a52e51d8bf148e472e01542ffe2dbdeb6281a56a951fd49c18ae8980f99a7883

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2023, 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1bc5650f23dbcexe_JC.exe
Size

168KB
MD5

e1bc5650f23dbcb38a1a5673ec6148cc
SHA1

30ba847fc001d387cad96b969a2aad7b7854e8c7
SHA256

a52e51d8bf148e472e01542ffe2dbdeb6281a56a951fd49c18ae8980f99a7883
SHA512

d43dab336ed19564391cd16ad0390f0ec40c51c7055ee48698768979bdce0be84a1080b452511f888a881f149a2f41e43b0cb8ce64b4b097b0c2eae554c05ce3
SSDEEP

1536:1EGh0owlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0owlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{999D4006-02D8-4235-82D9-1E06FF43ED07}	{94822F37-C65B-426b-A460-409B6E2650C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{999D4006-02D8-4235-82D9-1E06FF43ED07}\stubpath = "C:\\Windows\\{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe"	{94822F37-C65B-426b-A460-409B6E2650C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E4D3E08-10FA-484c-BB6A-226A8B228040}	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1B6D806-1268-4316-AEF9-347E12704CAB}\stubpath = "C:\\Windows\\{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe"	{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE13C5CB-3A4A-4eb7-9A5E-278CE86F6D8B}	{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94822F37-C65B-426b-A460-409B6E2650C8}\stubpath = "C:\\Windows\\{94822F37-C65B-426b-A460-409B6E2650C8}.exe"	e1bc5650f23dbcexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CB1E41A-8655-4744-98C8-2E80ED204C78}	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62273A4E-B7CD-423d-81D9-D03113EEA373}\stubpath = "C:\\Windows\\{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe"	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1B6D806-1268-4316-AEF9-347E12704CAB}	{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{980ACBBC-243B-4198-9172-EEA2B6C21A1A}\stubpath = "C:\\Windows\\{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe"	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62273A4E-B7CD-423d-81D9-D03113EEA373}	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78BB2867-3912-4515-BB02-E14BBE3A6637}\stubpath = "C:\\Windows\\{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe"	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94822F37-C65B-426b-A460-409B6E2650C8}	e1bc5650f23dbcexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40B1E058-600B-4d04-A191-0DB460A3B444}\stubpath = "C:\\Windows\\{40B1E058-600B-4d04-A191-0DB460A3B444}.exe"	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B803450-A82E-4101-8953-CBF908E2C5C7}\stubpath = "C:\\Windows\\{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe"	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E4D3E08-10FA-484c-BB6A-226A8B228040}\stubpath = "C:\\Windows\\{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe"	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78BB2867-3912-4515-BB02-E14BBE3A6637}	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29DE46B2-40C5-48d6-BC58-AC7F39C83722}	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29DE46B2-40C5-48d6-BC58-AC7F39C83722}\stubpath = "C:\\Windows\\{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe"	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE13C5CB-3A4A-4eb7-9A5E-278CE86F6D8B}\stubpath = "C:\\Windows\\{CE13C5CB-3A4A-4eb7-9A5E-278CE86F6D8B}.exe"	{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CB1E41A-8655-4744-98C8-2E80ED204C78}\stubpath = "C:\\Windows\\{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe"	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40B1E058-600B-4d04-A191-0DB460A3B444}	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3B803450-A82E-4101-8953-CBF908E2C5C7}	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{980ACBBC-243B-4198-9172-EEA2B6C21A1A}	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe

Executes dropped EXE 12 IoCs

pid	Process
1840	{94822F37-C65B-426b-A460-409B6E2650C8}.exe
4512	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe
2668	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe
4060	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe
3996	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe
2252	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe
828	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe
5032	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe
876	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe
4992	{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe
996	{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe
2500	{CE13C5CB-3A4A-4eb7-9A5E-278CE86F6D8B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe	{94822F37-C65B-426b-A460-409B6E2650C8}.exe
File created	C:\Windows\{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe
File created	C:\Windows\{40B1E058-600B-4d04-A191-0DB460A3B444}.exe	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe
File created	C:\Windows\{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe
File created	C:\Windows\{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe
File created	C:\Windows\{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe
File created	C:\Windows\{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe	{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe
File created	C:\Windows\{94822F37-C65B-426b-A460-409B6E2650C8}.exe	e1bc5650f23dbcexe_JC.exe
File created	C:\Windows\{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe
File created	C:\Windows\{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe
File created	C:\Windows\{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe
File created	C:\Windows\{CE13C5CB-3A4A-4eb7-9A5E-278CE86F6D8B}.exe	{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	948	e1bc5650f23dbcexe_JC.exe
Token: SeIncBasePriorityPrivilege	1840	{94822F37-C65B-426b-A460-409B6E2650C8}.exe
Token: SeIncBasePriorityPrivilege	4512	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe
Token: SeIncBasePriorityPrivilege	2668	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe
Token: SeIncBasePriorityPrivilege	4060	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe
Token: SeIncBasePriorityPrivilege	3996	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe
Token: SeIncBasePriorityPrivilege	2252	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe
Token: SeIncBasePriorityPrivilege	828	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe
Token: SeIncBasePriorityPrivilege	5032	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe
Token: SeIncBasePriorityPrivilege	876	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe
Token: SeIncBasePriorityPrivilege	4992	{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe
Token: SeIncBasePriorityPrivilege	996	{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 948 wrote to memory of 1840	948	e1bc5650f23dbcexe_JC.exe	97
PID 948 wrote to memory of 1840	948	e1bc5650f23dbcexe_JC.exe	97
PID 948 wrote to memory of 1840	948	e1bc5650f23dbcexe_JC.exe	97
PID 948 wrote to memory of 4304	948	e1bc5650f23dbcexe_JC.exe	98
PID 948 wrote to memory of 4304	948	e1bc5650f23dbcexe_JC.exe	98
PID 948 wrote to memory of 4304	948	e1bc5650f23dbcexe_JC.exe	98
PID 1840 wrote to memory of 4512	1840	{94822F37-C65B-426b-A460-409B6E2650C8}.exe	99
PID 1840 wrote to memory of 4512	1840	{94822F37-C65B-426b-A460-409B6E2650C8}.exe	99
PID 1840 wrote to memory of 4512	1840	{94822F37-C65B-426b-A460-409B6E2650C8}.exe	99
PID 1840 wrote to memory of 4496	1840	{94822F37-C65B-426b-A460-409B6E2650C8}.exe	100
PID 1840 wrote to memory of 4496	1840	{94822F37-C65B-426b-A460-409B6E2650C8}.exe	100
PID 1840 wrote to memory of 4496	1840	{94822F37-C65B-426b-A460-409B6E2650C8}.exe	100
PID 4512 wrote to memory of 2668	4512	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe	105
PID 4512 wrote to memory of 2668	4512	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe	105
PID 4512 wrote to memory of 2668	4512	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe	105
PID 4512 wrote to memory of 212	4512	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe	106
PID 4512 wrote to memory of 212	4512	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe	106
PID 4512 wrote to memory of 212	4512	{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe	106
PID 2668 wrote to memory of 4060	2668	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe	111
PID 2668 wrote to memory of 4060	2668	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe	111
PID 2668 wrote to memory of 4060	2668	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe	111
PID 2668 wrote to memory of 948	2668	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe	112
PID 2668 wrote to memory of 948	2668	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe	112
PID 2668 wrote to memory of 948	2668	{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe	112
PID 4060 wrote to memory of 3996	4060	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe	113
PID 4060 wrote to memory of 3996	4060	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe	113
PID 4060 wrote to memory of 3996	4060	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe	113
PID 4060 wrote to memory of 2948	4060	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe	114
PID 4060 wrote to memory of 2948	4060	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe	114
PID 4060 wrote to memory of 2948	4060	{40B1E058-600B-4d04-A191-0DB460A3B444}.exe	114
PID 3996 wrote to memory of 2252	3996	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe	115
PID 3996 wrote to memory of 2252	3996	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe	115
PID 3996 wrote to memory of 2252	3996	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe	115
PID 3996 wrote to memory of 4712	3996	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe	116
PID 3996 wrote to memory of 4712	3996	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe	116
PID 3996 wrote to memory of 4712	3996	{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe	116
PID 2252 wrote to memory of 828	2252	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe	118
PID 2252 wrote to memory of 828	2252	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe	118
PID 2252 wrote to memory of 828	2252	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe	118
PID 2252 wrote to memory of 500	2252	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe	119
PID 2252 wrote to memory of 500	2252	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe	119
PID 2252 wrote to memory of 500	2252	{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe	119
PID 828 wrote to memory of 5032	828	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe	120
PID 828 wrote to memory of 5032	828	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe	120
PID 828 wrote to memory of 5032	828	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe	120
PID 828 wrote to memory of 4356	828	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe	121
PID 828 wrote to memory of 4356	828	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe	121
PID 828 wrote to memory of 4356	828	{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe	121
PID 5032 wrote to memory of 876	5032	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe	122
PID 5032 wrote to memory of 876	5032	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe	122
PID 5032 wrote to memory of 876	5032	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe	122
PID 5032 wrote to memory of 4192	5032	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe	123
PID 5032 wrote to memory of 4192	5032	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe	123
PID 5032 wrote to memory of 4192	5032	{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe	123
PID 876 wrote to memory of 4992	876	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe	124
PID 876 wrote to memory of 4992	876	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe	124
PID 876 wrote to memory of 4992	876	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe	124
PID 876 wrote to memory of 4636	876	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe	125
PID 876 wrote to memory of 4636	876	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe	125
PID 876 wrote to memory of 4636	876	{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe	125
PID 4992 wrote to memory of 996	4992	{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe	126
PID 4992 wrote to memory of 996	4992	{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe	126
PID 4992 wrote to memory of 996	4992	{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe	126
PID 4992 wrote to memory of 1872	4992	{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe	127

