3d56b8883884335ee14bf32edcb88bc2d2cc4b556eff377b8fa853915e39e7f4

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/07/2023, 15:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1ef8440bb0372exe_JC.exe
Size

168KB
MD5

f1ef8440bb037241ac07209dab09e5cf
SHA1

61280dc26a94fedc9b890e94fcd269fcb47829a6
SHA256

3d56b8883884335ee14bf32edcb88bc2d2cc4b556eff377b8fa853915e39e7f4
SHA512

228bee5191577e0c2d3eed20575d648a29b3991e8b87550ac7f4cebe99611b4eafb98b5b7b6417cdfffdb8f971adfbaf534be1f9afa55d9012d8de2199f0f47d
SSDEEP

1536:1EGh0oHTlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ozlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD96300F-0917-47c9-8EA7-F7F7E205BA96}\stubpath = "C:\\Windows\\{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe"	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}	{31669CE7-AD80-4985-B136-48C20B61140D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7E41F10-7832-4564-B70D-5E5C48E50B0E}	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A820F5-182C-499c-BF62-3EBEB27B7EEF}	f1ef8440bb0372exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55764B02-C06C-4c73-8BFE-507C68DCBEF8}\stubpath = "C:\\Windows\\{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe"	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD96300F-0917-47c9-8EA7-F7F7E205BA96}	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}\stubpath = "C:\\Windows\\{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe"	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}	{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{799A367A-E4B9-43b2-A78B-8A31397019DF}\stubpath = "C:\\Windows\\{799A367A-E4B9-43b2-A78B-8A31397019DF}.exe"	{A772396A-C773-450a-9613-AA288B4B33E8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{55764B02-C06C-4c73-8BFE-507C68DCBEF8}	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31669CE7-AD80-4985-B136-48C20B61140D}	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}\stubpath = "C:\\Windows\\{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe"	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7E41F10-7832-4564-B70D-5E5C48E50B0E}\stubpath = "C:\\Windows\\{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe"	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}\stubpath = "C:\\Windows\\{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe"	{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A772396A-C773-450a-9613-AA288B4B33E8}\stubpath = "C:\\Windows\\{A772396A-C773-450a-9613-AA288B4B33E8}.exe"	{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{69A820F5-182C-499c-BF62-3EBEB27B7EEF}\stubpath = "C:\\Windows\\{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe"	f1ef8440bb0372exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31669CE7-AD80-4985-B136-48C20B61140D}\stubpath = "C:\\Windows\\{31669CE7-AD80-4985-B136-48C20B61140D}.exe"	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}\stubpath = "C:\\Windows\\{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe"	{31669CE7-AD80-4985-B136-48C20B61140D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A772396A-C773-450a-9613-AA288B4B33E8}	{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{799A367A-E4B9-43b2-A78B-8A31397019DF}	{A772396A-C773-450a-9613-AA288B4B33E8}.exe

