74f0f72173722f6684ef11909b45104d3070746709f5ba7f5b2254d250a5d458

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/07/2023, 09:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ff10fe234f7d2_JC.exe
Size

372KB
MD5

5ff10fe234f7d25fc465729bb5536413
SHA1

3eaced71a6768428c58ba1c38719c45d22d468c7
SHA256

74f0f72173722f6684ef11909b45104d3070746709f5ba7f5b2254d250a5d458
SHA512

69266bf211ae008bd92c95a56a25ceed82756ec137ce7ff82763d6653c47fad328700efd829dc6ccd71481207391c76e00916dd136159dc4967ce8ea97c27757
SSDEEP

3072:CEGh0oVmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGKl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FECD3AB-3596-4f75-8C33-417F0282AA97}	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}\stubpath = "C:\\Windows\\{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe"	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F58700C2-A395-4c8f-8A9B-0757AC4AED78}	{480651BC-7F07-4c44-8422-F13F7D802900}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A224050-1CA3-4eef-B40B-06B5DCFAFC47}\stubpath = "C:\\Windows\\{8A224050-1CA3-4eef-B40B-06B5DCFAFC47}.exe"	{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A885DAD-2E23-4295-A8BA-EF9FE0685221}\stubpath = "C:\\Windows\\{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe"	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}\stubpath = "C:\\Windows\\{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe"	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{480651BC-7F07-4c44-8422-F13F7D802900}	{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{480651BC-7F07-4c44-8422-F13F7D802900}\stubpath = "C:\\Windows\\{480651BC-7F07-4c44-8422-F13F7D802900}.exe"	{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}	{B32873F4-8251-46d2-AF23-7C5593383454}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A885DAD-2E23-4295-A8BA-EF9FE0685221}	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4FECD3AB-3596-4f75-8C33-417F0282AA97}\stubpath = "C:\\Windows\\{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe"	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}\stubpath = "C:\\Windows\\{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe"	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F58700C2-A395-4c8f-8A9B-0757AC4AED78}\stubpath = "C:\\Windows\\{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe"	{480651BC-7F07-4c44-8422-F13F7D802900}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8A224050-1CA3-4eef-B40B-06B5DCFAFC47}	{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B32873F4-8251-46d2-AF23-7C5593383454}\stubpath = "C:\\Windows\\{B32873F4-8251-46d2-AF23-7C5593383454}.exe"	5ff10fe234f7d2_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}\stubpath = "C:\\Windows\\{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe"	{B32873F4-8251-46d2-AF23-7C5593383454}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}\stubpath = "C:\\Windows\\{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe"	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B32873F4-8251-46d2-AF23-7C5593383454}	5ff10fe234f7d2_JC.exe

