937ec0724b990640c54dbf62129aaca4ca37eac1a222ea35bf76f808eec5c6e8

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/07/2023, 17:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7f89b53e35257d_JC.exe
Size

168KB
MD5

7f89b53e35257d21f4ef7cac5a9f6d18
SHA1

129499d78cf3dc08f9488d24cd3dac5068cdc30a
SHA256

937ec0724b990640c54dbf62129aaca4ca37eac1a222ea35bf76f808eec5c6e8
SHA512

565c00a05498d651fef1412a2fca7a8ce7a2812527d95e1ed1f8ee9095660c602c852e29be6995c0984efcb8601ca02516f96a80ab53d9f6583f888ec4dfa382
SSDEEP

1536:1EGh0oplq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oplqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}	{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}\stubpath = "C:\\Windows\\{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe"	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54FD2A47-65A8-49af-BD6F-668CD647ACD6}	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{54FD2A47-65A8-49af-BD6F-668CD647ACD6}\stubpath = "C:\\Windows\\{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe"	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AD52312-6771-4cdb-BA83-4185977DAD89}	{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}\stubpath = "C:\\Windows\\{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe"	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}\stubpath = "C:\\Windows\\{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe"	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}\stubpath = "C:\\Windows\\{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe"	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3AAB8ED-985E-40a8-A59A-4471E540EC51}	7f89b53e35257d_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D3AAB8ED-985E-40a8-A59A-4471E540EC51}\stubpath = "C:\\Windows\\{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe"	7f89b53e35257d_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}\stubpath = "C:\\Windows\\{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe"	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}\stubpath = "C:\\Windows\\{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe"	{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFD48E45-66A4-469c-B846-3B27531F9A81}\stubpath = "C:\\Windows\\{CFD48E45-66A4-469c-B846-3B27531F9A81}.exe"	{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}\stubpath = "C:\\Windows\\{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe"	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9AD52312-6771-4cdb-BA83-4185977DAD89}\stubpath = "C:\\Windows\\{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe"	{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFD48E45-66A4-469c-B846-3B27531F9A81}	{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2056	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe
2948	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe
2720	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe
2700	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe
2820	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe
2148	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe
1388	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe
1624	{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe
2768	{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe
840	{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe
684	{CFD48E45-66A4-469c-B846-3B27531F9A81}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe
File created	C:\Windows\{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe
File created	C:\Windows\{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe
File created	C:\Windows\{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe	{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe
File created	C:\Windows\{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe	{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe
File created	C:\Windows\{CFD48E45-66A4-469c-B846-3B27531F9A81}.exe	{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe
File created	C:\Windows\{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe
File created	C:\Windows\{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe
File created	C:\Windows\{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe
File created	C:\Windows\{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe	7f89b53e35257d_JC.exe
File created	C:\Windows\{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2644	7f89b53e35257d_JC.exe
Token: SeIncBasePriorityPrivilege	2056	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe
Token: SeIncBasePriorityPrivilege	2948	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe
Token: SeIncBasePriorityPrivilege	2720	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe
Token: SeIncBasePriorityPrivilege	2700	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe
Token: SeIncBasePriorityPrivilege	2820	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe
Token: SeIncBasePriorityPrivilege	2148	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe
Token: SeIncBasePriorityPrivilege	1388	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe
Token: SeIncBasePriorityPrivilege	1624	{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe
Token: SeIncBasePriorityPrivilege	2768	{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe
Token: SeIncBasePriorityPrivilege	840	{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2056	2644	7f89b53e35257d_JC.exe	28
PID 2644 wrote to memory of 2056	2644	7f89b53e35257d_JC.exe	28
PID 2644 wrote to memory of 2056	2644	7f89b53e35257d_JC.exe	28
PID 2644 wrote to memory of 2056	2644	7f89b53e35257d_JC.exe	28
PID 2644 wrote to memory of 2572	2644	7f89b53e35257d_JC.exe	29
PID 2644 wrote to memory of 2572	2644	7f89b53e35257d_JC.exe	29
PID 2644 wrote to memory of 2572	2644	7f89b53e35257d_JC.exe	29
PID 2644 wrote to memory of 2572	2644	7f89b53e35257d_JC.exe	29
PID 2056 wrote to memory of 2948	2056	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe	30
PID 2056 wrote to memory of 2948	2056	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe	30
PID 2056 wrote to memory of 2948	2056	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe	30
PID 2056 wrote to memory of 2948	2056	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe	30
PID 2056 wrote to memory of 2856	2056	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe	31
PID 2056 wrote to memory of 2856	2056	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe	31
PID 2056 wrote to memory of 2856	2056	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe	31
PID 2056 wrote to memory of 2856	2056	{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe	31
PID 2948 wrote to memory of 2720	2948	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe	34
PID 2948 wrote to memory of 2720	2948	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe	34
PID 2948 wrote to memory of 2720	2948	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe	34
PID 2948 wrote to memory of 2720	2948	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe	34
PID 2948 wrote to memory of 2752	2948	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe	35
PID 2948 wrote to memory of 2752	2948	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe	35
PID 2948 wrote to memory of 2752	2948	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe	35
PID 2948 wrote to memory of 2752	2948	{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe	35
PID 2720 wrote to memory of 2700	2720	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe	36
PID 2720 wrote to memory of 2700	2720	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe	36
PID 2720 wrote to memory of 2700	2720	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe	36
PID 2720 wrote to memory of 2700	2720	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe	36
PID 2720 wrote to memory of 2756	2720	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe	37
PID 2720 wrote to memory of 2756	2720	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe	37
PID 2720 wrote to memory of 2756	2720	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe	37
PID 2720 wrote to memory of 2756	2720	{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe	37
PID 2700 wrote to memory of 2820	2700	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe	38
PID 2700 wrote to memory of 2820	2700	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe	38
PID 2700 wrote to memory of 2820	2700	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe	38
PID 2700 wrote to memory of 2820	2700	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe	38
PID 2700 wrote to memory of 2748	2700	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe	39
PID 2700 wrote to memory of 2748	2700	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe	39
PID 2700 wrote to memory of 2748	2700	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe	39
PID 2700 wrote to memory of 2748	2700	{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe	39
PID 2820 wrote to memory of 2148	2820	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe	40
PID 2820 wrote to memory of 2148	2820	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe	40
PID 2820 wrote to memory of 2148	2820	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe	40
PID 2820 wrote to memory of 2148	2820	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe	40
PID 2820 wrote to memory of 476	2820	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe	41
PID 2820 wrote to memory of 476	2820	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe	41
PID 2820 wrote to memory of 476	2820	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe	41
PID 2820 wrote to memory of 476	2820	{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe	41
PID 2148 wrote to memory of 1388	2148	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe	42
PID 2148 wrote to memory of 1388	2148	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe	42
PID 2148 wrote to memory of 1388	2148	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe	42
PID 2148 wrote to memory of 1388	2148	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe	42
PID 2148 wrote to memory of 1720	2148	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe	43
PID 2148 wrote to memory of 1720	2148	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe	43
PID 2148 wrote to memory of 1720	2148	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe	43
PID 2148 wrote to memory of 1720	2148	{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe	43
PID 1388 wrote to memory of 1624	1388	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe	44
PID 1388 wrote to memory of 1624	1388	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe	44
PID 1388 wrote to memory of 1624	1388	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe	44
PID 1388 wrote to memory of 1624	1388	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe	44
PID 1388 wrote to memory of 532	1388	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe	45
PID 1388 wrote to memory of 532	1388	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe	45
PID 1388 wrote to memory of 532	1388	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe	45
PID 1388 wrote to memory of 532	1388	{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe	45

