c3e7633876a82456749e118f36201f575b31d3bd37a023da0197db05a1cd3d9c

Analysis

max time kernel
146s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be28520491565e_JC.exe
Size

372KB
MD5

be28520491565ea3318a58bc09dece71
SHA1

35d17caf73e2f7bb0c5cbdf299567fe18360f7e5
SHA256

c3e7633876a82456749e118f36201f575b31d3bd37a023da0197db05a1cd3d9c
SHA512

4b37b94a603bc965fe3e6085edfcd471625ac7cfbfcac60878405e24dc0fc6d78c1ac3117c4695cfe3475c1c2419901fa11b50a2a5427ebefb107bb83c6ea662
SSDEEP

3072:CEGh0o5mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGml/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}	{373D0330-908E-4611-B725-8C47E76E53FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}\stubpath = "C:\\Windows\\{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe"	{373D0330-908E-4611-B725-8C47E76E53FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{163D8F63-FA1B-4ce3-8718-FB32926F363D}	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FDFFE96-4573-46e6-BDAC-91996C084240}	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05B200E-1382-49fb-8469-4BE50DD7E7F7}	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4608F09-3EB5-43c2-B463-0E13EA8272D0}	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C55CC79B-4771-4fe5-BB20-002A032C4E39}	be28520491565e_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{373D0330-908E-4611-B725-8C47E76E53FF}	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{163D8F63-FA1B-4ce3-8718-FB32926F363D}\stubpath = "C:\\Windows\\{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe"	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1083C91C-9430-471f-A9C5-5D62EC44B121}	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}\stubpath = "C:\\Windows\\{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe"	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FDFFE96-4573-46e6-BDAC-91996C084240}\stubpath = "C:\\Windows\\{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe"	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F63F5BDC-4357-42fd-B622-AA215110507F}	{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB605C2-743A-4b90-A947-DEB7DDE0D196}\stubpath = "C:\\Windows\\{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe"	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{373D0330-908E-4611-B725-8C47E76E53FF}\stubpath = "C:\\Windows\\{373D0330-908E-4611-B725-8C47E76E53FF}.exe"	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05B200E-1382-49fb-8469-4BE50DD7E7F7}\stubpath = "C:\\Windows\\{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe"	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4608F09-3EB5-43c2-B463-0E13EA8272D0}\stubpath = "C:\\Windows\\{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe"	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F63F5BDC-4357-42fd-B622-AA215110507F}\stubpath = "C:\\Windows\\{F63F5BDC-4357-42fd-B622-AA215110507F}.exe"	{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE046431-EC37-4f9a-89C1-18BC5194A806}	{F63F5BDC-4357-42fd-B622-AA215110507F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE046431-EC37-4f9a-89C1-18BC5194A806}\stubpath = "C:\\Windows\\{EE046431-EC37-4f9a-89C1-18BC5194A806}.exe"	{F63F5BDC-4357-42fd-B622-AA215110507F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1083C91C-9430-471f-A9C5-5D62EC44B121}\stubpath = "C:\\Windows\\{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe"	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C55CC79B-4771-4fe5-BB20-002A032C4E39}\stubpath = "C:\\Windows\\{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe"	be28520491565e_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1CB605C2-743A-4b90-A947-DEB7DDE0D196}	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe

