d96d3c864042ffee0f51a5f30f4a47f60255efdce0907b883949002fc242dd81

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/07/2023, 14:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

edd052f9324b3fexe_JC.exe
Size

216KB
MD5

edd052f9324b3ff57eb3885e08363f36
SHA1

fc9549b95abe39314bbb3257cfa9ea733978e387
SHA256

d96d3c864042ffee0f51a5f30f4a47f60255efdce0907b883949002fc242dd81
SHA512

32bace5721f5d0e4509387859e0aace23163d4e387c8c3453db3a21e15150ea6647452d4576e0972394cc6c99e2d91457ebabda7314302bce7fd52f6dfaa8aeb
SSDEEP

3072:jEGh0oDl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEG1lEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FE5F668-B794-4994-B61F-95B5C27484D5}	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AA9D680-7AEB-470b-A819-37168B65B774}\stubpath = "C:\\Windows\\{8AA9D680-7AEB-470b-A819-37168B65B774}.exe"	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD22C2B-DDEF-4172-95E9-B55E3273617E}	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02E19253-A06B-40b4-A947-5FD71148A472}\stubpath = "C:\\Windows\\{02E19253-A06B-40b4-A947-5FD71148A472}.exe"	{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}\stubpath = "C:\\Windows\\{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe"	edd052f9324b3fexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE29E731-211C-481b-B67D-252B19F56CCB}	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2E1E3F2-6AE9-4f63-8188-991A7056F763}	{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69479FF4-4D5E-45b1-B333-198FEFBB4172}	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69479FF4-4D5E-45b1-B333-198FEFBB4172}\stubpath = "C:\\Windows\\{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe"	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80F01E88-405E-4e56-A0B5-49101ECA2D58}\stubpath = "C:\\Windows\\{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe"	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8DD22C2B-DDEF-4172-95E9-B55E3273617E}\stubpath = "C:\\Windows\\{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe"	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC1AA810-1951-4895-BBF0-7717CAF5F979}	{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D2E1E3F2-6AE9-4f63-8188-991A7056F763}\stubpath = "C:\\Windows\\{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe"	{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}	edd052f9324b3fexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E668667-4F89-4e2d-9F34-B615D3FE591C}	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{80F01E88-405E-4e56-A0B5-49101ECA2D58}	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6FE5F668-B794-4994-B61F-95B5C27484D5}\stubpath = "C:\\Windows\\{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe"	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AA9D680-7AEB-470b-A819-37168B65B774}	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC1AA810-1951-4895-BBF0-7717CAF5F979}\stubpath = "C:\\Windows\\{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe"	{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{02E19253-A06B-40b4-A947-5FD71148A472}	{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE29E731-211C-481b-B67D-252B19F56CCB}\stubpath = "C:\\Windows\\{FE29E731-211C-481b-B67D-252B19F56CCB}.exe"	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E668667-4F89-4e2d-9F34-B615D3FE591C}\stubpath = "C:\\Windows\\{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe"	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe

