731157c2e8b65ebeee14111fc47a0b71cd91b13cbd5bd1418d82d5bf5b59bdd8

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/07/2023, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43567acf1ec431exeexe_JC.exe
Size

216KB
MD5

43567acf1ec43124fada490f70bfb363
SHA1

6436c1d4218d7cd75c04cdab3f470e6c768f5946
SHA256

731157c2e8b65ebeee14111fc47a0b71cd91b13cbd5bd1418d82d5bf5b59bdd8
SHA512

ec15160cd2d8e4427c6c3d4459954a32e7775eba20c3d03653f478ed3f656673dea1418c5b89a2385ce30b39ea7f390d2846b139c86daddcd715d9bc58ba2d5a
SSDEEP

3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGelEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09BC3A9E-A93B-48d4-9ABB-472EC6CBF99A}\stubpath = "C:\\Windows\\{09BC3A9E-A93B-48d4-9ABB-472EC6CBF99A}.exe"	{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CFBFAE5-6684-4534-B714-DC04123E7C16}\stubpath = "C:\\Windows\\{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe"	{57540E6C-6770-4235-B088-A4BD2EC14947}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09BC3A9E-A93B-48d4-9ABB-472EC6CBF99A}	{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F67831DA-19A7-4748-855E-D3D9D8401F13}\stubpath = "C:\\Windows\\{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe"	{A6507D73-7133-4d91-901D-1D79165EE404}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0624CC7E-F5B2-408f-961A-C3286F3B3337}	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0624CC7E-F5B2-408f-961A-C3286F3B3337}\stubpath = "C:\\Windows\\{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe"	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}\stubpath = "C:\\Windows\\{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe"	{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}	43567acf1ec431exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6507D73-7133-4d91-901D-1D79165EE404}\stubpath = "C:\\Windows\\{A6507D73-7133-4d91-901D-1D79165EE404}.exe"	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F67831DA-19A7-4748-855E-D3D9D8401F13}	{A6507D73-7133-4d91-901D-1D79165EE404}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57540E6C-6770-4235-B088-A4BD2EC14947}\stubpath = "C:\\Windows\\{57540E6C-6770-4235-B088-A4BD2EC14947}.exe"	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}	{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}\stubpath = "C:\\Windows\\{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe"	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}\stubpath = "C:\\Windows\\{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe"	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A6507D73-7133-4d91-901D-1D79165EE404}	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57540E6C-6770-4235-B088-A4BD2EC14947}	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3CFBFAE5-6684-4534-B714-DC04123E7C16}	{57540E6C-6770-4235-B088-A4BD2EC14947}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}\stubpath = "C:\\Windows\\{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe"	43567acf1ec431exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}\stubpath = "C:\\Windows\\{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe"	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe

Deletes itself 1 IoCs

pid	Process
1344	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
552	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe
2720	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe
2672	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe
2808	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe
2744	{A6507D73-7133-4d91-901D-1D79165EE404}.exe
2692	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe
3008	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe
2528	{57540E6C-6770-4235-B088-A4BD2EC14947}.exe
524	{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe
2516	{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe
2384	{09BC3A9E-A93B-48d4-9ABB-472EC6CBF99A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{57540E6C-6770-4235-B088-A4BD2EC14947}.exe	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe
File created	C:\Windows\{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe	{57540E6C-6770-4235-B088-A4BD2EC14947}.exe
File created	C:\Windows\{09BC3A9E-A93B-48d4-9ABB-472EC6CBF99A}.exe	{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe
File created	C:\Windows\{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe
File created	C:\Windows\{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe
File created	C:\Windows\{A6507D73-7133-4d91-901D-1D79165EE404}.exe	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe
File created	C:\Windows\{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe	{A6507D73-7133-4d91-901D-1D79165EE404}.exe
File created	C:\Windows\{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe	43567acf1ec431exeexe_JC.exe
File created	C:\Windows\{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe
File created	C:\Windows\{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe
File created	C:\Windows\{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe	{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2432	43567acf1ec431exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	552	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe
Token: SeIncBasePriorityPrivilege	2720	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe
Token: SeIncBasePriorityPrivilege	2672	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe
Token: SeIncBasePriorityPrivilege	2808	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe
Token: SeIncBasePriorityPrivilege	2744	{A6507D73-7133-4d91-901D-1D79165EE404}.exe
Token: SeIncBasePriorityPrivilege	2692	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe
Token: SeIncBasePriorityPrivilege	3008	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe
Token: SeIncBasePriorityPrivilege	2528	{57540E6C-6770-4235-B088-A4BD2EC14947}.exe
Token: SeIncBasePriorityPrivilege	524	{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe
Token: SeIncBasePriorityPrivilege	2516	{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 552	2432	43567acf1ec431exeexe_JC.exe	30
PID 2432 wrote to memory of 552	2432	43567acf1ec431exeexe_JC.exe	30
PID 2432 wrote to memory of 552	2432	43567acf1ec431exeexe_JC.exe	30
PID 2432 wrote to memory of 552	2432	43567acf1ec431exeexe_JC.exe	30
PID 2432 wrote to memory of 1344	2432	43567acf1ec431exeexe_JC.exe	31
PID 2432 wrote to memory of 1344	2432	43567acf1ec431exeexe_JC.exe	31
PID 2432 wrote to memory of 1344	2432	43567acf1ec431exeexe_JC.exe	31
PID 2432 wrote to memory of 1344	2432	43567acf1ec431exeexe_JC.exe	31
PID 552 wrote to memory of 2720	552	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe	32
PID 552 wrote to memory of 2720	552	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe	32
PID 552 wrote to memory of 2720	552	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe	32
PID 552 wrote to memory of 2720	552	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe	32
PID 552 wrote to memory of 2236	552	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe	33
PID 552 wrote to memory of 2236	552	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe	33
PID 552 wrote to memory of 2236	552	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe	33
PID 552 wrote to memory of 2236	552	{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe	33
PID 2720 wrote to memory of 2672	2720	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe	34
PID 2720 wrote to memory of 2672	2720	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe	34
PID 2720 wrote to memory of 2672	2720	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe	34
PID 2720 wrote to memory of 2672	2720	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe	34
PID 2720 wrote to memory of 2788	2720	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe	35
PID 2720 wrote to memory of 2788	2720	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe	35
PID 2720 wrote to memory of 2788	2720	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe	35
PID 2720 wrote to memory of 2788	2720	{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe	35
PID 2672 wrote to memory of 2808	2672	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe	36
PID 2672 wrote to memory of 2808	2672	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe	36
PID 2672 wrote to memory of 2808	2672	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe	36
PID 2672 wrote to memory of 2808	2672	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe	36
PID 2672 wrote to memory of 2636	2672	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe	37
PID 2672 wrote to memory of 2636	2672	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe	37
PID 2672 wrote to memory of 2636	2672	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe	37
PID 2672 wrote to memory of 2636	2672	{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe	37
PID 2808 wrote to memory of 2744	2808	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe	38
PID 2808 wrote to memory of 2744	2808	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe	38
PID 2808 wrote to memory of 2744	2808	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe	38
PID 2808 wrote to memory of 2744	2808	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe	38
PID 2808 wrote to memory of 3056	2808	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe	39
PID 2808 wrote to memory of 3056	2808	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe	39
PID 2808 wrote to memory of 3056	2808	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe	39
PID 2808 wrote to memory of 3056	2808	{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe	39
PID 2744 wrote to memory of 2692	2744	{A6507D73-7133-4d91-901D-1D79165EE404}.exe	40
PID 2744 wrote to memory of 2692	2744	{A6507D73-7133-4d91-901D-1D79165EE404}.exe	40
PID 2744 wrote to memory of 2692	2744	{A6507D73-7133-4d91-901D-1D79165EE404}.exe	40
PID 2744 wrote to memory of 2692	2744	{A6507D73-7133-4d91-901D-1D79165EE404}.exe	40
PID 2744 wrote to memory of 2792	2744	{A6507D73-7133-4d91-901D-1D79165EE404}.exe	41
PID 2744 wrote to memory of 2792	2744	{A6507D73-7133-4d91-901D-1D79165EE404}.exe	41
PID 2744 wrote to memory of 2792	2744	{A6507D73-7133-4d91-901D-1D79165EE404}.exe	41
PID 2744 wrote to memory of 2792	2744	{A6507D73-7133-4d91-901D-1D79165EE404}.exe	41
PID 2692 wrote to memory of 3008	2692	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe	42
PID 2692 wrote to memory of 3008	2692	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe	42
PID 2692 wrote to memory of 3008	2692	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe	42
PID 2692 wrote to memory of 3008	2692	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe	42
PID 2692 wrote to memory of 2588	2692	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe	43
PID 2692 wrote to memory of 2588	2692	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe	43
PID 2692 wrote to memory of 2588	2692	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe	43
PID 2692 wrote to memory of 2588	2692	{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe	43
PID 3008 wrote to memory of 2528	3008	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe	44
PID 3008 wrote to memory of 2528	3008	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe	44
PID 3008 wrote to memory of 2528	3008	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe	44
PID 3008 wrote to memory of 2528	3008	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe	44
PID 3008 wrote to memory of 2604	3008	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe	45
PID 3008 wrote to memory of 2604	3008	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe	45
PID 3008 wrote to memory of 2604	3008	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe	45
PID 3008 wrote to memory of 2604	3008	{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe	45