Executes dropped EXE 12 IoCs

pid	Process
2156	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe
4524	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe
216	{373D0330-908E-4611-B725-8C47E76E53FF}.exe
1184	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe
1400	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe
2988	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe
1140	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe
3700	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe
4584	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe
1992	{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe
2520	{F63F5BDC-4357-42fd-B622-AA215110507F}.exe
3460	{EE046431-EC37-4f9a-89C1-18BC5194A806}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe
File created	C:\Windows\{F63F5BDC-4357-42fd-B622-AA215110507F}.exe	{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe
File created	C:\Windows\{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe
File created	C:\Windows\{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe
File created	C:\Windows\{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe	{373D0330-908E-4611-B725-8C47E76E53FF}.exe
File created	C:\Windows\{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe
File created	C:\Windows\{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe
File created	C:\Windows\{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe
File created	C:\Windows\{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe
File created	C:\Windows\{EE046431-EC37-4f9a-89C1-18BC5194A806}.exe	{F63F5BDC-4357-42fd-B622-AA215110507F}.exe
File created	C:\Windows\{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe	be28520491565e_JC.exe
File created	C:\Windows\{373D0330-908E-4611-B725-8C47E76E53FF}.exe	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4016	be28520491565e_JC.exe
Token: SeIncBasePriorityPrivilege	2156	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe
Token: SeIncBasePriorityPrivilege	4524	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe
Token: SeIncBasePriorityPrivilege	216	{373D0330-908E-4611-B725-8C47E76E53FF}.exe
Token: SeIncBasePriorityPrivilege	1184	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe
Token: SeIncBasePriorityPrivilege	1400	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe
Token: SeIncBasePriorityPrivilege	2988	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe
Token: SeIncBasePriorityPrivilege	1140	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe
Token: SeIncBasePriorityPrivilege	3700	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe
Token: SeIncBasePriorityPrivilege	4584	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe
Token: SeIncBasePriorityPrivilege	1992	{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe
Token: SeIncBasePriorityPrivilege	2520	{F63F5BDC-4357-42fd-B622-AA215110507F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 2156	4016	be28520491565e_JC.exe	90
PID 4016 wrote to memory of 2156	4016	be28520491565e_JC.exe	90
PID 4016 wrote to memory of 2156	4016	be28520491565e_JC.exe	90
PID 4016 wrote to memory of 2428	4016	be28520491565e_JC.exe	91
PID 4016 wrote to memory of 2428	4016	be28520491565e_JC.exe	91
PID 4016 wrote to memory of 2428	4016	be28520491565e_JC.exe	91
PID 2156 wrote to memory of 4524	2156	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe	94
PID 2156 wrote to memory of 4524	2156	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe	94
PID 2156 wrote to memory of 4524	2156	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe	94
PID 2156 wrote to memory of 1380	2156	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe	95
PID 2156 wrote to memory of 1380	2156	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe	95
PID 2156 wrote to memory of 1380	2156	{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe	95
PID 4524 wrote to memory of 216	4524	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe	98
PID 4524 wrote to memory of 216	4524	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe	98
PID 4524 wrote to memory of 216	4524	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe	98
PID 4524 wrote to memory of 224	4524	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe	97
PID 4524 wrote to memory of 224	4524	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe	97
PID 4524 wrote to memory of 224	4524	{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe	97
PID 216 wrote to memory of 1184	216	{373D0330-908E-4611-B725-8C47E76E53FF}.exe	100
PID 216 wrote to memory of 1184	216	{373D0330-908E-4611-B725-8C47E76E53FF}.exe	100
PID 216 wrote to memory of 1184	216	{373D0330-908E-4611-B725-8C47E76E53FF}.exe	100
PID 216 wrote to memory of 3040	216	{373D0330-908E-4611-B725-8C47E76E53FF}.exe	101
PID 216 wrote to memory of 3040	216	{373D0330-908E-4611-B725-8C47E76E53FF}.exe	101
PID 216 wrote to memory of 3040	216	{373D0330-908E-4611-B725-8C47E76E53FF}.exe	101
PID 1184 wrote to memory of 1400	1184	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe	102
PID 1184 wrote to memory of 1400	1184	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe	102
PID 1184 wrote to memory of 1400	1184	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe	102
PID 1184 wrote to memory of 1992	1184	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe	103
PID 1184 wrote to memory of 1992	1184	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe	103
PID 1184 wrote to memory of 1992	1184	{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe	103
PID 1400 wrote to memory of 2988	1400	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe	105
PID 1400 wrote to memory of 2988	1400	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe	105
PID 1400 wrote to memory of 2988	1400	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe	105
PID 1400 wrote to memory of 572	1400	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe	106
PID 1400 wrote to memory of 572	1400	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe	106
PID 1400 wrote to memory of 572	1400	{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe	106
PID 2988 wrote to memory of 1140	2988	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe	108
PID 2988 wrote to memory of 1140	2988	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe	108
PID 2988 wrote to memory of 1140	2988	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe	108
PID 2988 wrote to memory of 4508	2988	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe	107
PID 2988 wrote to memory of 4508	2988	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe	107
PID 2988 wrote to memory of 4508	2988	{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe	107
PID 1140 wrote to memory of 3700	1140	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe	109
PID 1140 wrote to memory of 3700	1140	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe	109
PID 1140 wrote to memory of 3700	1140	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe	109
PID 1140 wrote to memory of 1860	1140	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe	110
PID 1140 wrote to memory of 1860	1140	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe	110
PID 1140 wrote to memory of 1860	1140	{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe	110
PID 3700 wrote to memory of 4584	3700	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe	117
PID 3700 wrote to memory of 4584	3700	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe	117
PID 3700 wrote to memory of 4584	3700	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe	117
PID 3700 wrote to memory of 1416	3700	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe	118
PID 3700 wrote to memory of 1416	3700	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe	118
PID 3700 wrote to memory of 1416	3700	{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe	118
PID 4584 wrote to memory of 1992	4584	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe	120
PID 4584 wrote to memory of 1992	4584	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe	120
PID 4584 wrote to memory of 1992	4584	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe	120
PID 4584 wrote to memory of 2964	4584	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe	121
PID 4584 wrote to memory of 2964	4584	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe	121
PID 4584 wrote to memory of 2964	4584	{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe	121
PID 1992 wrote to memory of 2520	1992	{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe	122
PID 1992 wrote to memory of 2520	1992	{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe	122
PID 1992 wrote to memory of 2520	1992	{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe	122
PID 1992 wrote to memory of 2036	1992	{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe	123

