8a0f844ed670dd5985c14ddb7a5d9d5f35b3aab9e507e85e506685d8f27918c5

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e3bb8d8327f78_JC.exe
Size

168KB
MD5

9e3bb8d8327f78444b4aec882199a0f9
SHA1

544a2b56d3e0e582029c3099910197462cd03320
SHA256

8a0f844ed670dd5985c14ddb7a5d9d5f35b3aab9e507e85e506685d8f27918c5
SHA512

829a5dc284f632688274fad12c71f0efbe8307479b1bb974c5fc1e8b5942cb210e92d74241fd882f07160e8bd1dd1bca145ab6c017c12e819b61bb2fd1010d61
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}\stubpath = "C:\\Windows\\{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe"	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62D8288B-D55A-4ab5-A6F9-B3F05366300D}\stubpath = "C:\\Windows\\{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe"	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}\stubpath = "C:\\Windows\\{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe"	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A41F2D3-361A-4d0c-9AB6-112BB1D0C995}\stubpath = "C:\\Windows\\{2A41F2D3-361A-4d0c-9AB6-112BB1D0C995}.exe"	{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E288BD3-6762-4001-9C83-C15007384F99}	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB02CEDD-81EB-4a25-8131-081F3A0CB321}\stubpath = "C:\\Windows\\{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe"	{4E288BD3-6762-4001-9C83-C15007384F99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1E1CACE-F993-4a83-BDD9-B911232A3F40}	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB02CEDD-81EB-4a25-8131-081F3A0CB321}	{4E288BD3-6762-4001-9C83-C15007384F99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF8BADF6-5334-474f-9582-02048B6540D4}\stubpath = "C:\\Windows\\{DF8BADF6-5334-474f-9582-02048B6540D4}.exe"	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{286FCF54-81F0-4a7b-8953-C7F96C8A3710}	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD388AD0-4E21-4035-A232-4DA15FB57BD0}	{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCA98089-CF16-498a-BDE5-9E49045A2125}	9e3bb8d8327f78_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCA98089-CF16-498a-BDE5-9E49045A2125}\stubpath = "C:\\Windows\\{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe"	9e3bb8d8327f78_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A41F2D3-361A-4d0c-9AB6-112BB1D0C995}	{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62D8288B-D55A-4ab5-A6F9-B3F05366300D}	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E288BD3-6762-4001-9C83-C15007384F99}\stubpath = "C:\\Windows\\{4E288BD3-6762-4001-9C83-C15007384F99}.exe"	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF8BADF6-5334-474f-9582-02048B6540D4}	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2932C126-1697-47c5-BAB4-0CB66E296576}\stubpath = "C:\\Windows\\{2932C126-1697-47c5-BAB4-0CB66E296576}.exe"	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{286FCF54-81F0-4a7b-8953-C7F96C8A3710}\stubpath = "C:\\Windows\\{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe"	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AD388AD0-4E21-4035-A232-4DA15FB57BD0}\stubpath = "C:\\Windows\\{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe"	{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1E1CACE-F993-4a83-BDD9-B911232A3F40}\stubpath = "C:\\Windows\\{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe"	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2932C126-1697-47c5-BAB4-0CB66E296576}	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe

Executes dropped EXE 12 IoCs

pid	Process
3448	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe
756	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe
2056	{4E288BD3-6762-4001-9C83-C15007384F99}.exe
1180	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe
1784	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe
1620	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe
4384	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe
1712	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe
3472	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe
3320	{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe
2744	{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe
3928	{2A41F2D3-361A-4d0c-9AB6-112BB1D0C995}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe
File created	C:\Windows\{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe
File created	C:\Windows\{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe	9e3bb8d8327f78_JC.exe
File created	C:\Windows\{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe
File created	C:\Windows\{4E288BD3-6762-4001-9C83-C15007384F99}.exe	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe
File created	C:\Windows\{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe	{4E288BD3-6762-4001-9C83-C15007384F99}.exe
File created	C:\Windows\{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe	{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe
File created	C:\Windows\{2A41F2D3-361A-4d0c-9AB6-112BB1D0C995}.exe	{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe
File created	C:\Windows\{DF8BADF6-5334-474f-9582-02048B6540D4}.exe	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe
File created	C:\Windows\{2932C126-1697-47c5-BAB4-0CB66E296576}.exe	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe
File created	C:\Windows\{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe
File created	C:\Windows\{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2052	9e3bb8d8327f78_JC.exe
Token: SeIncBasePriorityPrivilege	3448	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe
Token: SeIncBasePriorityPrivilege	756	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe
Token: SeIncBasePriorityPrivilege	2056	{4E288BD3-6762-4001-9C83-C15007384F99}.exe
Token: SeIncBasePriorityPrivilege	1180	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe
Token: SeIncBasePriorityPrivilege	1784	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe
Token: SeIncBasePriorityPrivilege	1620	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe
Token: SeIncBasePriorityPrivilege	4384	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe
Token: SeIncBasePriorityPrivilege	1712	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe
Token: SeIncBasePriorityPrivilege	3472	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe
Token: SeIncBasePriorityPrivilege	3320	{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe
Token: SeIncBasePriorityPrivilege	2744	{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 3448	2052	9e3bb8d8327f78_JC.exe	99
PID 2052 wrote to memory of 3448	2052	9e3bb8d8327f78_JC.exe	99
PID 2052 wrote to memory of 3448	2052	9e3bb8d8327f78_JC.exe	99
PID 2052 wrote to memory of 2560	2052	9e3bb8d8327f78_JC.exe	100
PID 2052 wrote to memory of 2560	2052	9e3bb8d8327f78_JC.exe	100
PID 2052 wrote to memory of 2560	2052	9e3bb8d8327f78_JC.exe	100
PID 3448 wrote to memory of 756	3448	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe	101
PID 3448 wrote to memory of 756	3448	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe	101
PID 3448 wrote to memory of 756	3448	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe	101
PID 3448 wrote to memory of 4968	3448	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe	102
PID 3448 wrote to memory of 4968	3448	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe	102
PID 3448 wrote to memory of 4968	3448	{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe	102
PID 756 wrote to memory of 2056	756	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe	105
PID 756 wrote to memory of 2056	756	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe	105
PID 756 wrote to memory of 2056	756	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe	105
PID 756 wrote to memory of 3720	756	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe	106
PID 756 wrote to memory of 3720	756	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe	106
PID 756 wrote to memory of 3720	756	{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe	106
PID 2056 wrote to memory of 1180	2056	{4E288BD3-6762-4001-9C83-C15007384F99}.exe	107
PID 2056 wrote to memory of 1180	2056	{4E288BD3-6762-4001-9C83-C15007384F99}.exe	107
PID 2056 wrote to memory of 1180	2056	{4E288BD3-6762-4001-9C83-C15007384F99}.exe	107
PID 2056 wrote to memory of 572	2056	{4E288BD3-6762-4001-9C83-C15007384F99}.exe	108
PID 2056 wrote to memory of 572	2056	{4E288BD3-6762-4001-9C83-C15007384F99}.exe	108
PID 2056 wrote to memory of 572	2056	{4E288BD3-6762-4001-9C83-C15007384F99}.exe	108
PID 1180 wrote to memory of 1784	1180	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe	109
PID 1180 wrote to memory of 1784	1180	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe	109
PID 1180 wrote to memory of 1784	1180	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe	109
PID 1180 wrote to memory of 1168	1180	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe	110
PID 1180 wrote to memory of 1168	1180	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe	110
PID 1180 wrote to memory of 1168	1180	{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe	110
PID 1784 wrote to memory of 1620	1784	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe	111
PID 1784 wrote to memory of 1620	1784	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe	111
PID 1784 wrote to memory of 1620	1784	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe	111
PID 1784 wrote to memory of 1204	1784	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe	112
PID 1784 wrote to memory of 1204	1784	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe	112
PID 1784 wrote to memory of 1204	1784	{DF8BADF6-5334-474f-9582-02048B6540D4}.exe	112
PID 1620 wrote to memory of 4384	1620	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe	114
PID 1620 wrote to memory of 4384	1620	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe	114
PID 1620 wrote to memory of 4384	1620	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe	114
PID 1620 wrote to memory of 4484	1620	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe	115
PID 1620 wrote to memory of 4484	1620	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe	115
PID 1620 wrote to memory of 4484	1620	{2932C126-1697-47c5-BAB4-0CB66E296576}.exe	115
PID 4384 wrote to memory of 1712	4384	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe	116
PID 4384 wrote to memory of 1712	4384	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe	116
PID 4384 wrote to memory of 1712	4384	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe	116
PID 4384 wrote to memory of 4532	4384	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe	117
PID 4384 wrote to memory of 4532	4384	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe	117
PID 4384 wrote to memory of 4532	4384	{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe	117
PID 1712 wrote to memory of 3472	1712	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe	118
PID 1712 wrote to memory of 3472	1712	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe	118
PID 1712 wrote to memory of 3472	1712	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe	118
PID 1712 wrote to memory of 4992	1712	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe	119
PID 1712 wrote to memory of 4992	1712	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe	119
PID 1712 wrote to memory of 4992	1712	{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe	119
PID 3472 wrote to memory of 3320	3472	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe	120
PID 3472 wrote to memory of 3320	3472	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe	120
PID 3472 wrote to memory of 3320	3472	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe	120
PID 3472 wrote to memory of 3704	3472	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe	121
PID 3472 wrote to memory of 3704	3472	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe	121
PID 3472 wrote to memory of 3704	3472	{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe	121
PID 3320 wrote to memory of 2744	3320	{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe	122
PID 3320 wrote to memory of 2744	3320	{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe	122
PID 3320 wrote to memory of 2744	3320	{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe	122
PID 3320 wrote to memory of 2052	3320	{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe	123

