7ad604c6c6cb82ae134241e4a70e69405581309dcaf5add6f2246356ebfda695

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28c9daa374814bexeexe_JC.exe
Size

168KB
MD5

28c9daa374814bf33132f2c744793dd7
SHA1

495bf691c24beba4c570aad7fb9576514545b3ea
SHA256

7ad604c6c6cb82ae134241e4a70e69405581309dcaf5add6f2246356ebfda695
SHA512

63edf4af886634c521b47b8108337e3d7e7e35ab994d34fff60040bec96135e43b816061d82c6d15390c732dff82014451e9eb60f44a40005a9d4f38a95f3d80
SSDEEP

1536:1EGh0onlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0onlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{814F4C2E-D1B5-4e77-8A85-452B14FF6791}	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABAFD292-DCE4-4529-B732-217B93014236}\stubpath = "C:\\Windows\\{ABAFD292-DCE4-4529-B732-217B93014236}.exe"	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24465D09-2CB4-462e-814B-2B58A2C6F7AA}	{ABAFD292-DCE4-4529-B732-217B93014236}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{24465D09-2CB4-462e-814B-2B58A2C6F7AA}\stubpath = "C:\\Windows\\{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe"	{ABAFD292-DCE4-4529-B732-217B93014236}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F3826E-C982-460d-930D-5778E2377DE9}	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}\stubpath = "C:\\Windows\\{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe"	{32F3826E-C982-460d-930D-5778E2377DE9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}	28c9daa374814bexeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{814F4C2E-D1B5-4e77-8A85-452B14FF6791}\stubpath = "C:\\Windows\\{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe"	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}\stubpath = "C:\\Windows\\{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe"	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A6A9155-E993-4759-845C-EC2A90502B38}	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B550D01D-35AF-49a1-8B03-6A168016E630}\stubpath = "C:\\Windows\\{B550D01D-35AF-49a1-8B03-6A168016E630}.exe"	{7A6A9155-E993-4759-845C-EC2A90502B38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B98D6051-79F6-498d-BAF7-6039C7BC24AA}	{B550D01D-35AF-49a1-8B03-6A168016E630}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B98D6051-79F6-498d-BAF7-6039C7BC24AA}\stubpath = "C:\\Windows\\{B98D6051-79F6-498d-BAF7-6039C7BC24AA}.exe"	{B550D01D-35AF-49a1-8B03-6A168016E630}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ABAFD292-DCE4-4529-B732-217B93014236}	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D60C30D8-10D9-4bef-B1F3-73B96944334B}\stubpath = "C:\\Windows\\{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe"	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22E843E5-4736-4395-A4D3-C06E2C4E026C}	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{22E843E5-4736-4395-A4D3-C06E2C4E026C}\stubpath = "C:\\Windows\\{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe"	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32F3826E-C982-460d-930D-5778E2377DE9}\stubpath = "C:\\Windows\\{32F3826E-C982-460d-930D-5778E2377DE9}.exe"	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B550D01D-35AF-49a1-8B03-6A168016E630}	{7A6A9155-E993-4759-845C-EC2A90502B38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}\stubpath = "C:\\Windows\\{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe"	28c9daa374814bexeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D60C30D8-10D9-4bef-B1F3-73B96944334B}	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}	{32F3826E-C982-460d-930D-5778E2377DE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A6A9155-E993-4759-845C-EC2A90502B38}\stubpath = "C:\\Windows\\{7A6A9155-E993-4759-845C-EC2A90502B38}.exe"	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe

Executes dropped EXE 12 IoCs

pid	Process
2140	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe
1552	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe
2988	{ABAFD292-DCE4-4529-B732-217B93014236}.exe
4108	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe
3664	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe
4528	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe
3600	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe
3916	{32F3826E-C982-460d-930D-5778E2377DE9}.exe
456	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe
3328	{7A6A9155-E993-4759-845C-EC2A90502B38}.exe
1276	{B550D01D-35AF-49a1-8B03-6A168016E630}.exe
1420	{B98D6051-79F6-498d-BAF7-6039C7BC24AA}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe	28c9daa374814bexeexe_JC.exe
File created	C:\Windows\{ABAFD292-DCE4-4529-B732-217B93014236}.exe	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe
File created	C:\Windows\{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe
File created	C:\Windows\{7A6A9155-E993-4759-845C-EC2A90502B38}.exe	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe
File created	C:\Windows\{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe
File created	C:\Windows\{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe	{ABAFD292-DCE4-4529-B732-217B93014236}.exe
File created	C:\Windows\{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe
File created	C:\Windows\{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe
File created	C:\Windows\{32F3826E-C982-460d-930D-5778E2377DE9}.exe	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe
File created	C:\Windows\{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe	{32F3826E-C982-460d-930D-5778E2377DE9}.exe
File created	C:\Windows\{B550D01D-35AF-49a1-8B03-6A168016E630}.exe	{7A6A9155-E993-4759-845C-EC2A90502B38}.exe
File created	C:\Windows\{B98D6051-79F6-498d-BAF7-6039C7BC24AA}.exe	{B550D01D-35AF-49a1-8B03-6A168016E630}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4644	28c9daa374814bexeexe_JC.exe
Token: SeIncBasePriorityPrivilege	2140	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe
Token: SeIncBasePriorityPrivilege	1552	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe
Token: SeIncBasePriorityPrivilege	2988	{ABAFD292-DCE4-4529-B732-217B93014236}.exe
Token: SeIncBasePriorityPrivilege	4108	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe
Token: SeIncBasePriorityPrivilege	3664	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe
Token: SeIncBasePriorityPrivilege	4528	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe
Token: SeIncBasePriorityPrivilege	3600	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe
Token: SeIncBasePriorityPrivilege	3916	{32F3826E-C982-460d-930D-5778E2377DE9}.exe
Token: SeIncBasePriorityPrivilege	456	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe
Token: SeIncBasePriorityPrivilege	3328	{7A6A9155-E993-4759-845C-EC2A90502B38}.exe
Token: SeIncBasePriorityPrivilege	1276	{B550D01D-35AF-49a1-8B03-6A168016E630}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 2140	4644	28c9daa374814bexeexe_JC.exe	96
PID 4644 wrote to memory of 2140	4644	28c9daa374814bexeexe_JC.exe	96
PID 4644 wrote to memory of 2140	4644	28c9daa374814bexeexe_JC.exe	96
PID 4644 wrote to memory of 1664	4644	28c9daa374814bexeexe_JC.exe	97
PID 4644 wrote to memory of 1664	4644	28c9daa374814bexeexe_JC.exe	97
PID 4644 wrote to memory of 1664	4644	28c9daa374814bexeexe_JC.exe	97
PID 2140 wrote to memory of 1552	2140	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe	99
PID 2140 wrote to memory of 1552	2140	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe	99
PID 2140 wrote to memory of 1552	2140	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe	99
PID 2140 wrote to memory of 1816	2140	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe	100
PID 2140 wrote to memory of 1816	2140	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe	100
PID 2140 wrote to memory of 1816	2140	{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe	100
PID 1552 wrote to memory of 2988	1552	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe	102
PID 1552 wrote to memory of 2988	1552	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe	102
PID 1552 wrote to memory of 2988	1552	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe	102
PID 1552 wrote to memory of 1204	1552	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe	103
