7730f8957e88eb4a02b4b4a4f64c8903b1bc380b164f626a1c8149e5dc873551

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 07:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

546eabb692dab6_JC.exe
Size

192KB
MD5

546eabb692dab6cd66b7199045361123
SHA1

203f7016e23ab7b7d5511d3fe0c1cd544ba7c337
SHA256

7730f8957e88eb4a02b4b4a4f64c8903b1bc380b164f626a1c8149e5dc873551
SHA512

376583e0e9d7970bebd6bac2438da34197e8d3d54ae00de3da2608c184046d2cd6d1f39d15f6b015b89c135e3cefd8700088740f4779b489af2ca634122989d3
SSDEEP

1536:1EGh0oHl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oHl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}\stubpath = "C:\\Windows\\{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe"	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E45CF7B5-E07A-4b63-BD75-53B2616B155C}\stubpath = "C:\\Windows\\{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe"	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}\stubpath = "C:\\Windows\\{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe"	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2116B60-B2D6-43a2-8652-46A6E0B3673C}	{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3B76007-72F2-4fef-904A-60D3326677B9}	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3B76007-72F2-4fef-904A-60D3326677B9}\stubpath = "C:\\Windows\\{C3B76007-72F2-4fef-904A-60D3326677B9}.exe"	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B02DD5-D34B-4fbf-8DBE-13F09141985B}\stubpath = "C:\\Windows\\{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe"	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8BA2FA9-670A-4729-97C3-0A3959B3C030}\stubpath = "C:\\Windows\\{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe"	{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{085A97DD-0042-4088-8305-1FEFA5FA6D03}	546eabb692dab6_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{085A97DD-0042-4088-8305-1FEFA5FA6D03}\stubpath = "C:\\Windows\\{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe"	546eabb692dab6_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{590C2432-2B34-4b88-89CA-43E366E2CF30}	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{590C2432-2B34-4b88-89CA-43E366E2CF30}\stubpath = "C:\\Windows\\{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe"	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8717188E-3D0E-47a1-90BB-3620B28D2E85}	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8717188E-3D0E-47a1-90BB-3620B28D2E85}\stubpath = "C:\\Windows\\{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe"	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}\stubpath = "C:\\Windows\\{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe"	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E45CF7B5-E07A-4b63-BD75-53B2616B155C}	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76B02DD5-D34B-4fbf-8DBE-13F09141985B}	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}\stubpath = "C:\\Windows\\{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe"	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8BA2FA9-670A-4729-97C3-0A3959B3C030}	{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2116B60-B2D6-43a2-8652-46A6E0B3673C}\stubpath = "C:\\Windows\\{C2116B60-B2D6-43a2-8652-46A6E0B3673C}.exe"	{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe

Executes dropped EXE 12 IoCs

pid	Process
3920	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe
4500	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe
5060	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe
2384	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe
3276	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe
1628	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe
3248	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe
4600	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe
1768	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe
2428	{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe
1476	{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe
1184	{C2116B60-B2D6-43a2-8652-46A6E0B3673C}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe
File created	C:\Windows\{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe
File created	C:\Windows\{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe
File created	C:\Windows\{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe
File created	C:\Windows\{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe
File created	C:\Windows\{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe
File created	C:\Windows\{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe	546eabb692dab6_JC.exe
File created	C:\Windows\{C3B76007-72F2-4fef-904A-60D3326677B9}.exe	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe
File created	C:\Windows\{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe
File created	C:\Windows\{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe
File created	C:\Windows\{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe	{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe
File created	C:\Windows\{C2116B60-B2D6-43a2-8652-46A6E0B3673C}.exe	{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4204	546eabb692dab6_JC.exe
Token: SeIncBasePriorityPrivilege	3920	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe
Token: SeIncBasePriorityPrivilege	4500	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe
Token: SeIncBasePriorityPrivilege	5060	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe
Token: SeIncBasePriorityPrivilege	2384	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe
Token: SeIncBasePriorityPrivilege	3276	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe
Token: SeIncBasePriorityPrivilege	1628	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe
Token: SeIncBasePriorityPrivilege	3248	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe
Token: SeIncBasePriorityPrivilege	4600	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe
Token: SeIncBasePriorityPrivilege	1768	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe
Token: SeIncBasePriorityPrivilege	2428	{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe
Token: SeIncBasePriorityPrivilege	1476	{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 3920	4204	546eabb692dab6_JC.exe	94
PID 4204 wrote to memory of 3920	4204	546eabb692dab6_JC.exe	94
PID 4204 wrote to memory of 3920	4204	546eabb692dab6_JC.exe	94
PID 4204 wrote to memory of 3380	4204	546eabb692dab6_JC.exe	95
PID 4204 wrote to memory of 3380	4204	546eabb692dab6_JC.exe	95
PID 4204 wrote to memory of 3380	4204	546eabb692dab6_JC.exe	95
PID 3920 wrote to memory of 4500	3920	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe	97
PID 3920 wrote to memory of 4500	3920	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe	97
PID 3920 wrote to memory of 4500	3920	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe	97
PID 3920 wrote to memory of 5068	3920	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe	98
PID 3920 wrote to memory of 5068	3920	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe	98
PID 3920 wrote to memory of 5068	3920	{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe	98
PID 4500 wrote to memory of 5060	4500	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe	102
PID 4500 wrote to memory of 5060	4500	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe	102
PID 4500 wrote to memory of 5060	4500	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe	102
PID 4500 wrote to memory of 2084	4500	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe	101
PID 4500 wrote to memory of 2084	4500	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe	101
PID 4500 wrote to memory of 2084	4500	{C3B76007-72F2-4fef-904A-60D3326677B9}.exe	101
PID 5060 wrote to memory of 2384	5060	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe	103
PID 5060 wrote to memory of 2384	5060	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe	103
PID 5060 wrote to memory of 2384	5060	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe	103
PID 5060 wrote to memory of 2388	5060	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe	104
PID 5060 wrote to memory of 2388	5060	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe	104
PID 5060 wrote to memory of 2388	5060	{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe	104
PID 2384 wrote to memory of 3276	2384	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe	105
PID 2384 wrote to memory of 3276	2384	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe	105
PID 2384 wrote to memory of 3276	2384	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe	105
PID 2384 wrote to memory of 3880	2384	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe	106
PID 2384 wrote to memory of 3880	2384	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe	106
PID 2384 wrote to memory of 3880	2384	{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe	106
PID 3276 wrote to memory of 1628	3276	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe	107
PID 3276 wrote to memory of 1628	3276	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe	107
PID 3276 wrote to memory of 1628	3276	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe	107
PID 3276 wrote to memory of 3468	3276	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe	108
PID 3276 wrote to memory of 3468	3276	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe	108
PID 3276 wrote to memory of 3468	3276	{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe	108
PID 1628 wrote to memory of 3248	1628	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe	112
PID 1628 wrote to memory of 3248	1628	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe	112
PID 1628 wrote to memory of 3248	1628	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe	112
PID 1628 wrote to memory of 4556	1628	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe	113
PID 1628 wrote to memory of 4556	1628	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe	113
PID 1628 wrote to memory of 4556	1628	{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe	113
PID 3248 wrote to memory of 4600	3248	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe	114
PID 3248 wrote to memory of 4600	3248	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe	114
PID 3248 wrote to memory of 4600	3248	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe	114
PID 3248 wrote to memory of 4304	3248	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe	115
PID 3248 wrote to memory of 4304	3248	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe	115
PID 3248 wrote to memory of 4304	3248	{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe	115
PID 4600 wrote to memory of 1768	4600	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe	116
PID 4600 wrote to memory of 1768	4600	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe	116
PID 4600 wrote to memory of 1768	4600	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe	116
PID 4600 wrote to memory of 2104	4600	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe	117
PID 4600 wrote to memory of 2104	4600	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe	117
PID 4600 wrote to memory of 2104	4600	{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe	117
PID 1768 wrote to memory of 2428	1768	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe	118
PID 1768 wrote to memory of 2428	1768	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe	118
PID 1768 wrote to memory of 2428	1768	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe	118
PID 1768 wrote to memory of 4016	1768	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe	119
PID 1768 wrote to memory of 4016	1768	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe	119
PID 1768 wrote to memory of 4016	1768	{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe	119
PID 2428 wrote to memory of 1476	2428	{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe	120
PID 2428 wrote to memory of 1476	2428	{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe	120
PID 2428 wrote to memory of 1476	2428	{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe	120
PID 2428 wrote to memory of 3988	2428	{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe	121

