6c4ccecff27b65dcb598caf7e920774215465446c89a9a6a95e3710f1f405af9

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2023 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44eb2b44caf1e3exeexe_JC.exe
Size

192KB
MD5

44eb2b44caf1e3124b8bf1e4841b0286
SHA1

3c663efd3ff150c95a44fc6cdc86879b49eab765
SHA256

6c4ccecff27b65dcb598caf7e920774215465446c89a9a6a95e3710f1f405af9
SHA512

f2bdaed1eaa75a668d27923f1fa5700b5107689ce011fd0888e0f4f87419f0bd553a5ae57ab671a5d2b1bef7805735bf3d1f353ba14660215bee29bc274190ec
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oBl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CFCCC1C-3BD0-4873-A066-9302574EDB42}	{4052906E-C670-46c3-8758-58F5820958AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1216906B-11B6-4b15-8C17-8B1E06326786}	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E25B6131-E863-4251-B37C-62B8F40EF1D7}	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}	{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83A3D195-2DCA-4eef-84EF-C5011B95A004}\stubpath = "C:\\Windows\\{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe"	{919FC367-A607-4d52-8277-0940120216E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4052906E-C670-46c3-8758-58F5820958AB}	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4052906E-C670-46c3-8758-58F5820958AB}\stubpath = "C:\\Windows\\{4052906E-C670-46c3-8758-58F5820958AB}.exe"	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}\stubpath = "C:\\Windows\\{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe"	{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8336A9DC-10EA-4aef-ADA6-8D778BDF57BC}	{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919FC367-A607-4d52-8277-0940120216E1}	44eb2b44caf1e3exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83A3D195-2DCA-4eef-84EF-C5011B95A004}	{919FC367-A607-4d52-8277-0940120216E1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8CF1489-90DB-442f-B604-16CC271EC5BE}	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA37C907-39C0-4395-87DA-60FCAEFE64CA}\stubpath = "C:\\Windows\\{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe"	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{919FC367-A607-4d52-8277-0940120216E1}\stubpath = "C:\\Windows\\{919FC367-A607-4d52-8277-0940120216E1}.exe"	44eb2b44caf1e3exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}\stubpath = "C:\\Windows\\{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe"	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CFCCC1C-3BD0-4873-A066-9302574EDB42}\stubpath = "C:\\Windows\\{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe"	{4052906E-C670-46c3-8758-58F5820958AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA37C907-39C0-4395-87DA-60FCAEFE64CA}	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8336A9DC-10EA-4aef-ADA6-8D778BDF57BC}\stubpath = "C:\\Windows\\{8336A9DC-10EA-4aef-ADA6-8D778BDF57BC}.exe"	{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8CF1489-90DB-442f-B604-16CC271EC5BE}\stubpath = "C:\\Windows\\{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe"	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}\stubpath = "C:\\Windows\\{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe"	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1216906B-11B6-4b15-8C17-8B1E06326786}\stubpath = "C:\\Windows\\{1216906B-11B6-4b15-8C17-8B1E06326786}.exe"	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E25B6131-E863-4251-B37C-62B8F40EF1D7}\stubpath = "C:\\Windows\\{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe"	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe

Executes dropped EXE 12 IoCs

pid	Process
2872	{919FC367-A607-4d52-8277-0940120216E1}.exe
820	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe
1780	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe
4964	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe
1776	{4052906E-C670-46c3-8758-58F5820958AB}.exe
4316	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe
1456	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe
2024	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe
4360	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe
3924	{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe
3216	{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe
4032	{8336A9DC-10EA-4aef-ADA6-8D778BDF57BC}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1216906B-11B6-4b15-8C17-8B1E06326786}.exe	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe
File created	C:\Windows\{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe
File created	C:\Windows\{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe	{919FC367-A607-4d52-8277-0940120216E1}.exe
File created	C:\Windows\{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe
File created	C:\Windows\{4052906E-C670-46c3-8758-58F5820958AB}.exe	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe
File created	C:\Windows\{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe
File created	C:\Windows\{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe	{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe
File created	C:\Windows\{8336A9DC-10EA-4aef-ADA6-8D778BDF57BC}.exe	{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe
File created	C:\Windows\{919FC367-A607-4d52-8277-0940120216E1}.exe	44eb2b44caf1e3exeexe_JC.exe
File created	C:\Windows\{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe
File created	C:\Windows\{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe	{4052906E-C670-46c3-8758-58F5820958AB}.exe
File created	C:\Windows\{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	400	44eb2b44caf1e3exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	2872	{919FC367-A607-4d52-8277-0940120216E1}.exe
Token: SeIncBasePriorityPrivilege	820	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe
Token: SeIncBasePriorityPrivilege	1780	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe
Token: SeIncBasePriorityPrivilege	4964	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe
Token: SeIncBasePriorityPrivilege	1776	{4052906E-C670-46c3-8758-58F5820958AB}.exe
Token: SeIncBasePriorityPrivilege	4316	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe
Token: SeIncBasePriorityPrivilege	1456	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe
Token: SeIncBasePriorityPrivilege	2024	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe
Token: SeIncBasePriorityPrivilege	4360	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe
Token: SeIncBasePriorityPrivilege	3924	{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe
Token: SeIncBasePriorityPrivilege	3216	{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 400 wrote to memory of 2872	400	44eb2b44caf1e3exeexe_JC.exe	91
PID 400 wrote to memory of 2872	400	44eb2b44caf1e3exeexe_JC.exe	91
PID 400 wrote to memory of 2872	400	44eb2b44caf1e3exeexe_JC.exe	91
PID 400 wrote to memory of 1552	400	44eb2b44caf1e3exeexe_JC.exe	92
PID 400 wrote to memory of 1552	400	44eb2b44caf1e3exeexe_JC.exe	92
PID 400 wrote to memory of 1552	400	44eb2b44caf1e3exeexe_JC.exe	92
PID 2872 wrote to memory of 820	2872	{919FC367-A607-4d52-8277-0940120216E1}.exe	94
PID 2872 wrote to memory of 820	2872	{919FC367-A607-4d52-8277-0940120216E1}.exe	94
PID 2872 wrote to memory of 820	2872	{919FC367-A607-4d52-8277-0940120216E1}.exe	94
PID 2872 wrote to memory of 960	2872	{919FC367-A607-4d52-8277-0940120216E1}.exe	95
PID 2872 wrote to memory of 960	2872	{919FC367-A607-4d52-8277-0940120216E1}.exe	95
PID 2872 wrote to memory of 960	2872	{919FC367-A607-4d52-8277-0940120216E1}.exe	95
PID 820 wrote to memory of 1780	820	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe	101
PID 820 wrote to memory of 1780	820	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe	101
PID 820 wrote to memory of 1780	820	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe	101
PID 820 wrote to memory of 2716	820	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe	100
PID 820 wrote to memory of 2716	820	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe	100
PID 820 wrote to memory of 2716	820	{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe	100
PID 1780 wrote to memory of 4964	1780	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe	106
PID 1780 wrote to memory of 4964	1780	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe	106
PID 1780 wrote to memory of 4964	1780	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe	106
PID 1780 wrote to memory of 4568	1780	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe	107
PID 1780 wrote to memory of 4568	1780	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe	107
PID 1780 wrote to memory of 4568	1780	{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe	107
PID 4964 wrote to memory of 1776	4964	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe	108
PID 4964 wrote to memory of 1776	4964	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe	108
PID 4964 wrote to memory of 1776	4964	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe	108
PID 4964 wrote to memory of 2012	4964	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe	109
PID 4964 wrote to memory of 2012	4964	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe	109
PID 4964 wrote to memory of 2012	4964	{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe	109
PID 1776 wrote to memory of 4316	1776	{4052906E-C670-46c3-8758-58F5820958AB}.exe	111
PID 1776 wrote to memory of 4316	1776	{4052906E-C670-46c3-8758-58F5820958AB}.exe	111
PID 1776 wrote to memory of 4316	1776	{4052906E-C670-46c3-8758-58F5820958AB}.exe	111
PID 1776 wrote to memory of 4176	1776	{4052906E-C670-46c3-8758-58F5820958AB}.exe	110
PID 1776 wrote to memory of 4176	1776	{4052906E-C670-46c3-8758-58F5820958AB}.exe	110
PID 1776 wrote to memory of 4176	1776	{4052906E-C670-46c3-8758-58F5820958AB}.exe	110
PID 4316 wrote to memory of 1456	4316	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe	113
PID 4316 wrote to memory of 1456	4316	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe	113
PID 4316 wrote to memory of 1456	4316	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe	113
PID 4316 wrote to memory of 1252	4316	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe	114
PID 4316 wrote to memory of 1252	4316	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe	114
PID 4316 wrote to memory of 1252	4316	{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe	114
PID 1456 wrote to memory of 2024	1456	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe	115
PID 1456 wrote to memory of 2024	1456	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe	115
PID 1456 wrote to memory of 2024	1456	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe	115
PID 1456 wrote to memory of 936	1456	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe	116
PID 1456 wrote to memory of 936	1456	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe	116
PID 1456 wrote to memory of 936	1456	{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe	116
PID 2024 wrote to memory of 4360	2024	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe	117
PID 2024 wrote to memory of 4360	2024	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe	117
PID 2024 wrote to memory of 4360	2024	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe	117
PID 2024 wrote to memory of 1888	2024	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe	118
PID 2024 wrote to memory of 1888	2024	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe	118
PID 2024 wrote to memory of 1888	2024	{1216906B-11B6-4b15-8C17-8B1E06326786}.exe	118
PID 4360 wrote to memory of 3924	4360	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe	119
PID 4360 wrote to memory of 3924	4360	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe	119
PID 4360 wrote to memory of 3924	4360	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe	119
PID 4360 wrote to memory of 4004	4360	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe	120
PID 4360 wrote to memory of 4004	4360	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe	120
PID 4360 wrote to memory of 4004	4360	{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe	120
PID 3924 wrote to memory of 3216	3924	{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe	122
PID 3924 wrote to memory of 3216	3924	{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe	122
PID 3924 wrote to memory of 3216	3924	{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe	122
PID 3924 wrote to memory of 2596	3924	{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe	121

