55775234cf63a1694d0f6e14c8865a456aa36b4bb58a4e00df36fe115b2a160d

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15-07-2023 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e83f764d2e9fcexeexe_JC.exe
Size

372KB
MD5

4e83f764d2e9fc3c62a3309edfde13f7
SHA1

484aa5b28e9741b9cef27ef01d42d7d2df0af9f0
SHA256

55775234cf63a1694d0f6e14c8865a456aa36b4bb58a4e00df36fe115b2a160d
SHA512

d787a44638598a7890fffadbe98e4e9733637522862e739606ba26c28d38e3e926bec9cd69c220af27b7447d4768cccd6e970d372580f3b99d20cafc430233f8
SSDEEP

3072:CEGh0o8mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGjl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}\stubpath = "C:\\Windows\\{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe"	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}\stubpath = "C:\\Windows\\{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe"	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}\stubpath = "C:\\Windows\\{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe"	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2C81EDD-90D6-4840-93DD-CD420F456D7F}\stubpath = "C:\\Windows\\{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe"	4e83f764d2e9fcexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34B557F2-DED3-4d08-8677-39093BE5A470}	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34B557F2-DED3-4d08-8677-39093BE5A470}\stubpath = "C:\\Windows\\{34B557F2-DED3-4d08-8677-39093BE5A470}.exe"	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}	{34B557F2-DED3-4d08-8677-39093BE5A470}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D47692C6-FE5B-49dc-89C9-8A032370F68F}	{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D47692C6-FE5B-49dc-89C9-8A032370F68F}\stubpath = "C:\\Windows\\{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe"	{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CA0B002-B6CF-4d2f-B71E-9B8F5B70E8F4}	{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CA0B002-B6CF-4d2f-B71E-9B8F5B70E8F4}\stubpath = "C:\\Windows\\{7CA0B002-B6CF-4d2f-B71E-9B8F5B70E8F4}.exe"	{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A2C81EDD-90D6-4840-93DD-CD420F456D7F}	4e83f764d2e9fcexeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}\stubpath = "C:\\Windows\\{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe"	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96A4A3E7-2701-4fbf-B640-65C948D639D4}	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{96A4A3E7-2701-4fbf-B640-65C948D639D4}\stubpath = "C:\\Windows\\{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe"	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}\stubpath = "C:\\Windows\\{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe"	{34B557F2-DED3-4d08-8677-39093BE5A470}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}\stubpath = "C:\\Windows\\{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe"	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe

Deletes itself 1 IoCs

pid	Process
756	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2456	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe
2720	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe
2740	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe
2880	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe
2744	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe
2540	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe
472	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe
1132	{34B557F2-DED3-4d08-8677-39093BE5A470}.exe
832	{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe
2376	{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe
2964	{7CA0B002-B6CF-4d2f-B71E-9B8F5B70E8F4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe	{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe
File created	C:\Windows\{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe	4e83f764d2e9fcexeexe_JC.exe
File created	C:\Windows\{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe
File created	C:\Windows\{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe
File created	C:\Windows\{34B557F2-DED3-4d08-8677-39093BE5A470}.exe	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe
File created	C:\Windows\{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe	{34B557F2-DED3-4d08-8677-39093BE5A470}.exe
File created	C:\Windows\{7CA0B002-B6CF-4d2f-B71E-9B8F5B70E8F4}.exe	{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe
File created	C:\Windows\{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe
File created	C:\Windows\{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe
File created	C:\Windows\{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe
File created	C:\Windows\{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2060	4e83f764d2e9fcexeexe_JC.exe
Token: SeIncBasePriorityPrivilege	2456	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe
Token: SeIncBasePriorityPrivilege	2720	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe
Token: SeIncBasePriorityPrivilege	2740	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe
Token: SeIncBasePriorityPrivilege	2880	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe
Token: SeIncBasePriorityPrivilege	2744	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe
Token: SeIncBasePriorityPrivilege	2540	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe
Token: SeIncBasePriorityPrivilege	472	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe
Token: SeIncBasePriorityPrivilege	1132	{34B557F2-DED3-4d08-8677-39093BE5A470}.exe
Token: SeIncBasePriorityPrivilege	832	{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe
Token: SeIncBasePriorityPrivilege	2376	{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2456	2060	4e83f764d2e9fcexeexe_JC.exe	28
PID 2060 wrote to memory of 2456	2060	4e83f764d2e9fcexeexe_JC.exe	28
PID 2060 wrote to memory of 2456	2060	4e83f764d2e9fcexeexe_JC.exe	28
PID 2060 wrote to memory of 2456	2060	4e83f764d2e9fcexeexe_JC.exe	28
PID 2060 wrote to memory of 756	2060	4e83f764d2e9fcexeexe_JC.exe	29
PID 2060 wrote to memory of 756	2060	4e83f764d2e9fcexeexe_JC.exe	29
PID 2060 wrote to memory of 756	2060	4e83f764d2e9fcexeexe_JC.exe	29
PID 2060 wrote to memory of 756	2060	4e83f764d2e9fcexeexe_JC.exe	29
PID 2456 wrote to memory of 2720	2456	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe	32
PID 2456 wrote to memory of 2720	2456	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe	32
PID 2456 wrote to memory of 2720	2456	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe	32
PID 2456 wrote to memory of 2720	2456	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe	32
PID 2456 wrote to memory of 2912	2456	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe	33
PID 2456 wrote to memory of 2912	2456	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe	33
PID 2456 wrote to memory of 2912	2456	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe	33
PID 2456 wrote to memory of 2912	2456	{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe	33
PID 2720 wrote to memory of 2740	2720	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe	34
PID 2720 wrote to memory of 2740	2720	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe	34
PID 2720 wrote to memory of 2740	2720	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe	34
PID 2720 wrote to memory of 2740	2720	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe	34
PID 2720 wrote to memory of 2192	2720	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe	35
PID 2720 wrote to memory of 2192	2720	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe	35
PID 2720 wrote to memory of 2192	2720	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe	35
PID 2720 wrote to memory of 2192	2720	{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe	35
PID 2740 wrote to memory of 2880	2740	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe	37
PID 2740 wrote to memory of 2880	2740	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe	37
PID 2740 wrote to memory of 2880	2740	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe	37
PID 2740 wrote to memory of 2880	2740	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe	37
PID 2740 wrote to memory of 2712	2740	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe	36
PID 2740 wrote to memory of 2712	2740	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe	36
PID 2740 wrote to memory of 2712	2740	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe	36
PID 2740 wrote to memory of 2712	2740	{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe	36
PID 2880 wrote to memory of 2744	2880	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe	38
PID 2880 wrote to memory of 2744	2880	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe	38
PID 2880 wrote to memory of 2744	2880	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe	38
PID 2880 wrote to memory of 2744	2880	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe	38
PID 2880 wrote to memory of 2832	2880	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe	39
PID 2880 wrote to memory of 2832	2880	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe	39
PID 2880 wrote to memory of 2832	2880	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe	39
PID 2880 wrote to memory of 2832	2880	{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe	39
PID 2744 wrote to memory of 2540	2744	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe	40
PID 2744 wrote to memory of 2540	2744	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe	40
PID 2744 wrote to memory of 2540	2744	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe	40
PID 2744 wrote to memory of 2540	2744	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe	40
PID 2744 wrote to memory of 524	2744	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe	41
PID 2744 wrote to memory of 524	2744	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe	41
PID 2744 wrote to memory of 524	2744	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe	41
PID 2744 wrote to memory of 524	2744	{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe	41
PID 2540 wrote to memory of 472	2540	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe	42
PID 2540 wrote to memory of 472	2540	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe	42
PID 2540 wrote to memory of 472	2540	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe	42
PID 2540 wrote to memory of 472	2540	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe	42
PID 2540 wrote to memory of 1484	2540	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe	43
PID 2540 wrote to memory of 1484	2540	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe	43
PID 2540 wrote to memory of 1484	2540	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe	43
PID 2540 wrote to memory of 1484	2540	{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe	43
PID 472 wrote to memory of 1132	472	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe	44
PID 472 wrote to memory of 1132	472	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe	44
PID 472 wrote to memory of 1132	472	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe	44
PID 472 wrote to memory of 1132	472	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe	44
PID 472 wrote to memory of 2008	472	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe	45
PID 472 wrote to memory of 2008	472	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe	45
PID 472 wrote to memory of 2008	472	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe	45
PID 472 wrote to memory of 2008	472	{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe	45

C:\Users\Admin\AppData\Local\Temp\4e83f764d2e9fcexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4e83f764d2e9fcexeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe
  C:\Windows\{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2456
- - C:\Windows\{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe
    C:\Windows\{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe
      C:\Windows\{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5C751~1.EXE > nul
        5⤵
        
        PID:2712
    - - C:\Windows\{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe
        
        C:\Windows\{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe
        
        C:\Windows\{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe
        
        C:\Windows\{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe
        
        C:\Windows\{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{34B557F2-DED3-4d08-8677-39093BE5A470}.exe
        
