1119400bd56e20c268f43a99e8eaa3295c036d9000c9f9d46182e16d98f6450a

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
17/07/2023, 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d2515080aaa36_JC.exe
Size

168KB
MD5

9d2515080aaa3636a8d50348ac55a575
SHA1

4466f9652d324d8f7811f0e453c133d34962ea20
SHA256

1119400bd56e20c268f43a99e8eaa3295c036d9000c9f9d46182e16d98f6450a
SHA512

36807a78317f109d67616c888102d1ad59e534baac1bbfcf40b83b7f0ea78939d4349765593fc88495840f5b490b9c2c38b97ca004396c9da4a67d387e4bdc13
SSDEEP

1536:1EGh0o5lq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0o5lqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E4E279E-5AB4-45a4-8595-184E9476840C}	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0E4E279E-5AB4-45a4-8595-184E9476840C}\stubpath = "C:\\Windows\\{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe"	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FFD68E3-2214-4f53-AE4D-B1357FE03162}	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCBD110B-60AB-4c0e-8601-A90961383794}	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}	{FCBD110B-60AB-4c0e-8601-A90961383794}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}\stubpath = "C:\\Windows\\{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe"	{FCBD110B-60AB-4c0e-8601-A90961383794}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6684D93B-278A-41e6-97B9-C599FF87DB76}\stubpath = "C:\\Windows\\{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe"	9d2515080aaa36_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B81F700-3D31-4862-A326-97C45B5F9749}\stubpath = "C:\\Windows\\{0B81F700-3D31-4862-A326-97C45B5F9749}.exe"	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}\stubpath = "C:\\Windows\\{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe"	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E1BC1C2-111C-4e85-9784-E96C17738E37}\stubpath = "C:\\Windows\\{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe"	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE37DD3C-1DB9-4dbb-B03F-1EAC8BCEFE85}	{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B81F700-3D31-4862-A326-97C45B5F9749}	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{214D2F39-4DB7-4031-BE85-43523B8D56FF}\stubpath = "C:\\Windows\\{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe"	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}\stubpath = "C:\\Windows\\{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe"	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41E50A4F-E986-4593-81A7-EF63F41BA095}\stubpath = "C:\\Windows\\{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe"	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E1BC1C2-111C-4e85-9784-E96C17738E37}	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCBD110B-60AB-4c0e-8601-A90961383794}\stubpath = "C:\\Windows\\{FCBD110B-60AB-4c0e-8601-A90961383794}.exe"	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE37DD3C-1DB9-4dbb-B03F-1EAC8BCEFE85}\stubpath = "C:\\Windows\\{CE37DD3C-1DB9-4dbb-B03F-1EAC8BCEFE85}.exe"	{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6684D93B-278A-41e6-97B9-C599FF87DB76}	9d2515080aaa36_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{214D2F39-4DB7-4031-BE85-43523B8D56FF}	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41E50A4F-E986-4593-81A7-EF63F41BA095}	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FFD68E3-2214-4f53-AE4D-B1357FE03162}\stubpath = "C:\\Windows\\{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe"	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe

Executes dropped EXE 12 IoCs

pid	Process
2900	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe
552	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe
4184	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe
3992	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe
2760	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe
2988	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe
3100	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe
2516	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe
1376	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe
4932	{FCBD110B-60AB-4c0e-8601-A90961383794}.exe
3992	{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe
1220	{CE37DD3C-1DB9-4dbb-B03F-1EAC8BCEFE85}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0B81F700-3D31-4862-A326-97C45B5F9749}.exe	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe
File created	C:\Windows\{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe
File created	C:\Windows\{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe
File created	C:\Windows\{FCBD110B-60AB-4c0e-8601-A90961383794}.exe	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe
File created	C:\Windows\{CE37DD3C-1DB9-4dbb-B03F-1EAC8BCEFE85}.exe	{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe
File created	C:\Windows\{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe
File created	C:\Windows\{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe	{FCBD110B-60AB-4c0e-8601-A90961383794}.exe
File created	C:\Windows\{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe	9d2515080aaa36_JC.exe
File created	C:\Windows\{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe
File created	C:\Windows\{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe
File created	C:\Windows\{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe
File created	C:\Windows\{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2968	9d2515080aaa36_JC.exe
Token: SeIncBasePriorityPrivilege	2900	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe
Token: SeIncBasePriorityPrivilege	552	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe
Token: SeIncBasePriorityPrivilege	4184	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe
Token: SeIncBasePriorityPrivilege	3992	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe
Token: SeIncBasePriorityPrivilege	2760	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe
Token: SeIncBasePriorityPrivilege	2988	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe
Token: SeIncBasePriorityPrivilege	3100	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe
Token: SeIncBasePriorityPrivilege	2516	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe
Token: SeIncBasePriorityPrivilege	1376	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe
Token: SeIncBasePriorityPrivilege	4932	{FCBD110B-60AB-4c0e-8601-A90961383794}.exe
Token: SeIncBasePriorityPrivilege	3992	{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2900	2968	9d2515080aaa36_JC.exe	91
PID 2968 wrote to memory of 2900	2968	9d2515080aaa36_JC.exe	91
PID 2968 wrote to memory of 2900	2968	9d2515080aaa36_JC.exe	91
PID 2968 wrote to memory of 4024	2968	9d2515080aaa36_JC.exe	92
PID 2968 wrote to memory of 4024	2968	9d2515080aaa36_JC.exe	92
PID 2968 wrote to memory of 4024	2968	9d2515080aaa36_JC.exe	92
PID 2900 wrote to memory of 552	2900	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe	95
PID 2900 wrote to memory of 552	2900	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe	95
PID 2900 wrote to memory of 552	2900	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe	95
PID 2900 wrote to memory of 4644	2900	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe	96
PID 2900 wrote to memory of 4644	2900	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe	96
PID 2900 wrote to memory of 4644	2900	{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe	96
PID 552 wrote to memory of 4184	552	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe	100
PID 552 wrote to memory of 4184	552	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe	100
PID 552 wrote to memory of 4184	552	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe	100
PID 552 wrote to memory of 3972	552	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe	99
PID 552 wrote to memory of 3972	552	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe	99
PID 552 wrote to memory of 3972	552	{0B81F700-3D31-4862-A326-97C45B5F9749}.exe	99
PID 4184 wrote to memory of 3992	4184	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe	101
PID 4184 wrote to memory of 3992	4184	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe	101
PID 4184 wrote to memory of 3992	4184	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe	101
PID 4184 wrote to memory of 2312	4184	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe	102
PID 4184 wrote to memory of 2312	4184	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe	102
PID 4184 wrote to memory of 2312	4184	{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe	102
PID 3992 wrote to memory of 2760	3992	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe	103
PID 3992 wrote to memory of 2760	3992	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe	103
PID 3992 wrote to memory of 2760	3992	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe	103
PID 3992 wrote to memory of 2052	3992	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe	104
PID 3992 wrote to memory of 2052	3992	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe	104
PID 3992 wrote to memory of 2052	3992	{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe	104
PID 2760 wrote to memory of 2988	2760	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe	106
PID 2760 wrote to memory of 2988	2760	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe	106
PID 2760 wrote to memory of 2988	2760	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe	106
PID 2760 wrote to memory of 2680	2760	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe	107
PID 2760 wrote to memory of 2680	2760	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe	107
PID 2760 wrote to memory of 2680	2760	{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe	107
PID 2988 wrote to memory of 3100	2988	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe	108
PID 2988 wrote to memory of 3100	2988	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe	108
PID 2988 wrote to memory of 3100	2988	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe	108
PID 2988 wrote to memory of 4984	2988	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe	109
PID 2988 wrote to memory of 4984	2988	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe	109
PID 2988 wrote to memory of 4984	2988	{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe	109
PID 3100 wrote to memory of 2516	3100	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe	110
PID 3100 wrote to memory of 2516	3100	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe	110
PID 3100 wrote to memory of 2516	3100	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe	110
PID 3100 wrote to memory of 3240	3100	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe	111
PID 3100 wrote to memory of 3240	3100	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe	111
PID 3100 wrote to memory of 3240	3100	{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe	111
PID 2516 wrote to memory of 1376	2516	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe	119
PID 2516 wrote to memory of 1376	2516	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe	119
PID 2516 wrote to memory of 1376	2516	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe	119
PID 2516 wrote to memory of 5076	2516	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe	120
PID 2516 wrote to memory of 5076	2516	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe	120
PID 2516 wrote to memory of 5076	2516	{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe	120
PID 1376 wrote to memory of 4932	1376	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe	121
PID 1376 wrote to memory of 4932	1376	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe	121
PID 1376 wrote to memory of 4932	1376	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe	121
PID 1376 wrote to memory of 3040	1376	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe	122
PID 1376 wrote to memory of 3040	1376	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe	122
PID 1376 wrote to memory of 3040	1376	{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe	122
PID 4932 wrote to memory of 3992	4932	{FCBD110B-60AB-4c0e-8601-A90961383794}.exe	123
PID 4932 wrote to memory of 3992	4932	{FCBD110B-60AB-4c0e-8601-A90961383794}.exe	123
PID 4932 wrote to memory of 3992	4932	{FCBD110B-60AB-4c0e-8601-A90961383794}.exe	123
PID 4932 wrote to memory of 2292	4932	{FCBD110B-60AB-4c0e-8601-A90961383794}.exe	124

