c78d365018d54a3e8c1149037c8f144e007364028eedacef387d5a727176a28c

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 12:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aebd8d4958aa12_JC.exe
Size

168KB
MD5

aebd8d4958aa121dcf4b1ee86737e865
SHA1

00b16e2a06110328164b4c3f5685cda37f616a8b
SHA256

c78d365018d54a3e8c1149037c8f144e007364028eedacef387d5a727176a28c
SHA512

b334d03114446993c4896ce4840d6ccadfd07cf68ccf17338ce14775b6ff12705edaa302cafde6718ff3b47a598f8266ec3506286d97c27ab6c8cc4c0706c630
SSDEEP

1536:1EGh0o8lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o8lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32716DA1-6C01-4805-AE19-FB505FFA4D45}\stubpath = "C:\\Windows\\{32716DA1-6C01-4805-AE19-FB505FFA4D45}.exe"	{3DE8457D-9985-4b40-9215-97656078C5DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92F7977A-BBB6-4850-ADCD-39575189A767}	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{369AF7C5-8CE4-456d-B917-B7A324967D3E}\stubpath = "C:\\Windows\\{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe"	aebd8d4958aa12_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE6239DB-4AFC-46a7-8790-BE3CD6320522}\stubpath = "C:\\Windows\\{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe"	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3259A4D-F648-4a4b-8184-FC6239AE5A93}\stubpath = "C:\\Windows\\{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe"	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B64582AB-C18D-4288-9956-3A842D4E87D6}	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}\stubpath = "C:\\Windows\\{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe"	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAD664C1-6237-46b9-878F-2696428A43A4}	{92F7977A-BBB6-4850-ADCD-39575189A767}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CAD664C1-6237-46b9-878F-2696428A43A4}\stubpath = "C:\\Windows\\{CAD664C1-6237-46b9-878F-2696428A43A4}.exe"	{92F7977A-BBB6-4850-ADCD-39575189A767}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{369AF7C5-8CE4-456d-B917-B7A324967D3E}	aebd8d4958aa12_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}\stubpath = "C:\\Windows\\{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe"	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B64582AB-C18D-4288-9956-3A842D4E87D6}\stubpath = "C:\\Windows\\{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe"	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DE8457D-9985-4b40-9215-97656078C5DA}	{CAD664C1-6237-46b9-878F-2696428A43A4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3DE8457D-9985-4b40-9215-97656078C5DA}\stubpath = "C:\\Windows\\{3DE8457D-9985-4b40-9215-97656078C5DA}.exe"	{CAD664C1-6237-46b9-878F-2696428A43A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{32716DA1-6C01-4805-AE19-FB505FFA4D45}	{3DE8457D-9985-4b40-9215-97656078C5DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE6239DB-4AFC-46a7-8790-BE3CD6320522}	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B3259A4D-F648-4a4b-8184-FC6239AE5A93}	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}\stubpath = "C:\\Windows\\{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe"	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92F7977A-BBB6-4850-ADCD-39575189A767}\stubpath = "C:\\Windows\\{92F7977A-BBB6-4850-ADCD-39575189A767}.exe"	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe

Deletes itself 1 IoCs

pid	Process
1684	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1896	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe
2508	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe
2476	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe
1632	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe
2956	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe
2832	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe
1728	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe
2864	{92F7977A-BBB6-4850-ADCD-39575189A767}.exe
2712	{CAD664C1-6237-46b9-878F-2696428A43A4}.exe
2380	{3DE8457D-9985-4b40-9215-97656078C5DA}.exe
1160	{32716DA1-6C01-4805-AE19-FB505FFA4D45}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe
File created	C:\Windows\{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe
File created	C:\Windows\{CAD664C1-6237-46b9-878F-2696428A43A4}.exe	{92F7977A-BBB6-4850-ADCD-39575189A767}.exe
File created	C:\Windows\{3DE8457D-9985-4b40-9215-97656078C5DA}.exe	{CAD664C1-6237-46b9-878F-2696428A43A4}.exe
File created	C:\Windows\{32716DA1-6C01-4805-AE19-FB505FFA4D45}.exe	{3DE8457D-9985-4b40-9215-97656078C5DA}.exe
File created	C:\Windows\{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe
File created	C:\Windows\{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe
File created	C:\Windows\{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe
File created	C:\Windows\{92F7977A-BBB6-4850-ADCD-39575189A767}.exe	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe
File created	C:\Windows\{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe	aebd8d4958aa12_JC.exe
File created	C:\Windows\{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2216	aebd8d4958aa12_JC.exe
Token: SeIncBasePriorityPrivilege	1896	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe
Token: SeIncBasePriorityPrivilege	2508	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe
Token: SeIncBasePriorityPrivilege	2476	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe
Token: SeIncBasePriorityPrivilege	1632	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe
Token: SeIncBasePriorityPrivilege	2956	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe
Token: SeIncBasePriorityPrivilege	2832	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe
Token: SeIncBasePriorityPrivilege	1728	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe
Token: SeIncBasePriorityPrivilege	2864	{92F7977A-BBB6-4850-ADCD-39575189A767}.exe
Token: SeIncBasePriorityPrivilege	2712	{CAD664C1-6237-46b9-878F-2696428A43A4}.exe
Token: SeIncBasePriorityPrivilege	2380	{3DE8457D-9985-4b40-9215-97656078C5DA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 1896	2216	aebd8d4958aa12_JC.exe	28
PID 2216 wrote to memory of 1896	2216	aebd8d4958aa12_JC.exe	28
PID 2216 wrote to memory of 1896	2216	aebd8d4958aa12_JC.exe	28
PID 2216 wrote to memory of 1896	2216	aebd8d4958aa12_JC.exe	28
PID 2216 wrote to memory of 1684	2216	aebd8d4958aa12_JC.exe	29
PID 2216 wrote to memory of 1684	2216	aebd8d4958aa12_JC.exe	29
PID 2216 wrote to memory of 1684	2216	aebd8d4958aa12_JC.exe	29
PID 2216 wrote to memory of 1684	2216	aebd8d4958aa12_JC.exe	29
PID 1896 wrote to memory of 2508	1896	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe	32
PID 1896 wrote to memory of 2508	1896	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe	32
PID 1896 wrote to memory of 2508	1896	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe	32
PID 1896 wrote to memory of 2508	1896	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe	32
PID 1896 wrote to memory of 2416	1896	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe	33
PID 1896 wrote to memory of 2416	1896	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe	33
PID 1896 wrote to memory of 2416	1896	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe	33
PID 1896 wrote to memory of 2416	1896	{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe	33
PID 2508 wrote to memory of 2476	2508	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe	34
PID 2508 wrote to memory of 2476	2508	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe	34
PID 2508 wrote to memory of 2476	2508	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe	34
PID 2508 wrote to memory of 2476	2508	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe	34
PID 2508 wrote to memory of 2792	2508	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe	35
PID 2508 wrote to memory of 2792	2508	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe	35
PID 2508 wrote to memory of 2792	2508	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe	35
PID 2508 wrote to memory of 2792	2508	{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe	35
PID 2476 wrote to memory of 1632	2476	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe	36
PID 2476 wrote to memory of 1632	2476	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe	36
PID 2476 wrote to memory of 1632	2476	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe	36
PID 2476 wrote to memory of 1632	2476	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe	36
PID 2476 wrote to memory of 2948	2476	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe	37
PID 2476 wrote to memory of 2948	2476	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe	37
PID 2476 wrote to memory of 2948	2476	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe	37
PID 2476 wrote to memory of 2948	2476	{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe	37
PID 1632 wrote to memory of 2956	1632	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe	39
PID 1632 wrote to memory of 2956	1632	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe	39
PID 1632 wrote to memory of 2956	1632	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe	39
PID 1632 wrote to memory of 2956	1632	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe	39
PID 1632 wrote to memory of 2284	1632	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe	38
PID 1632 wrote to memory of 2284	1632	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe	38
PID 1632 wrote to memory of 2284	1632	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe	38
PID 1632 wrote to memory of 2284	1632	{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe	38
PID 2956 wrote to memory of 2832	2956	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe	40
PID 2956 wrote to memory of 2832	2956	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe	40
PID 2956 wrote to memory of 2832	2956	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe	40
PID 2956 wrote to memory of 2832	2956	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe	40
PID 2956 wrote to memory of 2096	2956	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe	41
PID 2956 wrote to memory of 2096	2956	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe	41
PID 2956 wrote to memory of 2096	2956	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe	41
PID 2956 wrote to memory of 2096	2956	{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe	41
PID 2832 wrote to memory of 1728	2832	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe	42
PID 2832 wrote to memory of 1728	2832	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe	42
PID 2832 wrote to memory of 1728	2832	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe	42
PID 2832 wrote to memory of 1728	2832	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe	42
PID 2832 wrote to memory of 3000	2832	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe	43
PID 2832 wrote to memory of 3000	2832	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe	43
PID 2832 wrote to memory of 3000	2832	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe	43
PID 2832 wrote to memory of 3000	2832	{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe	43
PID 1728 wrote to memory of 2864	1728	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe	44
PID 1728 wrote to memory of 2864	1728	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe	44
PID 1728 wrote to memory of 2864	1728	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe	44
PID 1728 wrote to memory of 2864	1728	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe	44
PID 1728 wrote to memory of 2812	1728	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe	45
PID 1728 wrote to memory of 2812	1728	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe	45
PID 1728 wrote to memory of 2812	1728	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe	45
PID 1728 wrote to memory of 2812	1728	{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe	45

