e744cfc438529ab2da6a88ce28786d0e5a1ed373e35d61912823de2562eb376e

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83ed375ab53b3f_JC.exe
Size

372KB
MD5

83ed375ab53b3f62ea77103bdd7758ae
SHA1

1ec42cfbf85d2c3bf6c46319bb6468684b1108fd
SHA256

e744cfc438529ab2da6a88ce28786d0e5a1ed373e35d61912823de2562eb376e
SHA512

e165c27c9fecb31f5af7d64f127082c901560c118c847e2a9823786b06d19e1bde10ac316af4da50ad90d4b6a4b881c388bbf5b7ce9b3d912f5eaf2cd06d335f
SSDEEP

3072:CEGh0oOmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGhl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27DFA345-87BC-4ec7-9D49-7252E052AF3F}\stubpath = "C:\\Windows\\{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe"	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05283644-2D84-4a9a-9685-F422B1FC8FC5}	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{05283644-2D84-4a9a-9685-F422B1FC8FC5}\stubpath = "C:\\Windows\\{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe"	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEB03A87-57F5-4f32-83C1-1844D85EF26E}\stubpath = "C:\\Windows\\{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe"	{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5360FC80-06C6-4729-BA70-114736A1BA95}	83ed375ab53b3f_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1712DF9B-8309-4236-8D10-FC17B796CEF7}\stubpath = "C:\\Windows\\{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe"	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46A2CDE7-C229-43fa-BC26-1492E1811A48}	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C7B178E-B118-4415-BB95-7B1E4A641441}\stubpath = "C:\\Windows\\{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe"	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEB03A87-57F5-4f32-83C1-1844D85EF26E}	{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5360FC80-06C6-4729-BA70-114736A1BA95}\stubpath = "C:\\Windows\\{5360FC80-06C6-4729-BA70-114736A1BA95}.exe"	83ed375ab53b3f_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46A2CDE7-C229-43fa-BC26-1492E1811A48}\stubpath = "C:\\Windows\\{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe"	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{27DFA345-87BC-4ec7-9D49-7252E052AF3F}	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD47AB76-5269-40f1-9710-D872F58A1598}\stubpath = "C:\\Windows\\{AD47AB76-5269-40f1-9710-D872F58A1598}.exe"	{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9635CD4-493E-4959-9130-AB90E85A82FF}	{AD47AB76-5269-40f1-9710-D872F58A1598}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1712DF9B-8309-4236-8D10-FC17B796CEF7}	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}\stubpath = "C:\\Windows\\{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe"	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C7B178E-B118-4415-BB95-7B1E4A641441}	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA5392E4-0345-4da5-B455-8C67D06A7C22}	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BA5392E4-0345-4da5-B455-8C67D06A7C22}\stubpath = "C:\\Windows\\{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe"	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD47AB76-5269-40f1-9710-D872F58A1598}	{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E9635CD4-493E-4959-9130-AB90E85A82FF}\stubpath = "C:\\Windows\\{E9635CD4-493E-4959-9130-AB90E85A82FF}.exe"	{AD47AB76-5269-40f1-9710-D872F58A1598}.exe