Deletes itself 1 IoCs

pid	Process
2480	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2112	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe
1736	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe
2720	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe
1148	{31669CE7-AD80-4985-B136-48C20B61140D}.exe
2752	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe
1444	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe
1936	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe
1104	{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe
832	{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe
2404	{A772396A-C773-450a-9613-AA288B4B33E8}.exe
1700	{799A367A-E4B9-43b2-A78B-8A31397019DF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe
File created	C:\Windows\{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe
File created	C:\Windows\{31669CE7-AD80-4985-B136-48C20B61140D}.exe	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe
File created	C:\Windows\{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe
File created	C:\Windows\{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe	{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe
File created	C:\Windows\{799A367A-E4B9-43b2-A78B-8A31397019DF}.exe	{A772396A-C773-450a-9613-AA288B4B33E8}.exe
File created	C:\Windows\{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe	f1ef8440bb0372exe_JC.exe
File created	C:\Windows\{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe	{31669CE7-AD80-4985-B136-48C20B61140D}.exe
File created	C:\Windows\{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe
File created	C:\Windows\{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe
File created	C:\Windows\{A772396A-C773-450a-9613-AA288B4B33E8}.exe	{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2588	f1ef8440bb0372exe_JC.exe
Token: SeIncBasePriorityPrivilege	2112	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe
Token: SeIncBasePriorityPrivilege	1736	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe
Token: SeIncBasePriorityPrivilege	2720	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe
Token: SeIncBasePriorityPrivilege	1148	{31669CE7-AD80-4985-B136-48C20B61140D}.exe
Token: SeIncBasePriorityPrivilege	2752	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe
Token: SeIncBasePriorityPrivilege	1444	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe
Token: SeIncBasePriorityPrivilege	1936	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe
Token: SeIncBasePriorityPrivilege	1104	{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe
Token: SeIncBasePriorityPrivilege	832	{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe
Token: SeIncBasePriorityPrivilege	2404	{A772396A-C773-450a-9613-AA288B4B33E8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 2112	2588	f1ef8440bb0372exe_JC.exe	28
PID 2588 wrote to memory of 2112	2588	f1ef8440bb0372exe_JC.exe	28
PID 2588 wrote to memory of 2112	2588	f1ef8440bb0372exe_JC.exe	28
PID 2588 wrote to memory of 2112	2588	f1ef8440bb0372exe_JC.exe	28
PID 2588 wrote to memory of 2480	2588	f1ef8440bb0372exe_JC.exe	29
PID 2588 wrote to memory of 2480	2588	f1ef8440bb0372exe_JC.exe	29
PID 2588 wrote to memory of 2480	2588	f1ef8440bb0372exe_JC.exe	29
PID 2588 wrote to memory of 2480	2588	f1ef8440bb0372exe_JC.exe	29
PID 2112 wrote to memory of 1736	2112	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe	30
PID 2112 wrote to memory of 1736	2112	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe	30
PID 2112 wrote to memory of 1736	2112	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe	30
PID 2112 wrote to memory of 1736	2112	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe	30
PID 2112 wrote to memory of 2892	2112	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe	31
PID 2112 wrote to memory of 2892	2112	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe	31
PID 2112 wrote to memory of 2892	2112	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe	31
PID 2112 wrote to memory of 2892	2112	{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe	31
PID 1736 wrote to memory of 2720	1736	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe	34
PID 1736 wrote to memory of 2720	1736	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe	34
PID 1736 wrote to memory of 2720	1736	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe	34
PID 1736 wrote to memory of 2720	1736	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe	34
PID 1736 wrote to memory of 1192	1736	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe	35
PID 1736 wrote to memory of 1192	1736	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe	35
PID 1736 wrote to memory of 1192	1736	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe	35
PID 1736 wrote to memory of 1192	1736	{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe	35
PID 2720 wrote to memory of 1148	2720	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe	36
PID 2720 wrote to memory of 1148	2720	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe	36
PID 2720 wrote to memory of 1148	2720	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe	36
PID 2720 wrote to memory of 1148	2720	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe	36
PID 2720 wrote to memory of 2704	2720	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe	37
PID 2720 wrote to memory of 2704	2720	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe	37
PID 2720 wrote to memory of 2704	2720	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe	37
PID 2720 wrote to memory of 2704	2720	{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe	37
PID 1148 wrote to memory of 2752	1148	{31669CE7-AD80-4985-B136-48C20B61140D}.exe	38
PID 1148 wrote to memory of 2752	1148	{31669CE7-AD80-4985-B136-48C20B61140D}.exe	38
PID 1148 wrote to memory of 2752	1148	{31669CE7-AD80-4985-B136-48C20B61140D}.exe	38
PID 1148 wrote to memory of 2752	1148	{31669CE7-AD80-4985-B136-48C20B61140D}.exe	38
PID 1148 wrote to memory of 2432	1148	{31669CE7-AD80-4985-B136-48C20B61140D}.exe	39
PID 1148 wrote to memory of 2432	1148	{31669CE7-AD80-4985-B136-48C20B61140D}.exe	39
PID 1148 wrote to memory of 2432	1148	{31669CE7-AD80-4985-B136-48C20B61140D}.exe	39
PID 1148 wrote to memory of 2432	1148	{31669CE7-AD80-4985-B136-48C20B61140D}.exe	39
PID 2752 wrote to memory of 1444	2752	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe	40
PID 2752 wrote to memory of 1444	2752	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe	40
PID 2752 wrote to memory of 1444	2752	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe	40
PID 2752 wrote to memory of 1444	2752	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe	40
PID 2752 wrote to memory of 2676	2752	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe	41
PID 2752 wrote to memory of 2676	2752	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe	41
PID 2752 wrote to memory of 2676	2752	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe	41
PID 2752 wrote to memory of 2676	2752	{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe	41
PID 1444 wrote to memory of 1936	1444	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe	42
PID 1444 wrote to memory of 1936	1444	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe	42
PID 1444 wrote to memory of 1936	1444	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe	42
PID 1444 wrote to memory of 1936	1444	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe	42
PID 1444 wrote to memory of 1164	1444	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe	43
PID 1444 wrote to memory of 1164	1444	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe	43
PID 1444 wrote to memory of 1164	1444	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe	43
PID 1444 wrote to memory of 1164	1444	{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe	43
PID 1936 wrote to memory of 1104	1936	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe	44
PID 1936 wrote to memory of 1104	1936	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe	44
PID 1936 wrote to memory of 1104	1936	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe	44
PID 1936 wrote to memory of 1104	1936	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe	44
PID 1936 wrote to memory of 300	1936	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe	45
PID 1936 wrote to memory of 300	1936	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe	45
PID 1936 wrote to memory of 300	1936	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe	45
PID 1936 wrote to memory of 300	1936	{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe	45

