b269366593e7d9015a62a989d54360d1449172092f650df2f9e74ce7ffd482bc

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
16/07/2023, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

791393ce21ee56_JC.exe
Size

216KB
MD5

791393ce21ee56da523401ce20781e96
SHA1

5a60e4008785d7e4e8f0c3e3eb6a79473d3488a9
SHA256

b269366593e7d9015a62a989d54360d1449172092f650df2f9e74ce7ffd482bc
SHA512

c1e40c19c0d68c36dda68eabcd78152c12b1e3b8e04a8814d631b81f3ef207b51ad7a6d5961a5ed473d71b98fff4441a51ad72b1547d5be873b890c8b1018a99
SSDEEP

3072:jEGh0oAl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGqlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46EFC717-8726-4221-8624-12BDC159B2EC}	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBE9CC7F-935A-4826-8EE8-864FE81DA109}	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F789FAF-CB97-4869-AF09-14AC6645DF8C}	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}\stubpath = "C:\\Windows\\{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe"	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}\stubpath = "C:\\Windows\\{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe"	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{234407C8-0924-4f1e-8801-89529EB6F8B5}\stubpath = "C:\\Windows\\{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe"	791393ce21ee56_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{46EFC717-8726-4221-8624-12BDC159B2EC}\stubpath = "C:\\Windows\\{46EFC717-8726-4221-8624-12BDC159B2EC}.exe"	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3F789FAF-CB97-4869-AF09-14AC6645DF8C}\stubpath = "C:\\Windows\\{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe"	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4559631-DD23-4107-A0EF-C91AEF644AF4}\stubpath = "C:\\Windows\\{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe"	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}\stubpath = "C:\\Windows\\{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe"	{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{782C9BA5-F63F-4233-91BD-7C5014B07D01}	{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{234407C8-0924-4f1e-8801-89529EB6F8B5}	791393ce21ee56_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C08872DE-98FD-4f7e-B416-88D8914C2E00}	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4559631-DD23-4107-A0EF-C91AEF644AF4}	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}	{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}\stubpath = "C:\\Windows\\{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe"	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C08872DE-98FD-4f7e-B416-88D8914C2E00}\stubpath = "C:\\Windows\\{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe"	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBE9CC7F-935A-4826-8EE8-864FE81DA109}\stubpath = "C:\\Windows\\{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe"	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}\stubpath = "C:\\Windows\\{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe"	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{782C9BA5-F63F-4233-91BD-7C5014B07D01}\stubpath = "C:\\Windows\\{782C9BA5-F63F-4233-91BD-7C5014B07D01}.exe"	{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe

Executes dropped EXE 12 IoCs

pid	Process
4644	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe
3208	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe
1256	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe
4180	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe
4772	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe
1924	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe
4296	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe
3716	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe
716	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe
4992	{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe
2792	{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe
2980	{782C9BA5-F63F-4233-91BD-7C5014B07D01}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe
File created	C:\Windows\{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe
File created	C:\Windows\{46EFC717-8726-4221-8624-12BDC159B2EC}.exe	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe
File created	C:\Windows\{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe
File created	C:\Windows\{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe
File created	C:\Windows\{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe
File created	C:\Windows\{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe
File created	C:\Windows\{782C9BA5-F63F-4233-91BD-7C5014B07D01}.exe	{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe
File created	C:\Windows\{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe	791393ce21ee56_JC.exe
File created	C:\Windows\{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe
File created	C:\Windows\{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe
File created	C:\Windows\{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe	{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4540	791393ce21ee56_JC.exe
Token: SeIncBasePriorityPrivilege	4644	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe
Token: SeIncBasePriorityPrivilege	3208	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe
Token: SeIncBasePriorityPrivilege	1256	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe
Token: SeIncBasePriorityPrivilege	4180	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe
Token: SeIncBasePriorityPrivilege	4772	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe
Token: SeIncBasePriorityPrivilege	1924	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe
Token: SeIncBasePriorityPrivilege	4296	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe
Token: SeIncBasePriorityPrivilege	3716	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe
Token: SeIncBasePriorityPrivilege	716	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe
Token: SeIncBasePriorityPrivilege	4992	{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe
Token: SeIncBasePriorityPrivilege	2792	{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4644	4540	791393ce21ee56_JC.exe	95
PID 4540 wrote to memory of 4644	4540	791393ce21ee56_JC.exe	95
PID 4540 wrote to memory of 4644	4540	791393ce21ee56_JC.exe	95
PID 4540 wrote to memory of 1580	4540	791393ce21ee56_JC.exe	96
PID 4540 wrote to memory of 1580	4540	791393ce21ee56_JC.exe	96
PID 4540 wrote to memory of 1580	4540	791393ce21ee56_JC.exe	96
PID 4644 wrote to memory of 3208	4644	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe	99
PID 4644 wrote to memory of 3208	4644	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe	99
PID 4644 wrote to memory of 3208	4644	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe	99
PID 4644 wrote to memory of 4612	4644	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe	100
PID 4644 wrote to memory of 4612	4644	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe	100
PID 4644 wrote to memory of 4612	4644	{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe	100
PID 3208 wrote to memory of 1256	3208	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe	102
PID 3208 wrote to memory of 1256	3208	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe	102
PID 3208 wrote to memory of 1256	3208	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe	102
PID 3208 wrote to memory of 4980	3208	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe	103
PID 3208 wrote to memory of 4980	3208	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe	103
PID 3208 wrote to memory of 4980	3208	{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe	103
PID 1256 wrote to memory of 4180	1256	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe	104
PID 1256 wrote to memory of 4180	1256	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe	104
PID 1256 wrote to memory of 4180	1256	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe	104
PID 1256 wrote to memory of 2476	1256	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe	105
PID 1256 wrote to memory of 2476	1256	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe	105
PID 1256 wrote to memory of 2476	1256	{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe	105
PID 4180 wrote to memory of 4772	4180	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe	106
PID 4180 wrote to memory of 4772	4180	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe	106
PID 4180 wrote to memory of 4772	4180	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe	106
PID 4180 wrote to memory of 5092	4180	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe	107
PID 4180 wrote to memory of 5092	4180	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe	107
PID 4180 wrote to memory of 5092	4180	{46EFC717-8726-4221-8624-12BDC159B2EC}.exe	107
PID 4772 wrote to memory of 1924	4772	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe	108
PID 4772 wrote to memory of 1924	4772	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe	108
PID 4772 wrote to memory of 1924	4772	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe	108
PID 4772 wrote to memory of 2248	4772	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe	109
PID 4772 wrote to memory of 2248	4772	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe	109
PID 4772 wrote to memory of 2248	4772	{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe	109
PID 1924 wrote to memory of 4296	1924	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe	110
PID 1924 wrote to memory of 4296	1924	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe	110
PID 1924 wrote to memory of 4296	1924	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe	110
PID 1924 wrote to memory of 4884	1924	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe	111
PID 1924 wrote to memory of 4884	1924	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe	111
PID 1924 wrote to memory of 4884	1924	{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe	111
PID 4296 wrote to memory of 3716	4296	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe	112
PID 4296 wrote to memory of 3716	4296	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe	112
PID 4296 wrote to memory of 3716	4296	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe	112
PID 4296 wrote to memory of 4516	4296	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe	113
PID 4296 wrote to memory of 4516	4296	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe	113
PID 4296 wrote to memory of 4516	4296	{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe	113
PID 3716 wrote to memory of 716	3716	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe	114
PID 3716 wrote to memory of 716	3716	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe	114
PID 3716 wrote to memory of 716	3716	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe	114
PID 3716 wrote to memory of 2392	3716	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe	115
PID 3716 wrote to memory of 2392	3716	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe	115
PID 3716 wrote to memory of 2392	3716	{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe	115
PID 716 wrote to memory of 4992	716	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe	116
PID 716 wrote to memory of 4992	716	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe	116
PID 716 wrote to memory of 4992	716	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe	116
PID 716 wrote to memory of 1132	716	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe	117
PID 716 wrote to memory of 1132	716	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe	117
PID 716 wrote to memory of 1132	716	{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe	117
PID 4992 wrote to memory of 2792	4992	{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe	118
PID 4992 wrote to memory of 2792	4992	{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe	118
PID 4992 wrote to memory of 2792	4992	{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe	118
PID 4992 wrote to memory of 3940	4992	{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe	119