C:\Users\Admin\AppData\Local\Temp\9e3bb8d8327f78_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9e3bb8d8327f78_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe
  C:\Windows\{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3448
- - C:\Windows\{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe
    C:\Windows\{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\{4E288BD3-6762-4001-9C83-C15007384F99}.exe
      C:\Windows\{4E288BD3-6762-4001-9C83-C15007384F99}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe
        
        C:\Windows\{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Windows\{DF8BADF6-5334-474f-9582-02048B6540D4}.exe
        
        C:\Windows\{DF8BADF6-5334-474f-9582-02048B6540D4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\{2932C126-1697-47c5-BAB4-0CB66E296576}.exe
        
        C:\Windows\{2932C126-1697-47c5-BAB4-0CB66E296576}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe
        
        C:\Windows\{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe
        
        C:\Windows\{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe
        
        C:\Windows\{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3472
        
        C:\Windows\{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe
        
        C:\Windows\{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe
        
        C:\Windows\{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{2A41F2D3-361A-4d0c-9AB6-112BB1D0C995}.exe
        
        C:\Windows\{2A41F2D3-361A-4d0c-9AB6-112BB1D0C995}.exe
        13⤵
        Executes dropped EXE
        
        PID:3928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD388~1.EXE > nul
        13⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{286FC~1.EXE > nul
        12⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DE3D6~1.EXE > nul
        11⤵
        
        PID:3704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62D82~1.EXE > nul
        10⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F8A2~1.EXE > nul
        9⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2932C~1.EXE > nul
        8⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF8BA~1.EXE > nul
        7⤵
        
        PID:1204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB02C~1.EXE > nul
        6⤵
        
        PID:1168
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4E288~1.EXE > nul
        5⤵
        
        PID:572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F1E1C~1.EXE > nul
      4⤵
      PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DCA98~1.EXE > nul
    3⤵
    PID:4968
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9E3BB8~1.EXE > nul
  2⤵
  PID:2560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe

Filesize
168KB

MD5
bf9b5e519030e42dfc526cae92681a89

SHA1
081f3301a96c111f4f651a03c0d2818b5a7631ca

SHA256
8a74c3be552503fe85cb335f9667135b9b1aef9f5295ec753752b039aa534b84

SHA512
753c09a4ef4130a0b26cc1b017f29cfa9d949386ae7950ac5e9c58702b295abdcbc367298e38c5cd9133b96a04a74b56c59f41e658d925073beae7b5aebc7ae2

Download Submit
C:\Windows\{286FCF54-81F0-4a7b-8953-C7F96C8A3710}.exe

Filesize
168KB

MD5
bf9b5e519030e42dfc526cae92681a89

SHA1
081f3301a96c111f4f651a03c0d2818b5a7631ca

SHA256
8a74c3be552503fe85cb335f9667135b9b1aef9f5295ec753752b039aa534b84

SHA512
753c09a4ef4130a0b26cc1b017f29cfa9d949386ae7950ac5e9c58702b295abdcbc367298e38c5cd9133b96a04a74b56c59f41e658d925073beae7b5aebc7ae2

Download Submit
C:\Windows\{2932C126-1697-47c5-BAB4-0CB66E296576}.exe

Filesize
168KB

MD5
be5d8b5e65292e3a20f6944231e21eac

SHA1
f30741f10850304fbcef9354fa9740e1f057f4a4

SHA256
432223582559f33fa999fa0b76f5b6d0a39caca823a62f23b0e830e88c239006

SHA512
08f83842a2132d5112535a46680504e74b078084cc08a4c5d0bf5190a776e9ac37e5dae131d421131add9f5894ebc11df6621425bfd05d193365421157a5ada2

