47a3a246d7a49999ac4a3abc534f8a954beb8d9ba675dba34369db8f4ba00110

Analysis

max time kernel
149s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2023, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ef18495bd07b6exeexe_JC.exe
Size

168KB
MD5

4ef18495bd07b6802883b2697116c89a
SHA1

3a4e84dd9cbfab5598bf56b51cf1dba86799f4b4
SHA256

47a3a246d7a49999ac4a3abc534f8a954beb8d9ba675dba34369db8f4ba00110
SHA512

f2ddf881cbab6daff4659aaab72ba411dfcbe21b0ff99f0371e6eb341146f8afabf2a8e2920aa8236cc3740067d39be1b5721a6df443c674f8a34e4823f1d4e1
SSDEEP

1536:1EGh0ohlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0ohlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F066F529-0645-4911-A8D8-8DA50D017681}\stubpath = "C:\\Windows\\{F066F529-0645-4911-A8D8-8DA50D017681}.exe"	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E577610-A016-46cf-8F8E-02F6AF1AB058}	{F066F529-0645-4911-A8D8-8DA50D017681}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}	{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{272865DD-F007-4b90-8503-9149551330F2}\stubpath = "C:\\Windows\\{272865DD-F007-4b90-8503-9149551330F2}.exe"	{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74853A44-9F17-4a56-B0AF-5F5A9972D324}	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71399030-2EBA-41e8-9F48-81A962FCB668}\stubpath = "C:\\Windows\\{71399030-2EBA-41e8-9F48-81A962FCB668}.exe"	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}\stubpath = "C:\\Windows\\{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe"	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D868EEB-6D8D-4107-BD9E-0A73946F1531}\stubpath = "C:\\Windows\\{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe"	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E577610-A016-46cf-8F8E-02F6AF1AB058}\stubpath = "C:\\Windows\\{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe"	{F066F529-0645-4911-A8D8-8DA50D017681}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}\stubpath = "C:\\Windows\\{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe"	{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8424020-389E-4a63-A7EF-F884039DFD18}	4ef18495bd07b6exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D8424020-389E-4a63-A7EF-F884039DFD18}\stubpath = "C:\\Windows\\{D8424020-389E-4a63-A7EF-F884039DFD18}.exe"	4ef18495bd07b6exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9396704A-BB88-458c-8AFE-F526EE186040}	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F066F529-0645-4911-A8D8-8DA50D017681}	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74853A44-9F17-4a56-B0AF-5F5A9972D324}\stubpath = "C:\\Windows\\{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe"	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D868EEB-6D8D-4107-BD9E-0A73946F1531}	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729690E5-1D28-436c-A2B9-5C052530C89E}	{9396704A-BB88-458c-8AFE-F526EE186040}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9396704A-BB88-458c-8AFE-F526EE186040}\stubpath = "C:\\Windows\\{9396704A-BB88-458c-8AFE-F526EE186040}.exe"	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{729690E5-1D28-436c-A2B9-5C052530C89E}\stubpath = "C:\\Windows\\{729690E5-1D28-436c-A2B9-5C052530C89E}.exe"	{9396704A-BB88-458c-8AFE-F526EE186040}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{272865DD-F007-4b90-8503-9149551330F2}	{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71399030-2EBA-41e8-9F48-81A962FCB668}	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{530D0B3C-7A0B-43a4-8D44-2A749212258C}	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{530D0B3C-7A0B-43a4-8D44-2A749212258C}\stubpath = "C:\\Windows\\{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe"	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4920	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe
3948	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe
5056	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe
4888	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe
1948	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe
3192	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe
1704	{9396704A-BB88-458c-8AFE-F526EE186040}.exe
4708	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe
