5209aa65df4ce90b21dbe263e8086882229741a554664d992cdba3fbff734ac0

Analysis

max time kernel
151s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 17:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

015d70f24c9708exe_JC.exe
Size

204KB
MD5

015d70f24c97082724d785d6327e3458
SHA1

f466bd387c85360f9841dae92593f9d1f1d73e5b
SHA256

5209aa65df4ce90b21dbe263e8086882229741a554664d992cdba3fbff734ac0
SHA512

3ef25bea687a1507f80fe3bd09849b73171179c1e84bbb49c76572d7039881ee85f9795f9d2117ee08e256a58199d030db84380fa5e88369f73e2cf5f2c178d0
SSDEEP

1536:1EGh0ohl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0ohl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{567BA8A7-4E12-4718-8E0E-76DD465C3643}	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}\stubpath = "C:\\Windows\\{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe"	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18DA15EF-580F-4a25-ADD4-3C835AEC8E58}	{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25253D42-ABE2-4a82-BE4D-20F3282B5127}	015d70f24c9708exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{567BA8A7-4E12-4718-8E0E-76DD465C3643}\stubpath = "C:\\Windows\\{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe"	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{984AA945-E813-40e4-8486-8CA8A625052B}	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDA29278-6AC4-48ec-8D25-32729105C341}\stubpath = "C:\\Windows\\{EDA29278-6AC4-48ec-8D25-32729105C341}.exe"	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3524D2DE-04A5-472c-9C1D-C6D0B480D074}	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4FB63DA-E597-4d25-B539-385991CD0B31}\stubpath = "C:\\Windows\\{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe"	{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{984AA945-E813-40e4-8486-8CA8A625052B}\stubpath = "C:\\Windows\\{984AA945-E813-40e4-8486-8CA8A625052B}.exe"	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}\stubpath = "C:\\Windows\\{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe"	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDA29278-6AC4-48ec-8D25-32729105C341}	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3524D2DE-04A5-472c-9C1D-C6D0B480D074}\stubpath = "C:\\Windows\\{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe"	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4FB63DA-E597-4d25-B539-385991CD0B31}	{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18DA15EF-580F-4a25-ADD4-3C835AEC8E58}\stubpath = "C:\\Windows\\{18DA15EF-580F-4a25-ADD4-3C835AEC8E58}.exe"	{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25253D42-ABE2-4a82-BE4D-20F3282B5127}\stubpath = "C:\\Windows\\{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe"	015d70f24c9708exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}	{984AA945-E813-40e4-8486-8CA8A625052B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}\stubpath = "C:\\Windows\\{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe"	{984AA945-E813-40e4-8486-8CA8A625052B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}\stubpath = "C:\\Windows\\{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe"	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}\stubpath = "C:\\Windows\\{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe"	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe

Executes dropped EXE 12 IoCs

pid	Process
5004	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe
1260	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe
1436	{984AA945-E813-40e4-8486-8CA8A625052B}.exe
1048	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe
1980	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe
4956	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe
5020	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe
2288	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe
2604	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe
4600	{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe
3916	{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe
4948	{18DA15EF-580F-4a25-ADD4-3C835AEC8E58}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe
File created	C:\Windows\{18DA15EF-580F-4a25-ADD4-3C835AEC8E58}.exe	{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe
File created	C:\Windows\{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe	015d70f24c9708exe_JC.exe
File created	C:\Windows\{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe
File created	C:\Windows\{984AA945-E813-40e4-8486-8CA8A625052B}.exe	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe
File created	C:\Windows\{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe
File created	C:\Windows\{EDA29278-6AC4-48ec-8D25-32729105C341}.exe	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe
File created	C:\Windows\{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe
File created	C:\Windows\{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe	{984AA945-E813-40e4-8486-8CA8A625052B}.exe
File created	C:\Windows\{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe
File created	C:\Windows\{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe
File created	C:\Windows\{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe	{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2820	015d70f24c9708exe_JC.exe
Token: SeIncBasePriorityPrivilege	5004	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe
Token: SeIncBasePriorityPrivilege	1260	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe
Token: SeIncBasePriorityPrivilege	1436	{984AA945-E813-40e4-8486-8CA8A625052B}.exe
Token: SeIncBasePriorityPrivilege	1048	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe
Token: SeIncBasePriorityPrivilege	1980	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe
Token: SeIncBasePriorityPrivilege	4956	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe
Token: SeIncBasePriorityPrivilege	5020	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe
Token: SeIncBasePriorityPrivilege	2288	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe
Token: SeIncBasePriorityPrivilege	2604	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe
Token: SeIncBasePriorityPrivilege	4600	{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe
Token: SeIncBasePriorityPrivilege	3916	{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 5004	2820	015d70f24c9708exe_JC.exe	90
PID 2820 wrote to memory of 5004	2820	015d70f24c9708exe_JC.exe	90
PID 2820 wrote to memory of 5004	2820	015d70f24c9708exe_JC.exe	90
PID 2820 wrote to memory of 3948	2820	015d70f24c9708exe_JC.exe	91
PID 2820 wrote to memory of 3948	2820	015d70f24c9708exe_JC.exe	91
PID 2820 wrote to memory of 3948	2820	015d70f24c9708exe_JC.exe	91
PID 5004 wrote to memory of 1260	5004	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe	94
PID 5004 wrote to memory of 1260	5004	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe	94
PID 5004 wrote to memory of 1260	5004	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe	94
PID 5004 wrote to memory of 3104	5004	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe	95
PID 5004 wrote to memory of 3104	5004	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe	95
PID 5004 wrote to memory of 3104	5004	{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe	95
PID 1260 wrote to memory of 1436	1260	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe	98
PID 1260 wrote to memory of 1436	1260	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe	98
PID 1260 wrote to memory of 1436	1260	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe	98
PID 1260 wrote to memory of 3404	1260	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe	99
PID 1260 wrote to memory of 3404	1260	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe	99
PID 1260 wrote to memory of 3404	1260	{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe	99
PID 1436 wrote to memory of 1048	1436	{984AA945-E813-40e4-8486-8CA8A625052B}.exe	100
PID 1436 wrote to memory of 1048	1436	{984AA945-E813-40e4-8486-8CA8A625052B}.exe	100
PID 1436 wrote to memory of 1048	1436	{984AA945-E813-40e4-8486-8CA8A625052B}.exe	100
PID 1436 wrote to memory of 2324	1436	{984AA945-E813-40e4-8486-8CA8A625052B}.exe	101
PID 1436 wrote to memory of 2324	1436	{984AA945-E813-40e4-8486-8CA8A625052B}.exe	101
PID 1436 wrote to memory of 2324	1436	{984AA945-E813-40e4-8486-8CA8A625052B}.exe	101
PID 1048 wrote to memory of 1980	1048	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe	102
PID 1048 wrote to memory of 1980	1048	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe	102
PID 1048 wrote to memory of 1980	1048	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe	102
PID 1048 wrote to memory of 4692	1048	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe	103
PID 1048 wrote to memory of 4692	1048	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe	103
PID 1048 wrote to memory of 4692	1048	{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe	103
PID 1980 wrote to memory of 4956	1980	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe	105
PID 1980 wrote to memory of 4956	1980	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe	105
PID 1980 wrote to memory of 4956	1980	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe	105
PID 1980 wrote to memory of 4124	1980	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe	106
PID 1980 wrote to memory of 4124	1980	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe	106
PID 1980 wrote to memory of 4124	1980	{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe	106
PID 4956 wrote to memory of 5020	4956	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe	107
PID 4956 wrote to memory of 5020	4956	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe	107
PID 4956 wrote to memory of 5020	4956	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe	107
PID 4956 wrote to memory of 2272	4956	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe	108
PID 4956 wrote to memory of 2272	4956	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe	108
PID 4956 wrote to memory of 2272	4956	{EDA29278-6AC4-48ec-8D25-32729105C341}.exe	108
PID 5020 wrote to memory of 2288	5020	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe	109
PID 5020 wrote to memory of 2288	5020	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe	109
PID 5020 wrote to memory of 2288	5020	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe	109
PID 5020 wrote to memory of 924	5020	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe	110
PID 5020 wrote to memory of 924	5020	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe	110
PID 5020 wrote to memory of 924	5020	{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe	110
PID 2288 wrote to memory of 2604	2288	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe	117
PID 2288 wrote to memory of 2604	2288	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe	117
PID 2288 wrote to memory of 2604	2288	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe	117
PID 2288 wrote to memory of 3712	2288	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe	118
PID 2288 wrote to memory of 3712	2288	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe	118
PID 2288 wrote to memory of 3712	2288	{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe	118
PID 2604 wrote to memory of 4600	2604	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe	119
PID 2604 wrote to memory of 4600	2604	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe	119
PID 2604 wrote to memory of 4600	2604	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe	119
PID 2604 wrote to memory of 3116	2604	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe	120
PID 2604 wrote to memory of 3116	2604	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe	120
PID 2604 wrote to memory of 3116	2604	{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe	120
PID 4600 wrote to memory of 3916	4600	{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe	121
PID 4600 wrote to memory of 3916	4600	{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe	121
PID 4600 wrote to memory of 3916	4600	{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe	121
PID 4600 wrote to memory of 2252	4600	{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe	122

