a1fca69f3cf065f092c1fca278b02abe8b739f2b3896c6fac09be40593c6602d

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 18:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a403536394ec8a_JC.exe
Size

204KB
MD5

a403536394ec8abc46b4f29ac4e425aa
SHA1

2814e4580a3623878935997397bc23aa13981832
SHA256

a1fca69f3cf065f092c1fca278b02abe8b739f2b3896c6fac09be40593c6602d
SHA512

4fdf1a4b8634d6bdddabd31cb11f8d497b0357e81155a07e3bfb854f97b56fb42573de8e6b7a04b23ef9ba381f4fa783794fe79a832fcc70b46806677f023349
SSDEEP

1536:1EGh0oxLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oVl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}	a403536394ec8a_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FB48042-84AD-457f-839E-F124E8DB0E90}	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D438B2C0-FA27-44da-B199-B566FA428871}\stubpath = "C:\\Windows\\{D438B2C0-FA27-44da-B199-B566FA428871}.exe"	{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}\stubpath = "C:\\Windows\\{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe"	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE288A7C-843A-4296-82A2-8F8D86DAE901}	{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE288A7C-843A-4296-82A2-8F8D86DAE901}\stubpath = "C:\\Windows\\{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe"	{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}\stubpath = "C:\\Windows\\{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe"	a403536394ec8a_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{445559AE-3BAE-4aba-927D-A42C53A5885A}	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39988B3E-B081-434e-9FFB-6AEECD660FF6}	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C83FDD0-F61C-4910-936C-59B5E261820A}	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39988B3E-B081-434e-9FFB-6AEECD660FF6}\stubpath = "C:\\Windows\\{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe"	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}\stubpath = "C:\\Windows\\{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe"	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}\stubpath = "C:\\Windows\\{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe"	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C32137-21FE-46bf-8EBD-63C8343913D8}	{D438B2C0-FA27-44da-B199-B566FA428871}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6C32137-21FE-46bf-8EBD-63C8343913D8}\stubpath = "C:\\Windows\\{F6C32137-21FE-46bf-8EBD-63C8343913D8}.exe"	{D438B2C0-FA27-44da-B199-B566FA428871}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{445559AE-3BAE-4aba-927D-A42C53A5885A}\stubpath = "C:\\Windows\\{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe"	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C83FDD0-F61C-4910-936C-59B5E261820A}\stubpath = "C:\\Windows\\{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe"	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FB48042-84AD-457f-839E-F124E8DB0E90}\stubpath = "C:\\Windows\\{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe"	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D438B2C0-FA27-44da-B199-B566FA428871}	{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe

Deletes itself 1 IoCs

pid	Process
2856	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1048	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe
2832	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe
2736	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe
2716	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe
1520	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe
528	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe
1032	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe
1988	{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe
1336	{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe
1940	{D438B2C0-FA27-44da-B199-B566FA428871}.exe
1696	{F6C32137-21FE-46bf-8EBD-63C8343913D8}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe
File created	C:\Windows\{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe	{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe
File created	C:\Windows\{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe
File created	C:\Windows\{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe
File created	C:\Windows\{D438B2C0-FA27-44da-B199-B566FA428871}.exe	{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe
File created	C:\Windows\{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe	a403536394ec8a_JC.exe
File created	C:\Windows\{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe
File created	C:\Windows\{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe
File created	C:\Windows\{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe
File created	C:\Windows\{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe
File created	C:\Windows\{F6C32137-21FE-46bf-8EBD-63C8343913D8}.exe	{D438B2C0-FA27-44da-B199-B566FA428871}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2160	a403536394ec8a_JC.exe
Token: SeIncBasePriorityPrivilege	1048	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe
Token: SeIncBasePriorityPrivilege	2832	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe
Token: SeIncBasePriorityPrivilege	2736	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe
Token: SeIncBasePriorityPrivilege	2716	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe
Token: SeIncBasePriorityPrivilege	1520	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe
Token: SeIncBasePriorityPrivilege	528	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe
Token: SeIncBasePriorityPrivilege	1032	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe
Token: SeIncBasePriorityPrivilege	1988	{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe
Token: SeIncBasePriorityPrivilege	1336	{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe
Token: SeIncBasePriorityPrivilege	1940	{D438B2C0-FA27-44da-B199-B566FA428871}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1048	2160	a403536394ec8a_JC.exe	28
PID 2160 wrote to memory of 1048	2160	a403536394ec8a_JC.exe	28
PID 2160 wrote to memory of 1048	2160	a403536394ec8a_JC.exe	28
PID 2160 wrote to memory of 1048	2160	a403536394ec8a_JC.exe	28
PID 2160 wrote to memory of 2856	2160	a403536394ec8a_JC.exe	29
PID 2160 wrote to memory of 2856	2160	a403536394ec8a_JC.exe	29
PID 2160 wrote to memory of 2856	2160	a403536394ec8a_JC.exe	29
PID 2160 wrote to memory of 2856	2160	a403536394ec8a_JC.exe	29
PID 1048 wrote to memory of 2832	1048	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe	32
PID 1048 wrote to memory of 2832	1048	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe	32
PID 1048 wrote to memory of 2832	1048	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe	32
PID 1048 wrote to memory of 2832	1048	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe	32
PID 1048 wrote to memory of 2748	1048	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe	33
PID 1048 wrote to memory of 2748	1048	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe	33
PID 1048 wrote to memory of 2748	1048	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe	33
PID 1048 wrote to memory of 2748	1048	{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe	33
PID 2832 wrote to memory of 2736	2832	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe	34
PID 2832 wrote to memory of 2736	2832	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe	34
PID 2832 wrote to memory of 2736	2832	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe	34
PID 2832 wrote to memory of 2736	2832	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe	34
PID 2832 wrote to memory of 2768	2832	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe	35
PID 2832 wrote to memory of 2768	2832	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe	35
PID 2832 wrote to memory of 2768	2832	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe	35
PID 2832 wrote to memory of 2768	2832	{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe	35
PID 2736 wrote to memory of 2716	2736	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe	36
PID 2736 wrote to memory of 2716	2736	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe	36
PID 2736 wrote to memory of 2716	2736	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe	36
PID 2736 wrote to memory of 2716	2736	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe	36
PID 2736 wrote to memory of 2756	2736	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe	37
PID 2736 wrote to memory of 2756	2736	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe	37
PID 2736 wrote to memory of 2756	2736	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe	37
PID 2736 wrote to memory of 2756	2736	{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe	37
PID 2716 wrote to memory of 1520	2716	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe	38
PID 2716 wrote to memory of 1520	2716	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe	38
PID 2716 wrote to memory of 1520	2716	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe	38
PID 2716 wrote to memory of 1520	2716	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe	38
PID 2716 wrote to memory of 2772	2716	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe	39
PID 2716 wrote to memory of 2772	2716	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe	39
PID 2716 wrote to memory of 2772	2716	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe	39
PID 2716 wrote to memory of 2772	2716	{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe	39
PID 1520 wrote to memory of 528	1520	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe	40
PID 1520 wrote to memory of 528	1520	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe	40
PID 1520 wrote to memory of 528	1520	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe	40
PID 1520 wrote to memory of 528	1520	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe	40
PID 1520 wrote to memory of 776	1520	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe	41
PID 1520 wrote to memory of 776	1520	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe	41
PID 1520 wrote to memory of 776	1520	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe	41
PID 1520 wrote to memory of 776	1520	{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe	41
PID 528 wrote to memory of 1032	528	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe	42
PID 528 wrote to memory of 1032	528	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe	42
PID 528 wrote to memory of 1032	528	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe	42
PID 528 wrote to memory of 1032	528	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe	42
PID 528 wrote to memory of 928	528	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe	43
PID 528 wrote to memory of 928	528	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe	43
PID 528 wrote to memory of 928	528	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe	43
PID 528 wrote to memory of 928	528	{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe	43
PID 1032 wrote to memory of 1988	1032	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe	44
PID 1032 wrote to memory of 1988	1032	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe	44
PID 1032 wrote to memory of 1988	1032	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe	44
PID 1032 wrote to memory of 1988	1032	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe	44
PID 1032 wrote to memory of 1480	1032	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe	45
PID 1032 wrote to memory of 1480	1032	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe	45
PID 1032 wrote to memory of 1480	1032	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe	45
PID 1032 wrote to memory of 1480	1032	{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe	45

C:\Users\Admin\AppData\Local\Temp\a403536394ec8a_JC.exe
"C:\Users\Admin\AppData\Local\Temp\a403536394ec8a_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe
  C:\Windows\{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1048
- - C:\Windows\{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe
    C:\Windows\{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe
      C:\Windows\{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe
        
        C:\Windows\{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
      - C:\Windows\{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe
        
        C:\Windows\{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe
        
        C:\Windows\{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe
        
        C:\Windows\{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe
        
        C:\Windows\{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe
        
        C:\Windows\{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
        
        C:\Windows\{D438B2C0-FA27-44da-B199-B566FA428871}.exe
        
        C:\Windows\{D438B2C0-FA27-44da-B199-B566FA428871}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\{F6C32137-21FE-46bf-8EBD-63C8343913D8}.exe
        
