256bc9f5436ff17558c6c3561ca8fbdb610eb44dcd22946d993f49eee6f352dc

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-07-2023 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97e9be2006fff1_JC.exe
Size

372KB
MD5

97e9be2006fff19f26a7d6a58489e017
SHA1

bd187de7bff5634be75253fe08f83e038f595a27
SHA256

256bc9f5436ff17558c6c3561ca8fbdb610eb44dcd22946d993f49eee6f352dc
SHA512

34906719b9427e7f1896285273017646074af779828d3085511018da5525b63d7932618d880e3c206437b0e26e3f2a831ed96783f00744f1a77197718e0d72a5
SSDEEP

3072:CEGh0oOmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGhl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5774B52C-412D-4af8-8BBD-7A72396479C7}	{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5774B52C-412D-4af8-8BBD-7A72396479C7}\stubpath = "C:\\Windows\\{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe"	{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF971490-8996-4d0a-9B83-F8E1CAC6515D}	97e9be2006fff1_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF971490-8996-4d0a-9B83-F8E1CAC6515D}\stubpath = "C:\\Windows\\{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe"	97e9be2006fff1_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E729C72-A7B9-44ba-B6B4-59F026493F32}	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1518B96-3E9C-4bc0-9F52-D263D68FD725}	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA338BF8-228C-40ef-8B31-37F2C05FD779}	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}	{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C02893D0-65AE-499a-A185-FE1F2B77A494}\stubpath = "C:\\Windows\\{C02893D0-65AE-499a-A185-FE1F2B77A494}.exe"	{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}\stubpath = "C:\\Windows\\{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe"	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C02893D0-65AE-499a-A185-FE1F2B77A494}	{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}\stubpath = "C:\\Windows\\{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe"	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{930C7A70-E7C5-4c12-A262-27D130A0F24D}	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{930C7A70-E7C5-4c12-A262-27D130A0F24D}\stubpath = "C:\\Windows\\{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe"	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6F9E97B-BAD8-465c-8B8B-574C2D815128}	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6F9E97B-BAD8-465c-8B8B-574C2D815128}\stubpath = "C:\\Windows\\{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe"	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA338BF8-228C-40ef-8B31-37F2C05FD779}\stubpath = "C:\\Windows\\{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe"	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8E729C72-A7B9-44ba-B6B4-59F026493F32}\stubpath = "C:\\Windows\\{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe"	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1518B96-3E9C-4bc0-9F52-D263D68FD725}\stubpath = "C:\\Windows\\{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe"	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}\stubpath = "C:\\Windows\\{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe"	{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1852	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe
540	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe
2944	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe
2308	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe
2916	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe
1644	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe
564	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe
2744	{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe
2356	{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe
2456	{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe
1316	{C02893D0-65AE-499a-A185-FE1F2B77A494}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe
File created	C:\Windows\{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe
File created	C:\Windows\{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe
File created	C:\Windows\{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe
File created	C:\Windows\{C02893D0-65AE-499a-A185-FE1F2B77A494}.exe	{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe
File created	C:\Windows\{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe	{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe
File created	C:\Windows\{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe	97e9be2006fff1_JC.exe
File created	C:\Windows\{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe
File created	C:\Windows\{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe
File created	C:\Windows\{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe
File created	C:\Windows\{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe	{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2684	97e9be2006fff1_JC.exe
Token: SeIncBasePriorityPrivilege	1852	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe
Token: SeIncBasePriorityPrivilege	540	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe
Token: SeIncBasePriorityPrivilege	2944	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe
Token: SeIncBasePriorityPrivilege	2308	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe
Token: SeIncBasePriorityPrivilege	2916	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe
Token: SeIncBasePriorityPrivilege	1644	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe
Token: SeIncBasePriorityPrivilege	564	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe
Token: SeIncBasePriorityPrivilege	2744	{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe
Token: SeIncBasePriorityPrivilege	2356	{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe
Token: SeIncBasePriorityPrivilege	2456	{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1852	2684	97e9be2006fff1_JC.exe	28
