d49d2e8b177d1524d66408246abe96144157f345f36e416f63b0a5b0acafc3d0

Analysis

max time kernel
147s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2023, 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

04929b0063cbe1exe_JC.exe
Size

204KB
MD5

04929b0063cbe1d2466bb956cc215983
SHA1

c615002d8e95ca598d3f8458dc85a784fa5cd181
SHA256

d49d2e8b177d1524d66408246abe96144157f345f36e416f63b0a5b0acafc3d0
SHA512

dae393d8a4c5da020d0c041e328a9d7d36d31a7b628c405cd780206bddec982d01df77e5a485a4641c91d48f5745d922b5a6db67cf35862a21a69ada4d0c17ee
SSDEEP

1536:1EGh0o/l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o/l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BCB3EB1-6412-494f-BDBD-E125E09B2125}\stubpath = "C:\\Windows\\{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe"	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}\stubpath = "C:\\Windows\\{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe"	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}\stubpath = "C:\\Windows\\{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe"	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}\stubpath = "C:\\Windows\\{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe"	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96312C70-1F6E-43e4-A376-20CB01CF5A89}\stubpath = "C:\\Windows\\{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe"	{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}\stubpath = "C:\\Windows\\{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe"	04929b0063cbe1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB3D014C-E737-4998-A4AD-ABAFA0781C84}	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}\stubpath = "C:\\Windows\\{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe"	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8553F64B-60CD-426e-94A7-9B55764C37CC}	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96312C70-1F6E-43e4-A376-20CB01CF5A89}	{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}	04929b0063cbe1exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BCB3EB1-6412-494f-BDBD-E125E09B2125}	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB3D014C-E737-4998-A4AD-ABAFA0781C84}\stubpath = "C:\\Windows\\{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe"	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8553F64B-60CD-426e-94A7-9B55764C37CC}\stubpath = "C:\\Windows\\{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe"	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{640857FB-90DD-4738-B612-7BFBDCC92C21}	{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}\stubpath = "C:\\Windows\\{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe"	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7709B734-545D-4d50-BC3B-1FA82040CF93}	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7709B734-545D-4d50-BC3B-1FA82040CF93}\stubpath = "C:\\Windows\\{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe"	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{640857FB-90DD-4738-B612-7BFBDCC92C21}\stubpath = "C:\\Windows\\{640857FB-90DD-4738-B612-7BFBDCC92C21}.exe"	{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe

Executes dropped EXE 12 IoCs

pid	Process
1948	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe
1428	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe
2820	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe
4688	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe
3592	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe
4652	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe
4124	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe
3596	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe
3784	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe
840	{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe
3388	{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe
3952	{640857FB-90DD-4738-B612-7BFBDCC92C21}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe	04929b0063cbe1exe_JC.exe
File created	C:\Windows\{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe
File created	C:\Windows\{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe
File created	C:\Windows\{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe
File created	C:\Windows\{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe
File created	C:\Windows\{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe	{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe
File created	C:\Windows\{640857FB-90DD-4738-B612-7BFBDCC92C21}.exe	{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe
File created	C:\Windows\{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe
File created	C:\Windows\{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe
File created	C:\Windows\{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe
File created	C:\Windows\{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe
File created	C:\Windows\{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	744	04929b0063cbe1exe_JC.exe
Token: SeIncBasePriorityPrivilege	1948	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe
Token: SeIncBasePriorityPrivilege	1428	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe
Token: SeIncBasePriorityPrivilege	2820	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe
Token: SeIncBasePriorityPrivilege	4688	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe
Token: SeIncBasePriorityPrivilege	3592	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe
Token: SeIncBasePriorityPrivilege	4652	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe
Token: SeIncBasePriorityPrivilege	4124	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe
Token: SeIncBasePriorityPrivilege	3596	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe
Token: SeIncBasePriorityPrivilege	3784	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe
Token: SeIncBasePriorityPrivilege	840	{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe
Token: SeIncBasePriorityPrivilege	3388	{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 744 wrote to memory of 1948	744	04929b0063cbe1exe_JC.exe	88
PID 744 wrote to memory of 1948	744	04929b0063cbe1exe_JC.exe	88
PID 744 wrote to memory of 1948	744	04929b0063cbe1exe_JC.exe	88
PID 744 wrote to memory of 3404	744	04929b0063cbe1exe_JC.exe	89
PID 744 wrote to memory of 3404	744	04929b0063cbe1exe_JC.exe	89
PID 744 wrote to memory of 3404	744	04929b0063cbe1exe_JC.exe	89
PID 1948 wrote to memory of 1428	1948	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe	94
PID 1948 wrote to memory of 1428	1948	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe	94
PID 1948 wrote to memory of 1428	1948	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe	94
PID 1948 wrote to memory of 980	1948	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe	95
PID 1948 wrote to memory of 980	1948	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe	95
PID 1948 wrote to memory of 980	1948	{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe	95
PID 1428 wrote to memory of 2820	1428	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe	99
PID 1428 wrote to memory of 2820	1428	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe	99
PID 1428 wrote to memory of 2820	1428	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe	99
PID 1428 wrote to memory of 4756	1428	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe	98
PID 1428 wrote to memory of 4756	1428	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe	98
PID 1428 wrote to memory of 4756	1428	{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe	98
PID 2820 wrote to memory of 4688	2820	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe	100
PID 2820 wrote to memory of 4688	2820	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe	100
PID 2820 wrote to memory of 4688	2820	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe	100
PID 2820 wrote to memory of 4684	2820	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe	101
PID 2820 wrote to memory of 4684	2820	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe	101
PID 2820 wrote to memory of 4684	2820	{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe	101
PID 4688 wrote to memory of 3592	4688	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe	102
PID 4688 wrote to memory of 3592	4688	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe	102
PID 4688 wrote to memory of 3592	4688	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe	102
PID 4688 wrote to memory of 3728	4688	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe	103
PID 4688 wrote to memory of 3728	4688	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe	103
PID 4688 wrote to memory of 3728	4688	{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe	103
PID 3592 wrote to memory of 4652	3592	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe	105
PID 3592 wrote to memory of 4652	3592	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe	105
PID 3592 wrote to memory of 4652	3592	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe	105
PID 3592 wrote to memory of 2488	3592	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe	106
PID 3592 wrote to memory of 2488	3592	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe	106
PID 3592 wrote to memory of 2488	3592	{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe	106
PID 4652 wrote to memory of 4124	4652	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe	107
PID 4652 wrote to memory of 4124	4652	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe	107
PID 4652 wrote to memory of 4124	4652	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe	107
PID 4652 wrote to memory of 5044	4652	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe	108
PID 4652 wrote to memory of 5044	4652	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe	108
PID 4652 wrote to memory of 5044	4652	{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe	108
PID 4124 wrote to memory of 3596	4124	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe	109
PID 4124 wrote to memory of 3596	4124	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe	109
PID 4124 wrote to memory of 3596	4124	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe	109
PID 4124 wrote to memory of 2928	4124	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe	110
PID 4124 wrote to memory of 2928	4124	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe	110
PID 4124 wrote to memory of 2928	4124	{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe	110
PID 3596 wrote to memory of 3784	3596	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe	117
PID 3596 wrote to memory of 3784	3596	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe	117
PID 3596 wrote to memory of 3784	3596	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe	117
PID 3596 wrote to memory of 3380	3596	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe	118
PID 3596 wrote to memory of 3380	3596	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe	118
PID 3596 wrote to memory of 3380	3596	{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe	118
PID 3784 wrote to memory of 840	3784	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe	119
PID 3784 wrote to memory of 840	3784	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe	119
PID 3784 wrote to memory of 840	3784	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe	119
PID 3784 wrote to memory of 2596	3784	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe	120
PID 3784 wrote to memory of 2596	3784	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe	120
PID 3784 wrote to memory of 2596	3784	{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe	120
PID 840 wrote to memory of 3388	840	{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe	121
PID 840 wrote to memory of 3388	840	{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe	121
PID 840 wrote to memory of 3388	840	{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe	121
PID 840 wrote to memory of 5104	840	{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe	122

