e744cfc438529ab2da6a88ce28786d0e5a1ed373e35d61912823de2562eb376e

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83ed375ab53b3f_JC.exe
Size

372KB
MD5

83ed375ab53b3f62ea77103bdd7758ae
SHA1

1ec42cfbf85d2c3bf6c46319bb6468684b1108fd
SHA256

e744cfc438529ab2da6a88ce28786d0e5a1ed373e35d61912823de2562eb376e
SHA512

e165c27c9fecb31f5af7d64f127082c901560c118c847e2a9823786b06d19e1bde10ac316af4da50ad90d4b6a4b881c388bbf5b7ce9b3d912f5eaf2cd06d335f
SSDEEP

3072:CEGh0oOmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGhl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1642D0A5-6B89-495b-B901-F82109B528DC}	83ed375ab53b3f_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}\stubpath = "C:\\Windows\\{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe"	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}\stubpath = "C:\\Windows\\{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe"	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2092EC62-7406-449f-A88A-55349EBC5ECA}\stubpath = "C:\\Windows\\{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe"	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CBBFC81-51A6-490f-B746-6E7D40E462D9}	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}\stubpath = "C:\\Windows\\{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe"	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3149942-A42E-4597-A387-FDFD414942D7}	{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1642D0A5-6B89-495b-B901-F82109B528DC}\stubpath = "C:\\Windows\\{1642D0A5-6B89-495b-B901-F82109B528DC}.exe"	83ed375ab53b3f_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}	{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F7E3139-561F-432f-8992-74788E34EC40}	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A730A32-D50D-4f1d-8257-247618085B09}\stubpath = "C:\\Windows\\{2A730A32-D50D-4f1d-8257-247618085B09}.exe"	{9F7E3139-561F-432f-8992-74788E34EC40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{045A8A75-B2EF-4b61-9590-2845B1F6BF77}\stubpath = "C:\\Windows\\{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe"	{2A730A32-D50D-4f1d-8257-247618085B09}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2092EC62-7406-449f-A88A-55349EBC5ECA}	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}\stubpath = "C:\\Windows\\{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe"	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3149942-A42E-4597-A387-FDFD414942D7}\stubpath = "C:\\Windows\\{A3149942-A42E-4597-A387-FDFD414942D7}.exe"	{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F7E3139-561F-432f-8992-74788E34EC40}\stubpath = "C:\\Windows\\{9F7E3139-561F-432f-8992-74788E34EC40}.exe"	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A730A32-D50D-4f1d-8257-247618085B09}	{9F7E3139-561F-432f-8992-74788E34EC40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{045A8A75-B2EF-4b61-9590-2845B1F6BF77}	{2A730A32-D50D-4f1d-8257-247618085B09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CBBFC81-51A6-490f-B746-6E7D40E462D9}\stubpath = "C:\\Windows\\{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe"	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}\stubpath = "C:\\Windows\\{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe"	{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe

Executes dropped EXE 12 IoCs

pid	Process
1484	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe
772	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe
3284	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe
4864	{9F7E3139-561F-432f-8992-74788E34EC40}.exe
3736	{2A730A32-D50D-4f1d-8257-247618085B09}.exe
756	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe
3476	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe
4476	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe
2152	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe
4020	{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe
2480	{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe
1676	{A3149942-A42E-4597-A387-FDFD414942D7}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe	{2A730A32-D50D-4f1d-8257-247618085B09}.exe
File created	C:\Windows\{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe
File created	C:\Windows\{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe	{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe
File created	C:\Windows\{A3149942-A42E-4597-A387-FDFD414942D7}.exe	{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe
File created	C:\Windows\{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe
File created	C:\Windows\{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe
File created	C:\Windows\{1642D0A5-6B89-495b-B901-F82109B528DC}.exe	83ed375ab53b3f_JC.exe
File created	C:\Windows\{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe
File created	C:\Windows\{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe
File created	C:\Windows\{9F7E3139-561F-432f-8992-74788E34EC40}.exe	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe
File created	C:\Windows\{2A730A32-D50D-4f1d-8257-247618085B09}.exe	{9F7E3139-561F-432f-8992-74788E34EC40}.exe
File created	C:\Windows\{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2304	83ed375ab53b3f_JC.exe
Token: SeIncBasePriorityPrivilege	1484	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe
Token: SeIncBasePriorityPrivilege	772	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe
Token: SeIncBasePriorityPrivilege	3284	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe
Token: SeIncBasePriorityPrivilege	4864	{9F7E3139-561F-432f-8992-74788E34EC40}.exe
Token: SeIncBasePriorityPrivilege	3736	{2A730A32-D50D-4f1d-8257-247618085B09}.exe
Token: SeIncBasePriorityPrivilege	756	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe
Token: SeIncBasePriorityPrivilege	3476	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe
Token: SeIncBasePriorityPrivilege	4476	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe
Token: SeIncBasePriorityPrivilege	2152	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe
Token: SeIncBasePriorityPrivilege	4020	{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe
Token: SeIncBasePriorityPrivilege	2480	{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2304 wrote to memory of 1484	2304	83ed375ab53b3f_JC.exe	90
PID 2304 wrote to memory of 1484	2304	83ed375ab53b3f_JC.exe	90
PID 2304 wrote to memory of 1484	2304	83ed375ab53b3f_JC.exe	90
PID 2304 wrote to memory of 4420	2304	83ed375ab53b3f_JC.exe	91
PID 2304 wrote to memory of 4420	2304	83ed375ab53b3f_JC.exe	91
PID 2304 wrote to memory of 4420	2304	83ed375ab53b3f_JC.exe	91
PID 1484 wrote to memory of 772	1484	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe	95
PID 1484 wrote to memory of 772	1484	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe	95
PID 1484 wrote to memory of 772	1484	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe	95
PID 1484 wrote to memory of 3172	1484	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe	96
PID 1484 wrote to memory of 3172	1484	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe	96
PID 1484 wrote to memory of 3172	1484	{1642D0A5-6B89-495b-B901-F82109B528DC}.exe	96
PID 772 wrote to memory of 3284	772	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe	99
PID 772 wrote to memory of 3284	772	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe	99
PID 772 wrote to memory of 3284	772	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe	99
PID 772 wrote to memory of 4016	772	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe	100
PID 772 wrote to memory of 4016	772	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe	100
PID 772 wrote to memory of 4016	772	{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe	100
PID 3284 wrote to memory of 4864	3284	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe	101
PID 3284 wrote to memory of 4864	3284	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe	101
PID 3284 wrote to memory of 4864	3284	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe	101
PID 3284 wrote to memory of 3148	3284	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe	102
PID 3284 wrote to memory of 3148	3284	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe	102
PID 3284 wrote to memory of 3148	3284	{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe	102
PID 4864 wrote to memory of 3736	4864	{9F7E3139-561F-432f-8992-74788E34EC40}.exe	103
PID 4864 wrote to memory of 3736	4864	{9F7E3139-561F-432f-8992-74788E34EC40}.exe	103
PID 4864 wrote to memory of 3736	4864	{9F7E3139-561F-432f-8992-74788E34EC40}.exe	103
PID 4864 wrote to memory of 1676	4864	{9F7E3139-561F-432f-8992-74788E34EC40}.exe	104
PID 4864 wrote to memory of 1676	4864	{9F7E3139-561F-432f-8992-74788E34EC40}.exe	104
PID 4864 wrote to memory of 1676	4864	{9F7E3139-561F-432f-8992-74788E34EC40}.exe	104
PID 3736 wrote to memory of 756	3736	{2A730A32-D50D-4f1d-8257-247618085B09}.exe	106
PID 3736 wrote to memory of 756	3736	{2A730A32-D50D-4f1d-8257-247618085B09}.exe	106
PID 3736 wrote to memory of 756	3736	{2A730A32-D50D-4f1d-8257-247618085B09}.exe	106
PID 3736 wrote to memory of 1424	3736	{2A730A32-D50D-4f1d-8257-247618085B09}.exe	107
PID 3736 wrote to memory of 1424	3736	{2A730A32-D50D-4f1d-8257-247618085B09}.exe	107
PID 3736 wrote to memory of 1424	3736	{2A730A32-D50D-4f1d-8257-247618085B09}.exe	107
PID 756 wrote to memory of 3476	756	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe	108
PID 756 wrote to memory of 3476	756	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe	108
PID 756 wrote to memory of 3476	756	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe	108
PID 756 wrote to memory of 3296	756	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe	109
PID 756 wrote to memory of 3296	756	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe	109
PID 756 wrote to memory of 3296	756	{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe	109
PID 3476 wrote to memory of 4476	3476	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe	110
PID 3476 wrote to memory of 4476	3476	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe	110
PID 3476 wrote to memory of 4476	3476	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe	110
PID 3476 wrote to memory of 540	3476	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe	111
PID 3476 wrote to memory of 540	3476	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe	111
PID 3476 wrote to memory of 540	3476	{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe	111
PID 4476 wrote to memory of 2152	4476	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe	119
PID 4476 wrote to memory of 2152	4476	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe	119
PID 4476 wrote to memory of 2152	4476	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe	119
PID 4476 wrote to memory of 948	4476	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe	120
PID 4476 wrote to memory of 948	4476	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe	120
PID 4476 wrote to memory of 948	4476	{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe	120
PID 2152 wrote to memory of 4020	2152	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe	121
PID 2152 wrote to memory of 4020	2152	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe	121
PID 2152 wrote to memory of 4020	2152	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe	121
PID 2152 wrote to memory of 772	2152	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe	122
PID 2152 wrote to memory of 772	2152	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe	122
PID 2152 wrote to memory of 772	2152	{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe	122
PID 4020 wrote to memory of 2480	4020	{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe	123
PID 4020 wrote to memory of 2480	4020	{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe	123
PID 4020 wrote to memory of 2480	4020	{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe	123
PID 4020 wrote to memory of 2864	4020	{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe	124

