019941eda20f8b71820ff05559a5d729497eea62d3cde704af0a27f5105a3e77

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/07/2023, 12:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4298cc27f37f99exeexe_JC.exe
Size

204KB
MD5

4298cc27f37f99862aec37b0c97ed706
SHA1

437eff05d406bc7dfc47780c7453614841044a1c
SHA256

019941eda20f8b71820ff05559a5d729497eea62d3cde704af0a27f5105a3e77
SHA512

121ddc52d17f8331d597f84878025fcd83b91e5743cf468b3553f1f48078711d8ad4d3ffd03f0c48805a35de3b0b92179a59fa6ed52a2d2a51c047141a92578d
SSDEEP

1536:1EGh0ocl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ocl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A43DEEF6-F635-433d-8B55-B034F54785EF}\stubpath = "C:\\Windows\\{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe"	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}\stubpath = "C:\\Windows\\{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe"	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D8B2F66-0FCE-487a-B4E3-4133E5558977}	{496B4684-4A96-41f5-BA89-7159BD850885}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}\stubpath = "C:\\Windows\\{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe"	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93202371-66A6-4d05-B3A8-E2B0410BC9E4}	{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{496B4684-4A96-41f5-BA89-7159BD850885}	{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{496B4684-4A96-41f5-BA89-7159BD850885}\stubpath = "C:\\Windows\\{496B4684-4A96-41f5-BA89-7159BD850885}.exe"	{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB8EF758-400A-48b7-B581-B773379B8D4C}	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}\stubpath = "C:\\Windows\\{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe"	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}\stubpath = "C:\\Windows\\{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe"	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A43DEEF6-F635-433d-8B55-B034F54785EF}	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC6C8815-74DF-4739-866C-D7BA67CFB22B}	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EC6C8815-74DF-4739-866C-D7BA67CFB22B}\stubpath = "C:\\Windows\\{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe"	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}	4298cc27f37f99exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}\stubpath = "C:\\Windows\\{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe"	4298cc27f37f99exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DB8EF758-400A-48b7-B581-B773379B8D4C}\stubpath = "C:\\Windows\\{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe"	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93202371-66A6-4d05-B3A8-E2B0410BC9E4}\stubpath = "C:\\Windows\\{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe"	{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D8B2F66-0FCE-487a-B4E3-4133E5558977}\stubpath = "C:\\Windows\\{6D8B2F66-0FCE-487a-B4E3-4133E5558977}.exe"	{496B4684-4A96-41f5-BA89-7159BD850885}.exe

