b6ce3c930186db4d237692caf0c44ea8dfbdf5b8d878ef20003d03f11ac9f09c

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22f85caee0abc6exeexe_JC.exe
Size

216KB
MD5

22f85caee0abc6015c7f22fd2cd19c1e
SHA1

3ca86b920ed78a61130fd0bf8083c1204527a8e5
SHA256

b6ce3c930186db4d237692caf0c44ea8dfbdf5b8d878ef20003d03f11ac9f09c
SHA512

abc48b6409eb986589fa4968a85d1a976e66ce11168c54577efe2876ccccae8be50b5dae55210ce65bad0e0f191b72d5a23b1d54e8687fc38355906d9f68c601
SSDEEP

3072:jEGh0oRl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGflEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F095AB7-E50F-4425-BE1A-BB8F654B4492}\stubpath = "C:\\Windows\\{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe"	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}\stubpath = "C:\\Windows\\{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe"	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}\stubpath = "C:\\Windows\\{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe"	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{755EA49D-F4F7-43f6-83C5-5910CE36F674}\stubpath = "C:\\Windows\\{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe"	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47D46709-4B1D-45e9-B60E-B25B08D46BA8}\stubpath = "C:\\Windows\\{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe"	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1F095AB7-E50F-4425-BE1A-BB8F654B4492}	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16BD914F-ECC9-4961-A179-A91E33DC017E}	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}\stubpath = "C:\\Windows\\{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe"	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFCE301D-7A05-4cb1-B164-F8C373F8652A}	{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A8E0808-A313-4a83-9197-B15F5A10ADDB}\stubpath = "C:\\Windows\\{9A8E0808-A313-4a83-9197-B15F5A10ADDB}.exe"	{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB25791-F19D-4691-A388-2B752260C2AF}	22f85caee0abc6exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EB25791-F19D-4691-A388-2B752260C2AF}\stubpath = "C:\\Windows\\{6EB25791-F19D-4691-A388-2B752260C2AF}.exe"	22f85caee0abc6exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47D46709-4B1D-45e9-B60E-B25B08D46BA8}	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCBED69F-9F58-4781-933C-4EAF760E6D9E}	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCBED69F-9F58-4781-933C-4EAF760E6D9E}\stubpath = "C:\\Windows\\{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe"	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFCE301D-7A05-4cb1-B164-F8C373F8652A}\stubpath = "C:\\Windows\\{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe"	{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A8E0808-A313-4a83-9197-B15F5A10ADDB}	{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16BD914F-ECC9-4961-A179-A91E33DC017E}\stubpath = "C:\\Windows\\{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe"	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{755EA49D-F4F7-43f6-83C5-5910CE36F674}	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}\stubpath = "C:\\Windows\\{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe"	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe

