861621fe116eae9959e8d2f436a44c6598ac6525e246411d7e66f3b20174de38

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8695cebcb834f9_JC.exe
Size

204KB
MD5

8695cebcb834f9a04192b105bab8f1ef
SHA1

be231b03ceb89bfcf762f8b2a5df7d8d933c065a
SHA256

861621fe116eae9959e8d2f436a44c6598ac6525e246411d7e66f3b20174de38
SHA512

74988abc802d3766eb12b68189f5c99b6b92552156edfe5a74da52001dccb437c46862c3dd7dedc6ec03c2f18770ff4f1fe77cf0c6b8340d37dfb2e076c911d1
SSDEEP

1536:1EGh0oDl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oDl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}\stubpath = "C:\\Windows\\{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe"	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2788331A-5F1D-491b-A8DE-7EEFC1886491}\stubpath = "C:\\Windows\\{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe"	8695cebcb834f9_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE533FBF-6966-47a5-B410-1049DE7362B5}\stubpath = "C:\\Windows\\{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe"	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C687F5EA-56B0-4a81-B963-395D63150AFA}	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F08DCAD5-6B70-471d-90C9-907EB57F5282}\stubpath = "C:\\Windows\\{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe"	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5020BA5D-7590-4406-8767-A86BEE1115D4}\stubpath = "C:\\Windows\\{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe"	{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}\stubpath = "C:\\Windows\\{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe"	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BD3F3F-5B17-4501-9F38-A67635880A82}\stubpath = "C:\\Windows\\{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe"	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F08DCAD5-6B70-471d-90C9-907EB57F5282}	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}\stubpath = "C:\\Windows\\{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe"	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2942590D-9F30-45dd-B750-04CB43DC3DB5}	{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE533FBF-6966-47a5-B410-1049DE7362B5}	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81BD3F3F-5B17-4501-9F38-A67635880A82}	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8575EC4E-9F69-4847-A938-E60F26B84F2F}	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8575EC4E-9F69-4847-A938-E60F26B84F2F}\stubpath = "C:\\Windows\\{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe"	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5020BA5D-7590-4406-8767-A86BEE1115D4}	{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2942590D-9F30-45dd-B750-04CB43DC3DB5}\stubpath = "C:\\Windows\\{2942590D-9F30-45dd-B750-04CB43DC3DB5}.exe"	{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2788331A-5F1D-491b-A8DE-7EEFC1886491}	8695cebcb834f9_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}\stubpath = "C:\\Windows\\{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe"	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C687F5EA-56B0-4a81-B963-395D63150AFA}\stubpath = "C:\\Windows\\{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe"	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe

Executes dropped EXE 12 IoCs

pid	Process
4272	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe
4964	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe
3548	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe
644	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe
4760	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe
1676	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe
1860	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe
3484	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe
844	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe
4328	{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe
3652	{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe
4732	{2942590D-9F30-45dd-B750-04CB43DC3DB5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe
File created	C:\Windows\{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe
File created	C:\Windows\{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe	8695cebcb834f9_JC.exe
File created	C:\Windows\{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe
File created	C:\Windows\{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe
File created	C:\Windows\{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe
File created	C:\Windows\{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe	{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe
File created	C:\Windows\{2942590D-9F30-45dd-B750-04CB43DC3DB5}.exe	{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe
File created	C:\Windows\{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe
File created	C:\Windows\{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe
File created	C:\Windows\{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe
File created	C:\Windows\{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2508	8695cebcb834f9_JC.exe
Token: SeIncBasePriorityPrivilege	4272	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe
Token: SeIncBasePriorityPrivilege	4964	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe
Token: SeIncBasePriorityPrivilege	3548	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe
Token: SeIncBasePriorityPrivilege	644	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe
Token: SeIncBasePriorityPrivilege	4760	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe
Token: SeIncBasePriorityPrivilege	1676	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe
Token: SeIncBasePriorityPrivilege	1860	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe
Token: SeIncBasePriorityPrivilege	3484	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe
Token: SeIncBasePriorityPrivilege	844	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe
Token: SeIncBasePriorityPrivilege	4328	{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe
Token: SeIncBasePriorityPrivilege	3652	{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4272	2508	8695cebcb834f9_JC.exe	96
PID 2508 wrote to memory of 4272	2508	8695cebcb834f9_JC.exe	96
PID 2508 wrote to memory of 4272	2508	8695cebcb834f9_JC.exe	96
PID 2508 wrote to memory of 3464	2508	8695cebcb834f9_JC.exe	97
PID 2508 wrote to memory of 3464	2508	8695cebcb834f9_JC.exe	97
PID 2508 wrote to memory of 3464	2508	8695cebcb834f9_JC.exe	97
PID 4272 wrote to memory of 4964	4272	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe	98
PID 4272 wrote to memory of 4964	4272	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe	98
PID 4272 wrote to memory of 4964	4272	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe	98
PID 4272 wrote to memory of 3928	4272	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe	99
PID 4272 wrote to memory of 3928	4272	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe	99
PID 4272 wrote to memory of 3928	4272	{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe	99
PID 4964 wrote to memory of 3548	4964	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe	104
PID 4964 wrote to memory of 3548	4964	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe	104
PID 4964 wrote to memory of 3548	4964	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe	104
PID 4964 wrote to memory of 3432	4964	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe	105
PID 4964 wrote to memory of 3432	4964	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe	105
PID 4964 wrote to memory of 3432	4964	{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe	105
PID 3548 wrote to memory of 644	3548	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe	112
PID 3548 wrote to memory of 644	3548	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe	112
PID 3548 wrote to memory of 644	3548	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe	112
PID 3548 wrote to memory of 1300	3548	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe	113
PID 3548 wrote to memory of 1300	3548	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe	113
PID 3548 wrote to memory of 1300	3548	{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe	113
PID 644 wrote to memory of 4760	644	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe	114
PID 644 wrote to memory of 4760	644	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe	114
PID 644 wrote to memory of 4760	644	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe	114
PID 644 wrote to memory of 4984	644	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe	115
PID 644 wrote to memory of 4984	644	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe	115
PID 644 wrote to memory of 4984	644	{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe	115
PID 4760 wrote to memory of 1676	4760	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe	117
PID 4760 wrote to memory of 1676	4760	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe	117
PID 4760 wrote to memory of 1676	4760	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe	117
PID 4760 wrote to memory of 4072	4760	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe	118
PID 4760 wrote to memory of 4072	4760	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe	118
PID 4760 wrote to memory of 4072	4760	{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe	118
PID 1676 wrote to memory of 1860	1676	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe	119
PID 1676 wrote to memory of 1860	1676	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe	119
PID 1676 wrote to memory of 1860	1676	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe	119
PID 1676 wrote to memory of 2456	1676	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe	120
PID 1676 wrote to memory of 2456	1676	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe	120
PID 1676 wrote to memory of 2456	1676	{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe	120
PID 1860 wrote to memory of 3484	1860	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe	121
PID 1860 wrote to memory of 3484	1860	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe	121
PID 1860 wrote to memory of 3484	1860	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe	121
PID 1860 wrote to memory of 4056	1860	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe	122
PID 1860 wrote to memory of 4056	1860	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe	122
PID 1860 wrote to memory of 4056	1860	{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe	122
PID 3484 wrote to memory of 844	3484	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe	123
PID 3484 wrote to memory of 844	3484	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe	123
PID 3484 wrote to memory of 844	3484	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe	123
PID 3484 wrote to memory of 4748	3484	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe	124
PID 3484 wrote to memory of 4748	3484	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe	124
PID 3484 wrote to memory of 4748	3484	{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe	124
PID 844 wrote to memory of 4328	844	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe	125
PID 844 wrote to memory of 4328	844	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe	125
PID 844 wrote to memory of 4328	844	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe	125
PID 844 wrote to memory of 3748	844	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe	126
PID 844 wrote to memory of 3748	844	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe	126
PID 844 wrote to memory of 3748	844	{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe	126
PID 4328 wrote to memory of 3652	4328	{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe	127
PID 4328 wrote to memory of 3652	4328	{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe	127
PID 4328 wrote to memory of 3652	4328	{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe	127
PID 4328 wrote to memory of 2600	4328	{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe	128