Deletes itself 1 IoCs

pid	Process
2808	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2792	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe
2948	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe
2720	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe
2692	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe
2044	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe
528	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe
1388	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe
1624	{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe
2768	{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe
840	{AD47AB76-5269-40f1-9710-D872F58A1598}.exe
684	{E9635CD4-493E-4959-9130-AB90E85A82FF}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe
File created	C:\Windows\{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe
File created	C:\Windows\{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe
File created	C:\Windows\{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe
File created	C:\Windows\{AD47AB76-5269-40f1-9710-D872F58A1598}.exe	{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe
File created	C:\Windows\{E9635CD4-493E-4959-9130-AB90E85A82FF}.exe	{AD47AB76-5269-40f1-9710-D872F58A1598}.exe
File created	C:\Windows\{5360FC80-06C6-4729-BA70-114736A1BA95}.exe	83ed375ab53b3f_JC.exe
File created	C:\Windows\{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe
File created	C:\Windows\{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe
File created	C:\Windows\{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe
File created	C:\Windows\{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe	{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2644	83ed375ab53b3f_JC.exe
Token: SeIncBasePriorityPrivilege	2792	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe
Token: SeIncBasePriorityPrivilege	2948	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe
Token: SeIncBasePriorityPrivilege	2720	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe
Token: SeIncBasePriorityPrivilege	2692	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe
Token: SeIncBasePriorityPrivilege	2044	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe
Token: SeIncBasePriorityPrivilege	528	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe
Token: SeIncBasePriorityPrivilege	1388	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe
Token: SeIncBasePriorityPrivilege	1624	{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe
Token: SeIncBasePriorityPrivilege	2768	{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe
Token: SeIncBasePriorityPrivilege	840	{AD47AB76-5269-40f1-9710-D872F58A1598}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2792	2644	83ed375ab53b3f_JC.exe	28
PID 2644 wrote to memory of 2792	2644	83ed375ab53b3f_JC.exe	28
PID 2644 wrote to memory of 2792	2644	83ed375ab53b3f_JC.exe	28
PID 2644 wrote to memory of 2792	2644	83ed375ab53b3f_JC.exe	28
PID 2644 wrote to memory of 2808	2644	83ed375ab53b3f_JC.exe	29
PID 2644 wrote to memory of 2808	2644	83ed375ab53b3f_JC.exe	29
PID 2644 wrote to memory of 2808	2644	83ed375ab53b3f_JC.exe	29
PID 2644 wrote to memory of 2808	2644	83ed375ab53b3f_JC.exe	29
PID 2792 wrote to memory of 2948	2792	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe	30
PID 2792 wrote to memory of 2948	2792	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe	30
PID 2792 wrote to memory of 2948	2792	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe	30
PID 2792 wrote to memory of 2948	2792	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe	30
PID 2792 wrote to memory of 2856	2792	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe	31
PID 2792 wrote to memory of 2856	2792	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe	31
PID 2792 wrote to memory of 2856	2792	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe	31
PID 2792 wrote to memory of 2856	2792	{5360FC80-06C6-4729-BA70-114736A1BA95}.exe	31
PID 2948 wrote to memory of 2720	2948	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe	35
PID 2948 wrote to memory of 2720	2948	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe	35
PID 2948 wrote to memory of 2720	2948	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe	35
PID 2948 wrote to memory of 2720	2948	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe	35
PID 2948 wrote to memory of 2752	2948	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe	34
PID 2948 wrote to memory of 2752	2948	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe	34
PID 2948 wrote to memory of 2752	2948	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe	34
PID 2948 wrote to memory of 2752	2948	{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe	34
PID 2720 wrote to memory of 2692	2720	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe	36
PID 2720 wrote to memory of 2692	2720	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe	36
PID 2720 wrote to memory of 2692	2720	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe	36
PID 2720 wrote to memory of 2692	2720	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe	36
PID 2720 wrote to memory of 2756	2720	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe	37
PID 2720 wrote to memory of 2756	2720	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe	37
PID 2720 wrote to memory of 2756	2720	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe	37
PID 2720 wrote to memory of 2756	2720	{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe	37
PID 2692 wrote to memory of 2044	2692	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe	38
PID 2692 wrote to memory of 2044	2692	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe	38
PID 2692 wrote to memory of 2044	2692	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe	38
PID 2692 wrote to memory of 2044	2692	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe	38
PID 2692 wrote to memory of 1440	2692	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe	39
PID 2692 wrote to memory of 1440	2692	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe	39
PID 2692 wrote to memory of 1440	2692	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe	39
PID 2692 wrote to memory of 1440	2692	{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe	39
PID 2044 wrote to memory of 528	2044	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe	40
PID 2044 wrote to memory of 528	2044	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe	40
PID 2044 wrote to memory of 528	2044	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe	40
PID 2044 wrote to memory of 528	2044	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe	40
PID 2044 wrote to memory of 564	2044	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe	41
PID 2044 wrote to memory of 564	2044	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe	41
PID 2044 wrote to memory of 564	2044	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe	41
PID 2044 wrote to memory of 564	2044	{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe	41
PID 528 wrote to memory of 1388	528	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe	42
PID 528 wrote to memory of 1388	528	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe	42
PID 528 wrote to memory of 1388	528	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe	42
PID 528 wrote to memory of 1388	528	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe	42
PID 528 wrote to memory of 1960	528	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe	43
PID 528 wrote to memory of 1960	528	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe	43
PID 528 wrote to memory of 1960	528	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe	43
PID 528 wrote to memory of 1960	528	{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe	43
PID 1388 wrote to memory of 1624	1388	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe	44
PID 1388 wrote to memory of 1624	1388	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe	44
PID 1388 wrote to memory of 1624	1388	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe	44
PID 1388 wrote to memory of 1624	1388	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe	44
PID 1388 wrote to memory of 532	1388	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe	45
PID 1388 wrote to memory of 532	1388	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe	45
PID 1388 wrote to memory of 532	1388	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe	45
PID 1388 wrote to memory of 532	1388	{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe	45