C:\Users\Admin\AppData\Local\Temp\f1ef8440bb0372exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\f1ef8440bb0372exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2588
- C:\Windows\{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe
  C:\Windows\{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe
    C:\Windows\{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1736
  - - C:\Windows\{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe
      C:\Windows\{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{31669CE7-AD80-4985-B136-48C20B61140D}.exe
        
        C:\Windows\{31669CE7-AD80-4985-B136-48C20B61140D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe
        
        C:\Windows\{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe
        
        C:\Windows\{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe
        
        C:\Windows\{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe
        
        C:\Windows\{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Windows\{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe
        
        C:\Windows\{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\{A772396A-C773-450a-9613-AA288B4B33E8}.exe
        
        C:\Windows\{A772396A-C773-450a-9613-AA288B4B33E8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\{799A367A-E4B9-43b2-A78B-8A31397019DF}.exe
        
        C:\Windows\{799A367A-E4B9-43b2-A78B-8A31397019DF}.exe
        12⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7723~1.EXE > nul
        12⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE412~1.EXE > nul
        11⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7E41~1.EXE > nul
        10⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{295D7~1.EXE > nul
        9⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF017~1.EXE > nul
        8⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BD3B~1.EXE > nul
        7⤵
        
        PID:2676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31669~1.EXE > nul
        6⤵
        
        PID:2432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BD963~1.EXE > nul
        5⤵
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{55764~1.EXE > nul
      4⤵
      PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{69A82~1.EXE > nul
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F1EF84~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe

Filesize
168KB

MD5
686a160ea6a981b84c7d50d249065b96

SHA1
a4409a303289c9b18113bbe7d59d66d8beb99142

SHA256
b5dad3a7131eff2fdd4fb2eee62aedf05de8dbff21f42a3ed5940b2be4bad0c3

SHA512
2c08a400520fd92e254ea96aca84cb884f51cb876fa969b6376d847b73ccbf2835ae8b6d96f36a80ef58339fe9636e057503be6f46911a68c1c0df660ca74c40

Download Submit
C:\Windows\{295D748B-8E41-4c4d-9FAD-FE77CD5DD7FC}.exe

Filesize
168KB

MD5
686a160ea6a981b84c7d50d249065b96

SHA1
a4409a303289c9b18113bbe7d59d66d8beb99142

SHA256
b5dad3a7131eff2fdd4fb2eee62aedf05de8dbff21f42a3ed5940b2be4bad0c3

SHA512
2c08a400520fd92e254ea96aca84cb884f51cb876fa969b6376d847b73ccbf2835ae8b6d96f36a80ef58339fe9636e057503be6f46911a68c1c0df660ca74c40