C:\Users\Admin\AppData\Local\Temp\7f89b53e35257d_JC.exe
"C:\Users\Admin\AppData\Local\Temp\7f89b53e35257d_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe
  C:\Windows\{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe
    C:\Windows\{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe
      C:\Windows\{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe
        
        C:\Windows\{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2700
      - C:\Windows\{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe
        
        C:\Windows\{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2820
        
        C:\Windows\{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe
        
        C:\Windows\{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe
        
        C:\Windows\{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe
        
        C:\Windows\{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe
        
        C:\Windows\{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe
        
        C:\Windows\{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\{CFD48E45-66A4-469c-B846-3B27531F9A81}.exe
        
        C:\Windows\{CFD48E45-66A4-469c-B846-3B27531F9A81}.exe
        12⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7FB4D~1.EXE > nul
        12⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD52~1.EXE > nul
        11⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B8A3C~1.EXE > nul
        10⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C50BA~1.EXE > nul
        9⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{54FD2~1.EXE > nul
        8⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FCD9~1.EXE > nul
        7⤵
        
        PID:476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA2CD~1.EXE > nul
        6⤵
        
        PID:2748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9CA8~1.EXE > nul
        5⤵
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5BE4D~1.EXE > nul
      4⤵
      PID:2752
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3AAB~1.EXE > nul
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7F89B5~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe

