7730f8957e88eb4a02b4b4a4f64c8903b1bc380b164f626a1c8149e5dc873551

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/07/2023, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546eabb692dab6_JC.exe
Size

192KB
MD5

546eabb692dab6cd66b7199045361123
SHA1

203f7016e23ab7b7d5511d3fe0c1cd544ba7c337
SHA256

7730f8957e88eb4a02b4b4a4f64c8903b1bc380b164f626a1c8149e5dc873551
SHA512

376583e0e9d7970bebd6bac2438da34197e8d3d54ae00de3da2608c184046d2cd6d1f39d15f6b015b89c135e3cefd8700088740f4779b489af2ca634122989d3
SSDEEP

1536:1EGh0oHl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oHl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7E45005-5676-4deb-BAD3-EA86D92729CE}\stubpath = "C:\\Windows\\{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe"	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{038F2906-9512-4867-9CC6-C8E167089760}	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}\stubpath = "C:\\Windows\\{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe"	{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}	546eabb692dab6_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}\stubpath = "C:\\Windows\\{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe"	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}\stubpath = "C:\\Windows\\{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe"	546eabb692dab6_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9EA99A8-EE60-4229-AE03-F032143CF298}\stubpath = "C:\\Windows\\{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe"	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{640CE293-72F9-4189-A67A-0C00643B2ADF}\stubpath = "C:\\Windows\\{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe"	{038F2906-9512-4867-9CC6-C8E167089760}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A3D9B39-BAE1-411e-9610-2EF554D5ACA4}\stubpath = "C:\\Windows\\{3A3D9B39-BAE1-411e-9610-2EF554D5ACA4}.exe"	{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}\stubpath = "C:\\Windows\\{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe"	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{038F2906-9512-4867-9CC6-C8E167089760}\stubpath = "C:\\Windows\\{038F2906-9512-4867-9CC6-C8E167089760}.exe"	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3A3D9B39-BAE1-411e-9610-2EF554D5ACA4}	{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDB8DD5C-04DA-443b-A966-679C4129775F}\stubpath = "C:\\Windows\\{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe"	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D7E45005-5676-4deb-BAD3-EA86D92729CE}	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{640CE293-72F9-4189-A67A-0C00643B2ADF}	{038F2906-9512-4867-9CC6-C8E167089760}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{764835D5-ECE5-4825-8907-E9916B2D8E2D}	{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{764835D5-ECE5-4825-8907-E9916B2D8E2D}\stubpath = "C:\\Windows\\{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe"	{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C9EA99A8-EE60-4229-AE03-F032143CF298}	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDB8DD5C-04DA-443b-A966-679C4129775F}	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}	{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe

Deletes itself 1 IoCs

pid	Process
1580	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2300	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe
2804	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe
2920	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe
2836	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe
2944	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe
612	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe
2704	{038F2906-9512-4867-9CC6-C8E167089760}.exe
2312	{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe
2884	{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe
1852	{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe
1616	{3A3D9B39-BAE1-411e-9610-2EF554D5ACA4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe
File created	C:\Windows\{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe	{038F2906-9512-4867-9CC6-C8E167089760}.exe
File created	C:\Windows\{3A3D9B39-BAE1-411e-9610-2EF554D5ACA4}.exe	{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe
File created	C:\Windows\{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe	546eabb692dab6_JC.exe
File created	C:\Windows\{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe
File created	C:\Windows\{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe
File created	C:\Windows\{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe
File created	C:\Windows\{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe
File created	C:\Windows\{038F2906-9512-4867-9CC6-C8E167089760}.exe	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe
File created	C:\Windows\{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe	{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe
File created	C:\Windows\{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe	{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	546eabb692dab6_JC.exe
Token: SeIncBasePriorityPrivilege	2300	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe
Token: SeIncBasePriorityPrivilege	2804	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe
Token: SeIncBasePriorityPrivilege	2920	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe
Token: SeIncBasePriorityPrivilege	2836	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe
Token: SeIncBasePriorityPrivilege	2944	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe
Token: SeIncBasePriorityPrivilege	612	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe
Token: SeIncBasePriorityPrivilege	2704	{038F2906-9512-4867-9CC6-C8E167089760}.exe
Token: SeIncBasePriorityPrivilege	2312	{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe
Token: SeIncBasePriorityPrivilege	2884	{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe
Token: SeIncBasePriorityPrivilege	1852	{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2300	2224	546eabb692dab6_JC.exe	28
PID 2224 wrote to memory of 2300	2224	546eabb692dab6_JC.exe	28
PID 2224 wrote to memory of 2300	2224	546eabb692dab6_JC.exe	28
PID 2224 wrote to memory of 2300	2224	546eabb692dab6_JC.exe	28
PID 2224 wrote to memory of 1580	2224	546eabb692dab6_JC.exe	29
PID 2224 wrote to memory of 1580	2224	546eabb692dab6_JC.exe	29
PID 2224 wrote to memory of 1580	2224	546eabb692dab6_JC.exe	29
PID 2224 wrote to memory of 1580	2224	546eabb692dab6_JC.exe	29
PID 2300 wrote to memory of 2804	2300	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe	32
PID 2300 wrote to memory of 2804	2300	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe	32
PID 2300 wrote to memory of 2804	2300	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe	32
PID 2300 wrote to memory of 2804	2300	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe	32
PID 2300 wrote to memory of 2820	2300	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe	33
PID 2300 wrote to memory of 2820	2300	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe	33
PID 2300 wrote to memory of 2820	2300	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe	33
PID 2300 wrote to memory of 2820	2300	{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe	33
PID 2804 wrote to memory of 2920	2804	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe	35
PID 2804 wrote to memory of 2920	2804	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe	35
PID 2804 wrote to memory of 2920	2804	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe	35
PID 2804 wrote to memory of 2920	2804	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe	35
PID 2804 wrote to memory of 2912	2804	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe	34
PID 2804 wrote to memory of 2912	2804	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe	34
PID 2804 wrote to memory of 2912	2804	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe	34
PID 2804 wrote to memory of 2912	2804	{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe	34
PID 2920 wrote to memory of 2836	2920	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe	36
PID 2920 wrote to memory of 2836	2920	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe	36
PID 2920 wrote to memory of 2836	2920	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe	36
PID 2920 wrote to memory of 2836	2920	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe	36
PID 2920 wrote to memory of 2148	2920	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe	37
PID 2920 wrote to memory of 2148	2920	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe	37
PID 2920 wrote to memory of 2148	2920	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe	37
PID 2920 wrote to memory of 2148	2920	{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe	37
PID 2836 wrote to memory of 2944	2836	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe	38
PID 2836 wrote to memory of 2944	2836	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe	38
PID 2836 wrote to memory of 2944	2836	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe	38
PID 2836 wrote to memory of 2944	2836	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe	38
PID 2836 wrote to memory of 884	2836	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe	39
PID 2836 wrote to memory of 884	2836	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe	39
PID 2836 wrote to memory of 884	2836	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe	39
PID 2836 wrote to memory of 884	2836	{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe	39
PID 2944 wrote to memory of 612	2944	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe	40
PID 2944 wrote to memory of 612	2944	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe	40
PID 2944 wrote to memory of 612	2944	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe	40
PID 2944 wrote to memory of 612	2944	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe	40
PID 2944 wrote to memory of 2752	2944	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe	41
PID 2944 wrote to memory of 2752	2944	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe	41
PID 2944 wrote to memory of 2752	2944	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe	41
PID 2944 wrote to memory of 2752	2944	{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe	41
PID 612 wrote to memory of 2704	612	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe	42
PID 612 wrote to memory of 2704	612	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe	42
PID 612 wrote to memory of 2704	612	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe	42
PID 612 wrote to memory of 2704	612	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe	42
PID 612 wrote to memory of 2772	612	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe	43
PID 612 wrote to memory of 2772	612	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe	43
PID 612 wrote to memory of 2772	612	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe	43
PID 612 wrote to memory of 2772	612	{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe	43
PID 2704 wrote to memory of 2312	2704	{038F2906-9512-4867-9CC6-C8E167089760}.exe	44
PID 2704 wrote to memory of 2312	2704	{038F2906-9512-4867-9CC6-C8E167089760}.exe	44
PID 2704 wrote to memory of 2312	2704	{038F2906-9512-4867-9CC6-C8E167089760}.exe	44
PID 2704 wrote to memory of 2312	2704	{038F2906-9512-4867-9CC6-C8E167089760}.exe	44
PID 2704 wrote to memory of 1688	2704	{038F2906-9512-4867-9CC6-C8E167089760}.exe	45
PID 2704 wrote to memory of 1688	2704	{038F2906-9512-4867-9CC6-C8E167089760}.exe	45
PID 2704 wrote to memory of 1688	2704	{038F2906-9512-4867-9CC6-C8E167089760}.exe	45
PID 2704 wrote to memory of 1688	2704	{038F2906-9512-4867-9CC6-C8E167089760}.exe	45

