a52e51d8bf148e472e01542ffe2dbdeb6281a56a951fd49c18ae8980f99a7883

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19-07-2023 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1bc5650f23dbcexe_JC.exe
Size

168KB
MD5

e1bc5650f23dbcb38a1a5673ec6148cc
SHA1

30ba847fc001d387cad96b969a2aad7b7854e8c7
SHA256

a52e51d8bf148e472e01542ffe2dbdeb6281a56a951fd49c18ae8980f99a7883
SHA512

d43dab336ed19564391cd16ad0390f0ec40c51c7055ee48698768979bdce0be84a1080b452511f888a881f149a2f41e43b0cb8ce64b4b097b0c2eae554c05ce3
SSDEEP

1536:1EGh0owlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0owlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46BEA0D1-34C6-449a-8D66-3FED24479161}	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}\stubpath = "C:\\Windows\\{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe"	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}	{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A91CADC-E1C2-4aa8-98C9-EC5CD1843D3A}\stubpath = "C:\\Windows\\{6A91CADC-E1C2-4aa8-98C9-EC5CD1843D3A}.exe"	{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{46BEA0D1-34C6-449a-8D66-3FED24479161}\stubpath = "C:\\Windows\\{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe"	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19FC8908-99C7-4ae0-B0AC-6B930A015B54}	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}\stubpath = "C:\\Windows\\{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe"	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A119FB68-AB1F-4214-B999-EE5E3F05789C}\stubpath = "C:\\Windows\\{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe"	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8738C4E2-831D-4888-BDCD-8CC028752D54}\stubpath = "C:\\Windows\\{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe"	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}\stubpath = "C:\\Windows\\{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe"	{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6A91CADC-E1C2-4aa8-98C9-EC5CD1843D3A}	{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90A84E8F-4714-4d6a-A74C-241D0B56DE79}\stubpath = "C:\\Windows\\{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe"	e1bc5650f23dbcexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A119FB68-AB1F-4214-B999-EE5E3F05789C}	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}\stubpath = "C:\\Windows\\{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe"	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8738C4E2-831D-4888-BDCD-8CC028752D54}	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}	{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90A84E8F-4714-4d6a-A74C-241D0B56DE79}	e1bc5650f23dbcexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19FC8908-99C7-4ae0-B0AC-6B930A015B54}\stubpath = "C:\\Windows\\{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe"	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}\stubpath = "C:\\Windows\\{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe"	{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe

Executes dropped EXE 11 IoCs

pid	Process
2224	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe
2896	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe
2952	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe
2124	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe
2720	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe
2964	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe
2768	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe
2432	{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe
1456	{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe
3016	{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe
2308	{6A91CADC-E1C2-4aa8-98C9-EC5CD1843D3A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe	e1bc5650f23dbcexe_JC.exe
File created	C:\Windows\{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe
File created	C:\Windows\{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe
File created	C:\Windows\{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe
File created	C:\Windows\{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe
File created	C:\Windows\{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe	{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe
File created	C:\Windows\{6A91CADC-E1C2-4aa8-98C9-EC5CD1843D3A}.exe	{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe
File created	C:\Windows\{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe
File created	C:\Windows\{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe
File created	C:\Windows\{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe
File created	C:\Windows\{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe	{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1660	e1bc5650f23dbcexe_JC.exe
Token: SeIncBasePriorityPrivilege	2224	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe
Token: SeIncBasePriorityPrivilege	2896	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe
Token: SeIncBasePriorityPrivilege	2952	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe
Token: SeIncBasePriorityPrivilege	2124	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe
Token: SeIncBasePriorityPrivilege	2720	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe
Token: SeIncBasePriorityPrivilege	2964	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe
Token: SeIncBasePriorityPrivilege	2768	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe
Token: SeIncBasePriorityPrivilege	2432	{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe
Token: SeIncBasePriorityPrivilege	1456	{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe
Token: SeIncBasePriorityPrivilege	3016	{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2224	1660	e1bc5650f23dbcexe_JC.exe	28
PID 1660 wrote to memory of 2224	1660	e1bc5650f23dbcexe_JC.exe	28
PID 1660 wrote to memory of 2224	1660	e1bc5650f23dbcexe_JC.exe	28
PID 1660 wrote to memory of 2224	1660	e1bc5650f23dbcexe_JC.exe	28
PID 1660 wrote to memory of 808	1660	e1bc5650f23dbcexe_JC.exe	29
PID 1660 wrote to memory of 808	1660	e1bc5650f23dbcexe_JC.exe	29
PID 1660 wrote to memory of 808	1660	e1bc5650f23dbcexe_JC.exe	29
PID 1660 wrote to memory of 808	1660	e1bc5650f23dbcexe_JC.exe	29
PID 2224 wrote to memory of 2896	2224	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe	32
PID 2224 wrote to memory of 2896	2224	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe	32
PID 2224 wrote to memory of 2896	2224	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe	32
PID 2224 wrote to memory of 2896	2224	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe	32
PID 2224 wrote to memory of 2956	2224	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe	33
PID 2224 wrote to memory of 2956	2224	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe	33
PID 2224 wrote to memory of 2956	2224	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe	33
PID 2224 wrote to memory of 2956	2224	{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe	33
PID 2896 wrote to memory of 2952	2896	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe	35
PID 2896 wrote to memory of 2952	2896	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe	35
PID 2896 wrote to memory of 2952	2896	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe	35
PID 2896 wrote to memory of 2952	2896	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe	35
PID 2896 wrote to memory of 2928	2896	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe	34
PID 2896 wrote to memory of 2928	2896	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe	34
PID 2896 wrote to memory of 2928	2896	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe	34
PID 2896 wrote to memory of 2928	2896	{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe	34
PID 2952 wrote to memory of 2124	2952	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe	36
PID 2952 wrote to memory of 2124	2952	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe	36
PID 2952 wrote to memory of 2124	2952	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe	36
PID 2952 wrote to memory of 2124	2952	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe	36
PID 2952 wrote to memory of 2732	2952	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe	37
PID 2952 wrote to memory of 2732	2952	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe	37
PID 2952 wrote to memory of 2732	2952	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe	37
PID 2952 wrote to memory of 2732	2952	{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe	37
PID 2124 wrote to memory of 2720	2124	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe	38
PID 2124 wrote to memory of 2720	2124	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe	38
PID 2124 wrote to memory of 2720	2124	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe	38
PID 2124 wrote to memory of 2720	2124	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe	38
PID 2124 wrote to memory of 2868	2124	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe	39
PID 2124 wrote to memory of 2868	2124	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe	39
PID 2124 wrote to memory of 2868	2124	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe	39
PID 2124 wrote to memory of 2868	2124	{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe	39
PID 2720 wrote to memory of 2964	2720	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe	41
PID 2720 wrote to memory of 2964	2720	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe	41
PID 2720 wrote to memory of 2964	2720	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe	41
PID 2720 wrote to memory of 2964	2720	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe	41
PID 2720 wrote to memory of 2712	2720	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe	40
PID 2720 wrote to memory of 2712	2720	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe	40
PID 2720 wrote to memory of 2712	2720	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe	40
PID 2720 wrote to memory of 2712	2720	{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe	40
PID 2964 wrote to memory of 2768	2964	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe	42
PID 2964 wrote to memory of 2768	2964	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe	42
PID 2964 wrote to memory of 2768	2964	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe	42
PID 2964 wrote to memory of 2768	2964	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe	42
PID 2964 wrote to memory of 2312	2964	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe	43
PID 2964 wrote to memory of 2312	2964	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe	43
PID 2964 wrote to memory of 2312	2964	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe	43
PID 2964 wrote to memory of 2312	2964	{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe	43
PID 2768 wrote to memory of 2432	2768	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe	44
PID 2768 wrote to memory of 2432	2768	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe	44
PID 2768 wrote to memory of 2432	2768	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe	44
PID 2768 wrote to memory of 2432	2768	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe	44
PID 2768 wrote to memory of 1044	2768	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe	45
PID 2768 wrote to memory of 1044	2768	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe	45
PID 2768 wrote to memory of 1044	2768	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe	45
PID 2768 wrote to memory of 1044	2768	{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe	45

C:\Users\Admin\AppData\Local\Temp\e1bc5650f23dbcexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e1bc5650f23dbcexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe
  C:\Windows\{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe
    C:\Windows\{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{46BEA~1.EXE > nul
      4⤵
      PID:2928
  - - C:\Windows\{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe
      C:\Windows\{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2952
    - - C:\Windows\{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe
        
        C:\Windows\{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2124
      - C:\Windows\{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe
        
        C:\Windows\{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2875D~1.EXE > nul
        7⤵
        
        PID:2712
        
        C:\Windows\{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe
        
        C:\Windows\{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe
        
        C:\Windows\{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe
        
        C:\Windows\{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe
        
        C:\Windows\{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Windows\{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe
        
        C:\Windows\{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\{6A91CADC-E1C2-4aa8-98C9-EC5CD1843D3A}.exe
        