C:\Users\Admin\AppData\Local\Temp\44eb2b44caf1e3exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\44eb2b44caf1e3exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400
- C:\Windows\{919FC367-A607-4d52-8277-0940120216E1}.exe
  C:\Windows\{919FC367-A607-4d52-8277-0940120216E1}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe
    C:\Windows\{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:820
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{83A3D~1.EXE > nul
      4⤵
      PID:2716
  - - C:\Windows\{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe
      C:\Windows\{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1780
    - - C:\Windows\{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe
        
        C:\Windows\{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
      - C:\Windows\{4052906E-C670-46c3-8758-58F5820958AB}.exe
        
        C:\Windows\{4052906E-C670-46c3-8758-58F5820958AB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40529~1.EXE > nul
        7⤵
        
        PID:4176
        
        C:\Windows\{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe
        
        C:\Windows\{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe
        
        C:\Windows\{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{1216906B-11B6-4b15-8C17-8B1E06326786}.exe
        
        C:\Windows\{1216906B-11B6-4b15-8C17-8B1E06326786}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2024
        
        C:\Windows\{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe
        
        C:\Windows\{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe
        
        C:\Windows\{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA37C~1.EXE > nul
        12⤵
        
        PID:2596
        
        C:\Windows\{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe
        
        C:\Windows\{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3216
        
        C:\Windows\{8336A9DC-10EA-4aef-ADA6-8D778BDF57BC}.exe
        
        C:\Windows\{8336A9DC-10EA-4aef-ADA6-8D778BDF57BC}.exe
        13⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71F71~1.EXE > nul
        13⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E25B6~1.EXE > nul
        11⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{12169~1.EXE > nul
        10⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B6B8F~1.EXE > nul
        9⤵
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CFCC~1.EXE > nul
        8⤵
        
