d49d2e8b177d1524d66408246abe96144157f345f36e416f63b0a5b0acafc3d0

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13/07/2023, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04929b0063cbe1exe_JC.exe
Size

204KB
MD5

04929b0063cbe1d2466bb956cc215983
SHA1

c615002d8e95ca598d3f8458dc85a784fa5cd181
SHA256

d49d2e8b177d1524d66408246abe96144157f345f36e416f63b0a5b0acafc3d0
SHA512

dae393d8a4c5da020d0c041e328a9d7d36d31a7b628c405cd780206bddec982d01df77e5a485a4641c91d48f5745d922b5a6db67cf35862a21a69ada4d0c17ee
SSDEEP

1536:1EGh0o/l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o/l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81687CA4-160D-4cea-BD0B-DCAC76C1229D}\stubpath = "C:\\Windows\\{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe"	{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4DE30CD-9C38-4a58-9AD3-547834516894}\stubpath = "C:\\Windows\\{A4DE30CD-9C38-4a58-9AD3-547834516894}.exe"	{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}\stubpath = "C:\\Windows\\{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe"	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D7C3EA7-01DF-41ce-802A-060DB2534D51}\stubpath = "C:\\Windows\\{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe"	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}\stubpath = "C:\\Windows\\{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe"	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}\stubpath = "C:\\Windows\\{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe"	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}	{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{81687CA4-160D-4cea-BD0B-DCAC76C1229D}	{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4DE30CD-9C38-4a58-9AD3-547834516894}	{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}\stubpath = "C:\\Windows\\{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe"	04929b0063cbe1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D7C3EA7-01DF-41ce-802A-060DB2534D51}	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7C87413-5A08-449f-8ADE-D68D72343D3F}	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7C87413-5A08-449f-8ADE-D68D72343D3F}\stubpath = "C:\\Windows\\{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe"	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}\stubpath = "C:\\Windows\\{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe"	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}\stubpath = "C:\\Windows\\{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe"	{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}	04929b0063cbe1exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}\stubpath = "C:\\Windows\\{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe"	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2032	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe
2332	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe
2836	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe
1928	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe
2744	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe
2608	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe
1468	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe
1444	{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe
1464	{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe
3036	{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe
2564	{A4DE30CD-9C38-4a58-9AD3-547834516894}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe	04929b0063cbe1exe_JC.exe
File created	C:\Windows\{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe
File created	C:\Windows\{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe
File created	C:\Windows\{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe
File created	C:\Windows\{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe	{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe
File created	C:\Windows\{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe	{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe
File created	C:\Windows\{A4DE30CD-9C38-4a58-9AD3-547834516894}.exe	{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe
File created	C:\Windows\{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe
File created	C:\Windows\{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe
File created	C:\Windows\{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe
File created	C:\Windows\{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2964	04929b0063cbe1exe_JC.exe
Token: SeIncBasePriorityPrivilege	2032	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe
Token: SeIncBasePriorityPrivilege	2332	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe
Token: SeIncBasePriorityPrivilege	2836	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe
Token: SeIncBasePriorityPrivilege	1928	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe
Token: SeIncBasePriorityPrivilege	2744	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe
Token: SeIncBasePriorityPrivilege	2608	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe
Token: SeIncBasePriorityPrivilege	1468	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe
Token: SeIncBasePriorityPrivilege	1444	{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe
Token: SeIncBasePriorityPrivilege	1464	{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe
Token: SeIncBasePriorityPrivilege	3036	{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 2032	2964	04929b0063cbe1exe_JC.exe	28
PID 2964 wrote to memory of 2032	2964	04929b0063cbe1exe_JC.exe	28
PID 2964 wrote to memory of 2032	2964	04929b0063cbe1exe_JC.exe	28
PID 2964 wrote to memory of 2032	2964	04929b0063cbe1exe_JC.exe	28