C:\Users\Admin\AppData\Local\Temp\e1bc5650f23dbcexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e1bc5650f23dbcexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\{94822F37-C65B-426b-A460-409B6E2650C8}.exe
  C:\Windows\{94822F37-C65B-426b-A460-409B6E2650C8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1840
- - C:\Windows\{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe
    C:\Windows\{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4512
  - - C:\Windows\{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe
      C:\Windows\{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\{40B1E058-600B-4d04-A191-0DB460A3B444}.exe
        
        C:\Windows\{40B1E058-600B-4d04-A191-0DB460A3B444}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
      - C:\Windows\{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe
        
        C:\Windows\{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe
        
        C:\Windows\{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe
        
        C:\Windows\{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe
        
        C:\Windows\{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe
        
        C:\Windows\{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe
        
        C:\Windows\{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe
        
        C:\Windows\{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\{CE13C5CB-3A4A-4eb7-9A5E-278CE86F6D8B}.exe
        
        C:\Windows\{CE13C5CB-3A4A-4eb7-9A5E-278CE86F6D8B}.exe
        13⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1B6D~1.EXE > nul
        13⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29DE4~1.EXE > nul
        12⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78BB2~1.EXE > nul
        11⤵
        
        PID:4636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62273~1.EXE > nul
        10⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{980AC~1.EXE > nul
        9⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E4D3~1.EXE > nul
        8⤵
        
        PID:500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3B803~1.EXE > nul
        7⤵
        
        PID:4712
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40B1E~1.EXE > nul
        6⤵
        
        PID:2948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CB1E~1.EXE > nul
        5⤵
        
        PID:948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{999D4~1.EXE > nul
      4⤵
      PID:212
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{94822~1.EXE > nul
    3⤵
    PID:4496
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E1BC56~1.EXE > nul
  2⤵
  PID:4304

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe

Filesize
168KB

MD5
a1f52cedd4038f469635ce50ac623d2b

SHA1
60412ec7b72d423ead872aed01da98590dddd611

SHA256
2e0952aa9b4cc4dddf4e9fa0996ab5e1de99634ecfb15c65f1582fe3c82fd5a8

SHA512
30bd32b86ea30a914b5a329998f63ca9ba54968b8e0c0e02bb2675b6e7b33923dadf7be46ba145575e6f1969ae7f5f90ae9911910df72b0ee0f69e2dabdf53d1

Download Submit
C:\Windows\{29DE46B2-40C5-48d6-BC58-AC7F39C83722}.exe

Filesize
168KB

MD5
a1f52cedd4038f469635ce50ac623d2b

SHA1
60412ec7b72d423ead872aed01da98590dddd611

SHA256
2e0952aa9b4cc4dddf4e9fa0996ab5e1de99634ecfb15c65f1582fe3c82fd5a8

SHA512
30bd32b86ea30a914b5a329998f63ca9ba54968b8e0c0e02bb2675b6e7b33923dadf7be46ba145575e6f1969ae7f5f90ae9911910df72b0ee0f69e2dabdf53d1

Download Submit
C:\Windows\{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe

Filesize
168KB

MD5
c3ff5b17a1c4b39dfd909cba3af2f38a

SHA1
fac47caaa14b4439ebf7aae85835908e2b43b9a1

SHA256
5e7e1481a2c0219cfa20fb259940fa6117e66d1876abb18783dd9e840fc74fd8

SHA512
ed69927ff9625e99e7406de0f0d41020efd8ecac819833520a10dc4cdbf9a7b96f3117dd255730d4b4446e94e23ab8a21582d4ca2620d36740d8ac501201edaa