C:\Users\Admin\AppData\Local\Temp\be28520491565e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\be28520491565e_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Windows\{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe
  C:\Windows\{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe
    C:\Windows\{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1CB60~1.EXE > nul
      4⤵
      PID:224
  - - C:\Windows\{373D0330-908E-4611-B725-8C47E76E53FF}.exe
      C:\Windows\{373D0330-908E-4611-B725-8C47E76E53FF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Windows\{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe
        
        C:\Windows\{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
      - C:\Windows\{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe
        
        C:\Windows\{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1400
        
        C:\Windows\{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe
        
        C:\Windows\{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1083C~1.EXE > nul
        8⤵
        
        PID:4508
        
        C:\Windows\{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe
        
        C:\Windows\{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe
        
        C:\Windows\{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3700
        
        C:\Windows\{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe
        
        C:\Windows\{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4584
        
        C:\Windows\{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe
        
        C:\Windows\{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{F63F5BDC-4357-42fd-B622-AA215110507F}.exe
        
        C:\Windows\{F63F5BDC-4357-42fd-B622-AA215110507F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\{EE046431-EC37-4f9a-89C1-18BC5194A806}.exe
        
        C:\Windows\{EE046431-EC37-4f9a-89C1-18BC5194A806}.exe
        13⤵
        Executes dropped EXE
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F63F5~1.EXE > nul
        13⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4608~1.EXE > nul
        12⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C05B2~1.EXE > nul
        11⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FDFF~1.EXE > nul
        10⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45B26~1.EXE > nul
        9⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{163D8~1.EXE > nul
        7⤵
        
        PID:572
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99E79~1.EXE > nul
        6⤵
        
        PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{373D0~1.EXE > nul
        5⤵
        
        PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C55CC~1.EXE > nul
    3⤵
    PID:1380
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BE2852~1.EXE > nul
  2⤵
  PID:2428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe

Filesize
372KB

MD5
2d49e2baecda8d2f98527c1988b04e44

SHA1
1d619b9fa6bb8ef29d4263e4bb0db23e82b8dec1

SHA256
6a422e1b64bf4d4a6cb00f084a9949c0af9f9a126650b4e3c351fc331cc57be9

SHA512
71a6f6e4dc994d1728bd0d023f9555873210e7bc96c5dceede72d1b9161aab54b0ccd0a9009c3ebdf732a8085a7e30320a96bd736dd90207a237390b73d24d77

Download Submit
C:\Windows\{1083C91C-9430-471f-A9C5-5D62EC44B121}.exe

Filesize
372KB

MD5
2d49e2baecda8d2f98527c1988b04e44

SHA1
1d619b9fa6bb8ef29d4263e4bb0db23e82b8dec1

SHA256
6a422e1b64bf4d4a6cb00f084a9949c0af9f9a126650b4e3c351fc331cc57be9

SHA512
71a6f6e4dc994d1728bd0d023f9555873210e7bc96c5dceede72d1b9161aab54b0ccd0a9009c3ebdf732a8085a7e30320a96bd736dd90207a237390b73d24d77

Download Submit
C:\Windows\{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe

Filesize
372KB

MD5
6b168c52d6b536e634ab0ac72e7ea590

SHA1
04dd75ebe30a42fb424cb6e06be7c2a9c66e25e3

SHA256
603267773f44b2aba937c98867384c91f7e8d643bd6c319d470dd85d606d453a

SHA512
f96befd7054d70b4e5fec31eab5c117a3fd0960a11bdb239bdab8e5f332ae7748eb34fd8af4e1a8952a999b3997eb5939a1910592e9562d20da7b5a22fb184f5

