bc448b561a3d6fd8322896610fc27c624e028d8ddec9aa1566fc506197e32c12

Analysis

max time kernel
150s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 13:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b64ac2db1b0c4f_JC.exe
Size

168KB
MD5

b64ac2db1b0c4f9a7e19f214a658fc02
SHA1

e10eb9d86e57a6e9f04a38a5c481efa9c0bb44f1
SHA256

bc448b561a3d6fd8322896610fc27c624e028d8ddec9aa1566fc506197e32c12
SHA512

22af6039355b12a43ca96ed318fbaf3328ac1369d116e7cc7d716d9e0c1dacb37d8cb0e6f501605a0b9144bc13319f8393bc971d5d29ed636783d9d65599adda
SSDEEP

1536:1EGh0oRlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oRlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{845C4E5D-5847-4abc-B1FD-056720C4D853}	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{845C4E5D-5847-4abc-B1FD-056720C4D853}\stubpath = "C:\\Windows\\{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe"	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A9A69E4-6087-4200-8456-3898623F42A9}	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A9A69E4-6087-4200-8456-3898623F42A9}\stubpath = "C:\\Windows\\{5A9A69E4-6087-4200-8456-3898623F42A9}.exe"	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5F082AE-09D7-411c-8936-1999C3094F00}\stubpath = "C:\\Windows\\{E5F082AE-09D7-411c-8936-1999C3094F00}.exe"	{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7774AA0F-D5A2-4feb-8986-A26999248232}	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7774AA0F-D5A2-4feb-8986-A26999248232}\stubpath = "C:\\Windows\\{7774AA0F-D5A2-4feb-8986-A26999248232}.exe"	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA9BD458-43E2-406f-A511-5B951700AC7F}\stubpath = "C:\\Windows\\{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe"	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D86EB25F-4331-4f76-8E02-3ECD95E021E6}	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D86EB25F-4331-4f76-8E02-3ECD95E021E6}\stubpath = "C:\\Windows\\{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe"	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}\stubpath = "C:\\Windows\\{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe"	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5F082AE-09D7-411c-8936-1999C3094F00}	{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}\stubpath = "C:\\Windows\\{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe"	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA9BD458-43E2-406f-A511-5B951700AC7F}	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}	b64ac2db1b0c4f_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}\stubpath = "C:\\Windows\\{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe"	b64ac2db1b0c4f_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F043A705-88E2-4a2c-AF50-15975234CB7E}	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F043A705-88E2-4a2c-AF50-15975234CB7E}\stubpath = "C:\\Windows\\{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe"	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}\stubpath = "C:\\Windows\\{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe"	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe

Executes dropped EXE 11 IoCs

pid	Process
3984	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe
916	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe
1880	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe
4832	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe
2740	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe
4456	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe
4352	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe
3240	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe
3036	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe
4368	{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe
3688	{E5F082AE-09D7-411c-8936-1999C3094F00}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe	b64ac2db1b0c4f_JC.exe
File created	C:\Windows\{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe
File created	C:\Windows\{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe
File created	C:\Windows\{E5F082AE-09D7-411c-8936-1999C3094F00}.exe	{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe
File created	C:\Windows\{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe
File created	C:\Windows\{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe
File created	C:\Windows\{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe
File created	C:\Windows\{7774AA0F-D5A2-4feb-8986-A26999248232}.exe	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe
File created	C:\Windows\{5A9A69E4-6087-4200-8456-3898623F42A9}.exe	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe
File created	C:\Windows\{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe
File created	C:\Windows\{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3240	b64ac2db1b0c4f_JC.exe
Token: SeIncBasePriorityPrivilege	3984	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe
Token: SeIncBasePriorityPrivilege	916	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe
Token: SeIncBasePriorityPrivilege	1880	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe
Token: SeIncBasePriorityPrivilege	4832	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe
Token: SeIncBasePriorityPrivilege	2740	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe
Token: SeIncBasePriorityPrivilege	4456	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe
Token: SeIncBasePriorityPrivilege	4352	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe
Token: SeIncBasePriorityPrivilege	3240	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe
Token: SeIncBasePriorityPrivilege	3036	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe
Token: SeIncBasePriorityPrivilege	4368	{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 3984	3240	b64ac2db1b0c4f_JC.exe	93
PID 3240 wrote to memory of 3984	3240	b64ac2db1b0c4f_JC.exe	93
PID 3240 wrote to memory of 3984	3240	b64ac2db1b0c4f_JC.exe	93
PID 3240 wrote to memory of 1084	3240	b64ac2db1b0c4f_JC.exe	94
PID 3240 wrote to memory of 1084	3240	b64ac2db1b0c4f_JC.exe	94
PID 3240 wrote to memory of 1084	3240	b64ac2db1b0c4f_JC.exe	94
PID 3984 wrote to memory of 916	3984	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe	97
PID 3984 wrote to memory of 916	3984	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe	97
PID 3984 wrote to memory of 916	3984	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe	97
PID 3984 wrote to memory of 2844	3984	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe	96
PID 3984 wrote to memory of 2844	3984	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe	96
PID 3984 wrote to memory of 2844	3984	{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe	96
PID 916 wrote to memory of 1880	916	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe	100
PID 916 wrote to memory of 1880	916	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe	100
PID 916 wrote to memory of 1880	916	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe	100
PID 916 wrote to memory of 4924	916	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe	99
PID 916 wrote to memory of 4924	916	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe	99
PID 916 wrote to memory of 4924	916	{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe	99
PID 1880 wrote to memory of 4832	1880	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe	101
PID 1880 wrote to memory of 4832	1880	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe	101
PID 1880 wrote to memory of 4832	1880	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe	101
PID 1880 wrote to memory of 2156	1880	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe	102
PID 1880 wrote to memory of 2156	1880	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe	102
PID 1880 wrote to memory of 2156	1880	{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe	102
PID 4832 wrote to memory of 2740	4832	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe	105
PID 4832 wrote to memory of 2740	4832	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe	105
PID 4832 wrote to memory of 2740	4832	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe	105
PID 4832 wrote to memory of 3964	4832	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe	106
PID 4832 wrote to memory of 3964	4832	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe	106
PID 4832 wrote to memory of 3964	4832	{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe	106
PID 2740 wrote to memory of 4456	2740	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe	110
PID 2740 wrote to memory of 4456	2740	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe	110
PID 2740 wrote to memory of 4456	2740	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe	110
PID 2740 wrote to memory of 3640	2740	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe	111
PID 2740 wrote to memory of 3640	2740	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe	111
PID 2740 wrote to memory of 3640	2740	{7774AA0F-D5A2-4feb-8986-A26999248232}.exe	111
PID 4456 wrote to memory of 4352	4456	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe	112
PID 4456 wrote to memory of 4352	4456	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe	112
PID 4456 wrote to memory of 4352	4456	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe	112
PID 4456 wrote to memory of 4300	4456	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe	113
PID 4456 wrote to memory of 4300	4456	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe	113
PID 4456 wrote to memory of 4300	4456	{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe	113
PID 4352 wrote to memory of 3240	4352	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe	116
PID 4352 wrote to memory of 3240	4352	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe	116
PID 4352 wrote to memory of 3240	4352	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe	116
PID 4352 wrote to memory of 4280	4352	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe	117
PID 4352 wrote to memory of 4280	4352	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe	117
PID 4352 wrote to memory of 4280	4352	{5A9A69E4-6087-4200-8456-3898623F42A9}.exe	117
PID 3240 wrote to memory of 3036	3240	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe	118
PID 3240 wrote to memory of 3036	3240	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe	118
PID 3240 wrote to memory of 3036	3240	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe	118
PID 3240 wrote to memory of 3952	3240	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe	119
PID 3240 wrote to memory of 3952	3240	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe	119
PID 3240 wrote to memory of 3952	3240	{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe	119
PID 3036 wrote to memory of 4368	3036	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe	120
PID 3036 wrote to memory of 4368	3036	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe	120
PID 3036 wrote to memory of 4368	3036	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe	120
PID 3036 wrote to memory of 4000	3036	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe	121
PID 3036 wrote to memory of 4000	3036	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe	121
PID 3036 wrote to memory of 4000	3036	{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe	121
PID 4368 wrote to memory of 3688	4368	{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe	123
PID 4368 wrote to memory of 3688	4368	{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe	123
PID 4368 wrote to memory of 3688	4368	{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe	123
PID 4368 wrote to memory of 2340	4368	{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe	124

