77f48ed0ff11a664fe374f1c44762836896b167883d6cbcda63066b07d661009

Analysis

max time kernel
145s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2e9e42dcd0f8acexeexe_JC.exe
Size

168KB
MD5

2e9e42dcd0f8ac61b4750401d72facf1
SHA1

459f335befd9a667ef33e11f4c3893d204bff5b5
SHA256

77f48ed0ff11a664fe374f1c44762836896b167883d6cbcda63066b07d661009
SHA512

794b3433b199af06927399f78b5cf655ff8babadc9e620f3e77c8f46886fbae79d50251aa4b541f5dc1278ca92fe61b764dcb2bc1ca214e1553f77f10d038039
SSDEEP

1536:1EGh0o0lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o0lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03E07DB7-214C-45b7-BF7F-8F74CE13541D}\stubpath = "C:\\Windows\\{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe"	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}\stubpath = "C:\\Windows\\{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe"	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C378214-EBD9-4cd9-B593-C6387DC6A66C}	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}\stubpath = "C:\\Windows\\{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe"	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE0A9028-044F-487a-8522-FA327C19A654}	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}	{AE0A9028-044F-487a-8522-FA327C19A654}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}\stubpath = "C:\\Windows\\{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe"	{AE0A9028-044F-487a-8522-FA327C19A654}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E712895-DF66-40ed-AAD0-182731F6C724}	{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E712895-DF66-40ed-AAD0-182731F6C724}\stubpath = "C:\\Windows\\{8E712895-DF66-40ed-AAD0-182731F6C724}.exe"	{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B91D7FA7-DAD5-4881-A292-77A2A0782D23}	{8E712895-DF66-40ed-AAD0-182731F6C724}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC136C8F-4D6D-4e50-8548-AD8439E675F3}	2e9e42dcd0f8acexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03E07DB7-214C-45b7-BF7F-8F74CE13541D}	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE0A9028-044F-487a-8522-FA327C19A654}\stubpath = "C:\\Windows\\{AE0A9028-044F-487a-8522-FA327C19A654}.exe"	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7982D617-8831-4c05-84CD-1AF6B201AA24}\stubpath = "C:\\Windows\\{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe"	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B91D7FA7-DAD5-4881-A292-77A2A0782D23}\stubpath = "C:\\Windows\\{B91D7FA7-DAD5-4881-A292-77A2A0782D23}.exe"	{8E712895-DF66-40ed-AAD0-182731F6C724}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C378214-EBD9-4cd9-B593-C6387DC6A66C}\stubpath = "C:\\Windows\\{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe"	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC136C8F-4D6D-4e50-8548-AD8439E675F3}\stubpath = "C:\\Windows\\{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe"	2e9e42dcd0f8acexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94DF00AC-E49E-465c-9269-2BBA98057531}	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94DF00AC-E49E-465c-9269-2BBA98057531}\stubpath = "C:\\Windows\\{94DF00AC-E49E-465c-9269-2BBA98057531}.exe"	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}\stubpath = "C:\\Windows\\{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe"	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7982D617-8831-4c05-84CD-1AF6B201AA24}	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe

Executes dropped EXE 12 IoCs

pid	Process
4760	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe
4652	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe
3080	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe
5108	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe
4788	{AE0A9028-044F-487a-8522-FA327C19A654}.exe
2460	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe
2764	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe
1604	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe
3292	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe
1872	{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe
2932	{8E712895-DF66-40ed-AAD0-182731F6C724}.exe
4964	{B91D7FA7-DAD5-4881-A292-77A2A0782D23}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe
File created	C:\Windows\{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe
File created	C:\Windows\{8E712895-DF66-40ed-AAD0-182731F6C724}.exe	{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe
File created	C:\Windows\{B91D7FA7-DAD5-4881-A292-77A2A0782D23}.exe	{8E712895-DF66-40ed-AAD0-182731F6C724}.exe
File created	C:\Windows\{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe
File created	C:\Windows\{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe
File created	C:\Windows\{AE0A9028-044F-487a-8522-FA327C19A654}.exe	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe
File created	C:\Windows\{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe
File created	C:\Windows\{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe
File created	C:\Windows\{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe	2e9e42dcd0f8acexeexe_JC.exe
File created	C:\Windows\{94DF00AC-E49E-465c-9269-2BBA98057531}.exe	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe
File created	C:\Windows\{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe	{AE0A9028-044F-487a-8522-FA327C19A654}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4520	2e9e42dcd0f8acexeexe_JC.exe
Token: SeIncBasePriorityPrivilege	4760	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe
Token: SeIncBasePriorityPrivilege	4652	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe
Token: SeIncBasePriorityPrivilege	3080	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe
Token: SeIncBasePriorityPrivilege	5108	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe
Token: SeIncBasePriorityPrivilege	4788	{AE0A9028-044F-487a-8522-FA327C19A654}.exe
Token: SeIncBasePriorityPrivilege	2460	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe
Token: SeIncBasePriorityPrivilege	2764	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe
Token: SeIncBasePriorityPrivilege	1604	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe
Token: SeIncBasePriorityPrivilege	3292	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe
Token: SeIncBasePriorityPrivilege	1872	{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe
Token: SeIncBasePriorityPrivilege	2932	{8E712895-DF66-40ed-AAD0-182731F6C724}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4520 wrote to memory of 4760	4520	2e9e42dcd0f8acexeexe_JC.exe	97
PID 4520 wrote to memory of 4760	4520	2e9e42dcd0f8acexeexe_JC.exe	97
PID 4520 wrote to memory of 4760	4520	2e9e42dcd0f8acexeexe_JC.exe	97
PID 4520 wrote to memory of 4880	4520	2e9e42dcd0f8acexeexe_JC.exe	98
PID 4520 wrote to memory of 4880	4520	2e9e42dcd0f8acexeexe_JC.exe	98
PID 4520 wrote to memory of 4880	4520	2e9e42dcd0f8acexeexe_JC.exe	98
PID 4760 wrote to memory of 4652	4760	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe	100
PID 4760 wrote to memory of 4652	4760	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe	100
PID 4760 wrote to memory of 4652	4760	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe	100
PID 4760 wrote to memory of 4752	4760	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe	101
PID 4760 wrote to memory of 4752	4760	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe	101
PID 4760 wrote to memory of 4752	4760	{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe	101
PID 4652 wrote to memory of 3080	4652	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe	103
PID 4652 wrote to memory of 3080	4652	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe	103
PID 4652 wrote to memory of 3080	4652	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe	103
PID 4652 wrote to memory of 4324	4652	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe	104
PID 4652 wrote to memory of 4324	4652	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe	104
PID 4652 wrote to memory of 4324	4652	{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe	104
PID 3080 wrote to memory of 5108	3080	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe	105
PID 3080 wrote to memory of 5108	3080	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe	105
PID 3080 wrote to memory of 5108	3080	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe	105
PID 3080 wrote to memory of 4000	3080	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe	106
PID 3080 wrote to memory of 4000	3080	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe	106
PID 3080 wrote to memory of 4000	3080	{94DF00AC-E49E-465c-9269-2BBA98057531}.exe	106
PID 5108 wrote to memory of 4788	5108	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe	107
PID 5108 wrote to memory of 4788	5108	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe	107
PID 5108 wrote to memory of 4788	5108	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe	107
PID 5108 wrote to memory of 3764	5108	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe	108
PID 5108 wrote to memory of 3764	5108	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe	108
PID 5108 wrote to memory of 3764	5108	{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe	108
PID 4788 wrote to memory of 2460	4788	{AE0A9028-044F-487a-8522-FA327C19A654}.exe	109
PID 4788 wrote to memory of 2460	4788	{AE0A9028-044F-487a-8522-FA327C19A654}.exe	109
PID 4788 wrote to memory of 2460	4788	{AE0A9028-044F-487a-8522-FA327C19A654}.exe	109
PID 4788 wrote to memory of 1752	4788	{AE0A9028-044F-487a-8522-FA327C19A654}.exe	110
PID 4788 wrote to memory of 1752	4788	{AE0A9028-044F-487a-8522-FA327C19A654}.exe	110
PID 4788 wrote to memory of 1752	4788	{AE0A9028-044F-487a-8522-FA327C19A654}.exe	110
PID 2460 wrote to memory of 2764	2460	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe	111
PID 2460 wrote to memory of 2764	2460	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe	111
PID 2460 wrote to memory of 2764	2460	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe	111
PID 2460 wrote to memory of 392	2460	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe	112
PID 2460 wrote to memory of 392	2460	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe	112
PID 2460 wrote to memory of 392	2460	{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe	112
PID 2764 wrote to memory of 1604	2764	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe	113
PID 2764 wrote to memory of 1604	2764	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe	113
PID 2764 wrote to memory of 1604	2764	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe	113
PID 2764 wrote to memory of 4172	2764	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe	114
PID 2764 wrote to memory of 4172	2764	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe	114
PID 2764 wrote to memory of 4172	2764	{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe	114
PID 1604 wrote to memory of 3292	1604	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe	115
PID 1604 wrote to memory of 3292	1604	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe	115
PID 1604 wrote to memory of 3292	1604	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe	115
PID 1604 wrote to memory of 1132	1604	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe	116
PID 1604 wrote to memory of 1132	1604	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe	116
PID 1604 wrote to memory of 1132	1604	{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe	116
PID 3292 wrote to memory of 1872	3292	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe	117
PID 3292 wrote to memory of 1872	3292	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe	117
PID 3292 wrote to memory of 1872	3292	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe	117
PID 3292 wrote to memory of 3608	3292	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe	118
PID 3292 wrote to memory of 3608	3292	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe	118
PID 3292 wrote to memory of 3608	3292	{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe	118
PID 1872 wrote to memory of 2932	1872	{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe	119
PID 1872 wrote to memory of 2932	1872	{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe	119
PID 1872 wrote to memory of 2932	1872	{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe	119
PID 1872 wrote to memory of 4248	1872	{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe	120

