b6ce3c930186db4d237692caf0c44ea8dfbdf5b8d878ef20003d03f11ac9f09c

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
14-07-2023 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22f85caee0abc6exeexe_JC.exe
Size

216KB
MD5

22f85caee0abc6015c7f22fd2cd19c1e
SHA1

3ca86b920ed78a61130fd0bf8083c1204527a8e5
SHA256

b6ce3c930186db4d237692caf0c44ea8dfbdf5b8d878ef20003d03f11ac9f09c
SHA512

abc48b6409eb986589fa4968a85d1a976e66ce11168c54577efe2876ccccae8be50b5dae55210ce65bad0e0f191b72d5a23b1d54e8687fc38355906d9f68c601
SSDEEP

3072:jEGh0oRl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGflEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}\stubpath = "C:\\Windows\\{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe"	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57B640BA-2357-43c0-B747-CC51857E4E6B}\stubpath = "C:\\Windows\\{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe"	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B59AC01C-714A-476e-9855-2B70842B2634}	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}	{B59AC01C-714A-476e-9855-2B70842B2634}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}\stubpath = "C:\\Windows\\{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe"	{B59AC01C-714A-476e-9855-2B70842B2634}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}\stubpath = "C:\\Windows\\{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe"	22f85caee0abc6exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B400DFA-DB03-46f7-AD4C-B873A5B75923}\stubpath = "C:\\Windows\\{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe"	{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B02F67F2-9471-4032-B594-6C9426B29C6B}	{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5DCBE9A-A39B-4d50-8B7B-BC4018387646}	{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31DDE2E3-380B-42cf-9026-2B06BFC45B67}\stubpath = "C:\\Windows\\{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe"	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6B400DFA-DB03-46f7-AD4C-B873A5B75923}	{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B02F67F2-9471-4032-B594-6C9426B29C6B}\stubpath = "C:\\Windows\\{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe"	{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59355112-E9A4-4f4b-9F97-0FC1A59930EC}	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{59355112-E9A4-4f4b-9F97-0FC1A59930EC}\stubpath = "C:\\Windows\\{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe"	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{31DDE2E3-380B-42cf-9026-2B06BFC45B67}	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B59AC01C-714A-476e-9855-2B70842B2634}\stubpath = "C:\\Windows\\{B59AC01C-714A-476e-9855-2B70842B2634}.exe"	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5DCBE9A-A39B-4d50-8B7B-BC4018387646}\stubpath = "C:\\Windows\\{C5DCBE9A-A39B-4d50-8B7B-BC4018387646}.exe"	{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}	22f85caee0abc6exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}\stubpath = "C:\\Windows\\{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe"	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{57B640BA-2357-43c0-B747-CC51857E4E6B}	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe

Deletes itself 1 IoCs

pid	Process
2572	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2584	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe
1608	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe
1640	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe
2940	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe
2880	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe
2736	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe
2828	{B59AC01C-714A-476e-9855-2B70842B2634}.exe
2896	{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe
2744	{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe
2408	{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe
1956	{C5DCBE9A-A39B-4d50-8B7B-BC4018387646}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe
File created	C:\Windows\{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe
File created	C:\Windows\{B59AC01C-714A-476e-9855-2B70842B2634}.exe	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe
File created	C:\Windows\{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe	{B59AC01C-714A-476e-9855-2B70842B2634}.exe
File created	C:\Windows\{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe	{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe
File created	C:\Windows\{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe	{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe
File created	C:\Windows\{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe	22f85caee0abc6exeexe_JC.exe
File created	C:\Windows\{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe
File created	C:\Windows\{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe
File created	C:\Windows\{C5DCBE9A-A39B-4d50-8B7B-BC4018387646}.exe	{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe
File created	C:\Windows\{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	22f85caee0abc6exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	2584	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe
Token: SeIncBasePriorityPrivilege	1608	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe
Token: SeIncBasePriorityPrivilege	1640	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe
Token: SeIncBasePriorityPrivilege	2940	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe
Token: SeIncBasePriorityPrivilege	2880	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe
Token: SeIncBasePriorityPrivilege	2736	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe
Token: SeIncBasePriorityPrivilege	2828	{B59AC01C-714A-476e-9855-2B70842B2634}.exe
Token: SeIncBasePriorityPrivilege	2896	{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe
Token: SeIncBasePriorityPrivilege	2744	{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe
Token: SeIncBasePriorityPrivilege	2408	{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2584	2664	22f85caee0abc6exeexe_JC.exe	28
PID 2664 wrote to memory of 2584	2664	22f85caee0abc6exeexe_JC.exe	28
PID 2664 wrote to memory of 2584	2664	22f85caee0abc6exeexe_JC.exe	28
PID 2664 wrote to memory of 2584	2664	22f85caee0abc6exeexe_JC.exe	28
PID 2664 wrote to memory of 2572	2664	22f85caee0abc6exeexe_JC.exe	29
PID 2664 wrote to memory of 2572	2664	22f85caee0abc6exeexe_JC.exe	29
PID 2664 wrote to memory of 2572	2664	22f85caee0abc6exeexe_JC.exe	29
PID 2664 wrote to memory of 2572	2664	22f85caee0abc6exeexe_JC.exe	29
PID 2584 wrote to memory of 1608	2584	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe	32
PID 2584 wrote to memory of 1608	2584	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe	32
PID 2584 wrote to memory of 1608	2584	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe	32
PID 2584 wrote to memory of 1608	2584	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe	32
PID 2584 wrote to memory of 2024	2584	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe	33
PID 2584 wrote to memory of 2024	2584	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe	33
PID 2584 wrote to memory of 2024	2584	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe	33
PID 2584 wrote to memory of 2024	2584	{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe	33
PID 1608 wrote to memory of 1640	1608	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe	34
PID 1608 wrote to memory of 1640	1608	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe	34
PID 1608 wrote to memory of 1640	1608	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe	34
PID 1608 wrote to memory of 1640	1608	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe	34
PID 1608 wrote to memory of 2464	1608	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe	35
PID 1608 wrote to memory of 2464	1608	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe	35
PID 1608 wrote to memory of 2464	1608	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe	35
PID 1608 wrote to memory of 2464	1608	{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe	35
PID 1640 wrote to memory of 2940	1640	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe	36
PID 1640 wrote to memory of 2940	1640	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe	36
PID 1640 wrote to memory of 2940	1640	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe	36
PID 1640 wrote to memory of 2940	1640	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe	36
PID 1640 wrote to memory of 2976	1640	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe	37
PID 1640 wrote to memory of 2976	1640	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe	37
PID 1640 wrote to memory of 2976	1640	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe	37
PID 1640 wrote to memory of 2976	1640	{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe	37
PID 2940 wrote to memory of 2880	2940	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe	38
PID 2940 wrote to memory of 2880	2940	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe	38
PID 2940 wrote to memory of 2880	2940	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe	38
PID 2940 wrote to memory of 2880	2940	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe	38
PID 2940 wrote to memory of 2008	2940	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe	39
PID 2940 wrote to memory of 2008	2940	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe	39
PID 2940 wrote to memory of 2008	2940	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe	39
PID 2940 wrote to memory of 2008	2940	{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe	39
PID 2880 wrote to memory of 2736	2880	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe	40
PID 2880 wrote to memory of 2736	2880	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe	40
PID 2880 wrote to memory of 2736	2880	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe	40
PID 2880 wrote to memory of 2736	2880	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe	40
PID 2880 wrote to memory of 2844	2880	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe	41
PID 2880 wrote to memory of 2844	2880	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe	41
PID 2880 wrote to memory of 2844	2880	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe	41
PID 2880 wrote to memory of 2844	2880	{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe	41
PID 2736 wrote to memory of 2828	2736	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe	42
PID 2736 wrote to memory of 2828	2736	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe	42
PID 2736 wrote to memory of 2828	2736	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe	42
PID 2736 wrote to memory of 2828	2736	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe	42
PID 2736 wrote to memory of 3068	2736	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe	43
PID 2736 wrote to memory of 3068	2736	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe	43
PID 2736 wrote to memory of 3068	2736	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe	43
PID 2736 wrote to memory of 3068	2736	{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe	43
PID 2828 wrote to memory of 2896	2828	{B59AC01C-714A-476e-9855-2B70842B2634}.exe	44
PID 2828 wrote to memory of 2896	2828	{B59AC01C-714A-476e-9855-2B70842B2634}.exe	44
PID 2828 wrote to memory of 2896	2828	{B59AC01C-714A-476e-9855-2B70842B2634}.exe	44
PID 2828 wrote to memory of 2896	2828	{B59AC01C-714A-476e-9855-2B70842B2634}.exe	44
PID 2828 wrote to memory of 2784	2828	{B59AC01C-714A-476e-9855-2B70842B2634}.exe	45
PID 2828 wrote to memory of 2784	2828	{B59AC01C-714A-476e-9855-2B70842B2634}.exe	45
PID 2828 wrote to memory of 2784	2828	{B59AC01C-714A-476e-9855-2B70842B2634}.exe	45
PID 2828 wrote to memory of 2784	2828	{B59AC01C-714A-476e-9855-2B70842B2634}.exe	45

