b3ef14043b6347b5996ffe1e1d2b57f63c31352bdeb67cc409a7de53b063552e

Analysis

max time kernel
151s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2023 12:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ff3e2ac2421bb_JC.exe
Size

408KB
MD5

6ff3e2ac2421bb0fecb374c93bef1f9e
SHA1

dd84c186514a383103950b4d501c1d19826091c3
SHA256

b3ef14043b6347b5996ffe1e1d2b57f63c31352bdeb67cc409a7de53b063552e
SHA512

c53701758a60205dd78c28f32c895efdc181ab5d0fd90a79ed17e871d478d17f0f22580e4a0718bf46804085b505af4dc8ecda2ade532d8854186b8799a11b8d
SSDEEP

3072:CEGh0oLl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEGVldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}\stubpath = "C:\\Windows\\{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe"	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{946D3344-FA7E-46fb-923A-39BBF76CCA96}	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}\stubpath = "C:\\Windows\\{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe"	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}\stubpath = "C:\\Windows\\{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe"	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{367A6DE1-9B56-4965-92FD-FAF49B0B023E}	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{626EE283-452A-4a91-95F2-54040C12DC5A}	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C84BCD5A-E919-426d-B475-E3BD40639079}	{626EE283-452A-4a91-95F2-54040C12DC5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{745A7275-E213-49c0-A64B-2FD7DDB9FA07}	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{367A6DE1-9B56-4965-92FD-FAF49B0B023E}\stubpath = "C:\\Windows\\{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe"	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{626EE283-452A-4a91-95F2-54040C12DC5A}\stubpath = "C:\\Windows\\{626EE283-452A-4a91-95F2-54040C12DC5A}.exe"	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C84BCD5A-E919-426d-B475-E3BD40639079}\stubpath = "C:\\Windows\\{C84BCD5A-E919-426d-B475-E3BD40639079}.exe"	{626EE283-452A-4a91-95F2-54040C12DC5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{888960D0-3573-4436-B640-69A949D69CD4}\stubpath = "C:\\Windows\\{888960D0-3573-4436-B640-69A949D69CD4}.exe"	6ff3e2ac2421bb_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{745A7275-E213-49c0-A64B-2FD7DDB9FA07}\stubpath = "C:\\Windows\\{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe"	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6D02452-859D-460e-A75E-1870573C8E2C}\stubpath = "C:\\Windows\\{B6D02452-859D-460e-A75E-1870573C8E2C}.exe"	{888960D0-3573-4436-B640-69A949D69CD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}\stubpath = "C:\\Windows\\{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe"	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{946D3344-FA7E-46fb-923A-39BBF76CCA96}\stubpath = "C:\\Windows\\{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe"	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B02DFA39-E0FE-40be-8F02-F28F8CC1D08D}	{C84BCD5A-E919-426d-B475-E3BD40639079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B02DFA39-E0FE-40be-8F02-F28F8CC1D08D}\stubpath = "C:\\Windows\\{B02DFA39-E0FE-40be-8F02-F28F8CC1D08D}.exe"	{C84BCD5A-E919-426d-B475-E3BD40639079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{888960D0-3573-4436-B640-69A949D69CD4}	6ff3e2ac2421bb_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6D02452-859D-460e-A75E-1870573C8E2C}	{888960D0-3573-4436-B640-69A949D69CD4}.exe

