f1164fc9e43da66883ca128c611c2463a473c2807527bc9293ddf56932bb1e49

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/07/2023, 11:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

687e8e3dc53c70_JC.exe
Size

168KB
MD5

687e8e3dc53c70c43f9f9f7e2dbad89a
SHA1

95793278be6b19e5b79bd37a51227e7c71dae1c6
SHA256

f1164fc9e43da66883ca128c611c2463a473c2807527bc9293ddf56932bb1e49
SHA512

f49352f5f8fcbd6bb15b17bdd48e16573dea616960e53f9728eaf38c5b3721dc09d3674837c2c25c43f1cfee338b3a4ec985c1eedf2327da3ed2f74b27c80040
SSDEEP

1536:1EGh0oLlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oLlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35522148-EA8B-43b5-A113-CC718766658C}	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10D4C12-1A61-432d-9AA7-B3D8466D285C}\stubpath = "C:\\Windows\\{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe"	{35522148-EA8B-43b5-A113-CC718766658C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71C57602-A907-4613-8388-FA56FB0D5E6C}\stubpath = "C:\\Windows\\{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe"	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}\stubpath = "C:\\Windows\\{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe"	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EC21F4B-6A57-4994-889A-2E60161DAF7F}	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC21B86C-126C-4796-9EC7-B70FC89F535C}\stubpath = "C:\\Windows\\{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe"	687e8e3dc53c70_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D373FD93-E835-4913-B4DA-6AF64CF99C3D}	{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}\stubpath = "C:\\Windows\\{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe"	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59A09774-93F2-4e5a-BC7A-7C3527AF2119}	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A10D4C12-1A61-432d-9AA7-B3D8466D285C}	{35522148-EA8B-43b5-A113-CC718766658C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C30A1A-B115-4864-B6BC-1006B7C242F4}	{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BC21B86C-126C-4796-9EC7-B70FC89F535C}	687e8e3dc53c70_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4EC21F4B-6A57-4994-889A-2E60161DAF7F}\stubpath = "C:\\Windows\\{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe"	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}	{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92C30A1A-B115-4864-B6BC-1006B7C242F4}\stubpath = "C:\\Windows\\{92C30A1A-B115-4864-B6BC-1006B7C242F4}.exe"	{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35522148-EA8B-43b5-A113-CC718766658C}\stubpath = "C:\\Windows\\{35522148-EA8B-43b5-A113-CC718766658C}.exe"	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71C57602-A907-4613-8388-FA56FB0D5E6C}	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D373FD93-E835-4913-B4DA-6AF64CF99C3D}\stubpath = "C:\\Windows\\{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe"	{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}\stubpath = "C:\\Windows\\{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe"	{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59A09774-93F2-4e5a-BC7A-7C3527AF2119}\stubpath = "C:\\Windows\\{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe"	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe

Deletes itself 1 IoCs

pid	Process
948	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1192	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe
2284	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe
2516	{35522148-EA8B-43b5-A113-CC718766658C}.exe
1156	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe
2932	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe
3000	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe
2984	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe
2744	{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe
2764	{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe
2780	{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe
368	{92C30A1A-B115-4864-B6BC-1006B7C242F4}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe
File created	C:\Windows\{35522148-EA8B-43b5-A113-CC718766658C}.exe	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe
File created	C:\Windows\{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe	{35522148-EA8B-43b5-A113-CC718766658C}.exe
File created	C:\Windows\{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe
File created	C:\Windows\{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe
File created	C:\Windows\{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe
File created	C:\Windows\{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe	{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe
File created	C:\Windows\{92C30A1A-B115-4864-B6BC-1006B7C242F4}.exe	{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe
File created	C:\Windows\{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe	687e8e3dc53c70_JC.exe
File created	C:\Windows\{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe
File created	C:\Windows\{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe	{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	840	687e8e3dc53c70_JC.exe
Token: SeIncBasePriorityPrivilege	1192	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe
Token: SeIncBasePriorityPrivilege	2284	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe
Token: SeIncBasePriorityPrivilege	2516	{35522148-EA8B-43b5-A113-CC718766658C}.exe
Token: SeIncBasePriorityPrivilege	1156	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe
Token: SeIncBasePriorityPrivilege	2932	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe
Token: SeIncBasePriorityPrivilege	3000	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe
Token: SeIncBasePriorityPrivilege	2984	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe
Token: SeIncBasePriorityPrivilege	2744	{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe
Token: SeIncBasePriorityPrivilege	2764	{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe
Token: SeIncBasePriorityPrivilege	2780	{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1192	840	687e8e3dc53c70_JC.exe	28
PID 840 wrote to memory of 1192	840	687e8e3dc53c70_JC.exe	28
PID 840 wrote to memory of 1192	840	687e8e3dc53c70_JC.exe	28
PID 840 wrote to memory of 1192	840	687e8e3dc53c70_JC.exe	28
PID 840 wrote to memory of 948	840	687e8e3dc53c70_JC.exe	29
PID 840 wrote to memory of 948	840	687e8e3dc53c70_JC.exe	29
PID 840 wrote to memory of 948	840	687e8e3dc53c70_JC.exe	29
PID 840 wrote to memory of 948	840	687e8e3dc53c70_JC.exe	29
PID 1192 wrote to memory of 2284	1192	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe	32
PID 1192 wrote to memory of 2284	1192	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe	32
PID 1192 wrote to memory of 2284	1192	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe	32
PID 1192 wrote to memory of 2284	1192	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe	32
PID 1192 wrote to memory of 1984	1192	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe	33
PID 1192 wrote to memory of 1984	1192	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe	33
PID 1192 wrote to memory of 1984	1192	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe	33
PID 1192 wrote to memory of 1984	1192	{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe	33
PID 2284 wrote to memory of 2516	2284	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe	35
PID 2284 wrote to memory of 2516	2284	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe	35
PID 2284 wrote to memory of 2516	2284	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe	35
PID 2284 wrote to memory of 2516	2284	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe	35
PID 2284 wrote to memory of 2232	2284	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe	34
PID 2284 wrote to memory of 2232	2284	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe	34
PID 2284 wrote to memory of 2232	2284	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe	34
PID 2284 wrote to memory of 2232	2284	{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe	34
PID 2516 wrote to memory of 1156	2516	{35522148-EA8B-43b5-A113-CC718766658C}.exe	36
PID 2516 wrote to memory of 1156	2516	{35522148-EA8B-43b5-A113-CC718766658C}.exe	36
PID 2516 wrote to memory of 1156	2516	{35522148-EA8B-43b5-A113-CC718766658C}.exe	36
PID 2516 wrote to memory of 1156	2516	{35522148-EA8B-43b5-A113-CC718766658C}.exe	36
PID 2516 wrote to memory of 2100	2516	{35522148-EA8B-43b5-A113-CC718766658C}.exe	37
PID 2516 wrote to memory of 2100	2516	{35522148-EA8B-43b5-A113-CC718766658C}.exe	37
PID 2516 wrote to memory of 2100	2516	{35522148-EA8B-43b5-A113-CC718766658C}.exe	37
PID 2516 wrote to memory of 2100	2516	{35522148-EA8B-43b5-A113-CC718766658C}.exe	37
PID 1156 wrote to memory of 2932	1156	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe	39
PID 1156 wrote to memory of 2932	1156	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe	39
PID 1156 wrote to memory of 2932	1156	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe	39
PID 1156 wrote to memory of 2932	1156	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe	39
PID 1156 wrote to memory of 2960	1156	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe	38
PID 1156 wrote to memory of 2960	1156	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe	38
PID 1156 wrote to memory of 2960	1156	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe	38
PID 1156 wrote to memory of 2960	1156	{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe	38
PID 2932 wrote to memory of 3000	2932	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe	40
PID 2932 wrote to memory of 3000	2932	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe	40
PID 2932 wrote to memory of 3000	2932	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe	40
PID 2932 wrote to memory of 3000	2932	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe	40
PID 2932 wrote to memory of 2724	2932	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe	41
PID 2932 wrote to memory of 2724	2932	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe	41
PID 2932 wrote to memory of 2724	2932	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe	41
PID 2932 wrote to memory of 2724	2932	{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe	41
PID 3000 wrote to memory of 2984	3000	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe	42
PID 3000 wrote to memory of 2984	3000	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe	42
PID 3000 wrote to memory of 2984	3000	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe	42
PID 3000 wrote to memory of 2984	3000	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe	42
PID 3000 wrote to memory of 2836	3000	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe	43
PID 3000 wrote to memory of 2836	3000	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe	43
PID 3000 wrote to memory of 2836	3000	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe	43
PID 3000 wrote to memory of 2836	3000	{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe	43
PID 2984 wrote to memory of 2744	2984	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe	44
PID 2984 wrote to memory of 2744	2984	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe	44
PID 2984 wrote to memory of 2744	2984	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe	44
PID 2984 wrote to memory of 2744	2984	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe	44
PID 2984 wrote to memory of 1088	2984	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe	45
PID 2984 wrote to memory of 1088	2984	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe	45
PID 2984 wrote to memory of 1088	2984	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe	45
PID 2984 wrote to memory of 1088	2984	{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe	45