C:\Users\Admin\AppData\Local\Temp\b64ac2db1b0c4f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\b64ac2db1b0c4f_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Windows\{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe
  C:\Windows\{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AE3D7~1.EXE > nul
    3⤵
    PID:2844
- - C:\Windows\{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe
    C:\Windows\{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:916
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{845C4~1.EXE > nul
      4⤵
      PID:4924
  - - C:\Windows\{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe
      C:\Windows\{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1880
    - - C:\Windows\{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe
        
        C:\Windows\{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4832
      - C:\Windows\{7774AA0F-D5A2-4feb-8986-A26999248232}.exe
        
        C:\Windows\{7774AA0F-D5A2-4feb-8986-A26999248232}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe
        
        C:\Windows\{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4456
        
        C:\Windows\{5A9A69E4-6087-4200-8456-3898623F42A9}.exe
        
        C:\Windows\{5A9A69E4-6087-4200-8456-3898623F42A9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe
        
        C:\Windows\{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3240
        
        C:\Windows\{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe
        
        C:\Windows\{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe
        
        C:\Windows\{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Windows\{E5F082AE-09D7-411c-8936-1999C3094F00}.exe
        
        C:\Windows\{E5F082AE-09D7-411c-8936-1999C3094F00}.exe
        12⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E158~1.EXE > nul
        12⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D86EB~1.EXE > nul
        11⤵
        
        PID:4000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E985~1.EXE > nul
        10⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A9A6~1.EXE > nul
        9⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA9BD~1.EXE > nul
        8⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7774A~1.EXE > nul
        7⤵
        
        PID:3640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F043A~1.EXE > nul
        6⤵
        
        PID:3964
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76ADB~1.EXE > nul
        5⤵
        
        PID:2156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B64AC2~1.EXE > nul
  2⤵
  PID:1084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe

Filesize
168KB

MD5
f125506b181bc15ac9cfa5b2878f98c8

SHA1
c2bca9a02b7baf81ad283a5e29d1b0700827612b

SHA256
463544b24de0edcebff1a7999e1afce54ccd157aef116b4447594b524b06e2c2

SHA512
f1d9c2d463e95f7bfc62ec27ecc0c022b686131cb19152178e89a330f0325ea8166d7d876dd3b9efbd6fec9f227f0dad14f03df1b91f26a08652e301953e68d7

Download Submit
C:\Windows\{0E1585D5-5CE7-440f-8BB7-4A76779D9AF3}.exe

Filesize
168KB

MD5
f125506b181bc15ac9cfa5b2878f98c8

SHA1
c2bca9a02b7baf81ad283a5e29d1b0700827612b

SHA256
463544b24de0edcebff1a7999e1afce54ccd157aef116b4447594b524b06e2c2

SHA512
f1d9c2d463e95f7bfc62ec27ecc0c022b686131cb19152178e89a330f0325ea8166d7d876dd3b9efbd6fec9f227f0dad14f03df1b91f26a08652e301953e68d7

Download Submit
C:\Windows\{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe

Filesize
168KB

MD5
563687b897a3e80a9a45d5f6d83fcbe2

SHA1
47844ab946d1205ae6ad8ca4fd15c4d5938315cd

SHA256
1db8cad3b6acde0a25fad2d4907db0db840bcb903f13d5fb791f17e083faffe1

SHA512
31f14fcc6e8124ad36760a43a670f306033da2ddef9473d074fb8b287321dd38ec47f5bce1ab277cb3673cbc9b77e5703687dff7158a5b12bbe33c590e7f10d0