Executes dropped EXE 12 IoCs

pid	Process
5012	{888960D0-3573-4436-B640-69A949D69CD4}.exe
4164	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe
1588	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe
904	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe
1140	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe
32	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe
2864	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe
4772	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe
1120	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe
2796	{626EE283-452A-4a91-95F2-54040C12DC5A}.exe
260	{C84BCD5A-E919-426d-B475-E3BD40639079}.exe
1244	{B02DFA39-E0FE-40be-8F02-F28F8CC1D08D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe
File created	C:\Windows\{B02DFA39-E0FE-40be-8F02-F28F8CC1D08D}.exe	{C84BCD5A-E919-426d-B475-E3BD40639079}.exe
File created	C:\Windows\{888960D0-3573-4436-B640-69A949D69CD4}.exe	6ff3e2ac2421bb_JC.exe
File created	C:\Windows\{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe
File created	C:\Windows\{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe
File created	C:\Windows\{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe
File created	C:\Windows\{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe
File created	C:\Windows\{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe
File created	C:\Windows\{626EE283-452A-4a91-95F2-54040C12DC5A}.exe	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe
File created	C:\Windows\{C84BCD5A-E919-426d-B475-E3BD40639079}.exe	{626EE283-452A-4a91-95F2-54040C12DC5A}.exe
File created	C:\Windows\{B6D02452-859D-460e-A75E-1870573C8E2C}.exe	{888960D0-3573-4436-B640-69A949D69CD4}.exe
File created	C:\Windows\{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1152	6ff3e2ac2421bb_JC.exe
Token: SeIncBasePriorityPrivilege	5012	{888960D0-3573-4436-B640-69A949D69CD4}.exe
Token: SeIncBasePriorityPrivilege	4164	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe
Token: SeIncBasePriorityPrivilege	1588	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe
Token: SeIncBasePriorityPrivilege	904	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe
Token: SeIncBasePriorityPrivilege	1140	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe
Token: SeIncBasePriorityPrivilege	32	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe
Token: SeIncBasePriorityPrivilege	2864	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe
Token: SeIncBasePriorityPrivilege	4772	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe
Token: SeIncBasePriorityPrivilege	1120	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe
Token: SeIncBasePriorityPrivilege	2796	{626EE283-452A-4a91-95F2-54040C12DC5A}.exe
Token: SeIncBasePriorityPrivilege	260	{C84BCD5A-E919-426d-B475-E3BD40639079}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 5012	1152	6ff3e2ac2421bb_JC.exe	91
PID 1152 wrote to memory of 5012	1152	6ff3e2ac2421bb_JC.exe	91
PID 1152 wrote to memory of 5012	1152	6ff3e2ac2421bb_JC.exe	91
PID 1152 wrote to memory of 3908	1152	6ff3e2ac2421bb_JC.exe	92
PID 1152 wrote to memory of 3908	1152	6ff3e2ac2421bb_JC.exe	92
PID 1152 wrote to memory of 3908	1152	6ff3e2ac2421bb_JC.exe	92
PID 5012 wrote to memory of 4164	5012	{888960D0-3573-4436-B640-69A949D69CD4}.exe	95
PID 5012 wrote to memory of 4164	5012	{888960D0-3573-4436-B640-69A949D69CD4}.exe	95
PID 5012 wrote to memory of 4164	5012	{888960D0-3573-4436-B640-69A949D69CD4}.exe	95
PID 5012 wrote to memory of 4032	5012	{888960D0-3573-4436-B640-69A949D69CD4}.exe	96
PID 5012 wrote to memory of 4032	5012	{888960D0-3573-4436-B640-69A949D69CD4}.exe	96
PID 5012 wrote to memory of 4032	5012	{888960D0-3573-4436-B640-69A949D69CD4}.exe	96
PID 4164 wrote to memory of 1588	4164	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe	99
PID 4164 wrote to memory of 1588	4164	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe	99
PID 4164 wrote to memory of 1588	4164	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe	99
PID 4164 wrote to memory of 1136	4164	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe	100
PID 4164 wrote to memory of 1136	4164	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe	100
PID 4164 wrote to memory of 1136	4164	{B6D02452-859D-460e-A75E-1870573C8E2C}.exe	100
PID 1588 wrote to memory of 904	1588	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe	101