C:\Users\Admin\AppData\Local\Temp\9d2515080aaa36_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9d2515080aaa36_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe
  C:\Windows\{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Windows\{0B81F700-3D31-4862-A326-97C45B5F9749}.exe
    C:\Windows\{0B81F700-3D31-4862-A326-97C45B5F9749}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0B81F~1.EXE > nul
      4⤵
      PID:3972
  - - C:\Windows\{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe
      C:\Windows\{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Windows\{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe
        
        C:\Windows\{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3992
      - C:\Windows\{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe
        
        C:\Windows\{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe
        
        C:\Windows\{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe
        
        C:\Windows\{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Windows\{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe
        
        C:\Windows\{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe
        
        C:\Windows\{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Windows\{FCBD110B-60AB-4c0e-8601-A90961383794}.exe
        
        C:\Windows\{FCBD110B-60AB-4c0e-8601-A90961383794}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe
        
        C:\Windows\{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\{CE37DD3C-1DB9-4dbb-B03F-1EAC8BCEFE85}.exe
        
        C:\Windows\{CE37DD3C-1DB9-4dbb-B03F-1EAC8BCEFE85}.exe
        13⤵
        Executes dropped EXE
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71E8F~1.EXE > nul
        13⤵
        
        PID:572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCBD1~1.EXE > nul
        12⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1FFD6~1.EXE > nul
        11⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E1BC~1.EXE > nul
        10⤵
        
        PID:5076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0E4E2~1.EXE > nul
        9⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41E50~1.EXE > nul
        8⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B22C6~1.EXE > nul
        7⤵
        
        PID:2680
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFE6C~1.EXE > nul
        6⤵
        
        PID:2052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{214D2~1.EXE > nul
        5⤵
        
        PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6684D~1.EXE > nul
    3⤵
    PID:4644
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9D2515~1.EXE > nul
  2⤵
  PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B81F700-3D31-4862-A326-97C45B5F9749}.exe

Filesize
168KB

MD5
65b7aca80a38629352261069620a1420

SHA1
abb9a99ab5fcf129a00d53c66b0473102c4a1e64

SHA256
6c795f2163ab93883b55eae0347f09ebd04160154c2b4f28468141a4eb73d788

SHA512
87d2cf620c97d82c4d5305ad1c2d1922d17e7122421cfce606337cf5b70430434a949fe70eb670f17990b56381cc454de754b32ec59bffb777bd580e83082ffb

Download Submit
C:\Windows\{0B81F700-3D31-4862-A326-97C45B5F9749}.exe

Filesize
168KB

MD5
65b7aca80a38629352261069620a1420

SHA1
abb9a99ab5fcf129a00d53c66b0473102c4a1e64

SHA256
6c795f2163ab93883b55eae0347f09ebd04160154c2b4f28468141a4eb73d788

SHA512
87d2cf620c97d82c4d5305ad1c2d1922d17e7122421cfce606337cf5b70430434a949fe70eb670f17990b56381cc454de754b32ec59bffb777bd580e83082ffb

Download Submit
C:\Windows\{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe

Filesize
168KB

MD5
2d8e2f6ff39fdeb751bd3cfcdfe34491

SHA1
40b2e52aec1ae231711f2c321253878f36b64e5c

SHA256
1baef5acaf05bb2f7718fef14ff3b7915b25b0e7b972b8195225fb2928e562b1

SHA512
929e5a123873eb30c24a114397d1827b317e653acdc1677137502a48e0a74d6ffe0dab969bee0849706333cd1c51d144dbadc29b0d2898a65daab5117de3c5da

