4e0d19bca441647f4fe979f8760114fb4d52a0af60c3c6fafbaa3aab59d0f296

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2023 14:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb99f84fd0a5bexe_JC.exe
Size

204KB
MD5

eeb99f84fd0a5bd8fc49c2e9b40c4f33
SHA1

a4b51fe08f5fbe1a5bd27d643e40c57edbbafb18
SHA256

4e0d19bca441647f4fe979f8760114fb4d52a0af60c3c6fafbaa3aab59d0f296
SHA512

42a6f816059f612c4da54883223c5348d606a211af33b4b8793d47c633694e997d2e7a6722d79c5a8509e6c4c76635041d7ea4b18c73b1559374ee672801dc28
SSDEEP

1536:1EGh0oLl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oLl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E64562DE-BBA1-48ca-B22F-372BAA9C087E}\stubpath = "C:\\Windows\\{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe"	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62916E7F-0602-4a10-8BD5-0D3C0082F522}\stubpath = "C:\\Windows\\{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe"	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02B63EBF-D91F-4446-BED7-0415A4FB5591}	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E64562DE-BBA1-48ca-B22F-372BAA9C087E}	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}\stubpath = "C:\\Windows\\{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe"	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}\stubpath = "C:\\Windows\\{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe"	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}\stubpath = "C:\\Windows\\{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe"	{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E402426-BEF7-4f36-849D-28D5C2BA4FDA}	{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}\stubpath = "C:\\Windows\\{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe"	eeb99f84fd0a5bexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62916E7F-0602-4a10-8BD5-0D3C0082F522}	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{452168F0-4B29-434b-8851-E3D7D15AB4A9}	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{452168F0-4B29-434b-8851-E3D7D15AB4A9}\stubpath = "C:\\Windows\\{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe"	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0974640-14FB-4c41-9C05-3389855C2F4E}	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}\stubpath = "C:\\Windows\\{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe"	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02B63EBF-D91F-4446-BED7-0415A4FB5591}\stubpath = "C:\\Windows\\{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe"	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E402426-BEF7-4f36-849D-28D5C2BA4FDA}\stubpath = "C:\\Windows\\{7E402426-BEF7-4f36-849D-28D5C2BA4FDA}.exe"	{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}	eeb99f84fd0a5bexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}\stubpath = "C:\\Windows\\{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe"	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}	{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0974640-14FB-4c41-9C05-3389855C2F4E}\stubpath = "C:\\Windows\\{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe"	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe

Executes dropped EXE 12 IoCs

pid	Process
1916	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe
3708	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe
3792	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe
2200	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe
3508	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe
3312	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe
368	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe
4348	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe
2900	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe
3212	{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe
4692	{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe
2780	{7E402426-BEF7-4f36-849D-28D5C2BA4FDA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe
File created	C:\Windows\{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe
File created	C:\Windows\{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe
File created	C:\Windows\{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe
File created	C:\Windows\{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe
File created	C:\Windows\{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe
File created	C:\Windows\{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe
File created	C:\Windows\{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe
File created	C:\Windows\{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe
File created	C:\Windows\{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe	{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe
File created	C:\Windows\{7E402426-BEF7-4f36-849D-28D5C2BA4FDA}.exe	{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe
File created	C:\Windows\{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe	eeb99f84fd0a5bexe_JC.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2356	eeb99f84fd0a5bexe_JC.exe
Token: SeIncBasePriorityPrivilege	1916	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe
Token: SeIncBasePriorityPrivilege	3708	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe
Token: SeIncBasePriorityPrivilege	3792	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe
Token: SeIncBasePriorityPrivilege	2200	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe
Token: SeIncBasePriorityPrivilege	3508	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe
Token: SeIncBasePriorityPrivilege	3312	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe
Token: SeIncBasePriorityPrivilege	368	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe
Token: SeIncBasePriorityPrivilege	4348	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe
Token: SeIncBasePriorityPrivilege	2900	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe
Token: SeIncBasePriorityPrivilege	3212	{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe
Token: SeIncBasePriorityPrivilege	4692	{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2356 wrote to memory of 1916	2356	eeb99f84fd0a5bexe_JC.exe	90
PID 2356 wrote to memory of 1916	2356	eeb99f84fd0a5bexe_JC.exe	90
PID 2356 wrote to memory of 1916	2356	eeb99f84fd0a5bexe_JC.exe	90
PID 2356 wrote to memory of 1480	2356	eeb99f84fd0a5bexe_JC.exe	91
PID 2356 wrote to memory of 1480	2356	eeb99f84fd0a5bexe_JC.exe	91
PID 2356 wrote to memory of 1480	2356	eeb99f84fd0a5bexe_JC.exe	91
PID 1916 wrote to memory of 3708	1916	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe	94
PID 1916 wrote to memory of 3708	1916	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe	94
PID 1916 wrote to memory of 3708	1916	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe	94
PID 1916 wrote to memory of 1436	1916	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe	95
PID 1916 wrote to memory of 1436	1916	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe	95
PID 1916 wrote to memory of 1436	1916	{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe	95
PID 3708 wrote to memory of 3792	3708	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe	99
PID 3708 wrote to memory of 3792	3708	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe	99
PID 3708 wrote to memory of 3792	3708	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe	99
PID 3708 wrote to memory of 5100	3708	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe	98
PID 3708 wrote to memory of 5100	3708	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe	98
PID 3708 wrote to memory of 5100	3708	{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe	98
PID 3792 wrote to memory of 2200	3792	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe	100
PID 3792 wrote to memory of 2200	3792	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe	100
PID 3792 wrote to memory of 2200	3792	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe	100
PID 3792 wrote to memory of 4160	3792	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe	101
PID 3792 wrote to memory of 4160	3792	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe	101
PID 3792 wrote to memory of 4160	3792	{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe	101
PID 2200 wrote to memory of 3508	2200	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe	102
PID 2200 wrote to memory of 3508	2200	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe	102
PID 2200 wrote to memory of 3508	2200	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe	102
PID 2200 wrote to memory of 1648	2200	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe	103
PID 2200 wrote to memory of 1648	2200	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe	103
PID 2200 wrote to memory of 1648	2200	{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe	103
PID 3508 wrote to memory of 3312	3508	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe	110
PID 3508 wrote to memory of 3312	3508	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe	110
PID 3508 wrote to memory of 3312	3508	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe	110
PID 3508 wrote to memory of 4220	3508	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe	109
PID 3508 wrote to memory of 4220	3508	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe	109
PID 3508 wrote to memory of 4220	3508	{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe	109
PID 3312 wrote to memory of 368	3312	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe	111
PID 3312 wrote to memory of 368	3312	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe	111
PID 3312 wrote to memory of 368	3312	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe	111
PID 3312 wrote to memory of 2588	3312	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe	112
PID 3312 wrote to memory of 2588	3312	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe	112
PID 3312 wrote to memory of 2588	3312	{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe	112
PID 368 wrote to memory of 4348	368	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe	113
PID 368 wrote to memory of 4348	368	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe	113
PID 368 wrote to memory of 4348	368	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe	113
PID 368 wrote to memory of 5044	368	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe	114
PID 368 wrote to memory of 5044	368	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe	114
PID 368 wrote to memory of 5044	368	{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe	114
PID 4348 wrote to memory of 2900	4348	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe	117
PID 4348 wrote to memory of 2900	4348	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe	117
PID 4348 wrote to memory of 2900	4348	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe	117
PID 4348 wrote to memory of 4988	4348	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe	118
PID 4348 wrote to memory of 4988	4348	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe	118
PID 4348 wrote to memory of 4988	4348	{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe	118
PID 2900 wrote to memory of 3212	2900	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe	119
PID 2900 wrote to memory of 3212	2900	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe	119
PID 2900 wrote to memory of 3212	2900	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe	119
PID 2900 wrote to memory of 536	2900	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe	120
PID 2900 wrote to memory of 536	2900	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe	120
PID 2900 wrote to memory of 536	2900	{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe	120
PID 3212 wrote to memory of 4692	3212	{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe	121
PID 3212 wrote to memory of 4692	3212	{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe	121
PID 3212 wrote to memory of 4692	3212	{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe	121
PID 3212 wrote to memory of 4684	3212	{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe	122