C:\Users\Admin\AppData\Local\Temp\546eabb692dab6_JC.exe
"C:\Users\Admin\AppData\Local\Temp\546eabb692dab6_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe
  C:\Windows\{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\{C3B76007-72F2-4fef-904A-60D3326677B9}.exe
    C:\Windows\{C3B76007-72F2-4fef-904A-60D3326677B9}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C3B76~1.EXE > nul
      4⤵
      PID:2084
  - - C:\Windows\{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe
      C:\Windows\{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5060
    - - C:\Windows\{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe
        
        C:\Windows\{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe
        
        C:\Windows\{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3276
        
        C:\Windows\{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe
        
        C:\Windows\{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Windows\{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe
        
        C:\Windows\{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe
        
        C:\Windows\{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe
        
        C:\Windows\{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1768
        
        C:\Windows\{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe
        
        C:\Windows\{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe
        
        C:\Windows\{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8BA2~1.EXE > nul
        13⤵
        
        PID:2008
        
        C:\Windows\{C2116B60-B2D6-43a2-8652-46A6E0B3673C}.exe
        
        C:\Windows\{C2116B60-B2D6-43a2-8652-46A6E0B3673C}.exe
        13⤵
        Executes dropped EXE
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87171~1.EXE > nul
        12⤵
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83CDF~1.EXE > nul
        11⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76B02~1.EXE > nul
        10⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{590C2~1.EXE > nul
        9⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DF54~1.EXE > nul
        8⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E45CF~1.EXE > nul
        7⤵
        
        PID:3468
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01AB1~1.EXE > nul
        6⤵
        
        PID:3880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5D2E~1.EXE > nul
        5⤵
        
        PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{085A9~1.EXE > nul
    3⤵
    PID:5068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\546EAB~1.EXE > nul
  2⤵
  PID:3380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe

Filesize
192KB

MD5
94da12ecb90ccfbf38fba1ebdbfcdb93

SHA1
2cb85f878095fec8de870c9dbcd0844dade0634c

SHA256
a022ab4e3c3c42d41c920f797a9d132bc3a42f49dcbca7541c2461a121b5d4ae

SHA512
0d672e768772e20c622398ec0e64a07d36f3d6b305c593f62ad1e5ca43b8510ae4fada4f6802bcb50ed4d700a5c694439f9bb8f707c014e9feb6e5973ee31ad7

Download Submit
C:\Windows\{01AB1F4C-A4F5-4163-ADC9-B72C9DD4CE65}.exe

Filesize
192KB

MD5
94da12ecb90ccfbf38fba1ebdbfcdb93

SHA1
2cb85f878095fec8de870c9dbcd0844dade0634c

SHA256
a022ab4e3c3c42d41c920f797a9d132bc3a42f49dcbca7541c2461a121b5d4ae

SHA512
0d672e768772e20c622398ec0e64a07d36f3d6b305c593f62ad1e5ca43b8510ae4fada4f6802bcb50ed4d700a5c694439f9bb8f707c014e9feb6e5973ee31ad7

Download Submit
C:\Windows\{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe

Filesize
192KB

MD5
b966f076e32ccafe4e6cee95cde74c02

SHA1
54a47b12c0fd5bba49562390a6e230db034375a1

SHA256
cf417e7c452e136e090b95a7b74e22fb5722527699d600560e50c2192fdc972e

SHA512
6930602eba246a7787e02c53a3cf00e8934696f1aff5d316e7805687a5131a959ee8a66a5c7e4b5bd610f1c723266911d72b82e0f427c7d309cd1f5a5d2f16de

Download Submit
C:\Windows\{085A97DD-0042-4088-8305-1FEFA5FA6D03}.exe

Filesize
192KB

MD5
b966f076e32ccafe4e6cee95cde74c02

SHA1
54a47b12c0fd5bba49562390a6e230db034375a1

SHA256
cf417e7c452e136e090b95a7b74e22fb5722527699d600560e50c2192fdc972e

SHA512
6930602eba246a7787e02c53a3cf00e8934696f1aff5d316e7805687a5131a959ee8a66a5c7e4b5bd610f1c723266911d72b82e0f427c7d309cd1f5a5d2f16de