C:\Users\Admin\AppData\Local\Temp\791393ce21ee56_JC.exe
"C:\Users\Admin\AppData\Local\Temp\791393ce21ee56_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe
  C:\Windows\{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe
    C:\Windows\{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\Windows\{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe
      C:\Windows\{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\{46EFC717-8726-4221-8624-12BDC159B2EC}.exe
        
        C:\Windows\{46EFC717-8726-4221-8624-12BDC159B2EC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
      - C:\Windows\{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe
        
        C:\Windows\{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe
        
        C:\Windows\{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe
        
        C:\Windows\{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4296
        
        C:\Windows\{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe
        
        C:\Windows\{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3716
        
        C:\Windows\{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe
        
        C:\Windows\{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:716
        
        C:\Windows\{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe
        
        C:\Windows\{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe
        
        C:\Windows\{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\{782C9BA5-F63F-4233-91BD-7C5014B07D01}.exe
        
        C:\Windows\{782C9BA5-F63F-4233-91BD-7C5014B07D01}.exe
        13⤵
        Executes dropped EXE
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FFAC~1.EXE > nul
        13⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E49F5~1.EXE > nul
        12⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DD5FF~1.EXE > nul
        11⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4559~1.EXE > nul
        10⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3F789~1.EXE > nul
        9⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C74AE~1.EXE > nul
        8⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBE9C~1.EXE > nul
        7⤵
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46EFC~1.EXE > nul
        6⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0887~1.EXE > nul
        5⤵
        
        PID:2476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{59B6B~1.EXE > nul
      4⤵
      PID:4980
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{23440~1.EXE > nul
    3⤵
    PID:4612
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\791393~1.EXE > nul
  2⤵
  PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe

Filesize
216KB

MD5
9a6b11834eb006535d199b6a0fdb4c23

SHA1
0f36a6627f3e330e1bdeb3e59c91b745cc8f97af

SHA256
898e85c15f8455bc5a1e638d88573655655d8582c126fbc2a58dc11f8a10972f

SHA512
daa27c7dda41dd9fbf13260b1873cfdea562208ec47dcc2ddf940bb787a9c983576db8c4a0f96fae4ce2e5327eb16623eae837d839f096e33b2049029634e08c

Download Submit
C:\Windows\{0FFACD68-8C7A-4fee-A8F8-FC6E63B3787C}.exe

Filesize
216KB

MD5
9a6b11834eb006535d199b6a0fdb4c23

SHA1
0f36a6627f3e330e1bdeb3e59c91b745cc8f97af

SHA256
898e85c15f8455bc5a1e638d88573655655d8582c126fbc2a58dc11f8a10972f

SHA512
daa27c7dda41dd9fbf13260b1873cfdea562208ec47dcc2ddf940bb787a9c983576db8c4a0f96fae4ce2e5327eb16623eae837d839f096e33b2049029634e08c

Download Submit
C:\Windows\{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe

Filesize
216KB

MD5
7c0a4a062e93e5b576db18d0bb9ef032

SHA1
5f9e8902c2959560ce4d2d9d9712328d1395893c

SHA256
74d117ef931fa02e7e6067f624f023e9dac6be3a2f5cfa9e0b4f1c75e98e48be

SHA512
fcda84b400ad9fb839748fed5a235ecc57bfed0f353f10a6c8ad0306037c613c80834d4891a63092c22eb6ffcb29f088c3ebe7d2a6a59f2eb38b4133554a01c6

Download Submit
C:\Windows\{234407C8-0924-4f1e-8801-89529EB6F8B5}.exe

Filesize
216KB

MD5
7c0a4a062e93e5b576db18d0bb9ef032

SHA1
5f9e8902c2959560ce4d2d9d9712328d1395893c

SHA256
74d117ef931fa02e7e6067f624f023e9dac6be3a2f5cfa9e0b4f1c75e98e48be

SHA512
fcda84b400ad9fb839748fed5a235ecc57bfed0f353f10a6c8ad0306037c613c80834d4891a63092c22eb6ffcb29f088c3ebe7d2a6a59f2eb38b4133554a01c6

Download Submit
C:\Windows\{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe

Filesize
216KB

MD5
fa1b0bb827f6a639c5d49bb1b37ce401

SHA1
d4c3af563ac1dd14d12f0a2f477aa8606376a32a

SHA256
8148f98b2acfbd207a6f0df1d0a8a5240c7ad1f5ca59923a74213916bbe57ded

SHA512
55e0fdb5fb35a89efb22ffa1cad6dfa412b1df48de30ea9be1f2d2957cc9ccb8c6a5d5db4dbbd6d843388b2cc8f5810c18ae1a20101bf726cf5961445b6ea229

Download Submit
C:\Windows\{3F789FAF-CB97-4869-AF09-14AC6645DF8C}.exe

Filesize
216KB

MD5
fa1b0bb827f6a639c5d49bb1b37ce401

SHA1
d4c3af563ac1dd14d12f0a2f477aa8606376a32a

SHA256
8148f98b2acfbd207a6f0df1d0a8a5240c7ad1f5ca59923a74213916bbe57ded

SHA512
55e0fdb5fb35a89efb22ffa1cad6dfa412b1df48de30ea9be1f2d2957cc9ccb8c6a5d5db4dbbd6d843388b2cc8f5810c18ae1a20101bf726cf5961445b6ea229

Download Submit
C:\Windows\{46EFC717-8726-4221-8624-12BDC159B2EC}.exe

Filesize
216KB

MD5
de10b1176d2c66d75c62533915626a96

SHA1
8fa366a038c9de3b1de870110fa48555aae88f95

SHA256
a123a0f8377ae25436d37808118ee19c7acab47650bfb3b1824053c079dec6d0

SHA512
df5d5bc3ff5d0279fbb20c39ac6158c91ec3363340dfad5de6f9896372c1ea4f8edfd57b8b193c22489dd4001255bd062d4e186ea462251be9434feaff09c4bb

Download Submit
C:\Windows\{46EFC717-8726-4221-8624-12BDC159B2EC}.exe

Filesize
216KB

MD5
de10b1176d2c66d75c62533915626a96

SHA1
8fa366a038c9de3b1de870110fa48555aae88f95

SHA256
a123a0f8377ae25436d37808118ee19c7acab47650bfb3b1824053c079dec6d0

SHA512
df5d5bc3ff5d0279fbb20c39ac6158c91ec3363340dfad5de6f9896372c1ea4f8edfd57b8b193c22489dd4001255bd062d4e186ea462251be9434feaff09c4bb

Download Submit
C:\Windows\{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe

Filesize
216KB

MD5
d162323b3e18331dcb1b262da43b6c3a

SHA1
d8572a90bf2be2eef44c0a2424d5509162e72065

SHA256
8a1dc10d395d8ca2b8b20a95e84848d5e5b6f99ed1ec4b722f61307c9e169093

SHA512
99f54f4f3b2bc2f066c7e7ebff4ed2f95e794fe55c9436d10b82174cc1104754952dec018d581aba6506d6a81e74f5b6f7886b8b74a1b5fd17dfaaae44cef81d

Download Submit
C:\Windows\{59B6BBF7-158E-4d37-90A3-EDA45F22F2D4}.exe

Filesize
216KB

MD5
d162323b3e18331dcb1b262da43b6c3a

SHA1
d8572a90bf2be2eef44c0a2424d5509162e72065

SHA256
8a1dc10d395d8ca2b8b20a95e84848d5e5b6f99ed1ec4b722f61307c9e169093

SHA512
99f54f4f3b2bc2f066c7e7ebff4ed2f95e794fe55c9436d10b82174cc1104754952dec018d581aba6506d6a81e74f5b6f7886b8b74a1b5fd17dfaaae44cef81d

Download Submit
C:\Windows\{782C9BA5-F63F-4233-91BD-7C5014B07D01}.exe

Filesize
216KB

MD5
85d4d5b98cca6997a7d7d6a8eb90db05

SHA1
208c079b8c0f9a4957d59322411f086043d5342e

SHA256
ea8064655631449f411b074564205cfc100866382bbd4819431dfd7c0c011ac1

SHA512
ded047fbc9a50b207618ca1b66f3a41d71ab0407a192fe70459523c46ba5f1fdc3062c06520a17d42e2a7d8892fc43fc964c321588f06dd8423c41c3a6caf493

