50a1f44956d3521d7cdaa719682646ee33f4936ed327a1d24274fa9a2eb37bea

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/07/2023, 16:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

786b8f45ff73b2_JC.exe
Size

168KB
MD5

786b8f45ff73b2908c621b972fdee5de
SHA1

85fa897507ef077b9fa00524c13c48646fc774dd
SHA256

50a1f44956d3521d7cdaa719682646ee33f4936ed327a1d24274fa9a2eb37bea
SHA512

c1610822833534227a6a5073a47f6f08d33402130dfee5d5a5b07e808b7f52800f70929459d3c42fc8f3dd95014f5820c7536b28cc90d068d197b95b97172a1e
SSDEEP

1536:1EGh0oilq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oilqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}\stubpath = "C:\\Windows\\{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe"	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}\stubpath = "C:\\Windows\\{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe"	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB2211B-6F95-4b38-B73D-C4F20805303A}\stubpath = "C:\\Windows\\{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe"	{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{350F4AF3-0DAB-40a6-AC28-6C103C364C87}	{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{332E17A7-A085-4bb0-A315-232C37B7FBD3}\stubpath = "C:\\Windows\\{332E17A7-A085-4bb0-A315-232C37B7FBD3}.exe"	{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{556B88ED-D515-490e-B468-0AFBB6D4C3CA}	786b8f45ff73b2_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83FDDD9A-FE25-4902-810F-DEE4509579D2}	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83FDDD9A-FE25-4902-810F-DEE4509579D2}\stubpath = "C:\\Windows\\{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe"	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{350F4AF3-0DAB-40a6-AC28-6C103C364C87}\stubpath = "C:\\Windows\\{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe"	{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{332E17A7-A085-4bb0-A315-232C37B7FBD3}	{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{556B88ED-D515-490e-B468-0AFBB6D4C3CA}\stubpath = "C:\\Windows\\{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe"	786b8f45ff73b2_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF70282C-780D-4cf6-8F88-42878FC46236}\stubpath = "C:\\Windows\\{EF70282C-780D-4cf6-8F88-42878FC46236}.exe"	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}\stubpath = "C:\\Windows\\{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe"	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AB2211B-6F95-4b38-B73D-C4F20805303A}	{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{100BA6C2-0F4F-44ca-A268-96250471DF4F}	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{100BA6C2-0F4F-44ca-A268-96250471DF4F}\stubpath = "C:\\Windows\\{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe"	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EF70282C-780D-4cf6-8F88-42878FC46236}	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}\stubpath = "C:\\Windows\\{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe"	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe

Deletes itself 1 IoCs

pid	Process
2140	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2360	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe
2500	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe
2844	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe
2960	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe
3012	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe
2996	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe
2888	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe
2728	{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe
2492	{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe
2700	{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe
1668	{332E17A7-A085-4bb0-A315-232C37B7FBD3}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe	786b8f45ff73b2_JC.exe
File created	C:\Windows\{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe
File created	C:\Windows\{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe
File created	C:\Windows\{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe
File created	C:\Windows\{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe	{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe
File created	C:\Windows\{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe
File created	C:\Windows\{EF70282C-780D-4cf6-8F88-42878FC46236}.exe	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe
File created	C:\Windows\{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe
File created	C:\Windows\{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe
File created	C:\Windows\{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe	{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe
File created	C:\Windows\{332E17A7-A085-4bb0-A315-232C37B7FBD3}.exe	{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2796	786b8f45ff73b2_JC.exe
Token: SeIncBasePriorityPrivilege	2360	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe
Token: SeIncBasePriorityPrivilege	2500	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe
Token: SeIncBasePriorityPrivilege	2844	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe
Token: SeIncBasePriorityPrivilege	2960	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe
Token: SeIncBasePriorityPrivilege	3012	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe
Token: SeIncBasePriorityPrivilege	2996	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe
Token: SeIncBasePriorityPrivilege	2888	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe
Token: SeIncBasePriorityPrivilege	2728	{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe
Token: SeIncBasePriorityPrivilege	2492	{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe
Token: SeIncBasePriorityPrivilege	2700	{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2360	2796	786b8f45ff73b2_JC.exe	28
PID 2796 wrote to memory of 2360	2796	786b8f45ff73b2_JC.exe	28
PID 2796 wrote to memory of 2360	2796	786b8f45ff73b2_JC.exe	28
PID 2796 wrote to memory of 2360	2796	786b8f45ff73b2_JC.exe	28
PID 2796 wrote to memory of 2140	2796	786b8f45ff73b2_JC.exe	29
PID 2796 wrote to memory of 2140	2796	786b8f45ff73b2_JC.exe	29
PID 2796 wrote to memory of 2140	2796	786b8f45ff73b2_JC.exe	29
PID 2796 wrote to memory of 2140	2796	786b8f45ff73b2_JC.exe	29
PID 2360 wrote to memory of 2500	2360	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe	32
PID 2360 wrote to memory of 2500	2360	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe	32
PID 2360 wrote to memory of 2500	2360	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe	32
PID 2360 wrote to memory of 2500	2360	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe	32
PID 2360 wrote to memory of 1044	2360	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe	33
PID 2360 wrote to memory of 1044	2360	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe	33
PID 2360 wrote to memory of 1044	2360	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe	33
PID 2360 wrote to memory of 1044	2360	{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe	33
PID 2500 wrote to memory of 2844	2500	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe	34
PID 2500 wrote to memory of 2844	2500	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe	34
PID 2500 wrote to memory of 2844	2500	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe	34
PID 2500 wrote to memory of 2844	2500	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe	34
PID 2500 wrote to memory of 2940	2500	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe	35
PID 2500 wrote to memory of 2940	2500	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe	35
PID 2500 wrote to memory of 2940	2500	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe	35
PID 2500 wrote to memory of 2940	2500	{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe	35
PID 2844 wrote to memory of 2960	2844	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe	36
PID 2844 wrote to memory of 2960	2844	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe	36
PID 2844 wrote to memory of 2960	2844	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe	36
PID 2844 wrote to memory of 2960	2844	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe	36
PID 2844 wrote to memory of 2860	2844	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe	37
PID 2844 wrote to memory of 2860	2844	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe	37
PID 2844 wrote to memory of 2860	2844	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe	37
PID 2844 wrote to memory of 2860	2844	{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe	37
PID 2960 wrote to memory of 3012	2960	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe	38
PID 2960 wrote to memory of 3012	2960	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe	38
PID 2960 wrote to memory of 3012	2960	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe	38
PID 2960 wrote to memory of 3012	2960	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe	38
PID 2960 wrote to memory of 2920	2960	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe	39
PID 2960 wrote to memory of 2920	2960	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe	39
PID 2960 wrote to memory of 2920	2960	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe	39
PID 2960 wrote to memory of 2920	2960	{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe	39
PID 3012 wrote to memory of 2996	3012	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe	40
PID 3012 wrote to memory of 2996	3012	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe	40
PID 3012 wrote to memory of 2996	3012	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe	40
PID 3012 wrote to memory of 2996	3012	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe	40
PID 3012 wrote to memory of 2144	3012	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe	41
PID 3012 wrote to memory of 2144	3012	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe	41
PID 3012 wrote to memory of 2144	3012	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe	41
PID 3012 wrote to memory of 2144	3012	{EF70282C-780D-4cf6-8F88-42878FC46236}.exe	41
PID 2996 wrote to memory of 2888	2996	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe	43
PID 2996 wrote to memory of 2888	2996	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe	43
PID 2996 wrote to memory of 2888	2996	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe	43
PID 2996 wrote to memory of 2888	2996	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe	43
PID 2996 wrote to memory of 2948	2996	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe	42
PID 2996 wrote to memory of 2948	2996	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe	42
PID 2996 wrote to memory of 2948	2996	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe	42
PID 2996 wrote to memory of 2948	2996	{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe	42
PID 2888 wrote to memory of 2728	2888	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe	44
PID 2888 wrote to memory of 2728	2888	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe	44
PID 2888 wrote to memory of 2728	2888	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe	44
PID 2888 wrote to memory of 2728	2888	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe	44
PID 2888 wrote to memory of 2788	2888	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe	45
PID 2888 wrote to memory of 2788	2888	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe	45
PID 2888 wrote to memory of 2788	2888	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe	45
PID 2888 wrote to memory of 2788	2888	{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe	45