Download Submit
C:\Windows\{3B803450-A82E-4101-8953-CBF908E2C5C7}.exe

Filesize
168KB

MD5
c3ff5b17a1c4b39dfd909cba3af2f38a

SHA1
fac47caaa14b4439ebf7aae85835908e2b43b9a1

SHA256
5e7e1481a2c0219cfa20fb259940fa6117e66d1876abb18783dd9e840fc74fd8

SHA512
ed69927ff9625e99e7406de0f0d41020efd8ecac819833520a10dc4cdbf9a7b96f3117dd255730d4b4446e94e23ab8a21582d4ca2620d36740d8ac501201edaa

Download Submit
C:\Windows\{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe

Filesize
168KB

MD5
d633a79230a9fba64a09c7c18c7b55a1

SHA1
d367c68de87072c48314663e6515bf61fb6b91a3

SHA256
350e2c8b0e7f1d22d221dee6f7dec6e37ce7e798d77ca0aacb6a5389b6231c12

SHA512
46975c27f0849eb47f05727baa23e913e826643db5f95a38e0f5078c929ba549f15f58b33cd524b14a87c143f0148bf8aaac5fcfa5a64a0e076d8f97811bd274

Download Submit
C:\Windows\{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe

Filesize
168KB

MD5
d633a79230a9fba64a09c7c18c7b55a1

SHA1
d367c68de87072c48314663e6515bf61fb6b91a3

SHA256
350e2c8b0e7f1d22d221dee6f7dec6e37ce7e798d77ca0aacb6a5389b6231c12

SHA512
46975c27f0849eb47f05727baa23e913e826643db5f95a38e0f5078c929ba549f15f58b33cd524b14a87c143f0148bf8aaac5fcfa5a64a0e076d8f97811bd274

Download Submit
C:\Windows\{3CB1E41A-8655-4744-98C8-2E80ED204C78}.exe

Filesize
168KB

MD5
d633a79230a9fba64a09c7c18c7b55a1

SHA1
d367c68de87072c48314663e6515bf61fb6b91a3

SHA256
350e2c8b0e7f1d22d221dee6f7dec6e37ce7e798d77ca0aacb6a5389b6231c12

SHA512
46975c27f0849eb47f05727baa23e913e826643db5f95a38e0f5078c929ba549f15f58b33cd524b14a87c143f0148bf8aaac5fcfa5a64a0e076d8f97811bd274

Download Submit
C:\Windows\{40B1E058-600B-4d04-A191-0DB460A3B444}.exe

Filesize
168KB

MD5
bd96bb91f67eaaf15964cb63cb68f9c8

SHA1
12d3afd594cbad9eb9457a6880c9db702c7eaf41

SHA256
72d3c4b7d5a157e95737806bebe66af8ab1d501df6f9e80178e699c68ad76088

SHA512
a03259aa69904c9954515fd407c176fd674625ca974776fdf47e5e73618d3b29c3f686130032e18aca7d085092e9e7d386d53920668469d17271568fe4164198

Download Submit
C:\Windows\{40B1E058-600B-4d04-A191-0DB460A3B444}.exe

Filesize
168KB

MD5
bd96bb91f67eaaf15964cb63cb68f9c8

SHA1
12d3afd594cbad9eb9457a6880c9db702c7eaf41

SHA256
72d3c4b7d5a157e95737806bebe66af8ab1d501df6f9e80178e699c68ad76088

SHA512
a03259aa69904c9954515fd407c176fd674625ca974776fdf47e5e73618d3b29c3f686130032e18aca7d085092e9e7d386d53920668469d17271568fe4164198

Download Submit
C:\Windows\{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe

Filesize
168KB

MD5
edd3a91677705b334c3c5d3f6b1a850e

SHA1
d098a67ba01db326b4376c64fd763796041d3697

SHA256
672c87896341fb0cb897f919204961407f223dbe7d94f106a9f261e13419cf27

SHA512
a1e739c2e9c2819dff414c6eeecc68d8ba313143ebbe06222e88f863364800915ef50dcc66e87518314b16347d7148b20245d1bafa53e5f477d8d22061968c33

