c895d8f7f9a83765e8edbf00302b6715d2ace0f61f54488045b5c18a83ddad47

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2023, 13:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4bb145baa7b37dexeexe_JC.exe
Size

168KB
MD5

4bb145baa7b37d1e658b2a3279f3d648
SHA1

74769720b0abb13e0ead58661b8fd9b9defc4783
SHA256

c895d8f7f9a83765e8edbf00302b6715d2ace0f61f54488045b5c18a83ddad47
SHA512

cefbade7b850f9a11f2e531e01f66306bc44cc7cf46f1068608334fe6c7346b44e45a9b96a61ff75fed80aa3ec4b72c01ecfa10daae3adf1d8024a6ba2202e16
SSDEEP

1536:1EGh0oelq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oelqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2881070-CF79-4336-A927-04E6D018CC00}\stubpath = "C:\\Windows\\{B2881070-CF79-4336-A927-04E6D018CC00}.exe"	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}\stubpath = "C:\\Windows\\{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe"	{B2881070-CF79-4336-A927-04E6D018CC00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{377BDA63-60B8-4959-923A-5039191C0F44}	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{377BDA63-60B8-4959-923A-5039191C0F44}\stubpath = "C:\\Windows\\{377BDA63-60B8-4959-923A-5039191C0F44}.exe"	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}\stubpath = "C:\\Windows\\{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe"	{377BDA63-60B8-4959-923A-5039191C0F44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C5670BC-3550-4f30-B324-034341047044}	4bb145baa7b37dexeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C5670BC-3550-4f30-B324-034341047044}\stubpath = "C:\\Windows\\{7C5670BC-3550-4f30-B324-034341047044}.exe"	4bb145baa7b37dexeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D83CBC62-52C9-4e4d-9F95-E996366AC723}\stubpath = "C:\\Windows\\{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe"	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}\stubpath = "C:\\Windows\\{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe"	{AB965B72-F645-48ce-B249-11AFD6725F15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}	{B2881070-CF79-4336-A927-04E6D018CC00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}	{377BDA63-60B8-4959-923A-5039191C0F44}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D417678C-F9EE-4a3c-97CF-C77A5450A083}	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D417678C-F9EE-4a3c-97CF-C77A5450A083}\stubpath = "C:\\Windows\\{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe"	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2881070-CF79-4336-A927-04E6D018CC00}	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}	{AB965B72-F645-48ce-B249-11AFD6725F15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53E99854-FADC-49ae-8F93-50CDA87BA0AF}\stubpath = "C:\\Windows\\{53E99854-FADC-49ae-8F93-50CDA87BA0AF}.exe"	{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}	{7C5670BC-3550-4f30-B324-034341047044}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}\stubpath = "C:\\Windows\\{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe"	{7C5670BC-3550-4f30-B324-034341047044}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB965B72-F645-48ce-B249-11AFD6725F15}	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB965B72-F645-48ce-B249-11AFD6725F15}\stubpath = "C:\\Windows\\{AB965B72-F645-48ce-B249-11AFD6725F15}.exe"	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53E99854-FADC-49ae-8F93-50CDA87BA0AF}	{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D83CBC62-52C9-4e4d-9F95-E996366AC723}	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66B3E6E9-BA93-4c14-BB07-BF151D92824B}	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{66B3E6E9-BA93-4c14-BB07-BF151D92824B}\stubpath = "C:\\Windows\\{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe"	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe

Executes dropped EXE 12 IoCs

pid	Process
4572	{7C5670BC-3550-4f30-B324-034341047044}.exe
3516	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe
4008	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe
2588	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe
1864	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe
1680	{B2881070-CF79-4336-A927-04E6D018CC00}.exe
816	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe
4968	{377BDA63-60B8-4959-923A-5039191C0F44}.exe
824	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe
3852	{AB965B72-F645-48ce-B249-11AFD6725F15}.exe
2776	{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe
3040	{53E99854-FADC-49ae-8F93-50CDA87BA0AF}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{53E99854-FADC-49ae-8F93-50CDA87BA0AF}.exe	{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe
File created	C:\Windows\{7C5670BC-3550-4f30-B324-034341047044}.exe	4bb145baa7b37dexeexe_JC.exe
File created	C:\Windows\{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe	{7C5670BC-3550-4f30-B324-034341047044}.exe
File created	C:\Windows\{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe
File created	C:\Windows\{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe	{377BDA63-60B8-4959-923A-5039191C0F44}.exe
File created	C:\Windows\{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe	{AB965B72-F645-48ce-B249-11AFD6725F15}.exe
File created	C:\Windows\{AB965B72-F645-48ce-B249-11AFD6725F15}.exe	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe
File created	C:\Windows\{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe
File created	C:\Windows\{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe
File created	C:\Windows\{B2881070-CF79-4336-A927-04E6D018CC00}.exe	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe
File created	C:\Windows\{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe	{B2881070-CF79-4336-A927-04E6D018CC00}.exe
File created	C:\Windows\{377BDA63-60B8-4959-923A-5039191C0F44}.exe	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4548	4bb145baa7b37dexeexe_JC.exe
Token: SeIncBasePriorityPrivilege	4572	{7C5670BC-3550-4f30-B324-034341047044}.exe
Token: SeIncBasePriorityPrivilege	3516	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe
Token: SeIncBasePriorityPrivilege	4008	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe
Token: SeIncBasePriorityPrivilege	2588	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe
Token: SeIncBasePriorityPrivilege	1864	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe
Token: SeIncBasePriorityPrivilege	1680	{B2881070-CF79-4336-A927-04E6D018CC00}.exe
Token: SeIncBasePriorityPrivilege	816	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe
Token: SeIncBasePriorityPrivilege	4968	{377BDA63-60B8-4959-923A-5039191C0F44}.exe
Token: SeIncBasePriorityPrivilege	824	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe
Token: SeIncBasePriorityPrivilege	3852	{AB965B72-F645-48ce-B249-11AFD6725F15}.exe
Token: SeIncBasePriorityPrivilege	2776	{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 4572	4548	4bb145baa7b37dexeexe_JC.exe	91
PID 4548 wrote to memory of 4572	4548	4bb145baa7b37dexeexe_JC.exe	91
PID 4548 wrote to memory of 4572	4548	4bb145baa7b37dexeexe_JC.exe	91
PID 4548 wrote to memory of 4616	4548	4bb145baa7b37dexeexe_JC.exe	92
PID 4548 wrote to memory of 4616	4548	4bb145baa7b37dexeexe_JC.exe	92
PID 4548 wrote to memory of 4616	4548	4bb145baa7b37dexeexe_JC.exe	92
PID 4572 wrote to memory of 3516	4572	{7C5670BC-3550-4f30-B324-034341047044}.exe	94
PID 4572 wrote to memory of 3516	4572	{7C5670BC-3550-4f30-B324-034341047044}.exe	94
PID 4572 wrote to memory of 3516	4572	{7C5670BC-3550-4f30-B324-034341047044}.exe	94
PID 4572 wrote to memory of 1388	4572	{7C5670BC-3550-4f30-B324-034341047044}.exe	95
PID 4572 wrote to memory of 1388	4572	{7C5670BC-3550-4f30-B324-034341047044}.exe	95
PID 4572 wrote to memory of 1388	4572	{7C5670BC-3550-4f30-B324-034341047044}.exe	95
PID 3516 wrote to memory of 4008	3516	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe	98
PID 3516 wrote to memory of 4008	3516	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe	98
PID 3516 wrote to memory of 4008	3516	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe	98
PID 3516 wrote to memory of 4828	3516	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe	99
PID 3516 wrote to memory of 4828	3516	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe	99