Download Submit
C:\Windows\{163D8F63-FA1B-4ce3-8718-FB32926F363D}.exe

Filesize
372KB

MD5
6b168c52d6b536e634ab0ac72e7ea590

SHA1
04dd75ebe30a42fb424cb6e06be7c2a9c66e25e3

SHA256
603267773f44b2aba937c98867384c91f7e8d643bd6c319d470dd85d606d453a

SHA512
f96befd7054d70b4e5fec31eab5c117a3fd0960a11bdb239bdab8e5f332ae7748eb34fd8af4e1a8952a999b3997eb5939a1910592e9562d20da7b5a22fb184f5

Download Submit
C:\Windows\{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe

Filesize
372KB

MD5
bdb0fcfd01e173a897d772498c22ef99

SHA1
1dfad6dbf9e85aedf381a6611e83516ade030206

SHA256
e7257fca66e698d0f15ac503528a7d99daca7b4da9eb17f573c3dfbd50dd52ec

SHA512
10486f65ea56e2994f6480421ca8d82da3d901b6f0e4cb8815c67b457be2146935d6a9854af71264992c9641f1e3295d0389052b390bbc55e6be982bbd70d11e

Download Submit
C:\Windows\{1CB605C2-743A-4b90-A947-DEB7DDE0D196}.exe

Filesize
372KB

MD5
bdb0fcfd01e173a897d772498c22ef99

SHA1
1dfad6dbf9e85aedf381a6611e83516ade030206

SHA256
e7257fca66e698d0f15ac503528a7d99daca7b4da9eb17f573c3dfbd50dd52ec

SHA512
10486f65ea56e2994f6480421ca8d82da3d901b6f0e4cb8815c67b457be2146935d6a9854af71264992c9641f1e3295d0389052b390bbc55e6be982bbd70d11e

Download Submit
C:\Windows\{373D0330-908E-4611-B725-8C47E76E53FF}.exe

Filesize
372KB

MD5
cc6590e644a6d260d68ea86c69f25555

SHA1
f17810ab51d0d9f07fb63a3dc3d813d7e51990b5

SHA256
b3927ae310736d44e1ba85c0b66400878846ab59a4f2bccfdd825386445dfd43

SHA512
7ecb6f300db140d52b0abde6fc5d704eaec8d94ece185af19cf6481e4935c13f142f91f0f2706c4b94ed1fd4e6f307746ee3057ff6a5cc8dd8fde915a34d3ac3

Download Submit
C:\Windows\{373D0330-908E-4611-B725-8C47E76E53FF}.exe

Filesize
372KB

MD5
cc6590e644a6d260d68ea86c69f25555

SHA1
f17810ab51d0d9f07fb63a3dc3d813d7e51990b5

SHA256
b3927ae310736d44e1ba85c0b66400878846ab59a4f2bccfdd825386445dfd43

SHA512
7ecb6f300db140d52b0abde6fc5d704eaec8d94ece185af19cf6481e4935c13f142f91f0f2706c4b94ed1fd4e6f307746ee3057ff6a5cc8dd8fde915a34d3ac3

Download Submit
C:\Windows\{373D0330-908E-4611-B725-8C47E76E53FF}.exe

Filesize
372KB

MD5
cc6590e644a6d260d68ea86c69f25555

SHA1
f17810ab51d0d9f07fb63a3dc3d813d7e51990b5

SHA256
b3927ae310736d44e1ba85c0b66400878846ab59a4f2bccfdd825386445dfd43

SHA512
7ecb6f300db140d52b0abde6fc5d704eaec8d94ece185af19cf6481e4935c13f142f91f0f2706c4b94ed1fd4e6f307746ee3057ff6a5cc8dd8fde915a34d3ac3

Download Submit
C:\Windows\{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe

Filesize
372KB

MD5
425b818fb9ebf4cd6c02a553a5616d93

SHA1
d3aed0c5587d9163323c9ca3779f1639cbf27036

SHA256
7c1ed6fdf067c0d51a3762bab2855d4e934f7e31963c2437d36150c8d79fe8d7

SHA512
fdbc611e819c7646da72df8f8f655961388df7621c85699b3f6e1e941f5bbe5051199df098512cace8704e8c3c1dcc6e8c65b80abfa4d57bf6a9d35cbd94e452