PID 1588 wrote to memory of 904	1588	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe	101
PID 1588 wrote to memory of 904	1588	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe	101
PID 1588 wrote to memory of 1304	1588	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe	102
PID 1588 wrote to memory of 1304	1588	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe	102
PID 1588 wrote to memory of 1304	1588	{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe	102
PID 904 wrote to memory of 1140	904	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe	103
PID 904 wrote to memory of 1140	904	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe	103
PID 904 wrote to memory of 1140	904	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe	103
PID 904 wrote to memory of 1908	904	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe	104
PID 904 wrote to memory of 1908	904	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe	104
PID 904 wrote to memory of 1908	904	{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe	104
PID 1140 wrote to memory of 32	1140	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe	106
PID 1140 wrote to memory of 32	1140	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe	106
PID 1140 wrote to memory of 32	1140	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe	106
PID 1140 wrote to memory of 3352	1140	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe	107
PID 1140 wrote to memory of 3352	1140	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe	107
PID 1140 wrote to memory of 3352	1140	{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe	107
PID 32 wrote to memory of 2864	32	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe	108
PID 32 wrote to memory of 2864	32	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe	108
PID 32 wrote to memory of 2864	32	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe	108
PID 32 wrote to memory of 2852	32	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe	109
PID 32 wrote to memory of 2852	32	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe	109
PID 32 wrote to memory of 2852	32	{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe	109
PID 2864 wrote to memory of 4772	2864	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe	110
PID 2864 wrote to memory of 4772	2864	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe	110
PID 2864 wrote to memory of 4772	2864	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe	110
PID 2864 wrote to memory of 2220	2864	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe	111
PID 2864 wrote to memory of 2220	2864	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe	111
PID 2864 wrote to memory of 2220	2864	{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe	111
PID 4772 wrote to memory of 1120	4772	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe	118
PID 4772 wrote to memory of 1120	4772	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe	118
PID 4772 wrote to memory of 1120	4772	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe	118
PID 4772 wrote to memory of 4512	4772	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe	119
PID 4772 wrote to memory of 4512	4772	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe	119
PID 4772 wrote to memory of 4512	4772	{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe	119
PID 1120 wrote to memory of 2796	1120	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe	120
PID 1120 wrote to memory of 2796	1120	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe	120
PID 1120 wrote to memory of 2796	1120	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe	120
PID 1120 wrote to memory of 3412	1120	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe	121
PID 1120 wrote to memory of 3412	1120	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe	121
PID 1120 wrote to memory of 3412	1120	{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe	121
PID 2796 wrote to memory of 260	2796	{626EE283-452A-4a91-95F2-54040C12DC5A}.exe	123
PID 2796 wrote to memory of 260	2796	{626EE283-452A-4a91-95F2-54040C12DC5A}.exe	123
PID 2796 wrote to memory of 260	2796	{626EE283-452A-4a91-95F2-54040C12DC5A}.exe	123
PID 2796 wrote to memory of 1892	2796	{626EE283-452A-4a91-95F2-54040C12DC5A}.exe	122

