86449ac057e23bb7b53fe72c2a94d51bc948cc0a667f44cb284c96b30441b0ab

Analysis

max time kernel
156s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2023, 13:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab25c62926fc2314474c62a86906e290_JC.exe
Size

93KB
MD5

ab25c62926fc2314474c62a86906e290
SHA1

fa30bcc2e234a1a7a383f7cd1a3c0a407aa000c5
SHA256

86449ac057e23bb7b53fe72c2a94d51bc948cc0a667f44cb284c96b30441b0ab
SHA512

d138e97b5df3bae6a93fa0ce0d633a31643dc2933b526402fb2be6dc9e7bde88ea21b37eafa9b630d7d49b63fbb7e2b403a4e05d5e0fe5de049459790dffd52e
SSDEEP

768:Qvw9816vhKQLro54/wQRNrfrunMxVFA3b7glwRjMJ:YEGh0o5l2unMxVS3HgB

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67CC67B2-D214-4750-9FF0-B8BA04D71539}\stubpath = "C:\\Windows\\{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe"	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}\stubpath = "C:\\Windows\\{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe"	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED21C230-6829-4c61-8E07-D748D3A28C27}	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}	{A8FC574B-143C-4b8c-876A-847830766E96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}\stubpath = "C:\\Windows\\{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe"	{230F8B01-6293-4619-864A-55E7C498D9CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A23E6263-A8E3-496b-8E22-910CB4B5D129}\stubpath = "C:\\Windows\\{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe"	ab25c62926fc2314474c62a86906e290_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED21C230-6829-4c61-8E07-D748D3A28C27}\stubpath = "C:\\Windows\\{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe"	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}\stubpath = "C:\\Windows\\{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe"	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}	{230F8B01-6293-4619-864A-55E7C498D9CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B93C07-0581-4270-8C1D-AA42E461A938}\stubpath = "C:\\Windows\\{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe"	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9475CE7-7562-444f-A2C4-0862C21D3CD8}	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{230F8B01-6293-4619-864A-55E7C498D9CC}	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D56FFB33-604A-468b-87D8-E53E309A2BD6}	{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0B93C07-0581-4270-8C1D-AA42E461A938}	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9475CE7-7562-444f-A2C4-0862C21D3CD8}\stubpath = "C:\\Windows\\{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe"	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67CC67B2-D214-4750-9FF0-B8BA04D71539}	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8FC574B-143C-4b8c-876A-847830766E96}	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8FC574B-143C-4b8c-876A-847830766E96}\stubpath = "C:\\Windows\\{A8FC574B-143C-4b8c-876A-847830766E96}.exe"	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}\stubpath = "C:\\Windows\\{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe"	{A8FC574B-143C-4b8c-876A-847830766E96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{230F8B01-6293-4619-864A-55E7C498D9CC}\stubpath = "C:\\Windows\\{230F8B01-6293-4619-864A-55E7C498D9CC}.exe"	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D56FFB33-604A-468b-87D8-E53E309A2BD6}\stubpath = "C:\\Windows\\{D56FFB33-604A-468b-87D8-E53E309A2BD6}.exe"	{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A23E6263-A8E3-496b-8E22-910CB4B5D129}	ab25c62926fc2314474c62a86906e290_JC.exe