Download Submit
C:\Windows\{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe

Filesize
192KB

MD5
04ba2d6c3aefd03a85e214c775e5aa42

SHA1
b6a77e1e61386940f1bdbc84d19aeff7c2956c0c

SHA256
4619ce63ff5f16cad30d821ae41f4bb53fb5cf7b8bc8615cb29723e325eee351

SHA512
f94d6f9c99b1e04fdb2068d41390cf02c668fcaceb440109afc3b89281554c1ba311d4abbdfd72dc177ee296122f398cc8eaacf214cc002c401d29213d6433c9

Download Submit
C:\Windows\{4DF54AB6-63F9-4dd0-BAE5-1D297E04947A}.exe

Filesize
192KB

MD5
04ba2d6c3aefd03a85e214c775e5aa42

SHA1
b6a77e1e61386940f1bdbc84d19aeff7c2956c0c

SHA256
4619ce63ff5f16cad30d821ae41f4bb53fb5cf7b8bc8615cb29723e325eee351

SHA512
f94d6f9c99b1e04fdb2068d41390cf02c668fcaceb440109afc3b89281554c1ba311d4abbdfd72dc177ee296122f398cc8eaacf214cc002c401d29213d6433c9

Download Submit
C:\Windows\{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe

Filesize
192KB

MD5
d51ed6c5cd40a900160f039866c6855a

SHA1
8b82bd3216d1ff811478e89e781c61484b86c0cb

SHA256
0cb9a5f127bfea7bbd622322a23aad5102fb3dfb941120f6fafc43dc0d37979c

SHA512
f2f628a2992bdc1d1425b260ba2f14645e7e3facc649aa4226de6c17a46c984d7b3de39f223b6af7fabfc177d48320927963556bc940c542f3803b8f3376d9c3

Download Submit
C:\Windows\{590C2432-2B34-4b88-89CA-43E366E2CF30}.exe

Filesize
192KB

MD5
d51ed6c5cd40a900160f039866c6855a

SHA1
8b82bd3216d1ff811478e89e781c61484b86c0cb

SHA256
0cb9a5f127bfea7bbd622322a23aad5102fb3dfb941120f6fafc43dc0d37979c

SHA512
f2f628a2992bdc1d1425b260ba2f14645e7e3facc649aa4226de6c17a46c984d7b3de39f223b6af7fabfc177d48320927963556bc940c542f3803b8f3376d9c3

Download Submit
C:\Windows\{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe

Filesize
192KB

MD5
6fc1a56674271028b4cd38aff805598b

SHA1
955342799cb45fdeb17b95775b050fad3b13b4ef

SHA256
df82cd00bc2539acd91eca1aaaedff9c0bb2212f66a395a5e205ce2c737a74a6

SHA512
d6df1522fd8cb726fb2f1d8c8da1bf17dcfc5c232a6d01f08c4684d0188be4ef8bc99257bf3ca16be905a908d0131419ddcfc267b14eff64f5d9882036162a0e

Download Submit
C:\Windows\{76B02DD5-D34B-4fbf-8DBE-13F09141985B}.exe

Filesize
192KB

MD5
6fc1a56674271028b4cd38aff805598b

SHA1
955342799cb45fdeb17b95775b050fad3b13b4ef

SHA256
df82cd00bc2539acd91eca1aaaedff9c0bb2212f66a395a5e205ce2c737a74a6

SHA512
d6df1522fd8cb726fb2f1d8c8da1bf17dcfc5c232a6d01f08c4684d0188be4ef8bc99257bf3ca16be905a908d0131419ddcfc267b14eff64f5d9882036162a0e

Download Submit
C:\Windows\{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe

Filesize
192KB

MD5
87cfcc263f8f1b112bfa66fddb47cde4

SHA1
45011e2612b2c4257657d5c5b8405c819bcf7044

SHA256
c549252c19ddcb879570e3b96eea0cd3e1fac985af3139a98053fc69ce0c3e48

SHA512
f24ae9b09aee2bea52dc0068e29d8188a6076974ad8420eae3b22a16a191350c487e41313247a891dfb6a35cc2f23b0ac6926bfef2cd8e39d40f7bd95e05c33f