Executes dropped EXE 11 IoCs

pid	Process
1988	{B32873F4-8251-46d2-AF23-7C5593383454}.exe
2996	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe
2784	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe
2916	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe
2704	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe
2720	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe
2728	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe
2524	{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe
996	{480651BC-7F07-4c44-8422-F13F7D802900}.exe
1484	{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe
3048	{8A224050-1CA3-4eef-B40B-06B5DCFAFC47}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe	{B32873F4-8251-46d2-AF23-7C5593383454}.exe
File created	C:\Windows\{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe
File created	C:\Windows\{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe
File created	C:\Windows\{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe
File created	C:\Windows\{B32873F4-8251-46d2-AF23-7C5593383454}.exe	5ff10fe234f7d2_JC.exe
File created	C:\Windows\{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe
File created	C:\Windows\{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe
File created	C:\Windows\{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe
File created	C:\Windows\{480651BC-7F07-4c44-8422-F13F7D802900}.exe	{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe
File created	C:\Windows\{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe	{480651BC-7F07-4c44-8422-F13F7D802900}.exe
File created	C:\Windows\{8A224050-1CA3-4eef-B40B-06B5DCFAFC47}.exe	{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2572	5ff10fe234f7d2_JC.exe
Token: SeIncBasePriorityPrivilege	1988	{B32873F4-8251-46d2-AF23-7C5593383454}.exe
Token: SeIncBasePriorityPrivilege	2996	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe
Token: SeIncBasePriorityPrivilege	2784	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe
Token: SeIncBasePriorityPrivilege	2916	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe
Token: SeIncBasePriorityPrivilege	2704	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe
Token: SeIncBasePriorityPrivilege	2720	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe
Token: SeIncBasePriorityPrivilege	2728	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe
Token: SeIncBasePriorityPrivilege	2524	{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe
Token: SeIncBasePriorityPrivilege	996	{480651BC-7F07-4c44-8422-F13F7D802900}.exe
Token: SeIncBasePriorityPrivilege	1484	{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1988	2572	5ff10fe234f7d2_JC.exe	28
PID 2572 wrote to memory of 1988	2572	5ff10fe234f7d2_JC.exe	28
PID 2572 wrote to memory of 1988	2572	5ff10fe234f7d2_JC.exe	28
PID 2572 wrote to memory of 1988	2572	5ff10fe234f7d2_JC.exe	28
PID 2572 wrote to memory of 2528	2572	5ff10fe234f7d2_JC.exe	29
PID 2572 wrote to memory of 2528	2572	5ff10fe234f7d2_JC.exe	29
PID 2572 wrote to memory of 2528	2572	5ff10fe234f7d2_JC.exe	29
PID 2572 wrote to memory of 2528	2572	5ff10fe234f7d2_JC.exe	29
PID 1988 wrote to memory of 2996	1988	{B32873F4-8251-46d2-AF23-7C5593383454}.exe	31
PID 1988 wrote to memory of 2996	1988	{B32873F4-8251-46d2-AF23-7C5593383454}.exe	31
PID 1988 wrote to memory of 2996	1988	{B32873F4-8251-46d2-AF23-7C5593383454}.exe	31
PID 1988 wrote to memory of 2996	1988	{B32873F4-8251-46d2-AF23-7C5593383454}.exe	31
PID 1988 wrote to memory of 2436	1988	{B32873F4-8251-46d2-AF23-7C5593383454}.exe	30
PID 1988 wrote to memory of 2436	1988	{B32873F4-8251-46d2-AF23-7C5593383454}.exe	30
PID 1988 wrote to memory of 2436	1988	{B32873F4-8251-46d2-AF23-7C5593383454}.exe	30
PID 1988 wrote to memory of 2436	1988	{B32873F4-8251-46d2-AF23-7C5593383454}.exe	30
PID 2996 wrote to memory of 2784	2996	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe	34
PID 2996 wrote to memory of 2784	2996	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe	34
PID 2996 wrote to memory of 2784	2996	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe	34
PID 2996 wrote to memory of 2784	2996	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe	34
PID 2996 wrote to memory of 2956	2996	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe	35
PID 2996 wrote to memory of 2956	2996	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe	35
PID 2996 wrote to memory of 2956	2996	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe	35
PID 2996 wrote to memory of 2956	2996	{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe	35
PID 2784 wrote to memory of 2916	2784	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe	37
PID 2784 wrote to memory of 2916	2784	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe	37
PID 2784 wrote to memory of 2916	2784	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe	37
PID 2784 wrote to memory of 2916	2784	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe	37
PID 2784 wrote to memory of 2964	2784	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe	36
PID 2784 wrote to memory of 2964	2784	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe	36
PID 2784 wrote to memory of 2964	2784	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe	36
PID 2784 wrote to memory of 2964	2784	{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe	36
PID 2916 wrote to memory of 2704	2916	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe	39
PID 2916 wrote to memory of 2704	2916	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe	39
PID 2916 wrote to memory of 2704	2916	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe	39
PID 2916 wrote to memory of 2704	2916	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe	39
PID 2916 wrote to memory of 1980	2916	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe	38
PID 2916 wrote to memory of 1980	2916	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe	38
PID 2916 wrote to memory of 1980	2916	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe	38
PID 2916 wrote to memory of 1980	2916	{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe	38
PID 2704 wrote to memory of 2720	2704	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe	41
PID 2704 wrote to memory of 2720	2704	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe	41
PID 2704 wrote to memory of 2720	2704	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe	41
PID 2704 wrote to memory of 2720	2704	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe	41
PID 2704 wrote to memory of 2672	2704	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe	40
PID 2704 wrote to memory of 2672	2704	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe	40
PID 2704 wrote to memory of 2672	2704	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe	40
PID 2704 wrote to memory of 2672	2704	{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe	40
PID 2720 wrote to memory of 2728	2720	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe	43
PID 2720 wrote to memory of 2728	2720	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe	43
PID 2720 wrote to memory of 2728	2720	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe	43
PID 2720 wrote to memory of 2728	2720	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe	43
PID 2720 wrote to memory of 1944	2720	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe	42
PID 2720 wrote to memory of 1944	2720	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe	42
PID 2720 wrote to memory of 1944	2720	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe	42
PID 2720 wrote to memory of 1944	2720	{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe	42
PID 2728 wrote to memory of 2524	2728	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe	45
PID 2728 wrote to memory of 2524	2728	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe	45
PID 2728 wrote to memory of 2524	2728	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe	45
PID 2728 wrote to memory of 2524	2728	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe	45
PID 2728 wrote to memory of 580	2728	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe	44
PID 2728 wrote to memory of 580	2728	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe	44
PID 2728 wrote to memory of 580	2728	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe	44
PID 2728 wrote to memory of 580	2728	{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe	44