C:\Users\Admin\AppData\Local\Temp\43567acf1ec431exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\43567acf1ec431exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe
  C:\Windows\{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:552
- - C:\Windows\{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe
    C:\Windows\{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe
      C:\Windows\{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe
        
        C:\Windows\{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
      - C:\Windows\{A6507D73-7133-4d91-901D-1D79165EE404}.exe
        
        C:\Windows\{A6507D73-7133-4d91-901D-1D79165EE404}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe
        
        C:\Windows\{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe
        
        C:\Windows\{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{57540E6C-6770-4235-B088-A4BD2EC14947}.exe
        
        C:\Windows\{57540E6C-6770-4235-B088-A4BD2EC14947}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe
        
        C:\Windows\{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:524
        
        C:\Windows\{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe
        
        C:\Windows\{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\{09BC3A9E-A93B-48d4-9ABB-472EC6CBF99A}.exe
        
        C:\Windows\{09BC3A9E-A93B-48d4-9ABB-472EC6CBF99A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9912~1.EXE > nul
        12⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CFBF~1.EXE > nul
        11⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57540~1.EXE > nul
        10⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0624C~1.EXE > nul
        9⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6783~1.EXE > nul
        8⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6507~1.EXE > nul
        7⤵
        
        PID:2792
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B3A1~1.EXE > nul
        6⤵
        
        PID:3056
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D838F~1.EXE > nul
        5⤵
        
        PID:2636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{07ABA~1.EXE > nul
      4⤵
      PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8CA62~1.EXE > nul
    3⤵
    PID:2236
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\43567A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe

Filesize
216KB

MD5
5ad575e42ef3f84321db20b52f41c180

SHA1
c26f27101b352ff0bda965c8c26849ded9cc4513

SHA256
33269ef0ff46ef6eb82c472186d6cb1f377ba445b3af5bbeb630c6a86ad4ff04

SHA512
31051301c8ce530ef1d251420b0f3abab3279c6aa7117f515f35eb771dc79b0e57591dcab501e836c8fdca4028a4ecf59014714c448753450354fd2d86050583

Download Submit
C:\Windows\{0624CC7E-F5B2-408f-961A-C3286F3B3337}.exe

Filesize
216KB

MD5
5ad575e42ef3f84321db20b52f41c180

SHA1
c26f27101b352ff0bda965c8c26849ded9cc4513

SHA256
33269ef0ff46ef6eb82c472186d6cb1f377ba445b3af5bbeb630c6a86ad4ff04

SHA512
31051301c8ce530ef1d251420b0f3abab3279c6aa7117f515f35eb771dc79b0e57591dcab501e836c8fdca4028a4ecf59014714c448753450354fd2d86050583