Filesize
168KB

MD5
ff93cf838a4a08dd4de071a74603e1ac

SHA1
1f790ed9636985ec9e800c2afd6d9679b1ff8237

SHA256
9f20c1dfbe6c261f96c2e17f9fac33c28f7b7ffca1aff1f3d4dd7f1d66d88fca

SHA512
a4dfa5e6cdd791a52827402639361d03c8ecb8e81df84558256597a4d0780d4f9ba00f7d2eb9e45d94ca5fba9927c631f5598f553b5e2038376e40347b7751ae

Download Submit
C:\Windows\{54FD2A47-65A8-49af-BD6F-668CD647ACD6}.exe

Filesize
168KB

MD5
ff93cf838a4a08dd4de071a74603e1ac

SHA1
1f790ed9636985ec9e800c2afd6d9679b1ff8237

SHA256
9f20c1dfbe6c261f96c2e17f9fac33c28f7b7ffca1aff1f3d4dd7f1d66d88fca

SHA512
a4dfa5e6cdd791a52827402639361d03c8ecb8e81df84558256597a4d0780d4f9ba00f7d2eb9e45d94ca5fba9927c631f5598f553b5e2038376e40347b7751ae

Download Submit
C:\Windows\{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe

Filesize
168KB

MD5
a61c6ec62bf4b8928d691e91bcb4d887

SHA1
6c074fb1abfc71939f4537364976db80c5f54c88

SHA256
fb54fc6e3f44fb94e8e85ffd4d682b1338d7084d9f33eb96d86aff2c45860701

SHA512
ab8c5abae36c32d6afb34ee1bab28f57778b1bcd602eb07a71d6310f565d1af9b7b01975eef42da43dde2fcf7d52746c5747a3ced3265ceaf2b55a862bfeea1f

Download Submit
C:\Windows\{5BE4D93A-03F5-4d68-A0D2-67E6FE2A7A3C}.exe

Filesize
168KB

MD5
a61c6ec62bf4b8928d691e91bcb4d887

SHA1
6c074fb1abfc71939f4537364976db80c5f54c88

SHA256
fb54fc6e3f44fb94e8e85ffd4d682b1338d7084d9f33eb96d86aff2c45860701

SHA512
ab8c5abae36c32d6afb34ee1bab28f57778b1bcd602eb07a71d6310f565d1af9b7b01975eef42da43dde2fcf7d52746c5747a3ced3265ceaf2b55a862bfeea1f

Download Submit
C:\Windows\{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe

Filesize
168KB

MD5
8d3dcc614da3a7c7e45d44cbad1ca85f

SHA1
869e92dbdc6968827e36abc620c1ac6fe43264e2

SHA256
f06c1a440ee43612caba698f1ba6c99bed59f4f406bc908e920e68f4a5e158b9

SHA512
b94b2c8fff2b706bd3b9bf270cc78fd57b091f7eaffdd0989c4a83f98414748c6c35f40d35a305e095f6450dd44bd0af57506114c29321097bce3533be4dd1fc

Download Submit
C:\Windows\{7FB4D692-C1B7-45fc-A6F8-C8D68E48BEAB}.exe

Filesize
168KB

MD5
8d3dcc614da3a7c7e45d44cbad1ca85f

SHA1
869e92dbdc6968827e36abc620c1ac6fe43264e2

SHA256
f06c1a440ee43612caba698f1ba6c99bed59f4f406bc908e920e68f4a5e158b9

SHA512
b94b2c8fff2b706bd3b9bf270cc78fd57b091f7eaffdd0989c4a83f98414748c6c35f40d35a305e095f6450dd44bd0af57506114c29321097bce3533be4dd1fc

Download Submit
C:\Windows\{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe

Filesize
168KB

MD5
fb66e8fd7fcbd349417f8c6afcf3493f

SHA1
01e0d5854acf54322e904fc6f2df5ce28924e2d3

SHA256
bc346c9f9b807047820dc15bfe71ab0b3f9781ff01c82769e0e3716528cbc716

SHA512
ac388cb4163cdc70293ec1ad47c87dcba60997a3404131796a685590fc1e28b252f6c8d1f470d80e90f01457a142a558f94f54b39a7cbec72952da15543f9018