C:\Users\Admin\AppData\Local\Temp\aebd8d4958aa12_JC.exe
"C:\Users\Admin\AppData\Local\Temp\aebd8d4958aa12_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe
  C:\Windows\{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe
    C:\Windows\{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe
      C:\Windows\{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe
        
        C:\Windows\{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B3259~1.EXE > nul
        6⤵
        
        PID:2284
      - C:\Windows\{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe
        
        C:\Windows\{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe
        
        C:\Windows\{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe
        
        C:\Windows\{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\{92F7977A-BBB6-4850-ADCD-39575189A767}.exe
        
        C:\Windows\{92F7977A-BBB6-4850-ADCD-39575189A767}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{CAD664C1-6237-46b9-878F-2696428A43A4}.exe
        
        C:\Windows\{CAD664C1-6237-46b9-878F-2696428A43A4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CAD66~1.EXE > nul
        11⤵
        
        PID:1104
        
        C:\Windows\{3DE8457D-9985-4b40-9215-97656078C5DA}.exe
        
        C:\Windows\{3DE8457D-9985-4b40-9215-97656078C5DA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3DE84~1.EXE > nul
        12⤵
        
        PID:1172
        
        C:\Windows\{32716DA1-6C01-4805-AE19-FB505FFA4D45}.exe
        
        C:\Windows\{32716DA1-6C01-4805-AE19-FB505FFA4D45}.exe
        12⤵
        Executes dropped EXE
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92F79~1.EXE > nul
        10⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D325~1.EXE > nul
        9⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC49F~1.EXE > nul
        8⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6458~1.EXE > nul
        7⤵
        
        PID:2096
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE623~1.EXE > nul
        5⤵
        
        PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B66C~1.EXE > nul
      4⤵
      PID:2792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{369AF~1.EXE > nul
    3⤵
    PID:2416
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AEBD8D~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe

Filesize
168KB

MD5
f5b7cdc35fdae4d7cc6e20be3e3c380e

SHA1
0f7ed3e13c59d54f1606aae8c849f6813838b35b

SHA256
78d8ac813bccc4b275d2e5adbdf5aec66fca9ea303f8770901346c68803bd363

SHA512
c25db9d3c9eadc0875d843a04b6e4191546e3c28110dca65320da0d56aa99be6225e2f26cd392c560bb4d406dc11f2adcbf8e4273763aa1b851a93d6266b164c

