47a3a246d7a49999ac4a3abc534f8a954beb8d9ba675dba34369db8f4ba00110

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15-07-2023 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ef18495bd07b6exeexe_JC.exe
Size

168KB
MD5

4ef18495bd07b6802883b2697116c89a
SHA1

3a4e84dd9cbfab5598bf56b51cf1dba86799f4b4
SHA256

47a3a246d7a49999ac4a3abc534f8a954beb8d9ba675dba34369db8f4ba00110
SHA512

f2ddf881cbab6daff4659aaab72ba411dfcbe21b0ff99f0371e6eb341146f8afabf2a8e2920aa8236cc3740067d39be1b5721a6df443c674f8a34e4823f1d4e1
SSDEEP

1536:1EGh0ohlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ohlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}\stubpath = "C:\\Windows\\{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe"	{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{693551AD-5C42-4aea-9078-E435D9A45A1D}\stubpath = "C:\\Windows\\{693551AD-5C42-4aea-9078-E435D9A45A1D}.exe"	{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}\stubpath = "C:\\Windows\\{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe"	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}\stubpath = "C:\\Windows\\{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe"	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}	{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}\stubpath = "C:\\Windows\\{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe"	4ef18495bd07b6exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A8197DE-6955-44d9-939A-4D069595D70C}	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}\stubpath = "C:\\Windows\\{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe"	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}\stubpath = "C:\\Windows\\{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe"	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}	{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}	4ef18495bd07b6exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E62E90F-F097-4c9b-8FEB-455C0968AA56}	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{693551AD-5C42-4aea-9078-E435D9A45A1D}	{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E62E90F-F097-4c9b-8FEB-455C0968AA56}\stubpath = "C:\\Windows\\{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe"	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A8197DE-6955-44d9-939A-4D069595D70C}\stubpath = "C:\\Windows\\{0A8197DE-6955-44d9-939A-4D069595D70C}.exe"	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}\stubpath = "C:\\Windows\\{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe"	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}\stubpath = "C:\\Windows\\{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe"	{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
320	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe
2864	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe
2836	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe
2388	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe
2724	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe
2840	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe
2308	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe
1504	{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe
1492	{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe
2088	{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe
784	{693551AD-5C42-4aea-9078-E435D9A45A1D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe
File created	C:\Windows\{0A8197DE-6955-44d9-939A-4D069595D70C}.exe	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe
File created	C:\Windows\{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe
File created	C:\Windows\{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe	{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe
File created	C:\Windows\{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe	{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe
File created	C:\Windows\{693551AD-5C42-4aea-9078-E435D9A45A1D}.exe	{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe
File created	C:\Windows\{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe	4ef18495bd07b6exeexe_JC.exe
File created	C:\Windows\{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe
File created	C:\Windows\{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe
File created	C:\Windows\{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe
File created	C:\Windows\{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1152	4ef18495bd07b6exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	320	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe
Token: SeIncBasePriorityPrivilege	2864	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe
Token: SeIncBasePriorityPrivilege	2836	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe
Token: SeIncBasePriorityPrivilege	2388	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe
Token: SeIncBasePriorityPrivilege	2724	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe
Token: SeIncBasePriorityPrivilege	2840	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe
Token: SeIncBasePriorityPrivilege	2308	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe
Token: SeIncBasePriorityPrivilege	1504	{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe
Token: SeIncBasePriorityPrivilege	1492	{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe
Token: SeIncBasePriorityPrivilege	2088	{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 320	1152	4ef18495bd07b6exeexe_JC.exe	28
PID 1152 wrote to memory of 320	1152	4ef18495bd07b6exeexe_JC.exe	28
PID 1152 wrote to memory of 320	1152	4ef18495bd07b6exeexe_JC.exe	28
PID 1152 wrote to memory of 320	1152	4ef18495bd07b6exeexe_JC.exe	28
PID 1152 wrote to memory of 3036	1152	4ef18495bd07b6exeexe_JC.exe	29
PID 1152 wrote to memory of 3036	1152	4ef18495bd07b6exeexe_JC.exe	29
PID 1152 wrote to memory of 3036	1152	4ef18495bd07b6exeexe_JC.exe	29
PID 1152 wrote to memory of 3036	1152	4ef18495bd07b6exeexe_JC.exe	29
PID 320 wrote to memory of 2864	320	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe	30
PID 320 wrote to memory of 2864	320	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe	30
PID 320 wrote to memory of 2864	320	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe	30
PID 320 wrote to memory of 2864	320	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe	30
PID 320 wrote to memory of 2932	320	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe	31
PID 320 wrote to memory of 2932	320	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe	31
PID 320 wrote to memory of 2932	320	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe	31
PID 320 wrote to memory of 2932	320	{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe	31
PID 2864 wrote to memory of 2836	2864	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe	34
PID 2864 wrote to memory of 2836	2864	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe	34
PID 2864 wrote to memory of 2836	2864	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe	34
PID 2864 wrote to memory of 2836	2864	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe	34
PID 2864 wrote to memory of 3068	2864	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe	35
PID 2864 wrote to memory of 3068	2864	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe	35
PID 2864 wrote to memory of 3068	2864	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe	35
PID 2864 wrote to memory of 3068	2864	{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe	35
PID 2836 wrote to memory of 2388	2836	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe	37
PID 2836 wrote to memory of 2388	2836	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe	37
PID 2836 wrote to memory of 2388	2836	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe	37
PID 2836 wrote to memory of 2388	2836	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe	37
PID 2836 wrote to memory of 2768	2836	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe	36
PID 2836 wrote to memory of 2768	2836	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe	36
PID 2836 wrote to memory of 2768	2836	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe	36
PID 2836 wrote to memory of 2768	2836	{0A8197DE-6955-44d9-939A-4D069595D70C}.exe	36
PID 2388 wrote to memory of 2724	2388	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe	38
PID 2388 wrote to memory of 2724	2388	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe	38
PID 2388 wrote to memory of 2724	2388	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe	38
PID 2388 wrote to memory of 2724	2388	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe	38
PID 2388 wrote to memory of 2776	2388	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe	39
PID 2388 wrote to memory of 2776	2388	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe	39
PID 2388 wrote to memory of 2776	2388	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe	39
PID 2388 wrote to memory of 2776	2388	{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe	39
PID 2724 wrote to memory of 2840	2724	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe	40
PID 2724 wrote to memory of 2840	2724	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe	40
PID 2724 wrote to memory of 2840	2724	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe	40
PID 2724 wrote to memory of 2840	2724	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe	40
PID 2724 wrote to memory of 2320	2724	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe	41
PID 2724 wrote to memory of 2320	2724	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe	41
PID 2724 wrote to memory of 2320	2724	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe	41
PID 2724 wrote to memory of 2320	2724	{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe	41
PID 2840 wrote to memory of 2308	2840	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe	42
PID 2840 wrote to memory of 2308	2840	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe	42
PID 2840 wrote to memory of 2308	2840	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe	42
PID 2840 wrote to memory of 2308	2840	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe	42
PID 2840 wrote to memory of 472	2840	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe	43
PID 2840 wrote to memory of 472	2840	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe	43
PID 2840 wrote to memory of 472	2840	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe	43
PID 2840 wrote to memory of 472	2840	{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe	43
PID 2308 wrote to memory of 1504	2308	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe	44
PID 2308 wrote to memory of 1504	2308	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe	44
PID 2308 wrote to memory of 1504	2308	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe	44
PID 2308 wrote to memory of 1504	2308	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe	44
PID 2308 wrote to memory of 2260	2308	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe	45
PID 2308 wrote to memory of 2260	2308	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe	45
PID 2308 wrote to memory of 2260	2308	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe	45
PID 2308 wrote to memory of 2260	2308	{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe	45