Download Submit
C:\Windows\{83CDFBF0-ABBD-4084-8871-94E8C5B74BCA}.exe

Filesize
192KB

MD5
87cfcc263f8f1b112bfa66fddb47cde4

SHA1
45011e2612b2c4257657d5c5b8405c819bcf7044

SHA256
c549252c19ddcb879570e3b96eea0cd3e1fac985af3139a98053fc69ce0c3e48

SHA512
f24ae9b09aee2bea52dc0068e29d8188a6076974ad8420eae3b22a16a191350c487e41313247a891dfb6a35cc2f23b0ac6926bfef2cd8e39d40f7bd95e05c33f

Download Submit
C:\Windows\{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe

Filesize
192KB

MD5
1e04155f5a3b0f8c59de7960d3c8fe6b

SHA1
b658ef88fbb92435b8a5223e52e02bc1e1037fee

SHA256
450d2c7f1e7df178513a6cb71a2b9a18424e7068c51014367bb7aabe2d003940

SHA512
1af797846c7039a27f575342e1169a424477c6b1e1ac5728fd32d09a73b7f6c33c75b06bb81c6187c4f8fc84fa1f07be61663b3b693e9331c27db35615d74672

Download Submit
C:\Windows\{8717188E-3D0E-47a1-90BB-3620B28D2E85}.exe

Filesize
192KB

MD5
1e04155f5a3b0f8c59de7960d3c8fe6b

SHA1
b658ef88fbb92435b8a5223e52e02bc1e1037fee

SHA256
450d2c7f1e7df178513a6cb71a2b9a18424e7068c51014367bb7aabe2d003940

SHA512
1af797846c7039a27f575342e1169a424477c6b1e1ac5728fd32d09a73b7f6c33c75b06bb81c6187c4f8fc84fa1f07be61663b3b693e9331c27db35615d74672

Download Submit
C:\Windows\{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe

Filesize
192KB

MD5
7b44b58ee6fcd5590afe1fd825cdcc82

SHA1
daafc433b6f05aa5ad1f432ef2ba5e0943292ad3

SHA256
c60d685de3f264ca22f7ebafb322e85b86927d620559dfedabd1dec9385e4730

SHA512
d1db1a365df675b09e7ea892d351b37207e7d389d11126264175b2cb7cf5daa7287497188010d47f4f71ac82e6ef6e7fefa8dfda35dbea3de654883cdadfb4df

Download Submit
C:\Windows\{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe

Filesize
192KB

MD5
7b44b58ee6fcd5590afe1fd825cdcc82

SHA1
daafc433b6f05aa5ad1f432ef2ba5e0943292ad3

SHA256
c60d685de3f264ca22f7ebafb322e85b86927d620559dfedabd1dec9385e4730

SHA512
d1db1a365df675b09e7ea892d351b37207e7d389d11126264175b2cb7cf5daa7287497188010d47f4f71ac82e6ef6e7fefa8dfda35dbea3de654883cdadfb4df

Download Submit
C:\Windows\{B5D2E80B-3E7C-472a-9EDC-3C757F9245E4}.exe

Filesize
192KB

MD5
7b44b58ee6fcd5590afe1fd825cdcc82

SHA1
daafc433b6f05aa5ad1f432ef2ba5e0943292ad3

SHA256
c60d685de3f264ca22f7ebafb322e85b86927d620559dfedabd1dec9385e4730

SHA512
d1db1a365df675b09e7ea892d351b37207e7d389d11126264175b2cb7cf5daa7287497188010d47f4f71ac82e6ef6e7fefa8dfda35dbea3de654883cdadfb4df

Download Submit
C:\Windows\{C2116B60-B2D6-43a2-8652-46A6E0B3673C}.exe

Filesize
192KB

MD5
8569b684216f610537d4937a974c0ca6

SHA1
6ab633338c65dd2290eced25fa6f5fd40cc193e5

SHA256
1645593619e4314a94a7b0874a80c25a7fafb7495593c5be8cd2f6965087f388

SHA512
c0984dcdad83d3560c2ff4e1425e8d91c32a64ef47723330470cc26f88f03cc4dca34b2114d28c426b3aa4f150df9053307328ebea719f2fa5ae44a53d15065a