C:\Users\Admin\AppData\Local\Temp\83ed375ab53b3f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\83ed375ab53b3f_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2304
- C:\Windows\{1642D0A5-6B89-495b-B901-F82109B528DC}.exe
  C:\Windows\{1642D0A5-6B89-495b-B901-F82109B528DC}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe
    C:\Windows\{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe
      C:\Windows\{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3284
    - - C:\Windows\{9F7E3139-561F-432f-8992-74788E34EC40}.exe
        
        C:\Windows\{9F7E3139-561F-432f-8992-74788E34EC40}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
      - C:\Windows\{2A730A32-D50D-4f1d-8257-247618085B09}.exe
        
        C:\Windows\{2A730A32-D50D-4f1d-8257-247618085B09}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3736
        
        C:\Windows\{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe
        
        C:\Windows\{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:756
        
        C:\Windows\{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe
        
        C:\Windows\{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3476
        
        C:\Windows\{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe
        
        C:\Windows\{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe
        
        C:\Windows\{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe
        
        C:\Windows\{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe
        
        C:\Windows\{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{A3149942-A42E-4597-A387-FDFD414942D7}.exe
        
        C:\Windows\{A3149942-A42E-4597-A387-FDFD414942D7}.exe
        13⤵
        Executes dropped EXE
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CACDD~1.EXE > nul
        13⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2642D~1.EXE > nul
        12⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78297~1.EXE > nul
        11⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CBBF~1.EXE > nul
        10⤵
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2092E~1.EXE > nul
        9⤵
        