C:\Users\Admin\AppData\Local\Temp\2e9e42dcd0f8acexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2e9e42dcd0f8acexeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520
- C:\Windows\{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe
  C:\Windows\{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe
    C:\Windows\{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\{94DF00AC-E49E-465c-9269-2BBA98057531}.exe
      C:\Windows\{94DF00AC-E49E-465c-9269-2BBA98057531}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3080
    - - C:\Windows\{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe
        
        C:\Windows\{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\{AE0A9028-044F-487a-8522-FA327C19A654}.exe
        
        C:\Windows\{AE0A9028-044F-487a-8522-FA327C19A654}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4788
        
        C:\Windows\{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe
        
        C:\Windows\{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2460
        
        C:\Windows\{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe
        
        C:\Windows\{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2764
        
        C:\Windows\{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe
        
        C:\Windows\{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1604
        
        C:\Windows\{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe
        
        C:\Windows\{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3292
        
        C:\Windows\{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe
        
        C:\Windows\{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\{8E712895-DF66-40ed-AAD0-182731F6C724}.exe
        
        C:\Windows\{8E712895-DF66-40ed-AAD0-182731F6C724}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\{B91D7FA7-DAD5-4881-A292-77A2A0782D23}.exe
        
        C:\Windows\{B91D7FA7-DAD5-4881-A292-77A2A0782D23}.exe
        13⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E712~1.EXE > nul
        13⤵
        
        PID:3596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6C378~1.EXE > nul
        12⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7982D~1.EXE > nul
        11⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76B09~1.EXE > nul
        10⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E627D~1.EXE > nul
        9⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CD04~1.EXE > nul
        8⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE0A9~1.EXE > nul
        7⤵
        