C:\Users\Admin\AppData\Local\Temp\546eabb692dab6_JC.exe
"C:\Users\Admin\AppData\Local\Temp\546eabb692dab6_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe
  C:\Windows\{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe
    C:\Windows\{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C9EA9~1.EXE > nul
      4⤵
      PID:2912
  - - C:\Windows\{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe
      C:\Windows\{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe
        
        C:\Windows\{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe
        
        C:\Windows\{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe
        
        C:\Windows\{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\{038F2906-9512-4867-9CC6-C8E167089760}.exe
        
        C:\Windows\{038F2906-9512-4867-9CC6-C8E167089760}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe
        
        C:\Windows\{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe
        
        C:\Windows\{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76483~1.EXE > nul
        11⤵
        
        PID:1928
        
        C:\Windows\{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe
        
        C:\Windows\{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A833~1.EXE > nul
        12⤵
        
        PID:3032
        
        C:\Windows\{3A3D9B39-BAE1-411e-9610-2EF554D5ACA4}.exe
        
        C:\Windows\{3A3D9B39-BAE1-411e-9610-2EF554D5ACA4}.exe
        12⤵
        Executes dropped EXE
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{640CE~1.EXE > nul
        10⤵
        
        PID:620
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{038F2~1.EXE > nul
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7E45~1.EXE > nul
        8⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DDB8D~1.EXE > nul
        7⤵
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52025~1.EXE > nul
        6⤵
        
        PID:884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97D49~1.EXE > nul
        5⤵
        
        PID:2148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4198A~1.EXE > nul
    3⤵
    PID:2820
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\546EAB~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{038F2906-9512-4867-9CC6-C8E167089760}.exe

Filesize
192KB

MD5
67c5fd6848f643461ee78b16a2b08c35

SHA1
35be1b359c0bb85c19d339659a85aa8eeacf192f

SHA256
2f24849cebdd9be04d9fb5b0a4edb37063cd8cccace707683a5e44c067cfa3b8

SHA512
a0a9ceb08c77af0313b2af8a5b4dd3baf131d1ab0f9b9e5dde5b492028f25288b37a2402e33ed05dfa49dbcaf9a3b5086a0f2bc370cff70205fa53de68202c08

Download Submit
C:\Windows\{038F2906-9512-4867-9CC6-C8E167089760}.exe

Filesize
192KB

MD5
67c5fd6848f643461ee78b16a2b08c35

SHA1
35be1b359c0bb85c19d339659a85aa8eeacf192f

SHA256
2f24849cebdd9be04d9fb5b0a4edb37063cd8cccace707683a5e44c067cfa3b8

SHA512
a0a9ceb08c77af0313b2af8a5b4dd3baf131d1ab0f9b9e5dde5b492028f25288b37a2402e33ed05dfa49dbcaf9a3b5086a0f2bc370cff70205fa53de68202c08