C:\Users\Admin\AppData\Local\Temp\6ff3e2ac2421bb_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6ff3e2ac2421bb_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\{888960D0-3573-4436-B640-69A949D69CD4}.exe
  C:\Windows\{888960D0-3573-4436-B640-69A949D69CD4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\{B6D02452-859D-460e-A75E-1870573C8E2C}.exe
    C:\Windows\{B6D02452-859D-460e-A75E-1870573C8E2C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe
      C:\Windows\{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1588
    - - C:\Windows\{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe
        
        C:\Windows\{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:904
      - C:\Windows\{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe
        
        C:\Windows\{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe
        
        C:\Windows\{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe
        
        C:\Windows\{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe
        
        C:\Windows\{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe
        
        C:\Windows\{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1120
        
        C:\Windows\{626EE283-452A-4a91-95F2-54040C12DC5A}.exe
        
        C:\Windows\{626EE283-452A-4a91-95F2-54040C12DC5A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{626EE~1.EXE > nul
        12⤵
        
        PID:1892
        
        C:\Windows\{C84BCD5A-E919-426d-B475-E3BD40639079}.exe
        
        C:\Windows\{C84BCD5A-E919-426d-B475-E3BD40639079}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:260
        
        C:\Windows\{B02DFA39-E0FE-40be-8F02-F28F8CC1D08D}.exe
        
        C:\Windows\{B02DFA39-E0FE-40be-8F02-F28F8CC1D08D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C84BC~1.EXE > nul
        13⤵
        
        PID:3628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{367A6~1.EXE > nul
        11⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{636A0~1.EXE > nul
        10⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0B58E~1.EXE > nul
        9⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB0B9~1.EXE > nul
        8⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{946D3~1.EXE > nul
        7⤵
        
        PID:3352
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F8F7~1.EXE > nul
        6⤵
        
        PID:1908
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{745A7~1.EXE > nul
        5⤵
        
        PID:1304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6D02~1.EXE > nul
      4⤵
      PID:1136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{88896~1.EXE > nul
    3⤵
    PID:4032
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\6FF3E2~1.EXE > nul
  2⤵
  PID:3908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe

Filesize
408KB

MD5
e3d29134193e109a2e604fe8fd5496bf

SHA1
b2d8e418a249effd3137b9bedf7da325fd36f95b

SHA256
c65055d966e6fa874fc78d4b25f2ddc7b6ee00f1d43479a24baa4bb937165d7b

SHA512
a4acb0f696fd12afb6dff2da2d71d0b9875df0ef0b4fa05dc687b4a2980b104bc8cce767f01c8732d0c2e881374638021faf7ed83cefe28ceeaaf9da0898f169

Download Submit
C:\Windows\{0B58EE39-7B53-4d47-9B2E-FFF1CBE165EC}.exe

Filesize
408KB

MD5
e3d29134193e109a2e604fe8fd5496bf

SHA1
b2d8e418a249effd3137b9bedf7da325fd36f95b

SHA256
c65055d966e6fa874fc78d4b25f2ddc7b6ee00f1d43479a24baa4bb937165d7b

SHA512
a4acb0f696fd12afb6dff2da2d71d0b9875df0ef0b4fa05dc687b4a2980b104bc8cce767f01c8732d0c2e881374638021faf7ed83cefe28ceeaaf9da0898f169

Download Submit
C:\Windows\{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe

Filesize
408KB

MD5
0791e881b74d0e584b301549a56f6a24

SHA1
4f5b453ce25007084af33849b2ac7a2c31b8ddd7

SHA256
cab9afa6c6363d86cbfef63cb0c804e208e3762c25af1a11cbcd5ea00e1531cd

SHA512
2ee5e6152e997f8cd24fd98b426d30f149820b131bf11f863ccc306c32335f72196d8be74627d38e9b3b7462a93b5fa8a062bd8c76fa3ef14f7722ee9e501c8d

Download Submit
C:\Windows\{367A6DE1-9B56-4965-92FD-FAF49B0B023E}.exe

Filesize
408KB

MD5
0791e881b74d0e584b301549a56f6a24

SHA1
4f5b453ce25007084af33849b2ac7a2c31b8ddd7

SHA256
cab9afa6c6363d86cbfef63cb0c804e208e3762c25af1a11cbcd5ea00e1531cd

SHA512
2ee5e6152e997f8cd24fd98b426d30f149820b131bf11f863ccc306c32335f72196d8be74627d38e9b3b7462a93b5fa8a062bd8c76fa3ef14f7722ee9e501c8d

Download Submit
C:\Windows\{626EE283-452A-4a91-95F2-54040C12DC5A}.exe

Filesize
408KB

MD5
029f3027cb0749cb9a04c72b225a5e42

SHA1
550feeae5328879e0e60600987aa9abc0403244d

SHA256
cc7ebe204c52ad577d7c426e3da5fe3a6343d62f13877661c6a0366badbebeae

SHA512
f24e2044f43504d50839cf1a5605116a0d5dcfda850aa12a6f9007284baecc8dc64eb14ff16823eba2bc81248b21088f8c7a5b2e70be9cc410ae2837d27528b1