Download Submit
C:\Windows\{0E4E279E-5AB4-45a4-8595-184E9476840C}.exe

Filesize
168KB

MD5
2d8e2f6ff39fdeb751bd3cfcdfe34491

SHA1
40b2e52aec1ae231711f2c321253878f36b64e5c

SHA256
1baef5acaf05bb2f7718fef14ff3b7915b25b0e7b972b8195225fb2928e562b1

SHA512
929e5a123873eb30c24a114397d1827b317e653acdc1677137502a48e0a74d6ffe0dab969bee0849706333cd1c51d144dbadc29b0d2898a65daab5117de3c5da

Download Submit
C:\Windows\{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe

Filesize
168KB

MD5
3d2ca3b43f30a51195a8a8a8494caa14

SHA1
f3aee271e22d79bb7dabac0ee9d5f51a2e7bac3d

SHA256
78913350d345f4a0954ea4c0965d8e6942e51ba4b68c1325c00b38536d2f4138

SHA512
7dd7d921737b836baa612709d56f5e5871387fe5ec1aee2611b862d014ba53c4a05a73a143cc68560cd7cb43602db74fce6a8555c8fd678f32f41c5e25f6d39d

Download Submit
C:\Windows\{1FFD68E3-2214-4f53-AE4D-B1357FE03162}.exe

Filesize
168KB

MD5
3d2ca3b43f30a51195a8a8a8494caa14

SHA1
f3aee271e22d79bb7dabac0ee9d5f51a2e7bac3d

SHA256
78913350d345f4a0954ea4c0965d8e6942e51ba4b68c1325c00b38536d2f4138

SHA512
7dd7d921737b836baa612709d56f5e5871387fe5ec1aee2611b862d014ba53c4a05a73a143cc68560cd7cb43602db74fce6a8555c8fd678f32f41c5e25f6d39d

Download Submit
C:\Windows\{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe

Filesize
168KB

MD5
d75804df3b386c61c03984d026231e30

SHA1
bf5faba3a825c78100ba2f63ab3d81cbeaedd0f7

SHA256
81e74f9dbbd00ced6854bea9fe558e23e7d1bf288f2dfc936000c46a8ef2e67b

SHA512
f994227d2e1b1b9661242712c5eaac0de38f2322a6d38b478eb8393b4b537aacc90128b4f85fe4fc41c977127b7ee89ac1499c746176ea1398f25511eedce6e4

Download Submit
C:\Windows\{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe

Filesize
168KB

MD5
d75804df3b386c61c03984d026231e30

SHA1
bf5faba3a825c78100ba2f63ab3d81cbeaedd0f7

SHA256
81e74f9dbbd00ced6854bea9fe558e23e7d1bf288f2dfc936000c46a8ef2e67b

SHA512
f994227d2e1b1b9661242712c5eaac0de38f2322a6d38b478eb8393b4b537aacc90128b4f85fe4fc41c977127b7ee89ac1499c746176ea1398f25511eedce6e4

Download Submit
C:\Windows\{214D2F39-4DB7-4031-BE85-43523B8D56FF}.exe

Filesize
168KB

MD5
d75804df3b386c61c03984d026231e30

SHA1
bf5faba3a825c78100ba2f63ab3d81cbeaedd0f7

SHA256
81e74f9dbbd00ced6854bea9fe558e23e7d1bf288f2dfc936000c46a8ef2e67b

SHA512
f994227d2e1b1b9661242712c5eaac0de38f2322a6d38b478eb8393b4b537aacc90128b4f85fe4fc41c977127b7ee89ac1499c746176ea1398f25511eedce6e4

Download Submit
C:\Windows\{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe

Filesize
168KB

MD5
4b078e37a168df0794d377f02c8cc7c2

SHA1
000a060cd7f6679939c6e3c49eaede6d215f3f6a

SHA256
e79b36edcda8e56758716df1a7f462f8ab7dd74336ad353d9c4fadc88561bcac

SHA512
1815a7b3239219ddc48e2eddbbdc20efc535068556a0d8eff1566ef58b3e20ed5a777aa580da29dddc3af3931e66830a791051e76d18bee2e6e161c8f290b280

Download Submit
C:\Windows\{3E1BC1C2-111C-4e85-9784-E96C17738E37}.exe

Filesize
168KB

MD5
4b078e37a168df0794d377f02c8cc7c2

SHA1
000a060cd7f6679939c6e3c49eaede6d215f3f6a

SHA256
e79b36edcda8e56758716df1a7f462f8ab7dd74336ad353d9c4fadc88561bcac

SHA512
1815a7b3239219ddc48e2eddbbdc20efc535068556a0d8eff1566ef58b3e20ed5a777aa580da29dddc3af3931e66830a791051e76d18bee2e6e161c8f290b280