        PID:1752
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D33E2~1.EXE > nul
        6⤵
        
        PID:3764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94DF0~1.EXE > nul
        5⤵
        
        PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{03E07~1.EXE > nul
      4⤵
      PID:4324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DC136~1.EXE > nul
    3⤵
    PID:4752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2E9E42~1.EXE > nul
  2⤵
  PID:4880

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe

Filesize
168KB

MD5
f4e965631fbdf523addde86293b05830

SHA1
c01b7d73cb0fd4f289654e2d8115fafcc9cde92c

SHA256
4bd9e121a69c8926c0270c570668643e82bebce149f36b1a9266b60562dec0d6

SHA512
cd6f3c6c9e018a457e3c9d0f9b1f8403cc5b6ec7f8b334c1b308f31b2a5560397f3ec6b06cc9ecfb865c9677ae41d5f1fed20b17a3e6e57e32dbdfc8ef4ce69f

Download Submit
C:\Windows\{03E07DB7-214C-45b7-BF7F-8F74CE13541D}.exe

Filesize
168KB

MD5
f4e965631fbdf523addde86293b05830

SHA1
c01b7d73cb0fd4f289654e2d8115fafcc9cde92c

SHA256
4bd9e121a69c8926c0270c570668643e82bebce149f36b1a9266b60562dec0d6

SHA512
cd6f3c6c9e018a457e3c9d0f9b1f8403cc5b6ec7f8b334c1b308f31b2a5560397f3ec6b06cc9ecfb865c9677ae41d5f1fed20b17a3e6e57e32dbdfc8ef4ce69f

Download Submit
C:\Windows\{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe

Filesize
168KB

MD5
5930d503e4975fe946d7afa77ed3f93a

SHA1
20e8fda62b3eef945d2785cb7d8431c0d349ae48

SHA256
4469d944df4134c6cb66334ef0c495c2f94d823e785b29702ba41197975f1082

SHA512
88c97be88d70544a008a1f3e1c931991eeeeb9ba997a56408e4125c733eec692357b660df8fb788c4397d003e8f7a356ad4d7cf1c843358c34a61ff5bffe7f0f

Download Submit
C:\Windows\{5CD041F0-C7F5-4f08-8671-60F7D91DA34F}.exe

Filesize
168KB

MD5
5930d503e4975fe946d7afa77ed3f93a

SHA1
20e8fda62b3eef945d2785cb7d8431c0d349ae48

SHA256
4469d944df4134c6cb66334ef0c495c2f94d823e785b29702ba41197975f1082

SHA512
88c97be88d70544a008a1f3e1c931991eeeeb9ba997a56408e4125c733eec692357b660df8fb788c4397d003e8f7a356ad4d7cf1c843358c34a61ff5bffe7f0f

Download Submit
C:\Windows\{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe

Filesize
168KB

MD5
d62c1aa80675800403dfeaaeeaa5e92d

SHA1
cc9314f73937c58566c46719635b505efede9227

SHA256
3e653ce2681b6500ad23801a9d7d44126c10c8b0e141aad5d5dd656853347ac9

SHA512
f4e7115a9ea5e4f2a8f93d6728336348ad0c7f948dbcda81efcafd9472a20d8b5877a4ee7265917fe243dd8f55569bc0be2c1f96144ed43cb9fff195a7979974

Download Submit
C:\Windows\{6C378214-EBD9-4cd9-B593-C6387DC6A66C}.exe

Filesize
168KB

MD5
d62c1aa80675800403dfeaaeeaa5e92d

SHA1
cc9314f73937c58566c46719635b505efede9227

SHA256
3e653ce2681b6500ad23801a9d7d44126c10c8b0e141aad5d5dd656853347ac9

SHA512
f4e7115a9ea5e4f2a8f93d6728336348ad0c7f948dbcda81efcafd9472a20d8b5877a4ee7265917fe243dd8f55569bc0be2c1f96144ed43cb9fff195a7979974