C:\Users\Admin\AppData\Local\Temp\83ed375ab53b3f_JC.exe
"C:\Users\Admin\AppData\Local\Temp\83ed375ab53b3f_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\{5360FC80-06C6-4729-BA70-114736A1BA95}.exe
  C:\Windows\{5360FC80-06C6-4729-BA70-114736A1BA95}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe
    C:\Windows\{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1712D~1.EXE > nul
      4⤵
      PID:2752
  - - C:\Windows\{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe
      C:\Windows\{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2720
    - - C:\Windows\{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe
        
        C:\Windows\{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
      - C:\Windows\{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe
        
        C:\Windows\{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe
        
        C:\Windows\{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:528
        
        C:\Windows\{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe
        
        C:\Windows\{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe
        
        C:\Windows\{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe
        
        C:\Windows\{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEB03~1.EXE > nul
        11⤵
        
        PID:1996
        
        C:\Windows\{AD47AB76-5269-40f1-9710-D872F58A1598}.exe
        
        C:\Windows\{AD47AB76-5269-40f1-9710-D872F58A1598}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\{E9635CD4-493E-4959-9130-AB90E85A82FF}.exe
        
        C:\Windows\{E9635CD4-493E-4959-9130-AB90E85A82FF}.exe
        12⤵
        Executes dropped EXE
        
        PID:684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD47A~1.EXE > nul
        12⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA539~1.EXE > nul
        10⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{05283~1.EXE > nul
        9⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{27DFA~1.EXE > nul
        8⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C7B1~1.EXE > nul
        7⤵
        
        PID:564
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{46A2C~1.EXE > nul
        6⤵
        
        PID:1440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F12E~1.EXE > nul
        5⤵
        
        PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5360F~1.EXE > nul
    3⤵
    PID:2856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\83ED37~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe

Filesize
372KB

MD5
99ea823e4da9b3f1452f5c8768775ba6

SHA1
4a1043e04db9daca398a41aa6c5d994d6fed906b

SHA256
72381a0d7434706dece986dadb010570531ca8e4050959796bc43e97a6bd6910

SHA512
a85ae14a90fb7fc74c801dc6d83d6174e00d65a921cd654795ac35ba6dd34bf88075b5247529ebb97a9a68ec6c2837ee1296c485f125b87a6b01f371323506fb

Download Submit
C:\Windows\{05283644-2D84-4a9a-9685-F422B1FC8FC5}.exe

Filesize
372KB

MD5
99ea823e4da9b3f1452f5c8768775ba6

SHA1
4a1043e04db9daca398a41aa6c5d994d6fed906b

SHA256
72381a0d7434706dece986dadb010570531ca8e4050959796bc43e97a6bd6910

SHA512
a85ae14a90fb7fc74c801dc6d83d6174e00d65a921cd654795ac35ba6dd34bf88075b5247529ebb97a9a68ec6c2837ee1296c485f125b87a6b01f371323506fb