C:\Users\Admin\AppData\Local\Temp\eeb99f84fd0a5bexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\eeb99f84fd0a5bexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe
  C:\Windows\{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe
    C:\Windows\{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E6456~1.EXE > nul
      4⤵
      PID:5100
  - - C:\Windows\{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe
      C:\Windows\{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3792
    - - C:\Windows\{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe
        
        C:\Windows\{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe
        
        C:\Windows\{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45216~1.EXE > nul
        7⤵
        
        PID:4220
        
        C:\Windows\{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe
        
        C:\Windows\{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3312
        
        C:\Windows\{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe
        
        C:\Windows\{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe
        
        C:\Windows\{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
        
        C:\Windows\{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe
        
        C:\Windows\{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe
        
        C:\Windows\{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3212
        
        C:\Windows\{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe
        
        C:\Windows\{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4692
        
        C:\Windows\{7E402426-BEF7-4f36-849D-28D5C2BA4FDA}.exe
        
        C:\Windows\{7E402426-BEF7-4f36-849D-28D5C2BA4FDA}.exe
        13⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1BDD~1.EXE > nul
        13⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FABB~1.EXE > nul
        12⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0830C~1.EXE > nul
        11⤵
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02B63~1.EXE > nul
        10⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B1DF~1.EXE > nul
        9⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0974~1.EXE > nul
        8⤵
        
        PID:2588
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13ED2~1.EXE > nul
        6⤵
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62916~1.EXE > nul
        5⤵
        
        PID:4160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4A38F~1.EXE > nul
    3⤵
    PID:1436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EEB99F~1.EXE > nul
  2⤵
  PID:1480

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe

Filesize
204KB

MD5
e864d64013d3c48586fdbfc1f011e867

SHA1
7f1d319280c32227f7169a6fa2913c4c17ca40aa

SHA256
0f4ec9d4c28ff0089d8e5753bf9e3f6de47240b20ca28d42ba2343bf8dcb39a8

SHA512
0d8f3a28a8f0a8022e3d368816f080bc2bd9abf4e311aeb9232775063238d79d7615e80863956f7e3bf206c7791ef0909c748efdefd807887bc3534a796af546

Download Submit
C:\Windows\{02B63EBF-D91F-4446-BED7-0415A4FB5591}.exe

Filesize
204KB

MD5
e864d64013d3c48586fdbfc1f011e867

SHA1
7f1d319280c32227f7169a6fa2913c4c17ca40aa

SHA256
0f4ec9d4c28ff0089d8e5753bf9e3f6de47240b20ca28d42ba2343bf8dcb39a8

SHA512
0d8f3a28a8f0a8022e3d368816f080bc2bd9abf4e311aeb9232775063238d79d7615e80863956f7e3bf206c7791ef0909c748efdefd807887bc3534a796af546

Download Submit
C:\Windows\{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe

Filesize
204KB

MD5
b5880b23c346ccd06274539447ccbea7

SHA1
cb39e8230b98a108c3c842883950c99d6ef3d5ad

SHA256
a8fb26656e2b11e9b9ae3e56f366aeaf827f6e6555cfcf720ba146c439d1beb0

SHA512
06fd4754a1f46d0db0b9641ecd9a1a61d36c1a0cc02774fc3420c728a9c31f5b9e0818335cc35821a1c1a284219903db2606f42e2eba2e11610b28735cf7385d

Download Submit
C:\Windows\{0830C0C2-2E46-490e-9E4A-5DAD782A8D9B}.exe

Filesize
204KB

MD5
b5880b23c346ccd06274539447ccbea7

SHA1
cb39e8230b98a108c3c842883950c99d6ef3d5ad

SHA256
a8fb26656e2b11e9b9ae3e56f366aeaf827f6e6555cfcf720ba146c439d1beb0

SHA512
06fd4754a1f46d0db0b9641ecd9a1a61d36c1a0cc02774fc3420c728a9c31f5b9e0818335cc35821a1c1a284219903db2606f42e2eba2e11610b28735cf7385d

Download Submit
C:\Windows\{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe

Filesize
204KB

MD5
b6b2acb232c861be59cd323f209ea285

SHA1
e943aa3614521c1ae5f00dc70b9cb9854e3534ef

SHA256
585a748f9cb27a2fcb7c5a159f242a69dca1356062d1b06e8fbe023a60aba3c8

SHA512
2aa1595adeb78b97b85b36b3db2256aa8917a884798fe06cde718f36bd2683373efcf752a3823a76cf96b0ed5c500b22ab19d9e8a9c52c27878fdb50bed83e29

Download Submit
C:\Windows\{0FABBF7F-59E1-49f9-A310-DE34CEF989A5}.exe

Filesize
204KB

MD5
b6b2acb232c861be59cd323f209ea285

SHA1
e943aa3614521c1ae5f00dc70b9cb9854e3534ef

SHA256
585a748f9cb27a2fcb7c5a159f242a69dca1356062d1b06e8fbe023a60aba3c8

SHA512
2aa1595adeb78b97b85b36b3db2256aa8917a884798fe06cde718f36bd2683373efcf752a3823a76cf96b0ed5c500b22ab19d9e8a9c52c27878fdb50bed83e29

Download Submit
C:\Windows\{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe

Filesize
204KB

MD5
ee160f492b3e528737d8611063097cf6

SHA1
c23ce03766b758a18e078f3561f489719a04998e

SHA256
336bd75ba7110207953cd0fc57d762a7a455ed74f7d662436508e9130e90cd3f

SHA512
9dcff2c116c99e759369112e1a90317a343dbda063d67b8472a202d96351f88d6c63ce09ded8074f41409394afe04fe5b0b0986422ee29184d9294eebacab89d

Download Submit
C:\Windows\{13ED2E8D-FA8C-40ce-BF70-38E52B4C4066}.exe

Filesize
204KB

MD5
ee160f492b3e528737d8611063097cf6

SHA1
c23ce03766b758a18e078f3561f489719a04998e

SHA256
336bd75ba7110207953cd0fc57d762a7a455ed74f7d662436508e9130e90cd3f

SHA512
9dcff2c116c99e759369112e1a90317a343dbda063d67b8472a202d96351f88d6c63ce09ded8074f41409394afe04fe5b0b0986422ee29184d9294eebacab89d

Download Submit
C:\Windows\{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe

Filesize
204KB

MD5
1034b9a090265eddf3fc17997055a041

SHA1
d49ce5103fea12fe60013c09dd5a67a1391f1135

SHA256
0d7f5593aebb090c8eda18f30fbf7916b68f20fd09acc1a8d6e383be543d57bf

SHA512
4365b94d8184a446d34d330c429cdf46b1583178d3d7061956db180b96244fa464097db29936c9e538ceaad7a540df8d2f53e7bab695cca99cd68b78a5435107

Download Submit
C:\Windows\{2B1DF007-FD2F-4194-8542-BC2AE7C3D74B}.exe

Filesize
204KB

MD5
1034b9a090265eddf3fc17997055a041

SHA1
d49ce5103fea12fe60013c09dd5a67a1391f1135

SHA256
0d7f5593aebb090c8eda18f30fbf7916b68f20fd09acc1a8d6e383be543d57bf

SHA512
4365b94d8184a446d34d330c429cdf46b1583178d3d7061956db180b96244fa464097db29936c9e538ceaad7a540df8d2f53e7bab695cca99cd68b78a5435107

Download Submit
C:\Windows\{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe

Filesize
204KB

MD5
27cb2dc4e4072851f3ab7419a065cb28

SHA1
e216a5b2432f84ba289ea0c3ae887f3aba623141

SHA256
545910cffa8c3521dfc671f8072ab5512d2840086374dc3d8a725312d3ad21e5

SHA512
5a128df8ee2e16d8ba91fc83a1d38d6d6520c25438f8e77f7c7509a3399d92ad72f8db9f75c93099c87e5f5cedf013b12db9ae033eb6b28e882b87bd7e845f0c