PID 1552 wrote to memory of 1204	1552	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe	103
PID 1552 wrote to memory of 1204	1552	{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe	103
PID 2988 wrote to memory of 4108	2988	{ABAFD292-DCE4-4529-B732-217B93014236}.exe	104
PID 2988 wrote to memory of 4108	2988	{ABAFD292-DCE4-4529-B732-217B93014236}.exe	104
PID 2988 wrote to memory of 4108	2988	{ABAFD292-DCE4-4529-B732-217B93014236}.exe	104
PID 2988 wrote to memory of 1440	2988	{ABAFD292-DCE4-4529-B732-217B93014236}.exe	105
PID 2988 wrote to memory of 1440	2988	{ABAFD292-DCE4-4529-B732-217B93014236}.exe	105
PID 2988 wrote to memory of 1440	2988	{ABAFD292-DCE4-4529-B732-217B93014236}.exe	105
PID 4108 wrote to memory of 3664	4108	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe	106
PID 4108 wrote to memory of 3664	4108	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe	106
PID 4108 wrote to memory of 3664	4108	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe	106
PID 4108 wrote to memory of 4932	4108	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe	107
PID 4108 wrote to memory of 4932	4108	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe	107
PID 4108 wrote to memory of 4932	4108	{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe	107
PID 3664 wrote to memory of 4528	3664	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe	108
PID 3664 wrote to memory of 4528	3664	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe	108
PID 3664 wrote to memory of 4528	3664	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe	108
PID 3664 wrote to memory of 2716	3664	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe	109
PID 3664 wrote to memory of 2716	3664	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe	109
PID 3664 wrote to memory of 2716	3664	{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe	109
PID 4528 wrote to memory of 3600	4528	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe	110
PID 4528 wrote to memory of 3600	4528	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe	110
PID 4528 wrote to memory of 3600	4528	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe	110
PID 4528 wrote to memory of 2256	4528	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe	111
PID 4528 wrote to memory of 2256	4528	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe	111
PID 4528 wrote to memory of 2256	4528	{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe	111
PID 3600 wrote to memory of 3916	3600	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe	112
PID 3600 wrote to memory of 3916	3600	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe	112
PID 3600 wrote to memory of 3916	3600	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe	112
PID 3600 wrote to memory of 4476	3600	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe	113
PID 3600 wrote to memory of 4476	3600	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe	113
PID 3600 wrote to memory of 4476	3600	{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe	113
PID 3916 wrote to memory of 456	3916	{32F3826E-C982-460d-930D-5778E2377DE9}.exe	114
PID 3916 wrote to memory of 456	3916	{32F3826E-C982-460d-930D-5778E2377DE9}.exe	114
PID 3916 wrote to memory of 456	3916	{32F3826E-C982-460d-930D-5778E2377DE9}.exe	114
PID 3916 wrote to memory of 3176	3916	{32F3826E-C982-460d-930D-5778E2377DE9}.exe	115
PID 3916 wrote to memory of 3176	3916	{32F3826E-C982-460d-930D-5778E2377DE9}.exe	115
PID 3916 wrote to memory of 3176	3916	{32F3826E-C982-460d-930D-5778E2377DE9}.exe	115
PID 456 wrote to memory of 3328	456	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe	116
PID 456 wrote to memory of 3328	456	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe	116
PID 456 wrote to memory of 3328	456	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe	116
PID 456 wrote to memory of 3552	456	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe	117
PID 456 wrote to memory of 3552	456	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe	117
PID 456 wrote to memory of 3552	456	{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe	117
PID 3328 wrote to memory of 1276	3328	{7A6A9155-E993-4759-845C-EC2A90502B38}.exe	118
PID 3328 wrote to memory of 1276	3328	{7A6A9155-E993-4759-845C-EC2A90502B38}.exe	118
PID 3328 wrote to memory of 1276	3328	{7A6A9155-E993-4759-845C-EC2A90502B38}.exe	118
PID 3328 wrote to memory of 4832	3328	{7A6A9155-E993-4759-845C-EC2A90502B38}.exe	119