Deletes itself 1 IoCs

pid	Process
1608	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2156	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe
2968	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe
2744	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe
2884	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe
2724	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe
2632	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe
1196	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe
1488	{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe
296	{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe
2132	{496B4684-4A96-41f5-BA89-7159BD850885}.exe
2260	{6D8B2F66-0FCE-487a-B4E3-4133E5558977}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe
File created	C:\Windows\{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe
File created	C:\Windows\{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe
File created	C:\Windows\{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe
File created	C:\Windows\{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe	{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe
File created	C:\Windows\{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe	4298cc27f37f99exeexe_JC.exe
File created	C:\Windows\{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe
File created	C:\Windows\{496B4684-4A96-41f5-BA89-7159BD850885}.exe	{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe
File created	C:\Windows\{6D8B2F66-0FCE-487a-B4E3-4133E5558977}.exe	{496B4684-4A96-41f5-BA89-7159BD850885}.exe
File created	C:\Windows\{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe
File created	C:\Windows\{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2604	4298cc27f37f99exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	2156	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe
Token: SeIncBasePriorityPrivilege	2968	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe
Token: SeIncBasePriorityPrivilege	2744	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe
Token: SeIncBasePriorityPrivilege	2884	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe
Token: SeIncBasePriorityPrivilege	2724	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe
Token: SeIncBasePriorityPrivilege	2632	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe
Token: SeIncBasePriorityPrivilege	1196	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe
Token: SeIncBasePriorityPrivilege	1488	{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe
Token: SeIncBasePriorityPrivilege	296	{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe
Token: SeIncBasePriorityPrivilege	2132	{496B4684-4A96-41f5-BA89-7159BD850885}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2156	2604	4298cc27f37f99exeexe_JC.exe	28
PID 2604 wrote to memory of 2156	2604	4298cc27f37f99exeexe_JC.exe	28
PID 2604 wrote to memory of 2156	2604	4298cc27f37f99exeexe_JC.exe	28
PID 2604 wrote to memory of 2156	2604	4298cc27f37f99exeexe_JC.exe	28
PID 2604 wrote to memory of 1608	2604	4298cc27f37f99exeexe_JC.exe	29
PID 2604 wrote to memory of 1608	2604	4298cc27f37f99exeexe_JC.exe	29
PID 2604 wrote to memory of 1608	2604	4298cc27f37f99exeexe_JC.exe	29
PID 2604 wrote to memory of 1608	2604	4298cc27f37f99exeexe_JC.exe	29
PID 2156 wrote to memory of 2968	2156	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe	32
PID 2156 wrote to memory of 2968	2156	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe	32
PID 2156 wrote to memory of 2968	2156	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe	32
PID 2156 wrote to memory of 2968	2156	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe	32
PID 2156 wrote to memory of 2960	2156	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe	33
PID 2156 wrote to memory of 2960	2156	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe	33
PID 2156 wrote to memory of 2960	2156	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe	33
PID 2156 wrote to memory of 2960	2156	{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe	33
PID 2968 wrote to memory of 2744	2968	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe	34
PID 2968 wrote to memory of 2744	2968	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe	34
PID 2968 wrote to memory of 2744	2968	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe	34
PID 2968 wrote to memory of 2744	2968	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe	34
PID 2968 wrote to memory of 2924	2968	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe	35
PID 2968 wrote to memory of 2924	2968	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe	35
PID 2968 wrote to memory of 2924	2968	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe	35
PID 2968 wrote to memory of 2924	2968	{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe	35
PID 2744 wrote to memory of 2884	2744	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe	36
PID 2744 wrote to memory of 2884	2744	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe	36
PID 2744 wrote to memory of 2884	2744	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe	36
PID 2744 wrote to memory of 2884	2744	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe	36
PID 2744 wrote to memory of 2824	2744	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe	37
PID 2744 wrote to memory of 2824	2744	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe	37
PID 2744 wrote to memory of 2824	2744	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe	37
PID 2744 wrote to memory of 2824	2744	{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe	37
PID 2884 wrote to memory of 2724	2884	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe	38
PID 2884 wrote to memory of 2724	2884	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe	38
PID 2884 wrote to memory of 2724	2884	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe	38
PID 2884 wrote to memory of 2724	2884	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe	38
PID 2884 wrote to memory of 2776	2884	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe	39
PID 2884 wrote to memory of 2776	2884	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe	39
PID 2884 wrote to memory of 2776	2884	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe	39
PID 2884 wrote to memory of 2776	2884	{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe	39
PID 2724 wrote to memory of 2632	2724	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe	40
PID 2724 wrote to memory of 2632	2724	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe	40
PID 2724 wrote to memory of 2632	2724	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe	40
PID 2724 wrote to memory of 2632	2724	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe	40
PID 2724 wrote to memory of 2644	2724	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe	41
PID 2724 wrote to memory of 2644	2724	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe	41
PID 2724 wrote to memory of 2644	2724	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe	41
PID 2724 wrote to memory of 2644	2724	{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe	41
PID 2632 wrote to memory of 1196	2632	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe	42
PID 2632 wrote to memory of 1196	2632	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe	42
PID 2632 wrote to memory of 1196	2632	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe	42
PID 2632 wrote to memory of 1196	2632	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe	42
PID 2632 wrote to memory of 1028	2632	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe	43
PID 2632 wrote to memory of 1028	2632	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe	43
PID 2632 wrote to memory of 1028	2632	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe	43
PID 2632 wrote to memory of 1028	2632	{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe	43
PID 1196 wrote to memory of 1488	1196	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe	44
PID 1196 wrote to memory of 1488	1196	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe	44
PID 1196 wrote to memory of 1488	1196	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe	44
PID 1196 wrote to memory of 1488	1196	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe	44
PID 1196 wrote to memory of 2196	1196	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe	45
PID 1196 wrote to memory of 2196	1196	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe	45
PID 1196 wrote to memory of 2196	1196	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe	45
PID 1196 wrote to memory of 2196	1196	{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe	45

