b269366593e7d9015a62a989d54360d1449172092f650df2f9e74ce7ffd482bc

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
16/07/2023, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

791393ce21ee56_JC.exe
Size

216KB
MD5

791393ce21ee56da523401ce20781e96
SHA1

5a60e4008785d7e4e8f0c3e3eb6a79473d3488a9
SHA256

b269366593e7d9015a62a989d54360d1449172092f650df2f9e74ce7ffd482bc
SHA512

c1e40c19c0d68c36dda68eabcd78152c12b1e3b8e04a8814d631b81f3ef207b51ad7a6d5961a5ed473d71b98fff4441a51ad72b1547d5be873b890c8b1018a99
SSDEEP

3072:jEGh0oAl+Oso7ie+rcC4F0fJGRIS8Rfd7eQEcGcrcMUy:jEGqlEeKcAEcGy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E51C5E60-A535-4248-9887-FC580A8D18C9}	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}\stubpath = "C:\\Windows\\{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe"	{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}\stubpath = "C:\\Windows\\{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe"	{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1310B223-7F1A-48f0-AE4C-26D40253234A}	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F19DB162-C969-4cda-A26F-46C7B8B866C8}	{10815408-2AC8-4852-926A-9A38D779C07A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F19DB162-C969-4cda-A26F-46C7B8B866C8}\stubpath = "C:\\Windows\\{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe"	{10815408-2AC8-4852-926A-9A38D779C07A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}	{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E33894-3B99-4e62-9DCC-EE6510CAB18C}	{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2E33894-3B99-4e62-9DCC-EE6510CAB18C}\stubpath = "C:\\Windows\\{B2E33894-3B99-4e62-9DCC-EE6510CAB18C}.exe"	{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{380A6406-60E2-4235-94CF-8BAE957A2108}\stubpath = "C:\\Windows\\{380A6406-60E2-4235-94CF-8BAE957A2108}.exe"	791393ce21ee56_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}\stubpath = "C:\\Windows\\{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe"	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FF30261-D9AE-4b35-A156-4C53590BB213}	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9FF30261-D9AE-4b35-A156-4C53590BB213}\stubpath = "C:\\Windows\\{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe"	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}	{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10815408-2AC8-4852-926A-9A38D779C07A}\stubpath = "C:\\Windows\\{10815408-2AC8-4852-926A-9A38D779C07A}.exe"	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E51C5E60-A535-4248-9887-FC580A8D18C9}\stubpath = "C:\\Windows\\{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe"	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{380A6406-60E2-4235-94CF-8BAE957A2108}	791393ce21ee56_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1310B223-7F1A-48f0-AE4C-26D40253234A}\stubpath = "C:\\Windows\\{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe"	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{156F4DD1-30E1-425d-895C-90D7B0694C21}	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{156F4DD1-30E1-425d-895C-90D7B0694C21}\stubpath = "C:\\Windows\\{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe"	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10815408-2AC8-4852-926A-9A38D779C07A}	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe

Deletes itself 1 IoCs

pid	Process
2616	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1808	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe
2508	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe
2436	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe
2312	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe
2108	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe
2988	{10815408-2AC8-4852-926A-9A38D779C07A}.exe
2840	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe
3000	{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe
1540	{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe
2716	{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe
1660	{B2E33894-3B99-4e62-9DCC-EE6510CAB18C}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe
File created	C:\Windows\{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe	{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe
File created	C:\Windows\{380A6406-60E2-4235-94CF-8BAE957A2108}.exe	791393ce21ee56_JC.exe
File created	C:\Windows\{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe
File created	C:\Windows\{10815408-2AC8-4852-926A-9A38D779C07A}.exe	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe
File created	C:\Windows\{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe	{10815408-2AC8-4852-926A-9A38D779C07A}.exe
File created	C:\Windows\{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe
File created	C:\Windows\{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe	{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe
File created	C:\Windows\{B2E33894-3B99-4e62-9DCC-EE6510CAB18C}.exe	{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe
File created	C:\Windows\{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe
File created	C:\Windows\{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2080	791393ce21ee56_JC.exe
Token: SeIncBasePriorityPrivilege	1808	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe
Token: SeIncBasePriorityPrivilege	2508	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe
Token: SeIncBasePriorityPrivilege	2436	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe
Token: SeIncBasePriorityPrivilege	2312	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe
Token: SeIncBasePriorityPrivilege	2108	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe
Token: SeIncBasePriorityPrivilege	2988	{10815408-2AC8-4852-926A-9A38D779C07A}.exe
Token: SeIncBasePriorityPrivilege	2840	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe
Token: SeIncBasePriorityPrivilege	3000	{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe
Token: SeIncBasePriorityPrivilege	1540	{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe
Token: SeIncBasePriorityPrivilege	2716	{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 1808	2080	791393ce21ee56_JC.exe	30
PID 2080 wrote to memory of 1808	2080	791393ce21ee56_JC.exe	30
PID 2080 wrote to memory of 1808	2080	791393ce21ee56_JC.exe	30
PID 2080 wrote to memory of 1808	2080	791393ce21ee56_JC.exe	30
PID 2080 wrote to memory of 2616	2080	791393ce21ee56_JC.exe	31
PID 2080 wrote to memory of 2616	2080	791393ce21ee56_JC.exe	31
PID 2080 wrote to memory of 2616	2080	791393ce21ee56_JC.exe	31
PID 2080 wrote to memory of 2616	2080	791393ce21ee56_JC.exe	31
PID 1808 wrote to memory of 2508	1808	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe	32
PID 1808 wrote to memory of 2508	1808	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe	32
PID 1808 wrote to memory of 2508	1808	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe	32
PID 1808 wrote to memory of 2508	1808	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe	32
PID 1808 wrote to memory of 2124	1808	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe	33
PID 1808 wrote to memory of 2124	1808	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe	33
PID 1808 wrote to memory of 2124	1808	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe	33
PID 1808 wrote to memory of 2124	1808	{380A6406-60E2-4235-94CF-8BAE957A2108}.exe	33
PID 2508 wrote to memory of 2436	2508	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe	34
PID 2508 wrote to memory of 2436	2508	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe	34
PID 2508 wrote to memory of 2436	2508	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe	34
PID 2508 wrote to memory of 2436	2508	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe	34
PID 2508 wrote to memory of 2192	2508	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe	35
PID 2508 wrote to memory of 2192	2508	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe	35
PID 2508 wrote to memory of 2192	2508	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe	35
PID 2508 wrote to memory of 2192	2508	{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe	35
PID 2436 wrote to memory of 2312	2436	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe	36
PID 2436 wrote to memory of 2312	2436	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe	36
PID 2436 wrote to memory of 2312	2436	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe	36
PID 2436 wrote to memory of 2312	2436	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe	36
PID 2436 wrote to memory of 2668	2436	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe	37
PID 2436 wrote to memory of 2668	2436	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe	37
PID 2436 wrote to memory of 2668	2436	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe	37
PID 2436 wrote to memory of 2668	2436	{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe	37
PID 2312 wrote to memory of 2108	2312	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe	38
PID 2312 wrote to memory of 2108	2312	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe	38
PID 2312 wrote to memory of 2108	2312	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe	38
PID 2312 wrote to memory of 2108	2312	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe	38
PID 2312 wrote to memory of 2928	2312	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe	39
PID 2312 wrote to memory of 2928	2312	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe	39
PID 2312 wrote to memory of 2928	2312	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe	39
PID 2312 wrote to memory of 2928	2312	{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe	39
PID 2108 wrote to memory of 2988	2108	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe	40
PID 2108 wrote to memory of 2988	2108	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe	40
PID 2108 wrote to memory of 2988	2108	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe	40
PID 2108 wrote to memory of 2988	2108	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe	40
PID 2108 wrote to memory of 2852	2108	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe	41
PID 2108 wrote to memory of 2852	2108	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe	41
PID 2108 wrote to memory of 2852	2108	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe	41
PID 2108 wrote to memory of 2852	2108	{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe	41
PID 2988 wrote to memory of 2840	2988	{10815408-2AC8-4852-926A-9A38D779C07A}.exe	42
PID 2988 wrote to memory of 2840	2988	{10815408-2AC8-4852-926A-9A38D779C07A}.exe	42
PID 2988 wrote to memory of 2840	2988	{10815408-2AC8-4852-926A-9A38D779C07A}.exe	42
PID 2988 wrote to memory of 2840	2988	{10815408-2AC8-4852-926A-9A38D779C07A}.exe	42
PID 2988 wrote to memory of 2940	2988	{10815408-2AC8-4852-926A-9A38D779C07A}.exe	43
PID 2988 wrote to memory of 2940	2988	{10815408-2AC8-4852-926A-9A38D779C07A}.exe	43
PID 2988 wrote to memory of 2940	2988	{10815408-2AC8-4852-926A-9A38D779C07A}.exe	43
PID 2988 wrote to memory of 2940	2988	{10815408-2AC8-4852-926A-9A38D779C07A}.exe	43
PID 2840 wrote to memory of 3000	2840	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe	44
PID 2840 wrote to memory of 3000	2840	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe	44
PID 2840 wrote to memory of 3000	2840	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe	44
PID 2840 wrote to memory of 3000	2840	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe	44
PID 2840 wrote to memory of 1952	2840	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe	45
PID 2840 wrote to memory of 1952	2840	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe	45
PID 2840 wrote to memory of 1952	2840	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe	45
PID 2840 wrote to memory of 1952	2840	{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe	45