        PID:540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{045A8~1.EXE > nul
        8⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A730~1.EXE > nul
        7⤵
        
        PID:1424
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F7E3~1.EXE > nul
        6⤵
        
        PID:1676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC50C~1.EXE > nul
        5⤵
        
        PID:3148
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B23B6~1.EXE > nul
      4⤵
      PID:4016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1642D~1.EXE > nul
    3⤵
    PID:3172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\83ED37~1.EXE > nul
  2⤵
  PID:4420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe

Filesize
372KB

MD5
d0b4246f3045aca4bfd36f2bd553b837

SHA1
34962f9de857386397e8c430b7e3f3676c5efe03

SHA256
805bdc3a902b5d668fa946ba01788b8d32fc5459ad96e8648f71c603c2aacecf

SHA512
d6bbc0d9f49f6360b853ea6f12139bd5f06c8ffba9d374191e13b5555f4c85bff62cd215abde82e0f9a831fb0a1613eb775d991e186797cdb183c563533d5ffd

Download Submit
C:\Windows\{045A8A75-B2EF-4b61-9590-2845B1F6BF77}.exe

Filesize
372KB

MD5
d0b4246f3045aca4bfd36f2bd553b837

SHA1
34962f9de857386397e8c430b7e3f3676c5efe03

SHA256
805bdc3a902b5d668fa946ba01788b8d32fc5459ad96e8648f71c603c2aacecf

SHA512
d6bbc0d9f49f6360b853ea6f12139bd5f06c8ffba9d374191e13b5555f4c85bff62cd215abde82e0f9a831fb0a1613eb775d991e186797cdb183c563533d5ffd

Download Submit
C:\Windows\{1642D0A5-6B89-495b-B901-F82109B528DC}.exe

Filesize
372KB

MD5
46638b2609bf87021a33397b9fed8b75

SHA1
525fcf792f100fd7aa571654b25bdd2ac45c8765

SHA256
07433179ed0b077fa70705a37d1f2317978e0c59545e5120222d8463a3d31807

SHA512
0c1c12de29f94ced27755dcf318699b0f9b3d3a2006c7daf7f65ec91cb5e92b00ec979d46997ca19a12067fba9306d1d66e8eaae3e89a384896da3cf85675b92

Download Submit
C:\Windows\{1642D0A5-6B89-495b-B901-F82109B528DC}.exe

Filesize
372KB

MD5
46638b2609bf87021a33397b9fed8b75

SHA1
525fcf792f100fd7aa571654b25bdd2ac45c8765

SHA256
07433179ed0b077fa70705a37d1f2317978e0c59545e5120222d8463a3d31807

SHA512
0c1c12de29f94ced27755dcf318699b0f9b3d3a2006c7daf7f65ec91cb5e92b00ec979d46997ca19a12067fba9306d1d66e8eaae3e89a384896da3cf85675b92

Download Submit
C:\Windows\{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe

Filesize
372KB

MD5
2f159b815fa51287d668ed2a5144b07b

SHA1
6336415326c1d6e05ed732dc777900004620af57

SHA256
3cbcab14609e374869a82f3aa6db752000260af66358d7be6c5daaf1a27e16a1

SHA512
bd068997def3b77177648c010d8b64425297238f06f41ba9d135518915b88847cf3250cca7989def604aa487e026b2ea9fe5345abbbf2c48e4adf42f15897794

Download Submit
C:\Windows\{2092EC62-7406-449f-A88A-55349EBC5ECA}.exe

Filesize
372KB

MD5
2f159b815fa51287d668ed2a5144b07b

SHA1
6336415326c1d6e05ed732dc777900004620af57

SHA256
3cbcab14609e374869a82f3aa6db752000260af66358d7be6c5daaf1a27e16a1

SHA512
bd068997def3b77177648c010d8b64425297238f06f41ba9d135518915b88847cf3250cca7989def604aa487e026b2ea9fe5345abbbf2c48e4adf42f15897794