Download Submit
C:\Windows\{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe

Filesize
216KB

MD5
8c5cc0e9bbee5cfb4a11eaa8354ee30d

SHA1
e96af37f334c8eea487222101e98a22a9c2b3ca7

SHA256
eda149a18eab7288b54d557fb007993a8273a1f7c268cab521e5e0fd874a1c9f

SHA512
209dc5a684a7f8fe44de0f7dbf34ef0d2b8ada79b0950dec54fb3d1bd7eee12c92af7993867426fedaeac75f132eba5dd55eaa49fbb83334850e8f116575e2a5

Download Submit
C:\Windows\{07ABA531-F63B-48e3-B67C-F790FBCCDF8E}.exe

Filesize
216KB

MD5
8c5cc0e9bbee5cfb4a11eaa8354ee30d

SHA1
e96af37f334c8eea487222101e98a22a9c2b3ca7

SHA256
eda149a18eab7288b54d557fb007993a8273a1f7c268cab521e5e0fd874a1c9f

SHA512
209dc5a684a7f8fe44de0f7dbf34ef0d2b8ada79b0950dec54fb3d1bd7eee12c92af7993867426fedaeac75f132eba5dd55eaa49fbb83334850e8f116575e2a5

Download Submit
C:\Windows\{09BC3A9E-A93B-48d4-9ABB-472EC6CBF99A}.exe

Filesize
216KB

MD5
3ea061549ee26572dd712b84dc87220f

SHA1
4c9d803cea35a106bf495cb248a1291fd34622af

SHA256
cdfc7bc8d69f8004011d10498866b75e06abb02aac1d34fcc4252dee5317e66c

SHA512
122b315b9d1efd00d9d1a2a4ef582fa955d6bc7de4588b1c9e8a5c961963f0f248953e3f58b7c8a40c0f5d5a6d5d3b9813b827e2db2ccadc0f0915810c526514

Download Submit
C:\Windows\{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe

Filesize
216KB

MD5
0b0c32f95a301add9b9ee31a6215761c

SHA1
53f66472ce1b3ed89d0f814e3f5b4f7c764b5c9c

SHA256
dc1c84e8233d91ba7759bdaffc90e74fadd20e9bab5025876cc97cfdc8bedfc8

SHA512
e4b0b8d07c3006a276f6186d44c924f457d3cd93dd24a7f9aa35a99d29da20df373b4676af71c8e25aa89660b72353d29686569e2f0290fbd15609df7796fe64

Download Submit
C:\Windows\{3CFBFAE5-6684-4534-B714-DC04123E7C16}.exe

Filesize
216KB

MD5
0b0c32f95a301add9b9ee31a6215761c

SHA1
53f66472ce1b3ed89d0f814e3f5b4f7c764b5c9c

SHA256
dc1c84e8233d91ba7759bdaffc90e74fadd20e9bab5025876cc97cfdc8bedfc8

SHA512
e4b0b8d07c3006a276f6186d44c924f457d3cd93dd24a7f9aa35a99d29da20df373b4676af71c8e25aa89660b72353d29686569e2f0290fbd15609df7796fe64

Download Submit
C:\Windows\{57540E6C-6770-4235-B088-A4BD2EC14947}.exe

Filesize
216KB

MD5
9db8d1d765e1de4397f38f4439e9ea55

SHA1
fbbf78abe5b49268f151b03ba4a35daba4c78abf

SHA256
cad3185b55d4c219282944462c97ec90c5b4a39ceac90af1a1a2f0961fe60434

SHA512
3d26c836ca491bd937c6c39314783e9b561f0dfd72da4a42979e3a7d1f184bd122d0a03f593ec117ec5d2d271b2042870cc31f63e6e17ef41a3c48388cfdc6f3