PID 2964 wrote to memory of 2808	2964	04929b0063cbe1exe_JC.exe	29
PID 2964 wrote to memory of 2808	2964	04929b0063cbe1exe_JC.exe	29
PID 2964 wrote to memory of 2808	2964	04929b0063cbe1exe_JC.exe	29
PID 2964 wrote to memory of 2808	2964	04929b0063cbe1exe_JC.exe	29
PID 2032 wrote to memory of 2332	2032	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe	32
PID 2032 wrote to memory of 2332	2032	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe	32
PID 2032 wrote to memory of 2332	2032	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe	32
PID 2032 wrote to memory of 2332	2032	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe	32
PID 2032 wrote to memory of 2700	2032	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe	33
PID 2032 wrote to memory of 2700	2032	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe	33
PID 2032 wrote to memory of 2700	2032	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe	33
PID 2032 wrote to memory of 2700	2032	{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe	33
PID 2332 wrote to memory of 2836	2332	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe	34
PID 2332 wrote to memory of 2836	2332	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe	34
PID 2332 wrote to memory of 2836	2332	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe	34
PID 2332 wrote to memory of 2836	2332	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe	34
PID 2332 wrote to memory of 2712	2332	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe	35
PID 2332 wrote to memory of 2712	2332	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe	35
PID 2332 wrote to memory of 2712	2332	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe	35
PID 2332 wrote to memory of 2712	2332	{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe	35
PID 2836 wrote to memory of 1928	2836	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe	36
PID 2836 wrote to memory of 1928	2836	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe	36
PID 2836 wrote to memory of 1928	2836	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe	36
PID 2836 wrote to memory of 1928	2836	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe	36
PID 2836 wrote to memory of 2684	2836	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe	37
PID 2836 wrote to memory of 2684	2836	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe	37
PID 2836 wrote to memory of 2684	2836	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe	37
PID 2836 wrote to memory of 2684	2836	{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe	37
PID 1928 wrote to memory of 2744	1928	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe	38
PID 1928 wrote to memory of 2744	1928	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe	38
PID 1928 wrote to memory of 2744	1928	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe	38
PID 1928 wrote to memory of 2744	1928	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe	38
PID 1928 wrote to memory of 2404	1928	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe	39
PID 1928 wrote to memory of 2404	1928	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe	39
PID 1928 wrote to memory of 2404	1928	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe	39
PID 1928 wrote to memory of 2404	1928	{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe	39
PID 2744 wrote to memory of 2608	2744	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe	40
PID 2744 wrote to memory of 2608	2744	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe	40
PID 2744 wrote to memory of 2608	2744	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe	40
PID 2744 wrote to memory of 2608	2744	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe	40
PID 2744 wrote to memory of 436	2744	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe	41
PID 2744 wrote to memory of 436	2744	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe	41
PID 2744 wrote to memory of 436	2744	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe	41
PID 2744 wrote to memory of 436	2744	{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe	41
PID 2608 wrote to memory of 1468	2608	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe	42
PID 2608 wrote to memory of 1468	2608	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe	42
PID 2608 wrote to memory of 1468	2608	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe	42
PID 2608 wrote to memory of 1468	2608	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe	42
PID 2608 wrote to memory of 2644	2608	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe	43
PID 2608 wrote to memory of 2644	2608	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe	43
PID 2608 wrote to memory of 2644	2608	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe	43
PID 2608 wrote to memory of 2644	2608	{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe	43
PID 1468 wrote to memory of 1444	1468	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe	44
PID 1468 wrote to memory of 1444	1468	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe	44
PID 1468 wrote to memory of 1444	1468	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe	44
PID 1468 wrote to memory of 1444	1468	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe	44
PID 1468 wrote to memory of 568	1468	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe	45
PID 1468 wrote to memory of 568	1468	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe	45
PID 1468 wrote to memory of 568	1468	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe	45
PID 1468 wrote to memory of 568	1468	{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe	45