Download Submit
C:\Windows\{8FCD9488-4B4B-4fdc-BD3E-6C151CC36B98}.exe

Filesize
168KB

MD5
fb66e8fd7fcbd349417f8c6afcf3493f

SHA1
01e0d5854acf54322e904fc6f2df5ce28924e2d3

SHA256
bc346c9f9b807047820dc15bfe71ab0b3f9781ff01c82769e0e3716528cbc716

SHA512
ac388cb4163cdc70293ec1ad47c87dcba60997a3404131796a685590fc1e28b252f6c8d1f470d80e90f01457a142a558f94f54b39a7cbec72952da15543f9018

Download Submit
C:\Windows\{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe

Filesize
168KB

MD5
58aba3398c73a66dbed6caeaf433fb63

SHA1
d5426ec59ba2a846045cb90d6b68ad973f52f277

SHA256
9d7c9ec2a1d11351cda3b0d3bd6574192ec42fcff58cd013e1047028abb75708

SHA512
3ee46dc15f910eb7903a4b83c44e4c7af6b591f79aaf307bde9ee02724fb6f218d8d1d1e7efc1cefe90c6ead98c08368263c8229edd224d81f965ad0b088d482

Download Submit
C:\Windows\{9AD52312-6771-4cdb-BA83-4185977DAD89}.exe

Filesize
168KB

MD5
58aba3398c73a66dbed6caeaf433fb63

SHA1
d5426ec59ba2a846045cb90d6b68ad973f52f277

SHA256
9d7c9ec2a1d11351cda3b0d3bd6574192ec42fcff58cd013e1047028abb75708

SHA512
3ee46dc15f910eb7903a4b83c44e4c7af6b591f79aaf307bde9ee02724fb6f218d8d1d1e7efc1cefe90c6ead98c08368263c8229edd224d81f965ad0b088d482

Download Submit
C:\Windows\{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe

Filesize
168KB

MD5
28fe92d7d9b8d27a3d671697f3447e9c

SHA1
4dd7fd32759c5d617371f955d9371d0e8dcbe9fd

SHA256
cb41c91cfe91a7fb44b33b0c85f648bd38a7d2daa6402dc7724ca0443052454a

SHA512
ca2d6856f6715061abec6c0fe25a0e19938e9dbc48273ddb6d95938e9d176cd86bd8536076ee66ac8de88ee381467287319d89b11af37641f1f0547a71dafc99

Download Submit
C:\Windows\{B8A3C1C3-676E-4eb2-A905-4D966C68C5D7}.exe

Filesize
168KB

MD5
28fe92d7d9b8d27a3d671697f3447e9c

SHA1
4dd7fd32759c5d617371f955d9371d0e8dcbe9fd

SHA256
cb41c91cfe91a7fb44b33b0c85f648bd38a7d2daa6402dc7724ca0443052454a

SHA512
ca2d6856f6715061abec6c0fe25a0e19938e9dbc48273ddb6d95938e9d176cd86bd8536076ee66ac8de88ee381467287319d89b11af37641f1f0547a71dafc99

Download Submit
C:\Windows\{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe

Filesize
168KB

MD5
323ecc4d83b6d0e1c921e28b047971a3

SHA1
e4cc15e0a04e172d6a27d05dce2dfc9c7c639065

SHA256
b4d3858f63182d17ed9f3d62724aab0ff8c89470d40f329d54db9441b39a4ba6

SHA512
b018d24d3eadde5f79a41b447931070cadc7ff5dba6befb715c115328fb6604c3dcc5e0d7808b6a216201d4c0cb5e2417cc292d77e9905a3ce9e6a4f3d54ecc5

Download Submit
C:\Windows\{B9CA8A32-A0C3-4d52-8FA6-65203201C2C0}.exe

Filesize
168KB

MD5
323ecc4d83b6d0e1c921e28b047971a3

SHA1
e4cc15e0a04e172d6a27d05dce2dfc9c7c639065

SHA256
b4d3858f63182d17ed9f3d62724aab0ff8c89470d40f329d54db9441b39a4ba6

SHA512
b018d24d3eadde5f79a41b447931070cadc7ff5dba6befb715c115328fb6604c3dcc5e0d7808b6a216201d4c0cb5e2417cc292d77e9905a3ce9e6a4f3d54ecc5

Download Submit
C:\Windows\{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe

Filesize
168KB

MD5
f15245f6bd60fc9d24addc609d99c214

SHA1
1c363b5011e493b5a09a8c9ac0b5fe173abb674d

SHA256
13f554ea830e13b18f3292faa8f3203bb4fd51bb66fe4e9f4b8e23cd9fc954fd

SHA512
290ab527717c37e3ffa25e7bd3bdb59a6b433284efcfef3c975d21c079f907463a90bfbb68249fbab3e3f8057dc6f7794bc16cbf328f9a2d3a242410c3f43f41