C:\Users\Admin\AppData\Local\Temp\04929b0063cbe1exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\04929b0063cbe1exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:744
- C:\Windows\{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe
  C:\Windows\{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe
    C:\Windows\{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ED0F9~1.EXE > nul
      4⤵
      PID:4756
  - - C:\Windows\{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe
      C:\Windows\{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Windows\{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe
        
        C:\Windows\{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
      - C:\Windows\{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe
        
        C:\Windows\{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3592
        
        C:\Windows\{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe
        
        C:\Windows\{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe
        
        C:\Windows\{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Windows\{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe
        
        C:\Windows\{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3596
        
        C:\Windows\{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe
        
        C:\Windows\{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3784
        
        C:\Windows\{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe
        
        C:\Windows\{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe
        
        C:\Windows\{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3388
        
        C:\Windows\{640857FB-90DD-4738-B612-7BFBDCC92C21}.exe
        
        C:\Windows\{640857FB-90DD-4738-B612-7BFBDCC92C21}.exe
        13⤵
        Executes dropped EXE
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96312~1.EXE > nul
        13⤵
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2EAF~1.EXE > nul
        12⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8553F~1.EXE > nul
        11⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7695~1.EXE > nul
        10⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13E34~1.EXE > nul
        9⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CB83~1.EXE > nul
        8⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB3D0~1.EXE > nul
        7⤵
        
        PID:2488
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BCB3~1.EXE > nul
        6⤵
        
        PID:3728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7709B~1.EXE > nul
        5⤵
        
        PID:4684
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B6755~1.EXE > nul
    3⤵
    PID:980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\04929B~1.EXE > nul
  2⤵
  PID:3404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe

Filesize
204KB

MD5
aa3bc66588c2c257042455b69b95f974

SHA1
c23edeabef46a4ca42414453771226aff9a719b0

SHA256
f6d4005afb51e7234e95290028f41e4cb14c283331256e00f1004ef884f62399

SHA512
e5b6dc23543f3f04cec8fb4e4da40bc237491e0a77f948f8e7cb25b1103a4d4fb20ef73deb82b6f7bddd7735c35fb5833f3ede4fbae7c109983facfbc7bffb69

Download Submit
C:\Windows\{13E3468F-0A54-4bf3-AE95-89BF91F9D27C}.exe

Filesize
204KB

MD5
aa3bc66588c2c257042455b69b95f974

SHA1
c23edeabef46a4ca42414453771226aff9a719b0

SHA256
f6d4005afb51e7234e95290028f41e4cb14c283331256e00f1004ef884f62399

SHA512
e5b6dc23543f3f04cec8fb4e4da40bc237491e0a77f948f8e7cb25b1103a4d4fb20ef73deb82b6f7bddd7735c35fb5833f3ede4fbae7c109983facfbc7bffb69

Download Submit
C:\Windows\{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe

Filesize
204KB

MD5
d93a5bf8fb01f93a80a62d64ae7df8e2

SHA1
ef171349ca75b00bbc119428ca733f3ae0fc51e2

SHA256
0b4d9de1394ac46e88de2485b82a47591f985135e279485a1b6bbe4ca0466157

SHA512
935f8acd5959119a73327198565dcdc6f90d97ed48d9859900adde9dec76045562dc40be12b92d3ea10a996a8dc644e73828dc7c23fefa3335159573a114c72d

Download Submit
C:\Windows\{2BCB3EB1-6412-494f-BDBD-E125E09B2125}.exe

Filesize
204KB

MD5
d93a5bf8fb01f93a80a62d64ae7df8e2

SHA1
ef171349ca75b00bbc119428ca733f3ae0fc51e2

SHA256
0b4d9de1394ac46e88de2485b82a47591f985135e279485a1b6bbe4ca0466157

SHA512
935f8acd5959119a73327198565dcdc6f90d97ed48d9859900adde9dec76045562dc40be12b92d3ea10a996a8dc644e73828dc7c23fefa3335159573a114c72d

Download Submit
C:\Windows\{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe

Filesize
204KB

MD5
6ac1fe83f762c649a02427c5b9b030fc

SHA1
cea80dff876964faa79b4c8ed7d4f06d3b2b7c21

SHA256
fc6df3b2a4df8ad9922978700f98ad5bf7498b3b7876b30fbb5cecc21da71925

SHA512
6bea7e0769429a1ab5d2b2eb31cefe118cf71bfc876f27c2ef311d598e7df7af28373bbbe4e4aef4c34bf51bef3f00e9cb89e9869ddab4f6708489615c86f177

Download Submit
C:\Windows\{5CB83B1F-6CA7-466f-9EA7-B1316EB1AED7}.exe

Filesize
204KB

MD5
6ac1fe83f762c649a02427c5b9b030fc

SHA1
cea80dff876964faa79b4c8ed7d4f06d3b2b7c21

SHA256
fc6df3b2a4df8ad9922978700f98ad5bf7498b3b7876b30fbb5cecc21da71925

SHA512
6bea7e0769429a1ab5d2b2eb31cefe118cf71bfc876f27c2ef311d598e7df7af28373bbbe4e4aef4c34bf51bef3f00e9cb89e9869ddab4f6708489615c86f177

Download Submit
C:\Windows\{640857FB-90DD-4738-B612-7BFBDCC92C21}.exe

Filesize
204KB

MD5
bdaa4826d8be25901f809801040cb1b7

SHA1
0bf62fb67a4afc1e1966260497ecf0a177250768

SHA256
5da12c7d980c35bccd2750cdbb167dac77a7138dd6154e999be6f81f78ee6259

SHA512
e8544b4769cfa66d54be3325690532ffb4dc663b01083cab0a7073695f9615c404ab72f718c4eff2e3c4e960625b48a2de1da48fbf2262f078be7eb7ccdbafc4

Download Submit
C:\Windows\{640857FB-90DD-4738-B612-7BFBDCC92C21}.exe

Filesize
204KB

MD5
bdaa4826d8be25901f809801040cb1b7

SHA1
0bf62fb67a4afc1e1966260497ecf0a177250768

SHA256
5da12c7d980c35bccd2750cdbb167dac77a7138dd6154e999be6f81f78ee6259

SHA512
e8544b4769cfa66d54be3325690532ffb4dc663b01083cab0a7073695f9615c404ab72f718c4eff2e3c4e960625b48a2de1da48fbf2262f078be7eb7ccdbafc4

Download Submit
C:\Windows\{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe

Filesize
204KB

MD5
3c2bff5b637a8181da981bf65234b431

SHA1
0632cfab3de8a2ed98ab5ec237970698341f3a11

SHA256
84a232eccd4c3131e7ab0c082c52a7bd6c045e9597016f0d0cca41965b55a51e

SHA512
a5f9b1b70904a45a561631293bf28025aba77bd9a289573f2e132234f60fa189b45a03d710e49d2350ce00691e25c72777f1fcff1351e697811d8ca34a699fdf

Download Submit
C:\Windows\{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe

Filesize
204KB

MD5
3c2bff5b637a8181da981bf65234b431

SHA1
0632cfab3de8a2ed98ab5ec237970698341f3a11

SHA256
84a232eccd4c3131e7ab0c082c52a7bd6c045e9597016f0d0cca41965b55a51e

SHA512
a5f9b1b70904a45a561631293bf28025aba77bd9a289573f2e132234f60fa189b45a03d710e49d2350ce00691e25c72777f1fcff1351e697811d8ca34a699fdf

Download Submit
C:\Windows\{7709B734-545D-4d50-BC3B-1FA82040CF93}.exe

Filesize
204KB

MD5
3c2bff5b637a8181da981bf65234b431

SHA1
0632cfab3de8a2ed98ab5ec237970698341f3a11

SHA256
84a232eccd4c3131e7ab0c082c52a7bd6c045e9597016f0d0cca41965b55a51e

SHA512
a5f9b1b70904a45a561631293bf28025aba77bd9a289573f2e132234f60fa189b45a03d710e49d2350ce00691e25c72777f1fcff1351e697811d8ca34a699fdf

Download Submit
C:\Windows\{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe

Filesize
204KB

MD5
375c88b2cc6093388119a7d42fb8be54

SHA1
5b8c7accf352a3d18ee4b16e14f640994f925f5c

SHA256
17a052d47b5b8209740d0de806b761761ee0c3ae189ad1e1d259a438656082a5

SHA512
292c3a6a76781581296ff53113abf93c9a9ecfccb14d7e2aee6067ad7a9cde1e1e531cb3d64bb36b21bc17d275858f4200148b6808f5de4a0dd62bc5eec19d19

Download Submit
C:\Windows\{8553F64B-60CD-426e-94A7-9B55764C37CC}.exe

Filesize
204KB

MD5
375c88b2cc6093388119a7d42fb8be54

SHA1
5b8c7accf352a3d18ee4b16e14f640994f925f5c

SHA256
17a052d47b5b8209740d0de806b761761ee0c3ae189ad1e1d259a438656082a5

SHA512
292c3a6a76781581296ff53113abf93c9a9ecfccb14d7e2aee6067ad7a9cde1e1e531cb3d64bb36b21bc17d275858f4200148b6808f5de4a0dd62bc5eec19d19

Download Submit
C:\Windows\{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe

Filesize
204KB

MD5
53fbbfaf05f89873693b8740d2429f44

SHA1
d05871f4d25248bfb77e59b2e59dab87c870310e

SHA256
06cff0afd32bc218555cc40e8ce68a258a99823b1b1599db966e11cb9f456a92

SHA512
7364556565129d9c4e168f650aa898c6b26a54ab57de4f1f1039f25c2cb83362513dda1063c299105c397cf9326ca340e4de7984f676dc4a99deef43a8178eec

Download Submit
C:\Windows\{96312C70-1F6E-43e4-A376-20CB01CF5A89}.exe

Filesize
204KB

MD5
53fbbfaf05f89873693b8740d2429f44

SHA1
d05871f4d25248bfb77e59b2e59dab87c870310e

SHA256
06cff0afd32bc218555cc40e8ce68a258a99823b1b1599db966e11cb9f456a92

SHA512
7364556565129d9c4e168f650aa898c6b26a54ab57de4f1f1039f25c2cb83362513dda1063c299105c397cf9326ca340e4de7984f676dc4a99deef43a8178eec

Download Submit
C:\Windows\{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe

Filesize
204KB

MD5
e48991e7b998f1c94999fcdcd9a2317a

SHA1
d9dca6f84fb44ab6763f64211402bb57026f85c8

SHA256
f0a24d4153f26aa0023ae82aa50df4918c2ae57f0c845aabc1ebd9e5b19a1959

SHA512
21c5b45965b4bb3246cc35d240cee0e5b6169addd99bfde00433b849c2420c3643a89d71d00d70f311a365c2d911d8ec61d06cca65ce4f72d0b87eac53321f2f

Download Submit
C:\Windows\{B6755EAF-0FA3-47dd-92B8-6483D0DF5833}.exe

Filesize
204KB

MD5
e48991e7b998f1c94999fcdcd9a2317a

SHA1
d9dca6f84fb44ab6763f64211402bb57026f85c8

SHA256
f0a24d4153f26aa0023ae82aa50df4918c2ae57f0c845aabc1ebd9e5b19a1959

SHA512
21c5b45965b4bb3246cc35d240cee0e5b6169addd99bfde00433b849c2420c3643a89d71d00d70f311a365c2d911d8ec61d06cca65ce4f72d0b87eac53321f2f

Download Submit
C:\Windows\{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe

Filesize
204KB

MD5
cc08ae7f97f3c6e0e78fdab76bb4ea8f

SHA1
15f52891a1e09e9af617d3635f767aafc3029975

SHA256
442a0c379d0e4fa2d029498615502f506f329b4cc9ba42d2a3a0e5430eaeeffa

SHA512
27efb29107699f465115ea180f7d899c2f20444291613a167675b03336d9cb2fb25e21c57c725a09deb3a6cb4850c993333de069285708250d91849e825cc290