Download Submit
C:\Windows\{626EE283-452A-4a91-95F2-54040C12DC5A}.exe

Filesize
408KB

MD5
029f3027cb0749cb9a04c72b225a5e42

SHA1
550feeae5328879e0e60600987aa9abc0403244d

SHA256
cc7ebe204c52ad577d7c426e3da5fe3a6343d62f13877661c6a0366badbebeae

SHA512
f24e2044f43504d50839cf1a5605116a0d5dcfda850aa12a6f9007284baecc8dc64eb14ff16823eba2bc81248b21088f8c7a5b2e70be9cc410ae2837d27528b1

Download Submit
C:\Windows\{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe

Filesize
408KB

MD5
3cee9d56b9a7501dd67f6a1bdf8b0d3f

SHA1
8846104af6b63aa53fd30585e4a3acafb869f624

SHA256
21c6692cf3c003a2c8bc897655d6ba54d705a3ff018bc23f345b1bbb00ed135f

SHA512
134832b60d02aee37bd98605e0128df11718e07db504a7826fa4a5ee81c30f7d69182bbf151f086e8651b7375e63dbddb414957c7260592596277b5901b76aac

Download Submit
C:\Windows\{636A0C77-BEAE-4e71-9BCD-F0751F2509F4}.exe

Filesize
408KB

MD5
3cee9d56b9a7501dd67f6a1bdf8b0d3f

SHA1
8846104af6b63aa53fd30585e4a3acafb869f624

SHA256
21c6692cf3c003a2c8bc897655d6ba54d705a3ff018bc23f345b1bbb00ed135f

SHA512
134832b60d02aee37bd98605e0128df11718e07db504a7826fa4a5ee81c30f7d69182bbf151f086e8651b7375e63dbddb414957c7260592596277b5901b76aac

Download Submit
C:\Windows\{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe

Filesize
408KB

MD5
fed21fdf56e331601c48e9f57f7da85d

SHA1
d4276aad7f2f8c4f3f11ddbe3f275223a41368b8

SHA256
1f808bb2bddeee8b3d2818051482b5ec2c123bba2afa51cedb82156e1a2059ec

SHA512
ff85eadf5f7d53197dc057f3576281504910485d1a925a4dff842ddd5589a91ceafd68a871257f530f75c92e7c2b4828aea50e094dec329838c316efa0ed2e4e

Download Submit
C:\Windows\{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe

Filesize
408KB

MD5
fed21fdf56e331601c48e9f57f7da85d

SHA1
d4276aad7f2f8c4f3f11ddbe3f275223a41368b8

SHA256
1f808bb2bddeee8b3d2818051482b5ec2c123bba2afa51cedb82156e1a2059ec

SHA512
ff85eadf5f7d53197dc057f3576281504910485d1a925a4dff842ddd5589a91ceafd68a871257f530f75c92e7c2b4828aea50e094dec329838c316efa0ed2e4e

Download Submit
C:\Windows\{745A7275-E213-49c0-A64B-2FD7DDB9FA07}.exe

Filesize
408KB

MD5
fed21fdf56e331601c48e9f57f7da85d

SHA1
d4276aad7f2f8c4f3f11ddbe3f275223a41368b8

SHA256
1f808bb2bddeee8b3d2818051482b5ec2c123bba2afa51cedb82156e1a2059ec

SHA512
ff85eadf5f7d53197dc057f3576281504910485d1a925a4dff842ddd5589a91ceafd68a871257f530f75c92e7c2b4828aea50e094dec329838c316efa0ed2e4e

Download Submit
C:\Windows\{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe

Filesize
408KB

MD5
6c3bb583dd65472388350c2c1607950d

SHA1
2489e36c4117ba7b536513de683d86e42015820f

SHA256
66d6e6f7d929ee6f8fcef45d5a9dda99ff7100fadff54313c38878970e1e8472

SHA512
bb62c273f608efe9e2d49e1d9d4aecf5b2d00ede35bafa4b038633fda4d4139ceb8956542772a596f92785150e139d881a458de49db61b2b72e2bd9452e88a58