Download Submit
C:\Windows\{62273A4E-B7CD-423d-81D9-D03113EEA373}.exe

Filesize
168KB

MD5
edd3a91677705b334c3c5d3f6b1a850e

SHA1
d098a67ba01db326b4376c64fd763796041d3697

SHA256
672c87896341fb0cb897f919204961407f223dbe7d94f106a9f261e13419cf27

SHA512
a1e739c2e9c2819dff414c6eeecc68d8ba313143ebbe06222e88f863364800915ef50dcc66e87518314b16347d7148b20245d1bafa53e5f477d8d22061968c33

Download Submit
C:\Windows\{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe

Filesize
168KB

MD5
644bc509ba1de8ef6aecdf89898b89d6

SHA1
ecebe416a41031981e6865377a380da75afa03c6

SHA256
91a66e12a524084b389a8f6eddec7d194978fb37e10dce3045a7a1a97215d2a3

SHA512
5464bb624d9605a7f6311d43c5fb170d53b1e4d2d1930d3718f17ce66e68b57520318b206191e0599cfae1e5545454792f340f4f000d32265831409fb63459b7

Download Submit
C:\Windows\{78BB2867-3912-4515-BB02-E14BBE3A6637}.exe

Filesize
168KB

MD5
644bc509ba1de8ef6aecdf89898b89d6

SHA1
ecebe416a41031981e6865377a380da75afa03c6

SHA256
91a66e12a524084b389a8f6eddec7d194978fb37e10dce3045a7a1a97215d2a3

SHA512
5464bb624d9605a7f6311d43c5fb170d53b1e4d2d1930d3718f17ce66e68b57520318b206191e0599cfae1e5545454792f340f4f000d32265831409fb63459b7

Download Submit
C:\Windows\{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe

Filesize
168KB

MD5
f00207371f21717822fc8365fd791b0c

SHA1
0924aaf1b9482d6b123e2cbdb10926644e9bb4a9

SHA256
688d3123d4ce2180f8ecc218cfed8e6dcc085185d9c3a32616433d1e29ea196a

SHA512
2e311fd3477c9dfff34fc6d1b8278e2e7a045e4f63a134ab9e71ac40dd700f429cdc23d3446393c7277e4be69496a83378851210941ac4e7205fc39483ac1fe1

Download Submit
C:\Windows\{7E4D3E08-10FA-484c-BB6A-226A8B228040}.exe

Filesize
168KB

MD5
f00207371f21717822fc8365fd791b0c

SHA1
0924aaf1b9482d6b123e2cbdb10926644e9bb4a9

SHA256
688d3123d4ce2180f8ecc218cfed8e6dcc085185d9c3a32616433d1e29ea196a

SHA512
2e311fd3477c9dfff34fc6d1b8278e2e7a045e4f63a134ab9e71ac40dd700f429cdc23d3446393c7277e4be69496a83378851210941ac4e7205fc39483ac1fe1

Download Submit
C:\Windows\{94822F37-C65B-426b-A460-409B6E2650C8}.exe

Filesize
168KB

MD5
31b1f8537fd8e13f34b8275ef2b1c668

SHA1
d0946fba6fd096d5740bb1d9b04ae4ea0e8b317f

SHA256
3e669c0cc4725065cd7d68c655ac6a625bb6d89440e182b0d6985de281ef69e6

SHA512
be30562f22868dd89c41ae08b7d6dcc11faf9a992227a884d2c8651e9af009caa7e0b628d76e22612d2cfb913b39f638149176035b9d130877acaaa1e564c56c

Download Submit
C:\Windows\{94822F37-C65B-426b-A460-409B6E2650C8}.exe

Filesize
168KB

MD5
31b1f8537fd8e13f34b8275ef2b1c668

SHA1
d0946fba6fd096d5740bb1d9b04ae4ea0e8b317f

SHA256
3e669c0cc4725065cd7d68c655ac6a625bb6d89440e182b0d6985de281ef69e6

SHA512
be30562f22868dd89c41ae08b7d6dcc11faf9a992227a884d2c8651e9af009caa7e0b628d76e22612d2cfb913b39f638149176035b9d130877acaaa1e564c56c

Download Submit
C:\Windows\{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe

Filesize
168KB

MD5
8d544780a3ae17adbb571e0b2675a53c

SHA1
deb50b5ba244fd8015e5944e2abe582ae2aae48d

SHA256
ade63211b15f9bc927a4da5d5d613935ad48f2dee6cfc52f28ed9c5010b5fd05

SHA512
6f8d12147832c2be2bbfaeef6c6d03d099525042a4f0791e555c551f89c6a7b06739ad14ab229b6086743a9763138dd6fb14284ac15b357a176f70395444db24