Download Submit
C:\Windows\{C50BAEFD-6FB6-4c39-966F-5B49B9170F2D}.exe

Filesize
168KB

MD5
f15245f6bd60fc9d24addc609d99c214

SHA1
1c363b5011e493b5a09a8c9ac0b5fe173abb674d

SHA256
13f554ea830e13b18f3292faa8f3203bb4fd51bb66fe4e9f4b8e23cd9fc954fd

SHA512
290ab527717c37e3ffa25e7bd3bdb59a6b433284efcfef3c975d21c079f907463a90bfbb68249fbab3e3f8057dc6f7794bc16cbf328f9a2d3a242410c3f43f41

Download Submit
C:\Windows\{CFD48E45-66A4-469c-B846-3B27531F9A81}.exe

Filesize
168KB

MD5
68ddfa104989032e41907d7c750aff2f

SHA1
0232f0b3a928c664beb21bca00253d6f81b1284d

SHA256
ff633f788340937ffa2600757e266751f9440522e360ce0b28b63023391263be

SHA512
49a08d05da8185057ef513186ac4e2a36896ac00602136c4e64b7a5fcaa8bcd36e09621792566ed7e53665b69899323b9fcae23af467018bc848efeffd6bd9f7

Download Submit
C:\Windows\{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe

Filesize
168KB

MD5
caf2da9c6dc51c5fab70e962aa9064d8

SHA1
40e225a4b7da3d5b6b3734168aeda0238cbd5418

SHA256
cf18acbc5e480123752b887ad57b76fb95173d51a09529dc7baf35b56a2d7855

SHA512
9fb68d6697dff351efd1a99dffc95103dd15a8ee6457de6c35ed093c3d07e9bd3c5a4432aab1ceadf6a2cd17699cc78288d394e60db6d47c390d188e87c82361

Download Submit
C:\Windows\{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe

Filesize
168KB

MD5
caf2da9c6dc51c5fab70e962aa9064d8

SHA1
40e225a4b7da3d5b6b3734168aeda0238cbd5418

SHA256
cf18acbc5e480123752b887ad57b76fb95173d51a09529dc7baf35b56a2d7855

SHA512
9fb68d6697dff351efd1a99dffc95103dd15a8ee6457de6c35ed093c3d07e9bd3c5a4432aab1ceadf6a2cd17699cc78288d394e60db6d47c390d188e87c82361

Download Submit
C:\Windows\{D3AAB8ED-985E-40a8-A59A-4471E540EC51}.exe

Filesize
168KB

MD5
caf2da9c6dc51c5fab70e962aa9064d8

SHA1
40e225a4b7da3d5b6b3734168aeda0238cbd5418

SHA256
cf18acbc5e480123752b887ad57b76fb95173d51a09529dc7baf35b56a2d7855

SHA512
9fb68d6697dff351efd1a99dffc95103dd15a8ee6457de6c35ed093c3d07e9bd3c5a4432aab1ceadf6a2cd17699cc78288d394e60db6d47c390d188e87c82361

Download Submit
C:\Windows\{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe

Filesize
168KB

MD5
92ec12faeb9f0ad14d6bf97011d8b9c6

SHA1
366c85f344a11839b9044e76ed715815543f7b81

SHA256
0e7a4b2428fe037dab3ab112c3e99163d8c965c9bcd03ee3d7102fb0f5f2487a

SHA512
e63de93e64ce756cfa1a35b6790ea16bcec7bff7c9023e5332f6a9ec2c7da5087bb2926203019cd1f40e6c18e58eae4b229109b497af6c5c7981b52e46acaa0f

Download Submit
C:\Windows\{EA2CDF01-B1E6-4daf-88DF-F9FAB3940B3A}.exe

Filesize
168KB

MD5
92ec12faeb9f0ad14d6bf97011d8b9c6

SHA1
366c85f344a11839b9044e76ed715815543f7b81

SHA256
0e7a4b2428fe037dab3ab112c3e99163d8c965c9bcd03ee3d7102fb0f5f2487a

SHA512
e63de93e64ce756cfa1a35b6790ea16bcec7bff7c9023e5332f6a9ec2c7da5087bb2926203019cd1f40e6c18e58eae4b229109b497af6c5c7981b52e46acaa0f

Download Submit