        PID:1252
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8CF1~1.EXE > nul
        6⤵
        
        PID:2012
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A2A5F~1.EXE > nul
        5⤵
        
        PID:4568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{919FC~1.EXE > nul
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\44EB2B~1.EXE > nul
  2⤵
  PID:1552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1216906B-11B6-4b15-8C17-8B1E06326786}.exe

Filesize
192KB

MD5
7b6dd9c8abd34d2db2888428c4af2b2c

SHA1
8fe88428fca68ff2a244eb5d2c2f07ad5da059ba

SHA256
2646ebb61435fb68441003ad2d92b145c2d3c4500039add25dadcc7c14237a6c

SHA512
fd987553044f4a474b229e6b8ef9916595d1c6011bc681c8fa3820e93376b6b221cd95f108db1cf69a5aab971e5ce5fc19bb2b83d5809609feb8a4d9f994e154

Download Submit
C:\Windows\{1216906B-11B6-4b15-8C17-8B1E06326786}.exe

Filesize
192KB

MD5
7b6dd9c8abd34d2db2888428c4af2b2c

SHA1
8fe88428fca68ff2a244eb5d2c2f07ad5da059ba

SHA256
2646ebb61435fb68441003ad2d92b145c2d3c4500039add25dadcc7c14237a6c

SHA512
fd987553044f4a474b229e6b8ef9916595d1c6011bc681c8fa3820e93376b6b221cd95f108db1cf69a5aab971e5ce5fc19bb2b83d5809609feb8a4d9f994e154

Download Submit
C:\Windows\{4052906E-C670-46c3-8758-58F5820958AB}.exe

Filesize
192KB

MD5
6040cf00d5b095d52c0e19c10ada345d

SHA1
53b4d91c7ff3e2553271c68f2f7b9d0017989ad4

SHA256
889c81d7beeb8c10bdc6ac94e6339324c1b2e330febe017af7a5c0799d1c2c5c

SHA512
7f5bed22aa5fdf24a228168c27b8929db2b2035dcde16b77c7d92cba7fa0b7f1f091711a81c5314dd220dc0d60b72b54e970b2a1338e7efdb3496a86b4bee1e8

Download Submit
C:\Windows\{4052906E-C670-46c3-8758-58F5820958AB}.exe

Filesize
192KB

MD5
6040cf00d5b095d52c0e19c10ada345d

SHA1
53b4d91c7ff3e2553271c68f2f7b9d0017989ad4

SHA256
889c81d7beeb8c10bdc6ac94e6339324c1b2e330febe017af7a5c0799d1c2c5c

SHA512
7f5bed22aa5fdf24a228168c27b8929db2b2035dcde16b77c7d92cba7fa0b7f1f091711a81c5314dd220dc0d60b72b54e970b2a1338e7efdb3496a86b4bee1e8

Download Submit
C:\Windows\{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe

Filesize
192KB

MD5
d7fcedc9d5c610281399bb7748a3348a

SHA1
0c0e58f9d1483c3fe1271d5fc8cd82d7e34f5b63

SHA256
dcbfb725ff518d4ae5bd91a616fbc0508f04ac5fd6a19f6c5b95bc5fee5d00e6

SHA512
c21f2fcf7ebeb38a3cf74bd8442d6fa71e2719253f09cc00ed2abb34e1b32cc50838ffba4ae99c5e416379627ebdaa9fbaab811396e7b53e980095d21ba8f526

Download Submit
C:\Windows\{5CFCCC1C-3BD0-4873-A066-9302574EDB42}.exe

Filesize
192KB

MD5
d7fcedc9d5c610281399bb7748a3348a

SHA1
0c0e58f9d1483c3fe1271d5fc8cd82d7e34f5b63

SHA256
dcbfb725ff518d4ae5bd91a616fbc0508f04ac5fd6a19f6c5b95bc5fee5d00e6

SHA512
c21f2fcf7ebeb38a3cf74bd8442d6fa71e2719253f09cc00ed2abb34e1b32cc50838ffba4ae99c5e416379627ebdaa9fbaab811396e7b53e980095d21ba8f526