5032	{F066F529-0645-4911-A8D8-8DA50D017681}.exe
3812	{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe
2496	{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe
3076	{272865DD-F007-4b90-8503-9149551330F2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9396704A-BB88-458c-8AFE-F526EE186040}.exe	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe
File created	C:\Windows\{729690E5-1D28-436c-A2B9-5C052530C89E}.exe	{9396704A-BB88-458c-8AFE-F526EE186040}.exe
File created	C:\Windows\{F066F529-0645-4911-A8D8-8DA50D017681}.exe	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe
File created	C:\Windows\{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe	{F066F529-0645-4911-A8D8-8DA50D017681}.exe
File created	C:\Windows\{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe	{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe
File created	C:\Windows\{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe
File created	C:\Windows\{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe
File created	C:\Windows\{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe
File created	C:\Windows\{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe
File created	C:\Windows\{272865DD-F007-4b90-8503-9149551330F2}.exe	{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe
File created	C:\Windows\{D8424020-389E-4a63-A7EF-F884039DFD18}.exe	4ef18495bd07b6exeexe_JC.exe
File created	C:\Windows\{71399030-2EBA-41e8-9F48-81A962FCB668}.exe	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2868	4ef18495bd07b6exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	4920	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe
Token: SeIncBasePriorityPrivilege	3948	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe
Token: SeIncBasePriorityPrivilege	5056	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe
Token: SeIncBasePriorityPrivilege	4888	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe
Token: SeIncBasePriorityPrivilege	1948	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe
Token: SeIncBasePriorityPrivilege	3192	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe
Token: SeIncBasePriorityPrivilege	1704	{9396704A-BB88-458c-8AFE-F526EE186040}.exe
Token: SeIncBasePriorityPrivilege	4708	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe
Token: SeIncBasePriorityPrivilege	5032	{F066F529-0645-4911-A8D8-8DA50D017681}.exe
Token: SeIncBasePriorityPrivilege	3812	{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe
Token: SeIncBasePriorityPrivilege	2496	{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4920	2868	4ef18495bd07b6exeexe_JC.exe	96
PID 2868 wrote to memory of 4920	2868	4ef18495bd07b6exeexe_JC.exe	96
PID 2868 wrote to memory of 4920	2868	4ef18495bd07b6exeexe_JC.exe	96
PID 2868 wrote to memory of 3932	2868	4ef18495bd07b6exeexe_JC.exe	97
PID 2868 wrote to memory of 3932	2868	4ef18495bd07b6exeexe_JC.exe	97
PID 2868 wrote to memory of 3932	2868	4ef18495bd07b6exeexe_JC.exe	97
PID 4920 wrote to memory of 3948	4920	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe	98
PID 4920 wrote to memory of 3948	4920	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe	98
PID 4920 wrote to memory of 3948	4920	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe	98
PID 4920 wrote to memory of 2752	4920	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe	99
PID 4920 wrote to memory of 2752	4920	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe	99
PID 4920 wrote to memory of 2752	4920	{D8424020-389E-4a63-A7EF-F884039DFD18}.exe	99
PID 3948 wrote to memory of 5056	3948	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe	102
PID 3948 wrote to memory of 5056	3948	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe	102
PID 3948 wrote to memory of 5056	3948	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe	102
PID 3948 wrote to memory of 4236	3948	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe	101
PID 3948 wrote to memory of 4236	3948	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe	101
PID 3948 wrote to memory of 4236	3948	{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe	101
PID 5056 wrote to memory of 4888	5056	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe	103
