629fe5544a0d9620f0284fd2669a374ce9afe69a711a29f36818b29d55294f09

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
19/07/2023, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22ba5460d5192exe_JC.exe
Size

204KB
MD5

e22ba5460d5192a9a270f91dcf6faa0f
SHA1

268059cbd3066d568ff29d65ec9a3f56746a58f4
SHA256

629fe5544a0d9620f0284fd2669a374ce9afe69a711a29f36818b29d55294f09
SHA512

e03081ae42862b347e1a546e1f26586d6a2d506a593a27b50bcb34e53c597882e1356efba7051eb059c373464e84920a932345a7ec9802060b01084170c76fd3
SSDEEP

1536:1EGh0oWl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oWl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E6AB00-36BA-4509-8FA7-5557413F3749}\stubpath = "C:\\Windows\\{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe"	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{032F6B4F-05C2-4143-BE52-2F597FAA31A8}	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{845E0099-8419-4838-AB07-1C15337AE98B}	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}\stubpath = "C:\\Windows\\{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe"	{845E0099-8419-4838-AB07-1C15337AE98B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34A9A9F2-6A5D-459e-B333-191AD8FE5C1D}	{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE050282-5B4B-48d0-B3D5-C3CEB0828220}	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21C756A3-368E-4b37-843E-321151D7DBF0}	{E817CCAA-FB04-432b-991D-E507D9383391}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21C756A3-368E-4b37-843E-321151D7DBF0}\stubpath = "C:\\Windows\\{21C756A3-368E-4b37-843E-321151D7DBF0}.exe"	{E817CCAA-FB04-432b-991D-E507D9383391}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C6E6AB00-36BA-4509-8FA7-5557413F3749}	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{845E0099-8419-4838-AB07-1C15337AE98B}\stubpath = "C:\\Windows\\{845E0099-8419-4838-AB07-1C15337AE98B}.exe"	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBE16218-316F-43eb-98EC-FB35877C0807}	{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}	{CBE16218-316F-43eb-98EC-FB35877C0807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}\stubpath = "C:\\Windows\\{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe"	{CBE16218-316F-43eb-98EC-FB35877C0807}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E817CCAA-FB04-432b-991D-E507D9383391}\stubpath = "C:\\Windows\\{E817CCAA-FB04-432b-991D-E507D9383391}.exe"	e22ba5460d5192exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34A9A9F2-6A5D-459e-B333-191AD8FE5C1D}\stubpath = "C:\\Windows\\{34A9A9F2-6A5D-459e-B333-191AD8FE5C1D}.exe"	{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{032F6B4F-05C2-4143-BE52-2F597FAA31A8}\stubpath = "C:\\Windows\\{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe"	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}	{845E0099-8419-4838-AB07-1C15337AE98B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CBE16218-316F-43eb-98EC-FB35877C0807}\stubpath = "C:\\Windows\\{CBE16218-316F-43eb-98EC-FB35877C0807}.exe"	{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AE050282-5B4B-48d0-B3D5-C3CEB0828220}\stubpath = "C:\\Windows\\{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe"	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}\stubpath = "C:\\Windows\\{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe"	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E817CCAA-FB04-432b-991D-E507D9383391}	e22ba5460d5192exe_JC.exe