PID 2684 wrote to memory of 1852	2684	97e9be2006fff1_JC.exe	28
PID 2684 wrote to memory of 1852	2684	97e9be2006fff1_JC.exe	28
PID 2684 wrote to memory of 1852	2684	97e9be2006fff1_JC.exe	28
PID 2684 wrote to memory of 2656	2684	97e9be2006fff1_JC.exe	29
PID 2684 wrote to memory of 2656	2684	97e9be2006fff1_JC.exe	29
PID 2684 wrote to memory of 2656	2684	97e9be2006fff1_JC.exe	29
PID 2684 wrote to memory of 2656	2684	97e9be2006fff1_JC.exe	29
PID 1852 wrote to memory of 540	1852	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe	32
PID 1852 wrote to memory of 540	1852	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe	32
PID 1852 wrote to memory of 540	1852	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe	32
PID 1852 wrote to memory of 540	1852	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe	32
PID 1852 wrote to memory of 1152	1852	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe	33
PID 1852 wrote to memory of 1152	1852	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe	33
PID 1852 wrote to memory of 1152	1852	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe	33
PID 1852 wrote to memory of 1152	1852	{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe	33
PID 540 wrote to memory of 2944	540	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe	35
PID 540 wrote to memory of 2944	540	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe	35
PID 540 wrote to memory of 2944	540	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe	35
PID 540 wrote to memory of 2944	540	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe	35
PID 540 wrote to memory of 2984	540	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe	34
PID 540 wrote to memory of 2984	540	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe	34
PID 540 wrote to memory of 2984	540	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe	34
PID 540 wrote to memory of 2984	540	{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe	34
PID 2944 wrote to memory of 2308	2944	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe	36
PID 2944 wrote to memory of 2308	2944	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe	36
PID 2944 wrote to memory of 2308	2944	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe	36
PID 2944 wrote to memory of 2308	2944	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe	36
PID 2944 wrote to memory of 2868	2944	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe	37
PID 2944 wrote to memory of 2868	2944	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe	37
PID 2944 wrote to memory of 2868	2944	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe	37
PID 2944 wrote to memory of 2868	2944	{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe	37
PID 2308 wrote to memory of 2916	2308	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe	39
PID 2308 wrote to memory of 2916	2308	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe	39
PID 2308 wrote to memory of 2916	2308	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe	39
PID 2308 wrote to memory of 2916	2308	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe	39
PID 2308 wrote to memory of 2768	2308	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe	38
PID 2308 wrote to memory of 2768	2308	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe	38
PID 2308 wrote to memory of 2768	2308	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe	38
PID 2308 wrote to memory of 2768	2308	{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe	38
PID 2916 wrote to memory of 1644	2916	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe	41
PID 2916 wrote to memory of 1644	2916	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe	41
PID 2916 wrote to memory of 1644	2916	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe	41
PID 2916 wrote to memory of 1644	2916	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe	41
PID 2916 wrote to memory of 2904	2916	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe	40
PID 2916 wrote to memory of 2904	2916	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe	40
PID 2916 wrote to memory of 2904	2916	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe	40
PID 2916 wrote to memory of 2904	2916	{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe	40
PID 1644 wrote to memory of 564	1644	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe	43
PID 1644 wrote to memory of 564	1644	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe	43
PID 1644 wrote to memory of 564	1644	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe	43
PID 1644 wrote to memory of 564	1644	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe	43
PID 1644 wrote to memory of 2848	1644	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe	42
PID 1644 wrote to memory of 2848	1644	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe	42
PID 1644 wrote to memory of 2848	1644	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe	42
PID 1644 wrote to memory of 2848	1644	{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe	42
PID 564 wrote to memory of 2744	564	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe	45
PID 564 wrote to memory of 2744	564	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe	45
PID 564 wrote to memory of 2744	564	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe	45
PID 564 wrote to memory of 2744	564	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe	45
PID 564 wrote to memory of 2788	564	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe	44
PID 564 wrote to memory of 2788	564	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe	44
PID 564 wrote to memory of 2788	564	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe	44
PID 564 wrote to memory of 2788	564	{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe	44