C:\Users\Admin\AppData\Local\Temp\28c9daa374814bexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\28c9daa374814bexeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Windows\{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe
  C:\Windows\{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe
    C:\Windows\{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\{ABAFD292-DCE4-4529-B732-217B93014236}.exe
      C:\Windows\{ABAFD292-DCE4-4529-B732-217B93014236}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe
        
        C:\Windows\{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4108
      - C:\Windows\{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe
        
        C:\Windows\{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Windows\{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe
        
        C:\Windows\{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4528
        
        C:\Windows\{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe
        
        C:\Windows\{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Windows\{32F3826E-C982-460d-930D-5778E2377DE9}.exe
        
        C:\Windows\{32F3826E-C982-460d-930D-5778E2377DE9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3916
        
        C:\Windows\{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe
        
        C:\Windows\{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{7A6A9155-E993-4759-845C-EC2A90502B38}.exe
        
        C:\Windows\{7A6A9155-E993-4759-845C-EC2A90502B38}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3328
        
        C:\Windows\{B550D01D-35AF-49a1-8B03-6A168016E630}.exe
        
        C:\Windows\{B550D01D-35AF-49a1-8B03-6A168016E630}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\{B98D6051-79F6-498d-BAF7-6039C7BC24AA}.exe
        
        C:\Windows\{B98D6051-79F6-498d-BAF7-6039C7BC24AA}.exe
        13⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B550D~1.EXE > nul
        13⤵
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A6A9~1.EXE > nul
        12⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87D8E~1.EXE > nul
        11⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32F38~1.EXE > nul
        10⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9B61~1.EXE > nul
        9⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22E84~1.EXE > nul
        8⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D60C3~1.EXE > nul
        7⤵
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24465~1.EXE > nul
        6⤵
        
        PID:4932
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABAFD~1.EXE > nul
        5⤵
        
        PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{814F4~1.EXE > nul
      4⤵
      PID:1204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9AD96~1.EXE > nul
    3⤵
    PID:1816
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\28C9DA~1.EXE > nul
  2⤵
  PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe

Filesize
168KB

MD5
9d7c31435f2445b0b816ab59c668f9be

SHA1
6d3fcf04ac4e3011b2b5fce3f2da75f8855ef760

SHA256
661eb3004825f17986f1685fe92a76f95fc7da829a4e131d2778eb803fbd074b

SHA512
0e443194a95b3d90935c85fe706254598e2bf8709a5178c3a624f1d9d89b56109bcab560c00b9e41b4a00451a82b0bf4ef582e4af38ba72e9da571db76728666

Download Submit
C:\Windows\{22E843E5-4736-4395-A4D3-C06E2C4E026C}.exe

Filesize
168KB

MD5
9d7c31435f2445b0b816ab59c668f9be

SHA1
6d3fcf04ac4e3011b2b5fce3f2da75f8855ef760

SHA256
661eb3004825f17986f1685fe92a76f95fc7da829a4e131d2778eb803fbd074b

SHA512
0e443194a95b3d90935c85fe706254598e2bf8709a5178c3a624f1d9d89b56109bcab560c00b9e41b4a00451a82b0bf4ef582e4af38ba72e9da571db76728666

Download Submit
C:\Windows\{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe

Filesize
168KB

MD5
9fc1bcfe46f7c40550a7d86b8a74bbdf

SHA1
caa8038701d5f3c3921c3c2162410631b5062859

SHA256
37012f13a67d94dafcc4c062873d31102dafe15aee6a8e89530c49d173ceb9b5

SHA512
ad2c7c144f713ec661c35bcfdae6458afd6fda21d73a3121999d80d9289870e36a0a58111edfbdcb3221af7a7d37e7942cd178c6b506bdedd1433655d8717b78

Download Submit
C:\Windows\{24465D09-2CB4-462e-814B-2B58A2C6F7AA}.exe

Filesize
168KB

MD5
9fc1bcfe46f7c40550a7d86b8a74bbdf

SHA1
caa8038701d5f3c3921c3c2162410631b5062859

SHA256
37012f13a67d94dafcc4c062873d31102dafe15aee6a8e89530c49d173ceb9b5

SHA512
ad2c7c144f713ec661c35bcfdae6458afd6fda21d73a3121999d80d9289870e36a0a58111edfbdcb3221af7a7d37e7942cd178c6b506bdedd1433655d8717b78

Download Submit
C:\Windows\{32F3826E-C982-460d-930D-5778E2377DE9}.exe

Filesize
168KB

MD5
5144d17453bb0b72bfa8423816423acd

SHA1
f71aaf8cc7eeba17c9b91ac543052f24b075f5fd

SHA256
8aae8776ac5e5f6dd9a40381e3c80653c7411f9bd4d7218cda2dece6025e2bb5

SHA512
0f4851c0ccd2618c68484ccd3a4fe56087e3ff515cd9fae68b6ea4f9c13e2a4adb209cd269f96bda41e8d9e7a38f3648d1fb2eda81ffb75658d7f28f136c2a03