C:\Users\Admin\AppData\Local\Temp\791393ce21ee56_JC.exe
"C:\Users\Admin\AppData\Local\Temp\791393ce21ee56_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\{380A6406-60E2-4235-94CF-8BAE957A2108}.exe
  C:\Windows\{380A6406-60E2-4235-94CF-8BAE957A2108}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe
    C:\Windows\{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe
      C:\Windows\{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2436
    - - C:\Windows\{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe
        
        C:\Windows\{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe
        
        C:\Windows\{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\{10815408-2AC8-4852-926A-9A38D779C07A}.exe
        
        C:\Windows\{10815408-2AC8-4852-926A-9A38D779C07A}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe
        
        C:\Windows\{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe
        
        C:\Windows\{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe
        
        C:\Windows\{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe
        
        C:\Windows\{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\{B2E33894-3B99-4e62-9DCC-EE6510CAB18C}.exe
        
        C:\Windows\{B2E33894-3B99-4e62-9DCC-EE6510CAB18C}.exe
        12⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61E40~1.EXE > nul
        12⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3D2D1~1.EXE > nul
        11⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E51C5~1.EXE > nul
        10⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F19DB~1.EXE > nul
        9⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10815~1.EXE > nul
        8⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{156F4~1.EXE > nul
        7⤵
        
        PID:2852
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FF30~1.EXE > nul
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1310B~1.EXE > nul
        5⤵
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2B394~1.EXE > nul
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{380A6~1.EXE > nul
    3⤵
    PID:2124
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\791393~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10815408-2AC8-4852-926A-9A38D779C07A}.exe

Filesize
216KB

MD5
bce0628687d3512c4238a6fb3e67428f

SHA1
61190ccfe129598ead743e1ded804df0e6f9bbbd

SHA256
8dd9604e3dc1301db789a7f5fae4cb22c3162e46d4d37e14f3a8d3de4a63ab70

SHA512
22d453f85c9749d5bee699d4f119a13b2f9fe03f3f2050abc460b2bbd7e6c5a5489b7dc01d782fd85fe04094ab7eef2ca2e13fdc050b748d1806e96cb9a37139

Download Submit
C:\Windows\{10815408-2AC8-4852-926A-9A38D779C07A}.exe

Filesize
216KB

MD5
bce0628687d3512c4238a6fb3e67428f

SHA1
61190ccfe129598ead743e1ded804df0e6f9bbbd

SHA256
8dd9604e3dc1301db789a7f5fae4cb22c3162e46d4d37e14f3a8d3de4a63ab70

SHA512
22d453f85c9749d5bee699d4f119a13b2f9fe03f3f2050abc460b2bbd7e6c5a5489b7dc01d782fd85fe04094ab7eef2ca2e13fdc050b748d1806e96cb9a37139