Deletes itself 1 IoCs

pid	Process
2336	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1252	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe
2500	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe
2988	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe
2836	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe
2920	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe
2896	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe
2720	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe
2308	{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe
560	{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe
1976	{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe
2040	{02E19253-A06B-40b4-A947-5FD71148A472}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe	edd052f9324b3fexe_JC.exe
File created	C:\Windows\{FE29E731-211C-481b-B67D-252B19F56CCB}.exe	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe
File created	C:\Windows\{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe
File created	C:\Windows\{8AA9D680-7AEB-470b-A819-37168B65B774}.exe	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe
File created	C:\Windows\{02E19253-A06B-40b4-A947-5FD71148A472}.exe	{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe
File created	C:\Windows\{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe
File created	C:\Windows\{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe
File created	C:\Windows\{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe
File created	C:\Windows\{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe
File created	C:\Windows\{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe	{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe
File created	C:\Windows\{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe	{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2676	edd052f9324b3fexe_JC.exe
Token: SeIncBasePriorityPrivilege	1252	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe
Token: SeIncBasePriorityPrivilege	2500	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe
Token: SeIncBasePriorityPrivilege	2988	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe
Token: SeIncBasePriorityPrivilege	2836	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe
Token: SeIncBasePriorityPrivilege	2920	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe
Token: SeIncBasePriorityPrivilege	2896	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe
Token: SeIncBasePriorityPrivilege	2720	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe
Token: SeIncBasePriorityPrivilege	2308	{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe
Token: SeIncBasePriorityPrivilege	560	{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe
Token: SeIncBasePriorityPrivilege	1976	{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 1252	2676	edd052f9324b3fexe_JC.exe	28
PID 2676 wrote to memory of 1252	2676	edd052f9324b3fexe_JC.exe	28
PID 2676 wrote to memory of 1252	2676	edd052f9324b3fexe_JC.exe	28
PID 2676 wrote to memory of 1252	2676	edd052f9324b3fexe_JC.exe	28
PID 2676 wrote to memory of 2336	2676	edd052f9324b3fexe_JC.exe	29
PID 2676 wrote to memory of 2336	2676	edd052f9324b3fexe_JC.exe	29
PID 2676 wrote to memory of 2336	2676	edd052f9324b3fexe_JC.exe	29
PID 2676 wrote to memory of 2336	2676	edd052f9324b3fexe_JC.exe	29
PID 1252 wrote to memory of 2500	1252	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe	32
PID 1252 wrote to memory of 2500	1252	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe	32
PID 1252 wrote to memory of 2500	1252	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe	32
PID 1252 wrote to memory of 2500	1252	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe	32
PID 1252 wrote to memory of 2940	1252	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe	33
PID 1252 wrote to memory of 2940	1252	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe	33
PID 1252 wrote to memory of 2940	1252	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe	33
PID 1252 wrote to memory of 2940	1252	{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe	33
PID 2500 wrote to memory of 2988	2500	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe	34
PID 2500 wrote to memory of 2988	2500	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe	34
PID 2500 wrote to memory of 2988	2500	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe	34
PID 2500 wrote to memory of 2988	2500	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe	34
PID 2500 wrote to memory of 2808	2500	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe	35
PID 2500 wrote to memory of 2808	2500	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe	35
PID 2500 wrote to memory of 2808	2500	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe	35
PID 2500 wrote to memory of 2808	2500	{FE29E731-211C-481b-B67D-252B19F56CCB}.exe	35
PID 2988 wrote to memory of 2836	2988	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe	36
PID 2988 wrote to memory of 2836	2988	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe	36
PID 2988 wrote to memory of 2836	2988	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe	36
PID 2988 wrote to memory of 2836	2988	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe	36
PID 2988 wrote to memory of 1836	2988	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe	37
PID 2988 wrote to memory of 1836	2988	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe	37
PID 2988 wrote to memory of 1836	2988	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe	37
PID 2988 wrote to memory of 1836	2988	{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe	37
PID 2836 wrote to memory of 2920	2836	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe	39
PID 2836 wrote to memory of 2920	2836	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe	39
PID 2836 wrote to memory of 2920	2836	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe	39
PID 2836 wrote to memory of 2920	2836	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe	39
PID 2836 wrote to memory of 2728	2836	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe	38
PID 2836 wrote to memory of 2728	2836	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe	38
PID 2836 wrote to memory of 2728	2836	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe	38
PID 2836 wrote to memory of 2728	2836	{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe	38
PID 2920 wrote to memory of 2896	2920	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe	41
PID 2920 wrote to memory of 2896	2920	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe	41
PID 2920 wrote to memory of 2896	2920	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe	41
PID 2920 wrote to memory of 2896	2920	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe	41
PID 2920 wrote to memory of 2816	2920	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe	40
PID 2920 wrote to memory of 2816	2920	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe	40
PID 2920 wrote to memory of 2816	2920	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe	40
PID 2920 wrote to memory of 2816	2920	{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe	40
PID 2896 wrote to memory of 2720	2896	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe	42
PID 2896 wrote to memory of 2720	2896	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe	42
PID 2896 wrote to memory of 2720	2896	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe	42
PID 2896 wrote to memory of 2720	2896	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe	42
PID 2896 wrote to memory of 2776	2896	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe	43
PID 2896 wrote to memory of 2776	2896	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe	43
PID 2896 wrote to memory of 2776	2896	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe	43
PID 2896 wrote to memory of 2776	2896	{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe	43
PID 2720 wrote to memory of 2308	2720	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe	44
PID 2720 wrote to memory of 2308	2720	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe	44
PID 2720 wrote to memory of 2308	2720	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe	44
PID 2720 wrote to memory of 2308	2720	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe	44
PID 2720 wrote to memory of 1560	2720	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe	45
PID 2720 wrote to memory of 1560	2720	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe	45
PID 2720 wrote to memory of 1560	2720	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe	45
PID 2720 wrote to memory of 1560	2720	{8AA9D680-7AEB-470b-A819-37168B65B774}.exe	45

