50a1f44956d3521d7cdaa719682646ee33f4936ed327a1d24274fa9a2eb37bea

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 16:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

786b8f45ff73b2_JC.exe
Size

168KB
MD5

786b8f45ff73b2908c621b972fdee5de
SHA1

85fa897507ef077b9fa00524c13c48646fc774dd
SHA256

50a1f44956d3521d7cdaa719682646ee33f4936ed327a1d24274fa9a2eb37bea
SHA512

c1610822833534227a6a5073a47f6f08d33402130dfee5d5a5b07e808b7f52800f70929459d3c42fc8f3dd95014f5820c7536b28cc90d068d197b95b97172a1e
SSDEEP

1536:1EGh0oilq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oilqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}\stubpath = "C:\\Windows\\{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe"	{471A3417-25A6-4ad8-9157-657388969BE6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78C25B7A-7938-43d3-8A99-543EF48A009E}\stubpath = "C:\\Windows\\{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe"	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{365EB828-87D2-4ccf-A7B4-470DDAB380F4}\stubpath = "C:\\Windows\\{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe"	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE0B9081-9874-46b6-A973-D1D897BE9645}	{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55F95C75-93A9-4149-B2CC-3DBD649CECDB}	{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBE727FA-32A2-4d0b-956D-CD173E803940}	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF6BF02C-4BC5-4af1-B026-977259B270E3}	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{471A3417-25A6-4ad8-9157-657388969BE6}	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}\stubpath = "C:\\Windows\\{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe"	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{365EB828-87D2-4ccf-A7B4-470DDAB380F4}	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B61FC49-61D2-4222-AA36-E67F82134E07}	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D349FB18-CCF5-42c2-9063-A856521F4772}	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF6BF02C-4BC5-4af1-B026-977259B270E3}\stubpath = "C:\\Windows\\{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe"	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D349FB18-CCF5-42c2-9063-A856521F4772}\stubpath = "C:\\Windows\\{D349FB18-CCF5-42c2-9063-A856521F4772}.exe"	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}	{471A3417-25A6-4ad8-9157-657388969BE6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78C25B7A-7938-43d3-8A99-543EF48A009E}	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE0B9081-9874-46b6-A973-D1D897BE9645}\stubpath = "C:\\Windows\\{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe"	{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D537ADF-AA4B-49e7-884B-530441C02E32}	786b8f45ff73b2_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B61FC49-61D2-4222-AA36-E67F82134E07}\stubpath = "C:\\Windows\\{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe"	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{471A3417-25A6-4ad8-9157-657388969BE6}\stubpath = "C:\\Windows\\{471A3417-25A6-4ad8-9157-657388969BE6}.exe"	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55F95C75-93A9-4149-B2CC-3DBD649CECDB}\stubpath = "C:\\Windows\\{55F95C75-93A9-4149-B2CC-3DBD649CECDB}.exe"	{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D537ADF-AA4B-49e7-884B-530441C02E32}\stubpath = "C:\\Windows\\{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe"	786b8f45ff73b2_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EBE727FA-32A2-4d0b-956D-CD173E803940}\stubpath = "C:\\Windows\\{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe"	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe

Executes dropped EXE 12 IoCs

pid	Process
4896	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe
5028	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe
3416	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe
4172	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe
2664	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe
1476	{471A3417-25A6-4ad8-9157-657388969BE6}.exe
4224	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe
1276	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe
688	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe
3844	{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe
4244	{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe
3928	{55F95C75-93A9-4149-B2CC-3DBD649CECDB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{D349FB18-CCF5-42c2-9063-A856521F4772}.exe	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe
File created	C:\Windows\{471A3417-25A6-4ad8-9157-657388969BE6}.exe	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe
File created	C:\Windows\{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe	{471A3417-25A6-4ad8-9157-657388969BE6}.exe
File created	C:\Windows\{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe
File created	C:\Windows\{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe
File created	C:\Windows\{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe
File created	C:\Windows\{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe
File created	C:\Windows\{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe
File created	C:\Windows\{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe
File created	C:\Windows\{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe	{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe
File created	C:\Windows\{55F95C75-93A9-4149-B2CC-3DBD649CECDB}.exe	{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe
File created	C:\Windows\{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe	786b8f45ff73b2_JC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	560	786b8f45ff73b2_JC.exe
Token: SeIncBasePriorityPrivilege	4896	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe
Token: SeIncBasePriorityPrivilege	5028	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe
Token: SeIncBasePriorityPrivilege	3416	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe
Token: SeIncBasePriorityPrivilege	4172	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe
Token: SeIncBasePriorityPrivilege	2664	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe
Token: SeIncBasePriorityPrivilege	1476	{471A3417-25A6-4ad8-9157-657388969BE6}.exe
Token: SeIncBasePriorityPrivilege	4224	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe
Token: SeIncBasePriorityPrivilege	1276	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe
Token: SeIncBasePriorityPrivilege	688	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe
Token: SeIncBasePriorityPrivilege	3844	{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe
Token: SeIncBasePriorityPrivilege	4244	{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 4896	560	786b8f45ff73b2_JC.exe	94
PID 560 wrote to memory of 4896	560	786b8f45ff73b2_JC.exe	94
PID 560 wrote to memory of 4896	560	786b8f45ff73b2_JC.exe	94
PID 560 wrote to memory of 3232	560	786b8f45ff73b2_JC.exe	95
PID 560 wrote to memory of 3232	560	786b8f45ff73b2_JC.exe	95
PID 560 wrote to memory of 3232	560	786b8f45ff73b2_JC.exe	95
PID 4896 wrote to memory of 5028	4896	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe	98
PID 4896 wrote to memory of 5028	4896	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe	98
PID 4896 wrote to memory of 5028	4896	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe	98
PID 4896 wrote to memory of 1728	4896	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe	99
PID 4896 wrote to memory of 1728	4896	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe	99
PID 4896 wrote to memory of 1728	4896	{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe	99
PID 5028 wrote to memory of 3416	5028	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe	102
PID 5028 wrote to memory of 3416	5028	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe	102
PID 5028 wrote to memory of 3416	5028	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe	102
PID 5028 wrote to memory of 1496	5028	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe	101
PID 5028 wrote to memory of 1496	5028	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe	101
PID 5028 wrote to memory of 1496	5028	{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe	101
PID 3416 wrote to memory of 4172	3416	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe	103
PID 3416 wrote to memory of 4172	3416	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe	103
PID 3416 wrote to memory of 4172	3416	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe	103
PID 3416 wrote to memory of 2680	3416	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe	104
PID 3416 wrote to memory of 2680	3416	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe	104
PID 3416 wrote to memory of 2680	3416	{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe	104
PID 4172 wrote to memory of 2664	4172	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe	105
PID 4172 wrote to memory of 2664	4172	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe	105
PID 4172 wrote to memory of 2664	4172	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe	105
PID 4172 wrote to memory of 2408	4172	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe	106
PID 4172 wrote to memory of 2408	4172	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe	106
PID 4172 wrote to memory of 2408	4172	{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe	106
PID 2664 wrote to memory of 1476	2664	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe	107
PID 2664 wrote to memory of 1476	2664	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe	107
PID 2664 wrote to memory of 1476	2664	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe	107
PID 2664 wrote to memory of 660	2664	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe	108
PID 2664 wrote to memory of 660	2664	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe	108
PID 2664 wrote to memory of 660	2664	{D349FB18-CCF5-42c2-9063-A856521F4772}.exe	108
PID 1476 wrote to memory of 4224	1476	{471A3417-25A6-4ad8-9157-657388969BE6}.exe	109
PID 1476 wrote to memory of 4224	1476	{471A3417-25A6-4ad8-9157-657388969BE6}.exe	109
PID 1476 wrote to memory of 4224	1476	{471A3417-25A6-4ad8-9157-657388969BE6}.exe	109
PID 1476 wrote to memory of 4824	1476	{471A3417-25A6-4ad8-9157-657388969BE6}.exe	110
PID 1476 wrote to memory of 4824	1476	{471A3417-25A6-4ad8-9157-657388969BE6}.exe	110
PID 1476 wrote to memory of 4824	1476	{471A3417-25A6-4ad8-9157-657388969BE6}.exe	110
PID 4224 wrote to memory of 1276	4224	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe	112
PID 4224 wrote to memory of 1276	4224	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe	112
PID 4224 wrote to memory of 1276	4224	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe	112
PID 4224 wrote to memory of 900	4224	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe	111
PID 4224 wrote to memory of 900	4224	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe	111
PID 4224 wrote to memory of 900	4224	{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe	111
PID 1276 wrote to memory of 688	1276	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe	113
PID 1276 wrote to memory of 688	1276	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe	113
PID 1276 wrote to memory of 688	1276	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe	113
PID 1276 wrote to memory of 4976	1276	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe	114
PID 1276 wrote to memory of 4976	1276	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe	114
PID 1276 wrote to memory of 4976	1276	{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe	114
PID 688 wrote to memory of 3844	688	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe	115
PID 688 wrote to memory of 3844	688	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe	115
PID 688 wrote to memory of 3844	688	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe	115
PID 688 wrote to memory of 4680	688	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe	116
PID 688 wrote to memory of 4680	688	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe	116
PID 688 wrote to memory of 4680	688	{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe	116
PID 3844 wrote to memory of 4244	3844	{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe	117
PID 3844 wrote to memory of 4244	3844	{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe	117
PID 3844 wrote to memory of 4244	3844	{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe	117
PID 3844 wrote to memory of 4692	3844	{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe	118