Download Submit
C:\Windows\{57540E6C-6770-4235-B088-A4BD2EC14947}.exe

Filesize
216KB

MD5
9db8d1d765e1de4397f38f4439e9ea55

SHA1
fbbf78abe5b49268f151b03ba4a35daba4c78abf

SHA256
cad3185b55d4c219282944462c97ec90c5b4a39ceac90af1a1a2f0961fe60434

SHA512
3d26c836ca491bd937c6c39314783e9b561f0dfd72da4a42979e3a7d1f184bd122d0a03f593ec117ec5d2d271b2042870cc31f63e6e17ef41a3c48388cfdc6f3

Download Submit
C:\Windows\{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe

Filesize
216KB

MD5
9249d93c807360411e0ec8c7123e4b29

SHA1
32efe2408737142040f1fcf2719ed32731fa1af6

SHA256
8ca8d66f4c541c16e5781663f66cb79eef8f744aea61fb8cd214cc18766444d7

SHA512
b713602fd8f487bde026b5a20f24ca9d9685b11192d8c70ab261e4670099b5f89cb3776236d70ec57b6c522c4c0e9041b105bc7b071dc791643c8b07f379a844

Download Submit
C:\Windows\{6B3A1A8C-BCE8-48a2-AC17-80B1454CFD0C}.exe

Filesize
216KB

MD5
9249d93c807360411e0ec8c7123e4b29

SHA1
32efe2408737142040f1fcf2719ed32731fa1af6

SHA256
8ca8d66f4c541c16e5781663f66cb79eef8f744aea61fb8cd214cc18766444d7

SHA512
b713602fd8f487bde026b5a20f24ca9d9685b11192d8c70ab261e4670099b5f89cb3776236d70ec57b6c522c4c0e9041b105bc7b071dc791643c8b07f379a844

Download Submit
C:\Windows\{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe

Filesize
216KB

MD5
b7333b500c7eedb519ee144b73f2663f

SHA1
7ee8087da0a52e7c2c8b9d0b946b89038315f865

SHA256
9cf3744a43a761802bd4266b3c9d4e960fb4fc63f8d8831094cc78a1e94944b0

SHA512
eb93f82eb2828f58ab63caa324a2527d9936c8f9219c7c0e355abf17473577e28aa065fd9ab2efb7662278e4bb0afd7fc5aae05c078d9c34a29575b38037febc

Download Submit
C:\Windows\{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe

Filesize
216KB

MD5
b7333b500c7eedb519ee144b73f2663f

SHA1
7ee8087da0a52e7c2c8b9d0b946b89038315f865

SHA256
9cf3744a43a761802bd4266b3c9d4e960fb4fc63f8d8831094cc78a1e94944b0

SHA512
eb93f82eb2828f58ab63caa324a2527d9936c8f9219c7c0e355abf17473577e28aa065fd9ab2efb7662278e4bb0afd7fc5aae05c078d9c34a29575b38037febc

Download Submit
C:\Windows\{8CA624FB-6B68-43d9-99F4-54E6B6DEC939}.exe

Filesize
216KB

MD5
b7333b500c7eedb519ee144b73f2663f

SHA1
7ee8087da0a52e7c2c8b9d0b946b89038315f865

SHA256
9cf3744a43a761802bd4266b3c9d4e960fb4fc63f8d8831094cc78a1e94944b0

SHA512
eb93f82eb2828f58ab63caa324a2527d9936c8f9219c7c0e355abf17473577e28aa065fd9ab2efb7662278e4bb0afd7fc5aae05c078d9c34a29575b38037febc

Download Submit
C:\Windows\{A6507D73-7133-4d91-901D-1D79165EE404}.exe

Filesize
216KB

MD5
5ab00bb71a901de0b73d03df9ef69049

SHA1
6bb2441dbb9d21c9ea7e2835b31003c62c8196e3

SHA256
191ef94519f74d694af4bce92e1bf9d15a54d5e20cb47281db564a44e460feeb

SHA512
6faf840f503c6910504704081b010dca58ad344a88a72633fafbf6259230459b622b335faa37b7a0db80de80572a5ab7afd45a0691b8dd438b76d2d261fe1693