Executes dropped EXE 12 IoCs

pid	Process
1812	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe
5020	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe
376	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe
3036	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe
2160	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe
3788	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe
4800	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe
3752	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe
4328	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe
3872	{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe
3472	{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe
4252	{9A8E0808-A313-4a83-9197-B15F5A10ADDB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe
File created	C:\Windows\{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe
File created	C:\Windows\{9A8E0808-A313-4a83-9197-B15F5A10ADDB}.exe	{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe
File created	C:\Windows\{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe
File created	C:\Windows\{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe
File created	C:\Windows\{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe
File created	C:\Windows\{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe
File created	C:\Windows\{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe
File created	C:\Windows\{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe
File created	C:\Windows\{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe	{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe
File created	C:\Windows\{6EB25791-F19D-4691-A388-2B752260C2AF}.exe	22f85caee0abc6exeexe_JC.exe
File created	C:\Windows\{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3136	22f85caee0abc6exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	1812	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe
Token: SeIncBasePriorityPrivilege	5020	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe
Token: SeIncBasePriorityPrivilege	376	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe
Token: SeIncBasePriorityPrivilege	3036	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe
Token: SeIncBasePriorityPrivilege	2160	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe
Token: SeIncBasePriorityPrivilege	3788	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe
Token: SeIncBasePriorityPrivilege	4800	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe
Token: SeIncBasePriorityPrivilege	3752	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe
Token: SeIncBasePriorityPrivilege	4328	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe
Token: SeIncBasePriorityPrivilege	3872	{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe
Token: SeIncBasePriorityPrivilege	3472	{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3136 wrote to memory of 1812	3136	22f85caee0abc6exeexe_JC.exe	94
PID 3136 wrote to memory of 1812	3136	22f85caee0abc6exeexe_JC.exe	94
PID 3136 wrote to memory of 1812	3136	22f85caee0abc6exeexe_JC.exe	94
PID 3136 wrote to memory of 1016	3136	22f85caee0abc6exeexe_JC.exe	95
PID 3136 wrote to memory of 1016	3136	22f85caee0abc6exeexe_JC.exe	95
PID 3136 wrote to memory of 1016	3136	22f85caee0abc6exeexe_JC.exe	95
PID 1812 wrote to memory of 5020	1812	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe	100
PID 1812 wrote to memory of 5020	1812	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe	100
PID 1812 wrote to memory of 5020	1812	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe	100
PID 1812 wrote to memory of 4404	1812	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe	101
PID 1812 wrote to memory of 4404	1812	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe	101
PID 1812 wrote to memory of 4404	1812	{6EB25791-F19D-4691-A388-2B752260C2AF}.exe	101
PID 5020 wrote to memory of 376	5020	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe	104
PID 5020 wrote to memory of 376	5020	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe	104
PID 5020 wrote to memory of 376	5020	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe	104
PID 5020 wrote to memory of 4760	5020	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe	103
PID 5020 wrote to memory of 4760	5020	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe	103
PID 5020 wrote to memory of 4760	5020	{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe	103
PID 376 wrote to memory of 3036	376	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe	105
PID 376 wrote to memory of 3036	376	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe	105
PID 376 wrote to memory of 3036	376	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe	105
PID 376 wrote to memory of 408	376	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe	106
PID 376 wrote to memory of 408	376	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe	106
PID 376 wrote to memory of 408	376	{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe	106
PID 3036 wrote to memory of 2160	3036	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe	107
PID 3036 wrote to memory of 2160	3036	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe	107
PID 3036 wrote to memory of 2160	3036	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe	107
PID 3036 wrote to memory of 4436	3036	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe	108
PID 3036 wrote to memory of 4436	3036	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe	108
PID 3036 wrote to memory of 4436	3036	{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe	108
PID 2160 wrote to memory of 3788	2160	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe	109
PID 2160 wrote to memory of 3788	2160	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe	109
PID 2160 wrote to memory of 3788	2160	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe	109
PID 2160 wrote to memory of 740	2160	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe	110
PID 2160 wrote to memory of 740	2160	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe	110
PID 2160 wrote to memory of 740	2160	{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe	110
PID 3788 wrote to memory of 4800	3788	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe	111
PID 3788 wrote to memory of 4800	3788	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe	111
PID 3788 wrote to memory of 4800	3788	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe	111
PID 3788 wrote to memory of 3296	3788	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe	112
PID 3788 wrote to memory of 3296	3788	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe	112
PID 3788 wrote to memory of 3296	3788	{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe	112
PID 4800 wrote to memory of 3752	4800	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe	113
PID 4800 wrote to memory of 3752	4800	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe	113
PID 4800 wrote to memory of 3752	4800	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe	113
PID 4800 wrote to memory of 3856	4800	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe	114
PID 4800 wrote to memory of 3856	4800	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe	114
PID 4800 wrote to memory of 3856	4800	{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe	114
PID 3752 wrote to memory of 4328	3752	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe	115
PID 3752 wrote to memory of 4328	3752	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe	115
PID 3752 wrote to memory of 4328	3752	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe	115
PID 3752 wrote to memory of 4524	3752	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe	116
PID 3752 wrote to memory of 4524	3752	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe	116
PID 3752 wrote to memory of 4524	3752	{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe	116
PID 4328 wrote to memory of 3872	4328	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe	117
PID 4328 wrote to memory of 3872	4328	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe	117
PID 4328 wrote to memory of 3872	4328	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe	117
PID 4328 wrote to memory of 824	4328	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe	118
PID 4328 wrote to memory of 824	4328	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe	118
PID 4328 wrote to memory of 824	4328	{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe	118
PID 3872 wrote to memory of 3472	3872	{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe	119
PID 3872 wrote to memory of 3472	3872	{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe	119
PID 3872 wrote to memory of 3472	3872	{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe	119
PID 3872 wrote to memory of 544	3872	{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe	120