C:\Users\Admin\AppData\Local\Temp\786b8f45ff73b2_JC.exe
"C:\Users\Admin\AppData\Local\Temp\786b8f45ff73b2_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe
  C:\Windows\{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4896
- - C:\Windows\{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe
    C:\Windows\{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8B61F~1.EXE > nul
      4⤵
      PID:1496
  - - C:\Windows\{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe
      C:\Windows\{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3416
    - - C:\Windows\{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe
        
        C:\Windows\{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
      - C:\Windows\{D349FB18-CCF5-42c2-9063-A856521F4772}.exe
        
        C:\Windows\{D349FB18-CCF5-42c2-9063-A856521F4772}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{471A3417-25A6-4ad8-9157-657388969BE6}.exe
        
        C:\Windows\{471A3417-25A6-4ad8-9157-657388969BE6}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe
        
        C:\Windows\{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF5D6~1.EXE > nul
        9⤵
        
        PID:900
        
        C:\Windows\{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe
        
        C:\Windows\{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe
        
        C:\Windows\{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe
        
        C:\Windows\{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3844
        
        C:\Windows\{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe
        
        C:\Windows\{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE0B9~1.EXE > nul
        13⤵
        
        PID:4888
        
        C:\Windows\{55F95C75-93A9-4149-B2CC-3DBD649CECDB}.exe
        
        C:\Windows\{55F95C75-93A9-4149-B2CC-3DBD649CECDB}.exe
        13⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{365EB~1.EXE > nul
        12⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78C25~1.EXE > nul
        11⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA9C4~1.EXE > nul
        10⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{471A3~1.EXE > nul
        8⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D349F~1.EXE > nul
        7⤵
        
        PID:660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF6BF~1.EXE > nul
        6⤵
        
        PID:2408
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EBE72~1.EXE > nul
        5⤵
        
        PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2D537~1.EXE > nul
    3⤵
    PID:1728
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\786B8F~1.EXE > nul
  2⤵
  PID:3232

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe

Filesize
168KB

MD5
4c5e4dcd9cd65cc4e00382ca53709f3b

SHA1
7057fa751507018cecd569b7fd556aa2e4a94165

SHA256
5930c56c65d517b4510fde7c7acdbc991ac10264ec6e9066935610cb8ae34389

SHA512
c7775d439673738d43a7214d190c68936f43330c386b95c50b4080fce8a1ac7cbf235c157f504053b2c294f5089a7c9bcf9fa1aeca99eaa5126c95751ed00db3

Download Submit
C:\Windows\{2D537ADF-AA4B-49e7-884B-530441C02E32}.exe

Filesize
168KB

MD5
4c5e4dcd9cd65cc4e00382ca53709f3b

SHA1
7057fa751507018cecd569b7fd556aa2e4a94165

SHA256
5930c56c65d517b4510fde7c7acdbc991ac10264ec6e9066935610cb8ae34389

SHA512
c7775d439673738d43a7214d190c68936f43330c386b95c50b4080fce8a1ac7cbf235c157f504053b2c294f5089a7c9bcf9fa1aeca99eaa5126c95751ed00db3

Download Submit
C:\Windows\{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe

Filesize
168KB

MD5
0895e4ca646c3c67bae9d4a436a3a9b9

SHA1
4179ad8377379b75e74539102fe75dbe4146af91

SHA256
821696a84d774386bb4d489930dca6c8996ef23bc4b50e83c411eaabd0325bc8

SHA512
e22c5004a19db4cd8d689bbb6e537b7b1bd1dde7820bd44bf867bfd97af59c68dae823a53e2a7c2b4cf904f5f830108fe45330ec186b0cb2e21c1d6a427e3b68