C:\Users\Admin\AppData\Local\Temp\04929b0063cbe1exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\04929b0063cbe1exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe
  C:\Windows\{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe
    C:\Windows\{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe
      C:\Windows\{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe
        
        C:\Windows\{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1928
      - C:\Windows\{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe
        
        C:\Windows\{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe
        
        C:\Windows\{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2608
        
        C:\Windows\{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe
        
        C:\Windows\{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1468
        
        C:\Windows\{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe
        
        C:\Windows\{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe
        
        C:\Windows\{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe
        
        C:\Windows\{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\{A4DE30CD-9C38-4a58-9AD3-547834516894}.exe
        
        C:\Windows\{A4DE30CD-9C38-4a58-9AD3-547834516894}.exe
        12⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81687~1.EXE > nul
        12⤵
        
        PID:808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADEA6~1.EXE > nul
        11⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93E45~1.EXE > nul
        10⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7C87~1.EXE > nul
        9⤵
        
        PID:568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D7C3~1.EXE > nul
        8⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BC508~1.EXE > nul
        7⤵
        
        PID:436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A90C8~1.EXE > nul
        6⤵
        
        PID:2404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C4E1~1.EXE > nul
        5⤵
        
        PID:2684
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{673EA~1.EXE > nul
      4⤵
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E926F~1.EXE > nul
    3⤵
    PID:2700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\04929B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe

Filesize
204KB

MD5
5dd8ffd5cf46e62d3c95999ed0d5c1af

SHA1
70de504c95706926941c1dc3c377d7749fa8769a

SHA256
beef661d3ee7310bfff430bfd3ca4df4daed2406a7020c2009123ac1790b3822

SHA512
eefb632b95838d95cb11050d50bd3ccd672022150f70014eaea1e99d97a5ca2146d323633067a2113e7f4181363a9bc8ecfed49287a0edb1e245ef3997678654

Download Submit
C:\Windows\{2C4E1B92-DEA2-4057-A5A9-B7F4F145ECC6}.exe

Filesize
204KB

MD5
5dd8ffd5cf46e62d3c95999ed0d5c1af

SHA1
70de504c95706926941c1dc3c377d7749fa8769a

SHA256
beef661d3ee7310bfff430bfd3ca4df4daed2406a7020c2009123ac1790b3822

SHA512
eefb632b95838d95cb11050d50bd3ccd672022150f70014eaea1e99d97a5ca2146d323633067a2113e7f4181363a9bc8ecfed49287a0edb1e245ef3997678654

Download Submit
C:\Windows\{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe

Filesize
204KB

MD5
afddd4391ca6f570024aa8c1af003ea3

SHA1
e0c000f8abb0d67f5e947c13028e1fd50f4c78fa

SHA256
23e5e92bf0453259f92a7685c9ac9428532e5083f3afef7cf6e58c00a08ce03f

SHA512
f02d22537835fcf22de56cfbc370c9e4c8784d576e35f3b35388a8682cee04080a41e62190a486a5065e60bd19e0c7b3bb9145bfbccfd3942a6d1cbbad6f2b30

Download Submit
C:\Windows\{673EA6EC-EBD6-4c23-A2A5-A989EC1482C1}.exe

Filesize
204KB

MD5
afddd4391ca6f570024aa8c1af003ea3

SHA1
e0c000f8abb0d67f5e947c13028e1fd50f4c78fa

SHA256
23e5e92bf0453259f92a7685c9ac9428532e5083f3afef7cf6e58c00a08ce03f

SHA512
f02d22537835fcf22de56cfbc370c9e4c8784d576e35f3b35388a8682cee04080a41e62190a486a5065e60bd19e0c7b3bb9145bfbccfd3942a6d1cbbad6f2b30

Download Submit
C:\Windows\{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe

Filesize
204KB

MD5
2507b3f25d5a8fb3db788ad0ce9d9718

SHA1
68f0d4989a7b33a084f516798a3631533b8318f0

SHA256
841636223d9bc9840fbc8321fa07b6ec7b85ed3a6d99fcc47b7473b21d80b971

SHA512
31f6b9bdae8e5badd32d79a0c60264171113494cc78aa0654f23ac23655ef85a6762432e89225399f6a17810fb3c63086805c72b7840244d6c071c1af28722fc

Download Submit
C:\Windows\{81687CA4-160D-4cea-BD0B-DCAC76C1229D}.exe

Filesize
204KB

MD5
2507b3f25d5a8fb3db788ad0ce9d9718

SHA1
68f0d4989a7b33a084f516798a3631533b8318f0

SHA256
841636223d9bc9840fbc8321fa07b6ec7b85ed3a6d99fcc47b7473b21d80b971

SHA512
31f6b9bdae8e5badd32d79a0c60264171113494cc78aa0654f23ac23655ef85a6762432e89225399f6a17810fb3c63086805c72b7840244d6c071c1af28722fc

Download Submit
C:\Windows\{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe

Filesize
204KB

MD5
ad654df92b4a3a5882bc4bc44173d2cd

SHA1
540ebf2c5576c9ba78bf94957828afedbeee2b79

SHA256
9d10ff03455167261c7fefa190f619810c307af2a42509618659cd7d89dc0c10

SHA512
0a60b14f274162ae9c54734634784c3e8b464f46d5d020ba712a1f752fb0e353170e2d3e114d394ab7fb6b368e19fe12276b679445790889fa8728c07887a152

