f1164fc9e43da66883ca128c611c2463a473c2807527bc9293ddf56932bb1e49

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2023 11:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

687e8e3dc53c70_JC.exe
Size

168KB
MD5

687e8e3dc53c70c43f9f9f7e2dbad89a
SHA1

95793278be6b19e5b79bd37a51227e7c71dae1c6
SHA256

f1164fc9e43da66883ca128c611c2463a473c2807527bc9293ddf56932bb1e49
SHA512

f49352f5f8fcbd6bb15b17bdd48e16573dea616960e53f9728eaf38c5b3721dc09d3674837c2c25c43f1cfee338b3a4ec985c1eedf2327da3ed2f74b27c80040
SSDEEP

1536:1EGh0oLlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oLlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}\stubpath = "C:\\Windows\\{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe"	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD5057D-ADDB-42c1-860D-A07B363E76FC}\stubpath = "C:\\Windows\\{5CD5057D-ADDB-42c1-860D-A07B363E76FC}.exe"	{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{276EFC33-8008-44a6-BA6B-C6E66191B8AA}	687e8e3dc53c70_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{276EFC33-8008-44a6-BA6B-C6E66191B8AA}\stubpath = "C:\\Windows\\{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe"	687e8e3dc53c70_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20E615E3-ABA6-41f1-8774-B7551701BDB1}	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}\stubpath = "C:\\Windows\\{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe"	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{627AE642-7F27-4da4-B150-F2AE73F2E732}\stubpath = "C:\\Windows\\{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe"	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}\stubpath = "C:\\Windows\\{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe"	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB8468DD-5960-4c48-8BD5-98BCFC610432}\stubpath = "C:\\Windows\\{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe"	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BC83D9B-423B-4550-8757-111DEC4C769A}	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BC83D9B-423B-4550-8757-111DEC4C769A}\stubpath = "C:\\Windows\\{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe"	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C9B5FE-125A-4d22-924C-0C1186A67E83}	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}\stubpath = "C:\\Windows\\{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe"	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20E615E3-ABA6-41f1-8774-B7551701BDB1}\stubpath = "C:\\Windows\\{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe"	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C9B5FE-125A-4d22-924C-0C1186A67E83}\stubpath = "C:\\Windows\\{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe"	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{627AE642-7F27-4da4-B150-F2AE73F2E732}	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB8468DD-5960-4c48-8BD5-98BCFC610432}	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CD5057D-ADDB-42c1-860D-A07B363E76FC}	{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe

Executes dropped EXE 11 IoCs

pid	Process
3916	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe
2672	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe
1352	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe
4420	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe
4940	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe
2140	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe
3992	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe
4864	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe
496	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe
3412	{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe
4892	{5CD5057D-ADDB-42c1-860D-A07B363E76FC}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe
File created	C:\Windows\{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe
File created	C:\Windows\{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe	687e8e3dc53c70_JC.exe
File created	C:\Windows\{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe
File created	C:\Windows\{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe
File created	C:\Windows\{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe
File created	C:\Windows\{5CD5057D-ADDB-42c1-860D-A07B363E76FC}.exe	{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe
File created	C:\Windows\{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe
File created	C:\Windows\{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe
File created	C:\Windows\{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe
File created	C:\Windows\{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4076	687e8e3dc53c70_JC.exe
Token: SeIncBasePriorityPrivilege	3916	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe
Token: SeIncBasePriorityPrivilege	2672	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe
Token: SeIncBasePriorityPrivilege	1352	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe
Token: SeIncBasePriorityPrivilege	4420	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe
Token: SeIncBasePriorityPrivilege	4940	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe
Token: SeIncBasePriorityPrivilege	2140	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe
Token: SeIncBasePriorityPrivilege	3992	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe
Token: SeIncBasePriorityPrivilege	4864	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe
Token: SeIncBasePriorityPrivilege	496	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe
Token: SeIncBasePriorityPrivilege	3412	{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 3916	4076	687e8e3dc53c70_JC.exe	93
PID 4076 wrote to memory of 3916	4076	687e8e3dc53c70_JC.exe	93
PID 4076 wrote to memory of 3916	4076	687e8e3dc53c70_JC.exe	93
PID 4076 wrote to memory of 4280	4076	687e8e3dc53c70_JC.exe	94
PID 4076 wrote to memory of 4280	4076	687e8e3dc53c70_JC.exe	94
PID 4076 wrote to memory of 4280	4076	687e8e3dc53c70_JC.exe	94
PID 3916 wrote to memory of 2672	3916	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe	95
PID 3916 wrote to memory of 2672	3916	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe	95
PID 3916 wrote to memory of 2672	3916	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe	95
PID 3916 wrote to memory of 4976	3916	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe	96
PID 3916 wrote to memory of 4976	3916	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe	96
PID 3916 wrote to memory of 4976	3916	{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe	96
PID 2672 wrote to memory of 1352	2672	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe	103
PID 2672 wrote to memory of 1352	2672	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe	103
PID 2672 wrote to memory of 1352	2672	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe	103
PID 2672 wrote to memory of 3192	2672	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe	102
PID 2672 wrote to memory of 3192	2672	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe	102
PID 2672 wrote to memory of 3192	2672	{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe	102
PID 1352 wrote to memory of 4420	1352	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe	108
PID 1352 wrote to memory of 4420	1352	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe	108
PID 1352 wrote to memory of 4420	1352	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe	108
PID 1352 wrote to memory of 3028	1352	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe	109
PID 1352 wrote to memory of 3028	1352	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe	109
PID 1352 wrote to memory of 3028	1352	{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe	109
PID 4420 wrote to memory of 4940	4420	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe	110
PID 4420 wrote to memory of 4940	4420	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe	110
PID 4420 wrote to memory of 4940	4420	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe	110
PID 4420 wrote to memory of 1236	4420	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe	111
PID 4420 wrote to memory of 1236	4420	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe	111
PID 4420 wrote to memory of 1236	4420	{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe	111
PID 4940 wrote to memory of 2140	4940	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe	112
PID 4940 wrote to memory of 2140	4940	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe	112
PID 4940 wrote to memory of 2140	4940	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe	112
PID 4940 wrote to memory of 4772	4940	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe	113
PID 4940 wrote to memory of 4772	4940	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe	113
PID 4940 wrote to memory of 4772	4940	{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe	113
PID 2140 wrote to memory of 3992	2140	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe	115
PID 2140 wrote to memory of 3992	2140	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe	115
PID 2140 wrote to memory of 3992	2140	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe	115
PID 2140 wrote to memory of 2164	2140	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe	116
PID 2140 wrote to memory of 2164	2140	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe	116
PID 2140 wrote to memory of 2164	2140	{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe	116
PID 3992 wrote to memory of 4864	3992	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe	117
PID 3992 wrote to memory of 4864	3992	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe	117
PID 3992 wrote to memory of 4864	3992	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe	117
PID 3992 wrote to memory of 4808	3992	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe	118
PID 3992 wrote to memory of 4808	3992	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe	118
PID 3992 wrote to memory of 4808	3992	{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe	118
PID 4864 wrote to memory of 496	4864	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe	120
PID 4864 wrote to memory of 496	4864	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe	120
PID 4864 wrote to memory of 496	4864	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe	120
PID 4864 wrote to memory of 1160	4864	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe	119
PID 4864 wrote to memory of 1160	4864	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe	119
PID 4864 wrote to memory of 1160	4864	{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe	119
PID 496 wrote to memory of 3412	496	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe	121
PID 496 wrote to memory of 3412	496	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe	121
PID 496 wrote to memory of 3412	496	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe	121
PID 496 wrote to memory of 1000	496	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe	122
PID 496 wrote to memory of 1000	496	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe	122
PID 496 wrote to memory of 1000	496	{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe	122
PID 3412 wrote to memory of 4892	3412	{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe	123
PID 3412 wrote to memory of 4892	3412	{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe	123
PID 3412 wrote to memory of 4892	3412	{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe	123
PID 3412 wrote to memory of 4040	3412	{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe	124