C:\Users\Admin\AppData\Local\Temp\687e8e3dc53c70_JC.exe
"C:\Users\Admin\AppData\Local\Temp\687e8e3dc53c70_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840
- C:\Windows\{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe
  C:\Windows\{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe
    C:\Windows\{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{59A09~1.EXE > nul
      4⤵
      PID:2232
  - - C:\Windows\{35522148-EA8B-43b5-A113-CC718766658C}.exe
      C:\Windows\{35522148-EA8B-43b5-A113-CC718766658C}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2516
    - - C:\Windows\{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe
        
        C:\Windows\{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A10D4~1.EXE > nul
        6⤵
        
        PID:2960
      - C:\Windows\{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe
        
        C:\Windows\{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe
        
        C:\Windows\{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe
        
        C:\Windows\{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe
        
        C:\Windows\{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA593~1.EXE > nul
        10⤵
        
        PID:2728
        
        C:\Windows\{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe
        
        C:\Windows\{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D373F~1.EXE > nul
        11⤵
        
        PID:1888
        
        C:\Windows\{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe
        
        C:\Windows\{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D378A~1.EXE > nul
        12⤵
        
        PID:1208
        
        C:\Windows\{92C30A1A-B115-4864-B6BC-1006B7C242F4}.exe
        
        C:\Windows\{92C30A1A-B115-4864-B6BC-1006B7C242F4}.exe
        12⤵
        Executes dropped EXE
        
        PID:368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4EC21~1.EXE > nul
        9⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB2F8~1.EXE > nul
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71C57~1.EXE > nul
        7⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35522~1.EXE > nul
        5⤵
        
        PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BC21B~1.EXE > nul
    3⤵
    PID:1984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\687E8E~1.EXE > nul
  2⤵
  - Deletes itself
  PID:948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{35522148-EA8B-43b5-A113-CC718766658C}.exe

Filesize
168KB

MD5
e76a69165f54c4ab38f712e2fbef4c2d

SHA1
98f4364a1309106d114e5be924b4fbbd2eb583b2

SHA256
41de79a74aef575fa9695695ec70f0fa9bb3cdac69d69a0773b62e2197d35be0

SHA512
2e14a4d39e54d95487abbf3a8eb081deb2189684e94d85a86e7d4823f666f0ae864d79c384dd8976dcf7f4aead7897304d828a010ec2f8db07ad5a3072071e7e

Download Submit
C:\Windows\{35522148-EA8B-43b5-A113-CC718766658C}.exe

Filesize
168KB

MD5
e76a69165f54c4ab38f712e2fbef4c2d

SHA1
98f4364a1309106d114e5be924b4fbbd2eb583b2

SHA256
41de79a74aef575fa9695695ec70f0fa9bb3cdac69d69a0773b62e2197d35be0

SHA512
2e14a4d39e54d95487abbf3a8eb081deb2189684e94d85a86e7d4823f666f0ae864d79c384dd8976dcf7f4aead7897304d828a010ec2f8db07ad5a3072071e7e