C:\Users\Admin\AppData\Local\Temp\4298cc27f37f99exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4298cc27f37f99exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe
  C:\Windows\{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe
    C:\Windows\{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2968
  - - C:\Windows\{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe
      C:\Windows\{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe
        
        C:\Windows\{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2884
      - C:\Windows\{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe
        
        C:\Windows\{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe
        
        C:\Windows\{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2632
        
        C:\Windows\{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe
        
        C:\Windows\{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe
        
        C:\Windows\{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
        
        C:\Windows\{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe
        
        C:\Windows\{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93202~1.EXE > nul
        11⤵
        
        PID:2080
        
        C:\Windows\{496B4684-4A96-41f5-BA89-7159BD850885}.exe
        
        C:\Windows\{496B4684-4A96-41f5-BA89-7159BD850885}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\{6D8B2F66-0FCE-487a-B4E3-4133E5558977}.exe
        
        C:\Windows\{6D8B2F66-0FCE-487a-B4E3-4133E5558977}.exe
        12⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{496B4~1.EXE > nul
        12⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB7D1~1.EXE > nul
        10⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7D05~1.EXE > nul
        9⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC6C8~1.EXE > nul
        8⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D78A0~1.EXE > nul
        7⤵
        
        PID:2644
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A43DE~1.EXE > nul
        6⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6CE0F~1.EXE > nul
        5⤵
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DB8EF~1.EXE > nul
      4⤵
      PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B710E~1.EXE > nul
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4298CC~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{496B4684-4A96-41f5-BA89-7159BD850885}.exe

Filesize
204KB

MD5
796e7a0028c72833b7e12619a3f6876b

SHA1
9777816ebc8d42e4206e071efee57b6d170e21cd

SHA256
90f38e717412a67ff68b36d29587b6e8b6cfe1ebe1f832ad3b9e2e076c2cd6aa

SHA512
89b3d8737564550977f9ab74a31b9eb7132cf516edce2e903fcbe7baebb8b4d5ded2b51e536a338a2abf76fd63accffdccfe16a6a7300f4dfed17984fcfdb5c3

Download Submit
C:\Windows\{496B4684-4A96-41f5-BA89-7159BD850885}.exe

Filesize
204KB

MD5
796e7a0028c72833b7e12619a3f6876b

SHA1
9777816ebc8d42e4206e071efee57b6d170e21cd

SHA256
90f38e717412a67ff68b36d29587b6e8b6cfe1ebe1f832ad3b9e2e076c2cd6aa

SHA512
89b3d8737564550977f9ab74a31b9eb7132cf516edce2e903fcbe7baebb8b4d5ded2b51e536a338a2abf76fd63accffdccfe16a6a7300f4dfed17984fcfdb5c3

Download Submit
C:\Windows\{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe

Filesize
204KB

MD5
e6a1d3185d05e4b1a0d17a3a3004e9e4

SHA1
184a6a5a81f76f07fd9f91eacbc2dce430e2abfd

SHA256
dd8e68c1cbaa9517876613c32739df76aca0da89fae5071c78a84c2f684f3336

SHA512
817f82aa52d38d5f052553ce8746139f7ff5702ec9cf12f7b6616934e4d134ad2b2454b92f24b7baf4f1d6da1d2a6fde91fb3ea22048a8cd6d04280dc1e3b8eb

