731157c2e8b65ebeee14111fc47a0b71cd91b13cbd5bd1418d82d5bf5b59bdd8

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15/07/2023, 12:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

43567acf1ec431exeexe_JC.exe
Size

216KB
MD5

43567acf1ec43124fada490f70bfb363
SHA1

6436c1d4218d7cd75c04cdab3f470e6c768f5946
SHA256

731157c2e8b65ebeee14111fc47a0b71cd91b13cbd5bd1418d82d5bf5b59bdd8
SHA512

ec15160cd2d8e4427c6c3d4459954a32e7775eba20c3d03653f478ed3f656673dea1418c5b89a2385ce30b39ea7f390d2846b139c86daddcd715d9bc58ba2d5a
SSDEEP

3072:jEGh0o4l+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGelEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6BB924B-8358-4f58-BFB1-F0596C6925AE}\stubpath = "C:\\Windows\\{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe"	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{935B3C44-E05E-49ef-B096-46444DA063EF}\stubpath = "C:\\Windows\\{935B3C44-E05E-49ef-B096-46444DA063EF}.exe"	{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48C3F5B4-F9FF-4d06-84E9-C19F9BD23AF0}\stubpath = "C:\\Windows\\{48C3F5B4-F9FF-4d06-84E9-C19F9BD23AF0}.exe"	{935B3C44-E05E-49ef-B096-46444DA063EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{090FE95F-ACF2-4e52-BFFC-5777D047B105}\stubpath = "C:\\Windows\\{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe"	43567acf1ec431exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6BB924B-8358-4f58-BFB1-F0596C6925AE}	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}\stubpath = "C:\\Windows\\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe"	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FBB535C-A348-40fc-8F23-018888C08532}	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEBE813A-36B5-40fe-A469-CED3250AE04B}	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}\stubpath = "C:\\Windows\\{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe"	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3FBB535C-A348-40fc-8F23-018888C08532}\stubpath = "C:\\Windows\\{3FBB535C-A348-40fc-8F23-018888C08532}.exe"	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}	{3FBB535C-A348-40fc-8F23-018888C08532}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}\stubpath = "C:\\Windows\\{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe"	{3FBB535C-A348-40fc-8F23-018888C08532}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{935B3C44-E05E-49ef-B096-46444DA063EF}	{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}\stubpath = "C:\\Windows\\{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe"	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}\stubpath = "C:\\Windows\\{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe"	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C28C481E-274D-47a7-8802-797A6CC6D75F}	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C28C481E-274D-47a7-8802-797A6CC6D75F}\stubpath = "C:\\Windows\\{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe"	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{48C3F5B4-F9FF-4d06-84E9-C19F9BD23AF0}	{935B3C44-E05E-49ef-B096-46444DA063EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{090FE95F-ACF2-4e52-BFFC-5777D047B105}	43567acf1ec431exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DEBE813A-36B5-40fe-A469-CED3250AE04B}\stubpath = "C:\\Windows\\{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe"	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe

Executes dropped EXE 12 IoCs

pid	Process
2724	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe
972	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe
5036	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe
4912	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe
4712	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe
4016	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe
3196	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe
4280	{3FBB535C-A348-40fc-8F23-018888C08532}.exe
4596	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe
4972	{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe
2488	{935B3C44-E05E-49ef-B096-46444DA063EF}.exe
2968	{48C3F5B4-F9FF-4d06-84E9-C19F9BD23AF0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe
File created	C:\Windows\{3FBB535C-A348-40fc-8F23-018888C08532}.exe	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe
File created	C:\Windows\{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe
File created	C:\Windows\{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe
File created	C:\Windows\{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe
File created	C:\Windows\{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe
File created	C:\Windows\{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe
File created	C:\Windows\{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe	{3FBB535C-A348-40fc-8F23-018888C08532}.exe
File created	C:\Windows\{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe
File created	C:\Windows\{935B3C44-E05E-49ef-B096-46444DA063EF}.exe	{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe
File created	C:\Windows\{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe	43567acf1ec431exeexe_JC.exe
File created	C:\Windows\{48C3F5B4-F9FF-4d06-84E9-C19F9BD23AF0}.exe	{935B3C44-E05E-49ef-B096-46444DA063EF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1896	43567acf1ec431exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	2724	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe
Token: SeIncBasePriorityPrivilege	972	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe
Token: SeIncBasePriorityPrivilege	5036	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe
Token: SeIncBasePriorityPrivilege	4912	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe
Token: SeIncBasePriorityPrivilege	4712	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe
Token: SeIncBasePriorityPrivilege	4016	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe
Token: SeIncBasePriorityPrivilege	3196	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe
Token: SeIncBasePriorityPrivilege	4280	{3FBB535C-A348-40fc-8F23-018888C08532}.exe
Token: SeIncBasePriorityPrivilege	4596	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe
Token: SeIncBasePriorityPrivilege	4972	{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe
Token: SeIncBasePriorityPrivilege	2488	{935B3C44-E05E-49ef-B096-46444DA063EF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1896 wrote to memory of 2724	1896	43567acf1ec431exeexe_JC.exe	93
PID 1896 wrote to memory of 2724	1896	43567acf1ec431exeexe_JC.exe	93
PID 1896 wrote to memory of 2724	1896	43567acf1ec431exeexe_JC.exe	93
PID 1896 wrote to memory of 1472	1896	43567acf1ec431exeexe_JC.exe	94
PID 1896 wrote to memory of 1472	1896	43567acf1ec431exeexe_JC.exe	94
PID 1896 wrote to memory of 1472	1896	43567acf1ec431exeexe_JC.exe	94
PID 2724 wrote to memory of 972	2724	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe	95
PID 2724 wrote to memory of 972	2724	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe	95
PID 2724 wrote to memory of 972	2724	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe	95
PID 2724 wrote to memory of 1872	2724	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe	96
PID 2724 wrote to memory of 1872	2724	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe	96
PID 2724 wrote to memory of 1872	2724	{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe	96
PID 972 wrote to memory of 5036	972	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe	102
PID 972 wrote to memory of 5036	972	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe	102
PID 972 wrote to memory of 5036	972	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe	102
PID 972 wrote to memory of 964	972	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe	101
PID 972 wrote to memory of 964	972	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe	101
PID 972 wrote to memory of 964	972	{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe	101
PID 5036 wrote to memory of 4912	5036	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe	107
PID 5036 wrote to memory of 4912	5036	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe	107
PID 5036 wrote to memory of 4912	5036	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe	107
PID 5036 wrote to memory of 1332	5036	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe	108
PID 5036 wrote to memory of 1332	5036	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe	108
PID 5036 wrote to memory of 1332	5036	{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe	108
PID 4912 wrote to memory of 4712	4912	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe	109
PID 4912 wrote to memory of 4712	4912	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe	109
PID 4912 wrote to memory of 4712	4912	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe	109
PID 4912 wrote to memory of 4448	4912	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe	110
PID 4912 wrote to memory of 4448	4912	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe	110
PID 4912 wrote to memory of 4448	4912	{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe	110
PID 4712 wrote to memory of 4016	4712	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe	111
PID 4712 wrote to memory of 4016	4712	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe	111
PID 4712 wrote to memory of 4016	4712	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe	111
PID 4712 wrote to memory of 1244	4712	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe	112
PID 4712 wrote to memory of 1244	4712	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe	112
PID 4712 wrote to memory of 1244	4712	{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe	112
PID 4016 wrote to memory of 3196	4016	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe	114
PID 4016 wrote to memory of 3196	4016	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe	114
PID 4016 wrote to memory of 3196	4016	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe	114
PID 4016 wrote to memory of 4588	4016	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe	115
PID 4016 wrote to memory of 4588	4016	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe	115
PID 4016 wrote to memory of 4588	4016	{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe	115
PID 3196 wrote to memory of 4280	3196	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe	116
PID 3196 wrote to memory of 4280	3196	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe	116
PID 3196 wrote to memory of 4280	3196	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe	116
PID 3196 wrote to memory of 4600	3196	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe	117
PID 3196 wrote to memory of 4600	3196	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe	117
PID 3196 wrote to memory of 4600	3196	{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe	117
PID 4280 wrote to memory of 4596	4280	{3FBB535C-A348-40fc-8F23-018888C08532}.exe	118
PID 4280 wrote to memory of 4596	4280	{3FBB535C-A348-40fc-8F23-018888C08532}.exe	118
PID 4280 wrote to memory of 4596	4280	{3FBB535C-A348-40fc-8F23-018888C08532}.exe	118
PID 4280 wrote to memory of 1352	4280	{3FBB535C-A348-40fc-8F23-018888C08532}.exe	119
PID 4280 wrote to memory of 1352	4280	{3FBB535C-A348-40fc-8F23-018888C08532}.exe	119
PID 4280 wrote to memory of 1352	4280	{3FBB535C-A348-40fc-8F23-018888C08532}.exe	119
PID 4596 wrote to memory of 4972	4596	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe	120
PID 4596 wrote to memory of 4972	4596	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe	120
PID 4596 wrote to memory of 4972	4596	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe	120
PID 4596 wrote to memory of 3912	4596	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe	121
PID 4596 wrote to memory of 3912	4596	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe	121
PID 4596 wrote to memory of 3912	4596	{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe	121
PID 4972 wrote to memory of 2488	4972	{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe	122
PID 4972 wrote to memory of 2488	4972	{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe	122
PID 4972 wrote to memory of 2488	4972	{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe	122
PID 4972 wrote to memory of 3608	4972	{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe	123