Download Submit
C:\Windows\{31669CE7-AD80-4985-B136-48C20B61140D}.exe

Filesize
168KB

MD5
1fe790fe9b58695564fd77698f4e9f32

SHA1
8a028450dfd1a0fb8f4e726bc83cfa0068924f1d

SHA256
65c02a2701a4f09be4f4739cb252be686a340de7bc37f8f4b7bd537906773721

SHA512
b0e98c40750aad0e813c88e85abe1cb3a74051e318c74d87cf864c921bb338269ad760ddf4ce8d687ab7e844edc45f3042f46b7dced8481abd4d88cc5d3dd759

Download Submit
C:\Windows\{31669CE7-AD80-4985-B136-48C20B61140D}.exe

Filesize
168KB

MD5
1fe790fe9b58695564fd77698f4e9f32

SHA1
8a028450dfd1a0fb8f4e726bc83cfa0068924f1d

SHA256
65c02a2701a4f09be4f4739cb252be686a340de7bc37f8f4b7bd537906773721

SHA512
b0e98c40750aad0e813c88e85abe1cb3a74051e318c74d87cf864c921bb338269ad760ddf4ce8d687ab7e844edc45f3042f46b7dced8481abd4d88cc5d3dd759

Download Submit
C:\Windows\{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe

Filesize
168KB

MD5
d3110489c036797dd61b1c28545fcfb4

SHA1
adb9bf2f90652bf37e8ddbe1593d85f5f7163725

SHA256
e0ed2a83d2696130147975cd61e4381a7965fa9aa21cec99e1d72ffec46a4df5

SHA512
54e5ed09b90bdb4172d4f2d54c4b8822e128a46828b3d2ee2f64d12393230944629c415fc5399cbe9164107ea0010d018022c37fcc4418fe25fbb35c4e6a87d1

Download Submit
C:\Windows\{55764B02-C06C-4c73-8BFE-507C68DCBEF8}.exe

Filesize
168KB

MD5
d3110489c036797dd61b1c28545fcfb4

SHA1
adb9bf2f90652bf37e8ddbe1593d85f5f7163725

SHA256
e0ed2a83d2696130147975cd61e4381a7965fa9aa21cec99e1d72ffec46a4df5

SHA512
54e5ed09b90bdb4172d4f2d54c4b8822e128a46828b3d2ee2f64d12393230944629c415fc5399cbe9164107ea0010d018022c37fcc4418fe25fbb35c4e6a87d1

Download Submit
C:\Windows\{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe

Filesize
168KB

MD5
42f463f92ba072faef5bce87847d242d

SHA1
d691d2583d380c32b123b08035efec187307091b

SHA256
f1bed06d4ba0150bb8b41ed80e7fb95fac8f9eb42b8e8091c29080efbeede5e2

SHA512
64a68c34a4583422089c01ab0da0a3a1dc2b762b0dfc2f2879b656742ac0ed9634e1b4384c7c9bfaa7a12e5ce9e40d57a9cdc438c7efcf0d640b9c90faa35222

Download Submit
C:\Windows\{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe

Filesize
168KB

MD5
42f463f92ba072faef5bce87847d242d

SHA1
d691d2583d380c32b123b08035efec187307091b

SHA256
f1bed06d4ba0150bb8b41ed80e7fb95fac8f9eb42b8e8091c29080efbeede5e2

SHA512
64a68c34a4583422089c01ab0da0a3a1dc2b762b0dfc2f2879b656742ac0ed9634e1b4384c7c9bfaa7a12e5ce9e40d57a9cdc438c7efcf0d640b9c90faa35222

Download Submit
C:\Windows\{69A820F5-182C-499c-BF62-3EBEB27B7EEF}.exe

Filesize
168KB

MD5
42f463f92ba072faef5bce87847d242d

SHA1
d691d2583d380c32b123b08035efec187307091b

SHA256
f1bed06d4ba0150bb8b41ed80e7fb95fac8f9eb42b8e8091c29080efbeede5e2

SHA512
64a68c34a4583422089c01ab0da0a3a1dc2b762b0dfc2f2879b656742ac0ed9634e1b4384c7c9bfaa7a12e5ce9e40d57a9cdc438c7efcf0d640b9c90faa35222