C:\Users\Admin\AppData\Local\Temp\015d70f24c9708exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\015d70f24c9708exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe
  C:\Windows\{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5004
- - C:\Windows\{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe
    C:\Windows\{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\{984AA945-E813-40e4-8486-8CA8A625052B}.exe
      C:\Windows\{984AA945-E813-40e4-8486-8CA8A625052B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1436
    - - C:\Windows\{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe
        
        C:\Windows\{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1048
      - C:\Windows\{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe
        
        C:\Windows\{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{EDA29278-6AC4-48ec-8D25-32729105C341}.exe
        
        C:\Windows\{EDA29278-6AC4-48ec-8D25-32729105C341}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Windows\{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe
        
        C:\Windows\{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe
        
        C:\Windows\{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe
        
        C:\Windows\{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe
        
        C:\Windows\{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe
        
        C:\Windows\{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\{18DA15EF-580F-4a25-ADD4-3C835AEC8E58}.exe
        
        C:\Windows\{18DA15EF-580F-4a25-ADD4-3C835AEC8E58}.exe
        13⤵
        Executes dropped EXE
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4FB6~1.EXE > nul
        13⤵
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B6AA~1.EXE > nul
        12⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5582~1.EXE > nul
        11⤵
        
        PID:3116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C5A9~1.EXE > nul
        10⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3524D~1.EXE > nul
        9⤵
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDA29~1.EXE > nul
        8⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE4DA~1.EXE > nul
        7⤵
        
        PID:4124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EFB8~1.EXE > nul
        6⤵
        
        PID:4692
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{984AA~1.EXE > nul
        5⤵
        
        PID:2324
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{567BA~1.EXE > nul
      4⤵
      PID:3404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{25253~1.EXE > nul
    3⤵
    PID:3104
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\015D70~1.EXE > nul
  2⤵
  PID:3948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{18DA15EF-580F-4a25-ADD4-3C835AEC8E58}.exe

Filesize
204KB

MD5
d1dd5b677d2783ef2d4d1898f692ec94

SHA1
4112b5eba0e3a12cb9ba270670d3c5432b317112

SHA256
54ad7ecdd64c9e5baff8afa02c982ed6a4e8f1e9b338bf677ee6cc66537ec10c

SHA512
bd54613bb9af46ea0f8515c817129928aec0ee1a7de4546b90da070b608e3018dbbbe7315f0f634e2379455a96831311eeb5f622d9a3499b5911108cd8794865

Download Submit
C:\Windows\{18DA15EF-580F-4a25-ADD4-3C835AEC8E58}.exe

Filesize
204KB

MD5
d1dd5b677d2783ef2d4d1898f692ec94

SHA1
4112b5eba0e3a12cb9ba270670d3c5432b317112

SHA256
54ad7ecdd64c9e5baff8afa02c982ed6a4e8f1e9b338bf677ee6cc66537ec10c

SHA512
bd54613bb9af46ea0f8515c817129928aec0ee1a7de4546b90da070b608e3018dbbbe7315f0f634e2379455a96831311eeb5f622d9a3499b5911108cd8794865

Download Submit
C:\Windows\{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe

Filesize
204KB

MD5
858689d0d42e337abec82123055d92eb

SHA1
fd124cab7327bf10c007340cf394b9edd37a368e

SHA256
bc07cf1984d2dc01e0a87cd9d90995a3dc9f39afe5cb8dc64e406f62d39996f3

SHA512
c721a9d3ad3657f6d9be5372cd3088be084f5446c58ba8e969ca13e51ed171389afa7e2a00a771fa162d4763740a9d85594e7f68d3cd505078e733c836951e2c