Download Submit
C:\Windows\{A6507D73-7133-4d91-901D-1D79165EE404}.exe

Filesize
216KB

MD5
5ab00bb71a901de0b73d03df9ef69049

SHA1
6bb2441dbb9d21c9ea7e2835b31003c62c8196e3

SHA256
191ef94519f74d694af4bce92e1bf9d15a54d5e20cb47281db564a44e460feeb

SHA512
6faf840f503c6910504704081b010dca58ad344a88a72633fafbf6259230459b622b335faa37b7a0db80de80572a5ab7afd45a0691b8dd438b76d2d261fe1693

Download Submit
C:\Windows\{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe

Filesize
216KB

MD5
312eb5ebab73ad955250c655067e5331

SHA1
31cf089ddad996f1a44413f63467a53434e91c58

SHA256
8a5a166871e20c1d08989297d427b89a9f4e26f3107d4ae367f7ce3df826af32

SHA512
190af0af03b4d10dc0fdfd314b1ae65e224c55c2142b6ef6650ff11d4fd819e523988bd0d9c83f87e562c7fd5303e69d340b84cb7a7bac5cba2ade6f2308a219

Download Submit
C:\Windows\{D838FD61-05E0-46eb-B5D9-0C0C9F8FA630}.exe

Filesize
216KB

MD5
312eb5ebab73ad955250c655067e5331

SHA1
31cf089ddad996f1a44413f63467a53434e91c58

SHA256
8a5a166871e20c1d08989297d427b89a9f4e26f3107d4ae367f7ce3df826af32

SHA512
190af0af03b4d10dc0fdfd314b1ae65e224c55c2142b6ef6650ff11d4fd819e523988bd0d9c83f87e562c7fd5303e69d340b84cb7a7bac5cba2ade6f2308a219

Download Submit
C:\Windows\{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe

Filesize
216KB

MD5
025f1ced0948bb2c8d82703cadc5d6d9

SHA1
275896746111e6e2ff4b975e285dc032df476fa2

SHA256
46168eedca1c0f5f1295badae43df4f2ae48525202c755cc2f5101eac4172704

SHA512
43dfc0d9f96fe45cdb355fd17495a885fdf561933c22595e9c2af4fbae296ee78b232d02fa5aef8c1b465ba25bb9fe163686251ecf4f7b51e56f00db8a56d569

Download Submit
C:\Windows\{F67831DA-19A7-4748-855E-D3D9D8401F13}.exe

Filesize
216KB

MD5
025f1ced0948bb2c8d82703cadc5d6d9

SHA1
275896746111e6e2ff4b975e285dc032df476fa2

SHA256
46168eedca1c0f5f1295badae43df4f2ae48525202c755cc2f5101eac4172704

SHA512
43dfc0d9f96fe45cdb355fd17495a885fdf561933c22595e9c2af4fbae296ee78b232d02fa5aef8c1b465ba25bb9fe163686251ecf4f7b51e56f00db8a56d569

Download Submit
C:\Windows\{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe

Filesize
216KB

MD5
27984488b2ad58af7ff638b3bd6d7c39

SHA1
fc056c3682cb852cbaca81d77a5240d845b12d08

SHA256
c5b0b01cfc0d0c749d876666b06035d8f715be29dce9c77097554a6a57bfdb70

SHA512
a055cb012f6e48a985dbeb6c9946fcd5f86741932794e14ab81060ec55ff1b235bf619ae74d99c08046313d23103b82c44eb53f8dccd8f43b076e7fc7832e972

Download Submit
C:\Windows\{F9912EDE-BE77-4483-ADB5-B7F76D4C500E}.exe

Filesize
216KB

MD5
27984488b2ad58af7ff638b3bd6d7c39

SHA1
fc056c3682cb852cbaca81d77a5240d845b12d08

SHA256
c5b0b01cfc0d0c749d876666b06035d8f715be29dce9c77097554a6a57bfdb70

SHA512
a055cb012f6e48a985dbeb6c9946fcd5f86741932794e14ab81060ec55ff1b235bf619ae74d99c08046313d23103b82c44eb53f8dccd8f43b076e7fc7832e972

Download Submit