Download Submit
C:\Windows\{799A367A-E4B9-43b2-A78B-8A31397019DF}.exe

Filesize
168KB

MD5
8841fcc8df64d7a25163816719290d35

SHA1
6adc941e5986d863bde48c724ef8e8f9157c230a

SHA256
016a3137f61e17eff722c41848f3149cb23c18ce5da010e4a97eff41271f39e7

SHA512
3a7292b75c741cf136743aa651d79ecfd8cfb3d7b56f29e1d5667c5a1d7f411d64c24181cc51246528e9b09e2eb3543dd12e6b901aeba791eaa04b229ec9bf4b

Download Submit
C:\Windows\{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe

Filesize
168KB

MD5
84a8f9b88dfedfaa18c934d0e63acab3

SHA1
c6b2ecfb8fffda28b13712842563ff621596c4bd

SHA256
26e9ec23c76a8087adfb12c1184e9ffd67d62f82eb2c000b896380131d9cf08e

SHA512
b39e86e4f6b6ff1764d80ccb307c081270432b6ed276c292b6394002f2f4bae073935d88d5ffb824ee18cf03f2150305f9ce3585c9e5c594a120d104e4dcaaec

Download Submit
C:\Windows\{7BD3BC84-B842-4341-AD99-0F55AD26A1CA}.exe

Filesize
168KB

MD5
84a8f9b88dfedfaa18c934d0e63acab3

SHA1
c6b2ecfb8fffda28b13712842563ff621596c4bd

SHA256
26e9ec23c76a8087adfb12c1184e9ffd67d62f82eb2c000b896380131d9cf08e

SHA512
b39e86e4f6b6ff1764d80ccb307c081270432b6ed276c292b6394002f2f4bae073935d88d5ffb824ee18cf03f2150305f9ce3585c9e5c594a120d104e4dcaaec

Download Submit
C:\Windows\{A772396A-C773-450a-9613-AA288B4B33E8}.exe

Filesize
168KB

MD5
8befad1e316fde94f79e0fbbb2cda001

SHA1
56241b55e1649e4c264d9cd4e0149eb617df9954

SHA256
9b4e94cd20850c6aa463d96d1aa55275d5db55d5fd7f0ce2a437c0c3f31b532f

SHA512
76197c357aa21aa63ec3c1d47ba1f1f66494f593248def96699e82dfb6bc895f3b637885b009947873cdddf28edee605bd776805815e82f163dd5e6a65d2b8c3

Download Submit
C:\Windows\{A772396A-C773-450a-9613-AA288B4B33E8}.exe

Filesize
168KB

MD5
8befad1e316fde94f79e0fbbb2cda001

SHA1
56241b55e1649e4c264d9cd4e0149eb617df9954

SHA256
9b4e94cd20850c6aa463d96d1aa55275d5db55d5fd7f0ce2a437c0c3f31b532f

SHA512
76197c357aa21aa63ec3c1d47ba1f1f66494f593248def96699e82dfb6bc895f3b637885b009947873cdddf28edee605bd776805815e82f163dd5e6a65d2b8c3

Download Submit
C:\Windows\{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe

Filesize
168KB

MD5
1fed381191edb47016d22aca04140cbc

SHA1
0e0f457c2a210d8c20649de422ad9bb17ef39471

SHA256
d330f269d572e675e5bfb68e1851c2f2b9e9f9c0f98bda427ef7e7ed8900db72

SHA512
dfe14fcd3e3319fa72707baf238b37191596ebb4870e54a142b67eb28516c7c4a57024ed15a8f7ded6a6c00c796f3128f169332680e5c526ebc80cac3bcf7652