Download Submit
C:\Windows\{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe

Filesize
372KB

MD5
bce8e73494f4abc1c339e314c59f3c89

SHA1
28a02bb01b22288fa9ed1ffd62dfbe43f3d9d1f6

SHA256
c972010a74b35f1a058e998db1dbf7d0c80b0ed2053cb487b86b91f9057e8190

SHA512
43ba3aab7fcc9e201a303fc5ef1c299c8e08bf2e3f8ec4d79c6db4bf2f6295b36d5f3c383d4cc8eb7cd299f57c119f80cf104e6270d116436bbf3a2ce0a4dfa4

Download Submit
C:\Windows\{2642D4D3-DCD8-4dd5-88EE-26042C7C81DD}.exe

Filesize
372KB

MD5
bce8e73494f4abc1c339e314c59f3c89

SHA1
28a02bb01b22288fa9ed1ffd62dfbe43f3d9d1f6

SHA256
c972010a74b35f1a058e998db1dbf7d0c80b0ed2053cb487b86b91f9057e8190

SHA512
43ba3aab7fcc9e201a303fc5ef1c299c8e08bf2e3f8ec4d79c6db4bf2f6295b36d5f3c383d4cc8eb7cd299f57c119f80cf104e6270d116436bbf3a2ce0a4dfa4

Download Submit
C:\Windows\{2A730A32-D50D-4f1d-8257-247618085B09}.exe

Filesize
372KB

MD5
a3aea96d4793ce986b0357183d7f64d6

SHA1
6a5e94d247657c6a36ef4be2378e1d1b99d54976

SHA256
944cb1794dfe5957bc37c3ee5caae8a2116606095dd2fec237f677e41fd8eb00

SHA512
4841ae4d01fb3aaa8f90804d8eecacb1cb3eb555088f8720ee3f6ba8a2610705b70661e3c8c338c7b4628b6868072037fc741ab327e2454e749969639d368634

Download Submit
C:\Windows\{2A730A32-D50D-4f1d-8257-247618085B09}.exe

Filesize
372KB

MD5
a3aea96d4793ce986b0357183d7f64d6

SHA1
6a5e94d247657c6a36ef4be2378e1d1b99d54976

SHA256
944cb1794dfe5957bc37c3ee5caae8a2116606095dd2fec237f677e41fd8eb00

SHA512
4841ae4d01fb3aaa8f90804d8eecacb1cb3eb555088f8720ee3f6ba8a2610705b70661e3c8c338c7b4628b6868072037fc741ab327e2454e749969639d368634

Download Submit
C:\Windows\{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe

Filesize
372KB

MD5
7aa016308347ed430855705d0a9c29b9

SHA1
c568a8f5cd791267657d60c5615f1ed40760a7d7

SHA256
7f36e8e3ccac2f448ab3049c504ff277d98aabb98c597732cfae1376a98026ed

SHA512
8977ebc5dffe2d3c97afb4a53bce934b27074f63bd90f73573ec55d0c2e3ac8e59fe20fcbeb78a4bf10e02bb1d774ec745d963c27b9b581447930a335a96edc6

Download Submit
C:\Windows\{78297DA4-71AE-4ae7-9DF7-E6BF588A1E00}.exe

Filesize
372KB

MD5
7aa016308347ed430855705d0a9c29b9

SHA1
c568a8f5cd791267657d60c5615f1ed40760a7d7

SHA256
7f36e8e3ccac2f448ab3049c504ff277d98aabb98c597732cfae1376a98026ed

SHA512
8977ebc5dffe2d3c97afb4a53bce934b27074f63bd90f73573ec55d0c2e3ac8e59fe20fcbeb78a4bf10e02bb1d774ec745d963c27b9b581447930a335a96edc6

Download Submit
C:\Windows\{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe

Filesize
372KB

MD5
5ee4b3bfcb06d3f363667d3de76ea324

SHA1
608d9c098426864c64af0fd76303f8f915e327e3

SHA256
d0cfad3c2dce7a9ae874c21409eb887c7dde8fc1ed692015d2e2d817a065d439

SHA512
0fdbbc1ff64e7613147925c8149b77c319e49311e364b18646a98a99e75d2bcbf38cd413190b19834f69c770968519300c3c39f0ab5d915581252d23390bced0

Download Submit
C:\Windows\{7CBBFC81-51A6-490f-B746-6E7D40E462D9}.exe

Filesize
372KB

MD5
5ee4b3bfcb06d3f363667d3de76ea324

SHA1
608d9c098426864c64af0fd76303f8f915e327e3

SHA256
d0cfad3c2dce7a9ae874c21409eb887c7dde8fc1ed692015d2e2d817a065d439

SHA512
0fdbbc1ff64e7613147925c8149b77c319e49311e364b18646a98a99e75d2bcbf38cd413190b19834f69c770968519300c3c39f0ab5d915581252d23390bced0

Download Submit
C:\Windows\{9F7E3139-561F-432f-8992-74788E34EC40}.exe

Filesize
372KB

MD5
6a58b56f11f8f996075aeb1d8e1d25b3

SHA1
be0d0deffd8b09f908e6ed315316441cae072c10

SHA256
5c0a541b0ecbf6a0d7633f419d9ca128755ea6ebff502f99c207a63dfda5a4f7

SHA512
6be01b4571c320d57c60ce054274c90ed4b35720ca330257d603623c3ba55bb67328dd7b1e4ed9789aeae8262b72738b8c3c4047baf67d63b2a8fe608a0ba26c

Download Submit
C:\Windows\{9F7E3139-561F-432f-8992-74788E34EC40}.exe

Filesize
372KB

MD5
6a58b56f11f8f996075aeb1d8e1d25b3

SHA1
be0d0deffd8b09f908e6ed315316441cae072c10

SHA256
5c0a541b0ecbf6a0d7633f419d9ca128755ea6ebff502f99c207a63dfda5a4f7

SHA512
6be01b4571c320d57c60ce054274c90ed4b35720ca330257d603623c3ba55bb67328dd7b1e4ed9789aeae8262b72738b8c3c4047baf67d63b2a8fe608a0ba26c

Download Submit
C:\Windows\{A3149942-A42E-4597-A387-FDFD414942D7}.exe

Filesize
372KB

MD5
0473070eefa7ca0ecd9af71af7ead91b

SHA1
04a9ef0ad17c0de20baa470e705d447a0e6dc6c3

SHA256
e9bda57e1b0df5d136371a71632aeca1bfeb3146a10d621c54f22aeea9bf43b5

SHA512
a43ebb99d9879c6a08525a518d0d370a2529bea523a25bc20920968a7a2ef7e60421bbaa11b46618805a72a2bb2e911e3ab2e774f5c9aca2124a395260613803

Download Submit
C:\Windows\{A3149942-A42E-4597-A387-FDFD414942D7}.exe

Filesize
121KB

MD5
63be1e30aa8ec94ff44b924795f5f92a

SHA1
4e33c4d4ccac0b72873fdb970130540d86fb2272

SHA256
8ebf8b5f13fad37f9c8f791a688659997d4965933575e611f658d21d3bba6e1d

SHA512
c826631967768c1f439ad0ccc627aa89adfdd0cf14c8c62feb89504ee54f986396fd2c60f732bbc01e6fa40d3a3b9c5645a43fb21a8b103e079e978ce0f33491

Download Submit
C:\Windows\{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe

Filesize
372KB

MD5
b9530739576234c2e76b0d41e69a6cac

SHA1
371f15958e4e2ead5c27665ccdc051533b1aae62

SHA256
4cd73bbc0c878e07fd46fbb905bba959f93b0d5bc7b50f54f9dcee21e06fc994

SHA512
a0b80de930f66c8db71a081e88a2d36ea564b3eff5789e5fe5ad6df67e8362ad4b6f96985d9c741c59ce56ceb47cfbe994f71984da0358b391ae8dabfada81ba