C:\Users\Admin\AppData\Local\Temp\22f85caee0abc6exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\22f85caee0abc6exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe
  C:\Windows\{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe
    C:\Windows\{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe
      C:\Windows\{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1640
    - - C:\Windows\{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe
        
        C:\Windows\{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe
        
        C:\Windows\{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe
        
        C:\Windows\{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\{B59AC01C-714A-476e-9855-2B70842B2634}.exe
        
        C:\Windows\{B59AC01C-714A-476e-9855-2B70842B2634}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
        
        C:\Windows\{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe
        
        C:\Windows\{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe
        
        C:\Windows\{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe
        
        C:\Windows\{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B02F6~1.EXE > nul
        12⤵
        
        PID:2656
        
        C:\Windows\{C5DCBE9A-A39B-4d50-8B7B-BC4018387646}.exe
        
        C:\Windows\{C5DCBE9A-A39B-4d50-8B7B-BC4018387646}.exe
        12⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6B400~1.EXE > nul
        11⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B21D7~1.EXE > nul
        10⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B59AC~1.EXE > nul
        9⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{31DDE~1.EXE > nul
        8⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{59355~1.EXE > nul
        7⤵
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{57B64~1.EXE > nul
        6⤵
        
        PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8D3A~1.EXE > nul
        5⤵
        
        PID:2976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{11C1F~1.EXE > nul
      4⤵
      PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5E007~1.EXE > nul
    3⤵
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\22F85C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe

Filesize
216KB

MD5
824eceb60a547d2fc7b39895b899e59b

SHA1
327d255bccb29730571493ff68e11d1337a9cd3f

SHA256
35474617194dce6bc2dbb155b5087ac3a38317c82b3d91ef213d2e0f576d7e0a

SHA512
6c52ef72b89045c378c9de5695796dcc86b2d4e3d3a56a79020a37c98d1d4a7e489cfee18fd5e7a912835e47dbf54be2e76a99baa7991f99b19b383c43765699

Download Submit
C:\Windows\{11C1F7D6-ED09-43ee-90AB-6C2B909F2B24}.exe

Filesize
216KB

MD5
824eceb60a547d2fc7b39895b899e59b

SHA1
327d255bccb29730571493ff68e11d1337a9cd3f

SHA256
35474617194dce6bc2dbb155b5087ac3a38317c82b3d91ef213d2e0f576d7e0a

SHA512
6c52ef72b89045c378c9de5695796dcc86b2d4e3d3a56a79020a37c98d1d4a7e489cfee18fd5e7a912835e47dbf54be2e76a99baa7991f99b19b383c43765699

Download Submit
C:\Windows\{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe

Filesize
216KB

MD5
e98b8c166ecdee28f9197891382e5527

SHA1
c3ef233c3f4b72165f41cf38cf74dcb3e5edbfe1

SHA256
02bd00cd41a502ad08f69f5d94b11745237ee3b0da15086d1163e8a48a704b88

SHA512
c9d080e641980e8fcdba7f5d85f4bf13eaf190c98c76a203e1cf5cb071347f85236edb02edb1afe79bc906dea0695f1d73762cdf57be74f62d9d07895c3d0d84

Download Submit
C:\Windows\{31DDE2E3-380B-42cf-9026-2B06BFC45B67}.exe

Filesize
216KB

MD5
e98b8c166ecdee28f9197891382e5527

SHA1
c3ef233c3f4b72165f41cf38cf74dcb3e5edbfe1

SHA256
02bd00cd41a502ad08f69f5d94b11745237ee3b0da15086d1163e8a48a704b88

SHA512
c9d080e641980e8fcdba7f5d85f4bf13eaf190c98c76a203e1cf5cb071347f85236edb02edb1afe79bc906dea0695f1d73762cdf57be74f62d9d07895c3d0d84

Download Submit
C:\Windows\{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe

Filesize
216KB

MD5
b26102980e202460475ff452944b6f6b

SHA1
505ad8176322cc6c309e6671328ab3388ea7fd83

SHA256
4118547afe18c4a3baff9ca25b86decb6d088892c734fafb33626495f70041ab

SHA512
bf5eb6c6f9c235b1f6f65b8d4fb4869ef61c763e5a5db40d56c35cbd5904a6bb05db0b4f95e135c9f5020e7b029c1979f2639ae4e40cb548bd73f3d35ae4710c

Download Submit
C:\Windows\{57B640BA-2357-43c0-B747-CC51857E4E6B}.exe

Filesize
216KB

MD5
b26102980e202460475ff452944b6f6b

SHA1
505ad8176322cc6c309e6671328ab3388ea7fd83

SHA256
4118547afe18c4a3baff9ca25b86decb6d088892c734fafb33626495f70041ab

SHA512
bf5eb6c6f9c235b1f6f65b8d4fb4869ef61c763e5a5db40d56c35cbd5904a6bb05db0b4f95e135c9f5020e7b029c1979f2639ae4e40cb548bd73f3d35ae4710c

Download Submit
C:\Windows\{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe

Filesize
216KB

MD5
ea985becc69fff0164685860af8e3cd4

SHA1
523b56e2028c2ddcf98ad036778e151548d798d1

SHA256
7bddf9bb52afed1ab805e746083ed087e7545761a7a68addaa105c4db2b7a271

SHA512
2c55bc5d7762e63f043b833c89af540806c93216d4fcfefc2dc99c91be1a0358e752344cc05862a950875ea9e46efd27478b40044b096436439f075090773268

Download Submit
C:\Windows\{59355112-E9A4-4f4b-9F97-0FC1A59930EC}.exe

Filesize
216KB

MD5
ea985becc69fff0164685860af8e3cd4

SHA1
523b56e2028c2ddcf98ad036778e151548d798d1

SHA256
7bddf9bb52afed1ab805e746083ed087e7545761a7a68addaa105c4db2b7a271

SHA512
2c55bc5d7762e63f043b833c89af540806c93216d4fcfefc2dc99c91be1a0358e752344cc05862a950875ea9e46efd27478b40044b096436439f075090773268

Download Submit
C:\Windows\{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe

Filesize
216KB

MD5
bdfe16f2b9fb1180155b68dbea8e6d25

SHA1
582e1775b4d3187aab6a90aae3af1b9b2412e6f4

SHA256
60bd0342fcc50b4c4f8d3309669774b56c279281f59f06f8f91af5d9c70734e9

SHA512
c491f66250b2273e0773df9e89a948a724d20a3ed8eefbe4875521010c242226876dc5de0d805f66d26880d61ed385d45d285aa2d9d18e959d55221d755172ca