C:\Users\Admin\AppData\Local\Temp\97e9be2006fff1_JC.exe
"C:\Users\Admin\AppData\Local\Temp\97e9be2006fff1_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe
  C:\Windows\{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Windows\{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe
    C:\Windows\{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:540
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{CA338~1.EXE > nul
      4⤵
      PID:2984
  - - C:\Windows\{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe
      C:\Windows\{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe
        
        C:\Windows\{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{930C7~1.EXE > nul
        6⤵
        
        PID:2768
      - C:\Windows\{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe
        
        C:\Windows\{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6F9E~1.EXE > nul
        7⤵
        
        PID:2904
        
        C:\Windows\{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe
        
        C:\Windows\{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E729~1.EXE > nul
        8⤵
        
        PID:2848
        
        C:\Windows\{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe
        
        C:\Windows\{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1518~1.EXE > nul
        9⤵
        
        PID:2788
        
        C:\Windows\{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe
        
        C:\Windows\{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe
        
        C:\Windows\{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5774B~1.EXE > nul
        11⤵
        
        PID:2372
        
        C:\Windows\{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe
        
        C:\Windows\{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\{C02893D0-65AE-499a-A185-FE1F2B77A494}.exe
        
        C:\Windows\{C02893D0-65AE-499a-A185-FE1F2B77A494}.exe
        12⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6773A~1.EXE > nul
        12⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1E97~1.EXE > nul
        10⤵
        
        PID:1484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0F25~1.EXE > nul
        5⤵
        
        PID:2868
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DF971~1.EXE > nul
    3⤵
    PID:1152
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\97E9BE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe

Filesize
372KB

MD5
3283656344ae9998faf5b4389490b76c

SHA1
b7fe9eba9dd03a74e0b725bba2d3cf05c3cf8172

SHA256
3509ab054e9fd889800fa6032bcd7416dadee3b865f14a57a1b2b586c7d4032e

SHA512
9f76470bd3b585abbe9f8e03db257d4597ca1fc842538a8741559280ac3575fae3aa46c1e8cf43856c31aa9dd389ec2a4b71d94c760935b11c266c9c761d469d

Download Submit
C:\Windows\{5774B52C-412D-4af8-8BBD-7A72396479C7}.exe

Filesize
372KB

MD5
3283656344ae9998faf5b4389490b76c

SHA1
b7fe9eba9dd03a74e0b725bba2d3cf05c3cf8172

SHA256
3509ab054e9fd889800fa6032bcd7416dadee3b865f14a57a1b2b586c7d4032e

SHA512
9f76470bd3b585abbe9f8e03db257d4597ca1fc842538a8741559280ac3575fae3aa46c1e8cf43856c31aa9dd389ec2a4b71d94c760935b11c266c9c761d469d

Download Submit
C:\Windows\{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe

Filesize
372KB

MD5
e97dac86120348aaf18ee08d156311df

SHA1
49a336ec1e1c099425dbd08b536cff51d40b7cc2

SHA256
c51a34f949ced788ac7cc79318bfdaf8fb806f6455e20b5c352db4f8a8398552

SHA512
09e90acbde347456857c533fe50591c514cfb8cf6f37600de3b53588f982085b393a08f660e1ea3649ef3d43f5aaf48e3b4f2788a3216b9367cfecd142f236c5

Download Submit
C:\Windows\{6773A8C6-1513-4b6e-BFF2-C19BDCB6F395}.exe

Filesize
372KB

MD5
e97dac86120348aaf18ee08d156311df

SHA1
49a336ec1e1c099425dbd08b536cff51d40b7cc2

SHA256
c51a34f949ced788ac7cc79318bfdaf8fb806f6455e20b5c352db4f8a8398552

SHA512
09e90acbde347456857c533fe50591c514cfb8cf6f37600de3b53588f982085b393a08f660e1ea3649ef3d43f5aaf48e3b4f2788a3216b9367cfecd142f236c5

Download Submit
C:\Windows\{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe

Filesize
372KB

MD5
66ba97d859f9d4bfacf99ed63cc70ecd

SHA1
a94870e5daca7046740cc1c640497f334fbd483c

SHA256
f1117a38988906a5044f0a9efb25e195a12b753310e238e54868063c333511f2

SHA512
15c7b9fd094e1757f52db700a1ea5d3af81f0aac0b6f17efdecba95e77410bda641c7e60f1b8286439710c5d7f8ffba51a594ecec7ee3f899e55a76ddbf07dfd

Download Submit
C:\Windows\{8E729C72-A7B9-44ba-B6B4-59F026493F32}.exe

Filesize
372KB

MD5
66ba97d859f9d4bfacf99ed63cc70ecd

SHA1
a94870e5daca7046740cc1c640497f334fbd483c

SHA256
f1117a38988906a5044f0a9efb25e195a12b753310e238e54868063c333511f2

SHA512
15c7b9fd094e1757f52db700a1ea5d3af81f0aac0b6f17efdecba95e77410bda641c7e60f1b8286439710c5d7f8ffba51a594ecec7ee3f899e55a76ddbf07dfd

Download Submit
C:\Windows\{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe

Filesize
372KB

MD5
f2c8a0ab56c45fbbbcbe25e26aea1dee

SHA1
732ccb269280458bff7c5148c8d13c47e52f69e2

SHA256
78d3aa5fac6c6b66d95475f0965175f7fba7b582aba7ea88b9a2a0b8b571773c

SHA512
26ab569d768f87bab994609d14874f0c4ba1628d1357069c8c0a91d847b0cdc7334b52567b299083ed488d1807afb7dc2b76f15649d0961222a2f9b98e358a9b

