629fe5544a0d9620f0284fd2669a374ce9afe69a711a29f36818b29d55294f09

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2023, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e22ba5460d5192exe_JC.exe
Size

204KB
MD5

e22ba5460d5192a9a270f91dcf6faa0f
SHA1

268059cbd3066d568ff29d65ec9a3f56746a58f4
SHA256

629fe5544a0d9620f0284fd2669a374ce9afe69a711a29f36818b29d55294f09
SHA512

e03081ae42862b347e1a546e1f26586d6a2d506a593a27b50bcb34e53c597882e1356efba7051eb059c373464e84920a932345a7ec9802060b01084170c76fd3
SSDEEP

1536:1EGh0oWl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oWl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1267EF77-144B-4c3d-85C6-7F70A34511BF}\stubpath = "C:\\Windows\\{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe"	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9757624-C447-4e5d-ABF0-155EB79FB20D}	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9757624-C447-4e5d-ABF0-155EB79FB20D}\stubpath = "C:\\Windows\\{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe"	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{109A75C7-65C5-4450-A7EC-81CBD47031F9}\stubpath = "C:\\Windows\\{109A75C7-65C5-4450-A7EC-81CBD47031F9}.exe"	{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23411184-7E5C-4c63-B3CD-C96C70A54510}\stubpath = "C:\\Windows\\{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe"	e22ba5460d5192exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32AD874B-C94D-4e55-8AE6-EF15344E83FE}	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32AD874B-C94D-4e55-8AE6-EF15344E83FE}\stubpath = "C:\\Windows\\{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe"	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D8350A2-69A5-4451-84EC-CF22F6E51C20}\stubpath = "C:\\Windows\\{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe"	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA451E2B-E8F9-4466-A750-A11B7EEC765F}	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A7BE66F-1573-4413-AA95-6679DE521F91}\stubpath = "C:\\Windows\\{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe"	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA451E2B-E8F9-4466-A750-A11B7EEC765F}\stubpath = "C:\\Windows\\{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe"	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}\stubpath = "C:\\Windows\\{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe"	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90477378-D944-4a24-8BE8-CC3FB713AC92}	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A7BE66F-1573-4413-AA95-6679DE521F91}	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}	{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}\stubpath = "C:\\Windows\\{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe"	{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23411184-7E5C-4c63-B3CD-C96C70A54510}	e22ba5460d5192exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}\stubpath = "C:\\Windows\\{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe"	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1267EF77-144B-4c3d-85C6-7F70A34511BF}	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D8350A2-69A5-4451-84EC-CF22F6E51C20}	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90477378-D944-4a24-8BE8-CC3FB713AC92}\stubpath = "C:\\Windows\\{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe"	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{109A75C7-65C5-4450-A7EC-81CBD47031F9}	{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe

Executes dropped EXE 12 IoCs

pid	Process
3492	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe
1368	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe
1916	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe
4820	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe
3480	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe
1568	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe
408	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe
4512	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe
4068	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe
1336	{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe
1632	{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe
2540	{109A75C7-65C5-4450-A7EC-81CBD47031F9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{109A75C7-65C5-4450-A7EC-81CBD47031F9}.exe	{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe
File created	C:\Windows\{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe	e22ba5460d5192exe_JC.exe
File created	C:\Windows\{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe
File created	C:\Windows\{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe
File created	C:\Windows\{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe	{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe
File created	C:\Windows\{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe
File created	C:\Windows\{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe
File created	C:\Windows\{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe
File created	C:\Windows\{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe
File created	C:\Windows\{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe
File created	C:\Windows\{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe
File created	C:\Windows\{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	e22ba5460d5192exe_JC.exe
Token: SeIncBasePriorityPrivilege	3492	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe
Token: SeIncBasePriorityPrivilege	1368	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe
Token: SeIncBasePriorityPrivilege	1916	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe
Token: SeIncBasePriorityPrivilege	4820	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe
Token: SeIncBasePriorityPrivilege	3480	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe
Token: SeIncBasePriorityPrivilege	1568	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe
Token: SeIncBasePriorityPrivilege	408	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe
Token: SeIncBasePriorityPrivilege	4512	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe
Token: SeIncBasePriorityPrivilege	4068	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe
Token: SeIncBasePriorityPrivilege	1336	{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe
Token: SeIncBasePriorityPrivilege	1632	{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 3492	2372	e22ba5460d5192exe_JC.exe	90
PID 2372 wrote to memory of 3492	2372	e22ba5460d5192exe_JC.exe	90
PID 2372 wrote to memory of 3492	2372	e22ba5460d5192exe_JC.exe	90
PID 2372 wrote to memory of 4576	2372	e22ba5460d5192exe_JC.exe	91
PID 2372 wrote to memory of 4576	2372	e22ba5460d5192exe_JC.exe	91
PID 2372 wrote to memory of 4576	2372	e22ba5460d5192exe_JC.exe	91
PID 3492 wrote to memory of 1368	3492	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe	95
PID 3492 wrote to memory of 1368	3492	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe	95
PID 3492 wrote to memory of 1368	3492	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe	95
PID 3492 wrote to memory of 4356	3492	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe	96
PID 3492 wrote to memory of 4356	3492	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe	96
PID 3492 wrote to memory of 4356	3492	{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe	96
PID 1368 wrote to memory of 1916	1368	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe	99
PID 1368 wrote to memory of 1916	1368	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe	99
PID 1368 wrote to memory of 1916	1368	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe	99
PID 1368 wrote to memory of 2676	1368	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe	100
PID 1368 wrote to memory of 2676	1368	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe	100
PID 1368 wrote to memory of 2676	1368	{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe	100
PID 1916 wrote to memory of 4820	1916	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe	101
PID 1916 wrote to memory of 4820	1916	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe	101
PID 1916 wrote to memory of 4820	1916	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe	101
PID 1916 wrote to memory of 1632	1916	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe	102
PID 1916 wrote to memory of 1632	1916	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe	102
PID 1916 wrote to memory of 1632	1916	{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe	102
PID 4820 wrote to memory of 3480	4820	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe	103
PID 4820 wrote to memory of 3480	4820	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe	103
PID 4820 wrote to memory of 3480	4820	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe	103
PID 4820 wrote to memory of 1364	4820	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe	104
PID 4820 wrote to memory of 1364	4820	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe	104
PID 4820 wrote to memory of 1364	4820	{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe	104
PID 3480 wrote to memory of 1568	3480	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe	106
PID 3480 wrote to memory of 1568	3480	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe	106
PID 3480 wrote to memory of 1568	3480	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe	106
PID 3480 wrote to memory of 1804	3480	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe	107
PID 3480 wrote to memory of 1804	3480	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe	107
PID 3480 wrote to memory of 1804	3480	{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe	107
PID 1568 wrote to memory of 408	1568	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe	108
PID 1568 wrote to memory of 408	1568	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe	108
PID 1568 wrote to memory of 408	1568	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe	108
PID 1568 wrote to memory of 3432	1568	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe	109
PID 1568 wrote to memory of 3432	1568	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe	109
PID 1568 wrote to memory of 3432	1568	{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe	109
PID 408 wrote to memory of 4512	408	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe	110
PID 408 wrote to memory of 4512	408	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe	110
PID 408 wrote to memory of 4512	408	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe	110
PID 408 wrote to memory of 4964	408	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe	111
PID 408 wrote to memory of 4964	408	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe	111
PID 408 wrote to memory of 4964	408	{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe	111
PID 4512 wrote to memory of 4068	4512	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe	118
PID 4512 wrote to memory of 4068	4512	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe	118
PID 4512 wrote to memory of 4068	4512	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe	118
PID 4512 wrote to memory of 4052	4512	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe	119
PID 4512 wrote to memory of 4052	4512	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe	119
PID 4512 wrote to memory of 4052	4512	{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe	119
PID 4068 wrote to memory of 1336	4068	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe	120
PID 4068 wrote to memory of 1336	4068	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe	120
PID 4068 wrote to memory of 1336	4068	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe	120
PID 4068 wrote to memory of 4572	4068	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe	121
PID 4068 wrote to memory of 4572	4068	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe	121
PID 4068 wrote to memory of 4572	4068	{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe	121
PID 1336 wrote to memory of 1632	1336	{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe	122
PID 1336 wrote to memory of 1632	1336	{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe	122
PID 1336 wrote to memory of 1632	1336	{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe	122
PID 1336 wrote to memory of 4344	1336	{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe	123