Executes dropped EXE 12 IoCs

pid	Process
4308	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe
1676	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe
1236	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe
4956	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe
4436	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe
456	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe
692	{A8FC574B-143C-4b8c-876A-847830766E96}.exe
1380	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe
4636	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe
472	{230F8B01-6293-4619-864A-55E7C498D9CC}.exe
3020	{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe
4968	{D56FFB33-604A-468b-87D8-E53E309A2BD6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe
File created	C:\Windows\{A8FC574B-143C-4b8c-876A-847830766E96}.exe	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe
File created	C:\Windows\{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe	{A8FC574B-143C-4b8c-876A-847830766E96}.exe
File created	C:\Windows\{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe	{230F8B01-6293-4619-864A-55E7C498D9CC}.exe
File created	C:\Windows\{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe	ab25c62926fc2314474c62a86906e290_JC.exe
File created	C:\Windows\{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe
File created	C:\Windows\{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe
File created	C:\Windows\{230F8B01-6293-4619-864A-55E7C498D9CC}.exe	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe
File created	C:\Windows\{D56FFB33-604A-468b-87D8-E53E309A2BD6}.exe	{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe
File created	C:\Windows\{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe
File created	C:\Windows\{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe
File created	C:\Windows\{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1332	ab25c62926fc2314474c62a86906e290_JC.exe
Token: SeIncBasePriorityPrivilege	4308	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe
Token: SeIncBasePriorityPrivilege	1676	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe
Token: SeIncBasePriorityPrivilege	1236	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe
Token: SeIncBasePriorityPrivilege	4956	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe
Token: SeIncBasePriorityPrivilege	4436	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe
Token: SeIncBasePriorityPrivilege	456	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe
Token: SeIncBasePriorityPrivilege	692	{A8FC574B-143C-4b8c-876A-847830766E96}.exe
Token: SeIncBasePriorityPrivilege	1380	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe
Token: SeIncBasePriorityPrivilege	4636	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe
Token: SeIncBasePriorityPrivilege	472	{230F8B01-6293-4619-864A-55E7C498D9CC}.exe
Token: SeIncBasePriorityPrivilege	3020	{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1332 wrote to memory of 4308	1332	ab25c62926fc2314474c62a86906e290_JC.exe	92
PID 1332 wrote to memory of 4308	1332	ab25c62926fc2314474c62a86906e290_JC.exe	92
PID 1332 wrote to memory of 4308	1332	ab25c62926fc2314474c62a86906e290_JC.exe	92
PID 1332 wrote to memory of 3668	1332	ab25c62926fc2314474c62a86906e290_JC.exe	93
PID 1332 wrote to memory of 3668	1332	ab25c62926fc2314474c62a86906e290_JC.exe	93
PID 1332 wrote to memory of 3668	1332	ab25c62926fc2314474c62a86906e290_JC.exe	93
PID 4308 wrote to memory of 1676	4308	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe	98
PID 4308 wrote to memory of 1676	4308	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe	98
PID 4308 wrote to memory of 1676	4308	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe	98
PID 4308 wrote to memory of 3624	4308	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe	99
PID 4308 wrote to memory of 3624	4308	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe	99
PID 4308 wrote to memory of 3624	4308	{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe	99
PID 1676 wrote to memory of 1236	1676	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe	101
PID 1676 wrote to memory of 1236	1676	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe	101
PID 1676 wrote to memory of 1236	1676	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe	101
PID 1676 wrote to memory of 892	1676	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe	102
PID 1676 wrote to memory of 892	1676	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe	102
PID 1676 wrote to memory of 892	1676	{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe	102
PID 1236 wrote to memory of 4956	1236	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe	103
PID 1236 wrote to memory of 4956	1236	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe	103
PID 1236 wrote to memory of 4956	1236	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe	103
PID 1236 wrote to memory of 568	1236	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe	104
PID 1236 wrote to memory of 568	1236	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe	104
PID 1236 wrote to memory of 568	1236	{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe	104
PID 4956 wrote to memory of 4436	4956	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe	105
PID 4956 wrote to memory of 4436	4956	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe	105
PID 4956 wrote to memory of 4436	4956	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe	105
PID 4956 wrote to memory of 4896	4956	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe	106
PID 4956 wrote to memory of 4896	4956	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe	106
PID 4956 wrote to memory of 4896	4956	{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe	106
PID 4436 wrote to memory of 456	4436	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe	108
PID 4436 wrote to memory of 456	4436	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe	108
PID 4436 wrote to memory of 456	4436	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe	108
PID 4436 wrote to memory of 836	4436	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe	109
PID 4436 wrote to memory of 836	4436	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe	109
PID 4436 wrote to memory of 836	4436	{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe	109
PID 456 wrote to memory of 692	456	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe	110
PID 456 wrote to memory of 692	456	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe	110
PID 456 wrote to memory of 692	456	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe	110
PID 456 wrote to memory of 1972	456	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe	111
PID 456 wrote to memory of 1972	456	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe	111
PID 456 wrote to memory of 1972	456	{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe	111
PID 692 wrote to memory of 1380	692	{A8FC574B-143C-4b8c-876A-847830766E96}.exe	112
PID 692 wrote to memory of 1380	692	{A8FC574B-143C-4b8c-876A-847830766E96}.exe	112
PID 692 wrote to memory of 1380	692	{A8FC574B-143C-4b8c-876A-847830766E96}.exe	112
PID 692 wrote to memory of 232	692	{A8FC574B-143C-4b8c-876A-847830766E96}.exe	113
PID 692 wrote to memory of 232	692	{A8FC574B-143C-4b8c-876A-847830766E96}.exe	113
PID 692 wrote to memory of 232	692	{A8FC574B-143C-4b8c-876A-847830766E96}.exe	113
PID 1380 wrote to memory of 4636	1380	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe	118
PID 1380 wrote to memory of 4636	1380	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe	118
PID 1380 wrote to memory of 4636	1380	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe	118
PID 1380 wrote to memory of 3624	1380	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe	119
PID 1380 wrote to memory of 3624	1380	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe	119
PID 1380 wrote to memory of 3624	1380	{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe	119
PID 4636 wrote to memory of 472	4636	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe	123
PID 4636 wrote to memory of 472	4636	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe	123
PID 4636 wrote to memory of 472	4636	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe	123
PID 4636 wrote to memory of 1532	4636	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe	124
PID 4636 wrote to memory of 1532	4636	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe	124
PID 4636 wrote to memory of 1532	4636	{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe	124
PID 472 wrote to memory of 3020	472	{230F8B01-6293-4619-864A-55E7C498D9CC}.exe	125
PID 472 wrote to memory of 3020	472	{230F8B01-6293-4619-864A-55E7C498D9CC}.exe	125
PID 472 wrote to memory of 3020	472	{230F8B01-6293-4619-864A-55E7C498D9CC}.exe	125
PID 472 wrote to memory of 1688	472	{230F8B01-6293-4619-864A-55E7C498D9CC}.exe	126

