583e90a072bb042c13e2200019fb31b751acb7a250cbecba6bc9045f1fd81fa5

Analysis

max time kernel
144s
max time network
127s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/07/2023, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e54a562bfbaa58exe_JC.exe
Size

372KB
MD5

e54a562bfbaa580621cec0282fb2ec9a
SHA1

0de7dfbf5ca1900ab17751b0ceb68069d95ed767
SHA256

583e90a072bb042c13e2200019fb31b751acb7a250cbecba6bc9045f1fd81fa5
SHA512

15b9ab577697910d5c099d95f8c04d4175f4009988dcb3e1ea0f7fc4648fab33f35540ec278c3bf4b9e91823373ebfd8387f0e7fcb3ed4b637af29091302547c
SSDEEP

3072:CEGh0oqmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGdl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}\stubpath = "C:\\Windows\\{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe"	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C29DFB4B-969E-4754-9E5A-89BA220F10A3}\stubpath = "C:\\Windows\\{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe"	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}\stubpath = "C:\\Windows\\{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe"	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88BA5B12-D37D-424a-A5BC-DE727E084C6B}	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}	{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84F41417-F617-4a54-9E39-CD653BA1259A}	e54a562bfbaa58exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECCCC758-9C89-4d71-A9E5-49D927E52518}\stubpath = "C:\\Windows\\{ECCCC758-9C89-4d71-A9E5-49D927E52518}.exe"	{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{88BA5B12-D37D-424a-A5BC-DE727E084C6B}\stubpath = "C:\\Windows\\{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe"	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}\stubpath = "C:\\Windows\\{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe"	{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF547F50-AE95-4237-8F92-6B3F22237C70}	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C29DFB4B-969E-4754-9E5A-89BA220F10A3}	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}\stubpath = "C:\\Windows\\{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe"	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74A0F2BC-4E58-4089-AF70-0565419C229C}	{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ECCCC758-9C89-4d71-A9E5-49D927E52518}	{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84F41417-F617-4a54-9E39-CD653BA1259A}\stubpath = "C:\\Windows\\{84F41417-F617-4a54-9E39-CD653BA1259A}.exe"	e54a562bfbaa58exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DF547F50-AE95-4237-8F92-6B3F22237C70}\stubpath = "C:\\Windows\\{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe"	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74A0F2BC-4E58-4089-AF70-0565419C229C}\stubpath = "C:\\Windows\\{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe"	{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}\stubpath = "C:\\Windows\\{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe"	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe

Deletes itself 1 IoCs

pid	Process
1760	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
928	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe
2308	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe
2412	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe
1348	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe
2348	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe
2972	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe
3056	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe
3052	{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe
2736	{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe
2724	{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe
2136	{ECCCC758-9C89-4d71-A9E5-49D927E52518}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe	{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe
File created	C:\Windows\{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe	{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe
File created	C:\Windows\{ECCCC758-9C89-4d71-A9E5-49D927E52518}.exe	{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe
File created	C:\Windows\{84F41417-F617-4a54-9E39-CD653BA1259A}.exe	e54a562bfbaa58exe_JC.exe
File created	C:\Windows\{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe
File created	C:\Windows\{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe
File created	C:\Windows\{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe
File created	C:\Windows\{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe
File created	C:\Windows\{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe
File created	C:\Windows\{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe
File created	C:\Windows\{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1732	e54a562bfbaa58exe_JC.exe
Token: SeIncBasePriorityPrivilege	928	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe
Token: SeIncBasePriorityPrivilege	2308	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe
Token: SeIncBasePriorityPrivilege	2412	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe
Token: SeIncBasePriorityPrivilege	1348	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe
Token: SeIncBasePriorityPrivilege	2348	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe
Token: SeIncBasePriorityPrivilege	2972	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe
Token: SeIncBasePriorityPrivilege	3056	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe
Token: SeIncBasePriorityPrivilege	3052	{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe
Token: SeIncBasePriorityPrivilege	2736	{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe
Token: SeIncBasePriorityPrivilege	2724	{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 928	1732	e54a562bfbaa58exe_JC.exe	30
PID 1732 wrote to memory of 928	1732	e54a562bfbaa58exe_JC.exe	30
PID 1732 wrote to memory of 928	1732	e54a562bfbaa58exe_JC.exe	30
PID 1732 wrote to memory of 928	1732	e54a562bfbaa58exe_JC.exe	30
PID 1732 wrote to memory of 1760	1732	e54a562bfbaa58exe_JC.exe	31
PID 1732 wrote to memory of 1760	1732	e54a562bfbaa58exe_JC.exe	31
PID 1732 wrote to memory of 1760	1732	e54a562bfbaa58exe_JC.exe	31
PID 1732 wrote to memory of 1760	1732	e54a562bfbaa58exe_JC.exe	31
PID 928 wrote to memory of 2308	928	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe	32
PID 928 wrote to memory of 2308	928	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe	32
PID 928 wrote to memory of 2308	928	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe	32
PID 928 wrote to memory of 2308	928	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe	32
PID 928 wrote to memory of 2800	928	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe	33
PID 928 wrote to memory of 2800	928	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe	33
PID 928 wrote to memory of 2800	928	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe	33
PID 928 wrote to memory of 2800	928	{84F41417-F617-4a54-9E39-CD653BA1259A}.exe	33
PID 2308 wrote to memory of 2412	2308	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe	34
PID 2308 wrote to memory of 2412	2308	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe	34
PID 2308 wrote to memory of 2412	2308	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe	34
PID 2308 wrote to memory of 2412	2308	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe	34
PID 2308 wrote to memory of 2168	2308	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe	35
PID 2308 wrote to memory of 2168	2308	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe	35
PID 2308 wrote to memory of 2168	2308	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe	35
PID 2308 wrote to memory of 2168	2308	{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe	35
PID 2412 wrote to memory of 1348	2412	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe	37
PID 2412 wrote to memory of 1348	2412	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe	37
PID 2412 wrote to memory of 1348	2412	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe	37
PID 2412 wrote to memory of 1348	2412	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe	37
PID 2412 wrote to memory of 2512	2412	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe	36
PID 2412 wrote to memory of 2512	2412	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe	36
PID 2412 wrote to memory of 2512	2412	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe	36
PID 2412 wrote to memory of 2512	2412	{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe	36
PID 1348 wrote to memory of 2348	1348	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe	39
PID 1348 wrote to memory of 2348	1348	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe	39
PID 1348 wrote to memory of 2348	1348	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe	39
PID 1348 wrote to memory of 2348	1348	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe	39
PID 1348 wrote to memory of 2880	1348	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe	38
PID 1348 wrote to memory of 2880	1348	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe	38
PID 1348 wrote to memory of 2880	1348	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe	38
PID 1348 wrote to memory of 2880	1348	{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe	38
PID 2348 wrote to memory of 2972	2348	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe	41
PID 2348 wrote to memory of 2972	2348	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe	41
PID 2348 wrote to memory of 2972	2348	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe	41
PID 2348 wrote to memory of 2972	2348	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe	41
PID 2348 wrote to memory of 2876	2348	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe	40
PID 2348 wrote to memory of 2876	2348	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe	40
PID 2348 wrote to memory of 2876	2348	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe	40
PID 2348 wrote to memory of 2876	2348	{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe	40
PID 2972 wrote to memory of 3056	2972	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe	43
PID 2972 wrote to memory of 3056	2972	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe	43
PID 2972 wrote to memory of 3056	2972	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe	43
PID 2972 wrote to memory of 3056	2972	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe	43
PID 2972 wrote to memory of 2856	2972	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe	42
PID 2972 wrote to memory of 2856	2972	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe	42
PID 2972 wrote to memory of 2856	2972	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe	42
PID 2972 wrote to memory of 2856	2972	{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe	42
PID 3056 wrote to memory of 3052	3056	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe	45
PID 3056 wrote to memory of 3052	3056	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe	45
PID 3056 wrote to memory of 3052	3056	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe	45
PID 3056 wrote to memory of 3052	3056	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe	45
PID 3056 wrote to memory of 2748	3056	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe	44
PID 3056 wrote to memory of 2748	3056	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe	44
PID 3056 wrote to memory of 2748	3056	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe	44
PID 3056 wrote to memory of 2748	3056	{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe	44