Download Submit
C:\Windows\{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe

Filesize
168KB

MD5
2064d8b12eeb5ed3d6c76a2fa5fc24f0

SHA1
a5457ed2fff7744db8cc16446dcc0d26d4e2d925

SHA256
85a6313bf35f1939a4a6443a796527426790464016bb8a14098ee6cd858f4143

SHA512
275033a09367d26f860df761d933709121a6512edab63c12a30a1858d12e9c06e089b615400a75b670ffb13ac379bfbefad0e8e7739192a38b0d803d66cec469

Download Submit
C:\Windows\{41E50A4F-E986-4593-81A7-EF63F41BA095}.exe

Filesize
168KB

MD5
2064d8b12eeb5ed3d6c76a2fa5fc24f0

SHA1
a5457ed2fff7744db8cc16446dcc0d26d4e2d925

SHA256
85a6313bf35f1939a4a6443a796527426790464016bb8a14098ee6cd858f4143

SHA512
275033a09367d26f860df761d933709121a6512edab63c12a30a1858d12e9c06e089b615400a75b670ffb13ac379bfbefad0e8e7739192a38b0d803d66cec469

Download Submit
C:\Windows\{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe

Filesize
168KB

MD5
88a9395b18fedc2e01993f6bdef92239

SHA1
86613d0415a1330d0cd84f94e86b8dd3c317a658

SHA256
af444fca6e64f716a0e79b64219c071c92f021494fdafb0fda1cb2b2ba3ab2ae

SHA512
e34cd6216a5fe46a23b56c845ffd62f95d012e51375850ba7f9b2c9bb8e5e9087a8a8bd57cb90af755a26207875a632bafa8e0415f239a569c5b051b8aaab0fd

Download Submit
C:\Windows\{6684D93B-278A-41e6-97B9-C599FF87DB76}.exe

Filesize
168KB

MD5
88a9395b18fedc2e01993f6bdef92239

SHA1
86613d0415a1330d0cd84f94e86b8dd3c317a658

SHA256
af444fca6e64f716a0e79b64219c071c92f021494fdafb0fda1cb2b2ba3ab2ae

SHA512
e34cd6216a5fe46a23b56c845ffd62f95d012e51375850ba7f9b2c9bb8e5e9087a8a8bd57cb90af755a26207875a632bafa8e0415f239a569c5b051b8aaab0fd

Download Submit
C:\Windows\{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe

Filesize
168KB

MD5
b5acad0b1cceca9a49287c7e33ad5d2f

SHA1
dbabb5098f000c444a93d9d50204d91f1ec94fc8

SHA256
c1a3b52dada8a6eae2015653ae9dff4724b308f2a93eec22cb3f57ace190b288

SHA512
fd0a3f34ba13d57eb31574c0560c2ec774560991f0fd2b9a489200282e95b040bc058dd28790b6d2ad2fe9f7e78db175cfe10f2144f142f61af8a8d6d0675f61

Download Submit
C:\Windows\{71E8F391-CA7C-43a9-8FEF-FB26189D6D6D}.exe

Filesize
168KB

MD5
b5acad0b1cceca9a49287c7e33ad5d2f

SHA1
dbabb5098f000c444a93d9d50204d91f1ec94fc8

SHA256
c1a3b52dada8a6eae2015653ae9dff4724b308f2a93eec22cb3f57ace190b288

SHA512
fd0a3f34ba13d57eb31574c0560c2ec774560991f0fd2b9a489200282e95b040bc058dd28790b6d2ad2fe9f7e78db175cfe10f2144f142f61af8a8d6d0675f61

Download Submit
C:\Windows\{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe

Filesize
168KB

MD5
deb9e4a583ef37758a3f01faa6d36928

SHA1
5b2d6cea81053bf7ad6848e467c0ebab66a96726

SHA256
5bd03c29eb1b5d476c8fe5162d8958bb2f809c506c2661b66364b941dd981bec

SHA512
7ab4633a272dfdc708ec8c05ab7302dfa02c6d3321eb86e03416644a438d10076bbf85b8c00817713fedd3159e03810eff0040a5ba45f791fc2cfbfc0be319c9