C:\Users\Admin\AppData\Local\Temp\ab25c62926fc2314474c62a86906e290_JC.exe
"C:\Users\Admin\AppData\Local\Temp\ab25c62926fc2314474c62a86906e290_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe
  C:\Windows\{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe
    C:\Windows\{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe
      C:\Windows\{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1236
    - - C:\Windows\{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe
        
        C:\Windows\{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
      - C:\Windows\{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe
        
        C:\Windows\{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4436
        
        C:\Windows\{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe
        
        C:\Windows\{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{A8FC574B-143C-4b8c-876A-847830766E96}.exe
        
        C:\Windows\{A8FC574B-143C-4b8c-876A-847830766E96}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe
        
        C:\Windows\{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe
        
        C:\Windows\{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{230F8B01-6293-4619-864A-55E7C498D9CC}.exe
        
        C:\Windows\{230F8B01-6293-4619-864A-55E7C498D9CC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe
        
        C:\Windows\{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\{D56FFB33-604A-468b-87D8-E53E309A2BD6}.exe
        
        C:\Windows\{D56FFB33-604A-468b-87D8-E53E309A2BD6}.exe
        13⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89649~1.EXE > nul
        13⤵
        
        PID:4780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{230F8~1.EXE > nul
        12⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A64A3~1.EXE > nul
        11⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C37C~1.EXE > nul
        10⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8FC5~1.EXE > nul
        9⤵
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED21C~1.EXE > nul
        8⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30A0B~1.EXE > nul
        7⤵
        