Deletes itself 1 IoCs

pid	Process
1148	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2600	{E817CCAA-FB04-432b-991D-E507D9383391}.exe
2920	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe
2740	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe
2880	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe
2744	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe
2540	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe
472	{845E0099-8419-4838-AB07-1C15337AE98B}.exe
1132	{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe
832	{CBE16218-316F-43eb-98EC-FB35877C0807}.exe
2372	{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe
3056	{34A9A9F2-6A5D-459e-B333-191AD8FE5C1D}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{E817CCAA-FB04-432b-991D-E507D9383391}.exe	e22ba5460d5192exe_JC.exe
File created	C:\Windows\{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe
File created	C:\Windows\{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe	{CBE16218-316F-43eb-98EC-FB35877C0807}.exe
File created	C:\Windows\{845E0099-8419-4838-AB07-1C15337AE98B}.exe	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe
File created	C:\Windows\{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe	{845E0099-8419-4838-AB07-1C15337AE98B}.exe
File created	C:\Windows\{CBE16218-316F-43eb-98EC-FB35877C0807}.exe	{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe
File created	C:\Windows\{34A9A9F2-6A5D-459e-B333-191AD8FE5C1D}.exe	{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe
File created	C:\Windows\{21C756A3-368E-4b37-843E-321151D7DBF0}.exe	{E817CCAA-FB04-432b-991D-E507D9383391}.exe
File created	C:\Windows\{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe
File created	C:\Windows\{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe
File created	C:\Windows\{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2236	e22ba5460d5192exe_JC.exe
Token: SeIncBasePriorityPrivilege	2600	{E817CCAA-FB04-432b-991D-E507D9383391}.exe
Token: SeIncBasePriorityPrivilege	2920	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe
Token: SeIncBasePriorityPrivilege	2740	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe
Token: SeIncBasePriorityPrivilege	2880	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe
Token: SeIncBasePriorityPrivilege	2744	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe
Token: SeIncBasePriorityPrivilege	2540	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe
Token: SeIncBasePriorityPrivilege	472	{845E0099-8419-4838-AB07-1C15337AE98B}.exe
Token: SeIncBasePriorityPrivilege	1132	{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe
Token: SeIncBasePriorityPrivilege	832	{CBE16218-316F-43eb-98EC-FB35877C0807}.exe
Token: SeIncBasePriorityPrivilege	2372	{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2600	2236	e22ba5460d5192exe_JC.exe	28
PID 2236 wrote to memory of 2600	2236	e22ba5460d5192exe_JC.exe	28
PID 2236 wrote to memory of 2600	2236	e22ba5460d5192exe_JC.exe	28
PID 2236 wrote to memory of 2600	2236	e22ba5460d5192exe_JC.exe	28
PID 2236 wrote to memory of 1148	2236	e22ba5460d5192exe_JC.exe	29
PID 2236 wrote to memory of 1148	2236	e22ba5460d5192exe_JC.exe	29
PID 2236 wrote to memory of 1148	2236	e22ba5460d5192exe_JC.exe	29
PID 2236 wrote to memory of 1148	2236	e22ba5460d5192exe_JC.exe	29
PID 2600 wrote to memory of 2920	2600	{E817CCAA-FB04-432b-991D-E507D9383391}.exe	32
PID 2600 wrote to memory of 2920	2600	{E817CCAA-FB04-432b-991D-E507D9383391}.exe	32
PID 2600 wrote to memory of 2920	2600	{E817CCAA-FB04-432b-991D-E507D9383391}.exe	32
PID 2600 wrote to memory of 2920	2600	{E817CCAA-FB04-432b-991D-E507D9383391}.exe	32
PID 2600 wrote to memory of 2960	2600	{E817CCAA-FB04-432b-991D-E507D9383391}.exe	33
PID 2600 wrote to memory of 2960	2600	{E817CCAA-FB04-432b-991D-E507D9383391}.exe	33
PID 2600 wrote to memory of 2960	2600	{E817CCAA-FB04-432b-991D-E507D9383391}.exe	33
PID 2600 wrote to memory of 2960	2600	{E817CCAA-FB04-432b-991D-E507D9383391}.exe	33
PID 2920 wrote to memory of 2740	2920	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe	34
PID 2920 wrote to memory of 2740	2920	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe	34
PID 2920 wrote to memory of 2740	2920	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe	34
PID 2920 wrote to memory of 2740	2920	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe	34
PID 2920 wrote to memory of 2192	2920	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe	35
PID 2920 wrote to memory of 2192	2920	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe	35
PID 2920 wrote to memory of 2192	2920	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe	35
PID 2920 wrote to memory of 2192	2920	{21C756A3-368E-4b37-843E-321151D7DBF0}.exe	35
PID 2740 wrote to memory of 2880	2740	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe	37
PID 2740 wrote to memory of 2880	2740	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe	37
PID 2740 wrote to memory of 2880	2740	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe	37
PID 2740 wrote to memory of 2880	2740	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe	37
PID 2740 wrote to memory of 2712	2740	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe	36
PID 2740 wrote to memory of 2712	2740	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe	36
PID 2740 wrote to memory of 2712	2740	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe	36
PID 2740 wrote to memory of 2712	2740	{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe	36
PID 2880 wrote to memory of 2744	2880	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe	38
PID 2880 wrote to memory of 2744	2880	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe	38
PID 2880 wrote to memory of 2744	2880	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe	38
PID 2880 wrote to memory of 2744	2880	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe	38
PID 2880 wrote to memory of 2832	2880	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe	39
PID 2880 wrote to memory of 2832	2880	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe	39
PID 2880 wrote to memory of 2832	2880	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe	39
PID 2880 wrote to memory of 2832	2880	{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe	39
PID 2744 wrote to memory of 2540	2744	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe	40
PID 2744 wrote to memory of 2540	2744	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe	40
PID 2744 wrote to memory of 2540	2744	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe	40
PID 2744 wrote to memory of 2540	2744	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe	40
PID 2744 wrote to memory of 524	2744	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe	41
PID 2744 wrote to memory of 524	2744	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe	41
PID 2744 wrote to memory of 524	2744	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe	41
PID 2744 wrote to memory of 524	2744	{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe	41
PID 2540 wrote to memory of 472	2540	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe	42
PID 2540 wrote to memory of 472	2540	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe	42
PID 2540 wrote to memory of 472	2540	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe	42
PID 2540 wrote to memory of 472	2540	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe	42
PID 2540 wrote to memory of 1484	2540	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe	43
PID 2540 wrote to memory of 1484	2540	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe	43
PID 2540 wrote to memory of 1484	2540	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe	43
PID 2540 wrote to memory of 1484	2540	{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe	43
PID 472 wrote to memory of 1132	472	{845E0099-8419-4838-AB07-1C15337AE98B}.exe	44
PID 472 wrote to memory of 1132	472	{845E0099-8419-4838-AB07-1C15337AE98B}.exe	44
PID 472 wrote to memory of 1132	472	{845E0099-8419-4838-AB07-1C15337AE98B}.exe	44
PID 472 wrote to memory of 1132	472	{845E0099-8419-4838-AB07-1C15337AE98B}.exe	44
PID 472 wrote to memory of 2008	472	{845E0099-8419-4838-AB07-1C15337AE98B}.exe	45
PID 472 wrote to memory of 2008	472	{845E0099-8419-4838-AB07-1C15337AE98B}.exe	45
PID 472 wrote to memory of 2008	472	{845E0099-8419-4838-AB07-1C15337AE98B}.exe	45
PID 472 wrote to memory of 2008	472	{845E0099-8419-4838-AB07-1C15337AE98B}.exe	45