Download Submit
C:\Windows\{B22C64CB-C72E-4bdf-9A47-6B04BB8FE522}.exe

Filesize
168KB

MD5
deb9e4a583ef37758a3f01faa6d36928

SHA1
5b2d6cea81053bf7ad6848e467c0ebab66a96726

SHA256
5bd03c29eb1b5d476c8fe5162d8958bb2f809c506c2661b66364b941dd981bec

SHA512
7ab4633a272dfdc708ec8c05ab7302dfa02c6d3321eb86e03416644a438d10076bbf85b8c00817713fedd3159e03810eff0040a5ba45f791fc2cfbfc0be319c9

Download Submit
C:\Windows\{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe

Filesize
168KB

MD5
0748d1fe06823b0e58ab3742a50ff27a

SHA1
f14b84a38116d570496570ebb1a417c5ee20a326

SHA256
1b077bb3e36d7755115fcde426c00013e7d0a33dc2999a4283107aa68cb67175

SHA512
a88f784731b8ef825c2a87f8c91091450ce7bedbd0d2f04ae3c55f79a79ccb5e85ad0c556cc072db06c3a23026efa3d327d1eb9cd92d530ad5eaff1bb96fc35b

Download Submit
C:\Windows\{BFE6CEF5-0E0E-4d8b-B079-AC2ED0EE30A2}.exe

Filesize
168KB

MD5
0748d1fe06823b0e58ab3742a50ff27a

SHA1
f14b84a38116d570496570ebb1a417c5ee20a326

SHA256
1b077bb3e36d7755115fcde426c00013e7d0a33dc2999a4283107aa68cb67175

SHA512
a88f784731b8ef825c2a87f8c91091450ce7bedbd0d2f04ae3c55f79a79ccb5e85ad0c556cc072db06c3a23026efa3d327d1eb9cd92d530ad5eaff1bb96fc35b

Download Submit
C:\Windows\{CE37DD3C-1DB9-4dbb-B03F-1EAC8BCEFE85}.exe

Filesize
168KB

MD5
0dc437ab8a8569b40fa804394904a33f

SHA1
3b142c6905c425166cedf2300b6e45fbc10fbb00

SHA256
1a8e2b7eb22f3bb9935590aaf5b69117ef5eea33afd5aa0f451e3a8425f4e0f7

SHA512
166eb709760e390bb26c8b1c1245882c0c91daf113aeb31b1722736094498af543dac27a2fd3f67b02dbd954a06f4222e003dfd23c2b5f36f1a677a2c80cff7c

Download Submit
C:\Windows\{CE37DD3C-1DB9-4dbb-B03F-1EAC8BCEFE85}.exe

Filesize
168KB

MD5
0dc437ab8a8569b40fa804394904a33f

SHA1
3b142c6905c425166cedf2300b6e45fbc10fbb00

SHA256
1a8e2b7eb22f3bb9935590aaf5b69117ef5eea33afd5aa0f451e3a8425f4e0f7

SHA512
166eb709760e390bb26c8b1c1245882c0c91daf113aeb31b1722736094498af543dac27a2fd3f67b02dbd954a06f4222e003dfd23c2b5f36f1a677a2c80cff7c

Download Submit
C:\Windows\{FCBD110B-60AB-4c0e-8601-A90961383794}.exe

Filesize
168KB

MD5
70d95eca95db4418a17a98d10e83a62f

SHA1
ce86c9d619632e0a33684c59da86d014352d6649

SHA256
f664835866422a41daed83002daf89b46bd3b92ada0077b149967046f40aada8

SHA512
0adb65a1f31c8160ec9a966b7f8ae9648ed9560d6e10a887b969d4264a4a7dce274e31169a721d9526c0c9891a60b061ca8c93e5325cb26898d3b6ccafe264ac

Download Submit
C:\Windows\{FCBD110B-60AB-4c0e-8601-A90961383794}.exe

Filesize
168KB

MD5
70d95eca95db4418a17a98d10e83a62f

SHA1
ce86c9d619632e0a33684c59da86d014352d6649

SHA256
f664835866422a41daed83002daf89b46bd3b92ada0077b149967046f40aada8

SHA512
0adb65a1f31c8160ec9a966b7f8ae9648ed9560d6e10a887b969d4264a4a7dce274e31169a721d9526c0c9891a60b061ca8c93e5325cb26898d3b6ccafe264ac

Download Submit