        PID:836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67CC6~1.EXE > nul
        6⤵
        
        PID:4896
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9475~1.EXE > nul
        5⤵
        
        PID:568
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C0B93~1.EXE > nul
      4⤵
      PID:892
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A23E6~1.EXE > nul
    3⤵
    PID:3624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AB25C6~1.EXE > nul
  2⤵
  PID:3668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe

Filesize
93KB

MD5
c1bc3376028bf25e9d3cb21c40cbb9c6

SHA1
454dfd4270e9fd0d5a0722c23927a94ffb47f36b

SHA256
9dabe16b092256d290bbe818add13e7b47d4172e9fa5cb58818f53cc142223fe

SHA512
b05818099c508ca82f335e4b47743897dca26abe7288cf485362a154063f7a1fbcf4ed3f75fa12cf2d394a84612a479276289ce8cabc6c9ddbc09e7ff3af517c

Download Submit
C:\Windows\{0C37C7EF-C80A-40e0-9011-3A5A1325D54B}.exe

Filesize
93KB

MD5
c1bc3376028bf25e9d3cb21c40cbb9c6

SHA1
454dfd4270e9fd0d5a0722c23927a94ffb47f36b

SHA256
9dabe16b092256d290bbe818add13e7b47d4172e9fa5cb58818f53cc142223fe

SHA512
b05818099c508ca82f335e4b47743897dca26abe7288cf485362a154063f7a1fbcf4ed3f75fa12cf2d394a84612a479276289ce8cabc6c9ddbc09e7ff3af517c

Download Submit
C:\Windows\{230F8B01-6293-4619-864A-55E7C498D9CC}.exe

Filesize
93KB

MD5
cb83dbbacbb5b8f3f3efcd22e104098f

SHA1
0fcb807e9a402398c0df8b40f2a7dfe70f009fb2

SHA256
1891477b70ff37c0b837970bba740cbd316cb25c133bf8bdd1d9acbb6a3cf3d5

SHA512
77fd2e27ade5895a99aef91d9ac404e64dbbf70be98b4f841c2bdaee404254902f27530428cfde486f4fbc2edc11f2e351135e40c9c2ecb1863e0a967d5e6b04

Download Submit
C:\Windows\{230F8B01-6293-4619-864A-55E7C498D9CC}.exe

Filesize
93KB

MD5
cb83dbbacbb5b8f3f3efcd22e104098f

SHA1
0fcb807e9a402398c0df8b40f2a7dfe70f009fb2

SHA256
1891477b70ff37c0b837970bba740cbd316cb25c133bf8bdd1d9acbb6a3cf3d5

SHA512
77fd2e27ade5895a99aef91d9ac404e64dbbf70be98b4f841c2bdaee404254902f27530428cfde486f4fbc2edc11f2e351135e40c9c2ecb1863e0a967d5e6b04

Download Submit
C:\Windows\{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe

Filesize
93KB

MD5
e0341c6267b9b7fcfa8163a313a21e5c

SHA1
cd942d7d1dd57730d08fd1790c3c2b0ca8897831

SHA256
0529bb838f9a7f2eeac8eea1f40cd65fdee1edb4c01e30a4d761d1d758d84d18

SHA512
fb6e5bba193c5d42236a2db928285aaebba6657fbddb3bfb17f5cbf1214bc68db96d9c8e326f903453875f9650ea86834b0810ec6c82c0619b9890cd8071e3e7

Download Submit
C:\Windows\{30A0BB7F-83B6-4510-93B2-81E6C7E9BE6D}.exe

Filesize
93KB

MD5
e0341c6267b9b7fcfa8163a313a21e5c

SHA1
cd942d7d1dd57730d08fd1790c3c2b0ca8897831

SHA256
0529bb838f9a7f2eeac8eea1f40cd65fdee1edb4c01e30a4d761d1d758d84d18

SHA512
fb6e5bba193c5d42236a2db928285aaebba6657fbddb3bfb17f5cbf1214bc68db96d9c8e326f903453875f9650ea86834b0810ec6c82c0619b9890cd8071e3e7