Download Submit
C:\Windows\{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe

Filesize
192KB

MD5
eb1d08b896780d25affcce69af6b3016

SHA1
7a1f92b25e1845bdaad3f8671a5894bb5dda175c

SHA256
7ff2d24d08a00bd7adb2834f7e6e11504b71879a5198bb6038d635990a00adfb

SHA512
8bc43f834792209a64ab56f9c38aa85a575bf1aa003366f5e2795d48d6442b8b8f4a7c594100040e94bb3e8b8df3295d68f05ec208eac29a4b5df08d64e71a13

Download Submit
C:\Windows\{2A833AE9-1919-4491-AD24-EB0E4A47CFCC}.exe

Filesize
192KB

MD5
eb1d08b896780d25affcce69af6b3016

SHA1
7a1f92b25e1845bdaad3f8671a5894bb5dda175c

SHA256
7ff2d24d08a00bd7adb2834f7e6e11504b71879a5198bb6038d635990a00adfb

SHA512
8bc43f834792209a64ab56f9c38aa85a575bf1aa003366f5e2795d48d6442b8b8f4a7c594100040e94bb3e8b8df3295d68f05ec208eac29a4b5df08d64e71a13

Download Submit
C:\Windows\{3A3D9B39-BAE1-411e-9610-2EF554D5ACA4}.exe

Filesize
192KB

MD5
c6529eba84307dca2baf6d7a56fec0e6

SHA1
b35334faf1242dcf843427d58e50e97e7205af35

SHA256
5a7722004e48cf44c3aa2cfa20612b168a84506c4f0849bd78abbe0437fdaefe

SHA512
ed03b998ec07842aa90d5c1337f5d9ead6e4c55faf141d483979cfea9319a6710012fab00d9dceddcd16b44f88c65dcc415ed394f6ad5c3488219525ed708616

Download Submit
C:\Windows\{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe

Filesize
192KB

MD5
07de6a5cdca81fea8ccc3bf69d79fa8d

SHA1
417de1cfa93d46789dc0f621d603618605ca80f0

SHA256
7bb955ddec0a079942b3ea84009eaae466d243345f50d646bc9f94a532bfab0a

SHA512
b8711764ce002ee313b9974be8581d7ef8b1fed68139a09d943967d26675f56373eb8d953b5af1f856ca1f0d9a5a9bccf26cad7050909b34b6857b02ce5cf16a

Download Submit
C:\Windows\{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe

Filesize
192KB

MD5
07de6a5cdca81fea8ccc3bf69d79fa8d

SHA1
417de1cfa93d46789dc0f621d603618605ca80f0

SHA256
7bb955ddec0a079942b3ea84009eaae466d243345f50d646bc9f94a532bfab0a

SHA512
b8711764ce002ee313b9974be8581d7ef8b1fed68139a09d943967d26675f56373eb8d953b5af1f856ca1f0d9a5a9bccf26cad7050909b34b6857b02ce5cf16a

Download Submit
C:\Windows\{4198AD6A-D56F-42ec-9B65-3964D01DC0B0}.exe

Filesize
192KB

MD5
07de6a5cdca81fea8ccc3bf69d79fa8d

SHA1
417de1cfa93d46789dc0f621d603618605ca80f0

SHA256
7bb955ddec0a079942b3ea84009eaae466d243345f50d646bc9f94a532bfab0a

SHA512
b8711764ce002ee313b9974be8581d7ef8b1fed68139a09d943967d26675f56373eb8d953b5af1f856ca1f0d9a5a9bccf26cad7050909b34b6857b02ce5cf16a

Download Submit
C:\Windows\{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe

Filesize
192KB

MD5
5a277f11896f2bf43d5d9c40704d333a

SHA1
f4942aa8d6e77b00bbcaa73d572f2e98c1e9a5c3

SHA256
afeb0a67bdbfc2745ce68747fb8dded8d6ac2ba7d074d389f19bda7ae2108e15

SHA512
9194bd553353b1029b07063bb46329c1467606117a7565a522d4097a2a84b0c6352e1b490cabd5a28775193015284cba62b0e74bcfb3f085d5e28ab065b5b5d8