Download Submit
C:\Windows\{32F3826E-C982-460d-930D-5778E2377DE9}.exe

Filesize
168KB

MD5
5144d17453bb0b72bfa8423816423acd

SHA1
f71aaf8cc7eeba17c9b91ac543052f24b075f5fd

SHA256
8aae8776ac5e5f6dd9a40381e3c80653c7411f9bd4d7218cda2dece6025e2bb5

SHA512
0f4851c0ccd2618c68484ccd3a4fe56087e3ff515cd9fae68b6ea4f9c13e2a4adb209cd269f96bda41e8d9e7a38f3648d1fb2eda81ffb75658d7f28f136c2a03

Download Submit
C:\Windows\{7A6A9155-E993-4759-845C-EC2A90502B38}.exe

Filesize
168KB

MD5
7eaa406432f16dbfdab70974461b2643

SHA1
becd8d551eb4b132569e9450e57967aa54d5550a

SHA256
09450613d472f951fa6f806f4b3873105a36fb4e637bebb62b787bbf4c8ff350

SHA512
7c3e181ce409a1bfd2a071cd135221903c6e932aaf61e91a5bfbc40cf2834820376ac308c0f0ae7dfa632ec052576c7bf132a5b71c52b658d06a188c5dd115b9

Download Submit
C:\Windows\{7A6A9155-E993-4759-845C-EC2A90502B38}.exe

Filesize
168KB

MD5
7eaa406432f16dbfdab70974461b2643

SHA1
becd8d551eb4b132569e9450e57967aa54d5550a

SHA256
09450613d472f951fa6f806f4b3873105a36fb4e637bebb62b787bbf4c8ff350

SHA512
7c3e181ce409a1bfd2a071cd135221903c6e932aaf61e91a5bfbc40cf2834820376ac308c0f0ae7dfa632ec052576c7bf132a5b71c52b658d06a188c5dd115b9

Download Submit
C:\Windows\{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe

Filesize
168KB

MD5
a26630d4034dfd7c0765c7c818f90fcb

SHA1
4c7e0247ec4ebfd87aaca2e65b098c10d63a1c19

SHA256
44c52fb2cdd31859652f3afcc3a38521f6c8012a1927bb2edc493a25ab0825ed

SHA512
d59af3d794ec811af9f8374c22e331dc602b40a8761e8c091b4f7a8105e4da0b87096d655f8acd2642ec4b6849e27f8736a4f25ec598b48af2573d1c912140ec

Download Submit
C:\Windows\{814F4C2E-D1B5-4e77-8A85-452B14FF6791}.exe

Filesize
168KB

MD5
a26630d4034dfd7c0765c7c818f90fcb

SHA1
4c7e0247ec4ebfd87aaca2e65b098c10d63a1c19

SHA256
44c52fb2cdd31859652f3afcc3a38521f6c8012a1927bb2edc493a25ab0825ed

SHA512
d59af3d794ec811af9f8374c22e331dc602b40a8761e8c091b4f7a8105e4da0b87096d655f8acd2642ec4b6849e27f8736a4f25ec598b48af2573d1c912140ec

Download Submit
C:\Windows\{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe

Filesize
168KB

MD5
8468564ac5b6cb8bda5327689f34b213

SHA1
cba06bbe30f0de9a0486814a0e41f838890ee7b2

SHA256
34f5e08ac63f232ecd98ce925b9541cb49a324ffb9636b346f626433b15aac9a

SHA512
57ea98734bc414b053fd167cff22c4879b0a694e6815b3ecb6c5498594984421e84a060e9ef5b225008bfa1a933e4d553a21f866e552e7295c0234734afc4d96

Download Submit
C:\Windows\{87D8EBA3-11AB-4277-B7A7-B80CF7D2321D}.exe

Filesize
168KB

MD5
8468564ac5b6cb8bda5327689f34b213

SHA1
cba06bbe30f0de9a0486814a0e41f838890ee7b2

SHA256
34f5e08ac63f232ecd98ce925b9541cb49a324ffb9636b346f626433b15aac9a

SHA512
57ea98734bc414b053fd167cff22c4879b0a694e6815b3ecb6c5498594984421e84a060e9ef5b225008bfa1a933e4d553a21f866e552e7295c0234734afc4d96