C:\Users\Admin\AppData\Local\Temp\4ef18495bd07b6exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4ef18495bd07b6exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe
  C:\Windows\{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:320
- - C:\Windows\{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe
    C:\Windows\{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\{0A8197DE-6955-44d9-939A-4D069595D70C}.exe
      C:\Windows\{0A8197DE-6955-44d9-939A-4D069595D70C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A819~1.EXE > nul
        5⤵
        
        PID:2768
    - - C:\Windows\{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe
        
        C:\Windows\{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
      - C:\Windows\{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe
        
        C:\Windows\{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe
        
        C:\Windows\{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe
        
        C:\Windows\{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe
        
        C:\Windows\{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
        
        C:\Windows\{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe
        
        C:\Windows\{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe
        
        C:\Windows\{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01D2B~1.EXE > nul
        12⤵
        
        PID:2984
        
        C:\Windows\{693551AD-5C42-4aea-9078-E435D9A45A1D}.exe
        
        C:\Windows\{693551AD-5C42-4aea-9078-E435D9A45A1D}.exe
        12⤵
        Executes dropped EXE
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F4D5~1.EXE > nul
        11⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EE73~1.EXE > nul
        10⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D45F~1.EXE > nul
        9⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81E30~1.EXE > nul
        8⤵
        
