6c4ccecff27b65dcb598caf7e920774215465446c89a9a6a95e3710f1f405af9

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/07/2023, 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44eb2b44caf1e3exeexe_JC.exe
Size

192KB
MD5

44eb2b44caf1e3124b8bf1e4841b0286
SHA1

3c663efd3ff150c95a44fc6cdc86879b49eab765
SHA256

6c4ccecff27b65dcb598caf7e920774215465446c89a9a6a95e3710f1f405af9
SHA512

f2bdaed1eaa75a668d27923f1fa5700b5107689ce011fd0888e0f4f87419f0bd553a5ae57ab671a5d2b1bef7805735bf3d1f353ba14660215bee29bc274190ec
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oBl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3771314B-A8E8-40eb-80E2-7465CAA0726E}\stubpath = "C:\\Windows\\{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe"	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72A01245-7D62-46ea-A07F-650D693F2A07}	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}\stubpath = "C:\\Windows\\{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe"	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD4718B2-3B23-488b-A067-72154DB65E6A}	{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F85710CA-BDBB-4195-A312-C625A71F9348}	{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F919B21-B656-4a74-BA90-4230A9EEC2EE}	44eb2b44caf1e3exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F919B21-B656-4a74-BA90-4230A9EEC2EE}\stubpath = "C:\\Windows\\{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe"	44eb2b44caf1e3exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3771314B-A8E8-40eb-80E2-7465CAA0726E}	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42554AF6-4237-4810-A84C-3945A8E450B4}\stubpath = "C:\\Windows\\{42554AF6-4237-4810-A84C-3945A8E450B4}.exe"	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}\stubpath = "C:\\Windows\\{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe"	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD4718B2-3B23-488b-A067-72154DB65E6A}\stubpath = "C:\\Windows\\{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe"	{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F85710CA-BDBB-4195-A312-C625A71F9348}\stubpath = "C:\\Windows\\{F85710CA-BDBB-4195-A312-C625A71F9348}.exe"	{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}\stubpath = "C:\\Windows\\{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe"	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}\stubpath = "C:\\Windows\\{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe"	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{72A01245-7D62-46ea-A07F-650D693F2A07}\stubpath = "C:\\Windows\\{72A01245-7D62-46ea-A07F-650D693F2A07}.exe"	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B21BE67E-97C6-4a78-BB07-6E1DFA7E5EA2}	{F85710CA-BDBB-4195-A312-C625A71F9348}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B21BE67E-97C6-4a78-BB07-6E1DFA7E5EA2}\stubpath = "C:\\Windows\\{B21BE67E-97C6-4a78-BB07-6E1DFA7E5EA2}.exe"	{F85710CA-BDBB-4195-A312-C625A71F9348}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42554AF6-4237-4810-A84C-3945A8E450B4}	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe

Deletes itself 1 IoCs

pid	Process
932	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1648	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe
928	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe
2080	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe
2304	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe
2812	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe
3008	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe
1572	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe
1108	{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe
2152	{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe
2720	{F85710CA-BDBB-4195-A312-C625A71F9348}.exe
2416	{B21BE67E-97C6-4a78-BB07-6E1DFA7E5EA2}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe
File created	C:\Windows\{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe	{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe
File created	C:\Windows\{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe
File created	C:\Windows\{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe
File created	C:\Windows\{72A01245-7D62-46ea-A07F-650D693F2A07}.exe	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe
File created	C:\Windows\{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe
File created	C:\Windows\{F85710CA-BDBB-4195-A312-C625A71F9348}.exe	{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe
File created	C:\Windows\{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe	44eb2b44caf1e3exeexe_JC.exe
File created	C:\Windows\{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe
File created	C:\Windows\{42554AF6-4237-4810-A84C-3945A8E450B4}.exe	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe
File created	C:\Windows\{B21BE67E-97C6-4a78-BB07-6E1DFA7E5EA2}.exe	{F85710CA-BDBB-4195-A312-C625A71F9348}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1500	44eb2b44caf1e3exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	1648	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe
Token: SeIncBasePriorityPrivilege	928	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe
Token: SeIncBasePriorityPrivilege	2080	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe
Token: SeIncBasePriorityPrivilege	2304	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe
Token: SeIncBasePriorityPrivilege	2812	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe
Token: SeIncBasePriorityPrivilege	3008	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe
Token: SeIncBasePriorityPrivilege	1572	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe
Token: SeIncBasePriorityPrivilege	1108	{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe
Token: SeIncBasePriorityPrivilege	2152	{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe
Token: SeIncBasePriorityPrivilege	2720	{F85710CA-BDBB-4195-A312-C625A71F9348}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1648	1500	44eb2b44caf1e3exeexe_JC.exe	30
PID 1500 wrote to memory of 1648	1500	44eb2b44caf1e3exeexe_JC.exe	30
PID 1500 wrote to memory of 1648	1500	44eb2b44caf1e3exeexe_JC.exe	30
PID 1500 wrote to memory of 1648	1500	44eb2b44caf1e3exeexe_JC.exe	30
PID 1500 wrote to memory of 932	1500	44eb2b44caf1e3exeexe_JC.exe	31
PID 1500 wrote to memory of 932	1500	44eb2b44caf1e3exeexe_JC.exe	31
PID 1500 wrote to memory of 932	1500	44eb2b44caf1e3exeexe_JC.exe	31
PID 1500 wrote to memory of 932	1500	44eb2b44caf1e3exeexe_JC.exe	31
PID 1648 wrote to memory of 928	1648	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe	32
PID 1648 wrote to memory of 928	1648	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe	32
PID 1648 wrote to memory of 928	1648	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe	32
PID 1648 wrote to memory of 928	1648	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe	32
PID 1648 wrote to memory of 1364	1648	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe	33
PID 1648 wrote to memory of 1364	1648	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe	33
PID 1648 wrote to memory of 1364	1648	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe	33
PID 1648 wrote to memory of 1364	1648	{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe	33
PID 928 wrote to memory of 2080	928	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe	34
PID 928 wrote to memory of 2080	928	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe	34
PID 928 wrote to memory of 2080	928	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe	34
PID 928 wrote to memory of 2080	928	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe	34
PID 928 wrote to memory of 2360	928	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe	35
PID 928 wrote to memory of 2360	928	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe	35
PID 928 wrote to memory of 2360	928	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe	35
PID 928 wrote to memory of 2360	928	{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe	35
PID 2080 wrote to memory of 2304	2080	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe	36
PID 2080 wrote to memory of 2304	2080	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe	36
PID 2080 wrote to memory of 2304	2080	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe	36
PID 2080 wrote to memory of 2304	2080	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe	36
PID 2080 wrote to memory of 1488	2080	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe	37
PID 2080 wrote to memory of 1488	2080	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe	37
PID 2080 wrote to memory of 1488	2080	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe	37
PID 2080 wrote to memory of 1488	2080	{42554AF6-4237-4810-A84C-3945A8E450B4}.exe	37
PID 2304 wrote to memory of 2812	2304	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe	38
PID 2304 wrote to memory of 2812	2304	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe	38
PID 2304 wrote to memory of 2812	2304	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe	38
PID 2304 wrote to memory of 2812	2304	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe	38
PID 2304 wrote to memory of 2872	2304	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe	39
PID 2304 wrote to memory of 2872	2304	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe	39
PID 2304 wrote to memory of 2872	2304	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe	39
PID 2304 wrote to memory of 2872	2304	{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe	39
PID 2812 wrote to memory of 3008	2812	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe	40
PID 2812 wrote to memory of 3008	2812	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe	40
PID 2812 wrote to memory of 3008	2812	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe	40
PID 2812 wrote to memory of 3008	2812	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe	40
PID 2812 wrote to memory of 2996	2812	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe	41
PID 2812 wrote to memory of 2996	2812	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe	41
PID 2812 wrote to memory of 2996	2812	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe	41
PID 2812 wrote to memory of 2996	2812	{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe	41
PID 3008 wrote to memory of 1572	3008	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe	42
PID 3008 wrote to memory of 1572	3008	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe	42
PID 3008 wrote to memory of 1572	3008	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe	42
PID 3008 wrote to memory of 1572	3008	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe	42
PID 3008 wrote to memory of 2900	3008	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe	43
PID 3008 wrote to memory of 2900	3008	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe	43
PID 3008 wrote to memory of 2900	3008	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe	43
PID 3008 wrote to memory of 2900	3008	{72A01245-7D62-46ea-A07F-650D693F2A07}.exe	43
PID 1572 wrote to memory of 1108	1572	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe	44
PID 1572 wrote to memory of 1108	1572	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe	44
PID 1572 wrote to memory of 1108	1572	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe	44
PID 1572 wrote to memory of 1108	1572	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe	44
PID 1572 wrote to memory of 2756	1572	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe	45
PID 1572 wrote to memory of 2756	1572	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe	45
PID 1572 wrote to memory of 2756	1572	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe	45
PID 1572 wrote to memory of 2756	1572	{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe	45