PID 5056 wrote to memory of 4888	5056	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe	103
PID 5056 wrote to memory of 4888	5056	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe	103
PID 5056 wrote to memory of 2424	5056	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe	104
PID 5056 wrote to memory of 2424	5056	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe	104
PID 5056 wrote to memory of 2424	5056	{71399030-2EBA-41e8-9F48-81A962FCB668}.exe	104
PID 4888 wrote to memory of 1948	4888	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe	105
PID 4888 wrote to memory of 1948	4888	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe	105
PID 4888 wrote to memory of 1948	4888	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe	105
PID 4888 wrote to memory of 3480	4888	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe	106
PID 4888 wrote to memory of 3480	4888	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe	106
PID 4888 wrote to memory of 3480	4888	{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe	106
PID 1948 wrote to memory of 3192	1948	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe	107
PID 1948 wrote to memory of 3192	1948	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe	107
PID 1948 wrote to memory of 3192	1948	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe	107
PID 1948 wrote to memory of 4332	1948	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe	108
PID 1948 wrote to memory of 4332	1948	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe	108
PID 1948 wrote to memory of 4332	1948	{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe	108
PID 3192 wrote to memory of 1704	3192	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe	109
PID 3192 wrote to memory of 1704	3192	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe	109
PID 3192 wrote to memory of 1704	3192	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe	109
PID 3192 wrote to memory of 1792	3192	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe	110
PID 3192 wrote to memory of 1792	3192	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe	110
PID 3192 wrote to memory of 1792	3192	{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe	110
PID 1704 wrote to memory of 4708	1704	{9396704A-BB88-458c-8AFE-F526EE186040}.exe	111
PID 1704 wrote to memory of 4708	1704	{9396704A-BB88-458c-8AFE-F526EE186040}.exe	111
PID 1704 wrote to memory of 4708	1704	{9396704A-BB88-458c-8AFE-F526EE186040}.exe	111
PID 1704 wrote to memory of 216	1704	{9396704A-BB88-458c-8AFE-F526EE186040}.exe	112
PID 1704 wrote to memory of 216	1704	{9396704A-BB88-458c-8AFE-F526EE186040}.exe	112
PID 1704 wrote to memory of 216	1704	{9396704A-BB88-458c-8AFE-F526EE186040}.exe	112
PID 4708 wrote to memory of 5032	4708	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe	113
PID 4708 wrote to memory of 5032	4708	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe	113
PID 4708 wrote to memory of 5032	4708	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe	113
PID 4708 wrote to memory of 1716	4708	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe	114
PID 4708 wrote to memory of 1716	4708	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe	114
PID 4708 wrote to memory of 1716	4708	{729690E5-1D28-436c-A2B9-5C052530C89E}.exe	114
PID 5032 wrote to memory of 3812	5032	{F066F529-0645-4911-A8D8-8DA50D017681}.exe	115
PID 5032 wrote to memory of 3812	5032	{F066F529-0645-4911-A8D8-8DA50D017681}.exe	115
PID 5032 wrote to memory of 3812	5032	{F066F529-0645-4911-A8D8-8DA50D017681}.exe	115
PID 5032 wrote to memory of 2940	5032	{F066F529-0645-4911-A8D8-8DA50D017681}.exe	116
PID 5032 wrote to memory of 2940	5032	{F066F529-0645-4911-A8D8-8DA50D017681}.exe	116
PID 5032 wrote to memory of 2940	5032	{F066F529-0645-4911-A8D8-8DA50D017681}.exe	116
PID 3812 wrote to memory of 2496	3812	{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe	117
PID 3812 wrote to memory of 2496	3812	{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe	117
PID 3812 wrote to memory of 2496	3812	{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe	117
PID 3812 wrote to memory of 2592	3812	{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe	118