        PID:472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5A96~1.EXE > nul
        7⤵
        
        PID:2320
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C1C6~1.EXE > nul
        6⤵
        
        PID:2776
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9E62E~1.EXE > nul
      4⤵
      PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5143C~1.EXE > nul
    3⤵
    PID:2932
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4EF184~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe

Filesize
168KB

MD5
406f827f2d83dda558e35a451865dd60

SHA1
7d27c648f4be31d4a0fb71fe4b3bd3442ddec09c

SHA256
9d65d6ec24e06f8d657e808aafb477531917624f087422944ef43153b8b0af75

SHA512
0ce4a4b031b5b857d4e90cf89ca170fbdaed7eaa20d0c3cc9b463f0cab9456b9b487b86de2a20f9550ad0dc3ab563546deec397a59a45f1c31ac67da60bce8c1

Download Submit
C:\Windows\{01D2B325-82AD-4d1f-B4D7-9A3CC2D2B74B}.exe

Filesize
168KB

MD5
406f827f2d83dda558e35a451865dd60

SHA1
7d27c648f4be31d4a0fb71fe4b3bd3442ddec09c

SHA256
9d65d6ec24e06f8d657e808aafb477531917624f087422944ef43153b8b0af75

SHA512
0ce4a4b031b5b857d4e90cf89ca170fbdaed7eaa20d0c3cc9b463f0cab9456b9b487b86de2a20f9550ad0dc3ab563546deec397a59a45f1c31ac67da60bce8c1

Download Submit
C:\Windows\{0A8197DE-6955-44d9-939A-4D069595D70C}.exe

Filesize
168KB

MD5
824920ed895d6693422899a6caa2e9ce

SHA1
9a723d7cdb249f669e32e08dcd7903d99e2f65d0

SHA256
336b2eddda46231d94258179365cdab5d42c75fe667bc9417017d44d6f750e28

SHA512
374e58edbec6070886fb90b15ec4a0c3e590b51dd418ec24ab60772c2b74b9bf3b11d968922922dff2a07d55b6bac04770db0979d51a90553d96be4ea0487568

Download Submit
C:\Windows\{0A8197DE-6955-44d9-939A-4D069595D70C}.exe

Filesize
168KB

MD5
824920ed895d6693422899a6caa2e9ce

SHA1
9a723d7cdb249f669e32e08dcd7903d99e2f65d0

SHA256
336b2eddda46231d94258179365cdab5d42c75fe667bc9417017d44d6f750e28

SHA512
374e58edbec6070886fb90b15ec4a0c3e590b51dd418ec24ab60772c2b74b9bf3b11d968922922dff2a07d55b6bac04770db0979d51a90553d96be4ea0487568

Download Submit
C:\Windows\{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe

Filesize
168KB

MD5
5dd1eb9014515811af1e07f0ae89dbfc

SHA1
5ea993c4f07ba7ef77098a549dcd9a99726cb54a

SHA256
3173ea6181e2f8d3ff7926d37d6e431f6ef588c5672b5c67d4b0b86111851233

SHA512
0c7cf7a0a18cd6e92c6d078a555675853c8b56aee5ef1cef73ae496557bbb95a26a42db20946ee38c64ba30ef92674497eef3095f9427db1b35d296a9da1493b

Download Submit
C:\Windows\{3C1C6733-8C2C-471a-BDD0-0032AA3323F9}.exe

Filesize
168KB

MD5
5dd1eb9014515811af1e07f0ae89dbfc

SHA1
5ea993c4f07ba7ef77098a549dcd9a99726cb54a

SHA256
3173ea6181e2f8d3ff7926d37d6e431f6ef588c5672b5c67d4b0b86111851233

SHA512
0c7cf7a0a18cd6e92c6d078a555675853c8b56aee5ef1cef73ae496557bbb95a26a42db20946ee38c64ba30ef92674497eef3095f9427db1b35d296a9da1493b

Download Submit
C:\Windows\{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe

Filesize
168KB

MD5
6d72ee3a72067c23280e6556f82d0f29

SHA1
8e4e6402f6e1923ed4f82b601bc494f025993dcf

SHA256
364c0e153281f20e1cd0163aae4d7f4ed383979d69a30b3121bac5de3f9798c1

SHA512
3f7e97dccbdaa0b179519f6ab965c819e1548ee121cbe9e43476aef2eab96268584334cf3dabc317b668f5884dd221bcb64d24ce92f389720a21ccc05dc35f21