Download Submit
C:\Windows\{2932C126-1697-47c5-BAB4-0CB66E296576}.exe

Filesize
168KB

MD5
be5d8b5e65292e3a20f6944231e21eac

SHA1
f30741f10850304fbcef9354fa9740e1f057f4a4

SHA256
432223582559f33fa999fa0b76f5b6d0a39caca823a62f23b0e830e88c239006

SHA512
08f83842a2132d5112535a46680504e74b078084cc08a4c5d0bf5190a776e9ac37e5dae131d421131add9f5894ebc11df6621425bfd05d193365421157a5ada2

Download Submit
C:\Windows\{2A41F2D3-361A-4d0c-9AB6-112BB1D0C995}.exe

Filesize
168KB

MD5
573c4728ad56c0a149a060f1f5d97908

SHA1
ed59c520882d99d8e9879f52de053a266e40adba

SHA256
93e23f74981f22051daed5e62953e9f0ea2e81ad6766ab04187383986a7fd7ba

SHA512
a6411feeb231f6162dadf40dac65e14cd4c7d3382b32c4cddb35e63546bdcede3983745f7d59a40fd932f0cb059fa79975e92e90da2baa6ed25e16f00ea6fb3b

Download Submit
C:\Windows\{2A41F2D3-361A-4d0c-9AB6-112BB1D0C995}.exe

Filesize
168KB

MD5
573c4728ad56c0a149a060f1f5d97908

SHA1
ed59c520882d99d8e9879f52de053a266e40adba

SHA256
93e23f74981f22051daed5e62953e9f0ea2e81ad6766ab04187383986a7fd7ba

SHA512
a6411feeb231f6162dadf40dac65e14cd4c7d3382b32c4cddb35e63546bdcede3983745f7d59a40fd932f0cb059fa79975e92e90da2baa6ed25e16f00ea6fb3b

Download Submit
C:\Windows\{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe

Filesize
168KB

MD5
b915c0b41762f29d6b6a2d85ec5b38b5

SHA1
dbd74f39275d5bc6ad06fdd83ec8113a94a4ee02

SHA256
c3f602c1e1107ece02abc17e85cccadb29e72e2e5d9ba7ea5ed3c6701de07c0f

SHA512
93be49ac75fb39dfc5075301d9398fba3c930fb08ed9a53b53273b989d2139136b1672487e95a3014fcb1131c039a2562a056cf5f34e4b247cb1786802f2e7c5

Download Submit
C:\Windows\{2F8A298A-A8D3-4bfe-A7B7-E851B69B9623}.exe

Filesize
168KB

MD5
b915c0b41762f29d6b6a2d85ec5b38b5

SHA1
dbd74f39275d5bc6ad06fdd83ec8113a94a4ee02

SHA256
c3f602c1e1107ece02abc17e85cccadb29e72e2e5d9ba7ea5ed3c6701de07c0f

SHA512
93be49ac75fb39dfc5075301d9398fba3c930fb08ed9a53b53273b989d2139136b1672487e95a3014fcb1131c039a2562a056cf5f34e4b247cb1786802f2e7c5

Download Submit
C:\Windows\{4E288BD3-6762-4001-9C83-C15007384F99}.exe

Filesize
168KB

MD5
ce83905687ebb7994c5ac58871d12c71

SHA1
1ffc52dfb929c04b81f1b4285c1e47df59b090d1

SHA256
d02dd36c67c32633a244bd60344d001f2d4a5de8e41fd41c15bc7877fa0f1fe4

SHA512
1b384b0eea122b6e9dffd73ea0b699f44baf627c1f86f8aa471fb8a4352d2901c73ccef5bcafc640b0fad48fb4dfa0ef9c78aab512634c99980c251f01958c6d

Download Submit
C:\Windows\{4E288BD3-6762-4001-9C83-C15007384F99}.exe

Filesize
168KB

MD5
ce83905687ebb7994c5ac58871d12c71

SHA1
1ffc52dfb929c04b81f1b4285c1e47df59b090d1

SHA256
d02dd36c67c32633a244bd60344d001f2d4a5de8e41fd41c15bc7877fa0f1fe4

SHA512
1b384b0eea122b6e9dffd73ea0b699f44baf627c1f86f8aa471fb8a4352d2901c73ccef5bcafc640b0fad48fb4dfa0ef9c78aab512634c99980c251f01958c6d

