrote to memory of 924	2296	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe	41
PID 2296 wrote to memory of 924	2296	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe	41
PID 2296 wrote to memory of 924	2296	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe	41
PID 2296 wrote to memory of 924	2296	{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe	41
PID 2724 wrote to memory of 2704	2724	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe	42
PID 2724 wrote to memory of 2704	2724	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe	42
PID 2724 wrote to memory of 2704	2724	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe	42
PID 2724 wrote to memory of 2704	2724	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe	42
PID 2724 wrote to memory of 2764	2724	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe	43
PID 2724 wrote to memory of 2764	2724	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe	43
PID 2724 wrote to memory of 2764	2724	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe	43
PID 2724 wrote to memory of 2764	2724	{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe	43
PID 2704 wrote to memory of 1244	2704	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe	44
PID 2704 wrote to memory of 1244	2704	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe	44
PID 2704 wrote to memory of 1244	2704	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe	44
PID 2704 wrote to memory of 1244	2704	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe	44
PID 2704 wrote to memory of 1748	2704	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe	45
PID 2704 wrote to memory of 1748	2704	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe	45
PID 2704 wrote to memory of 1748	2704	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe	45
PID 2704 wrote to memory of 1748	2704	{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe	45

C:\Users\Admin\AppData\Local\Temp\1c4402d0ddf309exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\1c4402d0ddf309exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532
- C:\Windows\{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe
  C:\Windows\{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe
    C:\Windows\{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe
      C:\Windows\{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe
        
        C:\Windows\{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe
        
        C:\Windows\{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe
        
        C:\Windows\{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe
        
        C:\Windows\{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe
        
        C:\Windows\{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe
        
        C:\Windows\{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe
        
        C:\Windows\{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\{E0297ECF-1DB5-472d-852A-C1F2B179D015}.exe
        
        C:\Windows\{E0297ECF-1DB5-472d-852A-C1F2B179D015}.exe
        12⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C307B~1.EXE > nul
        12⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68A23~1.EXE > nul
        11⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C15C2~1.EXE > nul
        10⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7839F~1.EXE > nul
        9⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41F30~1.EXE > nul
        8⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28CC8~1.EXE > nul
        7⤵
        
        PID:924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF69E~1.EXE > nul
        6⤵
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A120C~1.EXE > nul
        5⤵
        
        PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4BF94~1.EXE > nul
      4⤵
      PID:2800
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4EF25~1.EXE > nul
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1C4402~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe

Filesize
372KB

MD5
60cd57711000171e77c52b8624ad51a2

SHA1
8a59a26a47a8b5a140f77c5eb741af8492451bfb

SHA256
f20998060f1c1535ec27f1c44f4f3547ed29b7da59287e9814cca1aa070ecd60

SHA512
cc1133d39dc29ff5b3ad5ef87f8dfb5457e393474d141a7279e51c5bb8b48c64cd969711415cf3b442aeee1ef21e16b49b51c89c0a1fc43f0abcb5afc83bd1c6

Download Submit
C:\Windows\{28CC8E68-5743-4e26-B27C-FC00C078469F}.exe

Filesize
372KB

MD5
60cd57711000171e77c52b8624ad51a2

SHA1
8a59a26a47a8b5a140f77c5eb741af8492451bfb

SHA256
f20998060f1c1535ec27f1c44f4f3547ed29b7da59287e9814cca1aa070ecd60

SHA512
cc1133d39dc29ff5b3ad5ef87f8dfb5457e393474d141a7279e51c5bb8b48c64cd969711415cf3b442aeee1ef21e16b49b51c89c0a1fc43f0abcb5afc83bd1c6

Download Submit
C:\Windows\{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe

Filesize
372KB

MD5
b41c189d37748fb1deb6c1edc1421c60

SHA1
a6c59c8b8816bb2d820d29a2f44845cb3a3399b0

SHA256
4b2c0a6833bbf1e50f73f149559c1eed66a91e4b81ac8f959ccaca0a8007bcbc

SHA512
0eb2717cfa06921b8eda9f52cf6849ba47ab9ff20309907d43fc3b04321f25302f2507f4d7976f3462bc82ac404b6174b84b8ac8dfa3917d56f26ad0c23304a6

Download Submit
C:\Windows\{41F307C7-859A-4cfb-8A3C-C3FFEB2BEF94}.exe

Filesize
372KB

MD5
b41c189d37748fb1deb6c1edc1421c60

SHA1
a6c59c8b8816bb2d820d29a2f44845cb3a3399b0

SHA256
4b2c0a6833bbf1e50f73f149559c1eed66a91e4b81ac8f959ccaca0a8007bcbc

SHA512
0eb2717cfa06921b8eda9f52cf6849ba47ab9ff20309907d43fc3b04321f25302f2507f4d7976f3462bc82ac404b6174b84b8ac8dfa3917d56f26ad0c23304a6

Download Submit
C:\Windows\{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe

Filesize
372KB

MD5
0c0da62f3c49ef502f09e723b5cf3254

SHA1
bd114caa567b2c92d278b4046480d4d4113aed64

SHA256
1bfae33652e9ba8c5dd875fa49f24b5ba8ba830af8c7eb2d29876db079a11ff2

SHA512
f7efb928afc441877e3f2774fb6f7e910aa78d12a1e1072122d4df0a4752695bbc24a6b69cbc8aeb6f368677e6e73d0c35d529f9b734c62191598a7eb61383f2

Download Submit
C:\Windows\{4BF94BAC-F9E2-462e-BD43-B02522B2BFC2}.exe

Filesize
372KB

MD5
0c0da62f3c49ef502f09e723b5cf3254

SHA1
bd114caa567b2c92d278b4046480d4d4113aed64

SHA256
1bfae33652e9ba8c5dd875fa49f24b5ba8ba830af8c7eb2d29876db079a11ff2

SHA512
f7efb928afc441877e3f2774fb6f7e910aa78d12a1e1072122d4df0a4752695bbc24a6b69cbc8aeb6f368677e6e73d0c35d529f9b734c62191598a7eb61383f2

Download Submit
C:\Windows\{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe

Filesize
372KB

MD5
b427c9af978f442c9e436cf43b18af28

SHA1
800d1e442e307c3827f875a277be637d0fc5dba9

SHA256
92c32b8cbb633b6f988a35e2b1c022b30a39b0127a081254e8f6d3a4b7f8b3da

SHA512
a4a9e8a6a905c24fcb35cd396a2fbbc819af599738ba7b3558c6bdc4fb55f9741ff1deb4800e8d965eedf42920857fc6e14a4c7f1b57e8adaa54c0e1eb88382c

Download Submit
C:\Windows\{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe

Filesize
372KB

MD5
b427c9af978f442c9e436cf43b18af28

SHA1
800d1e442e307c3827f875a277be637d0fc5dba9

SHA256
92c32b8cbb633b6f988a35e2b1c022b30a39b0127a081254e8f6d3a4b7f8b3da

SHA512
a4a9e8a6a905c24fcb35cd396a2fbbc819af599738ba7b3558c6bdc4fb55f9741ff1deb4800e8d965eedf42920857fc6e14a4c7f1b57e8adaa54c0e1eb88382c

Download Submit
C:\Windows\{4EF25E50-0A4F-4bb3-A3EB-926BF0699E74}.exe

Filesize
372KB

MD5
b427c9af978f442c9e436cf43b18af28

SHA1
800d1e442e307c3827f875a277be637d0fc5dba9

SHA256
92c32b8cbb633b6f988a35e2b1c022b30a39b0127a081254e8f6d3a4b7f8b3da

SHA512
a4a9e8a6a905c24fcb35cd396a2fbbc819af599738ba7b3558c6bdc4fb55f9741ff1deb4800e8d965eedf42920857fc6e14a4c7f1b57e8adaa54c0e1eb88382c