PID 3516 wrote to memory of 4828	3516	{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe	99
PID 4008 wrote to memory of 2588	4008	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe	100
PID 4008 wrote to memory of 2588	4008	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe	100
PID 4008 wrote to memory of 2588	4008	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe	100
PID 4008 wrote to memory of 1876	4008	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe	101
PID 4008 wrote to memory of 1876	4008	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe	101
PID 4008 wrote to memory of 1876	4008	{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe	101
PID 2588 wrote to memory of 1864	2588	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe	102
PID 2588 wrote to memory of 1864	2588	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe	102
PID 2588 wrote to memory of 1864	2588	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe	102
PID 2588 wrote to memory of 4200	2588	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe	103
PID 2588 wrote to memory of 4200	2588	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe	103
PID 2588 wrote to memory of 4200	2588	{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe	103
PID 1864 wrote to memory of 1680	1864	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe	105
PID 1864 wrote to memory of 1680	1864	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe	105
PID 1864 wrote to memory of 1680	1864	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe	105
PID 1864 wrote to memory of 1596	1864	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe	106
PID 1864 wrote to memory of 1596	1864	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe	106
PID 1864 wrote to memory of 1596	1864	{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe	106
PID 1680 wrote to memory of 816	1680	{B2881070-CF79-4336-A927-04E6D018CC00}.exe	107
PID 1680 wrote to memory of 816	1680	{B2881070-CF79-4336-A927-04E6D018CC00}.exe	107
PID 1680 wrote to memory of 816	1680	{B2881070-CF79-4336-A927-04E6D018CC00}.exe	107
PID 1680 wrote to memory of 4188	1680	{B2881070-CF79-4336-A927-04E6D018CC00}.exe	108
PID 1680 wrote to memory of 4188	1680	{B2881070-CF79-4336-A927-04E6D018CC00}.exe	108
PID 1680 wrote to memory of 4188	1680	{B2881070-CF79-4336-A927-04E6D018CC00}.exe	108
PID 816 wrote to memory of 4968	816	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe	109
PID 816 wrote to memory of 4968	816	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe	109
PID 816 wrote to memory of 4968	816	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe	109
PID 816 wrote to memory of 2464	816	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe	110
PID 816 wrote to memory of 2464	816	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe	110
PID 816 wrote to memory of 2464	816	{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe	110
PID 4968 wrote to memory of 824	4968	{377BDA63-60B8-4959-923A-5039191C0F44}.exe	118
PID 4968 wrote to memory of 824	4968	{377BDA63-60B8-4959-923A-5039191C0F44}.exe	118
PID 4968 wrote to memory of 824	4968	{377BDA63-60B8-4959-923A-5039191C0F44}.exe	118
PID 4968 wrote to memory of 552	4968	{377BDA63-60B8-4959-923A-5039191C0F44}.exe	119
PID 4968 wrote to memory of 552	4968	{377BDA63-60B8-4959-923A-5039191C0F44}.exe	119
PID 4968 wrote to memory of 552	4968	{377BDA63-60B8-4959-923A-5039191C0F44}.exe	119
PID 824 wrote to memory of 3852	824	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe	120
PID 824 wrote to memory of 3852	824	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe	120
PID 824 wrote to memory of 3852	824	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe	120
PID 824 wrote to memory of 1900	824	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe	121
PID 824 wrote to memory of 1900	824	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe	121
PID 824 wrote to memory of 1900	824	{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe	121
PID 3852 wrote to memory of 2776	3852	{AB965B72-F645-48ce-B249-11AFD6725F15}.exe	123
PID 3852 wrote to memory of 2776	3852	{AB965B72-F645-48ce-B249-11AFD6725F15}.exe	123
PID 3852 wrote to memory of 2776	3852	{AB965B72-F645-48ce-B249-11AFD6725F15}.exe	123
PID 3852 wrote to memory of 4716	3852	{AB965B72-F645-48ce-B249-11AFD6725F15}.exe	122

