77f48ed0ff11a664fe374f1c44762836896b167883d6cbcda63066b07d661009

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14-07-2023 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e9e42dcd0f8acexeexe_JC.exe
Size

168KB
MD5

2e9e42dcd0f8ac61b4750401d72facf1
SHA1

459f335befd9a667ef33e11f4c3893d204bff5b5
SHA256

77f48ed0ff11a664fe374f1c44762836896b167883d6cbcda63066b07d661009
SHA512

794b3433b199af06927399f78b5cf655ff8babadc9e620f3e77c8f46886fbae79d50251aa4b541f5dc1278ca92fe61b764dcb2bc1ca214e1553f77f10d038039
SSDEEP

1536:1EGh0o0lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o0lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F2DC861-48F3-431d-B475-F182354DD00D}	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F2DC861-48F3-431d-B475-F182354DD00D}\stubpath = "C:\\Windows\\{8F2DC861-48F3-431d-B475-F182354DD00D}.exe"	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C81A1860-350E-4662-8522-C0883C3364E4}	{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B8D9FFE-5178-423c-A49D-7B7F2B181345}	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0684DD54-23A5-4590-AE30-C1A0AB80F329}	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C81A1860-350E-4662-8522-C0883C3364E4}\stubpath = "C:\\Windows\\{C81A1860-350E-4662-8522-C0883C3364E4}.exe"	{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}\stubpath = "C:\\Windows\\{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe"	2e9e42dcd0f8acexeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}\stubpath = "C:\\Windows\\{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe"	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}\stubpath = "C:\\Windows\\{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe"	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}\stubpath = "C:\\Windows\\{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe"	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}	{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}	{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}\stubpath = "C:\\Windows\\{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe"	{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}	2e9e42dcd0f8acexeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}\stubpath = "C:\\Windows\\{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe"	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B8D9FFE-5178-423c-A49D-7B7F2B181345}\stubpath = "C:\\Windows\\{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe"	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0684DD54-23A5-4590-AE30-C1A0AB80F329}\stubpath = "C:\\Windows\\{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe"	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}\stubpath = "C:\\Windows\\{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe"	{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe

Deletes itself 1 IoCs

pid	Process
2404	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1404	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe
3012	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe
3000	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe
2720	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe
2696	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe
1208	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe
2352	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe
1184	{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe
1480	{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe
1516	{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe
1860	{C81A1860-350E-4662-8522-C0883C3364E4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe
File created	C:\Windows\{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe	{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe
File created	C:\Windows\{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe	{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe
File created	C:\Windows\{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe
File created	C:\Windows\{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe
File created	C:\Windows\{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe
File created	C:\Windows\{8F2DC861-48F3-431d-B475-F182354DD00D}.exe	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe
File created	C:\Windows\{C81A1860-350E-4662-8522-C0883C3364E4}.exe	{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe
File created	C:\Windows\{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe	2e9e42dcd0f8acexeexe_JC.exe
File created	C:\Windows\{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe
File created	C:\Windows\{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2476	2e9e42dcd0f8acexeexe_JC.exe
Token: SeIncBasePriorityPrivilege	1404	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe
Token: SeIncBasePriorityPrivilege	3012	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe
Token: SeIncBasePriorityPrivilege	3000	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe
Token: SeIncBasePriorityPrivilege	2720	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe
Token: SeIncBasePriorityPrivilege	2696	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe
Token: SeIncBasePriorityPrivilege	1208	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe
Token: SeIncBasePriorityPrivilege	2352	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe
Token: SeIncBasePriorityPrivilege	1184	{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe
Token: SeIncBasePriorityPrivilege	1480	{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe
Token: SeIncBasePriorityPrivilege	1516	{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 1404	2476	2e9e42dcd0f8acexeexe_JC.exe	28
PID 2476 wrote to memory of 1404	2476	2e9e42dcd0f8acexeexe_JC.exe	28
PID 2476 wrote to memory of 1404	2476	2e9e42dcd0f8acexeexe_JC.exe	28
PID 2476 wrote to memory of 1404	2476	2e9e42dcd0f8acexeexe_JC.exe	28
PID 2476 wrote to memory of 2404	2476	2e9e42dcd0f8acexeexe_JC.exe	29
PID 2476 wrote to memory of 2404	2476	2e9e42dcd0f8acexeexe_JC.exe	29
PID 2476 wrote to memory of 2404	2476	2e9e42dcd0f8acexeexe_JC.exe	29
PID 2476 wrote to memory of 2404	2476	2e9e42dcd0f8acexeexe_JC.exe	29
PID 1404 wrote to memory of 3012	1404	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe	32
PID 1404 wrote to memory of 3012	1404	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe	32
PID 1404 wrote to memory of 3012	1404	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe	32
PID 1404 wrote to memory of 3012	1404	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe	32
PID 1404 wrote to memory of 2704	1404	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe	33
PID 1404 wrote to memory of 2704	1404	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe	33
PID 1404 wrote to memory of 2704	1404	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe	33
PID 1404 wrote to memory of 2704	1404	{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe	33
PID 3012 wrote to memory of 3000	3012	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe	34
PID 3012 wrote to memory of 3000	3012	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe	34
PID 3012 wrote to memory of 3000	3012	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe	34
PID 3012 wrote to memory of 3000	3012	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe	34
PID 3012 wrote to memory of 2724	3012	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe	35
PID 3012 wrote to memory of 2724	3012	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe	35
PID 3012 wrote to memory of 2724	3012	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe	35
PID 3012 wrote to memory of 2724	3012	{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe	35
PID 3000 wrote to memory of 2720	3000	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe	36
PID 3000 wrote to memory of 2720	3000	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe	36
PID 3000 wrote to memory of 2720	3000	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe	36
PID 3000 wrote to memory of 2720	3000	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe	36
PID 3000 wrote to memory of 240	3000	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe	37
PID 3000 wrote to memory of 240	3000	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe	37
PID 3000 wrote to memory of 240	3000	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe	37
PID 3000 wrote to memory of 240	3000	{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe	37
PID 2720 wrote to memory of 2696	2720	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe	38
PID 2720 wrote to memory of 2696	2720	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe	38
PID 2720 wrote to memory of 2696	2720	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe	38
PID 2720 wrote to memory of 2696	2720	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe	38
PID 2720 wrote to memory of 2728	2720	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe	39
PID 2720 wrote to memory of 2728	2720	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe	39
PID 2720 wrote to memory of 2728	2720	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe	39
PID 2720 wrote to memory of 2728	2720	{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe	39
PID 2696 wrote to memory of 1208	2696	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe	40
PID 2696 wrote to memory of 1208	2696	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe	40
PID 2696 wrote to memory of 1208	2696	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe	40
PID 2696 wrote to memory of 1208	2696	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe	40
PID 2696 wrote to memory of 2740	2696	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe	41
PID 2696 wrote to memory of 2740	2696	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe	41
PID 2696 wrote to memory of 2740	2696	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe	41
PID 2696 wrote to memory of 2740	2696	{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe	41
PID 1208 wrote to memory of 2352	1208	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe	42
PID 1208 wrote to memory of 2352	1208	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe	42
PID 1208 wrote to memory of 2352	1208	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe	42
PID 1208 wrote to memory of 2352	1208	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe	42
PID 1208 wrote to memory of 268	1208	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe	43
PID 1208 wrote to memory of 268	1208	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe	43
PID 1208 wrote to memory of 268	1208	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe	43
PID 1208 wrote to memory of 268	1208	{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe	43
PID 2352 wrote to memory of 1184	2352	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe	44
PID 2352 wrote to memory of 1184	2352	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe	44
PID 2352 wrote to memory of 1184	2352	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe	44
PID 2352 wrote to memory of 1184	2352	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe	44
PID 2352 wrote to memory of 1500	2352	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe	45
PID 2352 wrote to memory of 1500	2352	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe	45
PID 2352 wrote to memory of 1500	2352	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe	45
PID 2352 wrote to memory of 1500	2352	{8F2DC861-48F3-431d-B475-F182354DD00D}.exe	45

C:\Users\Admin\AppData\Local\Temp\2e9e42dcd0f8acexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2e9e42dcd0f8acexeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe
  C:\Windows\{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1404
- - C:\Windows\{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe
    C:\Windows\{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe
      C:\Windows\{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3000
    - - C:\Windows\{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe
        
        C:\Windows\{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
      - C:\Windows\{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe
        
        C:\Windows\{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe
        
        C:\Windows\{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1208
        
        C:\Windows\{8F2DC861-48F3-431d-B475-F182354DD00D}.exe
        
        C:\Windows\{8F2DC861-48F3-431d-B475-F182354DD00D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe
        
        C:\Windows\{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe
        
        C:\Windows\{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe
        
        C:\Windows\{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1516
        
        C:\Windows\{C81A1860-350E-4662-8522-C0883C3364E4}.exe
        
        C:\Windows\{C81A1860-350E-4662-8522-C0883C3364E4}.exe
        12⤵
        Executes dropped EXE
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AE4E~1.EXE > nul
        12⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FFF8F~1.EXE > nul
        11⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0684D~1.EXE > nul
        10⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F2DC~1.EXE > nul
        9⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A325~1.EXE > nul
        8⤵
        