Download Submit
C:\Windows\{0B66CC29-178A-49a1-BE18-A0A0FCBA097A}.exe

Filesize
168KB

MD5
f5b7cdc35fdae4d7cc6e20be3e3c380e

SHA1
0f7ed3e13c59d54f1606aae8c849f6813838b35b

SHA256
78d8ac813bccc4b275d2e5adbdf5aec66fca9ea303f8770901346c68803bd363

SHA512
c25db9d3c9eadc0875d843a04b6e4191546e3c28110dca65320da0d56aa99be6225e2f26cd392c560bb4d406dc11f2adcbf8e4273763aa1b851a93d6266b164c

Download Submit
C:\Windows\{32716DA1-6C01-4805-AE19-FB505FFA4D45}.exe

Filesize
168KB

MD5
f1eed485a6c6ac617c434125805a5065

SHA1
d37d388a29e785d2efb4dc46bd984f0bb140a145

SHA256
093df54ae4856f66db73ab601aed9a14ba6a633e5616e63cc269270cab44338d

SHA512
094d1b7306cc0a42475f134bc2a1cb6555b081e75904bef13970b1515b5eb7373f2bde0211fb6f5e79d403fd0de29fb5e4f0ca3c423b6767f653ec2f54a97f8b

Download Submit
C:\Windows\{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe

Filesize
168KB

MD5
8e2f2a175a56c61f3b7873274bdd4d72

SHA1
ca6a8bd63383113f2aa8ef3d98b2d7a194f1c514

SHA256
56c36d62f2206f561ed50690a3c77d01f22bfb74aaea78fea894fe44180a9370

SHA512
81cbf22947a843260e6c0fc0fa7af0def97c20f5565e6ff7bdb6d040ea4393c7c742906c67464217c5747dae109587115e85b675dfe8579d74564326b4b70ad4

Download Submit
C:\Windows\{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe

Filesize
168KB

MD5
8e2f2a175a56c61f3b7873274bdd4d72

SHA1
ca6a8bd63383113f2aa8ef3d98b2d7a194f1c514

SHA256
56c36d62f2206f561ed50690a3c77d01f22bfb74aaea78fea894fe44180a9370

SHA512
81cbf22947a843260e6c0fc0fa7af0def97c20f5565e6ff7bdb6d040ea4393c7c742906c67464217c5747dae109587115e85b675dfe8579d74564326b4b70ad4

Download Submit
C:\Windows\{369AF7C5-8CE4-456d-B917-B7A324967D3E}.exe

Filesize
168KB

MD5
8e2f2a175a56c61f3b7873274bdd4d72

SHA1
ca6a8bd63383113f2aa8ef3d98b2d7a194f1c514

SHA256
56c36d62f2206f561ed50690a3c77d01f22bfb74aaea78fea894fe44180a9370

SHA512
81cbf22947a843260e6c0fc0fa7af0def97c20f5565e6ff7bdb6d040ea4393c7c742906c67464217c5747dae109587115e85b675dfe8579d74564326b4b70ad4

Download Submit
C:\Windows\{3DE8457D-9985-4b40-9215-97656078C5DA}.exe

Filesize
168KB

MD5
341e388d6c8ed678aba1e52b192b64da

SHA1
11907ff3d739156f8680c86ef5af017b661777ab

SHA256
83aa3dac8437cccc0f1ba3d036a29b59335cb4bb7fbd3c381dcc7a90e4cd62a9

SHA512
55a72ea99b755308533856bd54209af5b6965b657898926d7a497ec6adba68e814694d891084f41098d3735a9cc07fc7f1372f36cab3e2eaefcec791e9a61329

Download Submit
C:\Windows\{3DE8457D-9985-4b40-9215-97656078C5DA}.exe

Filesize
168KB

MD5
341e388d6c8ed678aba1e52b192b64da

SHA1
11907ff3d739156f8680c86ef5af017b661777ab

SHA256
83aa3dac8437cccc0f1ba3d036a29b59335cb4bb7fbd3c381dcc7a90e4cd62a9

SHA512
55a72ea99b755308533856bd54209af5b6965b657898926d7a497ec6adba68e814694d891084f41098d3735a9cc07fc7f1372f36cab3e2eaefcec791e9a61329

Download Submit
C:\Windows\{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe

Filesize
168KB

MD5
a230ade52a413df4e58b0babe8269216

SHA1
fef88e27c381b60045cf6b6fc0075df68afdd40d

SHA256
6130c8ad859a99f6269a527555aaa3a88a68f479a365cf26b67eaa9ee8b0bbec

SHA512
06dd9842341e191292652990b65483f8587201d06b645e54e7849559a9c931aefb07247911670d3556aa7bbe6e6e5e7aa4f3d6d672ca1e8f0a0c82f113c1011b

Download Submit
C:\Windows\{4D32598B-88D3-4f3a-BDE6-96BE3860F1C9}.exe

Filesize
168KB

MD5
a230ade52a413df4e58b0babe8269216

SHA1
fef88e27c381b60045cf6b6fc0075df68afdd40d

SHA256
6130c8ad859a99f6269a527555aaa3a88a68f479a365cf26b67eaa9ee8b0bbec

SHA512
06dd9842341e191292652990b65483f8587201d06b645e54e7849559a9c931aefb07247911670d3556aa7bbe6e6e5e7aa4f3d6d672ca1e8f0a0c82f113c1011b

Download Submit
C:\Windows\{92F7977A-BBB6-4850-ADCD-39575189A767}.exe

Filesize
168KB

MD5
996a8fb701fd14132a266d9f57ca30d2

SHA1
5699e26e24847a2e02b4165c69410e96b09f0252

SHA256
a45d1113b45a94ff2517c5a2af909037fec442a71de158abc3f107ddfc994d43

SHA512
dc0ebc48b34f0ee70fce0f70f362d256b14715a1bf1b24f35577b78aaf1078cc5771e83b3134f647718c5093ba11877a5ebdf02cf1539abd8cdc112e08ea419c

Download Submit
C:\Windows\{92F7977A-BBB6-4850-ADCD-39575189A767}.exe

Filesize
168KB

MD5
996a8fb701fd14132a266d9f57ca30d2

SHA1
5699e26e24847a2e02b4165c69410e96b09f0252

SHA256
a45d1113b45a94ff2517c5a2af909037fec442a71de158abc3f107ddfc994d43

SHA512
dc0ebc48b34f0ee70fce0f70f362d256b14715a1bf1b24f35577b78aaf1078cc5771e83b3134f647718c5093ba11877a5ebdf02cf1539abd8cdc112e08ea419c

Download Submit
C:\Windows\{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe

Filesize
168KB

MD5
8f7a6d187414a621e13c9b3ab06bd864

SHA1
22b341ad639fe978b63498714a2998b2eba72ae4

SHA256
ee7e526232db554386a5920004af504ee1345b034e625a3935cd060961fb9534

SHA512
77c2c22816bdbc5db662d02c4c0aa0554b7a82931a8284485eeb6296f01f4c4551bf3a356c6065f0ed6b5b254df3e3bbc8247de8902f6e8b31f5ffb64ede840c

Download Submit
C:\Windows\{B3259A4D-F648-4a4b-8184-FC6239AE5A93}.exe

Filesize
168KB

MD5
8f7a6d187414a621e13c9b3ab06bd864

SHA1
22b341ad639fe978b63498714a2998b2eba72ae4

SHA256
ee7e526232db554386a5920004af504ee1345b034e625a3935cd060961fb9534

SHA512
77c2c22816bdbc5db662d02c4c0aa0554b7a82931a8284485eeb6296f01f4c4551bf3a356c6065f0ed6b5b254df3e3bbc8247de8902f6e8b31f5ffb64ede840c

Download Submit
C:\Windows\{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe

Filesize
168KB

MD5
1343ba0fe6c7eaec652d8fc3ceab4676

SHA1
ae8e54e99e05c003ddc916d1bdfa686ad1f9184a

SHA256
5484d9a3efd4736bd795d29627bf6f04ca500e687522959357249c5b5b435403

SHA512
be0bc3f92d89fbf8dcc71018db05951e02a16f21861882cb59064990319f82b4e7b5aee6c86d92f5d75088ddf4bf81a013f3b5e5ffaaa866749188109736e509