Download Submit
C:\Windows\{4E288BD3-6762-4001-9C83-C15007384F99}.exe

Filesize
168KB

MD5
ce83905687ebb7994c5ac58871d12c71

SHA1
1ffc52dfb929c04b81f1b4285c1e47df59b090d1

SHA256
d02dd36c67c32633a244bd60344d001f2d4a5de8e41fd41c15bc7877fa0f1fe4

SHA512
1b384b0eea122b6e9dffd73ea0b699f44baf627c1f86f8aa471fb8a4352d2901c73ccef5bcafc640b0fad48fb4dfa0ef9c78aab512634c99980c251f01958c6d

Download Submit
C:\Windows\{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe

Filesize
168KB

MD5
40fa823070a85c17b5f02669a5bd865e

SHA1
df2b80cac497e5f0a80061e1829e279d005cac1b

SHA256
4d40e5c1f98956db7b7c37c2175096690a3f77fbf32a87543c2c4290f01cfd41

SHA512
02d38bdb58756066de13ce0ef366dd393651633215d90a88fb28ec78072f2314836556eb6e65765ad0ea13f30146de22a7ecf607d4649f729d8e0be14c56d89e

Download Submit
C:\Windows\{62D8288B-D55A-4ab5-A6F9-B3F05366300D}.exe

Filesize
168KB

MD5
40fa823070a85c17b5f02669a5bd865e

SHA1
df2b80cac497e5f0a80061e1829e279d005cac1b

SHA256
4d40e5c1f98956db7b7c37c2175096690a3f77fbf32a87543c2c4290f01cfd41

SHA512
02d38bdb58756066de13ce0ef366dd393651633215d90a88fb28ec78072f2314836556eb6e65765ad0ea13f30146de22a7ecf607d4649f729d8e0be14c56d89e

Download Submit
C:\Windows\{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe

Filesize
168KB

MD5
dd41a56d04bbbd2accd735274069ee79

SHA1
b7ee959a4a7de2a4ece05fda7baf44958e48ad62

SHA256
6410c90589f6dcd73b85881f005b43b40745b87af23a6216b0ebaab5fcf02f60

SHA512
208c07fdb4d314ca38fb5b7cc4a57ae216616fb65e6544e7e656bd26d8fb54ee6488adccb5824119e9a15b756fba514b70ebf73c839d19f3675ffbf71baa1428

Download Submit
C:\Windows\{AD388AD0-4E21-4035-A232-4DA15FB57BD0}.exe

Filesize
168KB

MD5
dd41a56d04bbbd2accd735274069ee79

SHA1
b7ee959a4a7de2a4ece05fda7baf44958e48ad62

SHA256
6410c90589f6dcd73b85881f005b43b40745b87af23a6216b0ebaab5fcf02f60

SHA512
208c07fdb4d314ca38fb5b7cc4a57ae216616fb65e6544e7e656bd26d8fb54ee6488adccb5824119e9a15b756fba514b70ebf73c839d19f3675ffbf71baa1428

Download Submit
C:\Windows\{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe

Filesize
168KB

MD5
4505f3dbda31303eda21d13cb96bf0d3

SHA1
695ea26410d7902a7683d1d62df840e1d6fcb987

SHA256
1388c0bf1363a293e5e68f0f3c4c88947943a608f69a35df9910287548ab84ab

SHA512
c2c3d0958190e98f66c6efeadf98fff72e265339d919ab379255993d33e8f090a2a52287a3008a3b6aa14f5cbb843650f501cc6e524825b9198dc0ba90b51984

Download Submit
C:\Windows\{CB02CEDD-81EB-4a25-8131-081F3A0CB321}.exe

Filesize
168KB

MD5
4505f3dbda31303eda21d13cb96bf0d3

SHA1
695ea26410d7902a7683d1d62df840e1d6fcb987

SHA256
1388c0bf1363a293e5e68f0f3c4c88947943a608f69a35df9910287548ab84ab

SHA512
c2c3d0958190e98f66c6efeadf98fff72e265339d919ab379255993d33e8f090a2a52287a3008a3b6aa14f5cbb843650f501cc6e524825b9198dc0ba90b51984

Download Submit
C:\Windows\{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe

Filesize
168KB

MD5
a10c125afc8bdfa83d9a31d96f2e1fff

SHA1
e90c39c7aa54706c4dafb0e1b87d41763fef14c1

SHA256
d4c6a44aae4ae716565278d659a583d68652ba1861d14db80ac4f37d4256e90c

SHA512
22e793e119f7c5f31435829a692b5c584df019e768156cdc85cd9a658f091d7e4b74eb6b27c8b606b5c6382bd3607ed9d8fc32acd303445259a7688f18a6ce7b