Download Submit
C:\Windows\{3FDFFE96-4573-46e6-BDAC-91996C084240}.exe

Filesize
372KB

MD5
425b818fb9ebf4cd6c02a553a5616d93

SHA1
d3aed0c5587d9163323c9ca3779f1639cbf27036

SHA256
7c1ed6fdf067c0d51a3762bab2855d4e934f7e31963c2437d36150c8d79fe8d7

SHA512
fdbc611e819c7646da72df8f8f655961388df7621c85699b3f6e1e941f5bbe5051199df098512cace8704e8c3c1dcc6e8c65b80abfa4d57bf6a9d35cbd94e452

Download Submit
C:\Windows\{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe

Filesize
372KB

MD5
13ca528d191eb9c54f69e06bd7dd6738

SHA1
799a4f1a7ca4285aec13adc6f33a74f3084ef2db

SHA256
fbeaa0813c6efd4c508787d992da6e92e7bee685c961db69d6e7d30b7a9e733b

SHA512
2f98f41705cb87c4296866cbfba18cb66e5de6ac78f910c5a7bb7c33b6ad517a705d50c1a19efe864507aef2c7989609e2198755464f1d9462276bb939d7cadd

Download Submit
C:\Windows\{45B26E15-DCA2-4b10-8372-27FA39AEF2AD}.exe

Filesize
372KB

MD5
13ca528d191eb9c54f69e06bd7dd6738

SHA1
799a4f1a7ca4285aec13adc6f33a74f3084ef2db

SHA256
fbeaa0813c6efd4c508787d992da6e92e7bee685c961db69d6e7d30b7a9e733b

SHA512
2f98f41705cb87c4296866cbfba18cb66e5de6ac78f910c5a7bb7c33b6ad517a705d50c1a19efe864507aef2c7989609e2198755464f1d9462276bb939d7cadd

Download Submit
C:\Windows\{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe

Filesize
372KB

MD5
fe973029798b7d16e45d2167bbca47c9

SHA1
a3ad82c5e0715b5db107974c31318c57ac52bcf7

SHA256
34fced363c91f84161696eb678635f0fce570c60d1d4dc9dbd8c2dff493bf5f1

SHA512
984702ec0716146a707e607c9e35862db2eb1b2c95a37c0d73e3938f862b966de4fa903d04cbb844c6c4598c364741eaf807ce548d3b63dfa60165cf8c761fe0

Download Submit
C:\Windows\{99E79C61-1C75-4cbd-B762-2F7EC72FE6B5}.exe

Filesize
372KB

MD5
fe973029798b7d16e45d2167bbca47c9

SHA1
a3ad82c5e0715b5db107974c31318c57ac52bcf7

SHA256
34fced363c91f84161696eb678635f0fce570c60d1d4dc9dbd8c2dff493bf5f1

SHA512
984702ec0716146a707e607c9e35862db2eb1b2c95a37c0d73e3938f862b966de4fa903d04cbb844c6c4598c364741eaf807ce548d3b63dfa60165cf8c761fe0

Download Submit
C:\Windows\{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe

Filesize
372KB

MD5
210f08625d4def26cd370db1925a5cdc

SHA1
590db45c581ecefec7be7830f247fb98740e24ba

SHA256
6fad0421af2d1db871615bc39acf336fc40bb9b5ef6b4b2d013b060f42b17fe2

SHA512
5eb0f78f5bf6b0de9bf0beb715344677cf291fc9e76f237f48e9515283eb8e08c0c2d8339724db970197c1c755c1bd8580f8ca734e9336cb5b991dd2ac83118f

Download Submit
C:\Windows\{C05B200E-1382-49fb-8469-4BE50DD7E7F7}.exe

Filesize
372KB

MD5
210f08625d4def26cd370db1925a5cdc

SHA1
590db45c581ecefec7be7830f247fb98740e24ba

SHA256
6fad0421af2d1db871615bc39acf336fc40bb9b5ef6b4b2d013b060f42b17fe2

SHA512
5eb0f78f5bf6b0de9bf0beb715344677cf291fc9e76f237f48e9515283eb8e08c0c2d8339724db970197c1c755c1bd8580f8ca734e9336cb5b991dd2ac83118f

Download Submit
C:\Windows\{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe

Filesize
372KB

MD5
0ac7eafa1a08de3f89e34b0e25f3a9bd

SHA1
b0c0f79f0b91e6d5a9aae179b4ce6c6a4ad210a0

SHA256
8fa2a7137d5093c4b93a06e5755bdaa4044ae72c812f17a481e41a2e3587b3ea

SHA512
a16e1968766e0d361b0a6457d4f4ded9466faaf6b9e91dfa037a2011c2ab638a7fd5d5f9d8c0b65781205d7f413b1ba7df082b467785108db91690721e8ab9fb

Download Submit
C:\Windows\{C55CC79B-4771-4fe5-BB20-002A032C4E39}.exe

Filesize
372KB

MD5
0ac7eafa1a08de3f89e34b0e25f3a9bd

SHA1
b0c0f79f0b91e6d5a9aae179b4ce6c6a4ad210a0

SHA256
8fa2a7137d5093c4b93a06e5755bdaa4044ae72c812f17a481e41a2e3587b3ea

SHA512
a16e1968766e0d361b0a6457d4f4ded9466faaf6b9e91dfa037a2011c2ab638a7fd5d5f9d8c0b65781205d7f413b1ba7df082b467785108db91690721e8ab9fb

Download Submit
C:\Windows\{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe

Filesize
372KB

MD5
bb91aaaa14d0de2d3d362afc7434fea2

SHA1
0909fdc54fe20e26ddc4a7c3a2bf0885f7872d12

SHA256
a9a28a4c4a9be6270bdb29e2034903cd139e70310ef78b4ccae53dbc255c272c

SHA512
b6a23aa0c0a39c7a041d4e52cbd874e4accd0f45046cd2e5ae5c83b72f006de5c92aab6e6365ff5be651a5f2ef92fe290ac07ab955884e6493b37c2c07a8c18c

Download Submit
C:\Windows\{D4608F09-3EB5-43c2-B463-0E13EA8272D0}.exe

Filesize
372KB

MD5
bb91aaaa14d0de2d3d362afc7434fea2

SHA1
0909fdc54fe20e26ddc4a7c3a2bf0885f7872d12

SHA256
a9a28a4c4a9be6270bdb29e2034903cd139e70310ef78b4ccae53dbc255c272c

SHA512
b6a23aa0c0a39c7a041d4e52cbd874e4accd0f45046cd2e5ae5c83b72f006de5c92aab6e6365ff5be651a5f2ef92fe290ac07ab955884e6493b37c2c07a8c18c

Download Submit
C:\Windows\{EE046431-EC37-4f9a-89C1-18BC5194A806}.exe

Filesize
372KB

MD5
65a0f32da2fd50efcd40374a5a8bc85b

SHA1
9419f28e78d32438edb6f71c91c22628cb517277

SHA256
cfac51a50ca33206befd7dac31e56f9d06de972921b9f740722ecaf56ae269f8

SHA512
0b6801c9abc22c050a20eab9c920ac7480edcc3a483abcbf745b0357175b427c874b661e9c18cc86d986a78bb53f4299cc2ee7089dc5552f516e1007d2223b69

Download Submit
C:\Windows\{EE046431-EC37-4f9a-89C1-18BC5194A806}.exe

Filesize
372KB

MD5
65a0f32da2fd50efcd40374a5a8bc85b

SHA1
9419f28e78d32438edb6f71c91c22628cb517277

SHA256
cfac51a50ca33206befd7dac31e56f9d06de972921b9f740722ecaf56ae269f8

SHA512
0b6801c9abc22c050a20eab9c920ac7480edcc3a483abcbf745b0357175b427c874b661e9c18cc86d986a78bb53f4299cc2ee7089dc5552f516e1007d2223b69

Download Submit
C:\Windows\{F63F5BDC-4357-42fd-B622-AA215110507F}.exe

Filesize
372KB

MD5
3d3c9676daa4592e46d666c768812d89

SHA1
10f29d3c433dc94d29f81bcaa129afb404b9afe0

SHA256
33b324dce5d8dd178086ce9549ba54ff5520a141f8f399d31eb881bd21a26815

SHA512
f7052d567f7f7a1055276486b6f272d2ca7aca524509b646aa44e08561d2b139f61ce97bc5174d25a07d88ffe10ca9891c40a60c950a18703d2f248f3bc11cab

Download Submit
C:\Windows\{F63F5BDC-4357-42fd-B622-AA215110507F}.exe

Filesize
372KB

MD5
3d3c9676daa4592e46d666c768812d89

SHA1
10f29d3c433dc94d29f81bcaa129afb404b9afe0

SHA256
33b324dce5d8dd178086ce9549ba54ff5520a141f8f399d31eb881bd21a26815

SHA512
f7052d567f7f7a1055276486b6f272d2ca7aca524509b646aa44e08561d2b139f61ce97bc5174d25a07d88ffe10ca9891c40a60c950a18703d2f248f3bc11cab

Download Submit