Download Submit
C:\Windows\{6CE0F198-6FCF-4cd9-93C4-5DCF54C85F8C}.exe

Filesize
204KB

MD5
e6a1d3185d05e4b1a0d17a3a3004e9e4

SHA1
184a6a5a81f76f07fd9f91eacbc2dce430e2abfd

SHA256
dd8e68c1cbaa9517876613c32739df76aca0da89fae5071c78a84c2f684f3336

SHA512
817f82aa52d38d5f052553ce8746139f7ff5702ec9cf12f7b6616934e4d134ad2b2454b92f24b7baf4f1d6da1d2a6fde91fb3ea22048a8cd6d04280dc1e3b8eb

Download Submit
C:\Windows\{6D8B2F66-0FCE-487a-B4E3-4133E5558977}.exe

Filesize
204KB

MD5
e2a4e325f5e3255234f7b964d1ec06fe

SHA1
74352e1c0fce359ceb0c7b20295c04ccfc4562f2

SHA256
baced8c8c4aea2f87215bf938b6f43a81d9bbe5f6e6105b9d89f9ef557be729b

SHA512
916b62937d2729afe594f0ed65778647648c1c661160f6c29742022a26929f60c186551cf6bf464dcd68a46a5a941676ebfe91efdb1e2601429d1869a4a0a4cd

Download Submit
C:\Windows\{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe

Filesize
204KB

MD5
12c42d4365aec6a340b52a91345e02ed

SHA1
bb6ada1bb2cb8a85c0cd065f38c2d16a43a13cde

SHA256
f5563e28292dcbee539dd1256c5fd9d09a7e3554584927c50b418cab27d48ab6

SHA512
27eed7a52a6e9d001550ed309ab922d02d769890944c2b88d5e303c49720db3459a9df6c3bc76218d45fe704fe58f58c3770d603f5ac0ef50e2d1157abf6d47e

Download Submit
C:\Windows\{93202371-66A6-4d05-B3A8-E2B0410BC9E4}.exe

Filesize
204KB

MD5
12c42d4365aec6a340b52a91345e02ed

SHA1
bb6ada1bb2cb8a85c0cd065f38c2d16a43a13cde

SHA256
f5563e28292dcbee539dd1256c5fd9d09a7e3554584927c50b418cab27d48ab6

SHA512
27eed7a52a6e9d001550ed309ab922d02d769890944c2b88d5e303c49720db3459a9df6c3bc76218d45fe704fe58f58c3770d603f5ac0ef50e2d1157abf6d47e

Download Submit
C:\Windows\{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe

Filesize
204KB

MD5
f2f499a0bca2dea9892f58476d8de9cb

SHA1
0ee48b1fad1d113f3efce4cfa43698db4b3e29b5

SHA256
8e6f591b470b4b15fb08cb7997d115bf100b4f1ea6f8d5e880af0dd1c5310af3

SHA512
7a9f9b80ebfd626de17ff7891903b0ca719c12bb076ec7b3068119a3f3edef5446284cb6fbbf879f43d1a15350d550c1b97a8c7f12dbe65dc239663033be2581

Download Submit
C:\Windows\{A43DEEF6-F635-433d-8B55-B034F54785EF}.exe

Filesize
204KB

MD5
f2f499a0bca2dea9892f58476d8de9cb

SHA1
0ee48b1fad1d113f3efce4cfa43698db4b3e29b5

SHA256
8e6f591b470b4b15fb08cb7997d115bf100b4f1ea6f8d5e880af0dd1c5310af3

SHA512
7a9f9b80ebfd626de17ff7891903b0ca719c12bb076ec7b3068119a3f3edef5446284cb6fbbf879f43d1a15350d550c1b97a8c7f12dbe65dc239663033be2581