Download Submit
C:\Windows\{782C9BA5-F63F-4233-91BD-7C5014B07D01}.exe

Filesize
216KB

MD5
85d4d5b98cca6997a7d7d6a8eb90db05

SHA1
208c079b8c0f9a4957d59322411f086043d5342e

SHA256
ea8064655631449f411b074564205cfc100866382bbd4819431dfd7c0c011ac1

SHA512
ded047fbc9a50b207618ca1b66f3a41d71ab0407a192fe70459523c46ba5f1fdc3062c06520a17d42e2a7d8892fc43fc964c321588f06dd8423c41c3a6caf493

Download Submit
C:\Windows\{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe

Filesize
216KB

MD5
fe3a10db03a7d9d288f5388ce6a46bd3

SHA1
75d3549a69e62f5570904637a7d4fbba95a1bc5b

SHA256
685cb85bf6268dc979f5d477217d7dfdfabb41ca51fa2f6e4d1e10f2b710be4f

SHA512
e35d38709dc16c8ed9ffa411415bb8422bff418d07b27d65b3d6042144691900e0ffc140ce57547c2f6f04fef5037c472c9d043e57a3a7c5cfba1842a1751c6f

Download Submit
C:\Windows\{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe

Filesize
216KB

MD5
fe3a10db03a7d9d288f5388ce6a46bd3

SHA1
75d3549a69e62f5570904637a7d4fbba95a1bc5b

SHA256
685cb85bf6268dc979f5d477217d7dfdfabb41ca51fa2f6e4d1e10f2b710be4f

SHA512
e35d38709dc16c8ed9ffa411415bb8422bff418d07b27d65b3d6042144691900e0ffc140ce57547c2f6f04fef5037c472c9d043e57a3a7c5cfba1842a1751c6f

Download Submit
C:\Windows\{C08872DE-98FD-4f7e-B416-88D8914C2E00}.exe

Filesize
216KB

MD5
fe3a10db03a7d9d288f5388ce6a46bd3

SHA1
75d3549a69e62f5570904637a7d4fbba95a1bc5b

SHA256
685cb85bf6268dc979f5d477217d7dfdfabb41ca51fa2f6e4d1e10f2b710be4f

SHA512
e35d38709dc16c8ed9ffa411415bb8422bff418d07b27d65b3d6042144691900e0ffc140ce57547c2f6f04fef5037c472c9d043e57a3a7c5cfba1842a1751c6f

Download Submit
C:\Windows\{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe

Filesize
216KB

MD5
ec24d7c0aa31c1aedc94e6ee9113f828

SHA1
b7017f7fffd656cb268c055bab4369d18202c3e0

SHA256
786a59b0d543eae8e33764d8835754e7f51dabca2f39e8bcf50b7de7f4db16d9

SHA512
a01b2b4e75600b3ac479d499a79b04e50056bbfc60f4f9d614cc12a9c393ef7c40d4800896f84be8d90a777bee83f351b4bb59d81e81e5123b893aa848d8554c

Download Submit
C:\Windows\{C4559631-DD23-4107-A0EF-C91AEF644AF4}.exe

Filesize
216KB

MD5
ec24d7c0aa31c1aedc94e6ee9113f828

SHA1
b7017f7fffd656cb268c055bab4369d18202c3e0

SHA256
786a59b0d543eae8e33764d8835754e7f51dabca2f39e8bcf50b7de7f4db16d9

SHA512
a01b2b4e75600b3ac479d499a79b04e50056bbfc60f4f9d614cc12a9c393ef7c40d4800896f84be8d90a777bee83f351b4bb59d81e81e5123b893aa848d8554c

Download Submit
C:\Windows\{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe

Filesize
216KB

MD5
c410fa89f17d2eeb289c40d5da4f7c87

SHA1
e30d199abb3ee81d5d280295b93aad9ff383f79b

SHA256
641c375a5bd14eb1e504adb2451dedb1da2946f9c2e2ff6c2792f089e5fe9146

SHA512
9a9d9b71a2ebb69da47e4e268658c207d6068d12f3c71e67aacacd546b69be84d0a883f4d5215bbed7d6564efd173801a310912d304051e2db8294c1f1a46a5f