C:\Users\Admin\AppData\Local\Temp\8695cebcb834f9_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8695cebcb834f9_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe
  C:\Windows\{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe
    C:\Windows\{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - C:\Windows\{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe
      C:\Windows\{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3548
    - - C:\Windows\{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe
        
        C:\Windows\{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:644
      - C:\Windows\{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe
        
        C:\Windows\{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe
        
        C:\Windows\{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe
        
        C:\Windows\{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Windows\{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe
        
        C:\Windows\{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe
        
        C:\Windows\{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:844
        
        C:\Windows\{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe
        
        C:\Windows\{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe
        
        C:\Windows\{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3652
        
        C:\Windows\{2942590D-9F30-45dd-B750-04CB43DC3DB5}.exe
        
        C:\Windows\{2942590D-9F30-45dd-B750-04CB43DC3DB5}.exe
        13⤵
        Executes dropped EXE
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5020B~1.EXE > nul
        13⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8575E~1.EXE > nul
        12⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81F52~1.EXE > nul
        11⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F08DC~1.EXE > nul
        10⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A44BC~1.EXE > nul
        9⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81BD3~1.EXE > nul
        8⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13D13~1.EXE > nul
        7⤵
        
        PID:4072
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C687F~1.EXE > nul
        6⤵
        
        PID:4984
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BE67~1.EXE > nul
        5⤵
        
        PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AE533~1.EXE > nul
      4⤵
      PID:3432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{27883~1.EXE > nul
    3⤵
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8695CE~1.EXE > nul
  2⤵
  PID:3464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe

Filesize
204KB

MD5
792fa8e59292668bc5a823aafb476e0e

SHA1
81a78968efde10c7d73c6c23b00af50bb54a3493

SHA256
b87bfa3c58be61e775f17acd52fe2a60f51305b71aac18c9a645f144722d17e0

SHA512
2192bfe401a1da7740e9b1e46a8aee23e051f0e77e6cf4f53a4012eb7147ec74eebc70301919e60a4acc0ce4ecf1ce11d5222b15570657f5856c22e0c87ac20e

Download Submit
C:\Windows\{13D13B13-1BEA-4a4e-B4D6-B4378B534C5F}.exe

Filesize
204KB

MD5
792fa8e59292668bc5a823aafb476e0e

SHA1
81a78968efde10c7d73c6c23b00af50bb54a3493

SHA256
b87bfa3c58be61e775f17acd52fe2a60f51305b71aac18c9a645f144722d17e0

SHA512
2192bfe401a1da7740e9b1e46a8aee23e051f0e77e6cf4f53a4012eb7147ec74eebc70301919e60a4acc0ce4ecf1ce11d5222b15570657f5856c22e0c87ac20e

Download Submit
C:\Windows\{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe

Filesize
204KB

MD5
ca09516b7ef358924d995718832b5c94

SHA1
aa8bb2ce44c9488e4105dd21a54949d41323a72f

SHA256
9c34d913398cf7d367dfa77540e579544bdfee4e74f522be6b9a251496c0c43d

SHA512
39b630c3254c0a201691c3958b4faf1a27bbcab6058884b7c76bff09c74c4e8d8ad1ffc38d03ad3b48d185eb1eb04cb3003e2f4dc32d047664f02d0dad146d0d

Download Submit
C:\Windows\{2788331A-5F1D-491b-A8DE-7EEFC1886491}.exe

Filesize
204KB

MD5
ca09516b7ef358924d995718832b5c94

SHA1
aa8bb2ce44c9488e4105dd21a54949d41323a72f

SHA256
9c34d913398cf7d367dfa77540e579544bdfee4e74f522be6b9a251496c0c43d

SHA512
39b630c3254c0a201691c3958b4faf1a27bbcab6058884b7c76bff09c74c4e8d8ad1ffc38d03ad3b48d185eb1eb04cb3003e2f4dc32d047664f02d0dad146d0d