C:\Users\Admin\AppData\Local\Temp\43567acf1ec431exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\43567acf1ec431exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896
- C:\Windows\{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe
  C:\Windows\{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe
    C:\Windows\{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{42BA0~1.EXE > nul
      4⤵
      PID:964
  - - C:\Windows\{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe
      C:\Windows\{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5036
    - - C:\Windows\{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe
        
        C:\Windows\{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Windows\{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe
        
        C:\Windows\{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe
        
        C:\Windows\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe
        
        C:\Windows\{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3196
        
        C:\Windows\{3FBB535C-A348-40fc-8F23-018888C08532}.exe
        
        C:\Windows\{3FBB535C-A348-40fc-8F23-018888C08532}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4280
        
        C:\Windows\{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe
        
        C:\Windows\{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe
        
        C:\Windows\{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\{935B3C44-E05E-49ef-B096-46444DA063EF}.exe
        
        C:\Windows\{935B3C44-E05E-49ef-B096-46444DA063EF}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\{48C3F5B4-F9FF-4d06-84E9-C19F9BD23AF0}.exe
        
        C:\Windows\{48C3F5B4-F9FF-4d06-84E9-C19F9BD23AF0}.exe
        13⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{935B3~1.EXE > nul
        13⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C28C4~1.EXE > nul
        12⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88CDB~1.EXE > nul
        11⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3FBB5~1.EXE > nul
        10⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58A9F~1.EXE > nul
        9⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC1DB~1.EXE > nul
        8⤵
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A6BB9~1.EXE > nul
        7⤵
        
        PID:1244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDA53~1.EXE > nul
        6⤵
        
        PID:4448
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DEBE8~1.EXE > nul
        5⤵
        
        PID:1332
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{090FE~1.EXE > nul
    3⤵
    PID:1872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\43567A~1.EXE > nul
  2⤵
  PID:1472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe

Filesize
216KB

MD5
f8ece19223c7e2d9fde248dac9aede6a

SHA1
6220a57ecd18577db79873123add112e36eec280

SHA256
a3cac239460a96e85297a962f59fb7d32388dbcd35fbe7c3c08b12cfac48ea97

SHA512
fc9f7b1484f8e076cdf28db1f4174f65e4cbe4a3166bbf3f22f55ab7542e5719f011aadbcf425b29b3a6f07f74a328c5dd9bffb4160111b95a9a6456044537ab

Download Submit
C:\Windows\{090FE95F-ACF2-4e52-BFFC-5777D047B105}.exe

Filesize
216KB

MD5
f8ece19223c7e2d9fde248dac9aede6a

SHA1
6220a57ecd18577db79873123add112e36eec280

SHA256
a3cac239460a96e85297a962f59fb7d32388dbcd35fbe7c3c08b12cfac48ea97

SHA512
fc9f7b1484f8e076cdf28db1f4174f65e4cbe4a3166bbf3f22f55ab7542e5719f011aadbcf425b29b3a6f07f74a328c5dd9bffb4160111b95a9a6456044537ab

Download Submit
C:\Windows\{3FBB535C-A348-40fc-8F23-018888C08532}.exe

Filesize
216KB

MD5
f2a0e115bd20cf3b55e841cc6031e6a4

SHA1
6ecab5e4a668e0d33b17d13af94a72d67141136d

SHA256
293118fe56475856c37a04857ea9e7cd9e0657bab403082c33bfcf41c19146b7

SHA512
b4200bb1c66fc6ae1b594c4a976d121b48b5264ffa70e17757c956dc47963c9adf91b3e2c848113d635539d6f14d31e43b2f219a334a290dce9a315981e72f49