C:\Users\Admin\AppData\Local\Temp\e22ba5460d5192exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e22ba5460d5192exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\{E817CCAA-FB04-432b-991D-E507D9383391}.exe
  C:\Windows\{E817CCAA-FB04-432b-991D-E507D9383391}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2600
- - C:\Windows\{21C756A3-368E-4b37-843E-321151D7DBF0}.exe
    C:\Windows\{21C756A3-368E-4b37-843E-321151D7DBF0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2920
  - - C:\Windows\{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe
      C:\Windows\{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE050~1.EXE > nul
        5⤵
        
        PID:2712
    - - C:\Windows\{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe
        
        C:\Windows\{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2880
      - C:\Windows\{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe
        
        C:\Windows\{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2744
        
        C:\Windows\{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe
        
        C:\Windows\{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\{845E0099-8419-4838-AB07-1C15337AE98B}.exe
        
        C:\Windows\{845E0099-8419-4838-AB07-1C15337AE98B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe
        
        C:\Windows\{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\{CBE16218-316F-43eb-98EC-FB35877C0807}.exe
        
        C:\Windows\{CBE16218-316F-43eb-98EC-FB35877C0807}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
        
        C:\Windows\{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe
        
        C:\Windows\{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\{34A9A9F2-6A5D-459e-B333-191AD8FE5C1D}.exe
        
        C:\Windows\{34A9A9F2-6A5D-459e-B333-191AD8FE5C1D}.exe
        12⤵
        Executes dropped EXE
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B668~1.EXE > nul
        12⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CBE16~1.EXE > nul
        11⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0990~1.EXE > nul
        10⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{845E0~1.EXE > nul
        9⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8AD2F~1.EXE > nul
        8⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{032F6~1.EXE > nul
        7⤵
        
        PID:524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C6E6A~1.EXE > nul
        6⤵
        
        PID:2832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{21C75~1.EXE > nul
      4⤵
      PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E817C~1.EXE > nul
    3⤵
    PID:2960
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E22BA5~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1148