Download Submit
C:\Windows\{C2116B60-B2D6-43a2-8652-46A6E0B3673C}.exe

Filesize
192KB

MD5
8569b684216f610537d4937a974c0ca6

SHA1
6ab633338c65dd2290eced25fa6f5fd40cc193e5

SHA256
1645593619e4314a94a7b0874a80c25a7fafb7495593c5be8cd2f6965087f388

SHA512
c0984dcdad83d3560c2ff4e1425e8d91c32a64ef47723330470cc26f88f03cc4dca34b2114d28c426b3aa4f150df9053307328ebea719f2fa5ae44a53d15065a

Download Submit
C:\Windows\{C3B76007-72F2-4fef-904A-60D3326677B9}.exe

Filesize
192KB

MD5
00056958ef3260d5979e29730751105e

SHA1
6326ea12574cc15920117d81b7e72ab6105b79cb

SHA256
0551426b8ac922c608c362bab383ec1f759599351f8ffbffbaec2a70ffcd91c5

SHA512
03aa1b91f020e775ece15aaead29d8afd708a538454745f8a4e4e3f2ea1ca0ee6b83f562910a39c23ce15fa7245abc22113182d766f2781c1945df50a9ffafeb

Download Submit
C:\Windows\{C3B76007-72F2-4fef-904A-60D3326677B9}.exe

Filesize
192KB

MD5
00056958ef3260d5979e29730751105e

SHA1
6326ea12574cc15920117d81b7e72ab6105b79cb

SHA256
0551426b8ac922c608c362bab383ec1f759599351f8ffbffbaec2a70ffcd91c5

SHA512
03aa1b91f020e775ece15aaead29d8afd708a538454745f8a4e4e3f2ea1ca0ee6b83f562910a39c23ce15fa7245abc22113182d766f2781c1945df50a9ffafeb

Download Submit
C:\Windows\{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe

Filesize
192KB

MD5
16dd4ffe13ff46b826c74a7dccb7e156

SHA1
b441894717b7345e792923e5489db62926a56f3d

SHA256
69f351ac1925a66c60f7119ee2087f6bb6ffd919cf43c84c4f687bcec58e094e

SHA512
380360b315cc6e9b54ca0af6ae8382c82e812cdc9359a2fe148ef1f6b8967cf5603f19e03982e149104a71f0832ea517146ee797cb483328ade86cb66f645c34

Download Submit
C:\Windows\{C8BA2FA9-670A-4729-97C3-0A3959B3C030}.exe

Filesize
192KB

MD5
16dd4ffe13ff46b826c74a7dccb7e156

SHA1
b441894717b7345e792923e5489db62926a56f3d

SHA256
69f351ac1925a66c60f7119ee2087f6bb6ffd919cf43c84c4f687bcec58e094e

SHA512
380360b315cc6e9b54ca0af6ae8382c82e812cdc9359a2fe148ef1f6b8967cf5603f19e03982e149104a71f0832ea517146ee797cb483328ade86cb66f645c34

Download Submit
C:\Windows\{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe

Filesize
192KB

MD5
4f3757a8ae2d3b0f43d305aad673edaa

SHA1
d60dbe21af05a2301dd47401b0905f5ba4894f72

SHA256
d9340fa78f9a83d59c7c81292a442f2150766dae7f8478541e0d81276911b50a

SHA512
4e1700c2157b2269bc8c597be28e09020c4f8392db1f87ead55bd5ecda060497ad164b7a11c526d0d20df82410408f716c15a4d7e0a766a358b7b7e0ea4e671d

Download Submit
C:\Windows\{E45CF7B5-E07A-4b63-BD75-53B2616B155C}.exe

Filesize
192KB

MD5
4f3757a8ae2d3b0f43d305aad673edaa

SHA1
d60dbe21af05a2301dd47401b0905f5ba4894f72

SHA256
d9340fa78f9a83d59c7c81292a442f2150766dae7f8478541e0d81276911b50a

SHA512
4e1700c2157b2269bc8c597be28e09020c4f8392db1f87ead55bd5ecda060497ad164b7a11c526d0d20df82410408f716c15a4d7e0a766a358b7b7e0ea4e671d

Download Submit