Download Submit
C:\Windows\{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe

Filesize
216KB

MD5
c9f794fad3c7d6ff0e1802254107ec04

SHA1
b2a959db9d67b2b8000fe18a8d87a57e79a88c96

SHA256
767ce362de956df6229db50732001950b4dac733aae250cc895662a407a824a8

SHA512
1b195e86a87074764f5955dc0c88f8c1c2fcc9c172b22f9a07600ab0ec0ff939c6f599191d8d53edf16dbd23706daac4be383dc87d0cb2663ab12cedcb27d0f7

Download Submit
C:\Windows\{1310B223-7F1A-48f0-AE4C-26D40253234A}.exe

Filesize
216KB

MD5
c9f794fad3c7d6ff0e1802254107ec04

SHA1
b2a959db9d67b2b8000fe18a8d87a57e79a88c96

SHA256
767ce362de956df6229db50732001950b4dac733aae250cc895662a407a824a8

SHA512
1b195e86a87074764f5955dc0c88f8c1c2fcc9c172b22f9a07600ab0ec0ff939c6f599191d8d53edf16dbd23706daac4be383dc87d0cb2663ab12cedcb27d0f7

Download Submit
C:\Windows\{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe

Filesize
216KB

MD5
a22faecc4a04d2e743ba84355a497280

SHA1
8cb4a0010d1fcedaca56c0a59f7a57221b650dbc

SHA256
3872fab2ea612c9e682441c64cd8e5756fd5686f23719d5e248cfd53e89ccb9f

SHA512
422fe284ec4061fcde8cc0f5a2e3806af8f731bc0986c4730528158b66461c5bbb40b5ecbf0a76d42eb6f345c091eb7c2b7fb34b793414ae0adf86641cf2a85c

Download Submit
C:\Windows\{156F4DD1-30E1-425d-895C-90D7B0694C21}.exe

Filesize
216KB

MD5
a22faecc4a04d2e743ba84355a497280

SHA1
8cb4a0010d1fcedaca56c0a59f7a57221b650dbc

SHA256
3872fab2ea612c9e682441c64cd8e5756fd5686f23719d5e248cfd53e89ccb9f

SHA512
422fe284ec4061fcde8cc0f5a2e3806af8f731bc0986c4730528158b66461c5bbb40b5ecbf0a76d42eb6f345c091eb7c2b7fb34b793414ae0adf86641cf2a85c

Download Submit
C:\Windows\{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe

Filesize
216KB

MD5
3ab08ea3008304bf54d530458336076d

SHA1
609ea8a4ca0a338bd82d96f1d1bdd26ead546c32

SHA256
5989258768a87f0d845b8c7d6df3f8e410c558ef291deff0ee5e8bae6b82aa6b

SHA512
85eff587b90d3d442876f4f6814b1d7c4f211d0e3af7b8b66548f37dab908410611965c11b05211d5352f11ad5239eaec9c075a54e5756ddb87099ede3312969

Download Submit
C:\Windows\{2B394612-CAEA-4e37-99B2-4A5F42B6F66B}.exe

Filesize
216KB

MD5
3ab08ea3008304bf54d530458336076d

SHA1
609ea8a4ca0a338bd82d96f1d1bdd26ead546c32

SHA256
5989258768a87f0d845b8c7d6df3f8e410c558ef291deff0ee5e8bae6b82aa6b

SHA512
85eff587b90d3d442876f4f6814b1d7c4f211d0e3af7b8b66548f37dab908410611965c11b05211d5352f11ad5239eaec9c075a54e5756ddb87099ede3312969