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe

Filesize
204KB

MD5
50253c1efa3e3cd2cd0a4684efbaf221

SHA1
1e8dd684ea7d8e341ee551331076fb3fe505c08c

SHA256
14a5b4cb011eee02bb728fa386d6cfa10d54adbfe79ba4d9c5379f62f1c3e042

SHA512
0ab7fc74b9aeaabc5402bf359fabed154f7424b9f5385d06e43a58857f54fd708848882a5c4dc2582f0f8e3dda4fd4ce426b74c2c5854fbd42573ece526a6bfb

Download Submit
C:\Windows\{032F6B4F-05C2-4143-BE52-2F597FAA31A8}.exe

Filesize
204KB

MD5
50253c1efa3e3cd2cd0a4684efbaf221

SHA1
1e8dd684ea7d8e341ee551331076fb3fe505c08c

SHA256
14a5b4cb011eee02bb728fa386d6cfa10d54adbfe79ba4d9c5379f62f1c3e042

SHA512
0ab7fc74b9aeaabc5402bf359fabed154f7424b9f5385d06e43a58857f54fd708848882a5c4dc2582f0f8e3dda4fd4ce426b74c2c5854fbd42573ece526a6bfb

Download Submit
C:\Windows\{21C756A3-368E-4b37-843E-321151D7DBF0}.exe

Filesize
204KB

MD5
314530cea1437a05dbcc649b7f42d2fa

SHA1
39dc89407d3d1c1c0dbc1124b4756aa6200b59c0

SHA256
19e174febcb256fe1c17fbb661132967c3908a776101cc290600687c56784a26

SHA512
5e6d7f4f837431ca8d941ba7bd46c00587d07f5b833696451eeed63294314f38dbaa9d125e558cd4091280ec132660f3982bdb8f7c1bf8eba1ba0308373270f7

Download Submit
C:\Windows\{21C756A3-368E-4b37-843E-321151D7DBF0}.exe

Filesize
204KB

MD5
314530cea1437a05dbcc649b7f42d2fa

SHA1
39dc89407d3d1c1c0dbc1124b4756aa6200b59c0

SHA256
19e174febcb256fe1c17fbb661132967c3908a776101cc290600687c56784a26

SHA512
5e6d7f4f837431ca8d941ba7bd46c00587d07f5b833696451eeed63294314f38dbaa9d125e558cd4091280ec132660f3982bdb8f7c1bf8eba1ba0308373270f7

Download Submit
C:\Windows\{34A9A9F2-6A5D-459e-B333-191AD8FE5C1D}.exe

Filesize
204KB

MD5
b2da80ba02814de3f6afad6ea67c769d

SHA1
5ef1d3db794a9c65880cfc16859664cef139eb96

SHA256
b659eca5638625efa2401371bd38f9e167243e3c8caca8097beb008034074bc2

SHA512
78e39892fb2f66b134d30ac965fb505dbb8eeab8f3b66715ba567fa2c75269fb81bb2aad1fd2c925f0efdd42773b0c9a898a87ae8503caf413f3b6a00202ab20

Download Submit
C:\Windows\{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe

Filesize
204KB

MD5
24f58f2a00f73e10f9026d56f2a583fe

SHA1
077a12d6332ce22968f3a1aef62afac02badd0f7

SHA256
d98969f7d2dd173007f091c0ada0937c14da7ff62fc2f0e6b82c9b9454980dc7

SHA512
f03fd6a412f43ed737453d985bb1a283e266fba90dd7bb7cd6d11637e7d9be5faad39faaadb03c3c0c0679fbbc1c39c057b4299da13ef528d2ef8ba59efaa079

Download Submit
C:\Windows\{5B668BB5-61AA-4b49-8B3B-A47A7ABE7791}.exe

Filesize
204KB

MD5
24f58f2a00f73e10f9026d56f2a583fe

SHA1
077a12d6332ce22968f3a1aef62afac02badd0f7

SHA256
d98969f7d2dd173007f091c0ada0937c14da7ff62fc2f0e6b82c9b9454980dc7

SHA512
f03fd6a412f43ed737453d985bb1a283e266fba90dd7bb7cd6d11637e7d9be5faad39faaadb03c3c0c0679fbbc1c39c057b4299da13ef528d2ef8ba59efaa079