Download Submit
C:\Windows\{C74AE4C4-8F2A-4e24-A853-72A1C76E08B7}.exe

Filesize
216KB

MD5
c410fa89f17d2eeb289c40d5da4f7c87

SHA1
e30d199abb3ee81d5d280295b93aad9ff383f79b

SHA256
641c375a5bd14eb1e504adb2451dedb1da2946f9c2e2ff6c2792f089e5fe9146

SHA512
9a9d9b71a2ebb69da47e4e268658c207d6068d12f3c71e67aacacd546b69be84d0a883f4d5215bbed7d6564efd173801a310912d304051e2db8294c1f1a46a5f

Download Submit
C:\Windows\{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe

Filesize
216KB

MD5
4881119d660e2a27d90f1d3cb7b3606b

SHA1
7b26aea870f4add1e47f76a070cb0dac1b430fbb

SHA256
6e8840a9c33c19a12b6d617e199f62c9d4d17b558ed099fe3d33fbce979ea47c

SHA512
9f13df56286c6ba013dcfccbf51d12e41e7ed89c5604176184697651168b20839aa086706bd436d03228bd65eafb4242ba738b7657a1516605ada90a4424c0e6

Download Submit
C:\Windows\{DBE9CC7F-935A-4826-8EE8-864FE81DA109}.exe

Filesize
216KB

MD5
4881119d660e2a27d90f1d3cb7b3606b

SHA1
7b26aea870f4add1e47f76a070cb0dac1b430fbb

SHA256
6e8840a9c33c19a12b6d617e199f62c9d4d17b558ed099fe3d33fbce979ea47c

SHA512
9f13df56286c6ba013dcfccbf51d12e41e7ed89c5604176184697651168b20839aa086706bd436d03228bd65eafb4242ba738b7657a1516605ada90a4424c0e6

Download Submit
C:\Windows\{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe

Filesize
216KB

MD5
86bfc5b87c7b273779c1919f6681fb09

SHA1
c918f856beca50eb607a5dbc5a866590b8afeb32

SHA256
42102f58cc5a39e611458cc93268b78211f13db8d9891fb223ce2655f0b73ed5

SHA512
2aa59e2cc874c82695f5ae44f6f1ea06d10138e0475b2a71d9620d4668f7a7fecc2952ad3d4a38f532182235c6feeaf6ced20b2c1320f052248a7af0b26f6bb7

Download Submit
C:\Windows\{DD5FFADC-7CE0-4938-B745-839C7BBC34B3}.exe

Filesize
216KB

MD5
86bfc5b87c7b273779c1919f6681fb09

SHA1
c918f856beca50eb607a5dbc5a866590b8afeb32

SHA256
42102f58cc5a39e611458cc93268b78211f13db8d9891fb223ce2655f0b73ed5

SHA512
2aa59e2cc874c82695f5ae44f6f1ea06d10138e0475b2a71d9620d4668f7a7fecc2952ad3d4a38f532182235c6feeaf6ced20b2c1320f052248a7af0b26f6bb7

Download Submit
C:\Windows\{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe

Filesize
216KB

MD5
68f8c65fc1eebc5e8cdd6bcff2904436

SHA1
a38c32b14ea0c1ad58acdafcb379f11b87c5caec

SHA256
97ae9eff923630ffd284ac47081907b2cb9f6a58de74378793641c3aa8bc9c89

SHA512
0fbedc7c579f5862a5184c7edc74eb9ad5aa64f85c7331b4d747d39fa981e05784ff46909835e121551a745ac2f8c8c11d32b3575888801786e5ba934c1562ec

Download Submit
C:\Windows\{E49F50C0-2BE2-4735-9633-5C1128E1A8A8}.exe

Filesize
216KB

MD5
68f8c65fc1eebc5e8cdd6bcff2904436

SHA1
a38c32b14ea0c1ad58acdafcb379f11b87c5caec

SHA256
97ae9eff923630ffd284ac47081907b2cb9f6a58de74378793641c3aa8bc9c89

SHA512
0fbedc7c579f5862a5184c7edc74eb9ad5aa64f85c7331b4d747d39fa981e05784ff46909835e121551a745ac2f8c8c11d32b3575888801786e5ba934c1562ec

Download Submit