        C:\Windows\{34B557F2-DED3-4d08-8677-39093BE5A470}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe
        
        C:\Windows\{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe
        
        C:\Windows\{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\{7CA0B002-B6CF-4d2f-B71E-9B8F5B70E8F4}.exe
        
        C:\Windows\{7CA0B002-B6CF-4d2f-B71E-9B8F5B70E8F4}.exe
        12⤵
        Executes dropped EXE
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4769~1.EXE > nul
        12⤵
        
        PID:1980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE512~1.EXE > nul
        11⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34B55~1.EXE > nul
        10⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94AA1~1.EXE > nul
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00FF0~1.EXE > nul
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96A4A~1.EXE > nul
        7⤵
        
        PID:524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4E45~1.EXE > nul
        6⤵
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9E3DF~1.EXE > nul
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A2C81~1.EXE > nul
    3⤵
    PID:2912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4E83F7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe

Filesize
372KB

MD5
93dbe111b2c3e3a1ab1e7115de21a461

SHA1
8fa541c0233b366106746a4d5bc2ea6077a3bcb8

SHA256
1d9b88113d19962707cbf52725de8be65f090ce41dc17c62aa8ea0b04687577e

SHA512
79d9de21a99003869c70704407db45a1cf75e777227666d2f9cd523abc9f9a801f8b4eef3664dbce73a8f6399083847a97d74d3e580b09015e76e07428ac0a54

Download Submit
C:\Windows\{00FF03F8-401F-49fb-8AE0-DDE9742AEB70}.exe

Filesize
372KB

MD5
93dbe111b2c3e3a1ab1e7115de21a461

SHA1
8fa541c0233b366106746a4d5bc2ea6077a3bcb8

SHA256
1d9b88113d19962707cbf52725de8be65f090ce41dc17c62aa8ea0b04687577e

SHA512
79d9de21a99003869c70704407db45a1cf75e777227666d2f9cd523abc9f9a801f8b4eef3664dbce73a8f6399083847a97d74d3e580b09015e76e07428ac0a54

Download Submit
C:\Windows\{34B557F2-DED3-4d08-8677-39093BE5A470}.exe

Filesize
372KB

MD5
7fdcb61428dff195f26baf8713717412

SHA1
ed59364ef42045672e780940ff04287e656e5230

SHA256
211116638948ea54ee812aba999dd58056f9daaf0f9cb265beb4f224941e3e03

SHA512
2b6226dbfce30e424102af303b70c8757e65a9a8c93ecb9601e94cd18ab3c1c08a2095b4b28e666c338c22151c618830ef295fe7b7c11844f9e0aa645b4b4c81

Download Submit
C:\Windows\{34B557F2-DED3-4d08-8677-39093BE5A470}.exe

Filesize
372KB

MD5
7fdcb61428dff195f26baf8713717412

SHA1
ed59364ef42045672e780940ff04287e656e5230

SHA256
211116638948ea54ee812aba999dd58056f9daaf0f9cb265beb4f224941e3e03

SHA512
2b6226dbfce30e424102af303b70c8757e65a9a8c93ecb9601e94cd18ab3c1c08a2095b4b28e666c338c22151c618830ef295fe7b7c11844f9e0aa645b4b4c81

Download Submit
C:\Windows\{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe

Filesize
372KB

MD5
f022e17e2b6663dea5e19e4566000f0a

SHA1
a376acb6cc95bf37f45153c9fad0714308514772

SHA256
437a99d499f63eb5c58af4c2328a750b03cffcb4532d018ea1ca6a4c838a87f9

SHA512
2301d65157d30a52617c998be041a40014fdd47550d691c310b0bee465889a5be8e01270b09e2cec28107ba5b6b8f01e6e732f66d22ab551f73eff64dec65b02

Download Submit
C:\Windows\{5C7518E2-824E-4cd4-AABB-96C2E5CC0418}.exe

Filesize
372KB

MD5
f022e17e2b6663dea5e19e4566000f0a

SHA1
a376acb6cc95bf37f45153c9fad0714308514772

SHA256
437a99d499f63eb5c58af4c2328a750b03cffcb4532d018ea1ca6a4c838a87f9

SHA512
2301d65157d30a52617c998be041a40014fdd47550d691c310b0bee465889a5be8e01270b09e2cec28107ba5b6b8f01e6e732f66d22ab551f73eff64dec65b02