Download Submit
C:\Windows\{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe

Filesize
204KB

MD5
eaf75bf9839448f01149fde364fba994

SHA1
58d0b791b0a163cd2d7691329eb07d149dd14bd0

SHA256
4b9999090161b2116331baf1ac6af450a57b1116dbf38da446a01f0dbd4ad519

SHA512
bed481d38ddba18d5f960220ecaed3d6af52eb658eea15c7fc27d5ef2d83216ffd454a33f60e68f9fbd942da5185fb84c0bf29a4dad264eda1691fd2a2061136

Download Submit
C:\Windows\{AB7D1D8C-F451-4024-91DA-A8B8A97FFF70}.exe

Filesize
204KB

MD5
eaf75bf9839448f01149fde364fba994

SHA1
58d0b791b0a163cd2d7691329eb07d149dd14bd0

SHA256
4b9999090161b2116331baf1ac6af450a57b1116dbf38da446a01f0dbd4ad519

SHA512
bed481d38ddba18d5f960220ecaed3d6af52eb658eea15c7fc27d5ef2d83216ffd454a33f60e68f9fbd942da5185fb84c0bf29a4dad264eda1691fd2a2061136

Download Submit
C:\Windows\{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe

Filesize
204KB

MD5
4ea02940e410ff77013bb7c81f7211a9

SHA1
d7b5a62800229d39e15fd58909fab8a82211fa46

SHA256
c60b4f0f8c65bd150b3bff3ae08cf89eb44340eccaa7b3ec39bf854ff3a34f03

SHA512
edcfecafd9c6983c56fc4accef91e6d89c609473781e7d4ffbf8ce3b7a26a6a30a992052cfc01148667e09ce90635302a0186b7e8160998b4a9b05e24745501c

Download Submit
C:\Windows\{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe

Filesize
204KB

MD5
4ea02940e410ff77013bb7c81f7211a9

SHA1
d7b5a62800229d39e15fd58909fab8a82211fa46

SHA256
c60b4f0f8c65bd150b3bff3ae08cf89eb44340eccaa7b3ec39bf854ff3a34f03

SHA512
edcfecafd9c6983c56fc4accef91e6d89c609473781e7d4ffbf8ce3b7a26a6a30a992052cfc01148667e09ce90635302a0186b7e8160998b4a9b05e24745501c

Download Submit
C:\Windows\{B710E6B0-2F2D-4fb7-B80B-1772800FA15F}.exe

Filesize
204KB

MD5
4ea02940e410ff77013bb7c81f7211a9

SHA1
d7b5a62800229d39e15fd58909fab8a82211fa46

SHA256
c60b4f0f8c65bd150b3bff3ae08cf89eb44340eccaa7b3ec39bf854ff3a34f03

SHA512
edcfecafd9c6983c56fc4accef91e6d89c609473781e7d4ffbf8ce3b7a26a6a30a992052cfc01148667e09ce90635302a0186b7e8160998b4a9b05e24745501c

Download Submit
C:\Windows\{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe

Filesize
204KB

MD5
082981a2938bf0c2092b04920fc4b7aa

SHA1
fdcefa487ce0fd53ab9211c6d7e2fc6d3ae17d98

SHA256
c1686d8489f3416b1b53fd4e5506fe87d1031b5cdf1874ae9061198d4124c459

SHA512
e09512721a680d7415bae1b960efb51faa30e1bae3e3e987db59984b3d5f58548c48efe87bd1110a216e4f4440d69bc43f8aae8987263e5154d65e48b6993971

Download Submit
C:\Windows\{D78A0669-82A6-4815-8B9A-2D4C0CFDAA0A}.exe

Filesize
204KB

MD5
082981a2938bf0c2092b04920fc4b7aa

SHA1
fdcefa487ce0fd53ab9211c6d7e2fc6d3ae17d98

SHA256
c1686d8489f3416b1b53fd4e5506fe87d1031b5cdf1874ae9061198d4124c459

SHA512
e09512721a680d7415bae1b960efb51faa30e1bae3e3e987db59984b3d5f58548c48efe87bd1110a216e4f4440d69bc43f8aae8987263e5154d65e48b6993971