Download Submit
C:\Windows\{930C7A70-E7C5-4c12-A262-27D130A0F24D}.exe

Filesize
372KB

MD5
f2c8a0ab56c45fbbbcbe25e26aea1dee

SHA1
732ccb269280458bff7c5148c8d13c47e52f69e2

SHA256
78d3aa5fac6c6b66d95475f0965175f7fba7b582aba7ea88b9a2a0b8b571773c

SHA512
26ab569d768f87bab994609d14874f0c4ba1628d1357069c8c0a91d847b0cdc7334b52567b299083ed488d1807afb7dc2b76f15649d0961222a2f9b98e358a9b

Download Submit
C:\Windows\{C02893D0-65AE-499a-A185-FE1F2B77A494}.exe

Filesize
372KB

MD5
6f836af5ff743d5479b9b5aba293f180

SHA1
89f691a7d091c59654742e685690b38a82c215ee

SHA256
4bd86342d62c8eff4ce1a7e1a44db9c10492ee596b11236688047598a830026d

SHA512
efa4dced4e1765d2e12107d9a48088d696ca1f0b00cbae8ccab65b859d7c8878630f4e67c37c9bc525f75ffd40f6b073bd0bb2e96361474f60cf8a852f280e0b

Download Submit
C:\Windows\{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe

Filesize
372KB

MD5
b3d1dc5e6345dfa4ee385b1e27380419

SHA1
9ab0682a0df40ca15aa130720b5f765d576b6b1a

SHA256
13513097b943f4a8d4a86469fa70f77f38d114c81765fe7b22e091973a01ee59

SHA512
8484370bad8fe9bff9fbf31d2e42da12bd69a5d5d8a0026ddee77e8abaa0bf12af390a4186373e6bc7bfe150f92f9a9a4ec392861b900b749502bb255ec4e78b

Download Submit
C:\Windows\{C1518B96-3E9C-4bc0-9F52-D263D68FD725}.exe

Filesize
372KB

MD5
b3d1dc5e6345dfa4ee385b1e27380419

SHA1
9ab0682a0df40ca15aa130720b5f765d576b6b1a

SHA256
13513097b943f4a8d4a86469fa70f77f38d114c81765fe7b22e091973a01ee59

SHA512
8484370bad8fe9bff9fbf31d2e42da12bd69a5d5d8a0026ddee77e8abaa0bf12af390a4186373e6bc7bfe150f92f9a9a4ec392861b900b749502bb255ec4e78b

Download Submit
C:\Windows\{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe

Filesize
372KB

MD5
d9e8824b94acd6bbd2f7a325dde125d1

SHA1
9344a1bd4afec36a5f3b925d04b34d44db0cd5f9

SHA256
a48803fc3f04f91921d1d97b47e41f7b0ec196a7ae0273558a6d7baa1af46e24

SHA512
7fb68fda66b7ae4ed73455525bf748e1ba72a02b526e1413c5191127cc44ef470fc4ccecd2c6f10a22d1ac597c481e84c224154a51d59d49db4b9a60b24b5ee6

Download Submit
C:\Windows\{CA338BF8-228C-40ef-8B31-37F2C05FD779}.exe

Filesize
372KB

MD5
d9e8824b94acd6bbd2f7a325dde125d1

SHA1
9344a1bd4afec36a5f3b925d04b34d44db0cd5f9

SHA256
a48803fc3f04f91921d1d97b47e41f7b0ec196a7ae0273558a6d7baa1af46e24

SHA512
7fb68fda66b7ae4ed73455525bf748e1ba72a02b526e1413c5191127cc44ef470fc4ccecd2c6f10a22d1ac597c481e84c224154a51d59d49db4b9a60b24b5ee6

Download Submit
C:\Windows\{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe

Filesize
372KB

MD5
f1ee80c73fb222977c707af6ee5817d6

SHA1
728c35a34cd8953a36b01c11d899d24e57c17417

SHA256
8e6b375639c0c5fbefe18e48bcf0d931f2b0b89651c48d3f6bcedf819730cd9a

SHA512
0c1f30101c9d38eb5150ef922242e8b34b9a29d56723281ce18f7e39d4bf73fbde1895d4ef7fc2ba0097e4ee9b10fd168a86306ad6dbf988db3e2f54a2e13a6c