        PID:268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{088C9~1.EXE > nul
        7⤵
        
        PID:2740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B8D9~1.EXE > nul
        6⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6AB96~1.EXE > nul
        5⤵
        
        PID:240
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5DEAC~1.EXE > nul
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F7C0~1.EXE > nul
    3⤵
    PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2E9E42~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe

Filesize
168KB

MD5
24e51f07c25883fb036911b149fdaae9

SHA1
48036a5518d23eff620e7c17a59c1231cbb27d89

SHA256
5950668f19aefce96ff0b25a5bebf6953d7aa25b4ce333681626ea5727f3fba2

SHA512
610afdf9eb984bab08c1b5900846c9013b7f8dae60f23999258c30e87c5a9b2d911ad7aa0606d1fc406bd1f57d4b4a3977666605bcf3b8a56943c853f7289ed5

Download Submit
C:\Windows\{0684DD54-23A5-4590-AE30-C1A0AB80F329}.exe

Filesize
168KB

MD5
24e51f07c25883fb036911b149fdaae9

SHA1
48036a5518d23eff620e7c17a59c1231cbb27d89

SHA256
5950668f19aefce96ff0b25a5bebf6953d7aa25b4ce333681626ea5727f3fba2

SHA512
610afdf9eb984bab08c1b5900846c9013b7f8dae60f23999258c30e87c5a9b2d911ad7aa0606d1fc406bd1f57d4b4a3977666605bcf3b8a56943c853f7289ed5

Download Submit
C:\Windows\{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe

Filesize
168KB

MD5
f59c0c061a7b1c09a3747a518789009e

SHA1
ca9f294870f20f069d341bc24dbbea87a01850c7

SHA256
4e22b0e1d7e379fee253cb13af28c88900cdabaae7f803be91a680fe89c58255

SHA512
3a712b4c6fff21ac6bd02cd7a2ae1c8940af6f65a83abb2b377330e434462b2f8bdaf85cf3e9b399a67bf9cfef3aa02fde56c23a82ffefe4841b8f447839ad73

Download Submit
C:\Windows\{088C9424-D864-4d33-BA3A-DFAB65D6EEF4}.exe

Filesize
168KB

MD5
f59c0c061a7b1c09a3747a518789009e

SHA1
ca9f294870f20f069d341bc24dbbea87a01850c7

SHA256
4e22b0e1d7e379fee253cb13af28c88900cdabaae7f803be91a680fe89c58255

SHA512
3a712b4c6fff21ac6bd02cd7a2ae1c8940af6f65a83abb2b377330e434462b2f8bdaf85cf3e9b399a67bf9cfef3aa02fde56c23a82ffefe4841b8f447839ad73

Download Submit
C:\Windows\{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe

Filesize
168KB

MD5
40ec79b58c8aef31e73bf884c13b4c46

SHA1
716da9e2c916abcbe02c4e7343448f221b0d6eb5

SHA256
b32c595339a534093eb9a9b6df90cd2aaeb663b628949bc664892fec1c9b6e21

SHA512
85b44f213a4705c99889d53c7ac1fc30a32c1bc44eb47b59f958ae538f00305f9bd9a3b4d1e20a5cb8d0959ef37980076d3bad5cf22664be16d6158b3dd34f7e

Download Submit
C:\Windows\{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe

Filesize
168KB

MD5
40ec79b58c8aef31e73bf884c13b4c46

SHA1
716da9e2c916abcbe02c4e7343448f221b0d6eb5

SHA256
b32c595339a534093eb9a9b6df90cd2aaeb663b628949bc664892fec1c9b6e21

SHA512
85b44f213a4705c99889d53c7ac1fc30a32c1bc44eb47b59f958ae538f00305f9bd9a3b4d1e20a5cb8d0959ef37980076d3bad5cf22664be16d6158b3dd34f7e

Download Submit
C:\Windows\{0F7C0511-09C4-4242-B2F3-A7B7E9A94B3C}.exe

Filesize
168KB

MD5
40ec79b58c8aef31e73bf884c13b4c46

SHA1
716da9e2c916abcbe02c4e7343448f221b0d6eb5

SHA256
b32c595339a534093eb9a9b6df90cd2aaeb663b628949bc664892fec1c9b6e21

SHA512
85b44f213a4705c99889d53c7ac1fc30a32c1bc44eb47b59f958ae538f00305f9bd9a3b4d1e20a5cb8d0959ef37980076d3bad5cf22664be16d6158b3dd34f7e