        C:\Windows\{F6C32137-21FE-46bf-8EBD-63C8343913D8}.exe
        12⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D438B~1.EXE > nul
        12⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE288~1.EXE > nul
        11⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A47D6~1.EXE > nul
        10⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C77F~1.EXE > nul
        9⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FB48~1.EXE > nul
        8⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7406~1.EXE > nul
        7⤵
        
        PID:776
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C83F~1.EXE > nul
        6⤵
        
        PID:2772
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39988~1.EXE > nul
        5⤵
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{44555~1.EXE > nul
      4⤵
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4E002~1.EXE > nul
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A40353~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2856

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe

Filesize
204KB

MD5
ef9184870af354d3d2e4ee7fca0907ac

SHA1
4774993f3cfe8ff1314480f96501f9f865d19ff1

SHA256
accce4869bbf2c039d77f125b596bc7a0764eb7f9866a6a4bc9b8ad90684fd3a

SHA512
7e925627c355dee31d83ab897151b178b9b761383b7226b4d68e573c6bacf78019f949775104706e38ca730832bda9966bc682c2dee2526475342127fbc30f4e

Download Submit
C:\Windows\{2C83FDD0-F61C-4910-936C-59B5E261820A}.exe

Filesize
204KB

MD5
ef9184870af354d3d2e4ee7fca0907ac

SHA1
4774993f3cfe8ff1314480f96501f9f865d19ff1

SHA256
accce4869bbf2c039d77f125b596bc7a0764eb7f9866a6a4bc9b8ad90684fd3a

SHA512
7e925627c355dee31d83ab897151b178b9b761383b7226b4d68e573c6bacf78019f949775104706e38ca730832bda9966bc682c2dee2526475342127fbc30f4e

Download Submit
C:\Windows\{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe

Filesize
204KB

MD5
e47e570376f275137044165435d31e3d

SHA1
e8c16647fab40f8eb54067bde4a343b65d95ea64

SHA256
384c595017e2dd81bedeea7fcb611eea38f65918783184416959745af2aad422

SHA512
87f1c3d554a48115a20d365becac0074cf04ba3c71fc44cb69dfb1e8e045569bcb2461e73681cd4ac17bc55d7c18ec74cf47440f7c063bacbd99851a0c1e8810

Download Submit
C:\Windows\{39988B3E-B081-434e-9FFB-6AEECD660FF6}.exe

Filesize
204KB

MD5
e47e570376f275137044165435d31e3d

SHA1
e8c16647fab40f8eb54067bde4a343b65d95ea64

SHA256
384c595017e2dd81bedeea7fcb611eea38f65918783184416959745af2aad422

SHA512
87f1c3d554a48115a20d365becac0074cf04ba3c71fc44cb69dfb1e8e045569bcb2461e73681cd4ac17bc55d7c18ec74cf47440f7c063bacbd99851a0c1e8810

Download Submit
C:\Windows\{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe

Filesize
204KB

MD5
79e3d02a6565b68ebcaea028b54d5d47

SHA1
85f026b78c74e33fe08159d4d9fb304e74fec82f

SHA256
efe081c8a943a5e738a1df40f670b064441a243fac6064fc875f79ac700e6231

SHA512
53ff2892c504ae5d3355c92529e1297e5f70f10631e738c06cd3787d6051c175a027d00b3b4c31a8063abc2bd603cef7c65c4c903258d52664277ef7a40b3d86

Download Submit
C:\Windows\{445559AE-3BAE-4aba-927D-A42C53A5885A}.exe

Filesize
204KB

MD5
79e3d02a6565b68ebcaea028b54d5d47

SHA1
85f026b78c74e33fe08159d4d9fb304e74fec82f

SHA256
efe081c8a943a5e738a1df40f670b064441a243fac6064fc875f79ac700e6231

SHA512
53ff2892c504ae5d3355c92529e1297e5f70f10631e738c06cd3787d6051c175a027d00b3b4c31a8063abc2bd603cef7c65c4c903258d52664277ef7a40b3d86

Download Submit
C:\Windows\{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe

Filesize
204KB

MD5
4e246a7ca79b87efd4c60646b6031aeb

SHA1
459e95aa50ea43a732ebcd7aa9e3bb37bef65931

SHA256
a7cab3de9f0e0d85cecca2bfe2a39e49562fd314325fefd315bcf3ca1ba53cba

SHA512
88f58a6b21df97399f46665d6bb26e2e09ab8543c772ad3ab6b748938bc7baea25d594fcbec572cc2569de60e3744fa4bf7c15c012dd824eab0147ecf03f9f63