C:\Users\Admin\AppData\Local\Temp\687e8e3dc53c70_JC.exe
"C:\Users\Admin\AppData\Local\Temp\687e8e3dc53c70_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe
  C:\Windows\{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3916
- - C:\Windows\{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe
    C:\Windows\{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1BC83~1.EXE > nul
      4⤵
      PID:3192
  - - C:\Windows\{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe
      C:\Windows\{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1352
    - - C:\Windows\{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe
        
        C:\Windows\{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4420
      - C:\Windows\{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe
        
        C:\Windows\{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe
        
        C:\Windows\{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe
        
        C:\Windows\{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe
        
        C:\Windows\{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B0CF2~1.EXE > nul
        10⤵
        
        PID:1160
        
        C:\Windows\{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe
        
        C:\Windows\{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:496
        
        C:\Windows\{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe
        
        C:\Windows\{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\{5CD5057D-ADDB-42c1-860D-A07B363E76FC}.exe
        
        C:\Windows\{5CD5057D-ADDB-42c1-860D-A07B363E76FC}.exe
        12⤵
        Executes dropped EXE
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB846~1.EXE > nul
        12⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FBDC0~1.EXE > nul
        11⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3EB53~1.EXE > nul
        9⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBA30~1.EXE > nul
        8⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{627AE~1.EXE > nul
        7⤵
        
        PID:4772
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3C9B~1.EXE > nul
        6⤵
        
        PID:1236
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20E61~1.EXE > nul
        5⤵
        
        PID:3028
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{276EF~1.EXE > nul
    3⤵
    PID:4976
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\687E8E~1.EXE > nul
  2⤵
  PID:4280

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe

Filesize
168KB

MD5
1c1a327afa0adbd29914ce5731067b4e

SHA1
e81ba23d770c6ac3cf5c29e5f34cb72c92dc0acf

SHA256
1e8bc35ea852b25f30bee04b4b35717447dc233a33a0ae5d61d6c18eb07181a7

SHA512
5931ff55cf6521d4794d3d10369d38ad524c95cace9be88338b6f6c1f65e6dc883b18d70caef57465ae73680abc92ae21b5ef1eb9a3a6e658e9c354d65d53de1

Download Submit
C:\Windows\{1BC83D9B-423B-4550-8757-111DEC4C769A}.exe

Filesize
168KB

MD5
1c1a327afa0adbd29914ce5731067b4e

SHA1
e81ba23d770c6ac3cf5c29e5f34cb72c92dc0acf

SHA256
1e8bc35ea852b25f30bee04b4b35717447dc233a33a0ae5d61d6c18eb07181a7

SHA512
5931ff55cf6521d4794d3d10369d38ad524c95cace9be88338b6f6c1f65e6dc883b18d70caef57465ae73680abc92ae21b5ef1eb9a3a6e658e9c354d65d53de1

Download Submit
C:\Windows\{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe

Filesize
168KB

MD5
1b0baa98330343b8bcbf4e05b92716b1

SHA1
40f7dd52c87017210b0a832bcd049f92a90088da

SHA256
33d9c910369edaecf422868676dcc4c6f8605e97f1fa627fc731db7eff28cc18

SHA512
88a9ea34b8699e42e7161820a7f697589b1634eeced37b583a5ba3cf1b401091a6ce8d6674cfb7e443c16989827c2e04dfa4c6309ebbdf75cd59fcc5d3fd27fb

Download Submit
C:\Windows\{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe

Filesize
168KB

MD5
1b0baa98330343b8bcbf4e05b92716b1

SHA1
40f7dd52c87017210b0a832bcd049f92a90088da

SHA256
33d9c910369edaecf422868676dcc4c6f8605e97f1fa627fc731db7eff28cc18

SHA512
88a9ea34b8699e42e7161820a7f697589b1634eeced37b583a5ba3cf1b401091a6ce8d6674cfb7e443c16989827c2e04dfa4c6309ebbdf75cd59fcc5d3fd27fb

Download Submit
C:\Windows\{20E615E3-ABA6-41f1-8774-B7551701BDB1}.exe

Filesize
168KB

MD5
1b0baa98330343b8bcbf4e05b92716b1

SHA1
40f7dd52c87017210b0a832bcd049f92a90088da

SHA256
33d9c910369edaecf422868676dcc4c6f8605e97f1fa627fc731db7eff28cc18

SHA512
88a9ea34b8699e42e7161820a7f697589b1634eeced37b583a5ba3cf1b401091a6ce8d6674cfb7e443c16989827c2e04dfa4c6309ebbdf75cd59fcc5d3fd27fb

Download Submit
C:\Windows\{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe

Filesize
168KB

MD5
9a4aac50e195ec1325d7ee7f3db66454

SHA1
be2f9f9398ec3f55cb2941f3b09fdc80dd9623b3

SHA256
12d88e0c5a3f378bd197aabcf0b3d906016fbbae2e2dde815473c4e05ce66a59

SHA512
76324f812572cfd61876716533c3734d308ee781abd9b4b285062c68fc4dcb8092db2a6e0769aefa6d8494b8fe436d817a73daa510a3a647cad6f59d2666099b

Download Submit
C:\Windows\{276EFC33-8008-44a6-BA6B-C6E66191B8AA}.exe

Filesize
168KB

MD5
9a4aac50e195ec1325d7ee7f3db66454

SHA1
be2f9f9398ec3f55cb2941f3b09fdc80dd9623b3

SHA256
12d88e0c5a3f378bd197aabcf0b3d906016fbbae2e2dde815473c4e05ce66a59

SHA512
76324f812572cfd61876716533c3734d308ee781abd9b4b285062c68fc4dcb8092db2a6e0769aefa6d8494b8fe436d817a73daa510a3a647cad6f59d2666099b

Download Submit
C:\Windows\{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe

Filesize
168KB

MD5
1650e1b2342595fe4b32da119209092c

SHA1
b9ec1cf733b288eccb1172ca4dd1d95b03be3de0

SHA256
f2e6311d5fb99360e33773117b733d10c032505f67ade7168200e3348217bc36

SHA512
deb4d8342d4571dcb81850664f9bfd79fe3bc67ccd8197611a39791f56d9adef00a13a8e653a05f3af20636fcb27515ee503c2e109908bb834ff2a5ef77169d5

Download Submit
C:\Windows\{3EB53DF4-5A40-45eb-90C2-DE4794C5EB5C}.exe

Filesize
168KB

MD5
1650e1b2342595fe4b32da119209092c

SHA1
b9ec1cf733b288eccb1172ca4dd1d95b03be3de0

SHA256
f2e6311d5fb99360e33773117b733d10c032505f67ade7168200e3348217bc36

SHA512
deb4d8342d4571dcb81850664f9bfd79fe3bc67ccd8197611a39791f56d9adef00a13a8e653a05f3af20636fcb27515ee503c2e109908bb834ff2a5ef77169d5

Download Submit
C:\Windows\{5CD5057D-ADDB-42c1-860D-A07B363E76FC}.exe

Filesize
168KB

MD5
059bb09aea3d36fed6ba0cd341e6ead3

SHA1
ac67c9dbf4cf81c27961d84a191a4785e30f01f4

SHA256
8d8301c510d309deac9c89ffe19046bbab9db03f1cbb89c4012d50ca04cb9de3

SHA512
05e9568b2b9618eea64c5c6d5bf80d86fb63a3b6acb6c0f6cac9fb06e2055f77ee4586dca855c248db719feb2517e16e0ccd9c91c4dadf2bceede65291573df8