Download Submit
C:\Windows\{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe

Filesize
168KB

MD5
49ceead0975f932762dc015c82003bda

SHA1
0f4bd28a0e67e6535c8b40b54e3d0654bd68dc1b

SHA256
ca0c5e7c2fd481df333eb4ba9d2cf85b6a3f63d5d0a24ffd26b4487d8a2085d5

SHA512
14b46caa5959f692a714c6f595870dfe01f8388667e777059e280ee811793c71a78ab1747b309c80e4c78a6315378307f6dba25a0385426a28c4bdb6345a9e90

Download Submit
C:\Windows\{5DEAC356-F3E8-4c1e-A3CC-E9CE2A170152}.exe

Filesize
168KB

MD5
49ceead0975f932762dc015c82003bda

SHA1
0f4bd28a0e67e6535c8b40b54e3d0654bd68dc1b

SHA256
ca0c5e7c2fd481df333eb4ba9d2cf85b6a3f63d5d0a24ffd26b4487d8a2085d5

SHA512
14b46caa5959f692a714c6f595870dfe01f8388667e777059e280ee811793c71a78ab1747b309c80e4c78a6315378307f6dba25a0385426a28c4bdb6345a9e90

Download Submit
C:\Windows\{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe

Filesize
168KB

MD5
8dc77bd4512260b89a92c287651d4740

SHA1
abce5fe3ae9137107756c43162992a02bd647b81

SHA256
9888e7a00ef1afab72713cdf570773758356b9c1e05fa8c1deaa76e63981da52

SHA512
e84d97ae52138e17ef5a4f4ca1813f3df442cdc71df51ad2ede280b850a8beb22fbf7786dc31343686670b1ddabdf19eb9b4686a1f15a0f2225341b3b1029935

Download Submit
C:\Windows\{6AB96811-F58E-4bc4-9A27-63BEC132FDAD}.exe

Filesize
168KB

MD5
8dc77bd4512260b89a92c287651d4740

SHA1
abce5fe3ae9137107756c43162992a02bd647b81

SHA256
9888e7a00ef1afab72713cdf570773758356b9c1e05fa8c1deaa76e63981da52

SHA512
e84d97ae52138e17ef5a4f4ca1813f3df442cdc71df51ad2ede280b850a8beb22fbf7786dc31343686670b1ddabdf19eb9b4686a1f15a0f2225341b3b1029935

Download Submit
C:\Windows\{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe

Filesize
168KB

MD5
3b7d81f0a18759f0caf9297f6f32801c

SHA1
84b5fff245602c8c714afd5eb48e4707dfcf7dc3

SHA256
d6c9b0cd36650b4ed6b38dca6718fac9ac8461980a1d9b58c575d126c6ef72ba

SHA512
4b4ff1efa9e05bb31f2cd1ecfd9de7a786de7ce4816969cc9c4c662ba1e34ed56db85358f49ac1f581e14b24c71d70f8420129375b2e5a96d474c033d7cc8a75

Download Submit
C:\Windows\{7AE4EB6A-CA4A-4a71-B5A9-BF7A903572B1}.exe

Filesize
168KB

MD5
3b7d81f0a18759f0caf9297f6f32801c

SHA1
84b5fff245602c8c714afd5eb48e4707dfcf7dc3

SHA256
d6c9b0cd36650b4ed6b38dca6718fac9ac8461980a1d9b58c575d126c6ef72ba

SHA512
4b4ff1efa9e05bb31f2cd1ecfd9de7a786de7ce4816969cc9c4c662ba1e34ed56db85358f49ac1f581e14b24c71d70f8420129375b2e5a96d474c033d7cc8a75

Download Submit
C:\Windows\{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe

Filesize
168KB

MD5
a7d6c7e1b0e8f0c9634e5adc2537ce47

SHA1
9717cba650e6dda7aaabfdf75a9ad9c7d780e3c7

SHA256
8b2cd43abb7d2a4b8e44a5e01ad19e0667911cf13f7c0a3d8086eae6472fba2a

SHA512
fd9312a5efff7fe8060e1a9e84c55130b1a8fe654abe8652ec926157405dd67d5a3072d7e4c72e64abb76c91062668d79e3982cc5c31809a71c5a5b83a62106c