Download Submit
C:\Windows\{980ACBBC-243B-4198-9172-EEA2B6C21A1A}.exe

Filesize
168KB

MD5
8d544780a3ae17adbb571e0b2675a53c

SHA1
deb50b5ba244fd8015e5944e2abe582ae2aae48d

SHA256
ade63211b15f9bc927a4da5d5d613935ad48f2dee6cfc52f28ed9c5010b5fd05

SHA512
6f8d12147832c2be2bbfaeef6c6d03d099525042a4f0791e555c551f89c6a7b06739ad14ab229b6086743a9763138dd6fb14284ac15b357a176f70395444db24

Download Submit
C:\Windows\{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe

Filesize
168KB

MD5
111f487a14dca03ebefeb421b4c653da

SHA1
2ad352410d7430452bbc9489ca61cbb4f5bb0fef

SHA256
f6fb271657647adaa743e9ec15162a46d281b6f61accec15d392a4e7aa9efb19

SHA512
e7f0a15d2f88c3d2a64b1036bfab36e2a0b878a1cbc87fe9a8c463bc094825563d5e358f38ac01d922355cd5fe3266c8773118531f679d8a57857161a905fc46

Download Submit
C:\Windows\{999D4006-02D8-4235-82D9-1E06FF43ED07}.exe

Filesize
168KB

MD5
111f487a14dca03ebefeb421b4c653da

SHA1
2ad352410d7430452bbc9489ca61cbb4f5bb0fef

SHA256
f6fb271657647adaa743e9ec15162a46d281b6f61accec15d392a4e7aa9efb19

SHA512
e7f0a15d2f88c3d2a64b1036bfab36e2a0b878a1cbc87fe9a8c463bc094825563d5e358f38ac01d922355cd5fe3266c8773118531f679d8a57857161a905fc46

Download Submit
C:\Windows\{CE13C5CB-3A4A-4eb7-9A5E-278CE86F6D8B}.exe

Filesize
168KB

MD5
ab5697fc87aceda05339de5ba9a67661

SHA1
1645f9df0e5ddf3f29e6c5a86e542ef3c0e1818e

SHA256
21949b0b4c0057e7d2332d1d358b3320b90cbd73284444d997556da3bb9c50f6

SHA512
9d8498943e474046d8bd834ebb4fb3ff145ee8c72bde85f51aacbf758d5ce6179b1898c33e3b3b344049a70575250b4991366554fdc0fb85f8ac6033a5b10d6a

Download Submit
C:\Windows\{CE13C5CB-3A4A-4eb7-9A5E-278CE86F6D8B}.exe

Filesize
168KB

MD5
ab5697fc87aceda05339de5ba9a67661

SHA1
1645f9df0e5ddf3f29e6c5a86e542ef3c0e1818e

SHA256
21949b0b4c0057e7d2332d1d358b3320b90cbd73284444d997556da3bb9c50f6

SHA512
9d8498943e474046d8bd834ebb4fb3ff145ee8c72bde85f51aacbf758d5ce6179b1898c33e3b3b344049a70575250b4991366554fdc0fb85f8ac6033a5b10d6a

Download Submit
C:\Windows\{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe

Filesize
168KB

MD5
9a50fb743f4452afc8f4d3e400c16104

SHA1
2286b9fac3650dd8efb04561374413cae4dc5eb5

SHA256
230786f3e3cd2a42a46b6154908014d81f84ebc039d9307b0ca76c90189f8428

SHA512
0a0f3dcafcfb5647c4c4868b5812f3e19f00acad660c5b60dbfb89688f36bd2ab7e1195da1fc8fd276888d7e2459727a901c220d872b7c24016e6c63802025b0

Download Submit
C:\Windows\{E1B6D806-1268-4316-AEF9-347E12704CAB}.exe

Filesize
168KB

MD5
9a50fb743f4452afc8f4d3e400c16104

SHA1
2286b9fac3650dd8efb04561374413cae4dc5eb5

SHA256
230786f3e3cd2a42a46b6154908014d81f84ebc039d9307b0ca76c90189f8428

SHA512
0a0f3dcafcfb5647c4c4868b5812f3e19f00acad660c5b60dbfb89688f36bd2ab7e1195da1fc8fd276888d7e2459727a901c220d872b7c24016e6c63802025b0

Download Submit