C:\Users\Admin\AppData\Local\Temp\e22ba5460d5192exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\e22ba5460d5192exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe
  C:\Windows\{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Windows\{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe
    C:\Windows\{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - C:\Windows\{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe
      C:\Windows\{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe
        
        C:\Windows\{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4820
      - C:\Windows\{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe
        
        C:\Windows\{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3480
        
        C:\Windows\{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe
        
        C:\Windows\{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1568
        
        C:\Windows\{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe
        
        C:\Windows\{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe
        
        C:\Windows\{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe
        
        C:\Windows\{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\Windows\{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe
        
        C:\Windows\{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe
        
        C:\Windows\{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\{109A75C7-65C5-4450-A7EC-81CBD47031F9}.exe
        
        C:\Windows\{109A75C7-65C5-4450-A7EC-81CBD47031F9}.exe
        13⤵
        Executes dropped EXE
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED2A5~1.EXE > nul
        13⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A7BE~1.EXE > nul
        12⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90477~1.EXE > nul
        11⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9757~1.EXE > nul
        10⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BD92~1.EXE > nul
        9⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BA451~1.EXE > nul
        8⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D835~1.EXE > nul
        7⤵
        
        PID:1804
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1267E~1.EXE > nul
        6⤵
        
        PID:1364
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32AD8~1.EXE > nul
        5⤵
        
        PID:1632
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1C60E~1.EXE > nul
      4⤵
      PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{23411~1.EXE > nul
    3⤵
    PID:4356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E22BA5~1.EXE > nul
  2⤵
  PID:4576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{109A75C7-65C5-4450-A7EC-81CBD47031F9}.exe

Filesize
204KB

MD5
be6bd95b59f9316eac2991869ce36598

SHA1
c36d60e291e6535874a42ef042e733908857a82d

SHA256
2a9f0092a5da59c949850fa34604ec53883a3c8a2f8ddca59729258f78341eb9

SHA512
51c301e69392aa23306838f55e6692711e0f51a560c69ab8309e7a33749e2d24575834f6f7c618465287d2fb60767375113c141575b06e5f977f783f8203f959

Download Submit
C:\Windows\{109A75C7-65C5-4450-A7EC-81CBD47031F9}.exe

Filesize
204KB

MD5
be6bd95b59f9316eac2991869ce36598

SHA1
c36d60e291e6535874a42ef042e733908857a82d

SHA256
2a9f0092a5da59c949850fa34604ec53883a3c8a2f8ddca59729258f78341eb9

SHA512
51c301e69392aa23306838f55e6692711e0f51a560c69ab8309e7a33749e2d24575834f6f7c618465287d2fb60767375113c141575b06e5f977f783f8203f959

Download Submit
C:\Windows\{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe

Filesize
204KB

MD5
fcaf68a3083d5358efb28805f6065295

SHA1
07673d80dfb7851972fc9829e037959172de12d3

SHA256
54974c2157ab2cbe0332ea1018e8b54f2966e5fe73c5d7c95618e1a22e9bb06b

SHA512
2b49047bfd080a46febe6a8c790f6118425594f1bacabd482bbc608a4a159d8e55cb424558babca0929b1ad32a50958b225351ce266d05dd2e36b0672469287a

Download Submit
C:\Windows\{1267EF77-144B-4c3d-85C6-7F70A34511BF}.exe

Filesize
204KB

MD5
fcaf68a3083d5358efb28805f6065295

SHA1
07673d80dfb7851972fc9829e037959172de12d3

SHA256
54974c2157ab2cbe0332ea1018e8b54f2966e5fe73c5d7c95618e1a22e9bb06b

SHA512
2b49047bfd080a46febe6a8c790f6118425594f1bacabd482bbc608a4a159d8e55cb424558babca0929b1ad32a50958b225351ce266d05dd2e36b0672469287a

Download Submit
C:\Windows\{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe

Filesize
204KB

MD5
fcde2ff4009216b3f26ec11039a8d6c9

SHA1
3355bc3ff309fd23ba4c0e49317148f0d3864eab

SHA256
4e1900ad492f7ebe8c17dac195c4efb6279ca1ed395ba8d67338608958cfe71a

SHA512
9f5f3edc28d6b8f9f1ac508a85892809194baf7c8255f1c69f9250d40bd9d19aad50dcc154cb8e63d03d7c72710d93b1b22a1a2411a0fd73fcf99d1d4618f078

Download Submit
C:\Windows\{1C60EBC3-5FAB-494a-8AD2-87EF900D8AAC}.exe

Filesize
204KB

MD5
fcde2ff4009216b3f26ec11039a8d6c9

SHA1
3355bc3ff309fd23ba4c0e49317148f0d3864eab

SHA256
4e1900ad492f7ebe8c17dac195c4efb6279ca1ed395ba8d67338608958cfe71a

SHA512
9f5f3edc28d6b8f9f1ac508a85892809194baf7c8255f1c69f9250d40bd9d19aad50dcc154cb8e63d03d7c72710d93b1b22a1a2411a0fd73fcf99d1d4618f078

Download Submit
C:\Windows\{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe

Filesize
204KB

MD5
392cc496a923874070e307bbf1001d6b

SHA1
f9476ec5f0cfdef2b2d470713a571bd942b24fda

SHA256
b7235c64bdd0a26e441f4d257a8ac58ad12bf9888198f9b68648a0926195a25a

SHA512
903a2f07d4c655c4835fa3f475372723121b1eb62b8e4fa3446d6bd688390b071ee5cddf8e2d0f3a25640029b3b4d9d7de9b5c14bbdb5df101df141ec2acb0b5

Download Submit
C:\Windows\{23411184-7E5C-4c63-B3CD-C96C70A54510}.exe

Filesize
204KB

MD5
392cc496a923874070e307bbf1001d6b

SHA1
f9476ec5f0cfdef2b2d470713a571bd942b24fda

SHA256
b7235c64bdd0a26e441f4d257a8ac58ad12bf9888198f9b68648a0926195a25a

SHA512
903a2f07d4c655c4835fa3f475372723121b1eb62b8e4fa3446d6bd688390b071ee5cddf8e2d0f3a25640029b3b4d9d7de9b5c14bbdb5df101df141ec2acb0b5

Download Submit
C:\Windows\{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe

Filesize
204KB

MD5
29038d47bdb8df7af8e03ffe40cc05e9

SHA1
734c2fe630635cd242d388f766c94e6deffa0040

SHA256
bcfbae7d87ffeb36b2cd4f454fb5c700c070e6a4af9ff07918cab152cb890284

SHA512
5aae7d49ba40f02bc87b2e6440ca6ddcee91ebb1557763bcfeb6d4097fc15b5abf4791857395e664778fb5bd2087cb8296eca929acb943a21c8772a2fccb3fa4

Download Submit
C:\Windows\{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe

Filesize
204KB

MD5
29038d47bdb8df7af8e03ffe40cc05e9

SHA1
734c2fe630635cd242d388f766c94e6deffa0040

SHA256
bcfbae7d87ffeb36b2cd4f454fb5c700c070e6a4af9ff07918cab152cb890284

SHA512
5aae7d49ba40f02bc87b2e6440ca6ddcee91ebb1557763bcfeb6d4097fc15b5abf4791857395e664778fb5bd2087cb8296eca929acb943a21c8772a2fccb3fa4

Download Submit
C:\Windows\{32AD874B-C94D-4e55-8AE6-EF15344E83FE}.exe

Filesize
204KB

MD5
29038d47bdb8df7af8e03ffe40cc05e9

SHA1
734c2fe630635cd242d388f766c94e6deffa0040

SHA256
bcfbae7d87ffeb36b2cd4f454fb5c700c070e6a4af9ff07918cab152cb890284

SHA512
5aae7d49ba40f02bc87b2e6440ca6ddcee91ebb1557763bcfeb6d4097fc15b5abf4791857395e664778fb5bd2087cb8296eca929acb943a21c8772a2fccb3fa4

Download Submit
C:\Windows\{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe

Filesize
204KB

MD5
d8d63a5f520f670ac7872ce1e8dd015b

SHA1
812e0a9c341989dc50ca44fda37f60ac0421edd4

SHA256
22f55a4c89da3104f202b50cc5d265aa61133408eb7a61ecddb11b983ad05467

SHA512
0a7f37f646fea30c6a222098c7445fd1869b4c80dad781cb226a1f9d46ffa462c821d72f566c05504d94d6d6e9939e9b15e8e030f6987ab1f78b477c3a2e4bab

Download Submit
C:\Windows\{3BD928DA-A867-4762-ACA1-5BFAD4C8E433}.exe

Filesize
204KB

MD5
d8d63a5f520f670ac7872ce1e8dd015b

SHA1
812e0a9c341989dc50ca44fda37f60ac0421edd4

SHA256
22f55a4c89da3104f202b50cc5d265aa61133408eb7a61ecddb11b983ad05467

SHA512
0a7f37f646fea30c6a222098c7445fd1869b4c80dad781cb226a1f9d46ffa462c821d72f566c05504d94d6d6e9939e9b15e8e030f6987ab1f78b477c3a2e4bab

Download Submit
C:\Windows\{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe

Filesize
204KB

MD5
31a7b319dd6e78e086a6a53f0e07a291

SHA1
9ada2b307c5e955c5fc057eab638c5c989d6357c

SHA256
b2c2d2da53b7560f6a3b7b3de09e67864a4757fb39abd3b90bdd866664ba4cfc

SHA512
197dda56cffdbcd562abf4c27d0acc34c88ef829a272ab9c5742222e06d8b7d80e7465a3bd6a739157c6e49f50fa76baf6d4628b0558dbc97c3cd7d5ce1618ec

Download Submit
C:\Windows\{6D8350A2-69A5-4451-84EC-CF22F6E51C20}.exe

Filesize
204KB

MD5
31a7b319dd6e78e086a6a53f0e07a291

SHA1
9ada2b307c5e955c5fc057eab638c5c989d6357c

SHA256
b2c2d2da53b7560f6a3b7b3de09e67864a4757fb39abd3b90bdd866664ba4cfc

SHA512
197dda56cffdbcd562abf4c27d0acc34c88ef829a272ab9c5742222e06d8b7d80e7465a3bd6a739157c6e49f50fa76baf6d4628b0558dbc97c3cd7d5ce1618ec

Download Submit
C:\Windows\{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe

Filesize
204KB

MD5
6a4d4fce87dcbcdffa7e62ffad45b77a

SHA1
78fcec3332c9e427bc52409f8896b043e87fdc7c

SHA256
18d7fd69d3fbde1b308ed450006be0ac65075eb7b47cc1207ebbf848261fab72

SHA512
a71b231cad957b4def4a8959453df83be05091b85c6e98effc748f6a32b915a8c066d6af88b9bd10684ae4e175b5b1b35d81a69fd9d8725fc0a58bb4167e84bb

Download Submit
C:\Windows\{90477378-D944-4a24-8BE8-CC3FB713AC92}.exe

Filesize
204KB

MD5
6a4d4fce87dcbcdffa7e62ffad45b77a

SHA1
78fcec3332c9e427bc52409f8896b043e87fdc7c

SHA256
18d7fd69d3fbde1b308ed450006be0ac65075eb7b47cc1207ebbf848261fab72

SHA512
a71b231cad957b4def4a8959453df83be05091b85c6e98effc748f6a32b915a8c066d6af88b9bd10684ae4e175b5b1b35d81a69fd9d8725fc0a58bb4167e84bb

Download Submit
C:\Windows\{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe

Filesize
204KB

MD5
690c8db00ee93f278810f532f6fd9058

SHA1
6a97d6e319da28d5d6731f2d3dfa0db7f4bd0f24

SHA256
8639217c52b8a275aae039cd071ad8b2e38f9be1c1b7f2f17e67c3fc3491f12d

SHA512
b89925276782c66daef6b39caeca0ddee22d98b625ac826980494c87a969b9f15a37f6aa5155f04ce46275bdddb7e5afc942d3b772278145804148370c37f4c8