C:\Users\Admin\AppData\Local\Temp\44eb2b44caf1e3exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\44eb2b44caf1e3exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe
  C:\Windows\{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1648
- - C:\Windows\{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe
    C:\Windows\{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:928
  - - C:\Windows\{42554AF6-4237-4810-A84C-3945A8E450B4}.exe
      C:\Windows\{42554AF6-4237-4810-A84C-3945A8E450B4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2080
    - - C:\Windows\{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe
        
        C:\Windows\{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe
        
        C:\Windows\{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\{72A01245-7D62-46ea-A07F-650D693F2A07}.exe
        
        C:\Windows\{72A01245-7D62-46ea-A07F-650D693F2A07}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe
        
        C:\Windows\{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1572
        
        C:\Windows\{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe
        
        C:\Windows\{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
        
        C:\Windows\{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe
        
        C:\Windows\{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\{F85710CA-BDBB-4195-A312-C625A71F9348}.exe
        
        C:\Windows\{F85710CA-BDBB-4195-A312-C625A71F9348}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\{B21BE67E-97C6-4a78-BB07-6E1DFA7E5EA2}.exe
        
        C:\Windows\{B21BE67E-97C6-4a78-BB07-6E1DFA7E5EA2}.exe
        12⤵
        Executes dropped EXE
        
        PID:2416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8571~1.EXE > nul
        12⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD471~1.EXE > nul
        11⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9FEC~1.EXE > nul
        10⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E5A3~1.EXE > nul
        9⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72A01~1.EXE > nul
        8⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37713~1.EXE > nul
        7⤵
        
        PID:2996
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD2E1~1.EXE > nul
        6⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42554~1.EXE > nul
        5⤵
        
        PID:1488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E990F~1.EXE > nul
      4⤵
      PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8F919~1.EXE > nul
    3⤵
    PID:1364
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\44EB2B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe

Filesize
192KB

MD5
de1ad6539c0b5927ebebdf510d637256

SHA1
f2217982a2a31100e6cd2e74e023d4472a890516

SHA256
406afce1f1d70029cdada1d6df0770d42e136069de3fa7f78850c970c2e0fb19

SHA512
a15f4a52e792bdd7a7cbf6475490625bc219dc1c0fa45d86d0db8ac5ccbc526523de65c97eccac9f5aad32dd7e8d1ab6a86912d7f363a51a1e0d1a4ec306c830

Download Submit
C:\Windows\{3771314B-A8E8-40eb-80E2-7465CAA0726E}.exe

Filesize
192KB

MD5
de1ad6539c0b5927ebebdf510d637256

SHA1
f2217982a2a31100e6cd2e74e023d4472a890516

SHA256
406afce1f1d70029cdada1d6df0770d42e136069de3fa7f78850c970c2e0fb19

SHA512
a15f4a52e792bdd7a7cbf6475490625bc219dc1c0fa45d86d0db8ac5ccbc526523de65c97eccac9f5aad32dd7e8d1ab6a86912d7f363a51a1e0d1a4ec306c830

Download Submit
C:\Windows\{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe

Filesize
192KB

MD5
8e279665a6b35a547f47bb68dbf6cdd8

SHA1
687ededb6a1ea52d45b86eee779ff00789fdddcc

SHA256
17c5cde6b46e273de5ac5b676aa378a6aa52841071733fee1a53da235a0de9fe

SHA512
4aa606898a10b884049052011a984d33cb4c4b5199879b88c2c6cecb467fe7c2a6f0c2458d061530166a7cb58a42eb01d6f7c3bd0957868f450d35886c42d7cf

Download Submit
C:\Windows\{3E5A3BD1-ECAE-4f98-812C-EFD858F2BE8B}.exe

Filesize
192KB

MD5
8e279665a6b35a547f47bb68dbf6cdd8

SHA1
687ededb6a1ea52d45b86eee779ff00789fdddcc

SHA256
17c5cde6b46e273de5ac5b676aa378a6aa52841071733fee1a53da235a0de9fe

SHA512
4aa606898a10b884049052011a984d33cb4c4b5199879b88c2c6cecb467fe7c2a6f0c2458d061530166a7cb58a42eb01d6f7c3bd0957868f450d35886c42d7cf

Download Submit
C:\Windows\{42554AF6-4237-4810-A84C-3945A8E450B4}.exe

Filesize
192KB

MD5
e1fb0db94c7f9a42d6fcf7b2a0cb25a8

SHA1
7ee04f6848b6de5c587a2e2aafa67750a19eb980

SHA256
6f506a5641665816b95ce33c1558c44bdf3b51396f09463d78974a538937b575

SHA512
c199f60c368fa65d4ba14f5b32e9dcf68ad6753c369db0369029d91891479a52b4e9d7d5ea94e9e6238f3d97cbb133fae46ba74e28f700d60e69fb2390d212de

Download Submit
C:\Windows\{42554AF6-4237-4810-A84C-3945A8E450B4}.exe

Filesize
192KB

MD5
e1fb0db94c7f9a42d6fcf7b2a0cb25a8

SHA1
7ee04f6848b6de5c587a2e2aafa67750a19eb980

SHA256
6f506a5641665816b95ce33c1558c44bdf3b51396f09463d78974a538937b575

SHA512
c199f60c368fa65d4ba14f5b32e9dcf68ad6753c369db0369029d91891479a52b4e9d7d5ea94e9e6238f3d97cbb133fae46ba74e28f700d60e69fb2390d212de

Download Submit
C:\Windows\{72A01245-7D62-46ea-A07F-650D693F2A07}.exe

Filesize
192KB

MD5
e7fba9acd98eed4123ad9604c3c747bb

SHA1
2ba79b3701941fdb9ca7c6fb0db04ec0600e93c3

SHA256
857faeb243960ffdb951947054446d81ae3c8e48de94034710d7549d49140c29

SHA512
c40a1512aab12d49a3197912a2a75c02fe3dd7480f250aadafea80af2ad628a07a60ac6d8411498dd12f20f2015ea67e60004afc7de83ed6ad1767d1dc54af00

Download Submit
C:\Windows\{72A01245-7D62-46ea-A07F-650D693F2A07}.exe

Filesize
192KB

MD5
e7fba9acd98eed4123ad9604c3c747bb

SHA1
2ba79b3701941fdb9ca7c6fb0db04ec0600e93c3

SHA256
857faeb243960ffdb951947054446d81ae3c8e48de94034710d7549d49140c29

SHA512
c40a1512aab12d49a3197912a2a75c02fe3dd7480f250aadafea80af2ad628a07a60ac6d8411498dd12f20f2015ea67e60004afc7de83ed6ad1767d1dc54af00

Download Submit
C:\Windows\{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe

Filesize
192KB

MD5
24a7bfc83c8195e3fdc688e9f3ec501d

SHA1
2decbf030fea6ad95f8b5436b4cc13aeb759b6d5

SHA256
9ed0425656d6c2211822ab2de150bf18481d166902afd0867e542079a137b68e

SHA512
358cd9769efcbfaea50f213e3feba9535a1ba29069e13e507cf3fc06a6f3c8830ec0f343c8160ce29aec8ca031159a47d8b852f9df3f7765b39be59acd942ed0