        C:\Windows\{6A91CADC-E1C2-4aa8-98C9-EC5CD1843D3A}.exe
        12⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35C60~1.EXE > nul
        12⤵
        
        PID:1444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EA9B~1.EXE > nul
        11⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8738C~1.EXE > nul
        10⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{71A2E~1.EXE > nul
        9⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A119F~1.EXE > nul
        8⤵
        
        PID:2312
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EC0A~1.EXE > nul
        6⤵
        
        PID:2868
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19FC8~1.EXE > nul
        5⤵
        
        PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{90A84~1.EXE > nul
    3⤵
    PID:2956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E1BC56~1.EXE > nul
  2⤵
  PID:808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe

Filesize
168KB

MD5
dd6f19caf627c91eca4fd5664ac897de

SHA1
487d976756f67d1fdc43823d17e4e6a7840ce4bc

SHA256
b924a0644599df5e1a52e4f6c823bcfd88b854394cbd334fb32f1ac07c778c6c

SHA512
5c653c7ee35a353760d766e2e97d2d7edeb89dcd7ab936b164c69fe30637723f0416e8a238ed10e7cde8a0620563be5ca531c2147eba5b882ff2a4e104b3315d

Download Submit
C:\Windows\{19FC8908-99C7-4ae0-B0AC-6B930A015B54}.exe

Filesize
168KB

MD5
dd6f19caf627c91eca4fd5664ac897de

SHA1
487d976756f67d1fdc43823d17e4e6a7840ce4bc

SHA256
b924a0644599df5e1a52e4f6c823bcfd88b854394cbd334fb32f1ac07c778c6c

SHA512
5c653c7ee35a353760d766e2e97d2d7edeb89dcd7ab936b164c69fe30637723f0416e8a238ed10e7cde8a0620563be5ca531c2147eba5b882ff2a4e104b3315d

Download Submit
C:\Windows\{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe

Filesize
168KB

MD5
61786b7569977f00c16763f4eb7b4bed

SHA1
69026a87161ad2410cea23e512412b9592c21842

SHA256
321357819c26a4d611fdb19c5d6bd8b50714f1a6eba228fd0f6c177d7e456c3e

SHA512
11824be5102264b5644995280fe51949c9242ead4c27020eeae6104b38afe4b5d55018412b7e7ccc37ef9df10837b8e285d75c314b30e1e95a14d5ac78ff9eb1

Download Submit
C:\Windows\{2875D1C3-EDAC-4990-964F-AEAFF008DF2D}.exe

Filesize
168KB

MD5
61786b7569977f00c16763f4eb7b4bed

SHA1
69026a87161ad2410cea23e512412b9592c21842

SHA256
321357819c26a4d611fdb19c5d6bd8b50714f1a6eba228fd0f6c177d7e456c3e

SHA512
11824be5102264b5644995280fe51949c9242ead4c27020eeae6104b38afe4b5d55018412b7e7ccc37ef9df10837b8e285d75c314b30e1e95a14d5ac78ff9eb1

Download Submit
C:\Windows\{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe

Filesize
168KB

MD5
9a1f1d2aea7e2bb977a0db454cd13861

SHA1
be330772059329653289a55f3aae26c5332d10c0

SHA256
e41e5a73f4979c0fef159c25af3a485891be8d0dd4b3a4ad25ec7cdf57813be1

SHA512
ea9517247645c615f49460bebeff60fd18739b95ffb73399ee078c270b493e0cbd73eb138f73ab5301627ca0688a9eb942a9fd9213d1b59c09ead9e7687ea1e7

Download Submit
C:\Windows\{35C60C27-AAF9-42cb-AB2A-CD70CAFFFF6C}.exe

Filesize
168KB

MD5
9a1f1d2aea7e2bb977a0db454cd13861

SHA1
be330772059329653289a55f3aae26c5332d10c0

SHA256
e41e5a73f4979c0fef159c25af3a485891be8d0dd4b3a4ad25ec7cdf57813be1

SHA512
ea9517247645c615f49460bebeff60fd18739b95ffb73399ee078c270b493e0cbd73eb138f73ab5301627ca0688a9eb942a9fd9213d1b59c09ead9e7687ea1e7

Download Submit
C:\Windows\{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe

Filesize
168KB

MD5
556a089c2ee5ad92ef2b787b7a710c42

SHA1
8f2851dbf0ef08a723c4d11e08c3d45934c4c184

SHA256
f6b2a3d566bc504fdbeef3095cabd9c69b231bedec786357a42df50f8a6f0dda

SHA512
48102f83d3247f2194470820386cc134fe73983367a02955ecb6c81974a0aad9bf991210349964d1d63a6f741b0f148559740a2fe2d5c01c29bc0af80a7d0a6e