Download Submit
C:\Windows\{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe

Filesize
372KB

MD5
02b8ce417db518008238d87ba3eb6f87

SHA1
f84220e1249fe2f2b112a2968a1c66523ad21001

SHA256
f44a4e0162d70a1fceaefb8f0d0ca006d67cc03cc348701132ba77014baaa8b0

SHA512
8f33bf61da20f9fa5dad7cc3b969a56b566a46951963ea510edc6870036e5cb0183d89e987718a808e1cdf8ba94612daef8269c5685c8b09af9c1b3a65542331

Download Submit
C:\Windows\{1712DF9B-8309-4236-8D10-FC17B796CEF7}.exe

Filesize
372KB

MD5
02b8ce417db518008238d87ba3eb6f87

SHA1
f84220e1249fe2f2b112a2968a1c66523ad21001

SHA256
f44a4e0162d70a1fceaefb8f0d0ca006d67cc03cc348701132ba77014baaa8b0

SHA512
8f33bf61da20f9fa5dad7cc3b969a56b566a46951963ea510edc6870036e5cb0183d89e987718a808e1cdf8ba94612daef8269c5685c8b09af9c1b3a65542331

Download Submit
C:\Windows\{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe

Filesize
372KB

MD5
2b3c77e0619332ed2ffe32cef6b6407c

SHA1
c6f50ea424977b60b7af279300e18da83d021d9a

SHA256
8c732da43dd92b33248d56e914ebc29f60c495e6d6f24eb135d03da9db48b16e

SHA512
494b76361705c567d3b17f995e67356f5f2ec372b5b530cb39adc7a915b1cd1896f87155a22a52fb19afe9a89287a3f68a3c22554c38a658470befec2dd8e5f2

Download Submit
C:\Windows\{1C7B178E-B118-4415-BB95-7B1E4A641441}.exe

Filesize
372KB

MD5
2b3c77e0619332ed2ffe32cef6b6407c

SHA1
c6f50ea424977b60b7af279300e18da83d021d9a

SHA256
8c732da43dd92b33248d56e914ebc29f60c495e6d6f24eb135d03da9db48b16e

SHA512
494b76361705c567d3b17f995e67356f5f2ec372b5b530cb39adc7a915b1cd1896f87155a22a52fb19afe9a89287a3f68a3c22554c38a658470befec2dd8e5f2

Download Submit
C:\Windows\{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe

Filesize
372KB

MD5
401a26fd970c022061034edb5a591cfa

SHA1
c180c11711b4514ef751b499f504fdbf3804e0e3

SHA256
f6ca2804eb7ee33f6393cac91a3a86e62f9fe47805bda893c10b5be9f7d9877e

SHA512
20404c7cb8d13d04eb801f2835c83e42db74a228b2eb3343172ff2263fc3aa037fd87245ce79e6374c5767dad5601dfb824ea163c2a36c5d58158fc458c20560

Download Submit
C:\Windows\{27DFA345-87BC-4ec7-9D49-7252E052AF3F}.exe

Filesize
372KB

MD5
401a26fd970c022061034edb5a591cfa

SHA1
c180c11711b4514ef751b499f504fdbf3804e0e3

SHA256
f6ca2804eb7ee33f6393cac91a3a86e62f9fe47805bda893c10b5be9f7d9877e

SHA512
20404c7cb8d13d04eb801f2835c83e42db74a228b2eb3343172ff2263fc3aa037fd87245ce79e6374c5767dad5601dfb824ea163c2a36c5d58158fc458c20560

Download Submit
C:\Windows\{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe

Filesize
372KB

MD5
f458566076d5197e87b8856ae6ee4939

SHA1
e7fcbaec8cfc7b9c023c2335dbb830c74d4d2a04

SHA256
dd3bd664f255f997557d032e98f05bfd06e0a01cfaf032cc7a34bab7f08dab44

SHA512
83cf32d4c9bd5fb0ad5b845daa92f120e424dfacfa894e12eeba876a9d7821c733e4eddde31e29f1bbd7fc7305ff0ceeda8fb55d51c9a06e2e063c159d683c60