C:\Users\Admin\AppData\Local\Temp\5ff10fe234f7d2_JC.exe
"C:\Users\Admin\AppData\Local\Temp\5ff10fe234f7d2_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\{B32873F4-8251-46d2-AF23-7C5593383454}.exe
  C:\Windows\{B32873F4-8251-46d2-AF23-7C5593383454}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1988
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B3287~1.EXE > nul
    3⤵
    PID:2436
- - C:\Windows\{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe
    C:\Windows\{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe
      C:\Windows\{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A885~1.EXE > nul
        5⤵
        
        PID:2964
    - - C:\Windows\{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe
        
        C:\Windows\{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FECD~1.EXE > nul
        6⤵
        
        PID:1980
      - C:\Windows\{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe
        
        C:\Windows\{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76D4E~1.EXE > nul
        7⤵
        
        PID:2672
        
        C:\Windows\{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe
        
        C:\Windows\{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91722~1.EXE > nul
        8⤵
        
        PID:1944
        
        C:\Windows\{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe
        
        C:\Windows\{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BD15~1.EXE > nul
        9⤵
        
        PID:580
        
        C:\Windows\{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe
        
        C:\Windows\{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\{480651BC-7F07-4c44-8422-F13F7D802900}.exe
        
        C:\Windows\{480651BC-7F07-4c44-8422-F13F7D802900}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe
        
        C:\Windows\{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\{8A224050-1CA3-4eef-B40B-06B5DCFAFC47}.exe
        
        C:\Windows\{8A224050-1CA3-4eef-B40B-06B5DCFAFC47}.exe
        12⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5870~1.EXE > nul
        12⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48065~1.EXE > nul
        11⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5029B~1.EXE > nul
        10⤵
        
        PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0EDAA~1.EXE > nul
      4⤵
      PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5FF10F~1.EXE > nul
  2⤵
  PID:2528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe

Filesize
372KB

MD5
9e73489164db0e0a317c26eb08652250

SHA1
920ef049107ee2403e6576d38e271e627226f8a2

SHA256
caa3b00d86645b11d22cd39d2bc40a08819ae2f2db084346e30017804c10bc71

SHA512
bf51c77ce1d8e9bd594d6af9521f05053fd5e8ae326cbba3e73cb5e8a9b72d29a18258066fe841401f9261aee10967c0f20e247af59f9e74965ad1b98d6e9a6b