Download Submit
C:\Windows\{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe

Filesize
168KB

MD5
d83f2248a7db8d83e9fdc3568630d8bf

SHA1
14dad6dd4885d3e0bc50810e99809075df8b6bc8

SHA256
9e03f8f4cc2da15d7750c28dfcfc01e17ff0307804b0b84df971e935a45e38f7

SHA512
589669ed1648aa2beb5b39bb25f1760e4306e621ead1e6748a65a63b4bd419e518dc775b71739bd20cbe68149a84977819bc6a6ba216c826b081099102399cdb

Download Submit
C:\Windows\{9AD96044-9D34-402e-9FC1-EF11F1D05A4F}.exe

Filesize
168KB

MD5
d83f2248a7db8d83e9fdc3568630d8bf

SHA1
14dad6dd4885d3e0bc50810e99809075df8b6bc8

SHA256
9e03f8f4cc2da15d7750c28dfcfc01e17ff0307804b0b84df971e935a45e38f7

SHA512
589669ed1648aa2beb5b39bb25f1760e4306e621ead1e6748a65a63b4bd419e518dc775b71739bd20cbe68149a84977819bc6a6ba216c826b081099102399cdb

Download Submit
C:\Windows\{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe

Filesize
168KB

MD5
c6d1715885f434381d4ec035fefe7174

SHA1
36090c63e1288d453e1e5478c6853573f6556679

SHA256
d8262bd7cb77c9e7d6cfcd59612d4c8a95a43fc54a0a2fd1363b3aca8e49681f

SHA512
a7a1f2ba215703ada0c0db59175a17e3193d769becf8a89bb653e5a229ab8d11765bce0a5b14f6a1c0e58a666a560bcfac6e38128c71a92f132220c3d51699da

Download Submit
C:\Windows\{A9B618F5-9231-4a71-BEDD-A0FB5C10C4F5}.exe

Filesize
168KB

MD5
c6d1715885f434381d4ec035fefe7174

SHA1
36090c63e1288d453e1e5478c6853573f6556679

SHA256
d8262bd7cb77c9e7d6cfcd59612d4c8a95a43fc54a0a2fd1363b3aca8e49681f

SHA512
a7a1f2ba215703ada0c0db59175a17e3193d769becf8a89bb653e5a229ab8d11765bce0a5b14f6a1c0e58a666a560bcfac6e38128c71a92f132220c3d51699da

Download Submit
C:\Windows\{ABAFD292-DCE4-4529-B732-217B93014236}.exe

Filesize
168KB

MD5
850019c303c742ae7f079d4a39e20825

SHA1
13e9b0a1a42ca9eeb62b6b5712726fec66ab1672

SHA256
2b31fc5cab6d1cb2da06753bb4ff28e00133289a641b21bddbb36c220f4f2734

SHA512
5737ddcf940a4dc83521475cffcddb12cc6357356bf74e1f4c48f965999c00861a0b9e506f9743eab16ba522642ac1f00087a4c01ee1f4d6e82850eb66847c1d

Download Submit
C:\Windows\{ABAFD292-DCE4-4529-B732-217B93014236}.exe

Filesize
168KB

MD5
850019c303c742ae7f079d4a39e20825

SHA1
13e9b0a1a42ca9eeb62b6b5712726fec66ab1672

SHA256
2b31fc5cab6d1cb2da06753bb4ff28e00133289a641b21bddbb36c220f4f2734

SHA512
5737ddcf940a4dc83521475cffcddb12cc6357356bf74e1f4c48f965999c00861a0b9e506f9743eab16ba522642ac1f00087a4c01ee1f4d6e82850eb66847c1d