Download Submit
C:\Windows\{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe

Filesize
168KB

MD5
4bad75b52b0e757c24dd2399e8274647

SHA1
b340d8dc038ea2daaf41c835bccfd250e4d8cdbf

SHA256
402c080f0d6825111d717cceb0f0445db8c96a8a28475efca95ec2f3eaa3802a

SHA512
1e806cb3cf98f4b58573662e521352fa36e4bd3ecada87459faaeadcb8e55ae263bbb419fc963e974d8790a02f01af8594e5a9297917a7734be6f432d3068641

Download Submit
C:\Windows\{4EC21F4B-6A57-4994-889A-2E60161DAF7F}.exe

Filesize
168KB

MD5
4bad75b52b0e757c24dd2399e8274647

SHA1
b340d8dc038ea2daaf41c835bccfd250e4d8cdbf

SHA256
402c080f0d6825111d717cceb0f0445db8c96a8a28475efca95ec2f3eaa3802a

SHA512
1e806cb3cf98f4b58573662e521352fa36e4bd3ecada87459faaeadcb8e55ae263bbb419fc963e974d8790a02f01af8594e5a9297917a7734be6f432d3068641

Download Submit
C:\Windows\{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe

Filesize
168KB

MD5
1c880f195a08f6db6706a3b1bef5d648

SHA1
eae0266ab1d89d7a7d0e2fe7c8837b5943e59fa4

SHA256
6e3c6c187526de72fb52dcf1ac967157b13565bae66d3b66ee72ba1232b9bbfa

SHA512
8494292bcf96809b91a180f25f44e9b5cc4c793f65826c8291d5f3682858f36faeea80c2d53f15274b6aebf0139935f3987a2fd58313b14dcd9e9fe868235226

Download Submit
C:\Windows\{59A09774-93F2-4e5a-BC7A-7C3527AF2119}.exe

Filesize
168KB

MD5
1c880f195a08f6db6706a3b1bef5d648

SHA1
eae0266ab1d89d7a7d0e2fe7c8837b5943e59fa4

SHA256
6e3c6c187526de72fb52dcf1ac967157b13565bae66d3b66ee72ba1232b9bbfa

SHA512
8494292bcf96809b91a180f25f44e9b5cc4c793f65826c8291d5f3682858f36faeea80c2d53f15274b6aebf0139935f3987a2fd58313b14dcd9e9fe868235226

Download Submit
C:\Windows\{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe

Filesize
168KB

MD5
6f74a5b57270d92a0afc85274b8ac94f

SHA1
195cd86187d67841f5ea45b0fdc98c45fe773039

SHA256
a744d8ab8ea7abb0250cfa451d85a8b7c3a46842db49d6110239372f1d3d1698

SHA512
bf77e4f6551e1d10acd9c8a3a8b949b02196df3797812314e34e0b6799a784a01cd158f40177e6cd82b868db00293df1528a233e5a4a73eabdc3141622675cb3

Download Submit
C:\Windows\{71C57602-A907-4613-8388-FA56FB0D5E6C}.exe

Filesize
168KB

MD5
6f74a5b57270d92a0afc85274b8ac94f

SHA1
195cd86187d67841f5ea45b0fdc98c45fe773039

SHA256
a744d8ab8ea7abb0250cfa451d85a8b7c3a46842db49d6110239372f1d3d1698

SHA512
bf77e4f6551e1d10acd9c8a3a8b949b02196df3797812314e34e0b6799a784a01cd158f40177e6cd82b868db00293df1528a233e5a4a73eabdc3141622675cb3