Download Submit
C:\Windows\{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe

Filesize
216KB

MD5
bdfe16f2b9fb1180155b68dbea8e6d25

SHA1
582e1775b4d3187aab6a90aae3af1b9b2412e6f4

SHA256
60bd0342fcc50b4c4f8d3309669774b56c279281f59f06f8f91af5d9c70734e9

SHA512
c491f66250b2273e0773df9e89a948a724d20a3ed8eefbe4875521010c242226876dc5de0d805f66d26880d61ed385d45d285aa2d9d18e959d55221d755172ca

Download Submit
C:\Windows\{5E0075D2-8B81-4b06-B8FC-8DFE5A3868BD}.exe

Filesize
216KB

MD5
bdfe16f2b9fb1180155b68dbea8e6d25

SHA1
582e1775b4d3187aab6a90aae3af1b9b2412e6f4

SHA256
60bd0342fcc50b4c4f8d3309669774b56c279281f59f06f8f91af5d9c70734e9

SHA512
c491f66250b2273e0773df9e89a948a724d20a3ed8eefbe4875521010c242226876dc5de0d805f66d26880d61ed385d45d285aa2d9d18e959d55221d755172ca

Download Submit
C:\Windows\{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe

Filesize
216KB

MD5
57fa0c93f60f2f6aa1f6538f66d61daa

SHA1
fa883ec1ecce2216431bd7952d0dc476c5303467

SHA256
c6730ff52c1a99ac38d5721045953a49d1f9c3e1d5b57ea356834ac7129e388f

SHA512
8a529f53f158140589e043a223bb783ed473336f1e944094b81fc9c4e30098a3dcc0a92fc976c0b4ab8e140bf4b8cd9a4b346b0b87aae74a2d846f3ff6d36bdb

Download Submit
C:\Windows\{6B400DFA-DB03-46f7-AD4C-B873A5B75923}.exe

Filesize
216KB

MD5
57fa0c93f60f2f6aa1f6538f66d61daa

SHA1
fa883ec1ecce2216431bd7952d0dc476c5303467

SHA256
c6730ff52c1a99ac38d5721045953a49d1f9c3e1d5b57ea356834ac7129e388f

SHA512
8a529f53f158140589e043a223bb783ed473336f1e944094b81fc9c4e30098a3dcc0a92fc976c0b4ab8e140bf4b8cd9a4b346b0b87aae74a2d846f3ff6d36bdb

Download Submit
C:\Windows\{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe

Filesize
216KB

MD5
f4c7693920671151bf7f8e37bb7f0aba

SHA1
186051a3cc088a86519a5574fa96da7bfbf27904

SHA256
6cae8d98d6ecb3d500343c800aba9c0c3f2463c5d016f4acaae4a6d8824e3051

SHA512
f735fd28a5223368dafe637a3d09e6866002f4bb8cdf9005eef7eb54c71bd82d1b9cb751045309590e5dadc69ee1198adfa75170ccf6a00637be2d95815624b1

Download Submit
C:\Windows\{B02F67F2-9471-4032-B594-6C9426B29C6B}.exe

Filesize
216KB

MD5
f4c7693920671151bf7f8e37bb7f0aba

SHA1
186051a3cc088a86519a5574fa96da7bfbf27904

SHA256
6cae8d98d6ecb3d500343c800aba9c0c3f2463c5d016f4acaae4a6d8824e3051

SHA512
f735fd28a5223368dafe637a3d09e6866002f4bb8cdf9005eef7eb54c71bd82d1b9cb751045309590e5dadc69ee1198adfa75170ccf6a00637be2d95815624b1

Download Submit
C:\Windows\{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe

Filesize
216KB

MD5
f7fa4f9aa68c2174fdba96f5cad819bb

SHA1
66d9a2470ae40f79885afca62aa19823668a4157

SHA256
9b1c0c67577629aad6756d55dc038619fe5c4126ee2c20931f7d25c3680b1b64

SHA512
f2c06a63616a32bce2ea8ff25abe9b7ba7daa5ebd226e07cd7827c380710a892b2b43eade90bbe1f540d9c96ba93a852be19ac5aac953fd1ee1212f0a3e57917