Download Submit
C:\Windows\{ABAFD292-DCE4-4529-B732-217B93014236}.exe

Filesize
168KB

MD5
850019c303c742ae7f079d4a39e20825

SHA1
13e9b0a1a42ca9eeb62b6b5712726fec66ab1672

SHA256
2b31fc5cab6d1cb2da06753bb4ff28e00133289a641b21bddbb36c220f4f2734

SHA512
5737ddcf940a4dc83521475cffcddb12cc6357356bf74e1f4c48f965999c00861a0b9e506f9743eab16ba522642ac1f00087a4c01ee1f4d6e82850eb66847c1d

Download Submit
C:\Windows\{B550D01D-35AF-49a1-8B03-6A168016E630}.exe

Filesize
168KB

MD5
826bfaaf63643b0e1db88404f8037621

SHA1
6e7b36c4f1b8da7f8ff2d42fe194594ca0220330

SHA256
d250deceebad55db98c11d7f24816a04482a00a232cb9c4e72e7c26d93a94248

SHA512
ed49ba864e0bfbfbf3ad41e8127d1f9309ff5ddb6e8c08d3da2d8d2329a84f6f6cc29f48886c023d4e6e718b114f079e8bba8d63efca4294f13842467246f99d

Download Submit
C:\Windows\{B550D01D-35AF-49a1-8B03-6A168016E630}.exe

Filesize
168KB

MD5
826bfaaf63643b0e1db88404f8037621

SHA1
6e7b36c4f1b8da7f8ff2d42fe194594ca0220330

SHA256
d250deceebad55db98c11d7f24816a04482a00a232cb9c4e72e7c26d93a94248

SHA512
ed49ba864e0bfbfbf3ad41e8127d1f9309ff5ddb6e8c08d3da2d8d2329a84f6f6cc29f48886c023d4e6e718b114f079e8bba8d63efca4294f13842467246f99d

Download Submit
C:\Windows\{B98D6051-79F6-498d-BAF7-6039C7BC24AA}.exe

Filesize
168KB

MD5
b9ff3883247d6f5cb3084be0527c9465

SHA1
23a6581cf55fe517d0a1fdbea259cb18e6ff3766

SHA256
49f07dca29b6b5a14066ed8badab68fb74e72590dd0fadc53cfe17a206026280

SHA512
01f93fa73443042fdf036ddd5c73347e380580006749a216b9ecdb0de9c06376a71c0d4d181d190f400175f8d27780bc75e844d800ae010e4a606d3361af5538

Download Submit
C:\Windows\{B98D6051-79F6-498d-BAF7-6039C7BC24AA}.exe

Filesize
168KB

MD5
b9ff3883247d6f5cb3084be0527c9465

SHA1
23a6581cf55fe517d0a1fdbea259cb18e6ff3766

SHA256
49f07dca29b6b5a14066ed8badab68fb74e72590dd0fadc53cfe17a206026280

SHA512
01f93fa73443042fdf036ddd5c73347e380580006749a216b9ecdb0de9c06376a71c0d4d181d190f400175f8d27780bc75e844d800ae010e4a606d3361af5538

Download Submit
C:\Windows\{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe

Filesize
168KB

MD5
626322a348232d786ebed9efc7d59350

SHA1
cf9b4ab0e76678b38346b230d7cf7a37bb12e0f8

SHA256
f99d9da8544291ea5feba158801384659cb3030a2254fedc9a258b8ea9cdafd9

SHA512
01704fedeae39682f22f5cb1792c18bdf8d1f925e536beb5ea327befcb784c4e0f1966ff5aaef345002f5d931273660c21ed750e97d6c8f399b201116e48ca0b

Download Submit
C:\Windows\{D60C30D8-10D9-4bef-B1F3-73B96944334B}.exe

Filesize
168KB

MD5
626322a348232d786ebed9efc7d59350

SHA1
cf9b4ab0e76678b38346b230d7cf7a37bb12e0f8

SHA256
f99d9da8544291ea5feba158801384659cb3030a2254fedc9a258b8ea9cdafd9

SHA512
01704fedeae39682f22f5cb1792c18bdf8d1f925e536beb5ea327befcb784c4e0f1966ff5aaef345002f5d931273660c21ed750e97d6c8f399b201116e48ca0b

Download Submit