Download Submit
C:\Windows\{46A2CDE7-C229-43fa-BC26-1492E1811A48}.exe

Filesize
372KB

MD5
f458566076d5197e87b8856ae6ee4939

SHA1
e7fcbaec8cfc7b9c023c2335dbb830c74d4d2a04

SHA256
dd3bd664f255f997557d032e98f05bfd06e0a01cfaf032cc7a34bab7f08dab44

SHA512
83cf32d4c9bd5fb0ad5b845daa92f120e424dfacfa894e12eeba876a9d7821c733e4eddde31e29f1bbd7fc7305ff0ceeda8fb55d51c9a06e2e063c159d683c60

Download Submit
C:\Windows\{5360FC80-06C6-4729-BA70-114736A1BA95}.exe

Filesize
372KB

MD5
26503353a2cc2221298384716e7199cd

SHA1
787b6ce24bbf6e981d744c185c5c9281bebbabcb

SHA256
ea49c8b85ff728ef43543d54a8f4227a9d2e31d513d1664a95738aec06e0596b

SHA512
6af5922e5e7c092a0a8383e5a7e5a4de5f5ae80564573053fcfab3b09077116019a55606e952e45a4c138785d8a5a926ffffae1423aa75d05de83564850a88ba

Download Submit
C:\Windows\{5360FC80-06C6-4729-BA70-114736A1BA95}.exe

Filesize
372KB

MD5
26503353a2cc2221298384716e7199cd

SHA1
787b6ce24bbf6e981d744c185c5c9281bebbabcb

SHA256
ea49c8b85ff728ef43543d54a8f4227a9d2e31d513d1664a95738aec06e0596b

SHA512
6af5922e5e7c092a0a8383e5a7e5a4de5f5ae80564573053fcfab3b09077116019a55606e952e45a4c138785d8a5a926ffffae1423aa75d05de83564850a88ba

Download Submit
C:\Windows\{5360FC80-06C6-4729-BA70-114736A1BA95}.exe

Filesize
372KB

MD5
26503353a2cc2221298384716e7199cd

SHA1
787b6ce24bbf6e981d744c185c5c9281bebbabcb

SHA256
ea49c8b85ff728ef43543d54a8f4227a9d2e31d513d1664a95738aec06e0596b

SHA512
6af5922e5e7c092a0a8383e5a7e5a4de5f5ae80564573053fcfab3b09077116019a55606e952e45a4c138785d8a5a926ffffae1423aa75d05de83564850a88ba

Download Submit
C:\Windows\{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe

Filesize
372KB

MD5
4f35408903effe54b620b23966b92e7e

SHA1
bba06cc2a4438358e8daf987dbe18f66b1976751

SHA256
d6377f5717f321997ccc28cc2212f2daf964bdd50eacedfb20409c1d280beb52

SHA512
1a323f648702ff33b6b3cfad1ce447f3b8a280b477d8b667f8125d8270a8ecd00ac41f27bb64e86c16cdbf32ce29e1b14972351d88129a8ccce01300c2327aaf

Download Submit
C:\Windows\{8F12EB71-6517-424c-AEE6-560C5B3D6FAB}.exe

Filesize
372KB

MD5
4f35408903effe54b620b23966b92e7e

SHA1
bba06cc2a4438358e8daf987dbe18f66b1976751

SHA256
d6377f5717f321997ccc28cc2212f2daf964bdd50eacedfb20409c1d280beb52

SHA512
1a323f648702ff33b6b3cfad1ce447f3b8a280b477d8b667f8125d8270a8ecd00ac41f27bb64e86c16cdbf32ce29e1b14972351d88129a8ccce01300c2327aaf