Download Submit
C:\Windows\{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe

Filesize
204KB

MD5
69443e3c774fe29cc042f0fee4b14bad

SHA1
9291dbe1975d8f521f6ef9e44a1bab7634c33e5c

SHA256
c335fbe2710a93533b00e7619d0f21422aec4b6f058524a0071ca49d5e7148b0

SHA512
029c706690d66b9c7679204fcdb104c41cb26a1e47d12fba38aa120d62d57cac3cc9ca18fad4c14ccdee8660ba9ea8d7aef899aeb6a4eac80dcfa534c8fcd230

Download Submit
C:\Windows\{DB8EF758-400A-48b7-B581-B773379B8D4C}.exe

Filesize
204KB

MD5
69443e3c774fe29cc042f0fee4b14bad

SHA1
9291dbe1975d8f521f6ef9e44a1bab7634c33e5c

SHA256
c335fbe2710a93533b00e7619d0f21422aec4b6f058524a0071ca49d5e7148b0

SHA512
029c706690d66b9c7679204fcdb104c41cb26a1e47d12fba38aa120d62d57cac3cc9ca18fad4c14ccdee8660ba9ea8d7aef899aeb6a4eac80dcfa534c8fcd230

Download Submit
C:\Windows\{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe

Filesize
204KB

MD5
4cec60e65c7e9fd5f22eee4fc5c803af

SHA1
db7f1976f3e4b1161523af94fb2fe6712b8ec412

SHA256
2bb79e01251945494e5001712e8c6489f799111d5f56bb36edecc2fd1bf7cb4c

SHA512
594b1f710347c3c4c953bb47c064f0668723d1b8ac9abb913aa6d23b7a1b3c89c8ac863ebbc27f29bf74c3b2c6844dcefceead042afceb3c82b3eb0cc2916c61

Download Submit
C:\Windows\{E7D053D3-9D2B-4c6d-B012-68604C5DA08E}.exe

Filesize
204KB

MD5
4cec60e65c7e9fd5f22eee4fc5c803af

SHA1
db7f1976f3e4b1161523af94fb2fe6712b8ec412

SHA256
2bb79e01251945494e5001712e8c6489f799111d5f56bb36edecc2fd1bf7cb4c

SHA512
594b1f710347c3c4c953bb47c064f0668723d1b8ac9abb913aa6d23b7a1b3c89c8ac863ebbc27f29bf74c3b2c6844dcefceead042afceb3c82b3eb0cc2916c61

Download Submit
C:\Windows\{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe

Filesize
204KB

MD5
a79204895af77ff78900c5575d6216bc

SHA1
d7c78bba9d30c4a41245aafc52c09637c73b3bdf

SHA256
fd64f09b515ddd1bf30deda4d9fff08ce2224fb8055df1c44425d97b5e7b8cee

SHA512
e667085de938de664c3f8d66da767f68d1a169d38bbbebff42307a53ab3ff54f3dfb3500138e224632efa9e0cab3b17a12e21aa087f3b43f5da2cfd4b5ac3d19

Download Submit
C:\Windows\{EC6C8815-74DF-4739-866C-D7BA67CFB22B}.exe

Filesize
204KB

MD5
a79204895af77ff78900c5575d6216bc

SHA1
d7c78bba9d30c4a41245aafc52c09637c73b3bdf

SHA256
fd64f09b515ddd1bf30deda4d9fff08ce2224fb8055df1c44425d97b5e7b8cee

SHA512
e667085de938de664c3f8d66da767f68d1a169d38bbbebff42307a53ab3ff54f3dfb3500138e224632efa9e0cab3b17a12e21aa087f3b43f5da2cfd4b5ac3d19

Download Submit