Download Submit
C:\Windows\{3EE739F4-7C3E-4341-B1A1-FC28E7E4EE07}.exe

Filesize
168KB

MD5
6d72ee3a72067c23280e6556f82d0f29

SHA1
8e4e6402f6e1923ed4f82b601bc494f025993dcf

SHA256
364c0e153281f20e1cd0163aae4d7f4ed383979d69a30b3121bac5de3f9798c1

SHA512
3f7e97dccbdaa0b179519f6ab965c819e1548ee121cbe9e43476aef2eab96268584334cf3dabc317b668f5884dd221bcb64d24ce92f389720a21ccc05dc35f21

Download Submit
C:\Windows\{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe

Filesize
168KB

MD5
1503d791cc8e8ab1b58d81d88002b3d4

SHA1
9b7cfd661c08cc65b221ed28c25dc977e38540f0

SHA256
588d02dcfa6961ab2661367f575d9f06125f26663b8a1c51fc1004d2f49884a3

SHA512
51e4025e3f0e38c6b53da94dc5355c7a48ccf72711027711e4079f5477775599b81cc341f157ef54d4d313368954d3c851641a0b72146432236ed494f4fc487d

Download Submit
C:\Windows\{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe

Filesize
168KB

MD5
1503d791cc8e8ab1b58d81d88002b3d4

SHA1
9b7cfd661c08cc65b221ed28c25dc977e38540f0

SHA256
588d02dcfa6961ab2661367f575d9f06125f26663b8a1c51fc1004d2f49884a3

SHA512
51e4025e3f0e38c6b53da94dc5355c7a48ccf72711027711e4079f5477775599b81cc341f157ef54d4d313368954d3c851641a0b72146432236ed494f4fc487d

Download Submit
C:\Windows\{5143CA4D-E2A0-4522-BEEA-7CDB2D3CEB44}.exe

Filesize
168KB

MD5
1503d791cc8e8ab1b58d81d88002b3d4

SHA1
9b7cfd661c08cc65b221ed28c25dc977e38540f0

SHA256
588d02dcfa6961ab2661367f575d9f06125f26663b8a1c51fc1004d2f49884a3

SHA512
51e4025e3f0e38c6b53da94dc5355c7a48ccf72711027711e4079f5477775599b81cc341f157ef54d4d313368954d3c851641a0b72146432236ed494f4fc487d

Download Submit
C:\Windows\{693551AD-5C42-4aea-9078-E435D9A45A1D}.exe

Filesize
168KB

MD5
6808bd2f37cb24bf9426f69655684b9b

SHA1
be01b940650b03f2522441deea13e5f4bfd07462

SHA256
35c3cfc225c48c561ac627486f551c9e3103798c7f1612a5ae0337e5bd13b411

SHA512
9d61ed62cbb300899c1de251a7395c4e4ff321e309c21966f3f7080e3af8e2cbd21f13c9d0c3ca48b56b04e016c0591c027faff39996b7df676800bf0af56156

Download Submit
C:\Windows\{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe

Filesize
168KB

MD5
3976569f92e33387f89ea74de31c55d9

SHA1
52fdfa2e836d9e6f0afaf6534f1f514de5a205ff

SHA256
f0245a5307c00f5f498d5e455f9f18121216da07f69c6abdc48e780e6c122111

SHA512
0176c9531d677601d435ed2d4378a39e1fe84cf467847814e8db80385d9f381be248d02505b24c1562626ab5334cb94e51d312171d508bab40598cb5ed2bcc46

Download Submit
C:\Windows\{6D45FECA-8903-4fe1-A32C-A93AB2F6A62B}.exe

Filesize
168KB

MD5
3976569f92e33387f89ea74de31c55d9

SHA1
52fdfa2e836d9e6f0afaf6534f1f514de5a205ff

SHA256
f0245a5307c00f5f498d5e455f9f18121216da07f69c6abdc48e780e6c122111

SHA512
0176c9531d677601d435ed2d4378a39e1fe84cf467847814e8db80385d9f381be248d02505b24c1562626ab5334cb94e51d312171d508bab40598cb5ed2bcc46

Download Submit
C:\Windows\{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe

Filesize
168KB

MD5
ad6cc0515239ec849de640ec2ea6ca37

SHA1
ee3997cdc8cd655b0104f6c42577eb99e12367b0

SHA256
12c68f2d6d67fc7ccc36e1ce4fed0c1c813555e7df08d7fde5e26c2809bd0dd2

SHA512
440dce18aef3c82c5ee2e3c492c9ae6bdb1649c91c74e6455da364ef16bff10d554cd2b4f8b991e56efb7ae09e1ad4c42e53495e01997ac87102587991dd44da