Download Submit
C:\Windows\{D1E97B3F-71F8-43e4-9F8D-B6FD76BE1A23}.exe

Filesize
372KB

MD5
f1ee80c73fb222977c707af6ee5817d6

SHA1
728c35a34cd8953a36b01c11d899d24e57c17417

SHA256
8e6b375639c0c5fbefe18e48bcf0d931f2b0b89651c48d3f6bcedf819730cd9a

SHA512
0c1f30101c9d38eb5150ef922242e8b34b9a29d56723281ce18f7e39d4bf73fbde1895d4ef7fc2ba0097e4ee9b10fd168a86306ad6dbf988db3e2f54a2e13a6c

Download Submit
C:\Windows\{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe

Filesize
372KB

MD5
d1283256f1c4ead003caef5016a589ed

SHA1
0be3f1b4d724d776952f86ef1781d41e2f10bd18

SHA256
52cd6ac66fb890a31c993e0df1e935be79f6afa505ac71d6b511303326798022

SHA512
90c64e2f55ebf90287be68ae618d89751390aa4d34420ae21f582463165c3bdb1cbf64e548bbe011faccf14839c59e7fd67b876b4ebf647bcf73e65f4ccb448c

Download Submit
C:\Windows\{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe

Filesize
372KB

MD5
d1283256f1c4ead003caef5016a589ed

SHA1
0be3f1b4d724d776952f86ef1781d41e2f10bd18

SHA256
52cd6ac66fb890a31c993e0df1e935be79f6afa505ac71d6b511303326798022

SHA512
90c64e2f55ebf90287be68ae618d89751390aa4d34420ae21f582463165c3bdb1cbf64e548bbe011faccf14839c59e7fd67b876b4ebf647bcf73e65f4ccb448c

Download Submit
C:\Windows\{DF971490-8996-4d0a-9B83-F8E1CAC6515D}.exe

Filesize
372KB

MD5
d1283256f1c4ead003caef5016a589ed

SHA1
0be3f1b4d724d776952f86ef1781d41e2f10bd18

SHA256
52cd6ac66fb890a31c993e0df1e935be79f6afa505ac71d6b511303326798022

SHA512
90c64e2f55ebf90287be68ae618d89751390aa4d34420ae21f582463165c3bdb1cbf64e548bbe011faccf14839c59e7fd67b876b4ebf647bcf73e65f4ccb448c

Download Submit
C:\Windows\{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe

Filesize
372KB

MD5
b78054fd6dec07a0be683ead980b3514

SHA1
69b993a53f8edd1c76ba88207514945d4ca555ea

SHA256
38838ff59e28e3b4598aedbb0b48b9bd2ad37d5bf300b899bb7f6a94dce1a863

SHA512
fb8c4ecb986643745221001a40f192da22f5d7e972acdd0254ce09cfb9eab0124222dfd391a1468c9f60dda56b5080c1cd6572f8ac791f59d7e4dc68933c0a04

Download Submit
C:\Windows\{E6F9E97B-BAD8-465c-8B8B-574C2D815128}.exe

Filesize
372KB

MD5
b78054fd6dec07a0be683ead980b3514

SHA1
69b993a53f8edd1c76ba88207514945d4ca555ea

SHA256
38838ff59e28e3b4598aedbb0b48b9bd2ad37d5bf300b899bb7f6a94dce1a863

SHA512
fb8c4ecb986643745221001a40f192da22f5d7e972acdd0254ce09cfb9eab0124222dfd391a1468c9f60dda56b5080c1cd6572f8ac791f59d7e4dc68933c0a04

Download Submit
C:\Windows\{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe

Filesize
372KB

MD5
90fe533f15b5f15c4c433a422e9e6a2f

SHA1
4212e9aaa729ebea7eec5e2ff789a18a5c4e73c8

SHA256
a901acbfe17ceb40f5e82b63ca2c2e77c3429d79ad95e2bc8a718c362bb30198

SHA512
8a93d0a71ba95a0ed1938838818b901c2e34ad811ac680f8535ff8ed3a04986ab462bc37fe85c6e5c3fee7574430a8b2810ebfcc698bb6c6e06a30c56d558e8e

Download Submit
C:\Windows\{F0F25F59-8F79-4ba5-B1F9-55894AACA6CD}.exe

Filesize
372KB

MD5
90fe533f15b5f15c4c433a422e9e6a2f

SHA1
4212e9aaa729ebea7eec5e2ff789a18a5c4e73c8

SHA256
a901acbfe17ceb40f5e82b63ca2c2e77c3429d79ad95e2bc8a718c362bb30198

SHA512
8a93d0a71ba95a0ed1938838818b901c2e34ad811ac680f8535ff8ed3a04986ab462bc37fe85c6e5c3fee7574430a8b2810ebfcc698bb6c6e06a30c56d558e8e

Download Submit