Download Submit
C:\Windows\{845E0099-8419-4838-AB07-1C15337AE98B}.exe

Filesize
204KB

MD5
72d6c09c940031363b03e0ac262ffe02

SHA1
2c490ca73802cf4078a6ec74e8255094757a0077

SHA256
a63e70fac1c51e0b92dae4d25de68d1cd8aac9b3a5e90a8c4b0f4ea7026cdf64

SHA512
26ffeb840b551a7834b3a604bb32acd437b15b65b86d4d3ce4e11406d05657d35522710425370c390af04c376410aabfe2ddedee558d49723451a2fd3be6004e

Download Submit
C:\Windows\{845E0099-8419-4838-AB07-1C15337AE98B}.exe

Filesize
204KB

MD5
72d6c09c940031363b03e0ac262ffe02

SHA1
2c490ca73802cf4078a6ec74e8255094757a0077

SHA256
a63e70fac1c51e0b92dae4d25de68d1cd8aac9b3a5e90a8c4b0f4ea7026cdf64

SHA512
26ffeb840b551a7834b3a604bb32acd437b15b65b86d4d3ce4e11406d05657d35522710425370c390af04c376410aabfe2ddedee558d49723451a2fd3be6004e

Download Submit
C:\Windows\{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe

Filesize
204KB

MD5
2441706ebf43a263a15aaf1235789869

SHA1
094f1079ec0c8a6b6ff8e39c632651d47f6f5488

SHA256
fc16de69c74bbbd7b5e0b04e417df94b768d8b46eb508a42fd0d71346f00cb66

SHA512
64ec421cdd5140af6881d4ff61ada6ad41487cd96d16ce1538545baef0cd4e2d5d493e1748a5bd54740bcc7c45abe525fd9743741f6272098abaee5b4c460268

Download Submit
C:\Windows\{8AD2FD2B-1ECC-46e3-89FD-286B0C0CE867}.exe

Filesize
204KB

MD5
2441706ebf43a263a15aaf1235789869

SHA1
094f1079ec0c8a6b6ff8e39c632651d47f6f5488

SHA256
fc16de69c74bbbd7b5e0b04e417df94b768d8b46eb508a42fd0d71346f00cb66

SHA512
64ec421cdd5140af6881d4ff61ada6ad41487cd96d16ce1538545baef0cd4e2d5d493e1748a5bd54740bcc7c45abe525fd9743741f6272098abaee5b4c460268

Download Submit
C:\Windows\{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe

Filesize
204KB

MD5
bd4c6f74299712147d3d2a3196872bb7

SHA1
19d5b6f42246b3750f839de566812ce2b08db906

SHA256
ec73e28cb12c75c2888c1abfa26301de1addb35283b0622cd8def5f1cf0143a6

SHA512
eed8c329efa484d4a365a990f677a5de7d2d86bb7f5c29236447248e7f3f281b28595fc1a7bd0af4f19b72676e0b4c66f3ee98335e4b338c521f49787eb425c1

Download Submit
C:\Windows\{AE050282-5B4B-48d0-B3D5-C3CEB0828220}.exe

Filesize
204KB

MD5
bd4c6f74299712147d3d2a3196872bb7

SHA1
19d5b6f42246b3750f839de566812ce2b08db906

SHA256
ec73e28cb12c75c2888c1abfa26301de1addb35283b0622cd8def5f1cf0143a6

SHA512
eed8c329efa484d4a365a990f677a5de7d2d86bb7f5c29236447248e7f3f281b28595fc1a7bd0af4f19b72676e0b4c66f3ee98335e4b338c521f49787eb425c1

Download Submit
C:\Windows\{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe

Filesize
204KB

MD5
627824eef83a25dba41d7cedf822c6d2

SHA1
5c39e8c8d0e8801da38ece61635f43cec3a2f532

SHA256
6c737e60a072d325ae191f315a81a53d9a184c4bd157f36687ec40d4c16f74ef

SHA512
b182aa0d7dabbca5da4c08ed723e80672909a1bfd8feca78fa366c86e891c70e7cfb54a72b44cbbf7d0838faee82fe3de45be4c970683194656d025947fbaf9c

Download Submit
C:\Windows\{C6E6AB00-36BA-4509-8FA7-5557413F3749}.exe

Filesize
204KB

MD5
627824eef83a25dba41d7cedf822c6d2

SHA1
5c39e8c8d0e8801da38ece61635f43cec3a2f532

SHA256
6c737e60a072d325ae191f315a81a53d9a184c4bd157f36687ec40d4c16f74ef

SHA512
b182aa0d7dabbca5da4c08ed723e80672909a1bfd8feca78fa366c86e891c70e7cfb54a72b44cbbf7d0838faee82fe3de45be4c970683194656d025947fbaf9c