Download Submit
C:\Windows\{25253D42-ABE2-4a82-BE4D-20F3282B5127}.exe

Filesize
204KB

MD5
858689d0d42e337abec82123055d92eb

SHA1
fd124cab7327bf10c007340cf394b9edd37a368e

SHA256
bc07cf1984d2dc01e0a87cd9d90995a3dc9f39afe5cb8dc64e406f62d39996f3

SHA512
c721a9d3ad3657f6d9be5372cd3088be084f5446c58ba8e969ca13e51ed171389afa7e2a00a771fa162d4763740a9d85594e7f68d3cd505078e733c836951e2c

Download Submit
C:\Windows\{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe

Filesize
204KB

MD5
9e4bee98345498570a886a063bc6cee7

SHA1
3e1d019ae4dad747e3f454dcf49302e27e0ae164

SHA256
96a7015903fa1a4b9501c0b971b5224a1dc5a2769cd944eddd23e56e703a0ff8

SHA512
004e9e70e910fc685fae5f0d71783c8effdf68c69f8ac8457d41f50e4d66ee6c8cf9d8a2046ee77ccff1684a2305808bbcde0f25c790270fbe1a9ec54527ce04

Download Submit
C:\Windows\{2EFB8F23-9846-4870-A6F0-311FF9EC0D1F}.exe

Filesize
204KB

MD5
9e4bee98345498570a886a063bc6cee7

SHA1
3e1d019ae4dad747e3f454dcf49302e27e0ae164

SHA256
96a7015903fa1a4b9501c0b971b5224a1dc5a2769cd944eddd23e56e703a0ff8

SHA512
004e9e70e910fc685fae5f0d71783c8effdf68c69f8ac8457d41f50e4d66ee6c8cf9d8a2046ee77ccff1684a2305808bbcde0f25c790270fbe1a9ec54527ce04

Download Submit
C:\Windows\{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe

Filesize
204KB

MD5
5e4d47e0b6b654122c538d67fa67fa82

SHA1
8dabcf0ed3f8ba820c573cc13eb05471a53daf31

SHA256
5434f39179fb4bf750f3ddba41db8506872ecd845b77ff4ceac922ae9f4532e9

SHA512
daafd50ccc60c7786a244fb9a464e6f53f5423d0cd7792f78130b2e89940d702b0d23737cb27496a040c0058e677ba3cb0859951002796df8d3ca2948ec4c37c

Download Submit
C:\Windows\{3524D2DE-04A5-472c-9C1D-C6D0B480D074}.exe

Filesize
204KB

MD5
5e4d47e0b6b654122c538d67fa67fa82

SHA1
8dabcf0ed3f8ba820c573cc13eb05471a53daf31

SHA256
5434f39179fb4bf750f3ddba41db8506872ecd845b77ff4ceac922ae9f4532e9

SHA512
daafd50ccc60c7786a244fb9a464e6f53f5423d0cd7792f78130b2e89940d702b0d23737cb27496a040c0058e677ba3cb0859951002796df8d3ca2948ec4c37c

Download Submit
C:\Windows\{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe

Filesize
204KB

MD5
e3379d1013aa76e6e87c374863b90f15

SHA1
d6e45fbbae93ff137b5f4d635407d22724f3bb68

SHA256
078845380fa63cff0e0ef29c7595928740faab006ca5e8a3313fa38829b14ee6

SHA512
401e3dd2d73e25efde0d906f056ba62fff54b15027d37e42b7c17335e360a1a9379b2a1ea6604db7eca0d1569c6d51bb6b6af40690d235fea06e239efabd9108

Download Submit
C:\Windows\{567BA8A7-4E12-4718-8E0E-76DD465C3643}.exe

Filesize
204KB

MD5
e3379d1013aa76e6e87c374863b90f15

SHA1
d6e45fbbae93ff137b5f4d635407d22724f3bb68

SHA256
078845380fa63cff0e0ef29c7595928740faab006ca5e8a3313fa38829b14ee6

SHA512
401e3dd2d73e25efde0d906f056ba62fff54b15027d37e42b7c17335e360a1a9379b2a1ea6604db7eca0d1569c6d51bb6b6af40690d235fea06e239efabd9108

Download Submit
C:\Windows\{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe

Filesize
204KB

MD5
b09a5874e6286e1fd1f85fdd95b930ec

SHA1
770841db4406d35940e67f702899887bbfaf6b84

SHA256
9a7d4fc3809ee02ebeea9f033788b8097f4ae82043a9cf33ac40926c83e92968

SHA512
3020f979e083782b5b270c5021d50dd83318131cc2a08a321ea6f5e881140d969333f27edcbdde8a7eee8ffa3302fc6fbb250a6c553cd3b1afb14d2b93b513c0

Download Submit
C:\Windows\{8B6AAC8C-4D91-4849-A3B0-A639B4C8D197}.exe

Filesize
204KB

MD5
b09a5874e6286e1fd1f85fdd95b930ec

SHA1
770841db4406d35940e67f702899887bbfaf6b84

SHA256
9a7d4fc3809ee02ebeea9f033788b8097f4ae82043a9cf33ac40926c83e92968

SHA512
3020f979e083782b5b270c5021d50dd83318131cc2a08a321ea6f5e881140d969333f27edcbdde8a7eee8ffa3302fc6fbb250a6c553cd3b1afb14d2b93b513c0

Download Submit
C:\Windows\{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe

Filesize
204KB

MD5
f6011837193ce37b229d09442e8aa435

SHA1
5891c398eb3f71dbd6e1e5b8173726f105f251db

SHA256
03e5425abcf8004f4946e6e7e7b454d8688a444a1227a86d0ce0dbc865e9a586

SHA512
0c9db8f5886587d46d0b1be39024b457c0c5993566687d812acb540c70b751abd582d6c37cb1d1a3ac702e7fd53e0ac95f2e5d9fad2840704af169a0e52e6f6b

Download Submit
C:\Windows\{8C5A92CB-FEA3-48d5-BD34-9B0A905ADD6D}.exe

Filesize
204KB

MD5
f6011837193ce37b229d09442e8aa435

SHA1
5891c398eb3f71dbd6e1e5b8173726f105f251db

SHA256
03e5425abcf8004f4946e6e7e7b454d8688a444a1227a86d0ce0dbc865e9a586

SHA512
0c9db8f5886587d46d0b1be39024b457c0c5993566687d812acb540c70b751abd582d6c37cb1d1a3ac702e7fd53e0ac95f2e5d9fad2840704af169a0e52e6f6b

Download Submit
C:\Windows\{984AA945-E813-40e4-8486-8CA8A625052B}.exe

Filesize
204KB

MD5
9e6359ca0c17a3bd74b99939352fbfeb

SHA1
907921173f23ee8c8f7438d532110301a559defd

SHA256
6993f9b0e23c92ee9fb47d1323b62c96d27c35699754ed5874cb5569bb294014

SHA512
508d9e9a695c06da95a5684e41f6236e5e6e6eff4f8ef60a59012a0690df66227bf07d455b63065651cf15979a67bfaf4451b8d3be83d6fdec234f50f8a61f02

Download Submit
C:\Windows\{984AA945-E813-40e4-8486-8CA8A625052B}.exe

Filesize
204KB

MD5
9e6359ca0c17a3bd74b99939352fbfeb

SHA1
907921173f23ee8c8f7438d532110301a559defd

SHA256
6993f9b0e23c92ee9fb47d1323b62c96d27c35699754ed5874cb5569bb294014

SHA512
508d9e9a695c06da95a5684e41f6236e5e6e6eff4f8ef60a59012a0690df66227bf07d455b63065651cf15979a67bfaf4451b8d3be83d6fdec234f50f8a61f02

Download Submit
C:\Windows\{984AA945-E813-40e4-8486-8CA8A625052B}.exe

Filesize
204KB

MD5
9e6359ca0c17a3bd74b99939352fbfeb

SHA1
907921173f23ee8c8f7438d532110301a559defd

SHA256
6993f9b0e23c92ee9fb47d1323b62c96d27c35699754ed5874cb5569bb294014

SHA512
508d9e9a695c06da95a5684e41f6236e5e6e6eff4f8ef60a59012a0690df66227bf07d455b63065651cf15979a67bfaf4451b8d3be83d6fdec234f50f8a61f02

Download Submit
C:\Windows\{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe

Filesize
204KB

MD5
1c906ba52f0690e7d4fa9e4cf3018076

SHA1
aa3c06c98935037b06dda8541dc3b07822f6cf14

SHA256
007171575a05edf79721abfbf1ba851655b6dd2701d83ed40b4d8bcf481ca1d8

SHA512
9bf158a4585e9befa30ac64fa906181ad73d0083e45209c0f2d80b3a6782ac68c8d50bb438b9aa97662d51e093216f7f1688795e9b0426f15f5e367f0d61bc27