Download Submit
C:\Windows\{2E9853C8-9F8C-4b0b-9FBF-A21203FF12CE}.exe

Filesize
168KB

MD5
563687b897a3e80a9a45d5f6d83fcbe2

SHA1
47844ab946d1205ae6ad8ca4fd15c4d5938315cd

SHA256
1db8cad3b6acde0a25fad2d4907db0db840bcb903f13d5fb791f17e083faffe1

SHA512
31f14fcc6e8124ad36760a43a670f306033da2ddef9473d074fb8b287321dd38ec47f5bce1ab277cb3673cbc9b77e5703687dff7158a5b12bbe33c590e7f10d0

Download Submit
C:\Windows\{5A9A69E4-6087-4200-8456-3898623F42A9}.exe

Filesize
168KB

MD5
f0775ff523b815c029c084afb2d8e2c4

SHA1
ecfe8d8b299f41a20ffaca3e1e2cca45eb68d037

SHA256
20d41fc380b83c53f2e81c5f0171d95368faf436ec621e5eb73613e68522e739

SHA512
a6140f52611cebbcbf41931ae76d81a75fba1cdc0271f15bb088b22f08dfa60bfa68e291e9b10b10a5d65792c72e7752237fc26dabd4339f415f477c693edb1a

Download Submit
C:\Windows\{5A9A69E4-6087-4200-8456-3898623F42A9}.exe

Filesize
168KB

MD5
f0775ff523b815c029c084afb2d8e2c4

SHA1
ecfe8d8b299f41a20ffaca3e1e2cca45eb68d037

SHA256
20d41fc380b83c53f2e81c5f0171d95368faf436ec621e5eb73613e68522e739

SHA512
a6140f52611cebbcbf41931ae76d81a75fba1cdc0271f15bb088b22f08dfa60bfa68e291e9b10b10a5d65792c72e7752237fc26dabd4339f415f477c693edb1a

Download Submit
C:\Windows\{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe

Filesize
168KB

MD5
62e1b1b81d9d300ba5255c5287b95c4c

SHA1
8179c91e66d095b129b1e03790a7328f604113e2

SHA256
31b901da1c5205dcd36ba04d9cd315f7b4fc602a4821175d98cb2ed3c9999f61

SHA512
2991c773595ce35cdc5cb36db26b0db4f023e1b97b6314ac17f10a390b48b29e96823808a5e6ea6acf007036c9822cdc2cc2d4475b23cf94d782fae6f911360f

Download Submit
C:\Windows\{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe

Filesize
168KB

MD5
62e1b1b81d9d300ba5255c5287b95c4c

SHA1
8179c91e66d095b129b1e03790a7328f604113e2

SHA256
31b901da1c5205dcd36ba04d9cd315f7b4fc602a4821175d98cb2ed3c9999f61

SHA512
2991c773595ce35cdc5cb36db26b0db4f023e1b97b6314ac17f10a390b48b29e96823808a5e6ea6acf007036c9822cdc2cc2d4475b23cf94d782fae6f911360f

Download Submit
C:\Windows\{76ADBA58-7950-4df5-95D3-19FEB2DBD91D}.exe

Filesize
168KB

MD5
62e1b1b81d9d300ba5255c5287b95c4c

SHA1
8179c91e66d095b129b1e03790a7328f604113e2

SHA256
31b901da1c5205dcd36ba04d9cd315f7b4fc602a4821175d98cb2ed3c9999f61

SHA512
2991c773595ce35cdc5cb36db26b0db4f023e1b97b6314ac17f10a390b48b29e96823808a5e6ea6acf007036c9822cdc2cc2d4475b23cf94d782fae6f911360f