Download Submit
C:\Windows\{CBE16218-316F-43eb-98EC-FB35877C0807}.exe

Filesize
204KB

MD5
b1dd74233212fce214688af70c84256c

SHA1
926e26ab2d0310f5fa33cc4637a4a325818c728f

SHA256
e9e7623ceee733e33164f9b5a61b88c4c7b85ac4b1762e79deb57c4d8a8ba11b

SHA512
7dce5b862315ec20428c711919214c05188ef58d69b13103a9ca0e0e17a82cb029ec698bc5e50e90b2957cae671f68a99194380e6f14ecaf7ece8d4447baf600

Download Submit
C:\Windows\{CBE16218-316F-43eb-98EC-FB35877C0807}.exe

Filesize
204KB

MD5
b1dd74233212fce214688af70c84256c

SHA1
926e26ab2d0310f5fa33cc4637a4a325818c728f

SHA256
e9e7623ceee733e33164f9b5a61b88c4c7b85ac4b1762e79deb57c4d8a8ba11b

SHA512
7dce5b862315ec20428c711919214c05188ef58d69b13103a9ca0e0e17a82cb029ec698bc5e50e90b2957cae671f68a99194380e6f14ecaf7ece8d4447baf600

Download Submit
C:\Windows\{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe

Filesize
204KB

MD5
0972434e1943b6f779cddf66bdf83ca8

SHA1
73d86a62044abb44b439335ec228becf60904235

SHA256
794de00703c750cf2b9a47dd0fd6d10874060d428c4a9ae16a1afb1fc17d58eb

SHA512
be2f2a8cf3f2c46599254acd3bd29d22928fe25bff2144c3642be2456ebba53486ba7b81620f2004b2e12ccf770de4212241e361b75a7c7cfafa56fb5437a6f1

Download Submit
C:\Windows\{E0990467-B6D1-439d-87E7-BC64CA9C6B9E}.exe

Filesize
204KB

MD5
0972434e1943b6f779cddf66bdf83ca8

SHA1
73d86a62044abb44b439335ec228becf60904235

SHA256
794de00703c750cf2b9a47dd0fd6d10874060d428c4a9ae16a1afb1fc17d58eb

SHA512
be2f2a8cf3f2c46599254acd3bd29d22928fe25bff2144c3642be2456ebba53486ba7b81620f2004b2e12ccf770de4212241e361b75a7c7cfafa56fb5437a6f1

Download Submit
C:\Windows\{E817CCAA-FB04-432b-991D-E507D9383391}.exe

Filesize
204KB

MD5
a18bfcfe3b7341fa8a48b0705cb98d0c

SHA1
9acc8d3b20e38809525616e107d0a4bca0c62645

SHA256
c10cf7aa02c6678c3d5eda49087c95f965de52769d7604a92810da4251cc8e90

SHA512
3febf9e8d86878c6f891cd572bb57e389d761a6be2062dcec5744362f60da11e7b9d00ad5ff6f6d488320e007b63c688bfb17587695745fdf8f6ab5b72157d5e

Download Submit
C:\Windows\{E817CCAA-FB04-432b-991D-E507D9383391}.exe

Filesize
204KB

MD5
a18bfcfe3b7341fa8a48b0705cb98d0c

SHA1
9acc8d3b20e38809525616e107d0a4bca0c62645

SHA256
c10cf7aa02c6678c3d5eda49087c95f965de52769d7604a92810da4251cc8e90

SHA512
3febf9e8d86878c6f891cd572bb57e389d761a6be2062dcec5744362f60da11e7b9d00ad5ff6f6d488320e007b63c688bfb17587695745fdf8f6ab5b72157d5e

Download Submit
C:\Windows\{E817CCAA-FB04-432b-991D-E507D9383391}.exe

Filesize
204KB

MD5
a18bfcfe3b7341fa8a48b0705cb98d0c

SHA1
9acc8d3b20e38809525616e107d0a4bca0c62645

SHA256
c10cf7aa02c6678c3d5eda49087c95f965de52769d7604a92810da4251cc8e90

SHA512
3febf9e8d86878c6f891cd572bb57e389d761a6be2062dcec5744362f60da11e7b9d00ad5ff6f6d488320e007b63c688bfb17587695745fdf8f6ab5b72157d5e

Download Submit