C:\Users\Admin\AppData\Local\Temp\22f85caee0abc6exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\22f85caee0abc6exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Windows\{6EB25791-F19D-4691-A388-2B752260C2AF}.exe
  C:\Windows\{6EB25791-F19D-4691-A388-2B752260C2AF}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1812
- - C:\Windows\{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe
    C:\Windows\{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{47D46~1.EXE > nul
      4⤵
      PID:4760
  - - C:\Windows\{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe
      C:\Windows\{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe
        
        C:\Windows\{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3036
      - C:\Windows\{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe
        
        C:\Windows\{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe
        
        C:\Windows\{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe
        
        C:\Windows\{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe
        
        C:\Windows\{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Windows\{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe
        
        C:\Windows\{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe
        
        C:\Windows\{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe
        
        C:\Windows\{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3472
        
        C:\Windows\{9A8E0808-A313-4a83-9197-B15F5A10ADDB}.exe
        
        C:\Windows\{9A8E0808-A313-4a83-9197-B15F5A10ADDB}.exe
        13⤵
        Executes dropped EXE
        
        PID:4252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFCE3~1.EXE > nul
        13⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2B31~1.EXE > nul
        12⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4B5A~1.EXE > nul
        11⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{755EA~1.EXE > nul
        10⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCBED~1.EXE > nul
        9⤵
        
        PID:3856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD1BD~1.EXE > nul
        8⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{084B4~1.EXE > nul
        7⤵
        
        PID:740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16BD9~1.EXE > nul
        6⤵
        
        PID:4436
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F095~1.EXE > nul
        5⤵
        
        PID:408
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6EB25~1.EXE > nul
    3⤵
    PID:4404
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\22F85C~1.EXE > nul
  2⤵
  PID:1016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe

Filesize
216KB

MD5
17843495165cd120eb424297097f1050

SHA1
5e3d30f6c1ca0cbfa75d8bc2166382fb39b768dc

SHA256
42b27b5e7962a066c1ad8a70e5018f7cebaa2f858824ca2d990c40c84a5dac0d

SHA512
abdba9da1ba5865c25bbfc89ddce97925f2b18d8c3f5567294ddd1036b102948ba9db1a06b1b6ab4c4db2d9207e20e9266f71428d4a6624cc81e50cf181ce6c4

Download Submit
C:\Windows\{084B4C04-4CB8-4cc9-AD7D-360A77CCF049}.exe

Filesize
216KB

MD5
17843495165cd120eb424297097f1050

SHA1
5e3d30f6c1ca0cbfa75d8bc2166382fb39b768dc

SHA256
42b27b5e7962a066c1ad8a70e5018f7cebaa2f858824ca2d990c40c84a5dac0d

SHA512
abdba9da1ba5865c25bbfc89ddce97925f2b18d8c3f5567294ddd1036b102948ba9db1a06b1b6ab4c4db2d9207e20e9266f71428d4a6624cc81e50cf181ce6c4

Download Submit
C:\Windows\{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe

Filesize
216KB

MD5
ba82605a11f67d6ea513fe2ecf49259c

SHA1
7bb0a31679cc648c5d7b7da08ef94c590e35fce0

SHA256
673050db66f6dd0cad26ab97678888429939e92e3da26b5134f4c7cdcd94e256

SHA512
7b008b50bffab10389460e7590cbe71ce61f823255de8490cf013495236e58559969f79b5531bbca14c610a778f573ab6e7bab12fdaf1d6f8fce2966c6d556be

Download Submit
C:\Windows\{16BD914F-ECC9-4961-A179-A91E33DC017E}.exe

Filesize
216KB

MD5
ba82605a11f67d6ea513fe2ecf49259c

SHA1
7bb0a31679cc648c5d7b7da08ef94c590e35fce0

SHA256
673050db66f6dd0cad26ab97678888429939e92e3da26b5134f4c7cdcd94e256

SHA512
7b008b50bffab10389460e7590cbe71ce61f823255de8490cf013495236e58559969f79b5531bbca14c610a778f573ab6e7bab12fdaf1d6f8fce2966c6d556be

