74645255227d518895ced60e1b41f5d471025f69de8bdd2366c706389e33fa30

Analysis

max time kernel
144s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c4402d0ddf309exe_JC.exe
Size

372KB
MD5

1c4402d0ddf309efec5d82a90ff6b254
SHA1

33be19474af1402f457f8823e1ce5f9f40f73b98
SHA256

74645255227d518895ced60e1b41f5d471025f69de8bdd2366c706389e33fa30
SHA512

e6d8a90de55878e351595878b3972537b912c57ad60cea313e11f9e7e6affafb86542d2ba18ad412648993de2d0e554e68c0e79db8c98ac6d8fe807adacc3ff5
SSDEEP

3072:CEGh0oFmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGml/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{210DE6D1-F0CC-4622-BE37-FEFD764A963A}	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF1825A-7874-47d3-8105-4104C9869DFD}\stubpath = "C:\\Windows\\{FFF1825A-7874-47d3-8105-4104C9869DFD}.exe"	{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}	1c4402d0ddf309exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F797C86-268C-4be3-8E4C-3253D4F67075}	{84595696-F75B-4711-8D42-75421D5378D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}\stubpath = "C:\\Windows\\{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe"	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}\stubpath = "C:\\Windows\\{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe"	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}\stubpath = "C:\\Windows\\{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe"	1c4402d0ddf309exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{622B73B9-7BF9-4514-882C-D69867B4F97D}\stubpath = "C:\\Windows\\{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe"	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A30F623-DB42-45f4-B248-5AD95F4058D1}\stubpath = "C:\\Windows\\{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe"	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{210DE6D1-F0CC-4622-BE37-FEFD764A963A}\stubpath = "C:\\Windows\\{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe"	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84595696-F75B-4711-8D42-75421D5378D6}\stubpath = "C:\\Windows\\{84595696-F75B-4711-8D42-75421D5378D6}.exe"	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F797C86-268C-4be3-8E4C-3253D4F67075}\stubpath = "C:\\Windows\\{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe"	{84595696-F75B-4711-8D42-75421D5378D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}\stubpath = "C:\\Windows\\{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe"	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{622B73B9-7BF9-4514-882C-D69867B4F97D}	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}\stubpath = "C:\\Windows\\{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe"	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FFF1825A-7874-47d3-8105-4104C9869DFD}	{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84595696-F75B-4711-8D42-75421D5378D6}	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A30F623-DB42-45f4-B248-5AD95F4058D1}	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe

Executes dropped EXE 11 IoCs

pid	Process
2164	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe
1240	{84595696-F75B-4711-8D42-75421D5378D6}.exe
2424	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe
1664	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe
3648	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe
1620	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe
4984	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe
2076	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe
1172	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe
2988	{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe
4312	{FFF1825A-7874-47d3-8105-4104C9869DFD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{84595696-F75B-4711-8D42-75421D5378D6}.exe	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe
File created	C:\Windows\{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe	{84595696-F75B-4711-8D42-75421D5378D6}.exe
File created	C:\Windows\{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe
File created	C:\Windows\{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe
File created	C:\Windows\{FFF1825A-7874-47d3-8105-4104C9869DFD}.exe	{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe
File created	C:\Windows\{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe	1c4402d0ddf309exe_JC.exe
File created	C:\Windows\{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe
File created	C:\Windows\{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe
File created	C:\Windows\{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe
File created	C:\Windows\{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe
File created	C:\Windows\{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3204	1c4402d0ddf309exe_JC.exe
Token: SeIncBasePriorityPrivilege	2164	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe
Token: SeIncBasePriorityPrivilege	1240	{84595696-F75B-4711-8D42-75421D5378D6}.exe
Token: SeIncBasePriorityPrivilege	2424	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe
Token: SeIncBasePriorityPrivilege	1664	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe
Token: SeIncBasePriorityPrivilege	3648	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe
Token: SeIncBasePriorityPrivilege	1620	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe
Token: SeIncBasePriorityPrivilege	4984	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe
Token: SeIncBasePriorityPrivilege	2076	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe
Token: SeIncBasePriorityPrivilege	1172	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe
Token: SeIncBasePriorityPrivilege	2988	{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3204 wrote to memory of 2164	3204	1c4402d0ddf309exe_JC.exe	98
PID 3204 wrote to memory of 2164	3204	1c4402d0ddf309exe_JC.exe	98
PID 3204 wrote to memory of 2164	3204	1c4402d0ddf309exe_JC.exe	98
PID 3204 wrote to memory of 4968	3204	1c4402d0ddf309exe_JC.exe	99
PID 3204 wrote to memory of 4968	3204	1c4402d0ddf309exe_JC.exe	99
PID 3204 wrote to memory of 4968	3204	1c4402d0ddf309exe_JC.exe	99
PID 2164 wrote to memory of 1240	2164	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe	100
PID 2164 wrote to memory of 1240	2164	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe	100
PID 2164 wrote to memory of 1240	2164	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe	100
PID 2164 wrote to memory of 2176	2164	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe	101
PID 2164 wrote to memory of 2176	2164	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe	101
PID 2164 wrote to memory of 2176	2164	{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe	101
PID 1240 wrote to memory of 2424	1240	{84595696-F75B-4711-8D42-75421D5378D6}.exe	104
PID 1240 wrote to memory of 2424	1240	{84595696-F75B-4711-8D42-75421D5378D6}.exe	104
PID 1240 wrote to memory of 2424	1240	{84595696-F75B-4711-8D42-75421D5378D6}.exe	104
PID 1240 wrote to memory of 4316	1240	{84595696-F75B-4711-8D42-75421D5378D6}.exe	105
PID 1240 wrote to memory of 4316	1240	{84595696-F75B-4711-8D42-75421D5378D6}.exe	105
PID 1240 wrote to memory of 4316	1240	{84595696-F75B-4711-8D42-75421D5378D6}.exe	105
PID 2424 wrote to memory of 1664	2424	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe	106
PID 2424 wrote to memory of 1664	2424	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe	106
PID 2424 wrote to memory of 1664	2424	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe	106
PID 2424 wrote to memory of 3392	2424	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe	107
PID 2424 wrote to memory of 3392	2424	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe	107
PID 2424 wrote to memory of 3392	2424	{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe	107
PID 1664 wrote to memory of 3648	1664	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe	108
PID 1664 wrote to memory of 3648	1664	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe	108
PID 1664 wrote to memory of 3648	1664	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe	108
PID 1664 wrote to memory of 4600	1664	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe	109
PID 1664 wrote to memory of 4600	1664	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe	109
PID 1664 wrote to memory of 4600	1664	{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe	109
PID 3648 wrote to memory of 1620	3648	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe	110
PID 3648 wrote to memory of 1620	3648	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe	110
PID 3648 wrote to memory of 1620	3648	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe	110
PID 3648 wrote to memory of 3128	3648	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe	111
PID 3648 wrote to memory of 3128	3648	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe	111
PID 3648 wrote to memory of 3128	3648	{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe	111
PID 1620 wrote to memory of 4984	1620	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe	113
PID 1620 wrote to memory of 4984	1620	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe	113
PID 1620 wrote to memory of 4984	1620	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe	113
PID 1620 wrote to memory of 2976	1620	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe	114
PID 1620 wrote to memory of 2976	1620	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe	114
PID 1620 wrote to memory of 2976	1620	{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe	114
PID 4984 wrote to memory of 2076	4984	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe	115
PID 4984 wrote to memory of 2076	4984	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe	115
PID 4984 wrote to memory of 2076	4984	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe	115
PID 4984 wrote to memory of 1468	4984	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe	116
PID 4984 wrote to memory of 1468	4984	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe	116
PID 4984 wrote to memory of 1468	4984	{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe	116
PID 2076 wrote to memory of 1172	2076	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe	117
PID 2076 wrote to memory of 1172	2076	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe	117
PID 2076 wrote to memory of 1172	2076	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe	117
PID 2076 wrote to memory of 1124	2076	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe	118
PID 2076 wrote to memory of 1124	2076	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe	118
PID 2076 wrote to memory of 1124	2076	{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe	118
PID 1172 wrote to memory of 2988	1172	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe	120
PID 1172 wrote to memory of 2988	1172	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe	120
PID 1172 wrote to memory of 2988	1172	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe	120
PID 1172 wrote to memory of 3040	1172	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe	119
PID 1172 wrote to memory of 3040	1172	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe	119
PID 1172 wrote to memory of 3040	1172	{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe	119
PID 2988 wrote to memory of 4312	2988	{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe	121
PID 2988 wrote to memory of 4312	2988	{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe	121
PID 2988 wrote to memory of 4312	2988	{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe	121
PID 2988 wrote to memory of 4960	2988	{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe	122