Download Submit
C:\Windows\{380A6406-60E2-4235-94CF-8BAE957A2108}.exe

Filesize
216KB

MD5
5354bcb66bfe88312db661c487e45f34

SHA1
a4f7d0c6d01e023c102004c6b32e5d48d73274a7

SHA256
4a1fe5ed2fe837c28e35b28d0bb699e1579e894e671f2ac10fafaea540010fbc

SHA512
faf10b082c0f748a1a81a7c9b99d5da8f7450cc41db934cb9739a631a4c4dc519b6780ccb11984e312b892f8ec4b11310a079bd8482c307eedfb20cae6772815

Download Submit
C:\Windows\{380A6406-60E2-4235-94CF-8BAE957A2108}.exe

Filesize
216KB

MD5
5354bcb66bfe88312db661c487e45f34

SHA1
a4f7d0c6d01e023c102004c6b32e5d48d73274a7

SHA256
4a1fe5ed2fe837c28e35b28d0bb699e1579e894e671f2ac10fafaea540010fbc

SHA512
faf10b082c0f748a1a81a7c9b99d5da8f7450cc41db934cb9739a631a4c4dc519b6780ccb11984e312b892f8ec4b11310a079bd8482c307eedfb20cae6772815

Download Submit
C:\Windows\{380A6406-60E2-4235-94CF-8BAE957A2108}.exe

Filesize
216KB

MD5
5354bcb66bfe88312db661c487e45f34

SHA1
a4f7d0c6d01e023c102004c6b32e5d48d73274a7

SHA256
4a1fe5ed2fe837c28e35b28d0bb699e1579e894e671f2ac10fafaea540010fbc

SHA512
faf10b082c0f748a1a81a7c9b99d5da8f7450cc41db934cb9739a631a4c4dc519b6780ccb11984e312b892f8ec4b11310a079bd8482c307eedfb20cae6772815

Download Submit
C:\Windows\{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe

Filesize
216KB

MD5
20abe10399354ab8ed6007b76a180c83

SHA1
73f350547fd90e913f0ecc2dbdaf0b9decb42736

SHA256
61248d2c280b69fe488bcdfa4d1f81950871d7537d7af7fe6c6c5605fc855ad5

SHA512
e603531beb735fb6ec1e1f1c024e9f2e55b064dff581c6c8ce3231a05c1f6cd3597940a8b7851e6ff9a8e5779d03ac292f2cdfa59169d6ada6f063e83241169d

Download Submit
C:\Windows\{3D2D121E-9C32-4dfc-BB2F-8169105A08D2}.exe

Filesize
216KB

MD5
20abe10399354ab8ed6007b76a180c83

SHA1
73f350547fd90e913f0ecc2dbdaf0b9decb42736

SHA256
61248d2c280b69fe488bcdfa4d1f81950871d7537d7af7fe6c6c5605fc855ad5

SHA512
e603531beb735fb6ec1e1f1c024e9f2e55b064dff581c6c8ce3231a05c1f6cd3597940a8b7851e6ff9a8e5779d03ac292f2cdfa59169d6ada6f063e83241169d

Download Submit
C:\Windows\{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe

Filesize
216KB

MD5
229066b8f5ae47c068fe3502944ed245

SHA1
4fef623a455697fc6fc7aebaec3e9e7c2c8ee63d

SHA256
9e085b57f33d72c571e19daae3313f279738037021f4686cfe97aac27a4d8557

SHA512
f5a4a79a935ecff4e981ec95ede7bf1096983de51eae2a3fab6e205f7bf418408ab998ba62dc974d500d9a28a9580ad8ee141d90bfcfa184f7cb323661f58c79

Download Submit
C:\Windows\{61E4088F-CB65-4f84-A0E0-48A3CCCFA4C1}.exe

Filesize
216KB

MD5
229066b8f5ae47c068fe3502944ed245

SHA1
4fef623a455697fc6fc7aebaec3e9e7c2c8ee63d

SHA256
9e085b57f33d72c571e19daae3313f279738037021f4686cfe97aac27a4d8557

SHA512
f5a4a79a935ecff4e981ec95ede7bf1096983de51eae2a3fab6e205f7bf418408ab998ba62dc974d500d9a28a9580ad8ee141d90bfcfa184f7cb323661f58c79

Download Submit
C:\Windows\{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe

Filesize
216KB

MD5
01d4bfdb9c66e3f42d8d157b6709475f

SHA1
15d452c625958d3dabbda2beb6d72ffd95261387

SHA256
9d000d451a4e300182f20b0b978ed8fc2f6a59f122ec558994606aec2a9e07db

SHA512
51a378324fcbaa5a59255981bfa6b0f1978fdb212ef20a479ef580401b68576f26bb053152baae3de13eca94fe920eeae0c19270bcdcb8ab122a968ad3eb22c0

Download Submit
C:\Windows\{9FF30261-D9AE-4b35-A156-4C53590BB213}.exe

Filesize
216KB

MD5
01d4bfdb9c66e3f42d8d157b6709475f

SHA1
15d452c625958d3dabbda2beb6d72ffd95261387

SHA256
9d000d451a4e300182f20b0b978ed8fc2f6a59f122ec558994606aec2a9e07db

SHA512
51a378324fcbaa5a59255981bfa6b0f1978fdb212ef20a479ef580401b68576f26bb053152baae3de13eca94fe920eeae0c19270bcdcb8ab122a968ad3eb22c0

Download Submit
C:\Windows\{B2E33894-3B99-4e62-9DCC-EE6510CAB18C}.exe

Filesize
216KB

MD5
fdcf43e14eed735586f62ef260b6825c

SHA1
159a83ed3e71385e0afa9d5a5e6f6701143dc49d

SHA256
f9043255ef86fbe76e4ea26ca6c66af1189e370aa235bdfe88c7c6f366793d37

SHA512
9dd014dd488c02996c9767d8f95dff35db207920feac40a71138a7bc2da9a7489666cc3bc756249a05f7e6399b981e828468eee58a727d9d39d1a05ca0fbca7d

Download Submit
C:\Windows\{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe

Filesize
216KB

MD5
7afc61fb6b2cd7e4d1b05a2f28210ea7

SHA1
6bbba892aadb8890d28724351e571ff72fce784d

SHA256
8363948cdf71736163c9afb29b4b228992d1da1802ce743a355de05965e28e2a

SHA512
3b50baa3236362a79b02f01135c33d6cf66bb0afb62a8b917c6c976c70695b3ab05421d8283cfdcef8228ee4640a5d97321c54bd6f2cb091b82e4e21480ab4f5

Download Submit
C:\Windows\{E51C5E60-A535-4248-9887-FC580A8D18C9}.exe

Filesize
216KB

MD5
7afc61fb6b2cd7e4d1b05a2f28210ea7

SHA1
6bbba892aadb8890d28724351e571ff72fce784d

SHA256
8363948cdf71736163c9afb29b4b228992d1da1802ce743a355de05965e28e2a

SHA512
3b50baa3236362a79b02f01135c33d6cf66bb0afb62a8b917c6c976c70695b3ab05421d8283cfdcef8228ee4640a5d97321c54bd6f2cb091b82e4e21480ab4f5

Download Submit
C:\Windows\{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe

Filesize
216KB

MD5
e5c68989a6be560d9aaebca604c5b8e4

SHA1
eb58dd3715668960194ad31534bdf377ee630d1b

SHA256
78341b2e3031775d80595ffe566b453419049d32e448da73851e8d9773a88974

SHA512
209c32d12a21ecd95c35d4d3b1e833ddbbc78370a6f530e5f84ebbc81995550a61d54ac9bb0df6b55c61c411310f211d78fa04389f4303cd3833c93592f3e9e8

Download Submit
C:\Windows\{F19DB162-C969-4cda-A26F-46C7B8B866C8}.exe

Filesize
216KB

MD5
e5c68989a6be560d9aaebca604c5b8e4

SHA1
eb58dd3715668960194ad31534bdf377ee630d1b

SHA256
78341b2e3031775d80595ffe566b453419049d32e448da73851e8d9773a88974

SHA512
209c32d12a21ecd95c35d4d3b1e833ddbbc78370a6f530e5f84ebbc81995550a61d54ac9bb0df6b55c61c411310f211d78fa04389f4303cd3833c93592f3e9e8

Download Submit