C:\Users\Admin\AppData\Local\Temp\786b8f45ff73b2_JC.exe
"C:\Users\Admin\AppData\Local\Temp\786b8f45ff73b2_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe
  C:\Windows\{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe
    C:\Windows\{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe
      C:\Windows\{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe
        
        C:\Windows\{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
      - C:\Windows\{EF70282C-780D-4cf6-8F88-42878FC46236}.exe
        
        C:\Windows\{EF70282C-780D-4cf6-8F88-42878FC46236}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe
        
        C:\Windows\{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83FDD~1.EXE > nul
        8⤵
        
        PID:2948
        
        C:\Windows\{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe
        
        C:\Windows\{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
        
        C:\Windows\{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe
        
        C:\Windows\{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe
        
        C:\Windows\{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AB22~1.EXE > nul
        11⤵
        
        PID:692
        
        C:\Windows\{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe
        
        C:\Windows\{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\{332E17A7-A085-4bb0-A315-232C37B7FBD3}.exe
        
        C:\Windows\{332E17A7-A085-4bb0-A315-232C37B7FBD3}.exe
        12⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{350F4~1.EXE > nul
        12⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1500F~1.EXE > nul
        10⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D2B5~1.EXE > nul
        9⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EF702~1.EXE > nul
        7⤵
        
        PID:2144
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{100BA~1.EXE > nul
        6⤵
        
        PID:2920
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A2F0~1.EXE > nul
        5⤵
        
        PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B8B94~1.EXE > nul
      4⤵
      PID:2940
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{556B8~1.EXE > nul
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\786B8F~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2140

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe

Filesize
168KB

MD5
2f2b8d6894c00a2d85986f528d4e4c13

SHA1
399fdb89003fcb6e6c4c1f714d57dbf22ffab18b

SHA256
b5c195ca34c777988a4b24a99a848bf1aeca7571fdd6441886403dbed1aeec09

SHA512
eb996d9829f298830fa492b0b066cc76e67f7f0c0c54eaee3d075b0f6c4fee2f8b52ac727780ee615ff197e1f95a1d1d57fee9910fc0aa0b8034f1aefe20d7cf

Download Submit
C:\Windows\{100BA6C2-0F4F-44ca-A268-96250471DF4F}.exe

Filesize
168KB

MD5
2f2b8d6894c00a2d85986f528d4e4c13

SHA1
399fdb89003fcb6e6c4c1f714d57dbf22ffab18b

SHA256
b5c195ca34c777988a4b24a99a848bf1aeca7571fdd6441886403dbed1aeec09

SHA512
eb996d9829f298830fa492b0b066cc76e67f7f0c0c54eaee3d075b0f6c4fee2f8b52ac727780ee615ff197e1f95a1d1d57fee9910fc0aa0b8034f1aefe20d7cf

Download Submit
C:\Windows\{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe

Filesize
168KB

MD5
87c326015f8722e0011efee4ef2ed5ec

SHA1
20baa91906a90b78447101955e33d6bce386667e

SHA256
6553d10df389348a8f4f3494e4d0d3eff12d3b4025340e1e65761b1897141ac4

SHA512
17c7e06da55def5cd71cf71b12a54dfe49427d7e234cd0bd81124d7a7c4b81ba075a1d02527910179c0c7c27109495dbf2211b21fd2cdf7b9c9376c025e38ade