Download Submit
C:\Windows\{0EDAA9E6-C551-4e84-99C8-6BE0A3282FF0}.exe

Filesize
372KB

MD5
9e73489164db0e0a317c26eb08652250

SHA1
920ef049107ee2403e6576d38e271e627226f8a2

SHA256
caa3b00d86645b11d22cd39d2bc40a08819ae2f2db084346e30017804c10bc71

SHA512
bf51c77ce1d8e9bd594d6af9521f05053fd5e8ae326cbba3e73cb5e8a9b72d29a18258066fe841401f9261aee10967c0f20e247af59f9e74965ad1b98d6e9a6b

Download Submit
C:\Windows\{480651BC-7F07-4c44-8422-F13F7D802900}.exe

Filesize
372KB

MD5
d79fa9706a0613c953bf6e82f1409582

SHA1
b0739a1497e5f805e9c1bf0f89f17ec0a625f980

SHA256
0801332ce15696b08b9b649ffaf4ed65d2e4699713b9a5f374c523b5027c9f25

SHA512
aa138b2624c92c92d2e2f7bf6aa7ed9190eb6b9a4d2818546c36e1f30e47ece340a037f0f3ebcc540f4bc427051637c41b5274d9c1781d7c389037a1eb6155b7

Download Submit
C:\Windows\{480651BC-7F07-4c44-8422-F13F7D802900}.exe

Filesize
372KB

MD5
d79fa9706a0613c953bf6e82f1409582

SHA1
b0739a1497e5f805e9c1bf0f89f17ec0a625f980

SHA256
0801332ce15696b08b9b649ffaf4ed65d2e4699713b9a5f374c523b5027c9f25

SHA512
aa138b2624c92c92d2e2f7bf6aa7ed9190eb6b9a4d2818546c36e1f30e47ece340a037f0f3ebcc540f4bc427051637c41b5274d9c1781d7c389037a1eb6155b7

Download Submit
C:\Windows\{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe

Filesize
372KB

MD5
bd963a35d71326115d69433d5ef47c3d

SHA1
ae4d2b97593da1ab4f2eb93bfef00a4389873cb3

SHA256
de935e0dfa5087c91069782f57fc49962495bb03e8f62220516d2775e2edbd68

SHA512
3f31a5d4101766751a84a1c6f97903d81859f36939bb1c582f75175c94e0d6e8dafeeeea07f86b43b1f288191869399d010794320851f54a4a0d2a5499f353f4

Download Submit
C:\Windows\{4FECD3AB-3596-4f75-8C33-417F0282AA97}.exe

Filesize
372KB

MD5
bd963a35d71326115d69433d5ef47c3d

SHA1
ae4d2b97593da1ab4f2eb93bfef00a4389873cb3

SHA256
de935e0dfa5087c91069782f57fc49962495bb03e8f62220516d2775e2edbd68

SHA512
3f31a5d4101766751a84a1c6f97903d81859f36939bb1c582f75175c94e0d6e8dafeeeea07f86b43b1f288191869399d010794320851f54a4a0d2a5499f353f4

Download Submit
C:\Windows\{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe

Filesize
372KB

MD5
9f5a2080353ee3f072d7e75559203b75

SHA1
4ddb3cba8def0fbbd08031be47509fb4c6329142

SHA256
30d765278666d34cd5eaba912b8e7e417c702b268f71e19bb12491d4f2f3c8f1

SHA512
b1f11131a8edcd325df884a27bd5485d42d3a46a62fd2b87959ca8bbcf1845d1932483026eba437177aa4c2d76b3ae06eb48a0d45d90b2e53822ccf0dc1c7952

Download Submit
C:\Windows\{5029BC57-6E42-407d-B90E-9F6B68EBF4BB}.exe

Filesize
372KB

MD5
9f5a2080353ee3f072d7e75559203b75

SHA1
4ddb3cba8def0fbbd08031be47509fb4c6329142

SHA256
30d765278666d34cd5eaba912b8e7e417c702b268f71e19bb12491d4f2f3c8f1

SHA512
b1f11131a8edcd325df884a27bd5485d42d3a46a62fd2b87959ca8bbcf1845d1932483026eba437177aa4c2d76b3ae06eb48a0d45d90b2e53822ccf0dc1c7952

Download Submit
C:\Windows\{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe

Filesize
372KB

MD5
f3906c119f4bd9af146aae03776ddb26

SHA1
499f4165c0faf128a61b6afa20cb394766ebfa40

SHA256
9aa7bd4b4b779fe9858afb1c44442377f50f87715154e57559c78307619a3813

SHA512
3f81daa84b4c3122e15789849f55aea2748422ca91e70fd3bc64812a010eb2eaeffc46deb1168269164993774352f851b52f5372a3f6a025e5e8c6dfa1139664

Download Submit
C:\Windows\{76D4E9F8-61B5-4220-8D27-4F4D520BFE63}.exe

Filesize
372KB

MD5
f3906c119f4bd9af146aae03776ddb26

SHA1
499f4165c0faf128a61b6afa20cb394766ebfa40

SHA256
9aa7bd4b4b779fe9858afb1c44442377f50f87715154e57559c78307619a3813

SHA512
3f81daa84b4c3122e15789849f55aea2748422ca91e70fd3bc64812a010eb2eaeffc46deb1168269164993774352f851b52f5372a3f6a025e5e8c6dfa1139664

Download Submit
C:\Windows\{8A224050-1CA3-4eef-B40B-06B5DCFAFC47}.exe

Filesize
372KB

MD5
fe85bc0cdd5b39a3c3cbc689981babd1

SHA1
63a9f91f74269c8061b377394b7dc73b4ef39dfc

SHA256
0a5f5beedb90fbc66ae6cae60667abaaf750ca5b99b9a0754c333a8434a0077b

SHA512
90956de0066a81d3a66c7fe636c52509cab158bfa505c41d844063b836c2e7f0f8830019ef0d05ba6c9d334e46ec31d5b738f1e317bbd87bef3530d796937f63

Download Submit
C:\Windows\{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe

Filesize
372KB

MD5
04086847bf3a3681e59af75069338ea2

SHA1
30f7ff45a5f09cf2b19a96f5b8219cd32e00312a

SHA256
ffd0f757215c91d995da0f6f2d6449845ece18ba9543b53212062fd74960ab76

SHA512
d94525f4711382ffb63cc55c9b4012ad1e4257e15476e579c2b083177181ead092f2d17332511c6c1328f28f02180e423b12180e75ec09ce5e96967ff951976e

Download Submit
C:\Windows\{8A885DAD-2E23-4295-A8BA-EF9FE0685221}.exe

Filesize
372KB

MD5
04086847bf3a3681e59af75069338ea2

SHA1
30f7ff45a5f09cf2b19a96f5b8219cd32e00312a

SHA256
ffd0f757215c91d995da0f6f2d6449845ece18ba9543b53212062fd74960ab76

SHA512
d94525f4711382ffb63cc55c9b4012ad1e4257e15476e579c2b083177181ead092f2d17332511c6c1328f28f02180e423b12180e75ec09ce5e96967ff951976e

Download Submit
C:\Windows\{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe

Filesize
372KB

MD5
90ef1a2c91fea0216f188090304da260

SHA1
c2eb5f922c472c04e6b44b94d2d7d7c831a21928

SHA256
15075b6171d150b5182f0b22125efbefc00c3fc8c252fdc4d36b3d8534a7abcd

SHA512
c31fe62304075422e544ec814afc883e2493e3790391efd7fe2c1db3231073bc24ef964ab2f0140d13d0e01d1a496892acc5daf809e88263bfb9caa61e252d08

Download Submit
C:\Windows\{91722FD7-F31A-469e-AF0C-6A2F8D69AC99}.exe

Filesize
372KB

MD5
90ef1a2c91fea0216f188090304da260

SHA1
c2eb5f922c472c04e6b44b94d2d7d7c831a21928

SHA256
15075b6171d150b5182f0b22125efbefc00c3fc8c252fdc4d36b3d8534a7abcd

SHA512
c31fe62304075422e544ec814afc883e2493e3790391efd7fe2c1db3231073bc24ef964ab2f0140d13d0e01d1a496892acc5daf809e88263bfb9caa61e252d08

Download Submit
C:\Windows\{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe

Filesize
372KB

MD5
867566f70b0ac2c275a8ae75b0635029

SHA1
caa76b6597b1c1640235248efdb2656672f63212

SHA256
1beda720a60c90185a4965c5a3a25c182df851f9076cbeba08b3205a0b62d8a6

SHA512
84787cdf8604f364b7c5d7beb60488126c471f0623f18a4b855f57403b9cf0ec363fbd4b6ed6131f741f322ef8e67c046040b4d06c7c981331c1dadffb6aa2be

Download Submit
C:\Windows\{9BD153A2-E643-4a5b-8FC3-3393875BF1D4}.exe

Filesize
372KB

MD5
867566f70b0ac2c275a8ae75b0635029

SHA1
caa76b6597b1c1640235248efdb2656672f63212

SHA256
1beda720a60c90185a4965c5a3a25c182df851f9076cbeba08b3205a0b62d8a6

SHA512
84787cdf8604f364b7c5d7beb60488126c471f0623f18a4b855f57403b9cf0ec363fbd4b6ed6131f741f322ef8e67c046040b4d06c7c981331c1dadffb6aa2be

Download Submit
C:\Windows\{B32873F4-8251-46d2-AF23-7C5593383454}.exe

Filesize
372KB

MD5
d3a7c4654775442ba23392671f33d191

SHA1
18828f5e9e9d52ed458baabcdc91379efa538072

SHA256
0e30c7af97ece8ec8a0d56d31391a1fc85b528deb64911ebc901251b81571d21

SHA512
bb13ce1089473c1e415b0777bf358e8fb71cab897eec9357d19b01c4d63d8acb7e7a0b9dc6ac20f745a4ca68903514df9a981bd8c4d20c6fc466407b3e6332ca

Download Submit
C:\Windows\{B32873F4-8251-46d2-AF23-7C5593383454}.exe

Filesize
372KB

MD5
d3a7c4654775442ba23392671f33d191

SHA1
18828f5e9e9d52ed458baabcdc91379efa538072

SHA256
0e30c7af97ece8ec8a0d56d31391a1fc85b528deb64911ebc901251b81571d21

SHA512
bb13ce1089473c1e415b0777bf358e8fb71cab897eec9357d19b01c4d63d8acb7e7a0b9dc6ac20f745a4ca68903514df9a981bd8c4d20c6fc466407b3e6332ca

Download Submit
C:\Windows\{B32873F4-8251-46d2-AF23-7C5593383454}.exe

Filesize
372KB

MD5
d3a7c4654775442ba23392671f33d191

SHA1
18828f5e9e9d52ed458baabcdc91379efa538072

SHA256
0e30c7af97ece8ec8a0d56d31391a1fc85b528deb64911ebc901251b81571d21

SHA512
bb13ce1089473c1e415b0777bf358e8fb71cab897eec9357d19b01c4d63d8acb7e7a0b9dc6ac20f745a4ca68903514df9a981bd8c4d20c6fc466407b3e6332ca

Download Submit
C:\Windows\{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe

Filesize
372KB

MD5
5a39813e11ded3f36aa186656370f713

SHA1
10f66850b51042c026665548c00ee04439a0683d

SHA256
4cc036bfb05438bc639385fa12131d036739f28716cacb6187e4db99dcc2d376

SHA512
368937335d324ab3e09c7ac517537cea316c25d4332a8f4d0f89d8960030b681270c1ba618892481907ec9746437bcf46a69f6f80accb11a882eda893ee8d89d

Download Submit
C:\Windows\{F58700C2-A395-4c8f-8A9B-0757AC4AED78}.exe

Filesize
372KB

MD5
5a39813e11ded3f36aa186656370f713

SHA1
10f66850b51042c026665548c00ee04439a0683d

SHA256
4cc036bfb05438bc639385fa12131d036739f28716cacb6187e4db99dcc2d376

SHA512
368937335d324ab3e09c7ac517537cea316c25d4332a8f4d0f89d8960030b681270c1ba618892481907ec9746437bcf46a69f6f80accb11a882eda893ee8d89d

Download Submit