Download Submit
C:\Windows\{46BEA0D1-34C6-449a-8D66-3FED24479161}.exe

Filesize
168KB

MD5
556a089c2ee5ad92ef2b787b7a710c42

SHA1
8f2851dbf0ef08a723c4d11e08c3d45934c4c184

SHA256
f6b2a3d566bc504fdbeef3095cabd9c69b231bedec786357a42df50f8a6f0dda

SHA512
48102f83d3247f2194470820386cc134fe73983367a02955ecb6c81974a0aad9bf991210349964d1d63a6f741b0f148559740a2fe2d5c01c29bc0af80a7d0a6e

Download Submit
C:\Windows\{6A91CADC-E1C2-4aa8-98C9-EC5CD1843D3A}.exe

Filesize
168KB

MD5
0ab7c04db289e6c9cc7ca63eee25320e

SHA1
5e722acd5a66b54cbe642c8747aa173362c40ace

SHA256
61d966e96deb1f110ec0c189593a060d6e9c87dad548e78cef36c119f5961a64

SHA512
47ba3ac92ba1a375de1a68af59559c65f98d664e873fcbb5271043a4a58738c20b730bd4e6022fe1014616dd8d046c8f05c6d08519d386b6ef81406aaa7f34ba

Download Submit
C:\Windows\{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe

Filesize
168KB

MD5
b62f6d2d2c308e1992b140c14973ab32

SHA1
a32975e936e33221193cda42a7322e70778113ae

SHA256
d826db8302a1551fc54a12d266d01ed16bc30aba2076c2fb5a8c9cb33f5ff4ce

SHA512
873f15197383e14eb65bd746025851eb6ceb280422ad1cae463a3c50ede153e1e86f1129b18613a1d93fbd9f5dc9e07ee32acb3b05692e1da55dbeae11fbac20

Download Submit
C:\Windows\{6EA9B93A-9A9A-4845-B6A3-E0113DEC53E0}.exe

Filesize
168KB

MD5
b62f6d2d2c308e1992b140c14973ab32

SHA1
a32975e936e33221193cda42a7322e70778113ae

SHA256
d826db8302a1551fc54a12d266d01ed16bc30aba2076c2fb5a8c9cb33f5ff4ce

SHA512
873f15197383e14eb65bd746025851eb6ceb280422ad1cae463a3c50ede153e1e86f1129b18613a1d93fbd9f5dc9e07ee32acb3b05692e1da55dbeae11fbac20

Download Submit
C:\Windows\{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe

Filesize
168KB

MD5
e1779e508da75587c8540015d5980f3e

SHA1
af89d8285f544faa9fedc93db5729b314f697634

SHA256
3f139725eea7b050e68147fb7ab881c34c941ac3e8c846e5d158ceb4796f1cec

SHA512
b8531e36f1d4ccb8558fc5f016572f1ba9d6fe25fbe3d7ce3d47081c86f9856883bace89d5beab46787c6371131af29e9188ba06a6b2521769e2dcc7c9c3e9e8

Download Submit
C:\Windows\{6EC0A8C2-FE65-4476-B23D-423E0C99BD06}.exe

Filesize
168KB

MD5
e1779e508da75587c8540015d5980f3e

SHA1
af89d8285f544faa9fedc93db5729b314f697634

SHA256
3f139725eea7b050e68147fb7ab881c34c941ac3e8c846e5d158ceb4796f1cec

SHA512
b8531e36f1d4ccb8558fc5f016572f1ba9d6fe25fbe3d7ce3d47081c86f9856883bace89d5beab46787c6371131af29e9188ba06a6b2521769e2dcc7c9c3e9e8

Download Submit
C:\Windows\{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe

Filesize
168KB

MD5
a39cc40026165f331a016800d170bb0b

SHA1
2aee3c0dae7dcc8c48d50b85cfe47c1b7b7d28e7

SHA256
6866033d2b54de049640d84774972d0c4e581b8b1f1b4351f05e49f8ee30e5c7

SHA512
50cf5d992633990984538c5f7e8ba41d65c289cf7bc95579c90b2d957e1d8246af6623a91e24277030b27a7095d150fe8af41aa49bfec2de362bcaa217ebea34