Download Submit
C:\Windows\{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe

Filesize
192KB

MD5
24a7bfc83c8195e3fdc688e9f3ec501d

SHA1
2decbf030fea6ad95f8b5436b4cc13aeb759b6d5

SHA256
9ed0425656d6c2211822ab2de150bf18481d166902afd0867e542079a137b68e

SHA512
358cd9769efcbfaea50f213e3feba9535a1ba29069e13e507cf3fc06a6f3c8830ec0f343c8160ce29aec8ca031159a47d8b852f9df3f7765b39be59acd942ed0

Download Submit
C:\Windows\{8F919B21-B656-4a74-BA90-4230A9EEC2EE}.exe

Filesize
192KB

MD5
24a7bfc83c8195e3fdc688e9f3ec501d

SHA1
2decbf030fea6ad95f8b5436b4cc13aeb759b6d5

SHA256
9ed0425656d6c2211822ab2de150bf18481d166902afd0867e542079a137b68e

SHA512
358cd9769efcbfaea50f213e3feba9535a1ba29069e13e507cf3fc06a6f3c8830ec0f343c8160ce29aec8ca031159a47d8b852f9df3f7765b39be59acd942ed0

Download Submit
C:\Windows\{B21BE67E-97C6-4a78-BB07-6E1DFA7E5EA2}.exe

Filesize
192KB

MD5
8b0176a7be1ba751c05048a791eaacc5

SHA1
3782a94dc9e6a93162c2c6dc843fd4baa287d222

SHA256
5e0e84d9e351a2357d623066c6f051c42c0f66f7884a0551bede5d55a409e4c9

SHA512
e13ff6fae138556f08e0b4d94f9a21dd91ef469e7fc1dd4993acea01b9a2df7c69a0175e44e816e555f3e6534a728a202ad6954446ba285ef817ddcb2acfd2fe

Download Submit
C:\Windows\{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe

Filesize
192KB

MD5
78746f9c0a0eb9bc4ea37be9beac9eb1

SHA1
67c5a44d7da7365231df7a1bf816a01c82846165

SHA256
643eeb1349baec6d93a7718fb5b9217942164887221dd86c664dba40b4a74e38

SHA512
3a25aaf12fbccee24c76809d076cb1af42251bdab33efb5fd231d5fd30e5bc35ba1dbc0ce95f9e0900db9300bd45d94a04037a3251f91f4821fadb4815ce3ef6

Download Submit
C:\Windows\{CD4718B2-3B23-488b-A067-72154DB65E6A}.exe

Filesize
192KB

MD5
78746f9c0a0eb9bc4ea37be9beac9eb1

SHA1
67c5a44d7da7365231df7a1bf816a01c82846165

SHA256
643eeb1349baec6d93a7718fb5b9217942164887221dd86c664dba40b4a74e38

SHA512
3a25aaf12fbccee24c76809d076cb1af42251bdab33efb5fd231d5fd30e5bc35ba1dbc0ce95f9e0900db9300bd45d94a04037a3251f91f4821fadb4815ce3ef6

Download Submit
C:\Windows\{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe

Filesize
192KB

MD5
1c25ae6c5f6b4405bae675d6dbea3568

SHA1
cf227f90933e75db0186570a42863e6af73fe9f0

SHA256
5c190f1cd1640666f4b7c672cdcb7a5cf7951c18148ce8a21bfcd459c82d2db1

SHA512
fcb02679a225ab9b1d8c959ee6bd2b66208d1fc4ee705938bd1910d3caff7f5d38db0a2912a4820238bfe13b06b8d06862f31da5274d89df9ba9c7fafd573c9a