Download Submit
C:\Windows\{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe

Filesize
192KB

MD5
9f41e625cfc169633d2486508eb179c5

SHA1
5033a4265a2b403ebf22183604053a2e4cf8cb9f

SHA256
426dd617b28b4a9ff230e7f71e27817eec728cbeca9c40534d4206e9b8c3c2cf

SHA512
fc779bacdfdb0f4a7777c0e44f7be9a885b8b46935a6f7f6342047339ed82e9573a7c5eb0beecac57adb73a8a452d38ec189e3b5f0881840cc7dfce81b3206b7

Download Submit
C:\Windows\{71F71D02-8E14-48ec-AEF8-1A9A87F233EB}.exe

Filesize
192KB

MD5
9f41e625cfc169633d2486508eb179c5

SHA1
5033a4265a2b403ebf22183604053a2e4cf8cb9f

SHA256
426dd617b28b4a9ff230e7f71e27817eec728cbeca9c40534d4206e9b8c3c2cf

SHA512
fc779bacdfdb0f4a7777c0e44f7be9a885b8b46935a6f7f6342047339ed82e9573a7c5eb0beecac57adb73a8a452d38ec189e3b5f0881840cc7dfce81b3206b7

Download Submit
C:\Windows\{8336A9DC-10EA-4aef-ADA6-8D778BDF57BC}.exe

Filesize
192KB

MD5
f73ec1d3acfcfb87c38d2b7ba587df47

SHA1
1dbba6ff634c75999c9fad42754791c1033c4a19

SHA256
776508d50bc1ad4f0aa22fe97525a3e552e71e7fa6f8cd21520b658785a9349c

SHA512
c6071e33753a6b04b9b9dd633399c0bb96e4a1a78b0a9d7d4369065ae4e64ab8babfc6ab1bb16dda3fe3222959ac02a6d57308cdd0c621e3a67526af4da080ba

Download Submit
C:\Windows\{8336A9DC-10EA-4aef-ADA6-8D778BDF57BC}.exe

Filesize
192KB

MD5
f73ec1d3acfcfb87c38d2b7ba587df47

SHA1
1dbba6ff634c75999c9fad42754791c1033c4a19

SHA256
776508d50bc1ad4f0aa22fe97525a3e552e71e7fa6f8cd21520b658785a9349c

SHA512
c6071e33753a6b04b9b9dd633399c0bb96e4a1a78b0a9d7d4369065ae4e64ab8babfc6ab1bb16dda3fe3222959ac02a6d57308cdd0c621e3a67526af4da080ba

Download Submit
C:\Windows\{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe

Filesize
192KB

MD5
c65d751143172cf8f366784f87770c3b

SHA1
7a4c08cf01471e78b7bd6d70555d26d5d7ace703

SHA256
5de1d137e4b62fb68be3058500355b3d34cebebae6d026770a4786b50a1259d3

SHA512
b342b70257c82c4b9a9d5aed370e3a69aa651c8fcd2462b6d5b79af1ae2532fd551ee56bfecebf8806fcb930458ea55358655bec5badef2d13393d21e8fd5f34

Download Submit
C:\Windows\{83A3D195-2DCA-4eef-84EF-C5011B95A004}.exe

Filesize
192KB

MD5
c65d751143172cf8f366784f87770c3b

SHA1
7a4c08cf01471e78b7bd6d70555d26d5d7ace703

SHA256
5de1d137e4b62fb68be3058500355b3d34cebebae6d026770a4786b50a1259d3

SHA512
b342b70257c82c4b9a9d5aed370e3a69aa651c8fcd2462b6d5b79af1ae2532fd551ee56bfecebf8806fcb930458ea55358655bec5badef2d13393d21e8fd5f34