Download Submit
C:\Windows\{1500FCB5-F4BD-44aa-B263-C3AF9D840EE8}.exe

Filesize
168KB

MD5
87c326015f8722e0011efee4ef2ed5ec

SHA1
20baa91906a90b78447101955e33d6bce386667e

SHA256
6553d10df389348a8f4f3494e4d0d3eff12d3b4025340e1e65761b1897141ac4

SHA512
17c7e06da55def5cd71cf71b12a54dfe49427d7e234cd0bd81124d7a7c4b81ba075a1d02527910179c0c7c27109495dbf2211b21fd2cdf7b9c9376c025e38ade

Download Submit
C:\Windows\{332E17A7-A085-4bb0-A315-232C37B7FBD3}.exe

Filesize
168KB

MD5
d40478a9f947f7f4e6da96591fa1195b

SHA1
fdafca0783d0a290cab01e5c5b6e957f80aa44de

SHA256
4164b4301eeaefa077d68993137eaf0ed1d6bf05c26e84e052cfe8cd62457053

SHA512
cc3e9095cd13f55e71c5aa9a515727876b3711f39f8780556eeb9e49295764d45f068efd2b86dd54df15222ca233ac75855a2112595af7001837ce84e5df1f8e

Download Submit
C:\Windows\{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe

Filesize
168KB

MD5
8ea2946990cbeff7c79517d93de88cd4

SHA1
50450866e5737b1c2af21df7bd7937dc2f4148fd

SHA256
e2ec07f2b60de8181d5e4139f1e94f51fc2af63989449e8e3003420075254ea4

SHA512
0e9a9d82c4cfb8e5b0d72a5ed9a67f7ff215d56f61d05345ab87f8e1c2386cad04a24a0c74b0930e4507d307490976442a06d9fc68cdec5f48da8ae99f1dade3

Download Submit
C:\Windows\{350F4AF3-0DAB-40a6-AC28-6C103C364C87}.exe

Filesize
168KB

MD5
8ea2946990cbeff7c79517d93de88cd4

SHA1
50450866e5737b1c2af21df7bd7937dc2f4148fd

SHA256
e2ec07f2b60de8181d5e4139f1e94f51fc2af63989449e8e3003420075254ea4

SHA512
0e9a9d82c4cfb8e5b0d72a5ed9a67f7ff215d56f61d05345ab87f8e1c2386cad04a24a0c74b0930e4507d307490976442a06d9fc68cdec5f48da8ae99f1dade3

Download Submit
C:\Windows\{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe

Filesize
168KB

MD5
045eee68274bcbf5554f797049a64ef2

SHA1
daf6e4f2618ea61b3d0632287e291b124db55ec3

SHA256
244a183f47ad942ac22957a5f7404eb0e1226377cf1e175203583b42ec3ab20e

SHA512
f8feb7f9a82000fb60cadd37601a494fb1191ae82690d862bd24dd2512a9a257ddbb40656d1b26d9445bb89872bdfb8beb14f86f7ea64c0c3e80e1267e7e24da

Download Submit
C:\Windows\{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe

Filesize
168KB

MD5
045eee68274bcbf5554f797049a64ef2

SHA1
daf6e4f2618ea61b3d0632287e291b124db55ec3

SHA256
244a183f47ad942ac22957a5f7404eb0e1226377cf1e175203583b42ec3ab20e

SHA512
f8feb7f9a82000fb60cadd37601a494fb1191ae82690d862bd24dd2512a9a257ddbb40656d1b26d9445bb89872bdfb8beb14f86f7ea64c0c3e80e1267e7e24da