Download Submit
C:\Windows\{71A2EAE2-CEC4-4143-AD71-DAC4293F6D7D}.exe

Filesize
168KB

MD5
a39cc40026165f331a016800d170bb0b

SHA1
2aee3c0dae7dcc8c48d50b85cfe47c1b7b7d28e7

SHA256
6866033d2b54de049640d84774972d0c4e581b8b1f1b4351f05e49f8ee30e5c7

SHA512
50cf5d992633990984538c5f7e8ba41d65c289cf7bc95579c90b2d957e1d8246af6623a91e24277030b27a7095d150fe8af41aa49bfec2de362bcaa217ebea34

Download Submit
C:\Windows\{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe

Filesize
168KB

MD5
338ede5e08d541056ae864278ac0a19d

SHA1
4e6c4233ecb78efe2e21b433adb68bc1470488c9

SHA256
55af700b3ea442f2522a9f538c12581e3e31163301a269749419e0218d16ab4f

SHA512
a98cf8eb0e00ab7fe27384db6b44633f2f7d40ec90e199ed98a1fca7b1eb88a8c13616ea29c0f9d17e4a5ce38f0ba23ad6e4031e774b2c96ae5101088053286e

Download Submit
C:\Windows\{8738C4E2-831D-4888-BDCD-8CC028752D54}.exe

Filesize
168KB

MD5
338ede5e08d541056ae864278ac0a19d

SHA1
4e6c4233ecb78efe2e21b433adb68bc1470488c9

SHA256
55af700b3ea442f2522a9f538c12581e3e31163301a269749419e0218d16ab4f

SHA512
a98cf8eb0e00ab7fe27384db6b44633f2f7d40ec90e199ed98a1fca7b1eb88a8c13616ea29c0f9d17e4a5ce38f0ba23ad6e4031e774b2c96ae5101088053286e

Download Submit
C:\Windows\{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe

Filesize
168KB

MD5
4818ad4b18974e27f9a69df1f6fa4f21

SHA1
387e4e1935257793ada1f03f7d24cf9ed5a861d6

SHA256
caf7f2e100dddd2b25539c33b9635bac5452d398b1ac6606a935d0432777cef5

SHA512
d8d497fab26fc67d4adb7123bade5b9a8e5002b281b422b88ba7f64bb272ecb36890236ef6c832ef5a6e87eec43f7122f1968ada66a8605d0f7eb10c2acbacd8

Download Submit
C:\Windows\{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe

Filesize
168KB

MD5
4818ad4b18974e27f9a69df1f6fa4f21

SHA1
387e4e1935257793ada1f03f7d24cf9ed5a861d6

SHA256
caf7f2e100dddd2b25539c33b9635bac5452d398b1ac6606a935d0432777cef5

SHA512
d8d497fab26fc67d4adb7123bade5b9a8e5002b281b422b88ba7f64bb272ecb36890236ef6c832ef5a6e87eec43f7122f1968ada66a8605d0f7eb10c2acbacd8

Download Submit
C:\Windows\{90A84E8F-4714-4d6a-A74C-241D0B56DE79}.exe

Filesize
168KB

MD5
4818ad4b18974e27f9a69df1f6fa4f21

SHA1
387e4e1935257793ada1f03f7d24cf9ed5a861d6

SHA256
caf7f2e100dddd2b25539c33b9635bac5452d398b1ac6606a935d0432777cef5

SHA512
d8d497fab26fc67d4adb7123bade5b9a8e5002b281b422b88ba7f64bb272ecb36890236ef6c832ef5a6e87eec43f7122f1968ada66a8605d0f7eb10c2acbacd8

Download Submit
C:\Windows\{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe

Filesize
168KB

MD5
10c04e3a904a6aacb5835ad6ca4f2e97

SHA1
7d045ff9314a5e67e2cb093d71f8b21890ea5650

SHA256
5a839333e6d3520df7c135ecaf56b105459705b1a5729bceff4eaabdc45f61ea

SHA512
da7d8267a770f757b76f8582dc601346ba7b32e7c4adb4fda1551c1f996106dd1cf7e5f6885d4a3726a02c22e7fd2d7d60bf0df0f939679a62d51a8387216c17

Download Submit
C:\Windows\{A119FB68-AB1F-4214-B999-EE5E3F05789C}.exe

Filesize
168KB

MD5
10c04e3a904a6aacb5835ad6ca4f2e97

SHA1
7d045ff9314a5e67e2cb093d71f8b21890ea5650

SHA256
5a839333e6d3520df7c135ecaf56b105459705b1a5729bceff4eaabdc45f61ea

SHA512
da7d8267a770f757b76f8582dc601346ba7b32e7c4adb4fda1551c1f996106dd1cf7e5f6885d4a3726a02c22e7fd2d7d60bf0df0f939679a62d51a8387216c17

Download Submit