C:\Users\Admin\AppData\Local\Temp\1c4402d0ddf309exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\1c4402d0ddf309exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204
- C:\Windows\{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe
  C:\Windows\{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\{84595696-F75B-4711-8D42-75421D5378D6}.exe
    C:\Windows\{84595696-F75B-4711-8D42-75421D5378D6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe
      C:\Windows\{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe
        
        C:\Windows\{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe
        
        C:\Windows\{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe
        
        C:\Windows\{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe
        
        C:\Windows\{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe
        
        C:\Windows\{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
        
        C:\Windows\{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe
        
        C:\Windows\{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3275B~1.EXE > nul
        11⤵
        
        PID:3040
        
        C:\Windows\{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe
        
        C:\Windows\{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{FFF1825A-7874-47d3-8105-4104C9869DFD}.exe
        
        C:\Windows\{FFF1825A-7874-47d3-8105-4104C9869DFD}.exe
        12⤵
        Executes dropped EXE
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{210DE~1.EXE > nul
        12⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8EB2D~1.EXE > nul
        10⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{11BD3~1.EXE > nul
        9⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A30F~1.EXE > nul
        8⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{622B7~1.EXE > nul
        7⤵
        
        PID:3128
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E4FE~1.EXE > nul
        6⤵
        
        PID:4600
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F797~1.EXE > nul
        5⤵
        
        PID:3392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{84595~1.EXE > nul
      4⤵
      PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{53DB2~1.EXE > nul
    3⤵
    PID:2176
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1C4402~1.EXE > nul
  2⤵
  PID:4968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe

Filesize
372KB

MD5
b11f1ba75ae8a6d6ad9f5b4ba64a2562

SHA1
1e9621d58dc559f2ecdab486cdb84d9a044de4c3

SHA256
e4cc104d7ae501623cbb7c218618bbcc7c8261bd9556f610a8bae342f2604799

SHA512
7f703b8738f73b09157610dd23cea3e958219c293a719b70001966a9b31550da716d5bb6f9872d4a7b258ece353457b8b6ffe9af2123d22e5451b0cf67e2f4c6

Download Submit
C:\Windows\{11BD3A17-36BE-4fca-9C88-2EBEE0923A7D}.exe

Filesize
372KB

MD5
b11f1ba75ae8a6d6ad9f5b4ba64a2562

SHA1
1e9621d58dc559f2ecdab486cdb84d9a044de4c3

SHA256
e4cc104d7ae501623cbb7c218618bbcc7c8261bd9556f610a8bae342f2604799

SHA512
7f703b8738f73b09157610dd23cea3e958219c293a719b70001966a9b31550da716d5bb6f9872d4a7b258ece353457b8b6ffe9af2123d22e5451b0cf67e2f4c6

Download Submit
C:\Windows\{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe

Filesize
372KB

MD5
159deb4d807d76a496cd2fa4e6995bfc

SHA1
f20e67198dfc5d1c418f388961b8f332d556d42c

SHA256
0ea1ff4adde31625a917680ecb138b503e361c6d3216a95bf1f5de50369b93eb

SHA512
e789e524606b34d29b9e6b2acc4d8e1db51f1c72d48efde307484dfa0f97f4628cc97a6d73e0726cc15619d490ee4273235376b4becd53e7d9423b70c594ae5d