Download Submit
C:\Windows\{8D7C3EA7-01DF-41ce-802A-060DB2534D51}.exe

Filesize
204KB

MD5
ad654df92b4a3a5882bc4bc44173d2cd

SHA1
540ebf2c5576c9ba78bf94957828afedbeee2b79

SHA256
9d10ff03455167261c7fefa190f619810c307af2a42509618659cd7d89dc0c10

SHA512
0a60b14f274162ae9c54734634784c3e8b464f46d5d020ba712a1f752fb0e353170e2d3e114d394ab7fb6b368e19fe12276b679445790889fa8728c07887a152

Download Submit
C:\Windows\{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe

Filesize
204KB

MD5
0a792325bd7b9583dc433db8e6c735d2

SHA1
1bec2587a8ac095790ddd3dc51827a7e3c6ee0f3

SHA256
452758277f483da0a1422250c80e43dab929f920ac4372733b2252e0a6d887de

SHA512
facbeacd6055162e80d447daa0067974a83a7a0d0773ee571729639f9e83d41b9780caf68b49b71627da125b41095b9b499a33fcf4e9b295243d263d637c3835

Download Submit
C:\Windows\{93E45EA9-F0A6-4b1f-8D9E-3A88FFA52DD1}.exe

Filesize
204KB

MD5
0a792325bd7b9583dc433db8e6c735d2

SHA1
1bec2587a8ac095790ddd3dc51827a7e3c6ee0f3

SHA256
452758277f483da0a1422250c80e43dab929f920ac4372733b2252e0a6d887de

SHA512
facbeacd6055162e80d447daa0067974a83a7a0d0773ee571729639f9e83d41b9780caf68b49b71627da125b41095b9b499a33fcf4e9b295243d263d637c3835

Download Submit
C:\Windows\{A4DE30CD-9C38-4a58-9AD3-547834516894}.exe

Filesize
204KB

MD5
2d7796c909a269bab1f3c35dc4f725cf

SHA1
9b8d40d8623ecdfe1712bda1ecf4a0725e15a435

SHA256
7b799640356a36ca7b179d4f72c23f9562eafe89013cd53fbc499d8c2d8415be

SHA512
d68ca36f95a5c8908975a26a64c6e0735dbdbdb9698c1fa5cdb5384911070c83eeb19b2867b36f76ec1056fb9a8704a118e416d48e1a5e366bb352661d4b9cd5

Download Submit
C:\Windows\{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe

Filesize
204KB

MD5
7f8b1a56f5b85677859b950073ea377b

SHA1
8c75d8dad18d51cc058749cbee060c9b2fcc4d4e

SHA256
2c2b2cd9e293550e77d7d6cf09b0931b1bb9454b36711663e961c4b0cda19d58

SHA512
7f05178ae95bcb8288273720c02c0ef14a76a05b730fa3321fe64b1aa2b48a4350ac4116eb91a1e3a3ea838470b2feaf6a6da8492708fa21edd1456c7297b934

Download Submit
C:\Windows\{A90C8DFD-85E8-4746-9284-C8A7D10D36DE}.exe

Filesize
204KB

MD5
7f8b1a56f5b85677859b950073ea377b

SHA1
8c75d8dad18d51cc058749cbee060c9b2fcc4d4e

SHA256
2c2b2cd9e293550e77d7d6cf09b0931b1bb9454b36711663e961c4b0cda19d58

SHA512
7f05178ae95bcb8288273720c02c0ef14a76a05b730fa3321fe64b1aa2b48a4350ac4116eb91a1e3a3ea838470b2feaf6a6da8492708fa21edd1456c7297b934

Download Submit
C:\Windows\{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe

Filesize
204KB

MD5
9176bf21e5eead6ebca62ecbca3d9dfc

SHA1
bd5f56f35becc36d53546915a7557eed03f5ca29

SHA256
657083f2c36e1a14519b029d7ad0b80ecda3708d06b07fda704d322e3369953d

SHA512
a1d786492624960b88ae31314c78b7de2200a5485bc9ed7d483f3c101b7313e2aaef00e7fa92b37c1ebd419f52e52902cabed0cecc96ab1d1b6bda7daa2f2505

Download Submit
C:\Windows\{ADEA6DA3-3E7F-4ab8-8F86-02B33A2B3012}.exe

Filesize
204KB

MD5
9176bf21e5eead6ebca62ecbca3d9dfc

SHA1
bd5f56f35becc36d53546915a7557eed03f5ca29

SHA256
657083f2c36e1a14519b029d7ad0b80ecda3708d06b07fda704d322e3369953d

SHA512
a1d786492624960b88ae31314c78b7de2200a5485bc9ed7d483f3c101b7313e2aaef00e7fa92b37c1ebd419f52e52902cabed0cecc96ab1d1b6bda7daa2f2505