C:\Users\Admin\AppData\Local\Temp\4bb145baa7b37dexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\4bb145baa7b37dexeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\{7C5670BC-3550-4f30-B324-034341047044}.exe
  C:\Windows\{7C5670BC-3550-4f30-B324-034341047044}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe
    C:\Windows\{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe
      C:\Windows\{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4008
    - - C:\Windows\{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe
        
        C:\Windows\{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe
        
        C:\Windows\{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\{B2881070-CF79-4336-A927-04E6D018CC00}.exe
        
        C:\Windows\{B2881070-CF79-4336-A927-04E6D018CC00}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe
        
        C:\Windows\{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:816
        
        C:\Windows\{377BDA63-60B8-4959-923A-5039191C0F44}.exe
        
        C:\Windows\{377BDA63-60B8-4959-923A-5039191C0F44}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe
        
        C:\Windows\{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\{AB965B72-F645-48ce-B249-11AFD6725F15}.exe
        
        C:\Windows\{AB965B72-F645-48ce-B249-11AFD6725F15}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB965~1.EXE > nul
        12⤵
        
        PID:4716
        
        C:\Windows\{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe
        
        C:\Windows\{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\{53E99854-FADC-49ae-8F93-50CDA87BA0AF}.exe
        
        C:\Windows\{53E99854-FADC-49ae-8F93-50CDA87BA0AF}.exe
        13⤵
        Executes dropped EXE
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1BC1E~1.EXE > nul
        13⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF0BE~1.EXE > nul
        11⤵
        
        PID:1900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{377BD~1.EXE > nul
        10⤵
        
        PID:552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{73E7F~1.EXE > nul
        9⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2881~1.EXE > nul
        8⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{66B3E~1.EXE > nul
        7⤵
        
        PID:1596
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4176~1.EXE > nul
        6⤵
        
        PID:4200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D83CB~1.EXE > nul
        5⤵
        
        PID:1876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1A25A~1.EXE > nul
      4⤵
      PID:4828
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7C567~1.EXE > nul
    3⤵
    PID:1388
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\4BB145~1.EXE > nul
  2⤵
  PID:4616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe

Filesize
168KB

MD5
1af2a580a94f00478aaa571b9086e454

SHA1
d1416c964987ab0af3994f30f461971cd3f40dba

SHA256
384a00be2782c741c2b0d52efac75408c40f1fcb7ab1f5baeeae6d95aec247ca

SHA512
32c1d95e926b1a7f8dcac5263b577998610d3b22598b98473fcff155f4f75601413916a691f5b40fd8e93daa21c1e3bf834f21fcb1bf26e01044e6ed51a12554

Download Submit
C:\Windows\{1A25AEFF-1B37-4ef6-96AC-1A03A8B0EAB9}.exe

Filesize
168KB

MD5
1af2a580a94f00478aaa571b9086e454

SHA1
d1416c964987ab0af3994f30f461971cd3f40dba

SHA256
384a00be2782c741c2b0d52efac75408c40f1fcb7ab1f5baeeae6d95aec247ca

SHA512
32c1d95e926b1a7f8dcac5263b577998610d3b22598b98473fcff155f4f75601413916a691f5b40fd8e93daa21c1e3bf834f21fcb1bf26e01044e6ed51a12554

Download Submit
C:\Windows\{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe

Filesize
168KB

MD5
ca4003afb92bb606ce79cd72a6dba7e7

SHA1
92f576bb57ab35f1d0494d555d1f7f46d826b58e

SHA256
d05e955a6a14005284af105bcfacd190bb7a876793631211b916bda63931d314

SHA512
9cafab5eb53cae850fe38ad6c58fc61725baf8a197cfa014153bf5955992fdcc0eed429c8357b285e7148dc3f761adf573e6105808ef6a252732142e60f549fb

Download Submit
C:\Windows\{1BC1ED87-2E23-4d2e-B32B-1F28C702A641}.exe

Filesize
168KB

MD5
ca4003afb92bb606ce79cd72a6dba7e7

SHA1
92f576bb57ab35f1d0494d555d1f7f46d826b58e

SHA256
d05e955a6a14005284af105bcfacd190bb7a876793631211b916bda63931d314

SHA512
9cafab5eb53cae850fe38ad6c58fc61725baf8a197cfa014153bf5955992fdcc0eed429c8357b285e7148dc3f761adf573e6105808ef6a252732142e60f549fb

Download Submit
C:\Windows\{377BDA63-60B8-4959-923A-5039191C0F44}.exe

Filesize
168KB

MD5
1bf0487b5531176d6a6356b591480003

SHA1
b17d13bbf7223b31783071ce6edf28db700fa9b5

SHA256
3fbb1033ea27ed1ff1d182291b8f6bd7ad84a75693e52d96bab9df7919d26ed6

SHA512
eb836cfb2b525094d80fe67c762306e8640e0771bfd691bf4c0eefeb1e93574e9f3a732e5f791891def2c2d53a3e7f2ad4a873b511f041ebfa77f174bd8d7a26