Download Submit
C:\Windows\{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe

Filesize
168KB

MD5
4496a4e9acd6801da9bf329bf43316d1

SHA1
a386c89390717f7228d6aefdaf9d34cfabf7659f

SHA256
48f5d855cde34ab31b79716573e724b69f35fd0a692f5cdb507cf18e1adc610d

SHA512
ac54f5f49386eb45da480b570896761c1b6a2642366d702b5ce04326b42c98e15e9c53bf328efbd05a8706ad26ed8ba5a7e7d5b0ab151b5e48a7cd7aa17cf0d2

Download Submit
C:\Windows\{76B0913E-EEB1-47e6-967D-74DFDBC08BB7}.exe

Filesize
168KB

MD5
4496a4e9acd6801da9bf329bf43316d1

SHA1
a386c89390717f7228d6aefdaf9d34cfabf7659f

SHA256
48f5d855cde34ab31b79716573e724b69f35fd0a692f5cdb507cf18e1adc610d

SHA512
ac54f5f49386eb45da480b570896761c1b6a2642366d702b5ce04326b42c98e15e9c53bf328efbd05a8706ad26ed8ba5a7e7d5b0ab151b5e48a7cd7aa17cf0d2

Download Submit
C:\Windows\{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe

Filesize
168KB

MD5
d106e3756da3f1abcadbc0ece1062ed5

SHA1
562fff7f71aaa43741042bde6aa386058683bc8b

SHA256
058937442c345113a85f69bae22d5a8556a4bf19f9d93e8f1762174c956dc985

SHA512
4d8879566a455ac498187bf408855e3f1c56997afe9e1fa14e064591dbd87c5992474e5091fc1949e70fa1d7fcd6726c8bce9eedb838b503597b86a0ed3d1882

Download Submit
C:\Windows\{7982D617-8831-4c05-84CD-1AF6B201AA24}.exe

Filesize
168KB

MD5
d106e3756da3f1abcadbc0ece1062ed5

SHA1
562fff7f71aaa43741042bde6aa386058683bc8b

SHA256
058937442c345113a85f69bae22d5a8556a4bf19f9d93e8f1762174c956dc985

SHA512
4d8879566a455ac498187bf408855e3f1c56997afe9e1fa14e064591dbd87c5992474e5091fc1949e70fa1d7fcd6726c8bce9eedb838b503597b86a0ed3d1882

Download Submit
C:\Windows\{8E712895-DF66-40ed-AAD0-182731F6C724}.exe

Filesize
168KB

MD5
fb90bfa948e1fa4a4fe79c84420d21cd

SHA1
c0c9ba7b410f99cbd2cfa778f33ccbc42d3304f1

SHA256
c49973e032aa8734170fd75b76cf85c78e3622eb0f9985420442970ba17c0448

SHA512
88aca5b5028294e03e2898f1c20ff218d6be0ae871625345e037a6c9aea746e2b1847b2d4db6eaf348b3b7094f9f6532d2e848b8439d4b088f0d14377a53e06c

Download Submit
C:\Windows\{8E712895-DF66-40ed-AAD0-182731F6C724}.exe

Filesize
168KB

MD5
fb90bfa948e1fa4a4fe79c84420d21cd

SHA1
c0c9ba7b410f99cbd2cfa778f33ccbc42d3304f1

SHA256
c49973e032aa8734170fd75b76cf85c78e3622eb0f9985420442970ba17c0448

SHA512
88aca5b5028294e03e2898f1c20ff218d6be0ae871625345e037a6c9aea746e2b1847b2d4db6eaf348b3b7094f9f6532d2e848b8439d4b088f0d14377a53e06c