Download Submit
C:\Windows\{7F8F7BC0-7DBF-4ff6-B74A-C5D0C4D33D80}.exe

Filesize
408KB

MD5
6c3bb583dd65472388350c2c1607950d

SHA1
2489e36c4117ba7b536513de683d86e42015820f

SHA256
66d6e6f7d929ee6f8fcef45d5a9dda99ff7100fadff54313c38878970e1e8472

SHA512
bb62c273f608efe9e2d49e1d9d4aecf5b2d00ede35bafa4b038633fda4d4139ceb8956542772a596f92785150e139d881a458de49db61b2b72e2bd9452e88a58

Download Submit
C:\Windows\{888960D0-3573-4436-B640-69A949D69CD4}.exe

Filesize
408KB

MD5
92fd5b03bfd7523b3e12e0357785bda3

SHA1
4c1a873b7c9e994b3d8fa58959d6fcafc9ad6698

SHA256
be7977e6fbde57ff7ca20da240ade4706148f8b28e93947eb781cfe1387e6556

SHA512
e8e248bb4f72682f76b92a16d50ab133f5cb770ce99328e47a8fbe8df8c4864874f5fc6e92da8dfe6428e95179b7bfc30c1fccfbf69898b3cd9d67f7c309728b

Download Submit
C:\Windows\{888960D0-3573-4436-B640-69A949D69CD4}.exe

Filesize
408KB

MD5
92fd5b03bfd7523b3e12e0357785bda3

SHA1
4c1a873b7c9e994b3d8fa58959d6fcafc9ad6698

SHA256
be7977e6fbde57ff7ca20da240ade4706148f8b28e93947eb781cfe1387e6556

SHA512
e8e248bb4f72682f76b92a16d50ab133f5cb770ce99328e47a8fbe8df8c4864874f5fc6e92da8dfe6428e95179b7bfc30c1fccfbf69898b3cd9d67f7c309728b

Download Submit
C:\Windows\{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe

Filesize
408KB

MD5
568b9a80ef7a4994446d687746461e58

SHA1
ff18be9f65c1c6918c1235729edcd210874419f5

SHA256
1c4cd016b943e7796304be3f094bbe6998350709baaa1463c6378b22dc1f1014

SHA512
fdf09a99e0f93b1b96754f36244bc56df4f4ebdd3feb19bbf1e7bd0a8fb0eaa0f0b00044dfe67629c3bfa584e99b878d2b13ccede6849c8d68b919d4463ed54d

Download Submit
C:\Windows\{946D3344-FA7E-46fb-923A-39BBF76CCA96}.exe

Filesize
408KB

MD5
568b9a80ef7a4994446d687746461e58

SHA1
ff18be9f65c1c6918c1235729edcd210874419f5

SHA256
1c4cd016b943e7796304be3f094bbe6998350709baaa1463c6378b22dc1f1014

SHA512
fdf09a99e0f93b1b96754f36244bc56df4f4ebdd3feb19bbf1e7bd0a8fb0eaa0f0b00044dfe67629c3bfa584e99b878d2b13ccede6849c8d68b919d4463ed54d

Download Submit
C:\Windows\{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe

Filesize
408KB

MD5
8b842d65c6aafa948b5365be7276c11d

SHA1
ed3210a0f91bf28378672c042272b468200309eb

SHA256
bb8491a46d7cf5e0f59908d32e5647c45f75ecc27dbcda9cba6bc6b13b36665d

SHA512
1c4c535edc447673d5d5eee2d251a03c539973707df63edd65daa008c4b0f63cc06f84aeba8036ddc629e8152925877fa56eed3fbbd355c46b2c9a144485b0dc

Download Submit
C:\Windows\{AB0B9ACD-8F3F-4e12-9DEC-BD47E473F605}.exe

Filesize
408KB

MD5
8b842d65c6aafa948b5365be7276c11d

SHA1
ed3210a0f91bf28378672c042272b468200309eb

SHA256
bb8491a46d7cf5e0f59908d32e5647c45f75ecc27dbcda9cba6bc6b13b36665d

SHA512
1c4c535edc447673d5d5eee2d251a03c539973707df63edd65daa008c4b0f63cc06f84aeba8036ddc629e8152925877fa56eed3fbbd355c46b2c9a144485b0dc