Download Submit
C:\Windows\{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe

Filesize
204KB

MD5
4e246a7ca79b87efd4c60646b6031aeb

SHA1
459e95aa50ea43a732ebcd7aa9e3bb37bef65931

SHA256
a7cab3de9f0e0d85cecca2bfe2a39e49562fd314325fefd315bcf3ca1ba53cba

SHA512
88f58a6b21df97399f46665d6bb26e2e09ab8543c772ad3ab6b748938bc7baea25d594fcbec572cc2569de60e3744fa4bf7c15c012dd824eab0147ecf03f9f63

Download Submit
C:\Windows\{4E0020BA-E56D-4750-A94D-B1FFA5C1E898}.exe

Filesize
204KB

MD5
4e246a7ca79b87efd4c60646b6031aeb

SHA1
459e95aa50ea43a732ebcd7aa9e3bb37bef65931

SHA256
a7cab3de9f0e0d85cecca2bfe2a39e49562fd314325fefd315bcf3ca1ba53cba

SHA512
88f58a6b21df97399f46665d6bb26e2e09ab8543c772ad3ab6b748938bc7baea25d594fcbec572cc2569de60e3744fa4bf7c15c012dd824eab0147ecf03f9f63

Download Submit
C:\Windows\{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe

Filesize
204KB

MD5
136d6d279cff65a71e28a6cf5a633dc4

SHA1
6d3c6ff8638a42f74e01796ac807abd4d546e0e2

SHA256
592ffb7cd131170129a435325df3e80dc5cee4fed6041f4a760cbb800ac78e91

SHA512
c41ea470ebbf340d279dcc9635912087c43630883209b682bb7319102ae3221267091567dfb3b91964dd8f16a61dadec4ec667e0d54bd4d0b7a66d8c1c86d9d1

Download Submit
C:\Windows\{5FB48042-84AD-457f-839E-F124E8DB0E90}.exe

Filesize
204KB

MD5
136d6d279cff65a71e28a6cf5a633dc4

SHA1
6d3c6ff8638a42f74e01796ac807abd4d546e0e2

SHA256
592ffb7cd131170129a435325df3e80dc5cee4fed6041f4a760cbb800ac78e91

SHA512
c41ea470ebbf340d279dcc9635912087c43630883209b682bb7319102ae3221267091567dfb3b91964dd8f16a61dadec4ec667e0d54bd4d0b7a66d8c1c86d9d1

Download Submit
C:\Windows\{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe

Filesize
204KB

MD5
b6cb288e4004950be4e32224e67fd08b

SHA1
2352ad6c1946b80b4072909706d53e1bd80cd014

SHA256
333bd0110dc8ad709baf221a398bc9d83a5e410edba813b81c1317e43dd191b4

SHA512
3f3b00f9ab3243077382a72cb44a3a00699d7d891a637a2d7092d36ed470cf7c2c3f392b5ede560e0880a4f8ac9e83011b3be95b60e439413be44ea26411aac5

Download Submit
C:\Windows\{8C77F7C2-61FB-4b34-9B7C-1CBFA8C74DCD}.exe

Filesize
204KB

MD5
b6cb288e4004950be4e32224e67fd08b

SHA1
2352ad6c1946b80b4072909706d53e1bd80cd014

SHA256
333bd0110dc8ad709baf221a398bc9d83a5e410edba813b81c1317e43dd191b4

SHA512
3f3b00f9ab3243077382a72cb44a3a00699d7d891a637a2d7092d36ed470cf7c2c3f392b5ede560e0880a4f8ac9e83011b3be95b60e439413be44ea26411aac5

Download Submit
C:\Windows\{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe

Filesize
204KB

MD5
dfa6971ba5e011282978ae176db678d1

SHA1
11a127fda38bad404a6181461cb6ec93156a47dc

SHA256
d3e231dbba13ecf48c53fe4e0b3716f8dbed164076bfbaf05b3157cd7047168d

SHA512
8bb6b34a7a3927e81eea7367228ea29af5dcb41e547b7ff4821e6ef9b47e574e5d68c9b0c3d94b574ff8e14fb2119a7b8c22a1e7d134eefd4a4fe29ed971f58a