Download Submit
C:\Windows\{B64582AB-C18D-4288-9956-3A842D4E87D6}.exe

Filesize
168KB

MD5
1343ba0fe6c7eaec652d8fc3ceab4676

SHA1
ae8e54e99e05c003ddc916d1bdfa686ad1f9184a

SHA256
5484d9a3efd4736bd795d29627bf6f04ca500e687522959357249c5b5b435403

SHA512
be0bc3f92d89fbf8dcc71018db05951e02a16f21861882cb59064990319f82b4e7b5aee6c86d92f5d75088ddf4bf81a013f3b5e5ffaaa866749188109736e509

Download Submit
C:\Windows\{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe

Filesize
168KB

MD5
b1d21f69b701b7483361f20d615d3e1f

SHA1
3943c0441d5089548903832c75af3391c03e5628

SHA256
49b89b2fc5d0e3acf47e369c9c21d7e42262280fff97a164b36c5285d4d8169a

SHA512
7f2a4a1e26adb37c97ba939874a9c5653745a71e4936350ad6ec0c1e007df50c5019ad27c417ab3ecf1fe1f0c8009fe8d53d90b190fb52c071b8a32be5de98e7

Download Submit
C:\Windows\{BE6239DB-4AFC-46a7-8790-BE3CD6320522}.exe

Filesize
168KB

MD5
b1d21f69b701b7483361f20d615d3e1f

SHA1
3943c0441d5089548903832c75af3391c03e5628

SHA256
49b89b2fc5d0e3acf47e369c9c21d7e42262280fff97a164b36c5285d4d8169a

SHA512
7f2a4a1e26adb37c97ba939874a9c5653745a71e4936350ad6ec0c1e007df50c5019ad27c417ab3ecf1fe1f0c8009fe8d53d90b190fb52c071b8a32be5de98e7

Download Submit
C:\Windows\{CAD664C1-6237-46b9-878F-2696428A43A4}.exe

Filesize
168KB

MD5
50c79f5a35a2caefda75641ba9dd9e74

SHA1
ed7c2440952d8b9c3fe072b226c71f8196573535

SHA256
53b02bac9639833c74508648a69d5cc7d30b72fb79800ce31e2ca1f22c5a6928

SHA512
24872d33f61961aece7fd0e6bdd1c4118e82567cc3000994d750b9645038abc7f76e2af44dde442676dadee3e8694b41e7e34de2f1d279512609de5310d3a55f

Download Submit
C:\Windows\{CAD664C1-6237-46b9-878F-2696428A43A4}.exe

Filesize
168KB

MD5
50c79f5a35a2caefda75641ba9dd9e74

SHA1
ed7c2440952d8b9c3fe072b226c71f8196573535

SHA256
53b02bac9639833c74508648a69d5cc7d30b72fb79800ce31e2ca1f22c5a6928

SHA512
24872d33f61961aece7fd0e6bdd1c4118e82567cc3000994d750b9645038abc7f76e2af44dde442676dadee3e8694b41e7e34de2f1d279512609de5310d3a55f

Download Submit
C:\Windows\{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe

Filesize
168KB

MD5
70dc68c52ace62b1875cd01ce32bc307

SHA1
1258771286d929bd06178849156fbfcdc61e5b05

SHA256
2c4ad6206f6ab183779f72e54427e70806f7e1ff26a83dfbecfdf8bf8e87cb8a

SHA512
4eee95633e0a3242cbbaa9b4a06da829f30aecf5362d00636d20f0f8b6fd88526d2344e2a93ae0d606b2a619d0c41f89451ddf25f8d8548ba8d085ea308e83cf

Download Submit
C:\Windows\{CC49F1F6-BF71-4939-B13B-41DC4E7DF681}.exe

Filesize
168KB

MD5
70dc68c52ace62b1875cd01ce32bc307

SHA1
1258771286d929bd06178849156fbfcdc61e5b05

SHA256
2c4ad6206f6ab183779f72e54427e70806f7e1ff26a83dfbecfdf8bf8e87cb8a

SHA512
4eee95633e0a3242cbbaa9b4a06da829f30aecf5362d00636d20f0f8b6fd88526d2344e2a93ae0d606b2a619d0c41f89451ddf25f8d8548ba8d085ea308e83cf

Download Submit