bc9887fdafee0225ef78807ffc48bc365a95bc26edf003f5499ad8039ff24b39

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 16:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ceab760c94e2dexeexe_JC.exe
Size

204KB
MD5

2ceab760c94e2decf01dfae7804516e2
SHA1

6df230a0cd62b469f634b1668eaff306898b3671
SHA256

bc9887fdafee0225ef78807ffc48bc365a95bc26edf003f5499ad8039ff24b39
SHA512

3da6cd361b1adc86283f1676ac2026bd7ccad4416a637e4b42e9ec448b6306044a923957519cb4b6e9e93c7ffc58b2e202d3eca2452c51874829852aeb2ce797
SSDEEP

1536:1EGh0osl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0osl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}\stubpath = "C:\\Windows\\{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe"	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B37E3E6-C803-4c0a-8AA5-B14DB1170DA6}	{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4931330F-01B8-4cc7-85C7-23C7CE61A797}	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}\stubpath = "C:\\Windows\\{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe"	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}\stubpath = "C:\\Windows\\{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe"	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}\stubpath = "C:\\Windows\\{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe"	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42698C54-1314-49e8-96CE-E8955D4A6DA8}	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B37E3E6-C803-4c0a-8AA5-B14DB1170DA6}\stubpath = "C:\\Windows\\{5B37E3E6-C803-4c0a-8AA5-B14DB1170DA6}.exe"	{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F516669A-18C3-47b5-8A82-6A0A92D76C2F}\stubpath = "C:\\Windows\\{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe"	2ceab760c94e2dexeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4931330F-01B8-4cc7-85C7-23C7CE61A797}\stubpath = "C:\\Windows\\{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe"	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}\stubpath = "C:\\Windows\\{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe"	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06B9FB63-445F-416b-80DB-60D0916E94B9}\stubpath = "C:\\Windows\\{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe"	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42698C54-1314-49e8-96CE-E8955D4A6DA8}\stubpath = "C:\\Windows\\{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe"	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314BB02E-7624-49b7-9E52-19488FFE5ABD}	{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F516669A-18C3-47b5-8A82-6A0A92D76C2F}	2ceab760c94e2dexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{06B9FB63-445F-416b-80DB-60D0916E94B9}	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}\stubpath = "C:\\Windows\\{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe"	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{314BB02E-7624-49b7-9E52-19488FFE5ABD}\stubpath = "C:\\Windows\\{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe"	{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe

Executes dropped EXE 12 IoCs

pid	Process
716	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe
4416	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe
5100	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe
3088	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe
3968	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe
2668	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe
4332	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe
4076	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe
4036	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe
3316	{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe
5040	{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe
3964	{5B37E3E6-C803-4c0a-8AA5-B14DB1170DA6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe	2ceab760c94e2dexeexe_JC.exe
File created	C:\Windows\{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe
File created	C:\Windows\{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe
File created	C:\Windows\{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe
File created	C:\Windows\{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe
File created	C:\Windows\{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe	{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe
File created	C:\Windows\{5B37E3E6-C803-4c0a-8AA5-B14DB1170DA6}.exe	{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe
File created	C:\Windows\{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe
File created	C:\Windows\{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe
File created	C:\Windows\{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe
File created	C:\Windows\{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe
File created	C:\Windows\{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4380	2ceab760c94e2dexeexe_JC.exe
Token: SeIncBasePriorityPrivilege	716	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe
Token: SeIncBasePriorityPrivilege	4416	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe
Token: SeIncBasePriorityPrivilege	5100	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe
Token: SeIncBasePriorityPrivilege	3088	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe
Token: SeIncBasePriorityPrivilege	3968	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe
Token: SeIncBasePriorityPrivilege	2668	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe
Token: SeIncBasePriorityPrivilege	4332	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe
Token: SeIncBasePriorityPrivilege	4076	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe
Token: SeIncBasePriorityPrivilege	4036	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe
Token: SeIncBasePriorityPrivilege	3316	{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe
Token: SeIncBasePriorityPrivilege	5040	{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 716	4380	2ceab760c94e2dexeexe_JC.exe	94
PID 4380 wrote to memory of 716	4380	2ceab760c94e2dexeexe_JC.exe	94
PID 4380 wrote to memory of 716	4380	2ceab760c94e2dexeexe_JC.exe	94
PID 4380 wrote to memory of 1132	4380	2ceab760c94e2dexeexe_JC.exe	95
PID 4380 wrote to memory of 1132	4380	2ceab760c94e2dexeexe_JC.exe	95
PID 4380 wrote to memory of 1132	4380	2ceab760c94e2dexeexe_JC.exe	95
PID 716 wrote to memory of 4416	716	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe	98
PID 716 wrote to memory of 4416	716	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe	98
PID 716 wrote to memory of 4416	716	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe	98
PID 716 wrote to memory of 2264	716	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe	99
PID 716 wrote to memory of 2264	716	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe	99
PID 716 wrote to memory of 2264	716	{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe	99
PID 4416 wrote to memory of 5100	4416	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe	103
PID 4416 wrote to memory of 5100	4416	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe	103
PID 4416 wrote to memory of 5100	4416	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe	103
PID 4416 wrote to memory of 4424	4416	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe	102
PID 4416 wrote to memory of 4424	4416	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe	102
PID 4416 wrote to memory of 4424	4416	{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe	102
PID 5100 wrote to memory of 3088	5100	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe	104
PID 5100 wrote to memory of 3088	5100	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe	104
PID 5100 wrote to memory of 3088	5100	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe	104
PID 5100 wrote to memory of 3368	5100	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe	105
PID 5100 wrote to memory of 3368	5100	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe	105
PID 5100 wrote to memory of 3368	5100	{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe	105
PID 3088 wrote to memory of 3968	3088	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe	106
PID 3088 wrote to memory of 3968	3088	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe	106
PID 3088 wrote to memory of 3968	3088	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe	106
PID 3088 wrote to memory of 1104	3088	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe	107
PID 3088 wrote to memory of 1104	3088	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe	107
PID 3088 wrote to memory of 1104	3088	{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe	107
PID 3968 wrote to memory of 2668	3968	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe	108
PID 3968 wrote to memory of 2668	3968	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe	108
PID 3968 wrote to memory of 2668	3968	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe	108
PID 3968 wrote to memory of 3568	3968	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe	109
PID 3968 wrote to memory of 3568	3968	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe	109
PID 3968 wrote to memory of 3568	3968	{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe	109
PID 2668 wrote to memory of 4332	2668	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe	111
PID 2668 wrote to memory of 4332	2668	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe	111
PID 2668 wrote to memory of 4332	2668	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe	111
PID 2668 wrote to memory of 2880	2668	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe	112
PID 2668 wrote to memory of 2880	2668	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe	112
PID 2668 wrote to memory of 2880	2668	{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe	112
PID 4332 wrote to memory of 4076	4332	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe	113
PID 4332 wrote to memory of 4076	4332	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe	113
PID 4332 wrote to memory of 4076	4332	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe	113
PID 4332 wrote to memory of 3708	4332	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe	114
PID 4332 wrote to memory of 3708	4332	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe	114
PID 4332 wrote to memory of 3708	4332	{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe	114
PID 4076 wrote to memory of 4036	4076	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe	115
PID 4076 wrote to memory of 4036	4076	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe	115
PID 4076 wrote to memory of 4036	4076	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe	115
PID 4076 wrote to memory of 4952	4076	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe	116
PID 4076 wrote to memory of 4952	4076	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe	116
PID 4076 wrote to memory of 4952	4076	{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe	116
PID 4036 wrote to memory of 3316	4036	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe	117
PID 4036 wrote to memory of 3316	4036	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe	117
PID 4036 wrote to memory of 3316	4036	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe	117
PID 4036 wrote to memory of 4104	4036	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe	118
PID 4036 wrote to memory of 4104	4036	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe	118
PID 4036 wrote to memory of 4104	4036	{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe	118
PID 3316 wrote to memory of 5040	3316	{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe	119
PID 3316 wrote to memory of 5040	3316	{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe	119
PID 3316 wrote to memory of 5040	3316	{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe	119
PID 3316 wrote to memory of 4432	3316	{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe	120