Download Submit
C:\Windows\{377BDA63-60B8-4959-923A-5039191C0F44}.exe

Filesize
168KB

MD5
1bf0487b5531176d6a6356b591480003

SHA1
b17d13bbf7223b31783071ce6edf28db700fa9b5

SHA256
3fbb1033ea27ed1ff1d182291b8f6bd7ad84a75693e52d96bab9df7919d26ed6

SHA512
eb836cfb2b525094d80fe67c762306e8640e0771bfd691bf4c0eefeb1e93574e9f3a732e5f791891def2c2d53a3e7f2ad4a873b511f041ebfa77f174bd8d7a26

Download Submit
C:\Windows\{53E99854-FADC-49ae-8F93-50CDA87BA0AF}.exe

Filesize
168KB

MD5
2fb64b3255f67424bb7f65dd9e8f8fa4

SHA1
c4a81cd8ba9ad7cbde2bab7796fed32d9c8fe6b8

SHA256
fb75ddf9e468355111eecfdad98a9af1fcdfe0d8ed097f9b620e1970ce3b2326

SHA512
099a26e2c807e065da826c5c780b0de2ecca2193bcd7d7fa93a1402f8d7b0a000a1651f4a72666653f751cb42a2b92c23564f7a40ead14116c34c95dba88911a

Download Submit
C:\Windows\{53E99854-FADC-49ae-8F93-50CDA87BA0AF}.exe

Filesize
168KB

MD5
2fb64b3255f67424bb7f65dd9e8f8fa4

SHA1
c4a81cd8ba9ad7cbde2bab7796fed32d9c8fe6b8

SHA256
fb75ddf9e468355111eecfdad98a9af1fcdfe0d8ed097f9b620e1970ce3b2326

SHA512
099a26e2c807e065da826c5c780b0de2ecca2193bcd7d7fa93a1402f8d7b0a000a1651f4a72666653f751cb42a2b92c23564f7a40ead14116c34c95dba88911a

Download Submit
C:\Windows\{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe

Filesize
168KB

MD5
121a924b92cef8f3d9651519d9a37273

SHA1
a5a5a822380c71ae6c71b6d33471fe64eb7da1ab

SHA256
84c4a165ff0ce1a7884ee32c327484f0a4ebbfa694537eb94826e3be55265c5a

SHA512
4ce5df87c0bcc9fecc71fbed44a82a3a662b05e670b529cf78cfc05ca386c0c44ffe4411c6e4436fd492717494b9d2c2e821edc4ba91a66c07cb6fba15308a3c

Download Submit
C:\Windows\{66B3E6E9-BA93-4c14-BB07-BF151D92824B}.exe

Filesize
168KB

MD5
121a924b92cef8f3d9651519d9a37273

SHA1
a5a5a822380c71ae6c71b6d33471fe64eb7da1ab

SHA256
84c4a165ff0ce1a7884ee32c327484f0a4ebbfa694537eb94826e3be55265c5a

SHA512
4ce5df87c0bcc9fecc71fbed44a82a3a662b05e670b529cf78cfc05ca386c0c44ffe4411c6e4436fd492717494b9d2c2e821edc4ba91a66c07cb6fba15308a3c

Download Submit
C:\Windows\{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe

Filesize
168KB

MD5
c200968532afc611d8df901680cfd05e

SHA1
4fe1f1490d71b8fcf6fdae232110a5de23c81312

SHA256
d4850e5a4ac0fc25243ccfdcd48f21a58601c20f5ef1baaa7ab1dafb994ecf44

SHA512
91fb8355939ce5f20f9c5d01ee73fa5b7f174406b2a632443ab60da93e69f0fdcc838be726d9557bd89657ee7a9d716753dd694b1d6c66db91bad6aa46501951