Download Submit
C:\Windows\{919FC367-A607-4d52-8277-0940120216E1}.exe

Filesize
192KB

MD5
42e0702c93bcda6454aa8b1cfd35730a

SHA1
a1e1dcd0fe2f401ccca655410aaa897c53f11045

SHA256
85e3a2d055d79a1f53f9ba7b2540c07c16204ed4cc893d294b63d15f52315dca

SHA512
e281706b5ec4bd88ef95964cfe6430e50e52f4b94a24406a5e713deb0f3bcb82b3e142bc83525e20249e54cf6a543fbed3639d6542909b50fee94ad13ea01374

Download Submit
C:\Windows\{919FC367-A607-4d52-8277-0940120216E1}.exe

Filesize
192KB

MD5
42e0702c93bcda6454aa8b1cfd35730a

SHA1
a1e1dcd0fe2f401ccca655410aaa897c53f11045

SHA256
85e3a2d055d79a1f53f9ba7b2540c07c16204ed4cc893d294b63d15f52315dca

SHA512
e281706b5ec4bd88ef95964cfe6430e50e52f4b94a24406a5e713deb0f3bcb82b3e142bc83525e20249e54cf6a543fbed3639d6542909b50fee94ad13ea01374

Download Submit
C:\Windows\{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe

Filesize
192KB

MD5
1c0f69a71ba3b4b8df782b4aa0da0387

SHA1
3114c2bc75e1c4c678adff2effaf6586562d15d5

SHA256
12aebe6a03ba225acd4b76a857d5b3fe2b3a0f8a1f00c0d1338978237699f2ad

SHA512
c573e14929a1c549a4b4f045eef8622e7db0dbfc08d715ee5a9b1178ce0feff58a359a3e95042818b4c5f937d5ce4f42f48f3a1d752af7d4a881a5a4fda8e28e

Download Submit
C:\Windows\{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe

Filesize
192KB

MD5
1c0f69a71ba3b4b8df782b4aa0da0387

SHA1
3114c2bc75e1c4c678adff2effaf6586562d15d5

SHA256
12aebe6a03ba225acd4b76a857d5b3fe2b3a0f8a1f00c0d1338978237699f2ad

SHA512
c573e14929a1c549a4b4f045eef8622e7db0dbfc08d715ee5a9b1178ce0feff58a359a3e95042818b4c5f937d5ce4f42f48f3a1d752af7d4a881a5a4fda8e28e

Download Submit
C:\Windows\{A2A5F43B-E1D9-459d-AF99-E1D164AD311B}.exe

Filesize
192KB

MD5
1c0f69a71ba3b4b8df782b4aa0da0387

SHA1
3114c2bc75e1c4c678adff2effaf6586562d15d5

SHA256
12aebe6a03ba225acd4b76a857d5b3fe2b3a0f8a1f00c0d1338978237699f2ad

SHA512
c573e14929a1c549a4b4f045eef8622e7db0dbfc08d715ee5a9b1178ce0feff58a359a3e95042818b4c5f937d5ce4f42f48f3a1d752af7d4a881a5a4fda8e28e

Download Submit
C:\Windows\{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe

Filesize
192KB

MD5
0cc2aa09fbd5c315e3c0f9e4a2b59ea5

SHA1
eaa8b792d308fed99ff92c9147be797f7053221b

SHA256
a894039097c67f234d115ba38934c0aa429596c662a9ba4900abec06128f8392

SHA512
ff0766a31648eaf1a8ee324826c9d556a0f822540c14c25046ea6398400fd6bfbb5b08ee428a144f5af837ba673065e9583b61539fcd11f051808ccd393c5fb4