Download Submit
C:\Windows\{2942590D-9F30-45dd-B750-04CB43DC3DB5}.exe

Filesize
204KB

MD5
85865a2a3615c44ccd5395a6e0baa2e5

SHA1
6026a1c4926208779a3cd1472e676561c4f91a12

SHA256
899eb3ab4caeb880bf68c3391b42840c34df8eb39803629d54aae5a5827e152c

SHA512
9a5a9421b408f0d584c888b245be02ece70da9aac87f7e8c67a07c84e8f4329c01a2013d354f7989351a3fe218d545d9938218b5f2d88b273031c2a60352357c

Download Submit
C:\Windows\{2942590D-9F30-45dd-B750-04CB43DC3DB5}.exe

Filesize
204KB

MD5
85865a2a3615c44ccd5395a6e0baa2e5

SHA1
6026a1c4926208779a3cd1472e676561c4f91a12

SHA256
899eb3ab4caeb880bf68c3391b42840c34df8eb39803629d54aae5a5827e152c

SHA512
9a5a9421b408f0d584c888b245be02ece70da9aac87f7e8c67a07c84e8f4329c01a2013d354f7989351a3fe218d545d9938218b5f2d88b273031c2a60352357c

Download Submit
C:\Windows\{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe

Filesize
204KB

MD5
2f16a82586e2fb26d47accb99011b86a

SHA1
6c103e5a0fa3d1cd31f5968b19a3dda84dffe9a1

SHA256
ac616b44cd52b7d190e8ff4bb5d1b124e702312dee200a8a5aa7a8759db061a6

SHA512
6263dc72dfa4d8d8910a949cfbb1f51872a7eff5b4ed235ba434ba49808d775c2a5729cfd09b70c23d0c3527d81d55155a96a34cc2124db22a7c53b79c9b24ab

Download Submit
C:\Windows\{5020BA5D-7590-4406-8767-A86BEE1115D4}.exe

Filesize
204KB

MD5
2f16a82586e2fb26d47accb99011b86a

SHA1
6c103e5a0fa3d1cd31f5968b19a3dda84dffe9a1

SHA256
ac616b44cd52b7d190e8ff4bb5d1b124e702312dee200a8a5aa7a8759db061a6

SHA512
6263dc72dfa4d8d8910a949cfbb1f51872a7eff5b4ed235ba434ba49808d775c2a5729cfd09b70c23d0c3527d81d55155a96a34cc2124db22a7c53b79c9b24ab

Download Submit
C:\Windows\{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe

Filesize
204KB

MD5
d38e3736fcd8396b2c193355f510664c

SHA1
d29224cd13fd96e16c168cb3d19e5befb5b62407

SHA256
ce65ea9fa87de5078a64e6d43d11e582217d0a4eff459fd47882272dec20c010

SHA512
67835081fc180f4e2b2be1a9eaeb6c2ce7a4a1a1db4247e1b88c98ef20acdcb3e171011f7686c6c4ec756da975c1ad9814ec9c4d16ed4bf615d06e4fc024d96d

Download Submit
C:\Windows\{81BD3F3F-5B17-4501-9F38-A67635880A82}.exe

Filesize
204KB

MD5
d38e3736fcd8396b2c193355f510664c

SHA1
d29224cd13fd96e16c168cb3d19e5befb5b62407

SHA256
ce65ea9fa87de5078a64e6d43d11e582217d0a4eff459fd47882272dec20c010

SHA512
67835081fc180f4e2b2be1a9eaeb6c2ce7a4a1a1db4247e1b88c98ef20acdcb3e171011f7686c6c4ec756da975c1ad9814ec9c4d16ed4bf615d06e4fc024d96d

Download Submit
C:\Windows\{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe

Filesize
204KB

MD5
ad1c099b8d147a81941a1a367a9f40e6

SHA1
fbfc26c150a9d8f553caa108fa0bd20225c84b1a

SHA256
dbe059c2642ff80c9c78d2690722487226f76cdd2cea56201deae7d011640343

SHA512
b826fe5fc1600dd58aa61ad63253c68b78e9746eb2e6000f3f94c4b297ac06273d835425d3d93792c4b7750033ab85e3808bbbe1f9e73b5def7be4f6141f4528