Download Submit
C:\Windows\{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe

Filesize
372KB

MD5
dc97746d21acdda4957e8865803657a2

SHA1
5ebdd9d761797cb2b76d6abca195e9342e0646fc

SHA256
592bb8dce811798fcce1aec7bd362b65be18708aaf543d02bd1105fff1072632

SHA512
0789f926dd49e16814b8f7cb908e864537774c3bdf35c3154348c9bf91a45cfc017d6f5e76f1950e0f7d2e8d5bd26734f7232eea1061df3f022228ddc0c3c221

Download Submit
C:\Windows\{68A238E1-10EA-4ecd-B2BF-F9E6281D851B}.exe

Filesize
372KB

MD5
dc97746d21acdda4957e8865803657a2

SHA1
5ebdd9d761797cb2b76d6abca195e9342e0646fc

SHA256
592bb8dce811798fcce1aec7bd362b65be18708aaf543d02bd1105fff1072632

SHA512
0789f926dd49e16814b8f7cb908e864537774c3bdf35c3154348c9bf91a45cfc017d6f5e76f1950e0f7d2e8d5bd26734f7232eea1061df3f022228ddc0c3c221

Download Submit
C:\Windows\{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe

Filesize
372KB

MD5
9ef565205d8a650c82c4b4b6b3460895

SHA1
c45637dbf09c824eba21b85e2ad979b3a721a6a5

SHA256
476c2d58edc8e30b624c2a76fc4e073bfe1c59d98f2b7e0d0bceb8a717b94898

SHA512
3c92ef00516dc67737ce0346b1614393a6a10b7b84ae0b127730c25d370311a26050b553c603d136f67623e25565b7df36a1dce88029e3ed41050502dc737ebc

Download Submit
C:\Windows\{7839FC07-CD8F-4505-854F-67BD7FBED7F7}.exe

Filesize
372KB

MD5
9ef565205d8a650c82c4b4b6b3460895

SHA1
c45637dbf09c824eba21b85e2ad979b3a721a6a5

SHA256
476c2d58edc8e30b624c2a76fc4e073bfe1c59d98f2b7e0d0bceb8a717b94898

SHA512
3c92ef00516dc67737ce0346b1614393a6a10b7b84ae0b127730c25d370311a26050b553c603d136f67623e25565b7df36a1dce88029e3ed41050502dc737ebc

Download Submit
C:\Windows\{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe

Filesize
372KB

MD5
c7a4e66b6c762554352c7e0c518ead8d

SHA1
209b89971042dfe0b24e8aaff2d4790e76646c8e

SHA256
b724775eaf3682c332e54d97d96aef4b12d17e6fc4e02f3995b3b93daaaa2410

SHA512
bd4eb5f8e902edef91a82bb5d06a25cdef51cfafa7db51196078d3577a6e550b6fb44efdf9edf9016d457c1af08f85c3b2aa08105c983708500017fc8696eb0b

Download Submit
C:\Windows\{A120CA3B-D92A-4236-953F-2471B6B1B26C}.exe

Filesize
372KB

MD5
c7a4e66b6c762554352c7e0c518ead8d

SHA1
209b89971042dfe0b24e8aaff2d4790e76646c8e

SHA256
b724775eaf3682c332e54d97d96aef4b12d17e6fc4e02f3995b3b93daaaa2410

SHA512
bd4eb5f8e902edef91a82bb5d06a25cdef51cfafa7db51196078d3577a6e550b6fb44efdf9edf9016d457c1af08f85c3b2aa08105c983708500017fc8696eb0b

Download Submit
C:\Windows\{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe

Filesize
372KB

MD5
4d921b924f62004f87f7aadfd6091a63

SHA1
35a31c5186fbf20ce62a333f606314436fd7ed60

SHA256
db80db1fe683c32d31d765303b8d64e0699d84585a6557405c5d8b138892b51d

SHA512
f3e179137b0a0f97a4d69fd62dc36cb3e8fc2beaccc271bed6c475b5bfb6bade1e2af15367b9909de333ff6260f6a04adb7d3acc5b61602d08523ff713bbc69a

Download Submit
C:\Windows\{BF69E011-EB64-4bd7-ADDF-6275E1B5A0E5}.exe

Filesize
372KB

MD5
4d921b924f62004f87f7aadfd6091a63

SHA1
35a31c5186fbf20ce62a333f606314436fd7ed60

SHA256
db80db1fe683c32d31d765303b8d64e0699d84585a6557405c5d8b138892b51d

SHA512
f3e179137b0a0f97a4d69fd62dc36cb3e8fc2beaccc271bed6c475b5bfb6bade1e2af15367b9909de333ff6260f6a04adb7d3acc5b61602d08523ff713bbc69a

Download Submit
C:\Windows\{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe

Filesize
372KB

MD5
210364738a4e30299ace9703eec237a4

SHA1
7e50c642a4477c4b48681d2f74fb865d0058a4c5

SHA256
8a6bf9ea9a7d4ddf976753ea0ab770b4646ad235bc8a2a47adb0cc650960682e

SHA512
a3a9cf2eb8c4f79f5a488f6490667aff0baee8aa5bf813e9a848b7e19bc53442ad87c39fe5faff2c6e50da26bd2f327870747076812e901bfce091e2140cc253

Download Submit
C:\Windows\{C15C2EE8-EADF-425b-BA30-0F0DD8BCE729}.exe

Filesize
372KB

MD5
210364738a4e30299ace9703eec237a4

SHA1
7e50c642a4477c4b48681d2f74fb865d0058a4c5

SHA256
8a6bf9ea9a7d4ddf976753ea0ab770b4646ad235bc8a2a47adb0cc650960682e

SHA512
a3a9cf2eb8c4f79f5a488f6490667aff0baee8aa5bf813e9a848b7e19bc53442ad87c39fe5faff2c6e50da26bd2f327870747076812e901bfce091e2140cc253

Download Submit
C:\Windows\{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe

Filesize
372KB

MD5
a783d717b94ea049588750ef32babbb2

SHA1
f98f9d8625fd77b673c662456ac59b71880fb087

SHA256
885631900d49dcd4a1895710e659889018351ca322211099f195f4b1e4282cb2

SHA512
c8822231f74d1b172b6935bafffbd6d7fd2303e57f222d150335f8f3e1f3157942aac51f8c63a1001e65fa32be7564f643591eb014ebbf37210638fb3b9673f3

Download Submit
C:\Windows\{C307B49C-4966-46dc-9B32-05ADA03FD080}.exe

Filesize
372KB

MD5
a783d717b94ea049588750ef32babbb2

SHA1
f98f9d8625fd77b673c662456ac59b71880fb087

SHA256
885631900d49dcd4a1895710e659889018351ca322211099f195f4b1e4282cb2

SHA512
c8822231f74d1b172b6935bafffbd6d7fd2303e57f222d150335f8f3e1f3157942aac51f8c63a1001e65fa32be7564f643591eb014ebbf37210638fb3b9673f3

Download Submit
C:\Windows\{E0297ECF-1DB5-472d-852A-C1F2B179D015}.exe

Filesize
372KB

MD5
48b0dd2d6849ecf9dc7452428ddb97a5

SHA1
6035b34d086ad2710b3b4daf02cad82d3250fd70

SHA256
4599a4bfb6c00719908f35c488aa16d3d7e136194fed982d11f94e3c7756bca5

SHA512
a14b20b6ba7b017efadbd09441c5b94a0f74308ef56bad933168dbd9aac664ac63116e8d324e221067d95fbb4f7c453a07b322d27e2670695c64d15512742255

Download Submit