Download Submit
C:\Windows\{94DF00AC-E49E-465c-9269-2BBA98057531}.exe

Filesize
168KB

MD5
1a42cbb0204cec4357a815cf8f415a2e

SHA1
69511ccb700fd762a7a4d2640580ec37028d9359

SHA256
8395f99088d24e990bbaaaa7b66caaa324538e00edbb6967381dc35a0dc1cc62

SHA512
9b16c99deff98049ff5eb1d8b5e69c650e8c760e9a08519674567aa183dc8fa634d1e625bb467e9d51266488bac2d9198ec8169c34c53265c2b700741962af0a

Download Submit
C:\Windows\{94DF00AC-E49E-465c-9269-2BBA98057531}.exe

Filesize
168KB

MD5
1a42cbb0204cec4357a815cf8f415a2e

SHA1
69511ccb700fd762a7a4d2640580ec37028d9359

SHA256
8395f99088d24e990bbaaaa7b66caaa324538e00edbb6967381dc35a0dc1cc62

SHA512
9b16c99deff98049ff5eb1d8b5e69c650e8c760e9a08519674567aa183dc8fa634d1e625bb467e9d51266488bac2d9198ec8169c34c53265c2b700741962af0a

Download Submit
C:\Windows\{94DF00AC-E49E-465c-9269-2BBA98057531}.exe

Filesize
168KB

MD5
1a42cbb0204cec4357a815cf8f415a2e

SHA1
69511ccb700fd762a7a4d2640580ec37028d9359

SHA256
8395f99088d24e990bbaaaa7b66caaa324538e00edbb6967381dc35a0dc1cc62

SHA512
9b16c99deff98049ff5eb1d8b5e69c650e8c760e9a08519674567aa183dc8fa634d1e625bb467e9d51266488bac2d9198ec8169c34c53265c2b700741962af0a

Download Submit
C:\Windows\{AE0A9028-044F-487a-8522-FA327C19A654}.exe

Filesize
168KB

MD5
ff3bc44ae609614b99d27d08511e8603

SHA1
399fb1681f5065f7101947a96f6c376b30f8f976

SHA256
3e2e3fa21e9786f5e886bf345f10a9ea0ac58a1f37c284c6d0a653fc70fe778c

SHA512
e2fc0e04c5dc53679ae05540f6a01052270c08be383bbf112a3e585e445d1879f6c9b59a1794ef3e8faba63a6789e46b48857e1500d4f956fbe1cddc374b1095

Download Submit
C:\Windows\{AE0A9028-044F-487a-8522-FA327C19A654}.exe

Filesize
168KB

MD5
ff3bc44ae609614b99d27d08511e8603

SHA1
399fb1681f5065f7101947a96f6c376b30f8f976

SHA256
3e2e3fa21e9786f5e886bf345f10a9ea0ac58a1f37c284c6d0a653fc70fe778c

SHA512
e2fc0e04c5dc53679ae05540f6a01052270c08be383bbf112a3e585e445d1879f6c9b59a1794ef3e8faba63a6789e46b48857e1500d4f956fbe1cddc374b1095

Download Submit
C:\Windows\{B91D7FA7-DAD5-4881-A292-77A2A0782D23}.exe

Filesize
168KB

MD5
9a17d340167a10284f02b84deda284b3

SHA1
bf559a9060f837e996a3420f87e485a6685727de

SHA256
b19e410db95a84681237f4cb0a5c39b9738817ce1f3882bd00d345de7ada672b

SHA512
4b9b97128ce700e3d4f7e39c0601a52f749d84bda7ad1791502970ff7f8557d0bc18c7f37d9276256bc618484594a1dfdf441dc36046f2abdb4920113b4444d7