C:\Users\Admin\AppData\Local\Temp\e54a562bfbaa58exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e54a562bfbaa58exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\{84F41417-F617-4a54-9E39-CD653BA1259A}.exe
  C:\Windows\{84F41417-F617-4a54-9E39-CD653BA1259A}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:928
- - C:\Windows\{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe
    C:\Windows\{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Windows\{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe
      C:\Windows\{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE1E7~1.EXE > nul
        5⤵
        
        PID:2512
    - - C:\Windows\{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe
        
        C:\Windows\{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1348
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF547~1.EXE > nul
        6⤵
        
        PID:2880
      - C:\Windows\{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe
        
        C:\Windows\{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C29DF~1.EXE > nul
        7⤵
        
        PID:2876
        
        C:\Windows\{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe
        
        C:\Windows\{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E42FB~1.EXE > nul
        8⤵
        
        PID:2856
        
        C:\Windows\{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe
        
        C:\Windows\{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88BA5~1.EXE > nul
        9⤵
        
        PID:2748
        
        C:\Windows\{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe
        
        C:\Windows\{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22DFB~1.EXE > nul
        10⤵
        
        PID:2888
        
        C:\Windows\{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe
        
        C:\Windows\{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B50FE~1.EXE > nul
        11⤵
        
        PID:2764
        
        C:\Windows\{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe
        
        C:\Windows\{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74A0F~1.EXE > nul
        12⤵
        
        PID:2160
        
        C:\Windows\{ECCCC758-9C89-4d71-A9E5-49D927E52518}.exe
        
        C:\Windows\{ECCCC758-9C89-4d71-A9E5-49D927E52518}.exe
        12⤵
        Executes dropped EXE
        
        PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{50B49~1.EXE > nul
      4⤵
      PID:2168
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{84F41~1.EXE > nul
    3⤵
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E54A56~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe

Filesize
372KB

MD5
bea4895686ed67a20fa4134651b45794

SHA1
f13143e4d3d4392a600747aa67efaca9eb95ec06

SHA256
fbe682bb8bb1757fdb28b1dd8a749808eaa8762b134252b787ddf6af8f0d9679

SHA512
2fa9da6b77cbf2fa32566b9ef029c40cb943bf5f20d2e93ad787bae70f286134e1e193097559d906adccdc39a1db49824b7713ab62927ea35ef87f2bba9f8d8d

Download Submit
C:\Windows\{22DFBF5D-C6A0-4694-8CEC-4142E6A68491}.exe

Filesize
372KB

MD5
bea4895686ed67a20fa4134651b45794

SHA1
f13143e4d3d4392a600747aa67efaca9eb95ec06

SHA256
fbe682bb8bb1757fdb28b1dd8a749808eaa8762b134252b787ddf6af8f0d9679

SHA512
2fa9da6b77cbf2fa32566b9ef029c40cb943bf5f20d2e93ad787bae70f286134e1e193097559d906adccdc39a1db49824b7713ab62927ea35ef87f2bba9f8d8d

Download Submit
C:\Windows\{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe

Filesize
372KB

MD5
428454b1cf10571a8551f26ec5edadb5

SHA1
b65f469b20d7ae0547ba006958b0d73d1c757b7a

SHA256
f6cdd87dc29ab469a07d459215347e975370f67fcf4995c00c13cac35f5f0f97

SHA512
081809e58207f542157ff279ca36680dfb4ee6636bd436bc904a5f8699c7d6e9385dd50bff4fa8aa1ef0a32d56b950c1c970d3b7a47cffe88ab8e061c4a256f6