Download Submit
C:\Windows\{81F526D3-6AEA-4e59-8B0C-8A7C8A646E76}.exe

Filesize
204KB

MD5
ad1c099b8d147a81941a1a367a9f40e6

SHA1
fbfc26c150a9d8f553caa108fa0bd20225c84b1a

SHA256
dbe059c2642ff80c9c78d2690722487226f76cdd2cea56201deae7d011640343

SHA512
b826fe5fc1600dd58aa61ad63253c68b78e9746eb2e6000f3f94c4b297ac06273d835425d3d93792c4b7750033ab85e3808bbbe1f9e73b5def7be4f6141f4528

Download Submit
C:\Windows\{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe

Filesize
204KB

MD5
16f5d221d597b78df414a4884a2f5a64

SHA1
aa3ad42502897e4e270ac89c690ed0b5eb156176

SHA256
47257a881466f71ffb8c752bfc161b78449cf0491d7aa0045cb65751a9143cde

SHA512
a85d683d38c20de7a8e88d06a54f7543ec083dcc8bda52192636f25f049a57766cb4f0130949534e494ca7b860874107d81cbc920b26dc60fe5ffba8dc977560

Download Submit
C:\Windows\{8575EC4E-9F69-4847-A938-E60F26B84F2F}.exe

Filesize
204KB

MD5
16f5d221d597b78df414a4884a2f5a64

SHA1
aa3ad42502897e4e270ac89c690ed0b5eb156176

SHA256
47257a881466f71ffb8c752bfc161b78449cf0491d7aa0045cb65751a9143cde

SHA512
a85d683d38c20de7a8e88d06a54f7543ec083dcc8bda52192636f25f049a57766cb4f0130949534e494ca7b860874107d81cbc920b26dc60fe5ffba8dc977560

Download Submit
C:\Windows\{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe

Filesize
204KB

MD5
a8db8451c3521c30ae4d920da220f3bf

SHA1
2cccc935a70b6e18489bfd1089f532bc849681c3

SHA256
85aeee108c16ca7c0c0aab198acdcf0de2e6ff0622c2901b7a442d639f6c2826

SHA512
f66dc81ddf3b0f021c3288226022f86babc41004902dfe8c207b3fead03adcae74319485852f388b5fb8f18486db09d0f2154749a89c5b2e4b857c08c2aa2fa1

Download Submit
C:\Windows\{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe

Filesize
204KB

MD5
a8db8451c3521c30ae4d920da220f3bf

SHA1
2cccc935a70b6e18489bfd1089f532bc849681c3

SHA256
85aeee108c16ca7c0c0aab198acdcf0de2e6ff0622c2901b7a442d639f6c2826

SHA512
f66dc81ddf3b0f021c3288226022f86babc41004902dfe8c207b3fead03adcae74319485852f388b5fb8f18486db09d0f2154749a89c5b2e4b857c08c2aa2fa1

Download Submit
C:\Windows\{9BE67D90-2C6B-48aa-94D7-F8FF2402E45D}.exe

Filesize
204KB

MD5
a8db8451c3521c30ae4d920da220f3bf

SHA1
2cccc935a70b6e18489bfd1089f532bc849681c3

SHA256
85aeee108c16ca7c0c0aab198acdcf0de2e6ff0622c2901b7a442d639f6c2826

SHA512
f66dc81ddf3b0f021c3288226022f86babc41004902dfe8c207b3fead03adcae74319485852f388b5fb8f18486db09d0f2154749a89c5b2e4b857c08c2aa2fa1

Download Submit
C:\Windows\{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe

Filesize
204KB

MD5
c7b27ea4056ffc3ae550a202d739fe98

SHA1
e60b2772ed949138d74ba70c853de8b37dba61d1

SHA256
74374f4a88f23248834e248aecbd47fe868d4b767abb73beaa8384b9b5c5310e

SHA512
adee4e1e137c369bafff0355265a17201441ea687d868dae69b61bf4cff795c1825bc2320c2a1632020672c650f3908c717b108c5b203a584e089be9724834f8