Download Submit
C:\Windows\{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe

Filesize
204KB

MD5
a9b2174c5d46c5172ba7b981f7853c7a

SHA1
4be5f936492cb4c9938b2c9bbf455952741c4741

SHA256
d96f23d02bd53cfe351f0104abd27cf324a030ea9d7459187596fc7960e21a96

SHA512
4c3f017eed98f83a06f1d0327e345c68a57bd518b90f64b5d5def266cd347e968bb94d2daccea8baec393e08dd68b8c1c77f9c624cd107afdf997a4ce5278d9c

Download Submit
C:\Windows\{B7C87413-5A08-449f-8ADE-D68D72343D3F}.exe

Filesize
204KB

MD5
a9b2174c5d46c5172ba7b981f7853c7a

SHA1
4be5f936492cb4c9938b2c9bbf455952741c4741

SHA256
d96f23d02bd53cfe351f0104abd27cf324a030ea9d7459187596fc7960e21a96

SHA512
4c3f017eed98f83a06f1d0327e345c68a57bd518b90f64b5d5def266cd347e968bb94d2daccea8baec393e08dd68b8c1c77f9c624cd107afdf997a4ce5278d9c

Download Submit
C:\Windows\{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe

Filesize
204KB

MD5
ac574c6436c9a965f43fd2fcb44bb762

SHA1
e0c4ff807425cfad2bc1ce9e8a9410ae05b63012

SHA256
560c9576b2011f1da6cc65a4a4fac12c8c8e6bfa11e1ed8e8c124c02249cf66b

SHA512
2f77dda4815f3cfd5df961c7f2fd285ebfbb03531cad2eed829edd3e2a25c65d86ffd64e9f365af555b73800167d9d9d916429e598a4339918a15099442106fc

Download Submit
C:\Windows\{BC508C81-F1BB-4184-9D32-1BD28D91FE4E}.exe

Filesize
204KB

MD5
ac574c6436c9a965f43fd2fcb44bb762

SHA1
e0c4ff807425cfad2bc1ce9e8a9410ae05b63012

SHA256
560c9576b2011f1da6cc65a4a4fac12c8c8e6bfa11e1ed8e8c124c02249cf66b

SHA512
2f77dda4815f3cfd5df961c7f2fd285ebfbb03531cad2eed829edd3e2a25c65d86ffd64e9f365af555b73800167d9d9d916429e598a4339918a15099442106fc

Download Submit
C:\Windows\{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe

Filesize
204KB

MD5
ea784b132427729dc8fc9da4bca7a588

SHA1
13cfd0ecd556f69efdff9ec0b1be98873646a1df

SHA256
4aefa6a2023a1525bf3b17d9c3cd5f5fd3b680d6c8873bbbc3a2a9a4d2fc4fc6

SHA512
f086246d8b64b793906ca47befff311a60726dbef63600dc83e78905d24d27f533a9f66239006e47cabfdf3230e2a892568019e9ffc5f6ef07cdb7222f0f1c04

Download Submit
C:\Windows\{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe

Filesize
204KB

MD5
ea784b132427729dc8fc9da4bca7a588

SHA1
13cfd0ecd556f69efdff9ec0b1be98873646a1df

SHA256
4aefa6a2023a1525bf3b17d9c3cd5f5fd3b680d6c8873bbbc3a2a9a4d2fc4fc6

SHA512
f086246d8b64b793906ca47befff311a60726dbef63600dc83e78905d24d27f533a9f66239006e47cabfdf3230e2a892568019e9ffc5f6ef07cdb7222f0f1c04

Download Submit
C:\Windows\{E926FEA8-FAAF-4dc6-88C5-C864E177DD66}.exe

Filesize
204KB

MD5
ea784b132427729dc8fc9da4bca7a588

SHA1
13cfd0ecd556f69efdff9ec0b1be98873646a1df

SHA256
4aefa6a2023a1525bf3b17d9c3cd5f5fd3b680d6c8873bbbc3a2a9a4d2fc4fc6

SHA512
f086246d8b64b793906ca47befff311a60726dbef63600dc83e78905d24d27f533a9f66239006e47cabfdf3230e2a892568019e9ffc5f6ef07cdb7222f0f1c04

Download Submit