Download Submit
C:\Windows\{5CD5057D-ADDB-42c1-860D-A07B363E76FC}.exe

Filesize
168KB

MD5
059bb09aea3d36fed6ba0cd341e6ead3

SHA1
ac67c9dbf4cf81c27961d84a191a4785e30f01f4

SHA256
8d8301c510d309deac9c89ffe19046bbab9db03f1cbb89c4012d50ca04cb9de3

SHA512
05e9568b2b9618eea64c5c6d5bf80d86fb63a3b6acb6c0f6cac9fb06e2055f77ee4586dca855c248db719feb2517e16e0ccd9c91c4dadf2bceede65291573df8

Download Submit
C:\Windows\{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe

Filesize
168KB

MD5
225579e926a4e06f77d76b05d1440619

SHA1
de6c4d480fa36ffa8939c369654eefb9235cfe0f

SHA256
31d7bce4ae7cfa306783e7ee7f23269ba81fe99b51f7c68401dfbabcaa29ba65

SHA512
75d438eb2fc1c2ddad1ec5bd3fdd283fc6dc3b9f33fc140486f84cf30f7e9130d69a11d4558f66d78249fdb849dbb372c54ff9fef9865aa30ae05c60c7ac7c2e

Download Submit
C:\Windows\{627AE642-7F27-4da4-B150-F2AE73F2E732}.exe

Filesize
168KB

MD5
225579e926a4e06f77d76b05d1440619

SHA1
de6c4d480fa36ffa8939c369654eefb9235cfe0f

SHA256
31d7bce4ae7cfa306783e7ee7f23269ba81fe99b51f7c68401dfbabcaa29ba65

SHA512
75d438eb2fc1c2ddad1ec5bd3fdd283fc6dc3b9f33fc140486f84cf30f7e9130d69a11d4558f66d78249fdb849dbb372c54ff9fef9865aa30ae05c60c7ac7c2e

Download Submit
C:\Windows\{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe

Filesize
168KB

MD5
19b3ee0c3dc9d3821cf408020f9ca806

SHA1
409a5547ef21372493c1c9e0e6ad88808599eac7

SHA256
bf721a894b48a1d0fe25d7bcb60ad3423047a31f726f1b7698c610e1eb9bff13

SHA512
a3c4fb85fc11a76a3dbfc90af80801ae4747d30b3121188911853b5503ffe803c073c2f76541033642b001871de3e15b9a5986efa5ca1935a694aa7b9b32a7a9

Download Submit
C:\Windows\{B0CF250D-4DAF-45b6-B17F-4DA26F6246F8}.exe

Filesize
168KB

MD5
19b3ee0c3dc9d3821cf408020f9ca806

SHA1
409a5547ef21372493c1c9e0e6ad88808599eac7

SHA256
bf721a894b48a1d0fe25d7bcb60ad3423047a31f726f1b7698c610e1eb9bff13

SHA512
a3c4fb85fc11a76a3dbfc90af80801ae4747d30b3121188911853b5503ffe803c073c2f76541033642b001871de3e15b9a5986efa5ca1935a694aa7b9b32a7a9

Download Submit
C:\Windows\{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe

Filesize
168KB

MD5
59caf25ec3186e78ae218a5b7c2fe69f

SHA1
52276bc737c1504a3bcce8fc66f08a56989b6774

SHA256
3b7d824a8086a3cea1011220bd2653482d96072197f7feb3ba8cebf79c7bdefd

SHA512
b187070826d6e97f47bcc27d5b542d915624cb841a71b9a5ce034af58b508a0f4316e70f6d2304c681a500579ea6e7ce348a58248502abf5aac81ba5db190f30