Download Submit
C:\Windows\{92C30A1A-B115-4864-B6BC-1006B7C242F4}.exe

Filesize
168KB

MD5
c4718a04bfc9ceda5c5c6313ca0f753f

SHA1
ccb309db948592c5d84616e295083c078811e37b

SHA256
26954b84ac703d555bf72f370c595a9df48f85338d256b100907f4f971810453

SHA512
59e6130872c40cb508709809abb1d43d452fd9c86ee44ceb6e5cb9ad7f77381adefa2d7d458779131be7a0a84029ec54f76a778fca30944feb9ca64ba83c05be

Download Submit
C:\Windows\{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe

Filesize
168KB

MD5
a8d06e6cb77b0f7d8adfebf2cf745723

SHA1
9b8c0131226dd3989a66d09120af1fa4f9e73d75

SHA256
7d640fc858bbef7f6d95b4f08bb11520b4f590a11128b8959f4967b4d5e96182

SHA512
748d9b01a56ca696cbd310b72c743fcfbed21ca0222e85d4195df717d73dc13e6353363abff73f63f373f452679c55d8c505bf3d6f4daf0dffcfb3e5d57602f8

Download Submit
C:\Windows\{A10D4C12-1A61-432d-9AA7-B3D8466D285C}.exe

Filesize
168KB

MD5
a8d06e6cb77b0f7d8adfebf2cf745723

SHA1
9b8c0131226dd3989a66d09120af1fa4f9e73d75

SHA256
7d640fc858bbef7f6d95b4f08bb11520b4f590a11128b8959f4967b4d5e96182

SHA512
748d9b01a56ca696cbd310b72c743fcfbed21ca0222e85d4195df717d73dc13e6353363abff73f63f373f452679c55d8c505bf3d6f4daf0dffcfb3e5d57602f8

Download Submit
C:\Windows\{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe

Filesize
168KB

MD5
12e7064c70a48c12bbc3b36c4beb3145

SHA1
3dc011ac2a2fcc1e07effe2a019ca9b2b8cb965b

SHA256
20990c05d34426196cf1ee1eea32e056a1f899b95a2236ca7f40911a5ba62eeb

SHA512
a1b88c89dbf0d3ad3476df1785ecf8c8a973e2ac2f95e166025ff4b2c97a3c84519c5ce034d55f731d826f0016d4efe6bc61b60639c101554ac98ca0beba18e6

Download Submit
C:\Windows\{AA593BC2-6DED-4aee-82D4-BF57724C1AF2}.exe

Filesize
168KB

MD5
12e7064c70a48c12bbc3b36c4beb3145

SHA1
3dc011ac2a2fcc1e07effe2a019ca9b2b8cb965b

SHA256
20990c05d34426196cf1ee1eea32e056a1f899b95a2236ca7f40911a5ba62eeb

SHA512
a1b88c89dbf0d3ad3476df1785ecf8c8a973e2ac2f95e166025ff4b2c97a3c84519c5ce034d55f731d826f0016d4efe6bc61b60639c101554ac98ca0beba18e6

Download Submit
C:\Windows\{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe

Filesize
168KB

MD5
e36348f586242630f262a808723406ef

SHA1
0be9c6415fb8e7afbbab1a25dbe2c56909554d92

SHA256
9d7c4551ea5fa0ef4ea78e9753594520a2775242d8cc6efc876bf95b17f14995

SHA512
b7eb3b14f29762ae94b89369c4e0c190e80abd7a5f6ef0fdaa37bd81982f127d31257b7c90e1552ce79862ca596eaddf18a285f2190ae32e78cc16d8d5be8a40

Download Submit
C:\Windows\{AB2F87C1-1A91-495b-9AA7-A5A2482F9EC9}.exe

Filesize
168KB

MD5
e36348f586242630f262a808723406ef

SHA1
0be9c6415fb8e7afbbab1a25dbe2c56909554d92

SHA256
9d7c4551ea5fa0ef4ea78e9753594520a2775242d8cc6efc876bf95b17f14995

SHA512
b7eb3b14f29762ae94b89369c4e0c190e80abd7a5f6ef0fdaa37bd81982f127d31257b7c90e1552ce79862ca596eaddf18a285f2190ae32e78cc16d8d5be8a40

Download Submit
C:\Windows\{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe

Filesize
168KB

MD5
8eabeebf5ecdcd2f8e4c280e0dbdffe1

SHA1
d78a149b19d4386d7e4eda4546bd0396af873e75

SHA256
da485ad553bd55aaa32cc44b8d6e54cb95f42f7d9f415f97ad37f4770a9d7b88

SHA512
3b162e96e6cd02ff1963776893011332691b557951a936825792ef92ca086b08fd8287032258cb0511721a7f44404e6d8f96e6e97d019292f9db98ada1a1852c

Download Submit
C:\Windows\{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe

Filesize
168KB

MD5
8eabeebf5ecdcd2f8e4c280e0dbdffe1

SHA1
d78a149b19d4386d7e4eda4546bd0396af873e75

SHA256
da485ad553bd55aaa32cc44b8d6e54cb95f42f7d9f415f97ad37f4770a9d7b88

SHA512
3b162e96e6cd02ff1963776893011332691b557951a936825792ef92ca086b08fd8287032258cb0511721a7f44404e6d8f96e6e97d019292f9db98ada1a1852c

Download Submit
C:\Windows\{BC21B86C-126C-4796-9EC7-B70FC89F535C}.exe

Filesize
168KB

MD5
8eabeebf5ecdcd2f8e4c280e0dbdffe1

SHA1
d78a149b19d4386d7e4eda4546bd0396af873e75

SHA256
da485ad553bd55aaa32cc44b8d6e54cb95f42f7d9f415f97ad37f4770a9d7b88

SHA512
3b162e96e6cd02ff1963776893011332691b557951a936825792ef92ca086b08fd8287032258cb0511721a7f44404e6d8f96e6e97d019292f9db98ada1a1852c

Download Submit
C:\Windows\{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe

Filesize
168KB

MD5
520d636565425cb17a0970cdc7fa91cc

SHA1
102a8dc8c48521cf8e5bab08b8aca99ae140b059

SHA256
8cd2741a6234865f8a659710517a270f176529f01018d38a748bad7b975080b2

SHA512
b01c9464e48c4e5cfc362c2891734b3ea48a6fcef9643f632ec7ab1efcaead91a78fecf6d889c0db798174556446036ec2e0c09070ccb634e271408c3f6d4ec1

Download Submit
C:\Windows\{D373FD93-E835-4913-B4DA-6AF64CF99C3D}.exe

Filesize
168KB

MD5
520d636565425cb17a0970cdc7fa91cc

SHA1
102a8dc8c48521cf8e5bab08b8aca99ae140b059

SHA256
8cd2741a6234865f8a659710517a270f176529f01018d38a748bad7b975080b2

SHA512
b01c9464e48c4e5cfc362c2891734b3ea48a6fcef9643f632ec7ab1efcaead91a78fecf6d889c0db798174556446036ec2e0c09070ccb634e271408c3f6d4ec1

Download Submit
C:\Windows\{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe

Filesize
168KB

MD5
08bb37356fa5759643ab491f02f93963

SHA1
7ad0a675421e678094d5b50d65987b1c9143c965

SHA256
3f4182a6e8d5457cbe424400229545c29682d7f623f09c3b4c911b350bac18eb

SHA512
5240277ccbb5cd9b2685fd7286fb66598aa64f689b65a934640ac6ed346dd4e89e0838dd63d403ccf5b9193da98b283bee410171f8a0f545266ae92ed5fe8117

Download Submit
C:\Windows\{D378AD3C-2D18-4a84-8F5A-CCD254E25DAF}.exe

Filesize
168KB

MD5
08bb37356fa5759643ab491f02f93963

SHA1
7ad0a675421e678094d5b50d65987b1c9143c965

SHA256
3f4182a6e8d5457cbe424400229545c29682d7f623f09c3b4c911b350bac18eb

SHA512
5240277ccbb5cd9b2685fd7286fb66598aa64f689b65a934640ac6ed346dd4e89e0838dd63d403ccf5b9193da98b283bee410171f8a0f545266ae92ed5fe8117

Download Submit