C:\Users\Admin\AppData\Local\Temp\2ceab760c94e2dexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2ceab760c94e2dexeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe
  C:\Windows\{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Windows\{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe
    C:\Windows\{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4416
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{49313~1.EXE > nul
      4⤵
      PID:4424
  - - C:\Windows\{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe
      C:\Windows\{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5100
    - - C:\Windows\{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe
        
        C:\Windows\{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3088
      - C:\Windows\{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe
        
        C:\Windows\{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe
        
        C:\Windows\{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe
        
        C:\Windows\{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe
        
        C:\Windows\{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe
        
        C:\Windows\{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
        
        C:\Windows\{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe
        
        C:\Windows\{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe
        
        C:\Windows\{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\Windows\{5B37E3E6-C803-4c0a-8AA5-B14DB1170DA6}.exe
        
        C:\Windows\{5B37E3E6-C803-4c0a-8AA5-B14DB1170DA6}.exe
        13⤵
        Executes dropped EXE
        
        PID:3964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{314BB~1.EXE > nul
        13⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA22B~1.EXE > nul
        12⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CFEE~1.EXE > nul
        11⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42698~1.EXE > nul
        10⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{06B9F~1.EXE > nul
        9⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5D33D~1.EXE > nul
        8⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D73B~1.EXE > nul
        7⤵
        
        PID:3568
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{39CDC~1.EXE > nul
        6⤵
        
        PID:1104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11501~1.EXE > nul
        5⤵
        
        PID:3368
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F5166~1.EXE > nul
    3⤵
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2CEAB7~1.EXE > nul
  2⤵
  PID:1132

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe

Filesize
204KB

MD5
c4c3495a9d6ea75bab90fe82674e419f

SHA1
471df50f445556fee4c7293cc1e43b733072efe4

SHA256
859032ca81fcd48c3794d1c734e325187130af9a1ffb9055cd2ca7cba855f9fc

SHA512
f45eaad9260d905b4bef207c27a977667d6285ab9af572e2187e94ef43b6121319a9b853ec0e619a0d846f62a0fe54a7022cc54124aec48bd3b0a02d5061f4dd

Download Submit
C:\Windows\{06B9FB63-445F-416b-80DB-60D0916E94B9}.exe

Filesize
204KB

MD5
c4c3495a9d6ea75bab90fe82674e419f

SHA1
471df50f445556fee4c7293cc1e43b733072efe4

SHA256
859032ca81fcd48c3794d1c734e325187130af9a1ffb9055cd2ca7cba855f9fc

SHA512
f45eaad9260d905b4bef207c27a977667d6285ab9af572e2187e94ef43b6121319a9b853ec0e619a0d846f62a0fe54a7022cc54124aec48bd3b0a02d5061f4dd

Download Submit
C:\Windows\{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe

Filesize
204KB

MD5
c5ded3d6d0db71a018d3fc4aaf0e7e2d

SHA1
0c52d878ac4bcac01e8b9825f66a8b3ef0724d5a

SHA256
f298471f0b484cf4d781ad9a17ce096a45e8a7f73a80aabaf9f3092866c819ab

SHA512
c487cdf5b4c152e3fb71a06e65f0a5f8391cedca4ae490f7d90b2ce8d1317850d0c8d69d031e51c0809190e5d9d1ee3e155e1de3e4db666d63c5057ef5931998

Download Submit
C:\Windows\{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe

Filesize
204KB

MD5
c5ded3d6d0db71a018d3fc4aaf0e7e2d

SHA1
0c52d878ac4bcac01e8b9825f66a8b3ef0724d5a

SHA256
f298471f0b484cf4d781ad9a17ce096a45e8a7f73a80aabaf9f3092866c819ab

SHA512
c487cdf5b4c152e3fb71a06e65f0a5f8391cedca4ae490f7d90b2ce8d1317850d0c8d69d031e51c0809190e5d9d1ee3e155e1de3e4db666d63c5057ef5931998