Download Submit
C:\Windows\{CBA30AE7-BD1B-4ab2-8648-EED321A07C8D}.exe

Filesize
168KB

MD5
59caf25ec3186e78ae218a5b7c2fe69f

SHA1
52276bc737c1504a3bcce8fc66f08a56989b6774

SHA256
3b7d824a8086a3cea1011220bd2653482d96072197f7feb3ba8cebf79c7bdefd

SHA512
b187070826d6e97f47bcc27d5b542d915624cb841a71b9a5ce034af58b508a0f4316e70f6d2304c681a500579ea6e7ce348a58248502abf5aac81ba5db190f30

Download Submit
C:\Windows\{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe

Filesize
168KB

MD5
dd453ece18f8d93894d0bffde3a82740

SHA1
79ee73884f0526e703ddafa0f5740271160bda70

SHA256
dd67e18a30cb63086cee87a481a665eefe43c8058a4c10eb39176b9e3510e110

SHA512
cf6ffcb4dba6762be7d3f1f4330f3d94710edaf3da6280a58441f73ce37006747eb17b17b9016303f094ce4c6fe31a8657dbb487fac352da16ad05bb45095d28

Download Submit
C:\Windows\{D3C9B5FE-125A-4d22-924C-0C1186A67E83}.exe

Filesize
168KB

MD5
dd453ece18f8d93894d0bffde3a82740

SHA1
79ee73884f0526e703ddafa0f5740271160bda70

SHA256
dd67e18a30cb63086cee87a481a665eefe43c8058a4c10eb39176b9e3510e110

SHA512
cf6ffcb4dba6762be7d3f1f4330f3d94710edaf3da6280a58441f73ce37006747eb17b17b9016303f094ce4c6fe31a8657dbb487fac352da16ad05bb45095d28

Download Submit
C:\Windows\{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe

Filesize
168KB

MD5
63a64c3805ae6efa4ecb86afcb99b578

SHA1
f1d753508f43e191ca637da3ad8c1d32cadc525d

SHA256
8cb0e39cc86019976aa0bedfa3de62dbf8fde040ad068182202029c439339997

SHA512
8a37a39a3a81cba3ff98676016b43bbd068ee8637a27bc22ee3a86103293459ac49f01eb932fbeb902e9640fe0e4714302bedaa5e7b2b6be3a84d554608a08ed

Download Submit
C:\Windows\{DB8468DD-5960-4c48-8BD5-98BCFC610432}.exe

Filesize
168KB

MD5
63a64c3805ae6efa4ecb86afcb99b578

SHA1
f1d753508f43e191ca637da3ad8c1d32cadc525d

SHA256
8cb0e39cc86019976aa0bedfa3de62dbf8fde040ad068182202029c439339997

SHA512
8a37a39a3a81cba3ff98676016b43bbd068ee8637a27bc22ee3a86103293459ac49f01eb932fbeb902e9640fe0e4714302bedaa5e7b2b6be3a84d554608a08ed

Download Submit
C:\Windows\{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe

Filesize
168KB

MD5
d16d08408cdb271fc5a8dcdd0562a91f

SHA1
85b07ba62511d47589166fa5e5126cc23fd3b282

SHA256
7b3d693ecead5c9113f2cd0f042a9942fc4d188e511e87071f82cf2ae10caf55

SHA512
d5517198cfde02b37b6c3e22288c6f1f4e636753e516190bd6451eaec28f314905e03118ad410865a488497e2fe6d79521c4a36a035338c653059179c8e9f158

Download Submit
C:\Windows\{FBDC047F-4F49-40cb-8852-D4CB52EBF5E9}.exe

Filesize
168KB

MD5
d16d08408cdb271fc5a8dcdd0562a91f

SHA1
85b07ba62511d47589166fa5e5126cc23fd3b282

SHA256
7b3d693ecead5c9113f2cd0f042a9942fc4d188e511e87071f82cf2ae10caf55

SHA512
d5517198cfde02b37b6c3e22288c6f1f4e636753e516190bd6451eaec28f314905e03118ad410865a488497e2fe6d79521c4a36a035338c653059179c8e9f158

Download Submit