C:\Users\Admin\AppData\Local\Temp\edd052f9324b3fexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\edd052f9324b3fexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe
  C:\Windows\{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\{FE29E731-211C-481b-B67D-252B19F56CCB}.exe
    C:\Windows\{FE29E731-211C-481b-B67D-252B19F56CCB}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe
      C:\Windows\{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe
        
        C:\Windows\{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69479~1.EXE > nul
        6⤵
        
        PID:2728
      - C:\Windows\{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe
        
        C:\Windows\{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80F01~1.EXE > nul
        7⤵
        
        PID:2816
        
        C:\Windows\{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe
        
        C:\Windows\{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{8AA9D680-7AEB-470b-A819-37168B65B774}.exe
        
        C:\Windows\{8AA9D680-7AEB-470b-A819-37168B65B774}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe
        
        C:\Windows\{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe
        
        C:\Windows\{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
        
        C:\Windows\{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe
        
        C:\Windows\{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2E1E~1.EXE > nul
        12⤵
        
        PID:1276
        
        C:\Windows\{02E19253-A06B-40b4-A947-5FD71148A472}.exe
        
        C:\Windows\{02E19253-A06B-40b4-A947-5FD71148A472}.exe
        12⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC1AA~1.EXE > nul
        11⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DD22~1.EXE > nul
        10⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AA9D~1.EXE > nul
        9⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6FE5F~1.EXE > nul
        8⤵
        
        PID:2776
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E668~1.EXE > nul
        5⤵
        
        PID:1836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FE29E~1.EXE > nul
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EDFF1~1.EXE > nul
    3⤵
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EDD052~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2336

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02E19253-A06B-40b4-A947-5FD71148A472}.exe

Filesize
216KB

MD5
66f1cf6def5eca8f078a3e025f84b1aa

SHA1
d558ae73fd59def7a3d32d6267ec83ba148c7ae4

SHA256
e3df861b2504bd5ad7e755bdce1e9fd3338d0af4112eb988f51865850754c4fb

SHA512
6f85254a06d59302b886a7e704c1e61e9f5ed109c4f3f8bfaf32649626483b46db17ea4c2b4cc7b96224499e8d80c65cc8be974cd27834a65747e0d6121462eb

Download Submit
C:\Windows\{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe

Filesize
216KB

MD5
ab7ac46fda0e3e623c381f2fd98e71c5

SHA1
b23b8def2431612a735a7d95ce3c882972a23894

SHA256
f58b914bdd73e09b0128f222354839f09d13814355650e7d05ffa6ebd9b62220

SHA512
f6946535add85495d85b822b8c47b50f8dffc79fac81199fd7376e807def4ab0079520de185b1b824a9a8da302d338a8909820acc5f990aa50a8fb52b8616495