Download Submit
C:\Windows\{3FBB535C-A348-40fc-8F23-018888C08532}.exe

Filesize
216KB

MD5
f2a0e115bd20cf3b55e841cc6031e6a4

SHA1
6ecab5e4a668e0d33b17d13af94a72d67141136d

SHA256
293118fe56475856c37a04857ea9e7cd9e0657bab403082c33bfcf41c19146b7

SHA512
b4200bb1c66fc6ae1b594c4a976d121b48b5264ffa70e17757c956dc47963c9adf91b3e2c848113d635539d6f14d31e43b2f219a334a290dce9a315981e72f49

Download Submit
C:\Windows\{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe

Filesize
216KB

MD5
3c39aa7c54e9776bc5811d6b32d36d8f

SHA1
312617e84854083296740cc2604151a92feec8fb

SHA256
14b12243d9478bb9f940ce66facc411c6ced3976a1af3f22eda6396d20f41e13

SHA512
df93073be2e797a75e2cfa8b1337c1ce1a62ff0987be46d0b96019e25bda1241cad8ddbcc4200b14aa00d277a8d3c3d38cd39543ace5fd56d332583af7f5fb64

Download Submit
C:\Windows\{42BA0ADC-D77E-40e7-A57C-015A15FA8AA7}.exe

Filesize
216KB

MD5
3c39aa7c54e9776bc5811d6b32d36d8f

SHA1
312617e84854083296740cc2604151a92feec8fb

SHA256
14b12243d9478bb9f940ce66facc411c6ced3976a1af3f22eda6396d20f41e13

SHA512
df93073be2e797a75e2cfa8b1337c1ce1a62ff0987be46d0b96019e25bda1241cad8ddbcc4200b14aa00d277a8d3c3d38cd39543ace5fd56d332583af7f5fb64

Download Submit
C:\Windows\{48C3F5B4-F9FF-4d06-84E9-C19F9BD23AF0}.exe

Filesize
216KB

MD5
bfc6289070455f0d3fcc7b1cc35c857a

SHA1
2efa8e5d61d452b06564fef269799990fee07036

SHA256
dae8895d5f8d435404baaa4b45287ae75b06600312a7f05ea5f43423101c7786

SHA512
ac39459f6b3ef33f0055e51c03a135b1faa53774bdc4315a5b617bedcd316ec97b0a141dcad857f954b57e08696122e6bc9ba9f28520e51b836332877d41950b

Download Submit
C:\Windows\{48C3F5B4-F9FF-4d06-84E9-C19F9BD23AF0}.exe

Filesize
216KB

MD5
bfc6289070455f0d3fcc7b1cc35c857a

SHA1
2efa8e5d61d452b06564fef269799990fee07036

SHA256
dae8895d5f8d435404baaa4b45287ae75b06600312a7f05ea5f43423101c7786

SHA512
ac39459f6b3ef33f0055e51c03a135b1faa53774bdc4315a5b617bedcd316ec97b0a141dcad857f954b57e08696122e6bc9ba9f28520e51b836332877d41950b

Download Submit
C:\Windows\{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe

Filesize
216KB

MD5
a84524714cf48a452c5a035e7db8617f

SHA1
784f7c856908f730080c36ce6c9e5cda4a51992c

SHA256
4d6ecbef8f08bfe88d45f7545044df0bc292b0049b836e87693dde07678e16c9

SHA512
47d5c6dbbdbca5f9fbffb02557b65769d75b1f054570c310d13747df852435c17d974c7596a8e2499a516766b9c3f79af3965b2d5a3ac6f8f7e735837ff66b36

Download Submit
C:\Windows\{58A9FAB4-95E8-4063-BB62-FCBDBCF1A2FB}.exe

Filesize
216KB

MD5
a84524714cf48a452c5a035e7db8617f

SHA1
784f7c856908f730080c36ce6c9e5cda4a51992c

SHA256
4d6ecbef8f08bfe88d45f7545044df0bc292b0049b836e87693dde07678e16c9

SHA512
47d5c6dbbdbca5f9fbffb02557b65769d75b1f054570c310d13747df852435c17d974c7596a8e2499a516766b9c3f79af3965b2d5a3ac6f8f7e735837ff66b36

Download Submit
C:\Windows\{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe

Filesize
216KB

MD5
39b68b6c457411dcba85c86e9eedc873

SHA1
fe57e33cc988d2ace87cc98ba87ff1e2ad0bc9e8

SHA256
2b815967c2694a2a3b1b4819c33ea7aede7907f1b994462d86a7d5493fcbd6fe

SHA512
5eb404306ccb89d33193d5d1124770c6020674809eb139fcbc3471e93d6cf58df7cefb4dfa4a4e47bb83e576bb9e07d35810ff2626df7f748da7ec5b98a3419d

Download Submit
C:\Windows\{88CDB486-99DB-4ec2-91ED-0B8DD6643D30}.exe

Filesize
216KB

MD5
39b68b6c457411dcba85c86e9eedc873

SHA1
fe57e33cc988d2ace87cc98ba87ff1e2ad0bc9e8

SHA256
2b815967c2694a2a3b1b4819c33ea7aede7907f1b994462d86a7d5493fcbd6fe

SHA512
5eb404306ccb89d33193d5d1124770c6020674809eb139fcbc3471e93d6cf58df7cefb4dfa4a4e47bb83e576bb9e07d35810ff2626df7f748da7ec5b98a3419d

Download Submit
C:\Windows\{935B3C44-E05E-49ef-B096-46444DA063EF}.exe

Filesize
216KB

MD5
14118384ebc6010da85082e232bf2d21

SHA1
bbadafa977dc43e56c45a4384b5be6f78810828c

SHA256
fb62bd4d30e4c7031a82f6c3786678475433c38302e6fbe08391f703ce043bf5

SHA512
b01e59c8de86e5433641b64b421c18e2135bedf2edab570c0d1469aca3b1c735a682dc2f636763fee108d64f01fe6c5326d274baaf1ed7d80211d269fbaaeed8

Download Submit
C:\Windows\{935B3C44-E05E-49ef-B096-46444DA063EF}.exe

Filesize
216KB

MD5
14118384ebc6010da85082e232bf2d21

SHA1
bbadafa977dc43e56c45a4384b5be6f78810828c

SHA256
fb62bd4d30e4c7031a82f6c3786678475433c38302e6fbe08391f703ce043bf5

SHA512
b01e59c8de86e5433641b64b421c18e2135bedf2edab570c0d1469aca3b1c735a682dc2f636763fee108d64f01fe6c5326d274baaf1ed7d80211d269fbaaeed8

Download Submit
C:\Windows\{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe

Filesize
216KB

MD5
2e449a94d5c4667f4e9574abb3cabe6b

SHA1
73ef326621574420719483fe961bae6a2a41edd0

SHA256
a9c87550cd54191775820ed9dcd31f34ad15bd52e8088e47f52028e7e0b23295

SHA512
fbe4bb413b6ec9151c3977cc5c3b214aca52ae07ba72a6776deee03929d8a6311abbc1d9d7f01f91aabc7de63d4d313f40ba8f1adef421c00961fb822e974950

Download Submit
C:\Windows\{A6BB924B-8358-4f58-BFB1-F0596C6925AE}.exe

Filesize
216KB

MD5
2e449a94d5c4667f4e9574abb3cabe6b

SHA1
73ef326621574420719483fe961bae6a2a41edd0

SHA256
a9c87550cd54191775820ed9dcd31f34ad15bd52e8088e47f52028e7e0b23295

SHA512
fbe4bb413b6ec9151c3977cc5c3b214aca52ae07ba72a6776deee03929d8a6311abbc1d9d7f01f91aabc7de63d4d313f40ba8f1adef421c00961fb822e974950

Download Submit
C:\Windows\{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe

Filesize
216KB

MD5
c9099b979aab1a8ad2d32e375f8472e2

SHA1
31d8acd2a44914e775aee8f01fe9ce3049defd05

SHA256
22e680a45e8f97e1e1e96abbbc1df9ee468436e1627b8be31808d80c304385ca

SHA512
f3181c55c3c89dfb69d175364a09f8b98eedc477194033ae57f01b5e45e68d49b6adf20719b968b223d1171353ff9e300c0d959268ecfecb6e173e516498f90d

Download Submit
C:\Windows\{C28C481E-274D-47a7-8802-797A6CC6D75F}.exe

Filesize
216KB

MD5
c9099b979aab1a8ad2d32e375f8472e2

SHA1
31d8acd2a44914e775aee8f01fe9ce3049defd05

SHA256
22e680a45e8f97e1e1e96abbbc1df9ee468436e1627b8be31808d80c304385ca

SHA512
f3181c55c3c89dfb69d175364a09f8b98eedc477194033ae57f01b5e45e68d49b6adf20719b968b223d1171353ff9e300c0d959268ecfecb6e173e516498f90d