Download Submit
C:\Windows\{D9FECC76-F896-431a-8CEE-92BF0FE2D5AC}.exe

Filesize
192KB

MD5
1c25ae6c5f6b4405bae675d6dbea3568

SHA1
cf227f90933e75db0186570a42863e6af73fe9f0

SHA256
5c190f1cd1640666f4b7c672cdcb7a5cf7951c18148ce8a21bfcd459c82d2db1

SHA512
fcb02679a225ab9b1d8c959ee6bd2b66208d1fc4ee705938bd1910d3caff7f5d38db0a2912a4820238bfe13b06b8d06862f31da5274d89df9ba9c7fafd573c9a

Download Submit
C:\Windows\{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe

Filesize
192KB

MD5
68bdf8aef15aa892f5eb0f5245933604

SHA1
d9dad889fc1d1b50370c8367bc51b002a0868932

SHA256
cf0e874c4a01d246b3e98410ada971884dbc905548253cf9720940202046a45a

SHA512
712df994090b515e0e16a21f42ed5530133e3ace6c23f286e9d737be37cbfe8e7720e47974bc5521312c5fab8ce91d1a7c42f5384e018a9d8374ab104c1efedf

Download Submit
C:\Windows\{E990F2B8-8741-45b4-AE8E-E3F2E20197CD}.exe

Filesize
192KB

MD5
68bdf8aef15aa892f5eb0f5245933604

SHA1
d9dad889fc1d1b50370c8367bc51b002a0868932

SHA256
cf0e874c4a01d246b3e98410ada971884dbc905548253cf9720940202046a45a

SHA512
712df994090b515e0e16a21f42ed5530133e3ace6c23f286e9d737be37cbfe8e7720e47974bc5521312c5fab8ce91d1a7c42f5384e018a9d8374ab104c1efedf

Download Submit
C:\Windows\{F85710CA-BDBB-4195-A312-C625A71F9348}.exe

Filesize
192KB

MD5
a3f3b615c7c2eae2a8a390c704f57e1f

SHA1
eafb5a533f4f158f6cc38c3c90c132910cfd0881

SHA256
85cf6c5baaf31cba2a20ad2a8e01e0a85935584412bbc44bd4bd209e2ce649c5

SHA512
14bfca766bfe23b6f440039c8a5b305f8adc78ee285f4b5ec92b25c039812abc8e215b4708334a32d00ec8e6506b9f54eabbfed4ca787628716c0997c8e26a8b

Download Submit
C:\Windows\{F85710CA-BDBB-4195-A312-C625A71F9348}.exe

Filesize
192KB

MD5
a3f3b615c7c2eae2a8a390c704f57e1f

SHA1
eafb5a533f4f158f6cc38c3c90c132910cfd0881

SHA256
85cf6c5baaf31cba2a20ad2a8e01e0a85935584412bbc44bd4bd209e2ce649c5

SHA512
14bfca766bfe23b6f440039c8a5b305f8adc78ee285f4b5ec92b25c039812abc8e215b4708334a32d00ec8e6506b9f54eabbfed4ca787628716c0997c8e26a8b

Download Submit
C:\Windows\{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe

Filesize
192KB

MD5
1ec40a7f80e03c60fc5e2b5b5c4f03f1

SHA1
eb52a7b56510680377a606b1d7c4347b51386bf6

SHA256
ce7b8b071afe044a037909fdfe58ec29f7c9f8ef830da8589face259a9311d7b

SHA512
55e8ae14c07288ac0676bd3159ceb5389daf1f65b25f69aa9afe2a018d50c915fd47498fd43bd75dbc5be2979958d2276f158a0562a3e6f6a347ef9fa2862172

Download Submit
C:\Windows\{FD2E1BB6-3F06-40ea-AC5B-754BB648D8A1}.exe

Filesize
192KB

MD5
1ec40a7f80e03c60fc5e2b5b5c4f03f1

SHA1
eb52a7b56510680377a606b1d7c4347b51386bf6

SHA256
ce7b8b071afe044a037909fdfe58ec29f7c9f8ef830da8589face259a9311d7b

SHA512
55e8ae14c07288ac0676bd3159ceb5389daf1f65b25f69aa9afe2a018d50c915fd47498fd43bd75dbc5be2979958d2276f158a0562a3e6f6a347ef9fa2862172

Download Submit