Download Submit
C:\Windows\{452168F0-4B29-434b-8851-E3D7D15AB4A9}.exe

Filesize
204KB

MD5
27cb2dc4e4072851f3ab7419a065cb28

SHA1
e216a5b2432f84ba289ea0c3ae887f3aba623141

SHA256
545910cffa8c3521dfc671f8072ab5512d2840086374dc3d8a725312d3ad21e5

SHA512
5a128df8ee2e16d8ba91fc83a1d38d6d6520c25438f8e77f7c7509a3399d92ad72f8db9f75c93099c87e5f5cedf013b12db9ae033eb6b28e882b87bd7e845f0c

Download Submit
C:\Windows\{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe

Filesize
204KB

MD5
d9c2d5bdd2ffb9c0999e5ed7406ab016

SHA1
04120a482ab1569bb28381ef318b5ad3c328c600

SHA256
b16b863890231843a2ecbc51595600c6283bb2fc36dce97a8c5d56797c5a6f4c

SHA512
003cffb9c14c8cf9ddc67a179b9d25019ab8826bb2ccce2f9d5494920d066e53f20b5d1227abe8f19d0295cdde7d78dbd25b652b3b1c3fed6da52dbdc4778b27

Download Submit
C:\Windows\{4A38F12C-1C9C-4ac3-A2ED-E3693EB07C9D}.exe

Filesize
204KB

MD5
d9c2d5bdd2ffb9c0999e5ed7406ab016

SHA1
04120a482ab1569bb28381ef318b5ad3c328c600

SHA256
b16b863890231843a2ecbc51595600c6283bb2fc36dce97a8c5d56797c5a6f4c

SHA512
003cffb9c14c8cf9ddc67a179b9d25019ab8826bb2ccce2f9d5494920d066e53f20b5d1227abe8f19d0295cdde7d78dbd25b652b3b1c3fed6da52dbdc4778b27

Download Submit
C:\Windows\{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe

Filesize
204KB

MD5
910941382d7a1d1b0e33454f9e14fc12

SHA1
489e9f1349de73bbb8c649f0a2be3b307c7385e1

SHA256
eb4ac932cbda73d2c71753d03f494cf6f69e83ccb349e4dd9794f727ae7c9eb3

SHA512
ee095438451b8911deb0f0bf400abb12f9f58b87befdfe5f8595d7f215d824695494605adae25c812c610a8b2c16921eebd591db9af82b6d3fcd7c28315795af

Download Submit
C:\Windows\{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe

Filesize
204KB

MD5
910941382d7a1d1b0e33454f9e14fc12

SHA1
489e9f1349de73bbb8c649f0a2be3b307c7385e1

SHA256
eb4ac932cbda73d2c71753d03f494cf6f69e83ccb349e4dd9794f727ae7c9eb3

SHA512
ee095438451b8911deb0f0bf400abb12f9f58b87befdfe5f8595d7f215d824695494605adae25c812c610a8b2c16921eebd591db9af82b6d3fcd7c28315795af

Download Submit
C:\Windows\{62916E7F-0602-4a10-8BD5-0D3C0082F522}.exe

Filesize
204KB

MD5
910941382d7a1d1b0e33454f9e14fc12

SHA1
489e9f1349de73bbb8c649f0a2be3b307c7385e1

SHA256
eb4ac932cbda73d2c71753d03f494cf6f69e83ccb349e4dd9794f727ae7c9eb3

SHA512
ee095438451b8911deb0f0bf400abb12f9f58b87befdfe5f8595d7f215d824695494605adae25c812c610a8b2c16921eebd591db9af82b6d3fcd7c28315795af

Download Submit
C:\Windows\{7E402426-BEF7-4f36-849D-28D5C2BA4FDA}.exe

Filesize
204KB

MD5
1fdcd589b8c0dbd86a6e8ea68c77b42e

SHA1
b7a972737636f79d20c0b91176f184e6639e57f3

SHA256
3ef47f7791abd10e04f19e845c2adcb7e42bd439832cdbf33f90a29ba010c525

SHA512
f1067b63ec868b53979a2372b3db1497d79f46e6d8dd3573b3a0ec501179f98900045a92d0058394ba308f80b32af1da14907c5be900f7fbee6cff4a77a2c850