Download Submit
C:\Windows\{556B88ED-D515-490e-B468-0AFBB6D4C3CA}.exe

Filesize
168KB

MD5
045eee68274bcbf5554f797049a64ef2

SHA1
daf6e4f2618ea61b3d0632287e291b124db55ec3

SHA256
244a183f47ad942ac22957a5f7404eb0e1226377cf1e175203583b42ec3ab20e

SHA512
f8feb7f9a82000fb60cadd37601a494fb1191ae82690d862bd24dd2512a9a257ddbb40656d1b26d9445bb89872bdfb8beb14f86f7ea64c0c3e80e1267e7e24da

Download Submit
C:\Windows\{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe

Filesize
168KB

MD5
5529f8de4b12d89f553b13c7ab2564c0

SHA1
e1164ffeebddf7a88b7ccad3c39aad137c83f71d

SHA256
e085480a239dfd0879be8a99f77c0a6d6d750552e5d0884bea61561bbffe41f8

SHA512
f4313fb33c67e12196fc573a995d7953dbe180bb5cff0a211173f7a4916b681aae00109914ad1d9d995f08d907f541b70496039b20f7dd19c925baa1cc5009b1

Download Submit
C:\Windows\{83FDDD9A-FE25-4902-810F-DEE4509579D2}.exe

Filesize
168KB

MD5
5529f8de4b12d89f553b13c7ab2564c0

SHA1
e1164ffeebddf7a88b7ccad3c39aad137c83f71d

SHA256
e085480a239dfd0879be8a99f77c0a6d6d750552e5d0884bea61561bbffe41f8

SHA512
f4313fb33c67e12196fc573a995d7953dbe180bb5cff0a211173f7a4916b681aae00109914ad1d9d995f08d907f541b70496039b20f7dd19c925baa1cc5009b1

Download Submit
C:\Windows\{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe

Filesize
168KB

MD5
7d0fab390c381a02f2bb40c6a7523564

SHA1
5fce04c0bad58ad44b038fac354ff3d5d7acd11a

SHA256
30ce539d9e5b54246fdaa1732d8de939d7a722a395fe4c322ebd92fd377027c9

SHA512
25ab06686bcdd34a8c7cc0aade565cdaeb542cfe61d60d35c84cc43f3566309ee9c1dd48ad2b7648864ceb2d724d00b593a342410a4d3a9155dedb3001cf1fca

Download Submit
C:\Windows\{8AB2211B-6F95-4b38-B73D-C4F20805303A}.exe

Filesize
168KB

MD5
7d0fab390c381a02f2bb40c6a7523564

SHA1
5fce04c0bad58ad44b038fac354ff3d5d7acd11a

SHA256
30ce539d9e5b54246fdaa1732d8de939d7a722a395fe4c322ebd92fd377027c9

SHA512
25ab06686bcdd34a8c7cc0aade565cdaeb542cfe61d60d35c84cc43f3566309ee9c1dd48ad2b7648864ceb2d724d00b593a342410a4d3a9155dedb3001cf1fca

Download Submit
C:\Windows\{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe

Filesize
168KB

MD5
ab34b0e55d037630c69be4fe12f1ad3b

SHA1
5d16377042f2c395495c38efd38df35f7461ea12

SHA256
11c8205ccb754a2b7e5ce9a8573c5b8012fa5b383cba2b159b2327133b4a83b6

SHA512
a8462e7bca77b182299a903272e6a023e9f9356d144950a2dad8919c41f548bb1c292f584a2dfbdfac88cfab9592521922d38a6c01acbf56e1338275f7510cd0

Download Submit
C:\Windows\{8D2B559A-F16E-4ca7-8B9E-B93B5C8D224A}.exe

Filesize
168KB

MD5
ab34b0e55d037630c69be4fe12f1ad3b

SHA1
5d16377042f2c395495c38efd38df35f7461ea12

SHA256
11c8205ccb754a2b7e5ce9a8573c5b8012fa5b383cba2b159b2327133b4a83b6

SHA512
a8462e7bca77b182299a903272e6a023e9f9356d144950a2dad8919c41f548bb1c292f584a2dfbdfac88cfab9592521922d38a6c01acbf56e1338275f7510cd0