Download Submit
C:\Windows\{7774AA0F-D5A2-4feb-8986-A26999248232}.exe

Filesize
168KB

MD5
9ee2d87d2c65758996cbdc46fd72e2f6

SHA1
00885c3eef95b9a32251335395fdb167d049cc24

SHA256
750d03ba0cb0330dbee77f443c2695b10203c8fb0a5d513689a154454ca1cc63

SHA512
db8b6399e2eb97b3c360abf95988ca06cc460b638217ef1f64851b65616afb9bf96f266655ed2700c5a0575d2e62a54c23b8ced39fcecec9df630c3175ad832d

Download Submit
C:\Windows\{7774AA0F-D5A2-4feb-8986-A26999248232}.exe

Filesize
168KB

MD5
9ee2d87d2c65758996cbdc46fd72e2f6

SHA1
00885c3eef95b9a32251335395fdb167d049cc24

SHA256
750d03ba0cb0330dbee77f443c2695b10203c8fb0a5d513689a154454ca1cc63

SHA512
db8b6399e2eb97b3c360abf95988ca06cc460b638217ef1f64851b65616afb9bf96f266655ed2700c5a0575d2e62a54c23b8ced39fcecec9df630c3175ad832d

Download Submit
C:\Windows\{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe

Filesize
168KB

MD5
6ce6f673871e1343066bfeb79355c8d1

SHA1
2791cb850a364c7273d547d80a89d583331dc1f5

SHA256
b1311354033c4538570686ba60112ea321222590e0c20634ba020cfeb2087c4e

SHA512
77653dda6a55596f4afd81856b4fad2c4f48d8e8543a1ac775246979d6d226d338a1602f9c8dfaa771c6be55bc28a1d982024755047d86908082a2bbf4bdb033

Download Submit
C:\Windows\{845C4E5D-5847-4abc-B1FD-056720C4D853}.exe

Filesize
168KB

MD5
6ce6f673871e1343066bfeb79355c8d1

SHA1
2791cb850a364c7273d547d80a89d583331dc1f5

SHA256
b1311354033c4538570686ba60112ea321222590e0c20634ba020cfeb2087c4e

SHA512
77653dda6a55596f4afd81856b4fad2c4f48d8e8543a1ac775246979d6d226d338a1602f9c8dfaa771c6be55bc28a1d982024755047d86908082a2bbf4bdb033

Download Submit
C:\Windows\{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe

Filesize
168KB

MD5
74e4011e67c1152fce3bf1f91f32f86f

SHA1
05e6e8bb1ec0263e7538a8ca5c40efc43fb4775c

SHA256
2aaa4adc0149898830920396d0883ccaf66057dc1c5dedfc699157320b22379d

SHA512
7a5f4d63c99c421cc270513448fe15c9156717eeed4c3b7ddf04269051ebedc3316bb32ae8802534fd637733e8b4e3f867f97c341751e71a54ebac4657dd86fb

Download Submit
C:\Windows\{AA9BD458-43E2-406f-A511-5B951700AC7F}.exe

Filesize
168KB

MD5
74e4011e67c1152fce3bf1f91f32f86f

SHA1
05e6e8bb1ec0263e7538a8ca5c40efc43fb4775c

SHA256
2aaa4adc0149898830920396d0883ccaf66057dc1c5dedfc699157320b22379d

SHA512
7a5f4d63c99c421cc270513448fe15c9156717eeed4c3b7ddf04269051ebedc3316bb32ae8802534fd637733e8b4e3f867f97c341751e71a54ebac4657dd86fb

Download Submit
C:\Windows\{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe

Filesize
168KB

MD5
fd20e9ee0b8d13a4df79d4ad95335ae5

SHA1
8df515eb574bb546a3fb6e07b507aa32cbf89f94

SHA256
4e8be39538eb4244390de7fe38938dd5f2050a479988d265ab1ce68f4405d46b

SHA512
1baca03713db8b9343009f5e515431da604e0a2ddd128f1cb7779e3a139a1ba6c8112e3ae50bce4c21b4d25bd8db18446a4525c41474b5a53a730b8ee18a5531