C:\Users\Admin\AppData\Local\Temp\4ef18495bd07b6exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4ef18495bd07b6exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Windows\{D8424020-389E-4a63-A7EF-F884039DFD18}.exe
  C:\Windows\{D8424020-389E-4a63-A7EF-F884039DFD18}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4920
- - C:\Windows\{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe
    C:\Windows\{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{74853~1.EXE > nul
      4⤵
      PID:4236
  - - C:\Windows\{71399030-2EBA-41e8-9F48-81A962FCB668}.exe
      C:\Windows\{71399030-2EBA-41e8-9F48-81A962FCB668}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5056
    - - C:\Windows\{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe
        
        C:\Windows\{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
      - C:\Windows\{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe
        
        C:\Windows\{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe
        
        C:\Windows\{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3192
        
        C:\Windows\{9396704A-BB88-458c-8AFE-F526EE186040}.exe
        
        C:\Windows\{9396704A-BB88-458c-8AFE-F526EE186040}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\{729690E5-1D28-436c-A2B9-5C052530C89E}.exe
        
        C:\Windows\{729690E5-1D28-436c-A2B9-5C052530C89E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\{F066F529-0645-4911-A8D8-8DA50D017681}.exe
        
        C:\Windows\{F066F529-0645-4911-A8D8-8DA50D017681}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe
        
        C:\Windows\{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3812
        
        C:\Windows\{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe
        
        C:\Windows\{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\{272865DD-F007-4b90-8503-9149551330F2}.exe
        
        C:\Windows\{272865DD-F007-4b90-8503-9149551330F2}.exe
        13⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{063A7~1.EXE > nul
        13⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E577~1.EXE > nul
        12⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F066F~1.EXE > nul
        11⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72969~1.EXE > nul
        10⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93967~1.EXE > nul
        9⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D868~1.EXE > nul
        8⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{530D0~1.EXE > nul
        7⤵
        
        PID:4332
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0684C~1.EXE > nul
        6⤵
        
        PID:3480
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71399~1.EXE > nul
        5⤵
        
        PID:2424
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D8424~1.EXE > nul
    3⤵
    PID:2752
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4EF184~1.EXE > nul
  2⤵
  PID:3932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe

Filesize
168KB

MD5
529a689400a35e672e66159a4ee4a5c3

SHA1
17284b6f6e9d0a91177bfd096ca5911103b33bf6

SHA256
9e4b73a277273e15370c3dcd97cc83f2732ab002697c43abfd92614999bdd0d5

SHA512
1312c42e4379e9095be74f197a58258f512931e732a0ec0b2ebc4a3b5dce6d8f512fd84e9f5348153e6ecbb09fc761b855c1096e86eabbceaccd132bc0fa4744

Download Submit
C:\Windows\{063A791D-3D66-48fd-9A5C-DE2AAEB724EE}.exe

Filesize
168KB

MD5
529a689400a35e672e66159a4ee4a5c3

SHA1
17284b6f6e9d0a91177bfd096ca5911103b33bf6

SHA256
9e4b73a277273e15370c3dcd97cc83f2732ab002697c43abfd92614999bdd0d5

SHA512
1312c42e4379e9095be74f197a58258f512931e732a0ec0b2ebc4a3b5dce6d8f512fd84e9f5348153e6ecbb09fc761b855c1096e86eabbceaccd132bc0fa4744

Download Submit
C:\Windows\{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe

Filesize
168KB

MD5
4d0209eb6762ea8a214fd3c362dfeae4

SHA1
6f9da44899f58ddb8039acc17feac92ae270b815

SHA256
3a354f9c837885628223c711434391606919e2867bc2e638fc52484ca55ebe96

SHA512
709dbd6af0ac5318fb08884f0575f09547447f5bead55820395351f1c9a5d189370b6c6e52ef4dbd15fe63a7bce78b45df53c53a13432d3ecbf89ceac01b827a

Download Submit
C:\Windows\{0684CB6C-F535-4ddd-9DAC-FFC3D775CB9A}.exe

Filesize
168KB

MD5
4d0209eb6762ea8a214fd3c362dfeae4

SHA1
6f9da44899f58ddb8039acc17feac92ae270b815

SHA256
3a354f9c837885628223c711434391606919e2867bc2e638fc52484ca55ebe96

SHA512
709dbd6af0ac5318fb08884f0575f09547447f5bead55820395351f1c9a5d189370b6c6e52ef4dbd15fe63a7bce78b45df53c53a13432d3ecbf89ceac01b827a

Download Submit
C:\Windows\{272865DD-F007-4b90-8503-9149551330F2}.exe

Filesize
168KB

MD5
40ce99ea5b76ed74e50974d89cea07b7

SHA1
363f98452cd0a1364b448cf21e4b85262437bfc9

SHA256
866524d62f8a00d6543dd0c376749b9515754e21f21ed10766bf9e41cf4dda93

SHA512
4933521409b5dc1c4bd102fabee7f1bdc39f4d9394a54302b0ded3273c0c8031152d5e654d669e61761888bd87d493fc70d608e70f160c1043be62ba8adae4f9