Download Submit
C:\Windows\{7CA0B002-B6CF-4d2f-B71E-9B8F5B70E8F4}.exe

Filesize
372KB

MD5
a159666bd7f9bb856e360d428232ab6a

SHA1
b9838b224cfd014a3ee0a37c460d4781ca9a5365

SHA256
feb7d76ff941e61f8be5cb37ee40f63bf2bd2a1bf9871963b3c12d6788c5de9a

SHA512
973249e8dc262b649ca83c04b6f183d1e8734c55a3d96b3e837f13488594001a85fc3fe3d4019cbdeee1bbb9296db5558871ccb4a1066fa009912d5821c28a63

Download Submit
C:\Windows\{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe

Filesize
372KB

MD5
25ec442daed73a3469e438be7c1cf771

SHA1
db2579f58bda2f1fc354e31b8b59f136dc7b3a51

SHA256
301c9e621fcb4cb0fdd334d951753c5eca4ff5001d2acadcf90c90bbd2cb3c89

SHA512
1de2fa50dd986d10099f9b63225edea775b43f32f181113f37a39b4451decc1d5bb2f308021876b24288c267903e714c1d80ab79a4d4660262e70a609f494f99

Download Submit
C:\Windows\{94AA1F4D-DF4F-4c0a-91EC-13FAAEB88B0C}.exe

Filesize
372KB

MD5
25ec442daed73a3469e438be7c1cf771

SHA1
db2579f58bda2f1fc354e31b8b59f136dc7b3a51

SHA256
301c9e621fcb4cb0fdd334d951753c5eca4ff5001d2acadcf90c90bbd2cb3c89

SHA512
1de2fa50dd986d10099f9b63225edea775b43f32f181113f37a39b4451decc1d5bb2f308021876b24288c267903e714c1d80ab79a4d4660262e70a609f494f99

Download Submit
C:\Windows\{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe

Filesize
372KB

MD5
dca53ef13b6c716fe92922effdd46654

SHA1
a4f3382c648cec1c8306869fe995ee7aae1ca0d5

SHA256
ed704204c92a9f03068f95f0abe1ff2792f1b5605b944173a8506125367b1aa5

SHA512
1f0a5d09a445d21b12e614c382421dcff5392d6320dbe36308a36fc2878c9f48535ed8bf43f924040fa5748220c9c65faef88669c93a6e7999cd54bceae881c0

Download Submit
C:\Windows\{96A4A3E7-2701-4fbf-B640-65C948D639D4}.exe

Filesize
372KB

MD5
dca53ef13b6c716fe92922effdd46654

SHA1
a4f3382c648cec1c8306869fe995ee7aae1ca0d5

SHA256
ed704204c92a9f03068f95f0abe1ff2792f1b5605b944173a8506125367b1aa5

SHA512
1f0a5d09a445d21b12e614c382421dcff5392d6320dbe36308a36fc2878c9f48535ed8bf43f924040fa5748220c9c65faef88669c93a6e7999cd54bceae881c0

Download Submit
C:\Windows\{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe

Filesize
372KB

MD5
5803162d582dee0f0bbd4d47dd7a35a2

SHA1
f29c93540608ac8efbcd1cb51eba8443912aa525

SHA256
c69c192bb285d93ec67c010d1c869bb39c1ba66f021b178222b873ab5af128d7

SHA512
4403c13c69c11a26cb8166602e2572697cf8ced83fbba48e3197db937f084afa8d4c7e4f0af349aaf35286b7589241efcafabdfe13bc3d41b2587db39d6a118d

Download Submit
C:\Windows\{9E3DF7AD-A351-4dae-9C1B-18882F7C0720}.exe

Filesize
372KB

MD5
5803162d582dee0f0bbd4d47dd7a35a2

SHA1
f29c93540608ac8efbcd1cb51eba8443912aa525

SHA256
c69c192bb285d93ec67c010d1c869bb39c1ba66f021b178222b873ab5af128d7

SHA512
4403c13c69c11a26cb8166602e2572697cf8ced83fbba48e3197db937f084afa8d4c7e4f0af349aaf35286b7589241efcafabdfe13bc3d41b2587db39d6a118d

Download Submit
C:\Windows\{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe

Filesize
372KB

MD5
9efa63a8d2cfa4170f9188d9fec52df9

SHA1
0f5c51a921224555e5803d5f3319a6ac49455308

SHA256
78a33b9461dbed3bee3916210011503d00e2944175eae839830df7b257dce933

SHA512
ad43c1c52dc4eedcd876626c759cc8cc299018040aceb9eea1897034b1547f1f667e6235cd7e324a8a6280214e082593e551603b5b673193569bb1b177d083a9

Download Submit
C:\Windows\{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe

Filesize
372KB

MD5
9efa63a8d2cfa4170f9188d9fec52df9

SHA1
0f5c51a921224555e5803d5f3319a6ac49455308

SHA256
78a33b9461dbed3bee3916210011503d00e2944175eae839830df7b257dce933

SHA512
ad43c1c52dc4eedcd876626c759cc8cc299018040aceb9eea1897034b1547f1f667e6235cd7e324a8a6280214e082593e551603b5b673193569bb1b177d083a9

Download Submit
C:\Windows\{A2C81EDD-90D6-4840-93DD-CD420F456D7F}.exe

Filesize
372KB

MD5
9efa63a8d2cfa4170f9188d9fec52df9

SHA1
0f5c51a921224555e5803d5f3319a6ac49455308

SHA256
78a33b9461dbed3bee3916210011503d00e2944175eae839830df7b257dce933

SHA512
ad43c1c52dc4eedcd876626c759cc8cc299018040aceb9eea1897034b1547f1f667e6235cd7e324a8a6280214e082593e551603b5b673193569bb1b177d083a9

Download Submit
C:\Windows\{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe

Filesize
372KB

MD5
dce00d61422e142dad22b48518cb4b40

SHA1
5d7bc2e9efc08390c2099bfef824942e8a3c3184

SHA256
86039a07a8df0f5180ccccbece921e5105d1abe6519cd7df92adc50c8eb585bc

SHA512
8abcecbfacc850402a336032d188329624e39111fc1031afec873462be0f8729f78a3f85efc623b9661293fcf4228cc5fad04b2655cbfeb04a507c4540b73604

Download Submit
C:\Windows\{AE512BBF-265F-4fc6-89AA-E1FBEE75BE03}.exe

Filesize
372KB

MD5
dce00d61422e142dad22b48518cb4b40

SHA1
5d7bc2e9efc08390c2099bfef824942e8a3c3184

SHA256
86039a07a8df0f5180ccccbece921e5105d1abe6519cd7df92adc50c8eb585bc

SHA512
8abcecbfacc850402a336032d188329624e39111fc1031afec873462be0f8729f78a3f85efc623b9661293fcf4228cc5fad04b2655cbfeb04a507c4540b73604

Download Submit
C:\Windows\{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe

Filesize
372KB

MD5
d559f5424c1bdb7fac9670b66b52ad0f

SHA1
0d302254bd9d5f20cf0a660e7156dde80c205fb8

SHA256
122aaab8a867a7126b65f9b36a8592d6362e44726952067179cd4aa77cde4e49

SHA512
ded66d059ee1ca61571f9e9f8c0ee9eff612106bdd4fe88a21b43f7a4db7a9a255dee11df8dce5434431ba6eddb0a0e17cd5d69345b830b6f6bed5b08eb46447

Download Submit
C:\Windows\{B4E45F9E-FF3D-4e94-AF32-C2058ABA86D0}.exe

Filesize
372KB

MD5
d559f5424c1bdb7fac9670b66b52ad0f

SHA1
0d302254bd9d5f20cf0a660e7156dde80c205fb8

SHA256
122aaab8a867a7126b65f9b36a8592d6362e44726952067179cd4aa77cde4e49

SHA512
ded66d059ee1ca61571f9e9f8c0ee9eff612106bdd4fe88a21b43f7a4db7a9a255dee11df8dce5434431ba6eddb0a0e17cd5d69345b830b6f6bed5b08eb46447

Download Submit
C:\Windows\{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe

Filesize
372KB

MD5
04319f9c38a03b94ef262e931157f1cb

SHA1
82f2c477dd82a3be1975fa793f6154ccb7463166

SHA256
83273769f7a5d330e647c5d3d37f67eb8c3e58d995ec10a2e2a97602c8bf9473

SHA512
2c7f9064a5cb2c963c0bfae95ae1934d58a392cfe72cc9360f22feffc8eff7e25e333e7023b6cad94dc1b63d4ee5991068f3a4d766caf40db17e8117197b337d

Download Submit
C:\Windows\{D47692C6-FE5B-49dc-89C9-8A032370F68F}.exe

Filesize
372KB

MD5
04319f9c38a03b94ef262e931157f1cb

SHA1
82f2c477dd82a3be1975fa793f6154ccb7463166

SHA256
83273769f7a5d330e647c5d3d37f67eb8c3e58d995ec10a2e2a97602c8bf9473

SHA512
2c7f9064a5cb2c963c0bfae95ae1934d58a392cfe72cc9360f22feffc8eff7e25e333e7023b6cad94dc1b63d4ee5991068f3a4d766caf40db17e8117197b337d

Download Submit