Download Submit
C:\Windows\{11501CB2-C33B-4d81-9B30-75B1E7AFAC96}.exe

Filesize
204KB

MD5
c5ded3d6d0db71a018d3fc4aaf0e7e2d

SHA1
0c52d878ac4bcac01e8b9825f66a8b3ef0724d5a

SHA256
f298471f0b484cf4d781ad9a17ce096a45e8a7f73a80aabaf9f3092866c819ab

SHA512
c487cdf5b4c152e3fb71a06e65f0a5f8391cedca4ae490f7d90b2ce8d1317850d0c8d69d031e51c0809190e5d9d1ee3e155e1de3e4db666d63c5057ef5931998

Download Submit
C:\Windows\{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe

Filesize
204KB

MD5
2a8b175ca1690bbf5e63586720c5d511

SHA1
9eee5d7f2a6f2114d40eb7d17120dd7e4a856764

SHA256
9b01f5a8f177c1f984f808af1a0e7b9aa1d9448e4abe0f694e77695557070ec5

SHA512
0a04a52e8d01805e5b405acd58ddea82d84038d228653238d1af701a189ebba5e67aee3155b051513914e461d0f00eca81d455ea9e900470417adf76589786b3

Download Submit
C:\Windows\{1CFEEA37-7E32-45b0-BD8E-2CF70A7B5A7B}.exe

Filesize
204KB

MD5
2a8b175ca1690bbf5e63586720c5d511

SHA1
9eee5d7f2a6f2114d40eb7d17120dd7e4a856764

SHA256
9b01f5a8f177c1f984f808af1a0e7b9aa1d9448e4abe0f694e77695557070ec5

SHA512
0a04a52e8d01805e5b405acd58ddea82d84038d228653238d1af701a189ebba5e67aee3155b051513914e461d0f00eca81d455ea9e900470417adf76589786b3

Download Submit
C:\Windows\{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe

Filesize
204KB

MD5
e2387d9334914f4b5381a09b32faf346

SHA1
3265b5e0367ac5f0b57fb6571c17c39b92349091

SHA256
63c3154d981eec6abb17cc8fde6001239ae4c8e1b00b66c776b5a1e209d06e03

SHA512
18eebaf9d68b12b0e610f22620827c4f101a31991bba10e1c446efb65e02de9fae9a0f846f09bc7881a41c30d99b04d709f454bd17e2bfd29ceda878a8c694e3

Download Submit
C:\Windows\{314BB02E-7624-49b7-9E52-19488FFE5ABD}.exe

Filesize
204KB

MD5
e2387d9334914f4b5381a09b32faf346

SHA1
3265b5e0367ac5f0b57fb6571c17c39b92349091

SHA256
63c3154d981eec6abb17cc8fde6001239ae4c8e1b00b66c776b5a1e209d06e03

SHA512
18eebaf9d68b12b0e610f22620827c4f101a31991bba10e1c446efb65e02de9fae9a0f846f09bc7881a41c30d99b04d709f454bd17e2bfd29ceda878a8c694e3

Download Submit
C:\Windows\{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe

Filesize
204KB

MD5
f9a09fa4a7c1f576a6a2ee95ebbe3805

SHA1
7eb33c9acc941f7655ccfeb70cde9e6f49f8cc02

SHA256
e65f713bfb21edbee5a10a541051f44d57b2406122e70c909a6092a5758dce40

SHA512
321bb6d81dc5046b5fb1c1852a4c4dd08040abc4ef77a8d9f769273e05f9dd66e2d3a7d9a20d82ae38d1d28505fafb7d8cb889ed72982e114a2f0c24d8a6b5e8

Download Submit
C:\Windows\{39CDCE7C-196E-4b9c-B7EC-7D05D618FDA9}.exe

Filesize
204KB

MD5
f9a09fa4a7c1f576a6a2ee95ebbe3805

SHA1
7eb33c9acc941f7655ccfeb70cde9e6f49f8cc02

SHA256
e65f713bfb21edbee5a10a541051f44d57b2406122e70c909a6092a5758dce40

SHA512
321bb6d81dc5046b5fb1c1852a4c4dd08040abc4ef77a8d9f769273e05f9dd66e2d3a7d9a20d82ae38d1d28505fafb7d8cb889ed72982e114a2f0c24d8a6b5e8

Download Submit
C:\Windows\{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe

Filesize
204KB

MD5
88653636e3beaaf33051aee812a6c091

SHA1
37834ba7909dbca7d935bcefa7907e2d9c5cba39

SHA256
a36c5d957ea8f1232af6328b3dac98baa6741c76d9cb0ad0d76e687063901cca

SHA512
d0db7cc91e15d9214caef60f747404bb7015b0f861ed7d09f8d0c608a865edcf3ea291eafb17b70ef2c9007538fb09c71bba4faec9014a4bdbedf7140c02e7a0

Download Submit
C:\Windows\{42698C54-1314-49e8-96CE-E8955D4A6DA8}.exe

Filesize
204KB

MD5
88653636e3beaaf33051aee812a6c091

SHA1
37834ba7909dbca7d935bcefa7907e2d9c5cba39

SHA256
a36c5d957ea8f1232af6328b3dac98baa6741c76d9cb0ad0d76e687063901cca

SHA512
d0db7cc91e15d9214caef60f747404bb7015b0f861ed7d09f8d0c608a865edcf3ea291eafb17b70ef2c9007538fb09c71bba4faec9014a4bdbedf7140c02e7a0

Download Submit
C:\Windows\{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe

Filesize
204KB

MD5
64512c57f55888fdc9f822bcadc3ed83

SHA1
796db75f0059f64604496babdac5c8857a92f99b

SHA256
7044ee3b5b227bc4d3135bc27a99ce9e9f280472983ad0e68f04b6d53a646250

SHA512
1ac913530e5c076ab524f70dd56930f39539be3cb8049e2c75aa13ffe8d3b6812f99ec8449c8fd85a8e79e2d4bd3dc5c2ea253ed48814cafda1c8c3b7a61a18f

Download Submit
C:\Windows\{4931330F-01B8-4cc7-85C7-23C7CE61A797}.exe

Filesize
204KB

MD5
64512c57f55888fdc9f822bcadc3ed83

SHA1
796db75f0059f64604496babdac5c8857a92f99b

SHA256
7044ee3b5b227bc4d3135bc27a99ce9e9f280472983ad0e68f04b6d53a646250

SHA512
1ac913530e5c076ab524f70dd56930f39539be3cb8049e2c75aa13ffe8d3b6812f99ec8449c8fd85a8e79e2d4bd3dc5c2ea253ed48814cafda1c8c3b7a61a18f

Download Submit
C:\Windows\{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe

Filesize
204KB

MD5
e82355aca6bc797bc42062193bd8c804

SHA1
32a28a3602d19c13309a52ae812ffb6ca8a567a3

SHA256
b8145f05cfcc4797f2cb1080b5d1a3ccbcff4a8546ed49c0ca2c20ae841a4441

SHA512
040cee8d7fc101d2cdd1c528d50229c00eef72003e3b490ee31c9c54ceeb16ca16043d719db05a72eb9c7df136dc701ff09bda6ae930af99689c04a1d220324e

Download Submit
C:\Windows\{4D73B2F1-CDC9-436c-BAE3-41CF24DBB046}.exe

Filesize
204KB

MD5
e82355aca6bc797bc42062193bd8c804

SHA1
32a28a3602d19c13309a52ae812ffb6ca8a567a3

SHA256
b8145f05cfcc4797f2cb1080b5d1a3ccbcff4a8546ed49c0ca2c20ae841a4441

SHA512
040cee8d7fc101d2cdd1c528d50229c00eef72003e3b490ee31c9c54ceeb16ca16043d719db05a72eb9c7df136dc701ff09bda6ae930af99689c04a1d220324e

Download Submit
C:\Windows\{5B37E3E6-C803-4c0a-8AA5-B14DB1170DA6}.exe

Filesize
204KB

MD5
625121713c87bf10c530fb630457bef7

SHA1
f341d87990a7c9a112fcdc566773d33e0b919548

SHA256
d0ae059f32b24d4843b7fb41ae2583e40658d89edfa0133b6052f903eb576999

SHA512
799ab73119028b84ad5eee48df785d4364a88fd8f255c9c8d18a7e7d21c897240205c808068ca28a890de06724b3f307fbec448a2141136ce818f1459509b13d