Download Submit
C:\Windows\{AD47AB76-5269-40f1-9710-D872F58A1598}.exe

Filesize
372KB

MD5
4145b2fa3a2309ee9a919037b3e48e6e

SHA1
78de7228c67402d7be144a1533f09c7bdedce10f

SHA256
9c2c5d76b6ee798fd04eafdc8f3c57c096fd60d0f6fbe705c1639440f47e8c09

SHA512
d4da428c434f91f8883452c98d46f17f82b09ec48b18d70c89c8482f93d00e8d9017d82dd915dfed0740804329580296a8bcbd683186268aa4426be1b825b1ac

Download Submit
C:\Windows\{AD47AB76-5269-40f1-9710-D872F58A1598}.exe

Filesize
372KB

MD5
4145b2fa3a2309ee9a919037b3e48e6e

SHA1
78de7228c67402d7be144a1533f09c7bdedce10f

SHA256
9c2c5d76b6ee798fd04eafdc8f3c57c096fd60d0f6fbe705c1639440f47e8c09

SHA512
d4da428c434f91f8883452c98d46f17f82b09ec48b18d70c89c8482f93d00e8d9017d82dd915dfed0740804329580296a8bcbd683186268aa4426be1b825b1ac

Download Submit
C:\Windows\{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe

Filesize
372KB

MD5
b31c0da1a8243cfeb591d4827946d8ca

SHA1
8bac320402d80a659475131569bd40484c2f275e

SHA256
9d036b3fbb8f40a2e54f94ce8df06f3964a7d8b6893dbd5ae5957f5a728f98c0

SHA512
e1e7b2aae7520a531bc9a133e7d06155043d705fa401e0d2564309f4b1bac2480c394707e820557a1f1b0e076a9514b5c4aac428996003b17752175b1f017938

Download Submit
C:\Windows\{BA5392E4-0345-4da5-B455-8C67D06A7C22}.exe

Filesize
372KB

MD5
b31c0da1a8243cfeb591d4827946d8ca

SHA1
8bac320402d80a659475131569bd40484c2f275e

SHA256
9d036b3fbb8f40a2e54f94ce8df06f3964a7d8b6893dbd5ae5957f5a728f98c0

SHA512
e1e7b2aae7520a531bc9a133e7d06155043d705fa401e0d2564309f4b1bac2480c394707e820557a1f1b0e076a9514b5c4aac428996003b17752175b1f017938

Download Submit
C:\Windows\{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe

Filesize
372KB

MD5
a5cd501da3a891d4275046e2a0f9155f

SHA1
72d1992bcba31ab66ed94092aba091a4c7f7a3e1

SHA256
4872fbe59557e018132a76093778b2839eca3320b14537cd8e138a44307e0e93

SHA512
443192bb960648e7cc0d3542b16161913bbee272c85573514f34600710ddeb73e10c0520878aa2fa9f818c8571a39394590957118920a8cd75728bb238d6e9d6

Download Submit
C:\Windows\{BEB03A87-57F5-4f32-83C1-1844D85EF26E}.exe

Filesize
372KB

MD5
a5cd501da3a891d4275046e2a0f9155f

SHA1
72d1992bcba31ab66ed94092aba091a4c7f7a3e1

SHA256
4872fbe59557e018132a76093778b2839eca3320b14537cd8e138a44307e0e93

SHA512
443192bb960648e7cc0d3542b16161913bbee272c85573514f34600710ddeb73e10c0520878aa2fa9f818c8571a39394590957118920a8cd75728bb238d6e9d6

Download Submit
C:\Windows\{E9635CD4-493E-4959-9130-AB90E85A82FF}.exe

Filesize
372KB

MD5
e7431dca109d3f1257b7fa2b577f3e49

SHA1
362558380f1da13680c8de62068f5ec5c8ae7d24

SHA256
c2decdd8e89dd8f4cd79b0cf5024247b37e40c05fa7d584af2f8bfba48d042dd

SHA512
a59a4152872deff07479d8130ee9dfb984dd06c04d2b99b46f6112c375124823ee7485dcdbf15e995e28bced3c350a022de359fe350565b7d2138b52742b56fe

Download Submit