Download Submit
C:\Windows\{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe

Filesize
216KB

MD5
31d1b31647d5e3b1fc0f47d600f87cbb

SHA1
7083cdb3de18d39483ab1058872b2b445273b935

SHA256
ac7ec25fe23461ec5fcb4295975535eb89f66312efd781bff782ba1ac4c045d5

SHA512
3626563373cb383370c64487fde14db9daccc77d2c71b65c5a05b2ed1368077df59739247b13d10cd825c345058ff1521334de95874108f3ff0f84b0cc98c9fe

Download Submit
C:\Windows\{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe

Filesize
216KB

MD5
31d1b31647d5e3b1fc0f47d600f87cbb

SHA1
7083cdb3de18d39483ab1058872b2b445273b935

SHA256
ac7ec25fe23461ec5fcb4295975535eb89f66312efd781bff782ba1ac4c045d5

SHA512
3626563373cb383370c64487fde14db9daccc77d2c71b65c5a05b2ed1368077df59739247b13d10cd825c345058ff1521334de95874108f3ff0f84b0cc98c9fe

Download Submit
C:\Windows\{1F095AB7-E50F-4425-BE1A-BB8F654B4492}.exe

Filesize
216KB

MD5
31d1b31647d5e3b1fc0f47d600f87cbb

SHA1
7083cdb3de18d39483ab1058872b2b445273b935

SHA256
ac7ec25fe23461ec5fcb4295975535eb89f66312efd781bff782ba1ac4c045d5

SHA512
3626563373cb383370c64487fde14db9daccc77d2c71b65c5a05b2ed1368077df59739247b13d10cd825c345058ff1521334de95874108f3ff0f84b0cc98c9fe

Download Submit
C:\Windows\{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe

Filesize
216KB

MD5
56d4764681ad7eefc609c2c03f1f15dd

SHA1
a56dd61372527e68155635c9c8c0b5bc392255c7

SHA256
ab7191644f1d206029cf89b08b4b8a5972636231299c2dac6b32286c5a4a62b0

SHA512
47f58f745e978a837e5f2c34143e8319027e7a3b7f001535e67ac586ce0245af42e3c4c8612afc94554d0ffcab01adc92deb32fe2f196ab50f063a09deeb55ea

Download Submit
C:\Windows\{47D46709-4B1D-45e9-B60E-B25B08D46BA8}.exe

Filesize
216KB

MD5
56d4764681ad7eefc609c2c03f1f15dd

SHA1
a56dd61372527e68155635c9c8c0b5bc392255c7

SHA256
ab7191644f1d206029cf89b08b4b8a5972636231299c2dac6b32286c5a4a62b0

SHA512
47f58f745e978a837e5f2c34143e8319027e7a3b7f001535e67ac586ce0245af42e3c4c8612afc94554d0ffcab01adc92deb32fe2f196ab50f063a09deeb55ea

Download Submit
C:\Windows\{6EB25791-F19D-4691-A388-2B752260C2AF}.exe

Filesize
216KB

MD5
92533b54dd2fd7331597245767adc2c9

SHA1
d1a15b35cccbd8193bc1f307249be00485846e4b

SHA256
ffdbe8929923ea4f07502a7deb819a805e59de9fa69ea3a45ab67bd09c0465fb

SHA512
5125a2f8d423a618ddc7f25d9119d53f60e510154a0a163fffcaf68eab54b62398105770779a90cb6e57d88b2a8b46c826f5038d481f9ba4e85d2a4e55caa9da

Download Submit
C:\Windows\{6EB25791-F19D-4691-A388-2B752260C2AF}.exe

Filesize
216KB

MD5
92533b54dd2fd7331597245767adc2c9

SHA1
d1a15b35cccbd8193bc1f307249be00485846e4b

SHA256
ffdbe8929923ea4f07502a7deb819a805e59de9fa69ea3a45ab67bd09c0465fb

SHA512
5125a2f8d423a618ddc7f25d9119d53f60e510154a0a163fffcaf68eab54b62398105770779a90cb6e57d88b2a8b46c826f5038d481f9ba4e85d2a4e55caa9da