Download Submit
C:\Windows\{A44BCF2F-A9D4-4c51-98A2-8BF45DDC84EB}.exe

Filesize
204KB

MD5
c7b27ea4056ffc3ae550a202d739fe98

SHA1
e60b2772ed949138d74ba70c853de8b37dba61d1

SHA256
74374f4a88f23248834e248aecbd47fe868d4b767abb73beaa8384b9b5c5310e

SHA512
adee4e1e137c369bafff0355265a17201441ea687d868dae69b61bf4cff795c1825bc2320c2a1632020672c650f3908c717b108c5b203a584e089be9724834f8

Download Submit
C:\Windows\{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe

Filesize
204KB

MD5
e779820fb084225c930b3244a977053e

SHA1
e1e90a1fcade224863f77904a6d4c1fafb7053db

SHA256
e03113f216fb6b5cafb78c60e2e4bea83c718d348f21ef088072a54187ab4188

SHA512
fc42ea7e10994f22dea4c5a0a7c6495a8dd69304424ca06005b3853b8c3946db54b6bd9ce262d8c125888f9b1077b5554c274095a9d9686e0e70ea41c2fd8e71

Download Submit
C:\Windows\{AE533FBF-6966-47a5-B410-1049DE7362B5}.exe

Filesize
204KB

MD5
e779820fb084225c930b3244a977053e

SHA1
e1e90a1fcade224863f77904a6d4c1fafb7053db

SHA256
e03113f216fb6b5cafb78c60e2e4bea83c718d348f21ef088072a54187ab4188

SHA512
fc42ea7e10994f22dea4c5a0a7c6495a8dd69304424ca06005b3853b8c3946db54b6bd9ce262d8c125888f9b1077b5554c274095a9d9686e0e70ea41c2fd8e71

Download Submit
C:\Windows\{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe

Filesize
204KB

MD5
4a1a2843df4f28d07eecb4a424b1592c

SHA1
3cc5aee9374d005899e0cfb77d8d73c8f460a273

SHA256
afd43c239b51dba0fa1d3410eb1ef07d51726bfab1208e02c6086380940758d9

SHA512
f29fea57fd50c4e843c8a7e2aec5dda1047a2788f0cd31504e5f8a8fb4a446978a7202056b6eabf054748323fe81f08ed8bd2eb308dc040d730384e1c6857127

Download Submit
C:\Windows\{C687F5EA-56B0-4a81-B963-395D63150AFA}.exe

Filesize
204KB

MD5
4a1a2843df4f28d07eecb4a424b1592c

SHA1
3cc5aee9374d005899e0cfb77d8d73c8f460a273

SHA256
afd43c239b51dba0fa1d3410eb1ef07d51726bfab1208e02c6086380940758d9

SHA512
f29fea57fd50c4e843c8a7e2aec5dda1047a2788f0cd31504e5f8a8fb4a446978a7202056b6eabf054748323fe81f08ed8bd2eb308dc040d730384e1c6857127

Download Submit
C:\Windows\{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe

Filesize
204KB

MD5
e78217dc03de3cb7ebf88d2408d750bf

SHA1
0446ebdb4f0b28f658dcf4c2d751e807eeca1e31

SHA256
21597a78f6de81fd5f9b9b8348d569b179a5d24979bb0933e82514583fac4374

SHA512
ac9b8eac33137d5cbf96f7aa4b9dc700dd90adf81ff37dd02ec47bf090e9c41cc044aadf7bf3d3be01137c897b8a7acc4e63c991dd6c867697252f4ccd045e63

Download Submit
C:\Windows\{F08DCAD5-6B70-471d-90C9-907EB57F5282}.exe

Filesize
204KB

MD5
e78217dc03de3cb7ebf88d2408d750bf

SHA1
0446ebdb4f0b28f658dcf4c2d751e807eeca1e31

SHA256
21597a78f6de81fd5f9b9b8348d569b179a5d24979bb0933e82514583fac4374

SHA512
ac9b8eac33137d5cbf96f7aa4b9dc700dd90adf81ff37dd02ec47bf090e9c41cc044aadf7bf3d3be01137c897b8a7acc4e63c991dd6c867697252f4ccd045e63

Download Submit