Download Submit
C:\Windows\{B91D7FA7-DAD5-4881-A292-77A2A0782D23}.exe

Filesize
168KB

MD5
9a17d340167a10284f02b84deda284b3

SHA1
bf559a9060f837e996a3420f87e485a6685727de

SHA256
b19e410db95a84681237f4cb0a5c39b9738817ce1f3882bd00d345de7ada672b

SHA512
4b9b97128ce700e3d4f7e39c0601a52f749d84bda7ad1791502970ff7f8557d0bc18c7f37d9276256bc618484594a1dfdf441dc36046f2abdb4920113b4444d7

Download Submit
C:\Windows\{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe

Filesize
168KB

MD5
bc9d6c8232eb2504c6bfc430460bba6a

SHA1
b721113a8531e5270fc5441db98ecbc878f0d2f4

SHA256
c115085a02bc1e23af20d871f5c9cd9de0a025476513544793c959696b292631

SHA512
bc502caef0602e1d2d9366610f09d48dd990324fd01ead62d931e85d1fa7691164722a685708259e0f24022c96eb31965592aa9f6cbbdc3649177737189ffa25

Download Submit
C:\Windows\{D33E2605-2B47-4b2e-B902-8E1D8C9AD334}.exe

Filesize
168KB

MD5
bc9d6c8232eb2504c6bfc430460bba6a

SHA1
b721113a8531e5270fc5441db98ecbc878f0d2f4

SHA256
c115085a02bc1e23af20d871f5c9cd9de0a025476513544793c959696b292631

SHA512
bc502caef0602e1d2d9366610f09d48dd990324fd01ead62d931e85d1fa7691164722a685708259e0f24022c96eb31965592aa9f6cbbdc3649177737189ffa25

Download Submit
C:\Windows\{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe

Filesize
168KB

MD5
62c749eae49b33490cbb1fdefc9046c3

SHA1
02a8fee10e2f2eadcc6ddab8db039e0cc6fd9f16

SHA256
833ffdd4abac5091d8bc90806840f65328cac10e8b2f0ae10d4ddc5099889d21

SHA512
069618383db7a376511c833bb7672a258deee0d98d4d3a5ecbb4ace2f2fa6c283aaa972b700fd4cc02a72e08c42aa484dbf76f4af8f4febe5b1d3226a4e54072

Download Submit
C:\Windows\{DC136C8F-4D6D-4e50-8548-AD8439E675F3}.exe

Filesize
168KB

MD5
62c749eae49b33490cbb1fdefc9046c3

SHA1
02a8fee10e2f2eadcc6ddab8db039e0cc6fd9f16

SHA256
833ffdd4abac5091d8bc90806840f65328cac10e8b2f0ae10d4ddc5099889d21

SHA512
069618383db7a376511c833bb7672a258deee0d98d4d3a5ecbb4ace2f2fa6c283aaa972b700fd4cc02a72e08c42aa484dbf76f4af8f4febe5b1d3226a4e54072

Download Submit
C:\Windows\{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe

Filesize
168KB

MD5
f290c009f8723dd72c745293bee80a35

SHA1
a4beb089c93a10f52f02ce1802a28555857faf0f

SHA256
0c634d39b1c9d4cfbb9b875f935e4304b2d7d2e59e9847e2f5e2b24814c4730f

SHA512
62aa45eea7f5e36f8b8b22f80e34d8469d348514b6c29a61bed5f62610f5490c3b11e728e0228b031b3d3ace8d2038f84fb4aa51bd64d4561478218ea99d2e13

Download Submit
C:\Windows\{E627DDAB-5EDB-4078-9B2A-4BD179DFCAF4}.exe

Filesize
168KB

MD5
f290c009f8723dd72c745293bee80a35

SHA1
a4beb089c93a10f52f02ce1802a28555857faf0f

SHA256
0c634d39b1c9d4cfbb9b875f935e4304b2d7d2e59e9847e2f5e2b24814c4730f

SHA512
62aa45eea7f5e36f8b8b22f80e34d8469d348514b6c29a61bed5f62610f5490c3b11e728e0228b031b3d3ace8d2038f84fb4aa51bd64d4561478218ea99d2e13

Download Submit