Download Submit
C:\Windows\{81E30AE2-15AD-4a5d-BC26-1CA8DA53DED3}.exe

Filesize
168KB

MD5
ad6cc0515239ec849de640ec2ea6ca37

SHA1
ee3997cdc8cd655b0104f6c42577eb99e12367b0

SHA256
12c68f2d6d67fc7ccc36e1ce4fed0c1c813555e7df08d7fde5e26c2809bd0dd2

SHA512
440dce18aef3c82c5ee2e3c492c9ae6bdb1649c91c74e6455da364ef16bff10d554cd2b4f8b991e56efb7ae09e1ad4c42e53495e01997ac87102587991dd44da

Download Submit
C:\Windows\{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe

Filesize
168KB

MD5
9f49da85b82c7806dbc690072adfb272

SHA1
45fcb95703e53a99936080d37cbc3c4ca2d77095

SHA256
6e200773d1208d2de866ae2258cc422cf54995504251c4cb28c1161e6f2fba54

SHA512
8b71221b4aff455d99d74c0f2d2b863792fb7f539ac3e4d5f3cb906dc4b5c816b5811eba5a4c74f68b8d48b3b1c8cfd3cd36a8494e439d5f66fdb5039a172458

Download Submit
C:\Windows\{8F4D546B-A8E1-42ff-9F2A-7FBAB862E159}.exe

Filesize
168KB

MD5
9f49da85b82c7806dbc690072adfb272

SHA1
45fcb95703e53a99936080d37cbc3c4ca2d77095

SHA256
6e200773d1208d2de866ae2258cc422cf54995504251c4cb28c1161e6f2fba54

SHA512
8b71221b4aff455d99d74c0f2d2b863792fb7f539ac3e4d5f3cb906dc4b5c816b5811eba5a4c74f68b8d48b3b1c8cfd3cd36a8494e439d5f66fdb5039a172458

Download Submit
C:\Windows\{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe

Filesize
168KB

MD5
d7723ca2cddb6e0abb0c2e18b52b4b06

SHA1
90dc4f1efdb1b7343aa83781fd151063f6e7d7fe

SHA256
6e5492335086c911d16984882a603b96837a4ec475fb31e15add1ce5cc59cfbf

SHA512
e797126ea3eee70d354b0c55e67500ac1528a4adcc5a03850bc21d4833de5939acb5c6bd0627726fbd3d0794e6bc0c2ae7f71afbbe01e8d0a00415eef1ce8320

Download Submit
C:\Windows\{9E62E90F-F097-4c9b-8FEB-455C0968AA56}.exe

Filesize
168KB

MD5
d7723ca2cddb6e0abb0c2e18b52b4b06

SHA1
90dc4f1efdb1b7343aa83781fd151063f6e7d7fe

SHA256
6e5492335086c911d16984882a603b96837a4ec475fb31e15add1ce5cc59cfbf

SHA512
e797126ea3eee70d354b0c55e67500ac1528a4adcc5a03850bc21d4833de5939acb5c6bd0627726fbd3d0794e6bc0c2ae7f71afbbe01e8d0a00415eef1ce8320

Download Submit
C:\Windows\{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe

Filesize
168KB

MD5
92b2fd489cc20705532ed9d2e136c188

SHA1
2c9f065dd96a737e76cdf3136889f1a33f1c09f6

SHA256
0975b52d885d422126827697bece0baf6318553c931bb1982c118b3c8ee0ec39

SHA512
f9c7ccb3c168d26c2cb6eb7bd4be07a39df49a87831f54603f1e5439a3dc137e8d850449b559387106396302ff43f10c8d59e661f7770900a7e7f17ba15698fc

Download Submit
C:\Windows\{A5A9661B-2190-4d38-BD16-0D8CF5B1775D}.exe

Filesize
168KB

MD5
92b2fd489cc20705532ed9d2e136c188

SHA1
2c9f065dd96a737e76cdf3136889f1a33f1c09f6

SHA256
0975b52d885d422126827697bece0baf6318553c931bb1982c118b3c8ee0ec39

SHA512
f9c7ccb3c168d26c2cb6eb7bd4be07a39df49a87831f54603f1e5439a3dc137e8d850449b559387106396302ff43f10c8d59e661f7770900a7e7f17ba15698fc

Download Submit