Download Submit
C:\Windows\{5202522F-9BC6-4d56-9DD4-140E8CB1A82F}.exe

Filesize
192KB

MD5
5a277f11896f2bf43d5d9c40704d333a

SHA1
f4942aa8d6e77b00bbcaa73d572f2e98c1e9a5c3

SHA256
afeb0a67bdbfc2745ce68747fb8dded8d6ac2ba7d074d389f19bda7ae2108e15

SHA512
9194bd553353b1029b07063bb46329c1467606117a7565a522d4097a2a84b0c6352e1b490cabd5a28775193015284cba62b0e74bcfb3f085d5e28ab065b5b5d8

Download Submit
C:\Windows\{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe

Filesize
192KB

MD5
d97ce8245f455ec4877deb98c109cbb9

SHA1
2e31be9e6b31d508fa4a044e784bc00b16c8c621

SHA256
6116a959ffd55ba2ec565c67553ce3d35d0df7d0a60797f815dab1d733e883b9

SHA512
ea7ab6004fdaaa37c0863735cd0e0eb05e73a464716ccb8c371be62a90ff4e071bc91f44fc3a40dfa1382c5807523bf2450a305070ffeaeadcea5168de32d3a8

Download Submit
C:\Windows\{640CE293-72F9-4189-A67A-0C00643B2ADF}.exe

Filesize
192KB

MD5
d97ce8245f455ec4877deb98c109cbb9

SHA1
2e31be9e6b31d508fa4a044e784bc00b16c8c621

SHA256
6116a959ffd55ba2ec565c67553ce3d35d0df7d0a60797f815dab1d733e883b9

SHA512
ea7ab6004fdaaa37c0863735cd0e0eb05e73a464716ccb8c371be62a90ff4e071bc91f44fc3a40dfa1382c5807523bf2450a305070ffeaeadcea5168de32d3a8

Download Submit
C:\Windows\{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe

Filesize
192KB

MD5
f3272e1f299533472a996702b8df3bd3

SHA1
4a7d12b4ddc6d8b1e1142bb1bba61de361343de9

SHA256
e6db128280cc8f14f1139faac62b3a6b999a5f769789f6a05524f222276344e0

SHA512
3e89cf915f62ddec898a281ba663e95b289b93a706aa91b4e311582ab75a2595c203f453d8f4561d237c7c000d28cf24d1e298e5e6fdbcabf1843c65b4c17a0c

Download Submit
C:\Windows\{764835D5-ECE5-4825-8907-E9916B2D8E2D}.exe

Filesize
192KB

MD5
f3272e1f299533472a996702b8df3bd3

SHA1
4a7d12b4ddc6d8b1e1142bb1bba61de361343de9

SHA256
e6db128280cc8f14f1139faac62b3a6b999a5f769789f6a05524f222276344e0

SHA512
3e89cf915f62ddec898a281ba663e95b289b93a706aa91b4e311582ab75a2595c203f453d8f4561d237c7c000d28cf24d1e298e5e6fdbcabf1843c65b4c17a0c

Download Submit
C:\Windows\{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe

Filesize
192KB

MD5
f9f027997b377f9669e08ec5c15b9972

SHA1
1ac2c5e4f98732f1138bddb24c90707451b0db15

SHA256
6e6de0265c89aa69a45dd80e32b8b7779cd9b6cd57b3bd0dcdaed7079f4edabd

SHA512
b80308583f3131a396ef8c34d51250acb186af75c931fbc4b1ad2a4522da9397b483fe5dd69f88b8dcc06484ad1eeaa8d2c9acb7a4100a39bce3ac98d33eb7b3