Download Submit
C:\Windows\{73E7FC96-DF5D-4a1b-8AD1-73EB2AE8982E}.exe

Filesize
168KB

MD5
c200968532afc611d8df901680cfd05e

SHA1
4fe1f1490d71b8fcf6fdae232110a5de23c81312

SHA256
d4850e5a4ac0fc25243ccfdcd48f21a58601c20f5ef1baaa7ab1dafb994ecf44

SHA512
91fb8355939ce5f20f9c5d01ee73fa5b7f174406b2a632443ab60da93e69f0fdcc838be726d9557bd89657ee7a9d716753dd694b1d6c66db91bad6aa46501951

Download Submit
C:\Windows\{7C5670BC-3550-4f30-B324-034341047044}.exe

Filesize
168KB

MD5
06edb74e1b8df81d0cce5864f0216f60

SHA1
ff4b68ddd4ee438f969900c15c9d062143b72850

SHA256
324cd2220623fc95528686c77ce7883baf45b9f92b0878a87cd77eb37e6457f2

SHA512
e1a30cedea607c3157a97ddf97cbe673ef44ecbe9734bb04f7bbfcd8d08df038a03e618db811c07438c37602a7dcf9c7851af7816b5e37e7d4cb82bb7dbd578d

Download Submit
C:\Windows\{7C5670BC-3550-4f30-B324-034341047044}.exe

Filesize
168KB

MD5
06edb74e1b8df81d0cce5864f0216f60

SHA1
ff4b68ddd4ee438f969900c15c9d062143b72850

SHA256
324cd2220623fc95528686c77ce7883baf45b9f92b0878a87cd77eb37e6457f2

SHA512
e1a30cedea607c3157a97ddf97cbe673ef44ecbe9734bb04f7bbfcd8d08df038a03e618db811c07438c37602a7dcf9c7851af7816b5e37e7d4cb82bb7dbd578d

Download Submit
C:\Windows\{AB965B72-F645-48ce-B249-11AFD6725F15}.exe

Filesize
168KB

MD5
a71ce0d4fc907be3611a72c65dd8a087

SHA1
b4afd886c1f4f5a04c5a731624cff1da6cf9a325

SHA256
7813d627ea7eb1edee1f6b682f4feb1f1a18d885c839bfb4730a77ebd7c374ef

SHA512
c15d6d35277e6c7387511310b15851e23dbb32eeb800f8f52e490faf0f1d9584a3e83f6e37091148e3eb937bffd225d1c5189b7e84f7bba4bd4eed395e74d801

Download Submit
C:\Windows\{AB965B72-F645-48ce-B249-11AFD6725F15}.exe

Filesize
168KB

MD5
a71ce0d4fc907be3611a72c65dd8a087

SHA1
b4afd886c1f4f5a04c5a731624cff1da6cf9a325

SHA256
7813d627ea7eb1edee1f6b682f4feb1f1a18d885c839bfb4730a77ebd7c374ef

SHA512
c15d6d35277e6c7387511310b15851e23dbb32eeb800f8f52e490faf0f1d9584a3e83f6e37091148e3eb937bffd225d1c5189b7e84f7bba4bd4eed395e74d801

Download Submit
C:\Windows\{B2881070-CF79-4336-A927-04E6D018CC00}.exe

Filesize
168KB

MD5
ad07e2f36e05241945d0e2c16f449bb3

SHA1
046bf64ca7bdfe3e2edfa94aed88971f3f4dc393

SHA256
fbd9fab00dabc6e4d326a4d917b9513cbf102d1bdc60f2a0297cd90e71276f36

SHA512
e53c45f2a411df3ced08811770e934da8d70177beef16e4df7b7f594fe01478da0a73c5eaeb37a52c6e833d308d7b0e17121253f45dc4ee5b1225502ef5f7884

Download Submit
C:\Windows\{B2881070-CF79-4336-A927-04E6D018CC00}.exe

Filesize
168KB

MD5
ad07e2f36e05241945d0e2c16f449bb3

SHA1
046bf64ca7bdfe3e2edfa94aed88971f3f4dc393

SHA256
fbd9fab00dabc6e4d326a4d917b9513cbf102d1bdc60f2a0297cd90e71276f36

SHA512
e53c45f2a411df3ced08811770e934da8d70177beef16e4df7b7f594fe01478da0a73c5eaeb37a52c6e833d308d7b0e17121253f45dc4ee5b1225502ef5f7884

Download Submit
C:\Windows\{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe

Filesize
168KB

MD5
3238bb8aa1e97eb7c2c1ffb795969610

SHA1
20551feea58fa7cd4d199dfd7bc88022f7fff5ac

SHA256
6cbe5762d80654c2bc473941348530f62fe02623f2211abd2228adbbcb2ccb40

SHA512
676a01cdfb0d047f9a1a13b00ab524496966b8b6171555ccd4ac942ba53bbf66aa86788a9cafc4f5078a8fe13d21d2bd88b695f087157e36d833dfe3794f40f0

Download Submit
C:\Windows\{D417678C-F9EE-4a3c-97CF-C77A5450A083}.exe

Filesize
168KB

MD5
3238bb8aa1e97eb7c2c1ffb795969610

SHA1
20551feea58fa7cd4d199dfd7bc88022f7fff5ac

SHA256
6cbe5762d80654c2bc473941348530f62fe02623f2211abd2228adbbcb2ccb40

SHA512
676a01cdfb0d047f9a1a13b00ab524496966b8b6171555ccd4ac942ba53bbf66aa86788a9cafc4f5078a8fe13d21d2bd88b695f087157e36d833dfe3794f40f0

Download Submit
C:\Windows\{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe

Filesize
168KB

MD5
6c9df88c671dcc42e7de5df24bcdd437

SHA1
762bd7bc80bdfaffc93d2c9a99cc3021b4fd2247

SHA256
81c32cdc57f46f7f3b99e26210f63fa72fed60ebab42b5b10f38e8d046494cc3

SHA512
973a195b1f5f7a4c66d297b65f34d5b46d952c5d70e4b1aae502711ec352f8cdc8c0408457c8ef87fa427153ab3a177015afb678020680fd6d5cffd50f921cda

Download Submit
C:\Windows\{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe

Filesize
168KB

MD5
6c9df88c671dcc42e7de5df24bcdd437

SHA1
762bd7bc80bdfaffc93d2c9a99cc3021b4fd2247

SHA256
81c32cdc57f46f7f3b99e26210f63fa72fed60ebab42b5b10f38e8d046494cc3

SHA512
973a195b1f5f7a4c66d297b65f34d5b46d952c5d70e4b1aae502711ec352f8cdc8c0408457c8ef87fa427153ab3a177015afb678020680fd6d5cffd50f921cda

Download Submit
C:\Windows\{D83CBC62-52C9-4e4d-9F95-E996366AC723}.exe

Filesize
168KB

MD5
6c9df88c671dcc42e7de5df24bcdd437

SHA1
762bd7bc80bdfaffc93d2c9a99cc3021b4fd2247

SHA256
81c32cdc57f46f7f3b99e26210f63fa72fed60ebab42b5b10f38e8d046494cc3

SHA512
973a195b1f5f7a4c66d297b65f34d5b46d952c5d70e4b1aae502711ec352f8cdc8c0408457c8ef87fa427153ab3a177015afb678020680fd6d5cffd50f921cda

Download Submit
C:\Windows\{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe

Filesize
168KB

MD5
c13f5ed834813db7b2ac7966635ae0f6

SHA1
22efce878459b56b1276ca150fc4c52736ac1bf7

SHA256
b03a4a9f62f9aef1f4a3509e876a70bcc7d942ffef93b325a040f467f931d743

SHA512
d0a12c0872f78c885c7f594f0a30db0cdd393cf641991260ec36a96cf1812dde7d970a0f93e033dc32bc9895bccf30790f435f542cb87d572eab75a65e2dcd3c

Download Submit
C:\Windows\{EF0BEB94-333E-4c4a-BAC6-7C366B2F5001}.exe

Filesize
168KB

MD5
c13f5ed834813db7b2ac7966635ae0f6

SHA1
22efce878459b56b1276ca150fc4c52736ac1bf7

SHA256
b03a4a9f62f9aef1f4a3509e876a70bcc7d942ffef93b325a040f467f931d743

SHA512
d0a12c0872f78c885c7f594f0a30db0cdd393cf641991260ec36a96cf1812dde7d970a0f93e033dc32bc9895bccf30790f435f542cb87d572eab75a65e2dcd3c

Download Submit