Download Submit
C:\Windows\{A7E41F10-7832-4564-B70D-5E5C48E50B0E}.exe

Filesize
168KB

MD5
1fed381191edb47016d22aca04140cbc

SHA1
0e0f457c2a210d8c20649de422ad9bb17ef39471

SHA256
d330f269d572e675e5bfb68e1851c2f2b9e9f9c0f98bda427ef7e7ed8900db72

SHA512
dfe14fcd3e3319fa72707baf238b37191596ebb4870e54a142b67eb28516c7c4a57024ed15a8f7ded6a6c00c796f3128f169332680e5c526ebc80cac3bcf7652

Download Submit
C:\Windows\{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe

Filesize
168KB

MD5
ed45424412d097623a1abeb4ad1eff37

SHA1
4139025ec6b64f705cf217a299788c0af449059c

SHA256
dec8ecdb29b7c6dda9a799e3bbb69215252acbf818f0c867a648a67fb6427654

SHA512
dffaf61a6beeb4f14f7c3292115dc65dccf49b148470bb41710ef28da72dbddf2c1dd8f95a588589eb57507cb6d3a12002f695b56f93976d911509ca4529c7f5

Download Submit
C:\Windows\{BD96300F-0917-47c9-8EA7-F7F7E205BA96}.exe

Filesize
168KB

MD5
ed45424412d097623a1abeb4ad1eff37

SHA1
4139025ec6b64f705cf217a299788c0af449059c

SHA256
dec8ecdb29b7c6dda9a799e3bbb69215252acbf818f0c867a648a67fb6427654

SHA512
dffaf61a6beeb4f14f7c3292115dc65dccf49b148470bb41710ef28da72dbddf2c1dd8f95a588589eb57507cb6d3a12002f695b56f93976d911509ca4529c7f5

Download Submit
C:\Windows\{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe

Filesize
168KB

MD5
2217e836c0f0a90b984d45f4708d70dc

SHA1
413e04b0d6e1d9445c58aa61f3736c97cc11b79b

SHA256
6e6e0f27ebec249b1f0973b79cb2b9745ade165e82e228f44ba165d160e25ec6

SHA512
06f238587e5e43e10e0b4057ebd6c6372d97c8bf02bbe6576a75f7d67901cf2ac94b3b995353aee6f282715f6d50be73c60e8f0350c5a2fb93d5c2db3c0e0644

Download Submit
C:\Windows\{DE412889-FEF2-4faa-8C31-D5DE6AB7C326}.exe

Filesize
168KB

MD5
2217e836c0f0a90b984d45f4708d70dc

SHA1
413e04b0d6e1d9445c58aa61f3736c97cc11b79b

SHA256
6e6e0f27ebec249b1f0973b79cb2b9745ade165e82e228f44ba165d160e25ec6

SHA512
06f238587e5e43e10e0b4057ebd6c6372d97c8bf02bbe6576a75f7d67901cf2ac94b3b995353aee6f282715f6d50be73c60e8f0350c5a2fb93d5c2db3c0e0644

Download Submit
C:\Windows\{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe

Filesize
168KB

MD5
8151024a859480b4bcbed0269615519d

SHA1
2262ec751be472ff6e40771affe86f0d9efdbdbf

SHA256
5191563a7cdd44ddc20858086660e00258379267e88e9ba7f08e83846b8e89e6

SHA512
18cf734e034fc0b8bb602c8cce45876ced84ff3aa6e77c51b8082cb5a748b9eaa6e6c6ab4aa9b395c19385e7c562f6bd7b2fcb39adf66a8ba0efc2524766f9b6

Download Submit
C:\Windows\{EF01795F-F5AF-4e3d-A42C-543A3934EAD9}.exe

Filesize
168KB

MD5
8151024a859480b4bcbed0269615519d

SHA1
2262ec751be472ff6e40771affe86f0d9efdbdbf

SHA256
5191563a7cdd44ddc20858086660e00258379267e88e9ba7f08e83846b8e89e6

SHA512
18cf734e034fc0b8bb602c8cce45876ced84ff3aa6e77c51b8082cb5a748b9eaa6e6c6ab4aa9b395c19385e7c562f6bd7b2fcb39adf66a8ba0efc2524766f9b6

Download Submit