Download Submit
C:\Windows\{A47D6109-BEAE-4b5e-ABA1-EBE9C36BF40D}.exe

Filesize
204KB

MD5
dfa6971ba5e011282978ae176db678d1

SHA1
11a127fda38bad404a6181461cb6ec93156a47dc

SHA256
d3e231dbba13ecf48c53fe4e0b3716f8dbed164076bfbaf05b3157cd7047168d

SHA512
8bb6b34a7a3927e81eea7367228ea29af5dcb41e547b7ff4821e6ef9b47e574e5d68c9b0c3d94b574ff8e14fb2119a7b8c22a1e7d134eefd4a4fe29ed971f58a

Download Submit
C:\Windows\{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe

Filesize
204KB

MD5
0bd05915390829b325dd97d0e78e2370

SHA1
a6fed56a193d272a1a71ae21715084372f1c8937

SHA256
c22acec27039115c139fbf32261a859a6ffc7cab30f8ad51141b146485a50324

SHA512
49a359adef11de27ef475b858b20696bb4db45edfa18f63ddc19454d809f76900860c622c722955986045200b62b96b5e96f81292f6cc862102f973cc2814bb2

Download Submit
C:\Windows\{AE288A7C-843A-4296-82A2-8F8D86DAE901}.exe

Filesize
204KB

MD5
0bd05915390829b325dd97d0e78e2370

SHA1
a6fed56a193d272a1a71ae21715084372f1c8937

SHA256
c22acec27039115c139fbf32261a859a6ffc7cab30f8ad51141b146485a50324

SHA512
49a359adef11de27ef475b858b20696bb4db45edfa18f63ddc19454d809f76900860c622c722955986045200b62b96b5e96f81292f6cc862102f973cc2814bb2

Download Submit
C:\Windows\{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe

Filesize
204KB

MD5
cd7afb35241362b5fc3208f4c0d3fd84

SHA1
81055c6012ce4ee81d755a6af217c46a6fb8ef82

SHA256
5a0e2242897247b524d01f8d5f05497d337f986712415d24405b17ef4e03c81d

SHA512
d9929719c825ffe22023acf6f40a486352724772e8471d4a60edb0008c32a82db9624c90ca3ed95ce9b6183dfabe4296b08cf1a6403399501200790bf12f9c91

Download Submit
C:\Windows\{C74063B0-3401-4f6f-B252-3ECA8BCE4E12}.exe

Filesize
204KB

MD5
cd7afb35241362b5fc3208f4c0d3fd84

SHA1
81055c6012ce4ee81d755a6af217c46a6fb8ef82

SHA256
5a0e2242897247b524d01f8d5f05497d337f986712415d24405b17ef4e03c81d

SHA512
d9929719c825ffe22023acf6f40a486352724772e8471d4a60edb0008c32a82db9624c90ca3ed95ce9b6183dfabe4296b08cf1a6403399501200790bf12f9c91

Download Submit
C:\Windows\{D438B2C0-FA27-44da-B199-B566FA428871}.exe

Filesize
204KB

MD5
0817caa4ca80be0cea9f87403ec472c1

SHA1
728be67035e10068589fff076cabe939c02fbc8e

SHA256
ae23ad31ab8d42816316e7083a264801b9b043489763a86d1387f5493bfbcfbe

SHA512
54e09fc9660c3dfa6cd1651c9d039e361b5ed8da14c146c7cb250a93620fbff385cabc0f4fcfd73a5066adab1234d17d25d82368196ac6e01910d35b59a55ecc

Download Submit
C:\Windows\{D438B2C0-FA27-44da-B199-B566FA428871}.exe

Filesize
204KB

MD5
0817caa4ca80be0cea9f87403ec472c1

SHA1
728be67035e10068589fff076cabe939c02fbc8e

SHA256
ae23ad31ab8d42816316e7083a264801b9b043489763a86d1387f5493bfbcfbe

SHA512
54e09fc9660c3dfa6cd1651c9d039e361b5ed8da14c146c7cb250a93620fbff385cabc0f4fcfd73a5066adab1234d17d25d82368196ac6e01910d35b59a55ecc

Download Submit
C:\Windows\{F6C32137-21FE-46bf-8EBD-63C8343913D8}.exe

Filesize
204KB

MD5
63e63f30638f0a7c9792ffa6462f5b83

SHA1
180100b42666bf6417d18292ffe892e8d0789e79

SHA256
2bdfb49c608c9b413641b7ffe9f4adf73a6dd6816aa44851901e22fd71ab9fe5

SHA512
d5cae29d3eecd8eb2c6b7320ffbd50a8d32a1cf27accd5d052be0f0d826099a06bf21e955598313fe01c2837bc65485f9155935209dac516adc53b23ffd02b8a

Download Submit