Download Submit
C:\Windows\{1A30F623-DB42-45f4-B248-5AD95F4058D1}.exe

Filesize
372KB

MD5
159deb4d807d76a496cd2fa4e6995bfc

SHA1
f20e67198dfc5d1c418f388961b8f332d556d42c

SHA256
0ea1ff4adde31625a917680ecb138b503e361c6d3216a95bf1f5de50369b93eb

SHA512
e789e524606b34d29b9e6b2acc4d8e1db51f1c72d48efde307484dfa0f97f4628cc97a6d73e0726cc15619d490ee4273235376b4becd53e7d9423b70c594ae5d

Download Submit
C:\Windows\{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe

Filesize
372KB

MD5
817d64633601d0f6e071a0842bd8c361

SHA1
8a935d9df898e3de765c10bc3ad8eae4a94959de

SHA256
e8d93e226d73c86e48556be9243029b994c7e1a38427b441c733f0b437b5d279

SHA512
185faf8c28e08f9f4956cee259d3ac43746235ebf30026ffc8a2398e0f16a550758ac395959c9d6f1786e563b08cb8ad1a6342f36212c629575e5afd595dabda

Download Submit
C:\Windows\{210DE6D1-F0CC-4622-BE37-FEFD764A963A}.exe

Filesize
372KB

MD5
817d64633601d0f6e071a0842bd8c361

SHA1
8a935d9df898e3de765c10bc3ad8eae4a94959de

SHA256
e8d93e226d73c86e48556be9243029b994c7e1a38427b441c733f0b437b5d279

SHA512
185faf8c28e08f9f4956cee259d3ac43746235ebf30026ffc8a2398e0f16a550758ac395959c9d6f1786e563b08cb8ad1a6342f36212c629575e5afd595dabda

Download Submit
C:\Windows\{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe

Filesize
372KB

MD5
d699da0a2e13a82091828c994fad9611

SHA1
12b801380aef1e26e21cb64130a05e6d8ad08eb0

SHA256
8494d1e44145aab3ca56a43bc8a3fea1fc6bd65e9f6da4d90623fde67e22298d

SHA512
a897120730c4a7a99d47b9be3edc26db3d9a1e460569879c0f9e7a8ae41be63562719211f752f884f01fe108167a14b5fb06e5cd7463043996215f1f9e61c382

Download Submit
C:\Windows\{3275B8FE-A7F8-49fa-8D0E-8257BC51005B}.exe

Filesize
372KB

MD5
d699da0a2e13a82091828c994fad9611

SHA1
12b801380aef1e26e21cb64130a05e6d8ad08eb0

SHA256
8494d1e44145aab3ca56a43bc8a3fea1fc6bd65e9f6da4d90623fde67e22298d

SHA512
a897120730c4a7a99d47b9be3edc26db3d9a1e460569879c0f9e7a8ae41be63562719211f752f884f01fe108167a14b5fb06e5cd7463043996215f1f9e61c382

Download Submit
C:\Windows\{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe

Filesize
372KB

MD5
7fea846fa6d4b106e0bd1624feaf4fd2

SHA1
45923e0d6953df7312fb048509b94e6bb3e502d0

SHA256
d5d1b07793e5129eefc8006701216e03b48e7e06250996fb8e514c473eeb9899

SHA512
1739387765a691b69b63701985afb8cfdfb29e1c90e3ffa9d8c4aaccb84863af08cd948a8c055a4ddf259d8fe293c56b8e41e30ed255d72c6b2b82b56a0c57da

Download Submit
C:\Windows\{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe

Filesize
372KB

MD5
7fea846fa6d4b106e0bd1624feaf4fd2

SHA1
45923e0d6953df7312fb048509b94e6bb3e502d0

SHA256
d5d1b07793e5129eefc8006701216e03b48e7e06250996fb8e514c473eeb9899

SHA512
1739387765a691b69b63701985afb8cfdfb29e1c90e3ffa9d8c4aaccb84863af08cd948a8c055a4ddf259d8fe293c56b8e41e30ed255d72c6b2b82b56a0c57da