Download Submit
C:\Windows\{AE3D724F-DE67-4328-AF84-4C9A7FDD0BE9}.exe

Filesize
168KB

MD5
fd20e9ee0b8d13a4df79d4ad95335ae5

SHA1
8df515eb574bb546a3fb6e07b507aa32cbf89f94

SHA256
4e8be39538eb4244390de7fe38938dd5f2050a479988d265ab1ce68f4405d46b

SHA512
1baca03713db8b9343009f5e515431da604e0a2ddd128f1cb7779e3a139a1ba6c8112e3ae50bce4c21b4d25bd8db18446a4525c41474b5a53a730b8ee18a5531

Download Submit
C:\Windows\{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe

Filesize
168KB

MD5
28c4686e30f13a430336b15bb9b1aa62

SHA1
54b1760446b88c580c6450497d30328e6eaa82af

SHA256
25a5a6a8d2830c47ab732a6323575d46db0bd5784af8375b62858f9e6078dd48

SHA512
eb8987e583c3bc76d926680b5b7ad2916dd397ed167fb54f82fdc0a9e18ff474171e2b76b50109d66fae92b6033654ed6da74afc0c6556a21fa3886c7824c0c6

Download Submit
C:\Windows\{D86EB25F-4331-4f76-8E02-3ECD95E021E6}.exe

Filesize
168KB

MD5
28c4686e30f13a430336b15bb9b1aa62

SHA1
54b1760446b88c580c6450497d30328e6eaa82af

SHA256
25a5a6a8d2830c47ab732a6323575d46db0bd5784af8375b62858f9e6078dd48

SHA512
eb8987e583c3bc76d926680b5b7ad2916dd397ed167fb54f82fdc0a9e18ff474171e2b76b50109d66fae92b6033654ed6da74afc0c6556a21fa3886c7824c0c6

Download Submit
C:\Windows\{E5F082AE-09D7-411c-8936-1999C3094F00}.exe

Filesize
168KB

MD5
6321564a386689db0e45e2d357c2e2a7

SHA1
ede0e4f799f863dbb5754f73de6d6a798b2aabc8

SHA256
3bc2bbb4433760a6f29adebfb77c48e4b74299507b0240255ca3ee603098f693

SHA512
a816a725cfb76d891386dc789ac744f6614d8fc71df70f28b60adad86b22f66ec657f5df3f6be8cb1449053c510b7eabf5f8246cafc41115052b2386562f58fe

Download Submit
C:\Windows\{E5F082AE-09D7-411c-8936-1999C3094F00}.exe

Filesize
168KB

MD5
6321564a386689db0e45e2d357c2e2a7

SHA1
ede0e4f799f863dbb5754f73de6d6a798b2aabc8

SHA256
3bc2bbb4433760a6f29adebfb77c48e4b74299507b0240255ca3ee603098f693

SHA512
a816a725cfb76d891386dc789ac744f6614d8fc71df70f28b60adad86b22f66ec657f5df3f6be8cb1449053c510b7eabf5f8246cafc41115052b2386562f58fe

Download Submit
C:\Windows\{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe

Filesize
168KB

MD5
1e7f57d6376eab9898094328b45244ac

SHA1
b4e7fff3b51de8ee4aa0b381aa2feec75f7ec2bd

SHA256
b34cdff089ca32b88f67aad394770511858cf704d3ef711b2036fe4c5abfacc7

SHA512
43815520822b92c29985eeb46c8b7ce29a89366f76143ef08d7f9d82c0999766857d2596d7d235ba2cdf53ed17193256e0845463b4aeea9427a4d32e30af0429

Download Submit
C:\Windows\{F043A705-88E2-4a2c-AF50-15975234CB7E}.exe

Filesize
168KB

MD5
1e7f57d6376eab9898094328b45244ac

SHA1
b4e7fff3b51de8ee4aa0b381aa2feec75f7ec2bd

SHA256
b34cdff089ca32b88f67aad394770511858cf704d3ef711b2036fe4c5abfacc7

SHA512
43815520822b92c29985eeb46c8b7ce29a89366f76143ef08d7f9d82c0999766857d2596d7d235ba2cdf53ed17193256e0845463b4aeea9427a4d32e30af0429

Download Submit