Download Submit
C:\Windows\{9A7BE66F-1573-4413-AA95-6679DE521F91}.exe

Filesize
204KB

MD5
690c8db00ee93f278810f532f6fd9058

SHA1
6a97d6e319da28d5d6731f2d3dfa0db7f4bd0f24

SHA256
8639217c52b8a275aae039cd071ad8b2e38f9be1c1b7f2f17e67c3fc3491f12d

SHA512
b89925276782c66daef6b39caeca0ddee22d98b625ac826980494c87a969b9f15a37f6aa5155f04ce46275bdddb7e5afc942d3b772278145804148370c37f4c8

Download Submit
C:\Windows\{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe

Filesize
204KB

MD5
0ccbba22ee2bda1a889e2532cd63182f

SHA1
0641b9f64de7d1c53da01b4eb3c49ae9b8309eed

SHA256
ab72b43d2abfe925de25c2af31b3f3a2d26638fca90f90283699e1c07a1e5350

SHA512
5357e2f61dd8ba1336a97571ec3c55f9f6f699eaec882cf3266e996cbdb954cb7dca492abb6fadf2b567dc66f007bdef71582b61945c0f9c6a9fc83d89664c16

Download Submit
C:\Windows\{BA451E2B-E8F9-4466-A750-A11B7EEC765F}.exe

Filesize
204KB

MD5
0ccbba22ee2bda1a889e2532cd63182f

SHA1
0641b9f64de7d1c53da01b4eb3c49ae9b8309eed

SHA256
ab72b43d2abfe925de25c2af31b3f3a2d26638fca90f90283699e1c07a1e5350

SHA512
5357e2f61dd8ba1336a97571ec3c55f9f6f699eaec882cf3266e996cbdb954cb7dca492abb6fadf2b567dc66f007bdef71582b61945c0f9c6a9fc83d89664c16

Download Submit
C:\Windows\{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe

Filesize
204KB

MD5
2c4e6229ce2a0f7a03e95fdc40f35131

SHA1
5cc0c01709227c04fa4d83208a34199b8848ee75

SHA256
b9e4017d735f806b50d3405a361434c85256edcf60d5dcd2c987724d285d10d7

SHA512
e52cccf4e0a59b4ab5a7e14936ee9ad395e3d39905f961f88eec9024ba171094bfc028381c319dabd5b44d99ba4eb4aac96e01f7b1439c9fb23ca7a13ea15d6b

Download Submit
C:\Windows\{C9757624-C447-4e5d-ABF0-155EB79FB20D}.exe

Filesize
204KB

MD5
2c4e6229ce2a0f7a03e95fdc40f35131

SHA1
5cc0c01709227c04fa4d83208a34199b8848ee75

SHA256
b9e4017d735f806b50d3405a361434c85256edcf60d5dcd2c987724d285d10d7

SHA512
e52cccf4e0a59b4ab5a7e14936ee9ad395e3d39905f961f88eec9024ba171094bfc028381c319dabd5b44d99ba4eb4aac96e01f7b1439c9fb23ca7a13ea15d6b

Download Submit
C:\Windows\{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe

Filesize
204KB

MD5
9b7f3864ef73207b3716c8b9ad9d0b1f

SHA1
d342dc1acf1099491e31d12c1a4cb87662e4d6d9

SHA256
6b4314e78afe3e0a38da716d183d19845bdd4fcb8c0ebf28fac3efeca4f0174e

SHA512
2c7dd04e1015626b8c79dc03c055b8ce3d145b73e79dc6ec3ce034032ed158d53f8ef425c31dc7794bd5d27b2cf60beaf6bd973e66d4ce169171769cd4c7e6a3

Download Submit
C:\Windows\{ED2A5A54-A3ED-4e0a-9220-81FF1A03BE75}.exe

Filesize
204KB

MD5
9b7f3864ef73207b3716c8b9ad9d0b1f

SHA1
d342dc1acf1099491e31d12c1a4cb87662e4d6d9

SHA256
6b4314e78afe3e0a38da716d183d19845bdd4fcb8c0ebf28fac3efeca4f0174e

SHA512
2c7dd04e1015626b8c79dc03c055b8ce3d145b73e79dc6ec3ce034032ed158d53f8ef425c31dc7794bd5d27b2cf60beaf6bd973e66d4ce169171769cd4c7e6a3

Download Submit