Download Submit
C:\Windows\{CE4DA7B1-9913-41d0-82BA-22D54E1580A8}.exe

Filesize
204KB

MD5
1c906ba52f0690e7d4fa9e4cf3018076

SHA1
aa3c06c98935037b06dda8541dc3b07822f6cf14

SHA256
007171575a05edf79721abfbf1ba851655b6dd2701d83ed40b4d8bcf481ca1d8

SHA512
9bf158a4585e9befa30ac64fa906181ad73d0083e45209c0f2d80b3a6782ac68c8d50bb438b9aa97662d51e093216f7f1688795e9b0426f15f5e367f0d61bc27

Download Submit
C:\Windows\{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe

Filesize
204KB

MD5
030bd2b4df99c9319ac5cfdaa9a841ce

SHA1
604c4a3fee207d07fa21e1fddee4bc54029652fc

SHA256
e55eafd820c826bdfbf8db58447f8764bd3fd9fb1da027fbffadd946e6b90792

SHA512
937880cca9a8f6a794bfecfa3826c62e6bd2ad4fd144eb8c3291f506c489a78a3e37ca0399830252c3986ea0da2266e55a7c70327736431856e451ef41d353c8

Download Submit
C:\Windows\{E5582D2C-43A8-4f7d-A967-85FED2DA95D1}.exe

Filesize
204KB

MD5
030bd2b4df99c9319ac5cfdaa9a841ce

SHA1
604c4a3fee207d07fa21e1fddee4bc54029652fc

SHA256
e55eafd820c826bdfbf8db58447f8764bd3fd9fb1da027fbffadd946e6b90792

SHA512
937880cca9a8f6a794bfecfa3826c62e6bd2ad4fd144eb8c3291f506c489a78a3e37ca0399830252c3986ea0da2266e55a7c70327736431856e451ef41d353c8

Download Submit
C:\Windows\{EDA29278-6AC4-48ec-8D25-32729105C341}.exe

Filesize
204KB

MD5
8b440011bfe380133e35a1c2cb9f6d56

SHA1
c97ea0db524df15a667e516b2638e000070aecb1

SHA256
5a72b5328e1b81267c62f0bfd0366fdba8660b6b270dc36bfe018cd590453ebc

SHA512
b491dd6a5a3c48c88a38bfd85e15aea84c64467bb8e3afb3816c1e4fcd63380393806841742d425557807bf8342c3ffed9e48f91288c07319d8754b4a23ae35b

Download Submit
C:\Windows\{EDA29278-6AC4-48ec-8D25-32729105C341}.exe

Filesize
204KB

MD5
8b440011bfe380133e35a1c2cb9f6d56

SHA1
c97ea0db524df15a667e516b2638e000070aecb1

SHA256
5a72b5328e1b81267c62f0bfd0366fdba8660b6b270dc36bfe018cd590453ebc

SHA512
b491dd6a5a3c48c88a38bfd85e15aea84c64467bb8e3afb3816c1e4fcd63380393806841742d425557807bf8342c3ffed9e48f91288c07319d8754b4a23ae35b

Download Submit
C:\Windows\{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe

Filesize
204KB

MD5
75dce569a080b7c1d5db61a39d89c87c

SHA1
7e9f3a29fb8fa0d541dd001d601bd2057b4a9181

SHA256
1de406bf052839b33998c4103bddb7b7639d29f0731286450b56e32cbd8aa415

SHA512
77b0b5535af1f641db242077383d750c795bfc2d3806a7924379909cc0faea656629f3b0101cd1b4fe4c63b9e71eb362cda9a5b313a040ec2b161e98a1abcef2

Download Submit
C:\Windows\{F4FB63DA-E597-4d25-B539-385991CD0B31}.exe

Filesize
204KB

MD5
75dce569a080b7c1d5db61a39d89c87c

SHA1
7e9f3a29fb8fa0d541dd001d601bd2057b4a9181

SHA256
1de406bf052839b33998c4103bddb7b7639d29f0731286450b56e32cbd8aa415

SHA512
77b0b5535af1f641db242077383d750c795bfc2d3806a7924379909cc0faea656629f3b0101cd1b4fe4c63b9e71eb362cda9a5b313a040ec2b161e98a1abcef2

Download Submit