Download Submit
C:\Windows\{DCA98089-CF16-498a-BDE5-9E49045A2125}.exe

Filesize
168KB

MD5
a10c125afc8bdfa83d9a31d96f2e1fff

SHA1
e90c39c7aa54706c4dafb0e1b87d41763fef14c1

SHA256
d4c6a44aae4ae716565278d659a583d68652ba1861d14db80ac4f37d4256e90c

SHA512
22e793e119f7c5f31435829a692b5c584df019e768156cdc85cd9a658f091d7e4b74eb6b27c8b606b5c6382bd3607ed9d8fc32acd303445259a7688f18a6ce7b

Download Submit
C:\Windows\{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe

Filesize
168KB

MD5
fa2b0779d0fbf2ed144619989519759b

SHA1
08b878162f1f3a4a34d28351ae20f3702cd75697

SHA256
bd0f4a7e20263d6093cd1433f32b80f3343aabc5d519df97710b2f2f75e39f02

SHA512
9415cceb6ce57643c7e45728f5129f1da152ba611f638f4fd0325d311622ad1b5ba22868cd24f2e8c169fd574c5c6080c52cff91a3ce54cef977176e856b53d3

Download Submit
C:\Windows\{DE3D6EE5-7720-4fd6-B19D-1A9A37A1A566}.exe

Filesize
168KB

MD5
fa2b0779d0fbf2ed144619989519759b

SHA1
08b878162f1f3a4a34d28351ae20f3702cd75697

SHA256
bd0f4a7e20263d6093cd1433f32b80f3343aabc5d519df97710b2f2f75e39f02

SHA512
9415cceb6ce57643c7e45728f5129f1da152ba611f638f4fd0325d311622ad1b5ba22868cd24f2e8c169fd574c5c6080c52cff91a3ce54cef977176e856b53d3

Download Submit
C:\Windows\{DF8BADF6-5334-474f-9582-02048B6540D4}.exe

Filesize
168KB

MD5
0645e404f4f4c51efb79d96811e7dca2

SHA1
eb8fb91ed4f9a22989159c7fc7e4da803cde847f

SHA256
794669764d6e4cd3f42ba2dd2b1ccae6049a01a0e2d0dcc7d6c02d3502a5afb7

SHA512
d10472c9683c47b7fd31d057c4809155230f222d9f0b131a771592b5eeaad615e5103a2c506a352f045f12bfd1f0c1f51e620439a4ab75e67dd25e915393fd48

Download Submit
C:\Windows\{DF8BADF6-5334-474f-9582-02048B6540D4}.exe

Filesize
168KB

MD5
0645e404f4f4c51efb79d96811e7dca2

SHA1
eb8fb91ed4f9a22989159c7fc7e4da803cde847f

SHA256
794669764d6e4cd3f42ba2dd2b1ccae6049a01a0e2d0dcc7d6c02d3502a5afb7

SHA512
d10472c9683c47b7fd31d057c4809155230f222d9f0b131a771592b5eeaad615e5103a2c506a352f045f12bfd1f0c1f51e620439a4ab75e67dd25e915393fd48

Download Submit
C:\Windows\{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe

Filesize
168KB

MD5
2bf7cf6a81653d63cf811286a53b5786

SHA1
e0fa152d3a0084dabf65c70e69ba6f2df82f6b0d

SHA256
7a8f5dd15bc0b38d3ac0b9c95c03b55c65d71ca9d573931c36ae7b6d174da496

SHA512
8f5290d472e011d5c864c8d64a4485f4c8c03f6afd0220b5ac926285c1edff84df89b5541931ea266e583fa12b7a8c79587723b4b49b978ac29390afa37ec0e6

Download Submit
C:\Windows\{F1E1CACE-F993-4a83-BDD9-B911232A3F40}.exe

Filesize
168KB

MD5
2bf7cf6a81653d63cf811286a53b5786

SHA1
e0fa152d3a0084dabf65c70e69ba6f2df82f6b0d

SHA256
7a8f5dd15bc0b38d3ac0b9c95c03b55c65d71ca9d573931c36ae7b6d174da496

SHA512
8f5290d472e011d5c864c8d64a4485f4c8c03f6afd0220b5ac926285c1edff84df89b5541931ea266e583fa12b7a8c79587723b4b49b978ac29390afa37ec0e6

Download Submit