Download Submit
C:\Windows\{3F797C86-268C-4be3-8E4C-3253D4F67075}.exe

Filesize
372KB

MD5
7fea846fa6d4b106e0bd1624feaf4fd2

SHA1
45923e0d6953df7312fb048509b94e6bb3e502d0

SHA256
d5d1b07793e5129eefc8006701216e03b48e7e06250996fb8e514c473eeb9899

SHA512
1739387765a691b69b63701985afb8cfdfb29e1c90e3ffa9d8c4aaccb84863af08cd948a8c055a4ddf259d8fe293c56b8e41e30ed255d72c6b2b82b56a0c57da

Download Submit
C:\Windows\{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe

Filesize
372KB

MD5
2f04a7049bc6f182030b18359267fd9f

SHA1
963bc4558895f2f27e76f5d49eb667f3dc90f152

SHA256
0ea56c73d90eb6b8f32d19ffad4362aa10acbe4197c55c20e3508f6cd3f946db

SHA512
f57f29c09f86f8f1ff00dfcf6d9873f7bc2b8a4ff3ca4b6eeecfb238b9b11fc9e4e00e7ccb7a45e323c7c9ccbe4890a512cabe4fee211e37dff8794e79c46247

Download Submit
C:\Windows\{53DB2C75-EDD1-4258-AC36-5EA2938ED7DA}.exe

Filesize
372KB

MD5
2f04a7049bc6f182030b18359267fd9f

SHA1
963bc4558895f2f27e76f5d49eb667f3dc90f152

SHA256
0ea56c73d90eb6b8f32d19ffad4362aa10acbe4197c55c20e3508f6cd3f946db

SHA512
f57f29c09f86f8f1ff00dfcf6d9873f7bc2b8a4ff3ca4b6eeecfb238b9b11fc9e4e00e7ccb7a45e323c7c9ccbe4890a512cabe4fee211e37dff8794e79c46247

Download Submit
C:\Windows\{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe

Filesize
372KB

MD5
1f8c7f7cb67dc13b4c5386113e9a4196

SHA1
d6eaf0a0fc56695cfedffb3879a971d9e823b136

SHA256
c2d98ffabe5601a01abd1e3be3f4afac75358ba2d36661688dccd29501c7ebd0

SHA512
36c438ce47bcb467d329d5b3213b77d387a1654d94404e803beb87e42d459d7a2cb9e0198f5214c0668641bf9bbc403d7adec20c440228970f8d2cfae02fe43c

Download Submit
C:\Windows\{622B73B9-7BF9-4514-882C-D69867B4F97D}.exe

Filesize
372KB

MD5
1f8c7f7cb67dc13b4c5386113e9a4196

SHA1
d6eaf0a0fc56695cfedffb3879a971d9e823b136

SHA256
c2d98ffabe5601a01abd1e3be3f4afac75358ba2d36661688dccd29501c7ebd0

SHA512
36c438ce47bcb467d329d5b3213b77d387a1654d94404e803beb87e42d459d7a2cb9e0198f5214c0668641bf9bbc403d7adec20c440228970f8d2cfae02fe43c

Download Submit
C:\Windows\{84595696-F75B-4711-8D42-75421D5378D6}.exe

Filesize
372KB

MD5
5f43e830840b2fa3e15ae954b24660a9

SHA1
a0cd258d4d5e02da3e3f051beea76d7efc4f49ef

SHA256
bacfda20a5b7c5489587a65924c4dcc07877f17fa3b14ee97913c8cb32170131

SHA512
86edfccf70c403ec701e0ac8eeac9bb9ff2467b27fc609db5e0d1df8abc05f0682163cbc99867911b2d1d1820d8ba7e567aee203ee55ffebbee2901d7d426dbb