Download Submit
C:\Windows\{7E402426-BEF7-4f36-849D-28D5C2BA4FDA}.exe

Filesize
204KB

MD5
1fdcd589b8c0dbd86a6e8ea68c77b42e

SHA1
b7a972737636f79d20c0b91176f184e6639e57f3

SHA256
3ef47f7791abd10e04f19e845c2adcb7e42bd439832cdbf33f90a29ba010c525

SHA512
f1067b63ec868b53979a2372b3db1497d79f46e6d8dd3573b3a0ec501179f98900045a92d0058394ba308f80b32af1da14907c5be900f7fbee6cff4a77a2c850

Download Submit
C:\Windows\{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe

Filesize
204KB

MD5
e9652f2f2f35bb1ba9a96a54546da192

SHA1
6c09517fa299225dfe52b78950df79b98893b5d6

SHA256
865ab6cef26b74568bc1e8c9264d8bc30d817eccfd72d762ffecefd0e533b8f1

SHA512
befd51f7c54ad8c71fa100441882f00f7cf423c805a084c496fc31266d2a1a0e0e84e83a6c1c79f8832d3d5187ae7d0e73714a025adc44a5eb8028432c5e64c4

Download Submit
C:\Windows\{E1BDDF0E-1753-43e6-9633-A8F54CFEEC08}.exe

Filesize
204KB

MD5
e9652f2f2f35bb1ba9a96a54546da192

SHA1
6c09517fa299225dfe52b78950df79b98893b5d6

SHA256
865ab6cef26b74568bc1e8c9264d8bc30d817eccfd72d762ffecefd0e533b8f1

SHA512
befd51f7c54ad8c71fa100441882f00f7cf423c805a084c496fc31266d2a1a0e0e84e83a6c1c79f8832d3d5187ae7d0e73714a025adc44a5eb8028432c5e64c4

Download Submit
C:\Windows\{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe

Filesize
204KB

MD5
397d5766e085da05f10e2483cba56456

SHA1
439c1f22062bbbd020b691d662694d4056da6d5a

SHA256
c2b3fe33b38e97b6263f0930b2db80710fcb83db0a07127127488b26950d1993

SHA512
f94c5a992395883d1b39f648e4e34bd8a67ecfe645a851f7d8446c641318864dd7a7694680161775ee3312c440c58d7af81dd414afe666511c4d4f61e256e61e

Download Submit
C:\Windows\{E64562DE-BBA1-48ca-B22F-372BAA9C087E}.exe

Filesize
204KB

MD5
397d5766e085da05f10e2483cba56456

SHA1
439c1f22062bbbd020b691d662694d4056da6d5a

SHA256
c2b3fe33b38e97b6263f0930b2db80710fcb83db0a07127127488b26950d1993

SHA512
f94c5a992395883d1b39f648e4e34bd8a67ecfe645a851f7d8446c641318864dd7a7694680161775ee3312c440c58d7af81dd414afe666511c4d4f61e256e61e

Download Submit
C:\Windows\{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe

Filesize
204KB

MD5
5eee45b0ef4d2804109db8b36854b0d5

SHA1
a3252a55bb4536ae58053ce453bed7aedf5e630e

SHA256
45ab6c6b75e636fa0829930cdeab1952b4e0d0b44c4a6f43ca9a0469531c4f63

SHA512
3dc6db7df09f3e846749a450e1833ca1ad3ec8ca46414639681216e2788c3e2a79faef3ce235ad4a54b57aaee593691cdbceded339a94642695b003705e17c66

Download Submit
C:\Windows\{F0974640-14FB-4c41-9C05-3389855C2F4E}.exe

Filesize
204KB

MD5
5eee45b0ef4d2804109db8b36854b0d5

SHA1
a3252a55bb4536ae58053ce453bed7aedf5e630e

SHA256
45ab6c6b75e636fa0829930cdeab1952b4e0d0b44c4a6f43ca9a0469531c4f63

SHA512
3dc6db7df09f3e846749a450e1833ca1ad3ec8ca46414639681216e2788c3e2a79faef3ce235ad4a54b57aaee593691cdbceded339a94642695b003705e17c66

Download Submit