Download Submit
C:\Windows\{69479FF4-4D5E-45b1-B333-198FEFBB4172}.exe

Filesize
216KB

MD5
ab7ac46fda0e3e623c381f2fd98e71c5

SHA1
b23b8def2431612a735a7d95ce3c882972a23894

SHA256
f58b914bdd73e09b0128f222354839f09d13814355650e7d05ffa6ebd9b62220

SHA512
f6946535add85495d85b822b8c47b50f8dffc79fac81199fd7376e807def4ab0079520de185b1b824a9a8da302d338a8909820acc5f990aa50a8fb52b8616495

Download Submit
C:\Windows\{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe

Filesize
216KB

MD5
f273268fccb6cf9c036fa609a58d1e0c

SHA1
ea3e73fdc5d8144e991237164cba1fc413ece0a2

SHA256
a901b6ec3a4a486420d4bbb44edfddf4bb74597004de480d0d867f0b122da64e

SHA512
0bf075546b5a4391e378e5bb4a9b014f956cb546b6f63fd3a1379df659df091f3e7aeb0485f5387b33e9210ec41d927f5dde31e022032d31a2164cbd5e5d5fa0

Download Submit
C:\Windows\{6FE5F668-B794-4994-B61F-95B5C27484D5}.exe

Filesize
216KB

MD5
f273268fccb6cf9c036fa609a58d1e0c

SHA1
ea3e73fdc5d8144e991237164cba1fc413ece0a2

SHA256
a901b6ec3a4a486420d4bbb44edfddf4bb74597004de480d0d867f0b122da64e

SHA512
0bf075546b5a4391e378e5bb4a9b014f956cb546b6f63fd3a1379df659df091f3e7aeb0485f5387b33e9210ec41d927f5dde31e022032d31a2164cbd5e5d5fa0

Download Submit
C:\Windows\{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe

Filesize
216KB

MD5
e42a5add10d9ab53950c801142306ac4

SHA1
87840cb4fec078aa4cc4f0723fee74ab319695c3

SHA256
ed0e9cb0b7ff64f532520c9624a87966ae02a67025dd72ae3db614f133af4d23

SHA512
68c951bb931f1aa55deac01890afe21b190f080d2b9ebb6b9dc63203581817c46c1a240c228f1de900007be8fd446197f4f47600a580f8fcd7df82718265b6ed

Download Submit
C:\Windows\{80F01E88-405E-4e56-A0B5-49101ECA2D58}.exe

Filesize
216KB

MD5
e42a5add10d9ab53950c801142306ac4

SHA1
87840cb4fec078aa4cc4f0723fee74ab319695c3

SHA256
ed0e9cb0b7ff64f532520c9624a87966ae02a67025dd72ae3db614f133af4d23

SHA512
68c951bb931f1aa55deac01890afe21b190f080d2b9ebb6b9dc63203581817c46c1a240c228f1de900007be8fd446197f4f47600a580f8fcd7df82718265b6ed

Download Submit
C:\Windows\{8AA9D680-7AEB-470b-A819-37168B65B774}.exe

Filesize
216KB

MD5
be9e6eb4b0832d2fab79d50d373a92dd

SHA1
c787acb78761f5cc91d623df43c43fe3f07cc3e2

SHA256
6072effc3146c8888901e46e2469beda165a2f71491019e61ec1ba422531bb58

SHA512
3405c9bfe97f09b9e1c27ccf7552a0db2bfd5cca5cc8814bcb158426780827d5f144f227f117de1ad4613126da212416503406dc431495832b436a2d98415481

Download Submit
C:\Windows\{8AA9D680-7AEB-470b-A819-37168B65B774}.exe

Filesize
216KB

MD5
be9e6eb4b0832d2fab79d50d373a92dd

SHA1
c787acb78761f5cc91d623df43c43fe3f07cc3e2

SHA256
6072effc3146c8888901e46e2469beda165a2f71491019e61ec1ba422531bb58

SHA512
3405c9bfe97f09b9e1c27ccf7552a0db2bfd5cca5cc8814bcb158426780827d5f144f227f117de1ad4613126da212416503406dc431495832b436a2d98415481