Download Submit
C:\Windows\{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe

Filesize
93KB

MD5
c3e04c19194807d01c69128aa2a072ef

SHA1
6b519fdc9654d58a5a59a85c67fd32d7e66d62f8

SHA256
7d903e91cf0103f0fd1d7d9e7aec2ef41eefa919cfca8d31079215945b9da92d

SHA512
2af21a32706d17672df52f4c9ba3d4c0aa8ba1704cf8c937a5e65e12c83d152179d980c78481d0018b4210fcb7d5ee771dc87976825a63aa6fc027df19490142

Download Submit
C:\Windows\{67CC67B2-D214-4750-9FF0-B8BA04D71539}.exe

Filesize
93KB

MD5
c3e04c19194807d01c69128aa2a072ef

SHA1
6b519fdc9654d58a5a59a85c67fd32d7e66d62f8

SHA256
7d903e91cf0103f0fd1d7d9e7aec2ef41eefa919cfca8d31079215945b9da92d

SHA512
2af21a32706d17672df52f4c9ba3d4c0aa8ba1704cf8c937a5e65e12c83d152179d980c78481d0018b4210fcb7d5ee771dc87976825a63aa6fc027df19490142

Download Submit
C:\Windows\{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe

Filesize
93KB

MD5
0d3ca449acaf52e61c6d107769b0f2d2

SHA1
24acf59201935f217ad674484e61d8f89f4b1652

SHA256
3541aaf0cb1005c68025318ecfbc97d819c8dcc0ccefc111f0888e6f475573e1

SHA512
159a9c1ef73e2ef341aa10b20489e28d26c469aa4b5c31a305e188a5e811fb161828eee9e00c045c05ab902e86f2c4fdb769698e6e919bc8493f055006dfe2ba

Download Submit
C:\Windows\{89649A32-15BE-485d-AAB7-4AE8CB3BEA27}.exe

Filesize
93KB

MD5
0d3ca449acaf52e61c6d107769b0f2d2

SHA1
24acf59201935f217ad674484e61d8f89f4b1652

SHA256
3541aaf0cb1005c68025318ecfbc97d819c8dcc0ccefc111f0888e6f475573e1

SHA512
159a9c1ef73e2ef341aa10b20489e28d26c469aa4b5c31a305e188a5e811fb161828eee9e00c045c05ab902e86f2c4fdb769698e6e919bc8493f055006dfe2ba

Download Submit
C:\Windows\{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe

Filesize
93KB

MD5
6707809cf7cf188746b38243d6f2487e

SHA1
7205ba0bca49f881f2c71a4790e81b0d52dbe9f0

SHA256
82096c80c28b2e8633aa906e95cccc0a2a741ea666c2b0d307f727ddc48199eb

SHA512
d0a0e9fea05b349940db9369bbae8f89c8f22884837db0884f6337ae67aa55aeca2db5ea69d0ed025719f9b4aab935dc0569d01999d570a87010b93cb8c5335e

Download Submit
C:\Windows\{A23E6263-A8E3-496b-8E22-910CB4B5D129}.exe

Filesize
93KB

MD5
6707809cf7cf188746b38243d6f2487e

SHA1
7205ba0bca49f881f2c71a4790e81b0d52dbe9f0

SHA256
82096c80c28b2e8633aa906e95cccc0a2a741ea666c2b0d307f727ddc48199eb

SHA512
d0a0e9fea05b349940db9369bbae8f89c8f22884837db0884f6337ae67aa55aeca2db5ea69d0ed025719f9b4aab935dc0569d01999d570a87010b93cb8c5335e

Download Submit
C:\Windows\{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe

Filesize
93KB

MD5
98f2fac0d4ac92650ff4b5ca27a8d4af

SHA1
7262b27612652c272590898f8e7ce7b83b3fd8a4

SHA256
a04688b51dfbeb081ad8389e6c0031b3f201917b712c2ec499c44dde4c8660db

SHA512
3e0021ccd41f24f793f8735b0ee20e8c531de3504c855d736e0c0fc2823fda11b7522efbddc128558153e638208221117bb9a68d05f3a7c2a3d65823c35bbb07

Download Submit
C:\Windows\{A64A3C2A-DE33-4868-BB1A-F2EFCAE2BE2D}.exe

Filesize
93KB

MD5
98f2fac0d4ac92650ff4b5ca27a8d4af

SHA1
7262b27612652c272590898f8e7ce7b83b3fd8a4

SHA256
a04688b51dfbeb081ad8389e6c0031b3f201917b712c2ec499c44dde4c8660db

SHA512
3e0021ccd41f24f793f8735b0ee20e8c531de3504c855d736e0c0fc2823fda11b7522efbddc128558153e638208221117bb9a68d05f3a7c2a3d65823c35bbb07

Download Submit
C:\Windows\{A8FC574B-143C-4b8c-876A-847830766E96}.exe

Filesize
93KB

MD5
7f975290fca1e60eaf17282c42056350

SHA1
cb6b97380caa7b4734eeae139068b22b98b0e3d5

SHA256
a3d5c25f0ea30dd2bcfabeb43e18a5b7ab7fe4c01a63c13b2cdb9ce003003cbc

SHA512
8718f50f1e392a39937163af616aefcf8098e0d6240d6c9b03bb6f7c09b9fa029af6d68ae5fa693c425e0917cfb880fe9c60133f61c641e11d02433043968076

Download Submit
C:\Windows\{A8FC574B-143C-4b8c-876A-847830766E96}.exe

Filesize
93KB

MD5
7f975290fca1e60eaf17282c42056350

SHA1
cb6b97380caa7b4734eeae139068b22b98b0e3d5

SHA256
a3d5c25f0ea30dd2bcfabeb43e18a5b7ab7fe4c01a63c13b2cdb9ce003003cbc

SHA512
8718f50f1e392a39937163af616aefcf8098e0d6240d6c9b03bb6f7c09b9fa029af6d68ae5fa693c425e0917cfb880fe9c60133f61c641e11d02433043968076

Download Submit
C:\Windows\{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe

Filesize
93KB

MD5
05b3989e02deee3329d9f095b4908aef

SHA1
ff51ed202342768427dd5099a15b0aff95d83737

SHA256
55df9f5434ed675ca7f92198da244244c89d773a3036ed2ee17781888d248c9c

SHA512
360c90e4b7d7fd14c36fadc526181b6ef5630ecee2438ed39b5807886cdcde02543295a8d68cc17a2a5f86eae32a90ee4e78b6a9eb3f4332bf57b700112de030

Download Submit
C:\Windows\{C0B93C07-0581-4270-8C1D-AA42E461A938}.exe

Filesize
93KB

MD5
05b3989e02deee3329d9f095b4908aef

SHA1
ff51ed202342768427dd5099a15b0aff95d83737

SHA256
55df9f5434ed675ca7f92198da244244c89d773a3036ed2ee17781888d248c9c

SHA512
360c90e4b7d7fd14c36fadc526181b6ef5630ecee2438ed39b5807886cdcde02543295a8d68cc17a2a5f86eae32a90ee4e78b6a9eb3f4332bf57b700112de030

Download Submit
C:\Windows\{D56FFB33-604A-468b-87D8-E53E309A2BD6}.exe

Filesize
93KB

MD5
cc1474662ce8984d3ff8c0e2d5fc7a0c

SHA1
71e75d814d3496c73931bb14626005a273bc1ee3

SHA256
548f5d85a967b04e7d9b9964e7643c312f7bbefba19a7b1eb45e3248f811fc43

SHA512
62ca5debcfa7accc84e417a7e2af599219f9d1ec9d2d9fb93edd7ffa9f56e0ab0175747d6a783009260512729f7f5429a7e527eed521a1ad5a31935f558c7a89