Download Submit
C:\Windows\{365EB828-87D2-4ccf-A7B4-470DDAB380F4}.exe

Filesize
168KB

MD5
0895e4ca646c3c67bae9d4a436a3a9b9

SHA1
4179ad8377379b75e74539102fe75dbe4146af91

SHA256
821696a84d774386bb4d489930dca6c8996ef23bc4b50e83c411eaabd0325bc8

SHA512
e22c5004a19db4cd8d689bbb6e537b7b1bd1dde7820bd44bf867bfd97af59c68dae823a53e2a7c2b4cf904f5f830108fe45330ec186b0cb2e21c1d6a427e3b68

Download Submit
C:\Windows\{471A3417-25A6-4ad8-9157-657388969BE6}.exe

Filesize
168KB

MD5
0aec318950fadde7bd16ed4b99966227

SHA1
89449b0061b6b8b6a77b10b53603647cbdfc8f5f

SHA256
31a100d2b36f8af142c857decf39d8a595a93f3a3e7ccc9357c7c502d300ee3b

SHA512
7ed89f534b9b5e0d0b8210976032f214ea983eb73efa4b3959097422f5c284c4dea85092188fe3993a9fddff9470231544c754d4bc9502c6b2a2ade95b6bb3b7

Download Submit
C:\Windows\{471A3417-25A6-4ad8-9157-657388969BE6}.exe

Filesize
168KB

MD5
0aec318950fadde7bd16ed4b99966227

SHA1
89449b0061b6b8b6a77b10b53603647cbdfc8f5f

SHA256
31a100d2b36f8af142c857decf39d8a595a93f3a3e7ccc9357c7c502d300ee3b

SHA512
7ed89f534b9b5e0d0b8210976032f214ea983eb73efa4b3959097422f5c284c4dea85092188fe3993a9fddff9470231544c754d4bc9502c6b2a2ade95b6bb3b7

Download Submit
C:\Windows\{55F95C75-93A9-4149-B2CC-3DBD649CECDB}.exe

Filesize
168KB

MD5
7b24f89234f2dc09001827f790333c06

SHA1
08d5544ab0230d870bf4d08eda5b02b466891efd

SHA256
cece01e4398afad45df8a4c7442149a7b6271143d618e2e3f3e2437acfd3268d

SHA512
1af3fddcf49e9e0d56f2da71245d7ea2c11d0cd8d333ff9afd410295d25149207189970e4520263d727e44700e64469f754e00acb7bfe7c389dc737a8f3a62e6

Download Submit
C:\Windows\{55F95C75-93A9-4149-B2CC-3DBD649CECDB}.exe

Filesize
168KB

MD5
7b24f89234f2dc09001827f790333c06

SHA1
08d5544ab0230d870bf4d08eda5b02b466891efd

SHA256
cece01e4398afad45df8a4c7442149a7b6271143d618e2e3f3e2437acfd3268d

SHA512
1af3fddcf49e9e0d56f2da71245d7ea2c11d0cd8d333ff9afd410295d25149207189970e4520263d727e44700e64469f754e00acb7bfe7c389dc737a8f3a62e6

Download Submit
C:\Windows\{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe

Filesize
168KB

MD5
a766cbcf7f6f9dc6a61e252b8a7771ab

SHA1
93978e22134b1cf490cd6cd38c9237dd6fd15238

SHA256
79cfe566b98ce3692df7142bc6f3b58ab4d0d4a77008ad8d6f5254ec80ce27b4

SHA512
b7e54a7b074adbe130074d3c6f014555aa6a6158ce3ea5ed7390a79d9fe06fb19fd24fff721b877dfc1c851cda0f61db20bce5b5be55e3f20bf340d5c3793d11

Download Submit
C:\Windows\{78C25B7A-7938-43d3-8A99-543EF48A009E}.exe

Filesize
168KB

MD5
a766cbcf7f6f9dc6a61e252b8a7771ab

SHA1
93978e22134b1cf490cd6cd38c9237dd6fd15238

SHA256
79cfe566b98ce3692df7142bc6f3b58ab4d0d4a77008ad8d6f5254ec80ce27b4

SHA512
b7e54a7b074adbe130074d3c6f014555aa6a6158ce3ea5ed7390a79d9fe06fb19fd24fff721b877dfc1c851cda0f61db20bce5b5be55e3f20bf340d5c3793d11

Download Submit
C:\Windows\{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe

Filesize
168KB

MD5
92094ed94ec2d093c9d4611de1093cf8

SHA1
b553356406550af069deca734265f6b293c5dcd5

SHA256
7152542a5dcf8a6d201df1cb0849b3b29ae0fc40187406b76f0d73e71fdcb24a

SHA512
0fa61ce84dab496f7b983aad18080026389f518e53fe5a069e1feb55f42a6005382b1a61eb3126281ea9646142fa302fa43a0ba7242c94adbd95bc9ea19f5918

Download Submit
C:\Windows\{8B61FC49-61D2-4222-AA36-E67F82134E07}.exe

Filesize
168KB

MD5
92094ed94ec2d093c9d4611de1093cf8

SHA1
b553356406550af069deca734265f6b293c5dcd5

SHA256
7152542a5dcf8a6d201df1cb0849b3b29ae0fc40187406b76f0d73e71fdcb24a

SHA512
0fa61ce84dab496f7b983aad18080026389f518e53fe5a069e1feb55f42a6005382b1a61eb3126281ea9646142fa302fa43a0ba7242c94adbd95bc9ea19f5918

Download Submit
C:\Windows\{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe

Filesize
168KB

MD5
f7fa456c021c7e9aa90480b84c10d50d

SHA1
f9c04ea227fb1315c3481b9c5909c2a34d55e174

SHA256
5ac1ab1ab77d5da180b3b4230d5373a46543ee75c88fc0e7c9555914730acaa2

SHA512
b6db223c71fa4b08d55790abaac7e8aa73b7d493c6451d795d9e7e9961c45344e982d886540353fd783f0ee3fe9d56d37b001e30d1848e5d0768a4d320fdfc36

Download Submit
C:\Windows\{BF6BF02C-4BC5-4af1-B026-977259B270E3}.exe

Filesize
168KB

MD5
f7fa456c021c7e9aa90480b84c10d50d

SHA1
f9c04ea227fb1315c3481b9c5909c2a34d55e174

SHA256
5ac1ab1ab77d5da180b3b4230d5373a46543ee75c88fc0e7c9555914730acaa2

SHA512
b6db223c71fa4b08d55790abaac7e8aa73b7d493c6451d795d9e7e9961c45344e982d886540353fd783f0ee3fe9d56d37b001e30d1848e5d0768a4d320fdfc36

Download Submit
C:\Windows\{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe

Filesize
168KB

MD5
8b054caab72e1f01a9cf989b48cef830

SHA1
7db02430b40cbda950cd1b9eca28628dc88ee841

SHA256
1f34b5df1b3c7c12826d99e07b8b9c6d5e8076f27479e0e0736280cbb67864a9

SHA512
edf04a5740e30ce582230526c1038894cd93aa555d6be304722e2835e7e8f1c8e1da1bbfd0a9c82fb4a4ae28359dc8474fa60c73dce342c6a8d3e6124d4e2dc3

Download Submit
C:\Windows\{CA9C445E-C74B-4dc8-A5BD-5584274A6F64}.exe

Filesize
168KB

MD5
8b054caab72e1f01a9cf989b48cef830

SHA1
7db02430b40cbda950cd1b9eca28628dc88ee841

SHA256
1f34b5df1b3c7c12826d99e07b8b9c6d5e8076f27479e0e0736280cbb67864a9

SHA512
edf04a5740e30ce582230526c1038894cd93aa555d6be304722e2835e7e8f1c8e1da1bbfd0a9c82fb4a4ae28359dc8474fa60c73dce342c6a8d3e6124d4e2dc3

Download Submit
C:\Windows\{D349FB18-CCF5-42c2-9063-A856521F4772}.exe

Filesize
168KB

MD5
3a6243144b57b5c127a16da44f5e74a8

SHA1
edd7ddcd3b6b2bfed6671d0576e644fed056a078

SHA256
41154b23954f2bdc1f44c335f3881cec44884e189b6e9567fd4174db29a466c3

SHA512
6cb4368bbbd904b467bea4705487fbd205e2ca3af172af098ce317a41146537e2c50d6b2d86ad96b031fcf5f2f33845fb896d0a4ac5ece2fe791041d7cf51537