Download Submit
C:\Windows\{8A325B24-4B3B-4ca1-87E8-B9E2588EDA7A}.exe

Filesize
168KB

MD5
a7d6c7e1b0e8f0c9634e5adc2537ce47

SHA1
9717cba650e6dda7aaabfdf75a9ad9c7d780e3c7

SHA256
8b2cd43abb7d2a4b8e44a5e01ad19e0667911cf13f7c0a3d8086eae6472fba2a

SHA512
fd9312a5efff7fe8060e1a9e84c55130b1a8fe654abe8652ec926157405dd67d5a3072d7e4c72e64abb76c91062668d79e3982cc5c31809a71c5a5b83a62106c

Download Submit
C:\Windows\{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe

Filesize
168KB

MD5
e775fecaa3d15beb143363b8dddccfbb

SHA1
425ea5585e0a7129c4ae10eb28b1610881999411

SHA256
ed5cc2b38decb9e307f9a4e7f90276aec025fe39843e6ed817a5b14622ed012e

SHA512
0cee5aca22329dd6d299a803ba553db8a61f4a79785d99e8542a2fe14eff845541bff08f695b12172ef2fa28ddc80fea56624b7cc97b9c390d8c7d4f9e283a08

Download Submit
C:\Windows\{8B8D9FFE-5178-423c-A49D-7B7F2B181345}.exe

Filesize
168KB

MD5
e775fecaa3d15beb143363b8dddccfbb

SHA1
425ea5585e0a7129c4ae10eb28b1610881999411

SHA256
ed5cc2b38decb9e307f9a4e7f90276aec025fe39843e6ed817a5b14622ed012e

SHA512
0cee5aca22329dd6d299a803ba553db8a61f4a79785d99e8542a2fe14eff845541bff08f695b12172ef2fa28ddc80fea56624b7cc97b9c390d8c7d4f9e283a08

Download Submit
C:\Windows\{8F2DC861-48F3-431d-B475-F182354DD00D}.exe

Filesize
168KB

MD5
861de70d8e2ab04aa282f6503f4b957a

SHA1
21cdf71ac955924a052f6dfbc76a56406e4835ba

SHA256
cee10a0d1e73a46761878801bf3125679d044c3fff94fc50652c4f578a8b67e1

SHA512
cef226d8297b51e07a951c22fe7f18457012174b5e7233f6dd98dc209e3f657833e85d9f7364f1f0051e62dac155c578f59524d4e331c4a919977562b439847f

Download Submit
C:\Windows\{8F2DC861-48F3-431d-B475-F182354DD00D}.exe

Filesize
168KB

MD5
861de70d8e2ab04aa282f6503f4b957a

SHA1
21cdf71ac955924a052f6dfbc76a56406e4835ba

SHA256
cee10a0d1e73a46761878801bf3125679d044c3fff94fc50652c4f578a8b67e1

SHA512
cef226d8297b51e07a951c22fe7f18457012174b5e7233f6dd98dc209e3f657833e85d9f7364f1f0051e62dac155c578f59524d4e331c4a919977562b439847f

Download Submit
C:\Windows\{C81A1860-350E-4662-8522-C0883C3364E4}.exe

Filesize
168KB

MD5
b703798dabafb4e9158045d582449e7f

SHA1
f92115a51552c16214039466841ed697e9e757d0

SHA256
3f9d9bea73d79481fea6bbf559d9258e8b35afd8fb5405b5c1fd417def58068e

SHA512
ef23291ee54f490c3f0b04a9969319239b1d4b8fcd464b8cc700983cb2c4798bb8650c9160c68c84eaa7a91d28be129fe4d341dad74a874bf99e57818d2c4766

Download Submit
C:\Windows\{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe

Filesize
168KB

MD5
3b03b38294d6790c947617e546a7c53a

SHA1
11a35c11e76f3c27f48f9efed09bd6c5980726cd

SHA256
2377fb2bf4e5813bdff8c119947999feaebfc23234add386b96def5712300bea

SHA512
5584da10abee9ef4b20197c19f12a5064a333982106751c9ba0d8fb8be61923cf14797d585a85f5e188a572d5197956057288ef37beeef2b27f11ae635a0d7f5

Download Submit
C:\Windows\{FFF8F352-6DA4-463f-80AC-0B0DF21D09B6}.exe

Filesize
168KB

MD5
3b03b38294d6790c947617e546a7c53a

SHA1
11a35c11e76f3c27f48f9efed09bd6c5980726cd

SHA256
2377fb2bf4e5813bdff8c119947999feaebfc23234add386b96def5712300bea

SHA512
5584da10abee9ef4b20197c19f12a5064a333982106751c9ba0d8fb8be61923cf14797d585a85f5e188a572d5197956057288ef37beeef2b27f11ae635a0d7f5

Download Submit