Download Submit
C:\Windows\{97D493B0-8F54-4f4c-AEF6-C010566BDFF2}.exe

Filesize
192KB

MD5
f9f027997b377f9669e08ec5c15b9972

SHA1
1ac2c5e4f98732f1138bddb24c90707451b0db15

SHA256
6e6de0265c89aa69a45dd80e32b8b7779cd9b6cd57b3bd0dcdaed7079f4edabd

SHA512
b80308583f3131a396ef8c34d51250acb186af75c931fbc4b1ad2a4522da9397b483fe5dd69f88b8dcc06484ad1eeaa8d2c9acb7a4100a39bce3ac98d33eb7b3

Download Submit
C:\Windows\{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe

Filesize
192KB

MD5
6e141aa978cbc5ca9059b3e03458968c

SHA1
f4fed10b834537e5564913fa71da363bd139fe60

SHA256
5c158291a93a95dca9cacab3e4b5333b41f00a0e56e7ca180dad6cbfc5d0fc82

SHA512
715ff2be1cc8957fd694482932434a09bf292b94fef6f652e5a9ed65c1122a8ead9a05f187c9aa904e75f027fa5a77e09e6a182d1130436d056806ce9055636d

Download Submit
C:\Windows\{C9EA99A8-EE60-4229-AE03-F032143CF298}.exe

Filesize
192KB

MD5
6e141aa978cbc5ca9059b3e03458968c

SHA1
f4fed10b834537e5564913fa71da363bd139fe60

SHA256
5c158291a93a95dca9cacab3e4b5333b41f00a0e56e7ca180dad6cbfc5d0fc82

SHA512
715ff2be1cc8957fd694482932434a09bf292b94fef6f652e5a9ed65c1122a8ead9a05f187c9aa904e75f027fa5a77e09e6a182d1130436d056806ce9055636d

Download Submit
C:\Windows\{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe

Filesize
192KB

MD5
b71fcef092eb1fdbaaae518432df06f1

SHA1
2afd88193b18e391616ddb4e3e7ddbcfa3081c75

SHA256
d6af502f1e8dd238e4e698d54d044269c4f5c381e8aa6ba2a42d829ff40a2605

SHA512
578c6dbe7c130c62b47d398dfdc699a2d9c546a93efd51ff65b4f5f4af0d6b355d738693c0abb5d917e47581acda1bb72aeeffbd7723562cfe84846979e23b3a

Download Submit
C:\Windows\{D7E45005-5676-4deb-BAD3-EA86D92729CE}.exe

Filesize
192KB

MD5
b71fcef092eb1fdbaaae518432df06f1

SHA1
2afd88193b18e391616ddb4e3e7ddbcfa3081c75

SHA256
d6af502f1e8dd238e4e698d54d044269c4f5c381e8aa6ba2a42d829ff40a2605

SHA512
578c6dbe7c130c62b47d398dfdc699a2d9c546a93efd51ff65b4f5f4af0d6b355d738693c0abb5d917e47581acda1bb72aeeffbd7723562cfe84846979e23b3a

Download Submit
C:\Windows\{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe

Filesize
192KB

MD5
79125af4201156c4d90eba32660b0665

SHA1
7064e2a75d64185c98011b1b5d486a5b8c152a66

SHA256
8234ab6dbb3465b676d913f48c3a9cab012a96880be6685cce77f7c16a299012

SHA512
4a4410b71e611c4be2a485a30e56ab656f7d09a0e653a7c482dcaf0fc1d929bd6545f0666d30dad8d7ad8dcefbc7edb16c82b2de08d095108cce4de6db3638bd

Download Submit
C:\Windows\{DDB8DD5C-04DA-443b-A966-679C4129775F}.exe

Filesize
192KB

MD5
79125af4201156c4d90eba32660b0665

SHA1
7064e2a75d64185c98011b1b5d486a5b8c152a66

SHA256
8234ab6dbb3465b676d913f48c3a9cab012a96880be6685cce77f7c16a299012

SHA512
4a4410b71e611c4be2a485a30e56ab656f7d09a0e653a7c482dcaf0fc1d929bd6545f0666d30dad8d7ad8dcefbc7edb16c82b2de08d095108cce4de6db3638bd

Download Submit