Download Submit
C:\Windows\{50B49FEC-8ECC-48c1-A5DB-5859418B29E6}.exe

Filesize
372KB

MD5
428454b1cf10571a8551f26ec5edadb5

SHA1
b65f469b20d7ae0547ba006958b0d73d1c757b7a

SHA256
f6cdd87dc29ab469a07d459215347e975370f67fcf4995c00c13cac35f5f0f97

SHA512
081809e58207f542157ff279ca36680dfb4ee6636bd436bc904a5f8699c7d6e9385dd50bff4fa8aa1ef0a32d56b950c1c970d3b7a47cffe88ab8e061c4a256f6

Download Submit
C:\Windows\{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe

Filesize
372KB

MD5
4e3870419fc48be91fbaf05b7928c5a6

SHA1
d755fb47f2a66ea4c73e140eb6237745b3d18dbd

SHA256
b3a021213c76c7be65e1b4ecc1dfa8876da7b15937509ddb4af82277fefa595b

SHA512
0eeb57edb0999626815037b52befc2801274a86f9bbd974baa179a22036a44169eb704289092a2edd6b40f3e9c876900befe7e77ae0b90f5b89d75317d828c63

Download Submit
C:\Windows\{74A0F2BC-4E58-4089-AF70-0565419C229C}.exe

Filesize
372KB

MD5
4e3870419fc48be91fbaf05b7928c5a6

SHA1
d755fb47f2a66ea4c73e140eb6237745b3d18dbd

SHA256
b3a021213c76c7be65e1b4ecc1dfa8876da7b15937509ddb4af82277fefa595b

SHA512
0eeb57edb0999626815037b52befc2801274a86f9bbd974baa179a22036a44169eb704289092a2edd6b40f3e9c876900befe7e77ae0b90f5b89d75317d828c63

Download Submit
C:\Windows\{84F41417-F617-4a54-9E39-CD653BA1259A}.exe

Filesize
372KB

MD5
44a979b1b8b6fe141bddede16df5b952

SHA1
a4c4c5387c40d9d73608b290e41097697d416ef6

SHA256
89491095852e46a04dfb50b7b0761caaa2651339cc6b65e2c5ba0d6329e4499c

SHA512
1e2f8ad67f08cb04585458982ffaac4e1bcd074d6520cc660014f0486609f23267381e47fe31f1f0783d3178fdb5585d0d32a4c57ece825facf2dd4bde33fea6

Download Submit
C:\Windows\{84F41417-F617-4a54-9E39-CD653BA1259A}.exe

Filesize
372KB

MD5
44a979b1b8b6fe141bddede16df5b952

SHA1
a4c4c5387c40d9d73608b290e41097697d416ef6

SHA256
89491095852e46a04dfb50b7b0761caaa2651339cc6b65e2c5ba0d6329e4499c

SHA512
1e2f8ad67f08cb04585458982ffaac4e1bcd074d6520cc660014f0486609f23267381e47fe31f1f0783d3178fdb5585d0d32a4c57ece825facf2dd4bde33fea6

Download Submit
C:\Windows\{84F41417-F617-4a54-9E39-CD653BA1259A}.exe

Filesize
372KB

MD5
44a979b1b8b6fe141bddede16df5b952

SHA1
a4c4c5387c40d9d73608b290e41097697d416ef6

SHA256
89491095852e46a04dfb50b7b0761caaa2651339cc6b65e2c5ba0d6329e4499c

SHA512
1e2f8ad67f08cb04585458982ffaac4e1bcd074d6520cc660014f0486609f23267381e47fe31f1f0783d3178fdb5585d0d32a4c57ece825facf2dd4bde33fea6

Download Submit
C:\Windows\{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe

Filesize
372KB

MD5
66ca5d7e7d0919f9815e3a6e5530b072

SHA1
7629ff19e4d4915bc9795c1918e36f2b0da4fbc8

SHA256
6fcfe96ab4f1b566d43cd69c0765cb793275842cf96b58d8fdef54507482442d

SHA512
4fa5142ce233699c5e972e0d70831cf77f7d959310a8660621c9f212ae59998e91cbe525f47273a6ec62fa923a2a552222bbeb7622fb0c004c965379e83662ac

Download Submit
C:\Windows\{88BA5B12-D37D-424a-A5BC-DE727E084C6B}.exe

Filesize
372KB

MD5
66ca5d7e7d0919f9815e3a6e5530b072

SHA1
7629ff19e4d4915bc9795c1918e36f2b0da4fbc8

SHA256
6fcfe96ab4f1b566d43cd69c0765cb793275842cf96b58d8fdef54507482442d

SHA512
4fa5142ce233699c5e972e0d70831cf77f7d959310a8660621c9f212ae59998e91cbe525f47273a6ec62fa923a2a552222bbeb7622fb0c004c965379e83662ac

Download Submit
C:\Windows\{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe

Filesize
372KB

MD5
f5a0d89f881dc21d8450e5e7665c3c31

SHA1
820ad54b611f3864c83e4de73bd5f05bc0fca85a

SHA256
b962b9415330c1251e90413cb3dcc34de9be8d59b564660fa926449a359d9b97

SHA512
1c134cd90f8310d606a444a5deaf498d3b7d9e2998cc283adf24b1d9585402971286e3150b9b9cdebce7ffe248a2106d9ee4dec75732a8d9e1ee4e385e4cc5e8

Download Submit
C:\Windows\{B50FE3E7-5AAD-4267-85E4-7A9894B09E63}.exe

Filesize
372KB

MD5
f5a0d89f881dc21d8450e5e7665c3c31

SHA1
820ad54b611f3864c83e4de73bd5f05bc0fca85a

SHA256
b962b9415330c1251e90413cb3dcc34de9be8d59b564660fa926449a359d9b97

SHA512
1c134cd90f8310d606a444a5deaf498d3b7d9e2998cc283adf24b1d9585402971286e3150b9b9cdebce7ffe248a2106d9ee4dec75732a8d9e1ee4e385e4cc5e8

Download Submit
C:\Windows\{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe

Filesize
372KB

MD5
fe3b384a7c41f897b6beed77da0b0ad4

SHA1
226429700d48645612cd9a1b3d07b7823b632b42

SHA256
02fb591438d6aa1dfc787e74dd31f625b56404e25c0263625446bd9dd1fb7158

SHA512
6ffab4dce43c4a01377fecc33aa35be9c34d8e8ddbac0a8dd584d478ec31e5e5b33dbca45a8ce50ccf24647f5b6f382038d7b054e29f736bfa811bb96f313f80

Download Submit
C:\Windows\{BE1E7FC9-DE8D-4294-9B0E-AE1568AA3747}.exe

Filesize
372KB

MD5
fe3b384a7c41f897b6beed77da0b0ad4

SHA1
226429700d48645612cd9a1b3d07b7823b632b42

SHA256
02fb591438d6aa1dfc787e74dd31f625b56404e25c0263625446bd9dd1fb7158

SHA512
6ffab4dce43c4a01377fecc33aa35be9c34d8e8ddbac0a8dd584d478ec31e5e5b33dbca45a8ce50ccf24647f5b6f382038d7b054e29f736bfa811bb96f313f80

Download Submit
C:\Windows\{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe

Filesize
372KB

MD5
4526757956a8728680da974ae45f66a4

SHA1
58e87031e4c5a80572b1cb8602789399e800dec2

SHA256
5d245d2ded92fc835937b660bd52fd8920961552d592a49d8260eeb491566e76

SHA512
e3eb82513c27197be356be6b23ef3756edf3c0d9745f847aba399cfbab52e3be03ed894dc22ba4dfc80131b4b0158ae5207d8b40d4836dd9d88e09070da6965a