Download Submit
C:\Windows\{B21D7B98-E9DF-4da2-B9C3-5CD2B80F4EAC}.exe

Filesize
216KB

MD5
f7fa4f9aa68c2174fdba96f5cad819bb

SHA1
66d9a2470ae40f79885afca62aa19823668a4157

SHA256
9b1c0c67577629aad6756d55dc038619fe5c4126ee2c20931f7d25c3680b1b64

SHA512
f2c06a63616a32bce2ea8ff25abe9b7ba7daa5ebd226e07cd7827c380710a892b2b43eade90bbe1f540d9c96ba93a852be19ac5aac953fd1ee1212f0a3e57917

Download Submit
C:\Windows\{B59AC01C-714A-476e-9855-2B70842B2634}.exe

Filesize
216KB

MD5
5375641cc7bd6001ba26e248ae1e949d

SHA1
ea41675871e22634100636947b49ccd8b4868bcd

SHA256
50fa5f9af18e7d3def647d95a7fa1778ecc5e983b88b743dd2821fcfcd312093

SHA512
75e17ebf9cb885d207a3f20f5333e4b64e3c46ee0f5fe423f091c34f260b57ad19648bf4a1100f20cdc4b3ecdbe843f824376b14bb312be456e07ddf190a8108

Download Submit
C:\Windows\{B59AC01C-714A-476e-9855-2B70842B2634}.exe

Filesize
216KB

MD5
5375641cc7bd6001ba26e248ae1e949d

SHA1
ea41675871e22634100636947b49ccd8b4868bcd

SHA256
50fa5f9af18e7d3def647d95a7fa1778ecc5e983b88b743dd2821fcfcd312093

SHA512
75e17ebf9cb885d207a3f20f5333e4b64e3c46ee0f5fe423f091c34f260b57ad19648bf4a1100f20cdc4b3ecdbe843f824376b14bb312be456e07ddf190a8108

Download Submit
C:\Windows\{C5DCBE9A-A39B-4d50-8B7B-BC4018387646}.exe

Filesize
216KB

MD5
f0cd37c3832f95ad6e2aacf20a91f9f2

SHA1
401ec20f2a82deb08acfe17b9038839b9e08d636

SHA256
d864f8d805f3c55599a62088901bdbd329a89fdc9b888414a5cb880d84fd3e66

SHA512
e8a4f992f00b2ae18d2d17b310cecc382fa3a040cfea24070d855d313d558c23802c54430e8a7a309327eb3ceaac6993e3b42a5bce96a6c725ac32a381f5b72c

Download Submit
C:\Windows\{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe

Filesize
216KB

MD5
5df98aeaae813ad3b3e012b3f056a7de

SHA1
8144a35fcca0837e7dfbc9c828815cbe9a59dc2b

SHA256
b7d186980aebe1cffb7f3b09c39b055627b6ff24506cebd5ab0121f0b58a9347

SHA512
b55033d13c95df4855f5d2802a0d8574666cdea5a9574dd965bd07bd884cc4e34bbd0e0221e177112022a45682de3ba7af901c397423eb2cc43aa6f880a33e5c

Download Submit
C:\Windows\{E8D3AFA4-DD26-4af5-8BFA-48D4C3109696}.exe

Filesize
216KB

MD5
5df98aeaae813ad3b3e012b3f056a7de

SHA1
8144a35fcca0837e7dfbc9c828815cbe9a59dc2b

SHA256
b7d186980aebe1cffb7f3b09c39b055627b6ff24506cebd5ab0121f0b58a9347

SHA512
b55033d13c95df4855f5d2802a0d8574666cdea5a9574dd965bd07bd884cc4e34bbd0e0221e177112022a45682de3ba7af901c397423eb2cc43aa6f880a33e5c

Download Submit