Download Submit
C:\Windows\{84595696-F75B-4711-8D42-75421D5378D6}.exe

Filesize
372KB

MD5
5f43e830840b2fa3e15ae954b24660a9

SHA1
a0cd258d4d5e02da3e3f051beea76d7efc4f49ef

SHA256
bacfda20a5b7c5489587a65924c4dcc07877f17fa3b14ee97913c8cb32170131

SHA512
86edfccf70c403ec701e0ac8eeac9bb9ff2467b27fc609db5e0d1df8abc05f0682163cbc99867911b2d1d1820d8ba7e567aee203ee55ffebbee2901d7d426dbb

Download Submit
C:\Windows\{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe

Filesize
372KB

MD5
1cd1f40d96c2f61815fc4ebf6c06455c

SHA1
03dfe3f13ac891ee706f73bacc5e71d51f19dbfb

SHA256
9c6e7bc05aefdd4dc7177711236b537f463fdc546d96ccf724ff9c90068ab25b

SHA512
b79f7229ffdbac924c198be8b51a8d2a871314b497e5c8e66d98cd855c85e3e56b3d8c3c2041480383876d83ce6fc27cfd7c1d33d9c4baa7c3f8e77daad65c5a

Download Submit
C:\Windows\{8E4FE395-9C70-4e4a-AAB9-B9DB3971905B}.exe

Filesize
372KB

MD5
1cd1f40d96c2f61815fc4ebf6c06455c

SHA1
03dfe3f13ac891ee706f73bacc5e71d51f19dbfb

SHA256
9c6e7bc05aefdd4dc7177711236b537f463fdc546d96ccf724ff9c90068ab25b

SHA512
b79f7229ffdbac924c198be8b51a8d2a871314b497e5c8e66d98cd855c85e3e56b3d8c3c2041480383876d83ce6fc27cfd7c1d33d9c4baa7c3f8e77daad65c5a

Download Submit
C:\Windows\{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe

Filesize
372KB

MD5
c1377a95b4e6f25dc63c89ec0a2c89e3

SHA1
987117aae6c9c54db3ac800a06a4d4a6ea3685f5

SHA256
00b8411f0a7ba024a650a20ca3a77b917ea3f3f3978598442ee8aa91856b3153

SHA512
899609dc65650b52752f916866e0b3747b543c9af58dc5786969e33ab3b327a016432381af5920af989c7fc7dee3a35a6d3df0c329ff7329a42e73858d903dae

Download Submit
C:\Windows\{8EB2DC56-2D24-4d35-90FC-1DF7CAE1A0A9}.exe

Filesize
372KB

MD5
c1377a95b4e6f25dc63c89ec0a2c89e3

SHA1
987117aae6c9c54db3ac800a06a4d4a6ea3685f5

SHA256
00b8411f0a7ba024a650a20ca3a77b917ea3f3f3978598442ee8aa91856b3153

SHA512
899609dc65650b52752f916866e0b3747b543c9af58dc5786969e33ab3b327a016432381af5920af989c7fc7dee3a35a6d3df0c329ff7329a42e73858d903dae

Download Submit
C:\Windows\{FFF1825A-7874-47d3-8105-4104C9869DFD}.exe

Filesize
372KB

MD5
72863f0b920e8a89dbd055360ac5e6ac

SHA1
98205381d5f189b15353434b8581f00eae2e7f1a

SHA256
b898323d48d9e016f0e347c40cd9e3eb1c2358f0cd47ebba5842f0b9bd2b1bef

SHA512
dcd891a6a83a4cc88d906e6ff444bda17110394810c6928e7382151a7dd896b0d1d62c85e2fccba526fc3a6dc6649d1ff2446ad69ac23e358eb6d30675330475

Download Submit
C:\Windows\{FFF1825A-7874-47d3-8105-4104C9869DFD}.exe

Filesize
372KB

MD5
72863f0b920e8a89dbd055360ac5e6ac

SHA1
98205381d5f189b15353434b8581f00eae2e7f1a

SHA256
b898323d48d9e016f0e347c40cd9e3eb1c2358f0cd47ebba5842f0b9bd2b1bef

SHA512
dcd891a6a83a4cc88d906e6ff444bda17110394810c6928e7382151a7dd896b0d1d62c85e2fccba526fc3a6dc6649d1ff2446ad69ac23e358eb6d30675330475

Download Submit