Download Submit
C:\Windows\{C29DFB4B-969E-4754-9E5A-89BA220F10A3}.exe

Filesize
372KB

MD5
4526757956a8728680da974ae45f66a4

SHA1
58e87031e4c5a80572b1cb8602789399e800dec2

SHA256
5d245d2ded92fc835937b660bd52fd8920961552d592a49d8260eeb491566e76

SHA512
e3eb82513c27197be356be6b23ef3756edf3c0d9745f847aba399cfbab52e3be03ed894dc22ba4dfc80131b4b0158ae5207d8b40d4836dd9d88e09070da6965a

Download Submit
C:\Windows\{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe

Filesize
372KB

MD5
1dd014e84f7d58f0e826c3981a104cef

SHA1
bc63fe4a94e80ff0f537fddab457a96d69fe8f5d

SHA256
36e434c6a7b2557f228dc3ef3cab863767f8befc04c31e6a8f7d13dfa74c0db9

SHA512
84704648a419231220deac51f71e017ac45fcea832e10cacbf510c9190148e8f127fc7bb3dc6ce67739b7e0bfed663b912ef9f13d1bb12c8311cc07da693eb97

Download Submit
C:\Windows\{DF547F50-AE95-4237-8F92-6B3F22237C70}.exe

Filesize
372KB

MD5
1dd014e84f7d58f0e826c3981a104cef

SHA1
bc63fe4a94e80ff0f537fddab457a96d69fe8f5d

SHA256
36e434c6a7b2557f228dc3ef3cab863767f8befc04c31e6a8f7d13dfa74c0db9

SHA512
84704648a419231220deac51f71e017ac45fcea832e10cacbf510c9190148e8f127fc7bb3dc6ce67739b7e0bfed663b912ef9f13d1bb12c8311cc07da693eb97

Download Submit
C:\Windows\{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe

Filesize
372KB

MD5
5159c18a99ecd0b0979e2c4d0e7475ab

SHA1
23446eeaa8c012aa1f3a9c02cd8fb26d19274cdd

SHA256
66d5df58a9a6aed2557d28e2c79bcca640d7e37eeb0dd9c28551db5cf02ba80f

SHA512
45b22bf39e8ee75b71e5535c70d0e82d6f8295fffac7be0aac90e765f3e8465b49958f19da4cfd5ca26161cde9520322cd37c88ff0e1ecd2a1bb7e3969088875

Download Submit
C:\Windows\{E42FBA35-DE6F-430f-A09D-7F9CA0EADD4B}.exe

Filesize
372KB

MD5
5159c18a99ecd0b0979e2c4d0e7475ab

SHA1
23446eeaa8c012aa1f3a9c02cd8fb26d19274cdd

SHA256
66d5df58a9a6aed2557d28e2c79bcca640d7e37eeb0dd9c28551db5cf02ba80f

SHA512
45b22bf39e8ee75b71e5535c70d0e82d6f8295fffac7be0aac90e765f3e8465b49958f19da4cfd5ca26161cde9520322cd37c88ff0e1ecd2a1bb7e3969088875

Download Submit
C:\Windows\{ECCCC758-9C89-4d71-A9E5-49D927E52518}.exe

Filesize
372KB

MD5
87949f57a78f5b3c8f0c024536e14ae3

SHA1
b98b1f845c537954399537ea78c2058d2a1052ba

SHA256
7be42291bcc378d20fdf95cf36381c9e3d44e8b6bfe3f59e10ecc4a14c40de05

SHA512
b0d94bbfae0fb33e4c152d860558ee3bd4fafb8d3af728c7a886766e2064b4004814e20f9835b70dd74b8e44bb771d1858f359563b0540636d82d6223593a7f0

Download Submit