Download Submit
C:\Windows\{272865DD-F007-4b90-8503-9149551330F2}.exe

Filesize
168KB

MD5
40ce99ea5b76ed74e50974d89cea07b7

SHA1
363f98452cd0a1364b448cf21e4b85262437bfc9

SHA256
866524d62f8a00d6543dd0c376749b9515754e21f21ed10766bf9e41cf4dda93

SHA512
4933521409b5dc1c4bd102fabee7f1bdc39f4d9394a54302b0ded3273c0c8031152d5e654d669e61761888bd87d493fc70d608e70f160c1043be62ba8adae4f9

Download Submit
C:\Windows\{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe

Filesize
168KB

MD5
be678f2a29daed9ce656368723d578fe

SHA1
a9a7c83e8c0282d23753e52a2ab66d77ef698480

SHA256
bce8dad257b2cf3911ebbca51ef1cea9c748b2ac840acfbcc3a81713bcf827df

SHA512
63ca09f011029f90ae76b6a04dc98fcf9765f60469fa7f22f770f314e12955d88dc25ba68f3cdf49f96ff2c50f8c08a61f5e5bb55114e02b1d5663f1778241dd

Download Submit
C:\Windows\{530D0B3C-7A0B-43a4-8D44-2A749212258C}.exe

Filesize
168KB

MD5
be678f2a29daed9ce656368723d578fe

SHA1
a9a7c83e8c0282d23753e52a2ab66d77ef698480

SHA256
bce8dad257b2cf3911ebbca51ef1cea9c748b2ac840acfbcc3a81713bcf827df

SHA512
63ca09f011029f90ae76b6a04dc98fcf9765f60469fa7f22f770f314e12955d88dc25ba68f3cdf49f96ff2c50f8c08a61f5e5bb55114e02b1d5663f1778241dd

Download Submit
C:\Windows\{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe

Filesize
168KB

MD5
773a5f8c82a952edf9000bbfcc3850a4

SHA1
4c8c35f9de1dff45b8c0d9255a3499d48b138283

SHA256
3b0c91399dbf4b5c7555b70a2409e2b3f1acbcc6b301c0fbbfcfea30e4a7b203

SHA512
35f36a503ecad11e77327b19caedd6277cdcf68049b55376f20c76d0b8b1f4a4bb82fd31e17d88be1782239c6b957b853df4b4f5d73173a12b06fe25e55a2487

Download Submit
C:\Windows\{5E577610-A016-46cf-8F8E-02F6AF1AB058}.exe

Filesize
168KB

MD5
773a5f8c82a952edf9000bbfcc3850a4

SHA1
4c8c35f9de1dff45b8c0d9255a3499d48b138283

SHA256
3b0c91399dbf4b5c7555b70a2409e2b3f1acbcc6b301c0fbbfcfea30e4a7b203

SHA512
35f36a503ecad11e77327b19caedd6277cdcf68049b55376f20c76d0b8b1f4a4bb82fd31e17d88be1782239c6b957b853df4b4f5d73173a12b06fe25e55a2487

Download Submit
C:\Windows\{71399030-2EBA-41e8-9F48-81A962FCB668}.exe

Filesize
168KB

MD5
30b199cea6392b33758376f0673f2e15

SHA1
2b6a69d39c4ab3c89e9ca00da156c9f426b5b31e

SHA256
23f9237ce191146aa69f954697b577f9d78b263866faf2ccb4e335843e399e72

SHA512
adad5644e17e89f771e514fb703d06d4af00f9a1da063691ecad53267c0906db155ad4b936744bb6f3cf21fb89cb44b9887426faae5e8d39e23f9b2803b469c8

Download Submit
C:\Windows\{71399030-2EBA-41e8-9F48-81A962FCB668}.exe

Filesize
168KB

MD5
30b199cea6392b33758376f0673f2e15

SHA1
2b6a69d39c4ab3c89e9ca00da156c9f426b5b31e

SHA256
23f9237ce191146aa69f954697b577f9d78b263866faf2ccb4e335843e399e72

SHA512
adad5644e17e89f771e514fb703d06d4af00f9a1da063691ecad53267c0906db155ad4b936744bb6f3cf21fb89cb44b9887426faae5e8d39e23f9b2803b469c8