Download Submit
C:\Windows\{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe

Filesize
216KB

MD5
25b63b07e03d71e239bd960f2a6e4c67

SHA1
8e3333b4c37c80143bcac7a104ebea10a8285247

SHA256
ff50321d9739396d075ca0bbc799659f9b3f5c137926a42d4230f062302fca96

SHA512
556a82877dbd977ffb04e628b170f07ce65408c0ed33694cb3e8e72a2432edea46a9dcf00d5f1c02ae13bcf8b30f3b1cef59285ac23dba07e8db083dc1ba7579

Download Submit
C:\Windows\{755EA49D-F4F7-43f6-83C5-5910CE36F674}.exe

Filesize
216KB

MD5
25b63b07e03d71e239bd960f2a6e4c67

SHA1
8e3333b4c37c80143bcac7a104ebea10a8285247

SHA256
ff50321d9739396d075ca0bbc799659f9b3f5c137926a42d4230f062302fca96

SHA512
556a82877dbd977ffb04e628b170f07ce65408c0ed33694cb3e8e72a2432edea46a9dcf00d5f1c02ae13bcf8b30f3b1cef59285ac23dba07e8db083dc1ba7579

Download Submit
C:\Windows\{9A8E0808-A313-4a83-9197-B15F5A10ADDB}.exe

Filesize
216KB

MD5
cbf48decc335573b143a528ba1b204d5

SHA1
a8a2465d647cfbbfc5e9221bf02b30eb9f037b2b

SHA256
9eae67d38684401bea9ac4abc68622636e4afa2872be771724ef41372596f53c

SHA512
80f1b5bc7506db8addc2306cd523495753d53c412f3e3aafa01ce787a010e71d85f364b4e4a1e113e69fa1592dd4eacde5b3a7e83e8debd93c792a8395e7dae4

Download Submit
C:\Windows\{9A8E0808-A313-4a83-9197-B15F5A10ADDB}.exe

Filesize
216KB

MD5
cbf48decc335573b143a528ba1b204d5

SHA1
a8a2465d647cfbbfc5e9221bf02b30eb9f037b2b

SHA256
9eae67d38684401bea9ac4abc68622636e4afa2872be771724ef41372596f53c

SHA512
80f1b5bc7506db8addc2306cd523495753d53c412f3e3aafa01ce787a010e71d85f364b4e4a1e113e69fa1592dd4eacde5b3a7e83e8debd93c792a8395e7dae4

Download Submit
C:\Windows\{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe

Filesize
216KB

MD5
9cc0fadf0a35ca2fa3b69a150eb94389

SHA1
fd9c957448024fbf4eee59c2090389809ad14a11

SHA256
9243575d184773e1e239611baa82734a20751f4f84002438a09cf33b5322aadc

SHA512
f4f464410f89886b91348895dfbba8f81a1cb9875f4ab953038bb8526a33eee4696f7c020925061a3040fbbbb136c09af6600aeee0b501f7c3c06025a361e9f3

Download Submit
C:\Windows\{AD1BDF35-2FAC-4ada-BBA9-F5E507693485}.exe

Filesize
216KB

MD5
9cc0fadf0a35ca2fa3b69a150eb94389

SHA1
fd9c957448024fbf4eee59c2090389809ad14a11

SHA256
9243575d184773e1e239611baa82734a20751f4f84002438a09cf33b5322aadc

SHA512
f4f464410f89886b91348895dfbba8f81a1cb9875f4ab953038bb8526a33eee4696f7c020925061a3040fbbbb136c09af6600aeee0b501f7c3c06025a361e9f3

Download Submit
C:\Windows\{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe

Filesize
216KB

MD5
2ba8534bf37a3cd768f11447b43a581f

SHA1
84c1e5ad7ab7363770bac716001db029375ff3ce

SHA256
eda6652e31436e04c5e11545087fd6eb04c056de261c61c17d7b68f2247e0658

SHA512
101c82237ab2a1a7672e99f61d181d9f33c6305cc9e3189eda8019423273a83a86c1c29c35627537555439d992b18cbb9f772c822e00ac5b8da4b703e4451259

Download Submit
C:\Windows\{AFCE301D-7A05-4cb1-B164-F8C373F8652A}.exe

Filesize
216KB

MD5
2ba8534bf37a3cd768f11447b43a581f

SHA1
84c1e5ad7ab7363770bac716001db029375ff3ce

SHA256
eda6652e31436e04c5e11545087fd6eb04c056de261c61c17d7b68f2247e0658

SHA512
101c82237ab2a1a7672e99f61d181d9f33c6305cc9e3189eda8019423273a83a86c1c29c35627537555439d992b18cbb9f772c822e00ac5b8da4b703e4451259

Download Submit
C:\Windows\{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe

Filesize
216KB

MD5
c2aa027001d45e66ebc1e6a225c5c51c

SHA1
36bb27ac8f1dac01ab958b373f2df5901071a63e

SHA256
8364377ad5c57b52ae42cb0d4c1554d860fa89525e4a2785c3ce3b94dab66e37

SHA512
be3dc455b98cf214e0ce4d11ccdf2d7f324dc4993eb3c6f566b512ce8dcc0397ecfdb6270f1c25ec96bdce98a71f067a64ed924cb4ab12009e0633b823e029a2

Download Submit
C:\Windows\{DCBED69F-9F58-4781-933C-4EAF760E6D9E}.exe

Filesize
216KB

MD5
c2aa027001d45e66ebc1e6a225c5c51c

SHA1
36bb27ac8f1dac01ab958b373f2df5901071a63e

SHA256
8364377ad5c57b52ae42cb0d4c1554d860fa89525e4a2785c3ce3b94dab66e37

SHA512
be3dc455b98cf214e0ce4d11ccdf2d7f324dc4993eb3c6f566b512ce8dcc0397ecfdb6270f1c25ec96bdce98a71f067a64ed924cb4ab12009e0633b823e029a2

Download Submit
C:\Windows\{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe

Filesize
216KB

MD5
3360f936bd027a1134f6fa98b2e08b12

SHA1
87018e20c67bc70df2ba83764cb8b24f33039a84

SHA256
9dfaa7a6b9457674a7a92346f0676060687604405b8c07d4c59f8f839cf5af9f

SHA512
90f65eb2038790744c559bb70d735c9c0e1fdc0098b761998e54e8e33271546c9436cec9d37601746a28975331979045a293c107479400b925d6b0da0ea7c5ad

Download Submit
C:\Windows\{E4B5A3B2-1D3C-4bc5-AA9C-FD94BDC69F6B}.exe

Filesize
216KB

MD5
3360f936bd027a1134f6fa98b2e08b12

SHA1
87018e20c67bc70df2ba83764cb8b24f33039a84

SHA256
9dfaa7a6b9457674a7a92346f0676060687604405b8c07d4c59f8f839cf5af9f

SHA512
90f65eb2038790744c559bb70d735c9c0e1fdc0098b761998e54e8e33271546c9436cec9d37601746a28975331979045a293c107479400b925d6b0da0ea7c5ad

Download Submit
C:\Windows\{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe

Filesize
216KB

MD5
d9c55301768334de96de4c97ffd69a86

SHA1
1aa58fc08aa4746895578b4f501043e1f8c6dab5

SHA256
5cb0d9575e1b34042467ef1c13a98e95eb5903e25e90f880b90ef5b3d84903df

SHA512
5f7a1cb8d627b3765a84214f831afe551451bf43cb5e1058c2e2bde021ffd704f7e0ff3226b84eaa815294b1e6898f0171bad6f9e995613568966b24c6e24669

Download Submit
C:\Windows\{F2B3142B-3F5F-46b9-9185-B9E5FB39FB7B}.exe

Filesize
216KB

MD5
d9c55301768334de96de4c97ffd69a86

SHA1
1aa58fc08aa4746895578b4f501043e1f8c6dab5

SHA256
5cb0d9575e1b34042467ef1c13a98e95eb5903e25e90f880b90ef5b3d84903df

SHA512
5f7a1cb8d627b3765a84214f831afe551451bf43cb5e1058c2e2bde021ffd704f7e0ff3226b84eaa815294b1e6898f0171bad6f9e995613568966b24c6e24669

Download Submit