Download Submit
C:\Windows\{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe

Filesize
216KB

MD5
6f6110a826771f3ad989c0ea2edc0d7b

SHA1
dd5c217d94621beaf44cae8455ab2be63510d000

SHA256
209fd8a878a6e27a8a5fb3e611500ddda4d267ef4b184b9665c95a49a5afb733

SHA512
eb4b24fe023e46956523ce30ade6d5e74e3dee97d1a2db2fd57796735471aa2c9292b5bc05f75f7c645e0dd76aa8e85f7cc4dd16aa4e3a4374a800b673a75233

Download Submit
C:\Windows\{8DD22C2B-DDEF-4172-95E9-B55E3273617E}.exe

Filesize
216KB

MD5
6f6110a826771f3ad989c0ea2edc0d7b

SHA1
dd5c217d94621beaf44cae8455ab2be63510d000

SHA256
209fd8a878a6e27a8a5fb3e611500ddda4d267ef4b184b9665c95a49a5afb733

SHA512
eb4b24fe023e46956523ce30ade6d5e74e3dee97d1a2db2fd57796735471aa2c9292b5bc05f75f7c645e0dd76aa8e85f7cc4dd16aa4e3a4374a800b673a75233

Download Submit
C:\Windows\{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe

Filesize
216KB

MD5
56c7c593d96e56be3859a1a6ef4317d1

SHA1
143411c18b620f3c6602c1ea985b23b3b40a4494

SHA256
350adad67e35e29e6d127921cc3964fcbc1379912815060568509647230682ff

SHA512
9ea7d2c250cb755ce7d20ceadaf07494195739468fbf27fda417642f9613273c49ce70f1d369ee7c61d8c806d429662618db1a63b7f6bb6cde5f52c4f2841baf

Download Submit
C:\Windows\{9E668667-4F89-4e2d-9F34-B615D3FE591C}.exe

Filesize
216KB

MD5
56c7c593d96e56be3859a1a6ef4317d1

SHA1
143411c18b620f3c6602c1ea985b23b3b40a4494

SHA256
350adad67e35e29e6d127921cc3964fcbc1379912815060568509647230682ff

SHA512
9ea7d2c250cb755ce7d20ceadaf07494195739468fbf27fda417642f9613273c49ce70f1d369ee7c61d8c806d429662618db1a63b7f6bb6cde5f52c4f2841baf

Download Submit
C:\Windows\{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe

Filesize
216KB

MD5
2e59ff33c5ae6c0f8f06c1d8b06beb4e

SHA1
2972cb27783fc3dc3871f5c25ecfc230cf42bcc6

SHA256
c21d271759bfa28e0ae75c690fdce102a9322240ffbd076d16e07f36d01d343e

SHA512
b4995bc8ef8c089ede199eb519ff4d8a2c7890aa27377def9fdedda69ed15d8d6130fd08f2caa089c5eb4df627703c74fc6509bd1d3333273c4b79db4f216003

Download Submit
C:\Windows\{BC1AA810-1951-4895-BBF0-7717CAF5F979}.exe

Filesize
216KB

MD5
2e59ff33c5ae6c0f8f06c1d8b06beb4e

SHA1
2972cb27783fc3dc3871f5c25ecfc230cf42bcc6

SHA256
c21d271759bfa28e0ae75c690fdce102a9322240ffbd076d16e07f36d01d343e

SHA512
b4995bc8ef8c089ede199eb519ff4d8a2c7890aa27377def9fdedda69ed15d8d6130fd08f2caa089c5eb4df627703c74fc6509bd1d3333273c4b79db4f216003

Download Submit
C:\Windows\{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe

Filesize
216KB

MD5
53bddd7337e2b6c3be29596182856352

SHA1
c0e51a14366f5e146aa55b8b621de517c976a5ff

SHA256
17e16b2e287248bb78bc02ffd2faffe8784661f6297455732655e0b6c0803560

SHA512
b24ecb1c31e5174af241f5b43309e81e8c3c74db16991358aa02b1e0f6c36024a189c6d02d186b0f47b83e846cbefaa0153e085d10447c56ecace47daaee0baf

Download Submit
C:\Windows\{D2E1E3F2-6AE9-4f63-8188-991A7056F763}.exe

Filesize
216KB

MD5
53bddd7337e2b6c3be29596182856352

SHA1
c0e51a14366f5e146aa55b8b621de517c976a5ff

SHA256
17e16b2e287248bb78bc02ffd2faffe8784661f6297455732655e0b6c0803560

SHA512
b24ecb1c31e5174af241f5b43309e81e8c3c74db16991358aa02b1e0f6c36024a189c6d02d186b0f47b83e846cbefaa0153e085d10447c56ecace47daaee0baf

Download Submit
C:\Windows\{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe

Filesize
216KB

MD5
69e3cad964a530dd8b0b145c9a685394

SHA1
f992523872101bffc6de035036f50006e2a039f6

SHA256
2e4607830bcfba8edfac4873431fc599c5962809dd30c83501967fb7471e255c

SHA512
69c8a70d96c8fbe36369426507a481c7ac87338e2277556e8248f9c00bed1b080b31741fcfe16515ffa4b3d8c9e006670ca62300ca4c7173ce806724678bcfe4

Download Submit
C:\Windows\{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe

Filesize
216KB

MD5
69e3cad964a530dd8b0b145c9a685394

SHA1
f992523872101bffc6de035036f50006e2a039f6

SHA256
2e4607830bcfba8edfac4873431fc599c5962809dd30c83501967fb7471e255c

SHA512
69c8a70d96c8fbe36369426507a481c7ac87338e2277556e8248f9c00bed1b080b31741fcfe16515ffa4b3d8c9e006670ca62300ca4c7173ce806724678bcfe4

Download Submit
C:\Windows\{EDFF1ED0-A744-458f-BDD8-41CA9C0B5466}.exe

Filesize
216KB

MD5
69e3cad964a530dd8b0b145c9a685394

SHA1
f992523872101bffc6de035036f50006e2a039f6

SHA256
2e4607830bcfba8edfac4873431fc599c5962809dd30c83501967fb7471e255c

SHA512
69c8a70d96c8fbe36369426507a481c7ac87338e2277556e8248f9c00bed1b080b31741fcfe16515ffa4b3d8c9e006670ca62300ca4c7173ce806724678bcfe4

Download Submit
C:\Windows\{FE29E731-211C-481b-B67D-252B19F56CCB}.exe

Filesize
216KB

MD5
b4ba36e5c3a7a5ad1bacf43ad5e7a91b

SHA1
9acc9a296980247c375625e4041381e2d325da6e

SHA256
efbb215db4cf06de0984cc119788dc4ec1980a46cb4057f6b619c7f13de3e97a

SHA512
cb2512aad77c3000a9bac41e0dc39a99ec10172eb916ea4464e2e078828c898f5ee45e68fcaeee8e2833adc462fe2eaa78f6c04a950895673fc099caf9735c4f

Download Submit
C:\Windows\{FE29E731-211C-481b-B67D-252B19F56CCB}.exe

Filesize
216KB

MD5
b4ba36e5c3a7a5ad1bacf43ad5e7a91b

SHA1
9acc9a296980247c375625e4041381e2d325da6e

SHA256
efbb215db4cf06de0984cc119788dc4ec1980a46cb4057f6b619c7f13de3e97a

SHA512
cb2512aad77c3000a9bac41e0dc39a99ec10172eb916ea4464e2e078828c898f5ee45e68fcaeee8e2833adc462fe2eaa78f6c04a950895673fc099caf9735c4f

Download Submit