Download Submit
C:\Windows\{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe

Filesize
168KB

MD5
7d75383ab3d2e20365a402405b8c945c

SHA1
ba0646f58ada855910df4456c116dbf15f6c75f6

SHA256
94c8dfe7adb21b58dc8bf53403019cd3acaec71926bcd129b44262fb5fc27f25

SHA512
f9639abd106c1a9972f184674754e73accf79ed6ebec1d5ca4cc735b415269511a8234950da51b0d304aa74e42af9109b654caa60ea08b9730ad66606d657d78

Download Submit
C:\Windows\{9A2F08EC-2325-4cfa-BA4B-6C2EA809D2C3}.exe

Filesize
168KB

MD5
7d75383ab3d2e20365a402405b8c945c

SHA1
ba0646f58ada855910df4456c116dbf15f6c75f6

SHA256
94c8dfe7adb21b58dc8bf53403019cd3acaec71926bcd129b44262fb5fc27f25

SHA512
f9639abd106c1a9972f184674754e73accf79ed6ebec1d5ca4cc735b415269511a8234950da51b0d304aa74e42af9109b654caa60ea08b9730ad66606d657d78

Download Submit
C:\Windows\{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe

Filesize
168KB

MD5
5bd93ffa432cf0cd34883952d06fbd89

SHA1
f87f16904cc67020f172c4a083f7eb1a64501aac

SHA256
48e3b0f384e13ed2c2cb038ad1cd4835d9b3a7dcc741405d602e4a80e9f10b87

SHA512
06ef27e7d88c2a0a9d59491ed4938b13f8205289eed4744cfc73422cb1941712ba01563da79dec5bff354d9f6a7db9bd251ca1c1ce52050782b1860b18869d69

Download Submit
C:\Windows\{B8B94DF0-88BF-4ee9-891E-58FF24E9FF05}.exe

Filesize
168KB

MD5
5bd93ffa432cf0cd34883952d06fbd89

SHA1
f87f16904cc67020f172c4a083f7eb1a64501aac

SHA256
48e3b0f384e13ed2c2cb038ad1cd4835d9b3a7dcc741405d602e4a80e9f10b87

SHA512
06ef27e7d88c2a0a9d59491ed4938b13f8205289eed4744cfc73422cb1941712ba01563da79dec5bff354d9f6a7db9bd251ca1c1ce52050782b1860b18869d69

Download Submit
C:\Windows\{EF70282C-780D-4cf6-8F88-42878FC46236}.exe

Filesize
168KB

MD5
6a4b0d7ae71de7b171046f754a9f0359

SHA1
2428af321558b47a269b3f4bc0e917aa2beeb82d

SHA256
588de4033db2795b8d0b3219d3170d616f34e7e3e831357cc392d2b93aea4256

SHA512
bbdc880c4c022cbace2cd5008e959cef9ccd0742eec39a109087772bc0a415ca0f0a8c1e8e612cc5b49ec5268b64c6d851622e32fda155c546fba185c06fd879

Download Submit
C:\Windows\{EF70282C-780D-4cf6-8F88-42878FC46236}.exe

Filesize
168KB

MD5
6a4b0d7ae71de7b171046f754a9f0359

SHA1
2428af321558b47a269b3f4bc0e917aa2beeb82d

SHA256
588de4033db2795b8d0b3219d3170d616f34e7e3e831357cc392d2b93aea4256

SHA512
bbdc880c4c022cbace2cd5008e959cef9ccd0742eec39a109087772bc0a415ca0f0a8c1e8e612cc5b49ec5268b64c6d851622e32fda155c546fba185c06fd879

Download Submit