Download Submit
C:\Windows\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe

Filesize
216KB

MD5
2c2789ecee64f8e92b7f9b379c060c40

SHA1
9a422238c8ff109234aef3aea3205a22ce67568a

SHA256
9b92b8bdd249ec5fdd31ff83e4d3b361b58bcb4bea4a89d89da6e5f679150a93

SHA512
c0ad7a09cbdfc01f01ec7fd66e43ab60a9c6f75627b6c6b3647d6240af440a2a3a4d7502176810de6630f3a70dd011fa390fc693975bbc2ee7672711e9b9ccbf

Download Submit
C:\Windows\{CC1DB542-85E9-4782-8D22-CD4D84A15F59}.exe

Filesize
216KB

MD5
2c2789ecee64f8e92b7f9b379c060c40

SHA1
9a422238c8ff109234aef3aea3205a22ce67568a

SHA256
9b92b8bdd249ec5fdd31ff83e4d3b361b58bcb4bea4a89d89da6e5f679150a93

SHA512
c0ad7a09cbdfc01f01ec7fd66e43ab60a9c6f75627b6c6b3647d6240af440a2a3a4d7502176810de6630f3a70dd011fa390fc693975bbc2ee7672711e9b9ccbf

Download Submit
C:\Windows\{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe

Filesize
216KB

MD5
ae30b7a4c9e1757f206486ef027b9fbc

SHA1
b0dec58cd6123638689f871d5f53eddb927cac23

SHA256
e7c309cd3d85dec8a6b3dd21a0ae6edd9a8cc8a8a64455098c31989d38d64d70

SHA512
a92828c61e95c32a2eec6229dec378d3ef9c61bb26a1b68164d24b405f722f104e9c82091a07452a0b711c47c8bb49ff03c84485da03f9e9d922f6067087f843

Download Submit
C:\Windows\{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe

Filesize
216KB

MD5
ae30b7a4c9e1757f206486ef027b9fbc

SHA1
b0dec58cd6123638689f871d5f53eddb927cac23

SHA256
e7c309cd3d85dec8a6b3dd21a0ae6edd9a8cc8a8a64455098c31989d38d64d70

SHA512
a92828c61e95c32a2eec6229dec378d3ef9c61bb26a1b68164d24b405f722f104e9c82091a07452a0b711c47c8bb49ff03c84485da03f9e9d922f6067087f843

Download Submit
C:\Windows\{DEBE813A-36B5-40fe-A469-CED3250AE04B}.exe

Filesize
216KB

MD5
ae30b7a4c9e1757f206486ef027b9fbc

SHA1
b0dec58cd6123638689f871d5f53eddb927cac23

SHA256
e7c309cd3d85dec8a6b3dd21a0ae6edd9a8cc8a8a64455098c31989d38d64d70

SHA512
a92828c61e95c32a2eec6229dec378d3ef9c61bb26a1b68164d24b405f722f104e9c82091a07452a0b711c47c8bb49ff03c84485da03f9e9d922f6067087f843

Download Submit
C:\Windows\{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe

Filesize
216KB

MD5
93d337e0819c0765416a79a106931d64

SHA1
eda75af908210dfab8522a0fcd416cc089618745

SHA256
52dee4636f8be62f0d00a7dbd289ae3a68d959dc1d9cb02009b420d216815508

SHA512
1ea7201773c70ceacd70a0cdb5088942d5a471899e55288b152fdf03d9e3d34503b8270ef7a5795ab3c858ce95c66982d486e19121fe9798c8164a26907cb16a

Download Submit
C:\Windows\{EDA53F6B-642D-4a38-9C63-1CD8BF5BE46A}.exe

Filesize
216KB

MD5
93d337e0819c0765416a79a106931d64

SHA1
eda75af908210dfab8522a0fcd416cc089618745

SHA256
52dee4636f8be62f0d00a7dbd289ae3a68d959dc1d9cb02009b420d216815508

SHA512
1ea7201773c70ceacd70a0cdb5088942d5a471899e55288b152fdf03d9e3d34503b8270ef7a5795ab3c858ce95c66982d486e19121fe9798c8164a26907cb16a

Download Submit