Download Submit
C:\Windows\{71399030-2EBA-41e8-9F48-81A962FCB668}.exe

Filesize
168KB

MD5
30b199cea6392b33758376f0673f2e15

SHA1
2b6a69d39c4ab3c89e9ca00da156c9f426b5b31e

SHA256
23f9237ce191146aa69f954697b577f9d78b263866faf2ccb4e335843e399e72

SHA512
adad5644e17e89f771e514fb703d06d4af00f9a1da063691ecad53267c0906db155ad4b936744bb6f3cf21fb89cb44b9887426faae5e8d39e23f9b2803b469c8

Download Submit
C:\Windows\{729690E5-1D28-436c-A2B9-5C052530C89E}.exe

Filesize
168KB

MD5
24c0939d2985cda1c71ac817f0f6641a

SHA1
4b1590baea02b47fd99761b7c589893cc912c534

SHA256
0ba01483b072b01618ba93410d607eeb77301ea1a9ddc8b27ddfc63e32731eb1

SHA512
5c7349cb5d861856cff530262ff10dab55f93bd1611cfb3efa35c48c50a54836fb56777cba7b0a172d8cf0f5b6ace83a721a625d602e588059edacfe1418ea6a

Download Submit
C:\Windows\{729690E5-1D28-436c-A2B9-5C052530C89E}.exe

Filesize
168KB

MD5
24c0939d2985cda1c71ac817f0f6641a

SHA1
4b1590baea02b47fd99761b7c589893cc912c534

SHA256
0ba01483b072b01618ba93410d607eeb77301ea1a9ddc8b27ddfc63e32731eb1

SHA512
5c7349cb5d861856cff530262ff10dab55f93bd1611cfb3efa35c48c50a54836fb56777cba7b0a172d8cf0f5b6ace83a721a625d602e588059edacfe1418ea6a

Download Submit
C:\Windows\{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe

Filesize
168KB

MD5
bca3bbfda8feb2dbbe062b628e1b4c00

SHA1
986fa391774790972cc0eb744a541cf5ab1a889c

SHA256
87495a78c2127b9aa348c85652e05e6197d92d13f2f05871987728f857c38c2d

SHA512
2a685d3f30da4aa04125fe801f2db00acd5b09deb62ecbbffec0e3e7f5adbdbccfeab6bd98ac4dc2a49efb937e4aa12e168d5a9f13a53db9d8ab02667fd676af

Download Submit
C:\Windows\{74853A44-9F17-4a56-B0AF-5F5A9972D324}.exe

Filesize
168KB

MD5
bca3bbfda8feb2dbbe062b628e1b4c00

SHA1
986fa391774790972cc0eb744a541cf5ab1a889c

SHA256
87495a78c2127b9aa348c85652e05e6197d92d13f2f05871987728f857c38c2d

SHA512
2a685d3f30da4aa04125fe801f2db00acd5b09deb62ecbbffec0e3e7f5adbdbccfeab6bd98ac4dc2a49efb937e4aa12e168d5a9f13a53db9d8ab02667fd676af

Download Submit
C:\Windows\{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe

Filesize
168KB

MD5
0d1c55894d1f0b5f35abd9221b52cc5e

SHA1
88e9629b5a0a82f746df1611f023d6a58d8b6577

SHA256
b566d4ec1c888304717ec56904cbeb47f7303019c16f3763ef2c07eaf422380b

SHA512
92a80484db93db9d8094b4e13a6528ef2fbf0117f62cbd6a5772c254f06e3e7850507d014b73b036e002d4014ba6e78df363d6f82a5009878f6ae84685a4072e

Download Submit
C:\Windows\{7D868EEB-6D8D-4107-BD9E-0A73946F1531}.exe

Filesize
168KB

MD5
0d1c55894d1f0b5f35abd9221b52cc5e

SHA1
88e9629b5a0a82f746df1611f023d6a58d8b6577

SHA256
b566d4ec1c888304717ec56904cbeb47f7303019c16f3763ef2c07eaf422380b

SHA512
92a80484db93db9d8094b4e13a6528ef2fbf0117f62cbd6a5772c254f06e3e7850507d014b73b036e002d4014ba6e78df363d6f82a5009878f6ae84685a4072e