Download Submit
C:\Windows\{C7695A0D-2D61-4e59-BF83-71D3FDDB3AD9}.exe

Filesize
204KB

MD5
cc08ae7f97f3c6e0e78fdab76bb4ea8f

SHA1
15f52891a1e09e9af617d3635f767aafc3029975

SHA256
442a0c379d0e4fa2d029498615502f506f329b4cc9ba42d2a3a0e5430eaeeffa

SHA512
27efb29107699f465115ea180f7d899c2f20444291613a167675b03336d9cb2fb25e21c57c725a09deb3a6cb4850c993333de069285708250d91849e825cc290

Download Submit
C:\Windows\{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe

Filesize
204KB

MD5
e7b6c9fa4e768959ecfff92bdd14ffc2

SHA1
1b1449db5ca4dbe03ca5500553c49ff1c097c1a4

SHA256
279a14c784002449654086e330ca8cb61e00131f03767fb5ada556f6ffc4e3ef

SHA512
14ec3a5e1f5cdf78ab938e1a5c6c9ad7ac90188bf340f0897a8427681891b072d2c7f86a79acdf8f563bd7f138528356556994e6b1c226fac2b0a49c5afc9582

Download Submit
C:\Windows\{E2EAF390-7E7F-4a5e-B1B9-83307E23DBF2}.exe

Filesize
204KB

MD5
e7b6c9fa4e768959ecfff92bdd14ffc2

SHA1
1b1449db5ca4dbe03ca5500553c49ff1c097c1a4

SHA256
279a14c784002449654086e330ca8cb61e00131f03767fb5ada556f6ffc4e3ef

SHA512
14ec3a5e1f5cdf78ab938e1a5c6c9ad7ac90188bf340f0897a8427681891b072d2c7f86a79acdf8f563bd7f138528356556994e6b1c226fac2b0a49c5afc9582

Download Submit
C:\Windows\{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe

Filesize
204KB

MD5
9f052a85c0cceaf95dd55ce494530b64

SHA1
eea722c62d4a016fd7a146c60800366dfc2b0049

SHA256
a9f77db3e9bea2db101e52d51bc6accb3fcbad47c15fa15817432b71e4c39aec

SHA512
439fb15cc092abad8021daabfc985d5cffa0916bd8884cc800fbf8e0a905eafc9d905bf5495c95a5326f00cf637bfaa7e51760015e1b05b66e86958076dcbe0b

Download Submit
C:\Windows\{ED0F907B-DDB7-4b1b-9A9F-2346A00C5811}.exe

Filesize
204KB

MD5
9f052a85c0cceaf95dd55ce494530b64

SHA1
eea722c62d4a016fd7a146c60800366dfc2b0049

SHA256
a9f77db3e9bea2db101e52d51bc6accb3fcbad47c15fa15817432b71e4c39aec

SHA512
439fb15cc092abad8021daabfc985d5cffa0916bd8884cc800fbf8e0a905eafc9d905bf5495c95a5326f00cf637bfaa7e51760015e1b05b66e86958076dcbe0b

Download Submit
C:\Windows\{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe

Filesize
204KB

MD5
6562d229742147b5f68fe40854eabfa3

SHA1
941f4742f5cda1ded39d80df76c0c74fcf1b1872

SHA256
98d253711183a4322ce248df519b732c3644eceded54dabc328ad2fde77e3926

SHA512
4561e4e870be9a753cafed84a553c078ba845a3b0fbb6e4d52813f5d9b57497bb46662c03cf78afdca2015c439d17b6cfb2b28d519eb85d1e7c9f0655cc32556

Download Submit
C:\Windows\{FB3D014C-E737-4998-A4AD-ABAFA0781C84}.exe

Filesize
204KB

MD5
6562d229742147b5f68fe40854eabfa3

SHA1
941f4742f5cda1ded39d80df76c0c74fcf1b1872

SHA256
98d253711183a4322ce248df519b732c3644eceded54dabc328ad2fde77e3926

SHA512
4561e4e870be9a753cafed84a553c078ba845a3b0fbb6e4d52813f5d9b57497bb46662c03cf78afdca2015c439d17b6cfb2b28d519eb85d1e7c9f0655cc32556

Download Submit