Download Submit
C:\Windows\{B23B6C88-B8B8-4e2c-8081-3679CC5D3CA8}.exe

Filesize
372KB

MD5
b9530739576234c2e76b0d41e69a6cac

SHA1
371f15958e4e2ead5c27665ccdc051533b1aae62

SHA256
4cd73bbc0c878e07fd46fbb905bba959f93b0d5bc7b50f54f9dcee21e06fc994

SHA512
a0b80de930f66c8db71a081e88a2d36ea564b3eff5789e5fe5ad6df67e8362ad4b6f96985d9c741c59ce56ceb47cfbe994f71984da0358b391ae8dabfada81ba

Download Submit
C:\Windows\{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe

Filesize
372KB

MD5
9d59317c1e7b5d5e7ab55a4e5d02cc03

SHA1
49bb132c52244194367a9eec2d60cf052abfaa6b

SHA256
977aab26dd54f54cd5e713c1af6c94dd3130e5ad4f921e798a942f41a15b8e3e

SHA512
c9a4037e3e4f089d90cd5dca937df75ba625338946e7b8b49cf0a1ae4b016224b5844ce4472bd74b40204a244e6e59fe597d3f47fd986a021a338fac7c01dbf2

Download Submit
C:\Windows\{CACDD5C0-9D61-44c1-9EB8-E4CF03E82288}.exe

Filesize
372KB

MD5
9d59317c1e7b5d5e7ab55a4e5d02cc03

SHA1
49bb132c52244194367a9eec2d60cf052abfaa6b

SHA256
977aab26dd54f54cd5e713c1af6c94dd3130e5ad4f921e798a942f41a15b8e3e

SHA512
c9a4037e3e4f089d90cd5dca937df75ba625338946e7b8b49cf0a1ae4b016224b5844ce4472bd74b40204a244e6e59fe597d3f47fd986a021a338fac7c01dbf2

Download Submit
C:\Windows\{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe

Filesize
372KB

MD5
836a0d86c21ae8aa4347859641e6b740

SHA1
c940c90e423a3098331991603a2a8ddcf9fe6d92

SHA256
37799ce1113567567cfaeeeb1e86bd9dc94496057b34d163a2e52391d5b447a7

SHA512
c6e254b4f33ae5adee2ba7af2168fd9b722b7bb5a025587f6336ba884746a1b73cf36505e73d84b1f7125fb44a7cbbbfc459558e189a3f61aab36183f6a475e0

Download Submit
C:\Windows\{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe

Filesize
372KB

MD5
836a0d86c21ae8aa4347859641e6b740

SHA1
c940c90e423a3098331991603a2a8ddcf9fe6d92

SHA256
37799ce1113567567cfaeeeb1e86bd9dc94496057b34d163a2e52391d5b447a7

SHA512
c6e254b4f33ae5adee2ba7af2168fd9b722b7bb5a025587f6336ba884746a1b73cf36505e73d84b1f7125fb44a7cbbbfc459558e189a3f61aab36183f6a475e0

Download Submit
C:\Windows\{EC50CFCC-C29A-42f9-B3A9-1C30167462BB}.exe

Filesize
372KB

MD5
836a0d86c21ae8aa4347859641e6b740

SHA1
c940c90e423a3098331991603a2a8ddcf9fe6d92

SHA256
37799ce1113567567cfaeeeb1e86bd9dc94496057b34d163a2e52391d5b447a7

SHA512
c6e254b4f33ae5adee2ba7af2168fd9b722b7bb5a025587f6336ba884746a1b73cf36505e73d84b1f7125fb44a7cbbbfc459558e189a3f61aab36183f6a475e0

Download Submit