Download Submit
C:\Windows\{D349FB18-CCF5-42c2-9063-A856521F4772}.exe

Filesize
168KB

MD5
3a6243144b57b5c127a16da44f5e74a8

SHA1
edd7ddcd3b6b2bfed6671d0576e644fed056a078

SHA256
41154b23954f2bdc1f44c335f3881cec44884e189b6e9567fd4174db29a466c3

SHA512
6cb4368bbbd904b467bea4705487fbd205e2ca3af172af098ce317a41146537e2c50d6b2d86ad96b031fcf5f2f33845fb896d0a4ac5ece2fe791041d7cf51537

Download Submit
C:\Windows\{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe

Filesize
168KB

MD5
2a89800fec5b36070c6342ce90e22cc9

SHA1
bf8a23cc22db5f9b84beb0a676e7ff557d9b5b85

SHA256
9454fc7e9167db1ef63a240024a2be8a3fda073afce414a01af350d8876a4758

SHA512
0f5123447057abc6a48349d3c3136026b994a981fecec75892524538cc34fda0a15d34be37b0dbeb169341667c149597c6e84e6a19129f2cedd2a124f70b69a9

Download Submit
C:\Windows\{DE0B9081-9874-46b6-A973-D1D897BE9645}.exe

Filesize
168KB

MD5
2a89800fec5b36070c6342ce90e22cc9

SHA1
bf8a23cc22db5f9b84beb0a676e7ff557d9b5b85

SHA256
9454fc7e9167db1ef63a240024a2be8a3fda073afce414a01af350d8876a4758

SHA512
0f5123447057abc6a48349d3c3136026b994a981fecec75892524538cc34fda0a15d34be37b0dbeb169341667c149597c6e84e6a19129f2cedd2a124f70b69a9

Download Submit
C:\Windows\{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe

Filesize
168KB

MD5
6afbab27834ee77bf77947afc004a37a

SHA1
9d66884375c90687a37b61ae4a57b1df8e75dc49

SHA256
b50fb13350380be74a525abe8d3fafcd09367230772206b357bede403b960116

SHA512
2934cd6b0b3e833f9a6a50e58b10ba68804be09d42223f630f38e927d6d6733f7a8456ff0e903d2c3a6b82a774389239c69ad1ed6b851ab7b1103e5dce0ccf07

Download Submit
C:\Windows\{DF5D6EA7-D5BD-4079-863E-3A4440B3D0EC}.exe

Filesize
168KB

MD5
6afbab27834ee77bf77947afc004a37a

SHA1
9d66884375c90687a37b61ae4a57b1df8e75dc49

SHA256
b50fb13350380be74a525abe8d3fafcd09367230772206b357bede403b960116

SHA512
2934cd6b0b3e833f9a6a50e58b10ba68804be09d42223f630f38e927d6d6733f7a8456ff0e903d2c3a6b82a774389239c69ad1ed6b851ab7b1103e5dce0ccf07

Download Submit
C:\Windows\{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe

Filesize
168KB

MD5
7cdc99a3a3ad5e9ff070b3e8f152e199

SHA1
cefe8f13ca51954db2529e75d5dd0d8ab6bc5b6b

SHA256
50ab6b5de84d0b3d0a9529ff720cda34575782e8f32673c5c83fc18543d97dcb

SHA512
75476b23f49a5ac59ce7391d39369307dcdf5bed1db6a119e577689c741c12556b3223207ae37810365837a01775c1aeebd36f633bb5dec55dfb14c9c727996a

Download Submit
C:\Windows\{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe

Filesize
168KB

MD5
7cdc99a3a3ad5e9ff070b3e8f152e199

SHA1
cefe8f13ca51954db2529e75d5dd0d8ab6bc5b6b

SHA256
50ab6b5de84d0b3d0a9529ff720cda34575782e8f32673c5c83fc18543d97dcb

SHA512
75476b23f49a5ac59ce7391d39369307dcdf5bed1db6a119e577689c741c12556b3223207ae37810365837a01775c1aeebd36f633bb5dec55dfb14c9c727996a

Download Submit
C:\Windows\{EBE727FA-32A2-4d0b-956D-CD173E803940}.exe

Filesize
168KB

MD5
7cdc99a3a3ad5e9ff070b3e8f152e199

SHA1
cefe8f13ca51954db2529e75d5dd0d8ab6bc5b6b

SHA256
50ab6b5de84d0b3d0a9529ff720cda34575782e8f32673c5c83fc18543d97dcb

SHA512
75476b23f49a5ac59ce7391d39369307dcdf5bed1db6a119e577689c741c12556b3223207ae37810365837a01775c1aeebd36f633bb5dec55dfb14c9c727996a

Download Submit