Download Submit
C:\Windows\{9396704A-BB88-458c-8AFE-F526EE186040}.exe

Filesize
168KB

MD5
9c601676200d9a55c50ca14c1386fd6f

SHA1
53ec1370d681cfee68218848e218693a56dd53da

SHA256
ff0d9f80f18455cb5a5022cf44c517440ba7a49293aa437d15d89991946d60ea

SHA512
d8776639c230433b60b413b23c56a01581ae0c6ba5a1442fe5c01e668b4a9ff5706ca880a03d010b9dbca1dbae6bf4b1157e02535e07d90da54a4f8652ce97dc

Download Submit
C:\Windows\{9396704A-BB88-458c-8AFE-F526EE186040}.exe

Filesize
168KB

MD5
9c601676200d9a55c50ca14c1386fd6f

SHA1
53ec1370d681cfee68218848e218693a56dd53da

SHA256
ff0d9f80f18455cb5a5022cf44c517440ba7a49293aa437d15d89991946d60ea

SHA512
d8776639c230433b60b413b23c56a01581ae0c6ba5a1442fe5c01e668b4a9ff5706ca880a03d010b9dbca1dbae6bf4b1157e02535e07d90da54a4f8652ce97dc

Download Submit
C:\Windows\{D8424020-389E-4a63-A7EF-F884039DFD18}.exe

Filesize
168KB

MD5
6232267aef6dbf18171001c467c35657

SHA1
14ebaa840dbe743167e62289416fdbb38de7f3fc

SHA256
a845d3d8f067c82d9b405576d6d95b3ff0b236be6178f294f0e8bd9f3c8a9a7a

SHA512
d2d278c0c194d5190e3281f86417d3e1a409d9e1e36deeefbe3db4162bd3e2c14fd25b4b90f919427147f599c0457e9c17070b899bfae0d15bab73181dbf2e51

Download Submit
C:\Windows\{D8424020-389E-4a63-A7EF-F884039DFD18}.exe

Filesize
168KB

MD5
6232267aef6dbf18171001c467c35657

SHA1
14ebaa840dbe743167e62289416fdbb38de7f3fc

SHA256
a845d3d8f067c82d9b405576d6d95b3ff0b236be6178f294f0e8bd9f3c8a9a7a

SHA512
d2d278c0c194d5190e3281f86417d3e1a409d9e1e36deeefbe3db4162bd3e2c14fd25b4b90f919427147f599c0457e9c17070b899bfae0d15bab73181dbf2e51

Download Submit
C:\Windows\{F066F529-0645-4911-A8D8-8DA50D017681}.exe

Filesize
168KB

MD5
0f57c9b9f25a9f83dde893b4f8fb6210

SHA1
bcbe03e28215323e3d52adb5ee8cff4b153fc29f

SHA256
90ef2c9856ada2038b45e23563e0e221b1c5524534d50f874754ae2df585bb37

SHA512
4a58035c039fb5694d37c8dfa6a2edf87a9809d4d73c52910e072bbf4daa10d250bf8f904aae5910c8bb4196654016ac89079f7e00bc382cf7fd7c75004e9a6a

Download Submit
C:\Windows\{F066F529-0645-4911-A8D8-8DA50D017681}.exe

Filesize
168KB

MD5
0f57c9b9f25a9f83dde893b4f8fb6210

SHA1
bcbe03e28215323e3d52adb5ee8cff4b153fc29f

SHA256
90ef2c9856ada2038b45e23563e0e221b1c5524534d50f874754ae2df585bb37

SHA512
4a58035c039fb5694d37c8dfa6a2edf87a9809d4d73c52910e072bbf4daa10d250bf8f904aae5910c8bb4196654016ac89079f7e00bc382cf7fd7c75004e9a6a

Download Submit