Download Submit
C:\Windows\{AA37C907-39C0-4395-87DA-60FCAEFE64CA}.exe

Filesize
192KB

MD5
0cc2aa09fbd5c315e3c0f9e4a2b59ea5

SHA1
eaa8b792d308fed99ff92c9147be797f7053221b

SHA256
a894039097c67f234d115ba38934c0aa429596c662a9ba4900abec06128f8392

SHA512
ff0766a31648eaf1a8ee324826c9d556a0f822540c14c25046ea6398400fd6bfbb5b08ee428a144f5af837ba673065e9583b61539fcd11f051808ccd393c5fb4

Download Submit
C:\Windows\{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe

Filesize
192KB

MD5
59968f3bafc17ae39ef95d06dfa2f8cf

SHA1
8cbae2bc93c3a78e90b09a5c099f6a68fbf81877

SHA256
1006dd3bd6a350ab541fc643cc57cb6311b65856ba97e1e59dbc4ed3333f6cbb

SHA512
bb3c4debd3a5bc5ccd3b43ac526ad8af60eec9a66ec3d2428e32dd83738f1d4bfefffa61d2100d08437a4ecc7b859fad3c0ba6b89184fcc95627a0dd678fc4c0

Download Submit
C:\Windows\{B6B8FD58-8E51-4a0b-9251-0365CB1D827B}.exe

Filesize
192KB

MD5
59968f3bafc17ae39ef95d06dfa2f8cf

SHA1
8cbae2bc93c3a78e90b09a5c099f6a68fbf81877

SHA256
1006dd3bd6a350ab541fc643cc57cb6311b65856ba97e1e59dbc4ed3333f6cbb

SHA512
bb3c4debd3a5bc5ccd3b43ac526ad8af60eec9a66ec3d2428e32dd83738f1d4bfefffa61d2100d08437a4ecc7b859fad3c0ba6b89184fcc95627a0dd678fc4c0

Download Submit
C:\Windows\{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe

Filesize
192KB

MD5
aa8b1784b5bc99667ed8a0fce6f07e9f

SHA1
e77b44c299f239148521319505a5bad9af8292b3

SHA256
43db1875d89073e9c094131ecd428b7a27c79b8b3e5d7955a8c0122080b2b559

SHA512
3948ff1e9ff150600975cb42598aaf7c358ab454dc4cdcf4094f0fa83f12f21c0b5f19296b99684a8aaaabaaa9cb4eb897c0d8fc179ad5fb05a06fde881aea91

Download Submit
C:\Windows\{C8CF1489-90DB-442f-B604-16CC271EC5BE}.exe

Filesize
192KB

MD5
aa8b1784b5bc99667ed8a0fce6f07e9f

SHA1
e77b44c299f239148521319505a5bad9af8292b3

SHA256
43db1875d89073e9c094131ecd428b7a27c79b8b3e5d7955a8c0122080b2b559

SHA512
3948ff1e9ff150600975cb42598aaf7c358ab454dc4cdcf4094f0fa83f12f21c0b5f19296b99684a8aaaabaaa9cb4eb897c0d8fc179ad5fb05a06fde881aea91

Download Submit
C:\Windows\{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe

Filesize
192KB

MD5
fb1c019fb695dff5f4554192ad116d70

SHA1
df8c73eb93f72bd50e35f5ea0485914d46e9f41a

SHA256
f1f01d864318edfc8430916ffaf262c6b8034527aea8b82a66a09420b01a768d

SHA512
8f07cdaa0359ca1e960981d88f9585bc8ac46259f0597395273ed46890894cf88daea7cae2855d355637b00473deb5b2208e0abfda179d095b36a9a36e13c767

Download Submit
C:\Windows\{E25B6131-E863-4251-B37C-62B8F40EF1D7}.exe

Filesize
192KB

MD5
fb1c019fb695dff5f4554192ad116d70

SHA1
df8c73eb93f72bd50e35f5ea0485914d46e9f41a

SHA256
f1f01d864318edfc8430916ffaf262c6b8034527aea8b82a66a09420b01a768d

SHA512
8f07cdaa0359ca1e960981d88f9585bc8ac46259f0597395273ed46890894cf88daea7cae2855d355637b00473deb5b2208e0abfda179d095b36a9a36e13c767

Download Submit