Download Submit
C:\Windows\{5B37E3E6-C803-4c0a-8AA5-B14DB1170DA6}.exe

Filesize
204KB

MD5
625121713c87bf10c530fb630457bef7

SHA1
f341d87990a7c9a112fcdc566773d33e0b919548

SHA256
d0ae059f32b24d4843b7fb41ae2583e40658d89edfa0133b6052f903eb576999

SHA512
799ab73119028b84ad5eee48df785d4364a88fd8f255c9c8d18a7e7d21c897240205c808068ca28a890de06724b3f307fbec448a2141136ce818f1459509b13d

Download Submit
C:\Windows\{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe

Filesize
204KB

MD5
34e86fb5de99739049261da2053da644

SHA1
c17dc5dc403cb56670b63335daa35fafcbc85d47

SHA256
49a58d4595f58f9badad14d98c06eea4318254a7186e173ae979175e0ebd6324

SHA512
3c5a5b51e36185f2b0ee2e562c493919d2100375e70a7d95716df875866c743322740cbb009fc5d41c5239c4d7ba4a9fdd38086721026ca685642f81e7915d00

Download Submit
C:\Windows\{5D33D74B-1FFA-4b08-9C6E-4B01829CBC4E}.exe

Filesize
204KB

MD5
34e86fb5de99739049261da2053da644

SHA1
c17dc5dc403cb56670b63335daa35fafcbc85d47

SHA256
49a58d4595f58f9badad14d98c06eea4318254a7186e173ae979175e0ebd6324

SHA512
3c5a5b51e36185f2b0ee2e562c493919d2100375e70a7d95716df875866c743322740cbb009fc5d41c5239c4d7ba4a9fdd38086721026ca685642f81e7915d00

Download Submit
C:\Windows\{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe

Filesize
204KB

MD5
fcc27fec12f2a37075ffebc1f2f33f9d

SHA1
168cf691c044efdc93874172637cb89a15cb3b86

SHA256
31fef050c16c921bdf19de0b182c86d7e4c2a5710874c0226105815856ab83fe

SHA512
1618d2ae404e8ec21fd897b6dc31c03083ddf8be664f483f69b10458ccd61cc02ecebf74d0a927fe62fde1d35b772b30ce3777d2f8ed042312c731c4a77803f2

Download Submit
C:\Windows\{CA22BF19-39AB-4e37-9FDD-A107BC1AD6B1}.exe

Filesize
204KB

MD5
fcc27fec12f2a37075ffebc1f2f33f9d

SHA1
168cf691c044efdc93874172637cb89a15cb3b86

SHA256
31fef050c16c921bdf19de0b182c86d7e4c2a5710874c0226105815856ab83fe

SHA512
1618d2ae404e8ec21fd897b6dc31c03083ddf8be664f483f69b10458ccd61cc02ecebf74d0a927fe62fde1d35b772b30ce3777d2f8ed042312c731c4a77803f2

Download Submit
C:\Windows\{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe

Filesize
204KB

MD5
605727b6d5d890b786cdd1749260f84c

SHA1
3abd9f85c3dd2bb27a38999624afdb4ece51d801

SHA256
c9a613bb3bdaabd22f8b8a80edacce7433c91882eaf17e6ff732dd88f2c6dd63

SHA512
b4be8df52de4f47274d79026e9cc7c0dd129826238b50d1b5c108676da8e47b4767df9294e59400d064c090a1b583f3e376fa9c5fb0caed9b2607368fac7e34e

Download Submit
C:\Windows\{F516669A-18C3-47b5-8A82-6A0A92D76C2F}.exe

Filesize
204KB

MD5
605727b6d5d890b786cdd1749260f84c

SHA1
3abd9f85c3dd2bb27a38999624afdb4ece51d801

SHA256
c9a613bb3bdaabd22f8b8a80edacce7433c91882eaf17e6ff732dd88f2c6dd63

SHA512
b4be8df52de4f47274d79026e9cc7c0dd129826238b50d1b5c108676da8e47b4767df9294e59400d064c090a1b583f3e376fa9c5fb0caed9b2607368fac7e34e

Download Submit