Download Submit
C:\Windows\{B02DFA39-E0FE-40be-8F02-F28F8CC1D08D}.exe

Filesize
408KB

MD5
effff7f04c9ac04d1b719b4f801ecd70

SHA1
ddcedc0ab28503050fedb58364cee6d4b3909cb3

SHA256
165127c2b020f66b72907373bbb2f9823a20908eee11ebd3b50bfcf88ca1a81d

SHA512
fe74799d9d1087f84d961b3686e7084c8f1bc806981f40a25587209c3b994550ca39577914c2143eac6a651fb6732b069f82480a56b71a91de5628bc8e24dbe0

Download Submit
C:\Windows\{B02DFA39-E0FE-40be-8F02-F28F8CC1D08D}.exe

Filesize
408KB

MD5
effff7f04c9ac04d1b719b4f801ecd70

SHA1
ddcedc0ab28503050fedb58364cee6d4b3909cb3

SHA256
165127c2b020f66b72907373bbb2f9823a20908eee11ebd3b50bfcf88ca1a81d

SHA512
fe74799d9d1087f84d961b3686e7084c8f1bc806981f40a25587209c3b994550ca39577914c2143eac6a651fb6732b069f82480a56b71a91de5628bc8e24dbe0

Download Submit
C:\Windows\{B6D02452-859D-460e-A75E-1870573C8E2C}.exe

Filesize
408KB

MD5
922e3aa27399b80ee98ef6d3ff9ddb67

SHA1
3673038604412b724d2057fe444c615438380b59

SHA256
3bdf30022cd59b881e09b05d1025d756bd8a554bcc7e3abe1d405e8f12bb93e2

SHA512
9690101ba7c5dc4d17aaf4f374cdcdf3f7591473833896f04407fcf270f6cc10e2de7dc2be30581e10dc9721d575f63aca7eebbe65beff95f1f4556baed09040

Download Submit
C:\Windows\{B6D02452-859D-460e-A75E-1870573C8E2C}.exe

Filesize
408KB

MD5
922e3aa27399b80ee98ef6d3ff9ddb67

SHA1
3673038604412b724d2057fe444c615438380b59

SHA256
3bdf30022cd59b881e09b05d1025d756bd8a554bcc7e3abe1d405e8f12bb93e2

SHA512
9690101ba7c5dc4d17aaf4f374cdcdf3f7591473833896f04407fcf270f6cc10e2de7dc2be30581e10dc9721d575f63aca7eebbe65beff95f1f4556baed09040

Download Submit
C:\Windows\{C84BCD5A-E919-426d-B475-E3BD40639079}.exe

Filesize
408KB

MD5
40dffcd64746f3a6f3fe93b96f37b80b

SHA1
a01f93082db7c57c81f2b8f6a218081a57b680df

SHA256
a9d9f8f845bfb37274b34caa0a76048288fb84572bbda792803393c2afa7feed

SHA512
2df1d50c8003c17271bb273a92448622360e043c6f016484abdfb304a0e5a29925cfc837692ef3de8c25a964ad3c5b3710d29de9e1844beb0c1dd9241a085a7a

Download Submit
C:\Windows\{C84BCD5A-E919-426d-B475-E3BD40639079}.exe

Filesize
408KB

MD5
40dffcd64746f3a6f3fe93b96f37b80b

SHA1
a01f93082db7c57c81f2b8f6a218081a57b680df

SHA256
a9d9f8f845bfb37274b34caa0a76048288fb84572bbda792803393c2afa7feed

SHA512
2df1d50c8003c17271bb273a92448622360e043c6f016484abdfb304a0e5a29925cfc837692ef3de8c25a964ad3c5b3710d29de9e1844beb0c1dd9241a085a7a

Download Submit