Download Submit
C:\Windows\{D56FFB33-604A-468b-87D8-E53E309A2BD6}.exe

Filesize
93KB

MD5
cc1474662ce8984d3ff8c0e2d5fc7a0c

SHA1
71e75d814d3496c73931bb14626005a273bc1ee3

SHA256
548f5d85a967b04e7d9b9964e7643c312f7bbefba19a7b1eb45e3248f811fc43

SHA512
62ca5debcfa7accc84e417a7e2af599219f9d1ec9d2d9fb93edd7ffa9f56e0ab0175747d6a783009260512729f7f5429a7e527eed521a1ad5a31935f558c7a89

Download Submit
C:\Windows\{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe

Filesize
93KB

MD5
ffd8e3a53e0e0fa6174c6f50243de68a

SHA1
9eabfd29ad9ed2cbf30d3345daa7fab064f4c53a

SHA256
48735d54d57e6b17351c8cccf5ad4d08bf39b4de6e35a9c04f31e1f3d254ba4c

SHA512
de5b1831368da537404938f6b0ad1e94d9acfe836a40118f5f6e65582a94ff93b2315aa65146ef9898846ae46db1258dba9ea153e94677f7ee5ed3f46f01b850

Download Submit
C:\Windows\{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe

Filesize
93KB

MD5
ffd8e3a53e0e0fa6174c6f50243de68a

SHA1
9eabfd29ad9ed2cbf30d3345daa7fab064f4c53a

SHA256
48735d54d57e6b17351c8cccf5ad4d08bf39b4de6e35a9c04f31e1f3d254ba4c

SHA512
de5b1831368da537404938f6b0ad1e94d9acfe836a40118f5f6e65582a94ff93b2315aa65146ef9898846ae46db1258dba9ea153e94677f7ee5ed3f46f01b850

Download Submit
C:\Windows\{D9475CE7-7562-444f-A2C4-0862C21D3CD8}.exe

Filesize
93KB

MD5
ffd8e3a53e0e0fa6174c6f50243de68a

SHA1
9eabfd29ad9ed2cbf30d3345daa7fab064f4c53a

SHA256
48735d54d57e6b17351c8cccf5ad4d08bf39b4de6e35a9c04f31e1f3d254ba4c

SHA512
de5b1831368da537404938f6b0ad1e94d9acfe836a40118f5f6e65582a94ff93b2315aa65146ef9898846ae46db1258dba9ea153e94677f7ee5ed3f46f01b850

Download Submit
C:\Windows\{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe

Filesize
93KB

MD5
cc6439d170d7beae708e525cd5e78613

SHA1
027d57b13d009b461f0688a0089a88e744c64967

SHA256
450afe7b57f996473394ab2f40ddfd11978ef39f905e93e4c7d023b596004dfb

SHA512
382d100422c0e01405fbf2009e2ded44d353b0ae45d0914cfc29ea136ee58ea6fb8f87c42526039e0ca7a4f4e681b46211701487ac739ff864631f5cf6827fe5

Download Submit
C:\Windows\{ED21C230-6829-4c61-8E07-D748D3A28C27}.exe

Filesize
93KB

MD5
cc6439d170d7beae708e525cd5e78613

SHA1
027d57b13d009b461f0688a0089a88e744c64967

SHA256
450afe7b57f996473394ab2f40ddfd11978ef39f905e93e4c7d023b596004dfb

SHA512
382d100422c0e01405fbf2009e2ded44d353b0ae45d0914cfc29ea136ee58ea6fb8f87c42526039e0ca7a4f4e681b46211701487ac739ff864631f5cf6827fe5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads