881019f1b2963b7e243f93a4fa7a9fd718c39ea6bb805406c6ee56ce53fdbc74

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13/07/2023, 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a6f1cff181ff6exe_JC.exe
Size

168KB
MD5

0a6f1cff181ff6401fc7e792ebaff453
SHA1

6eccf75bc64d86eb89ac747cbde0c367c0b79aee
SHA256

881019f1b2963b7e243f93a4fa7a9fd718c39ea6bb805406c6ee56ce53fdbc74
SHA512

e778fed0b708303c6d4c9b6654a4346c3dd9fe5600340f8b8abb14691a6f6cbf2228954e69c5a74d7b36c2b6e865e7c0e2a250e22f6a95edd1d17fe4e19b4485
SSDEEP

1536:1EGh0odlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0odlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89DB3190-327F-4466-9747-27BABA786CF6}\stubpath = "C:\\Windows\\{89DB3190-327F-4466-9747-27BABA786CF6}.exe"	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}\stubpath = "C:\\Windows\\{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe"	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}	{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97F75920-1A94-42be-B27B-EE0CBE894398}\stubpath = "C:\\Windows\\{97F75920-1A94-42be-B27B-EE0CBE894398}.exe"	{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE94904A-2C70-412b-A1C8-5867449C567E}\stubpath = "C:\\Windows\\{CE94904A-2C70-412b-A1C8-5867449C567E}.exe"	0a6f1cff181ff6exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C173CED9-12F8-4c64-A5CF-F393100FC807}\stubpath = "C:\\Windows\\{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe"	{89DB3190-327F-4466-9747-27BABA786CF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDF49752-1342-4221-AF1C-89DA9768B847}\stubpath = "C:\\Windows\\{CDF49752-1342-4221-AF1C-89DA9768B847}.exe"	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{396BAF28-0877-4c83-9571-07F9EE684242}\stubpath = "C:\\Windows\\{396BAF28-0877-4c83-9571-07F9EE684242}.exe"	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97F75920-1A94-42be-B27B-EE0CBE894398}	{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CE94904A-2C70-412b-A1C8-5867449C567E}	0a6f1cff181ff6exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C173CED9-12F8-4c64-A5CF-F393100FC807}	{89DB3190-327F-4466-9747-27BABA786CF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}\stubpath = "C:\\Windows\\{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe"	{A423967D-B129-4878-A038-2EE367E94C54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{396BAF28-0877-4c83-9571-07F9EE684242}	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E4F563-CEB1-4cc6-9A73-6E56400C731D}\stubpath = "C:\\Windows\\{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe"	{396BAF28-0877-4c83-9571-07F9EE684242}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}\stubpath = "C:\\Windows\\{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe"	{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89DB3190-327F-4466-9747-27BABA786CF6}	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CDF49752-1342-4221-AF1C-89DA9768B847}	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A423967D-B129-4878-A038-2EE367E94C54}	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A423967D-B129-4878-A038-2EE367E94C54}\stubpath = "C:\\Windows\\{A423967D-B129-4878-A038-2EE367E94C54}.exe"	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}	{A423967D-B129-4878-A038-2EE367E94C54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{10E4F563-CEB1-4cc6-9A73-6E56400C731D}	{396BAF28-0877-4c83-9571-07F9EE684242}.exe

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2064	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe
2436	{89DB3190-327F-4466-9747-27BABA786CF6}.exe
2128	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe
2888	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe
2740	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe
2516	{A423967D-B129-4878-A038-2EE367E94C54}.exe
568	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe
584	{396BAF28-0877-4c83-9571-07F9EE684242}.exe
2904	{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe
2320	{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe
2900	{97F75920-1A94-42be-B27B-EE0CBE894398}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{89DB3190-327F-4466-9747-27BABA786CF6}.exe	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe
File created	C:\Windows\{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe
File created	C:\Windows\{CDF49752-1342-4221-AF1C-89DA9768B847}.exe	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe
File created	C:\Windows\{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe	{A423967D-B129-4878-A038-2EE367E94C54}.exe
File created	C:\Windows\{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe	{396BAF28-0877-4c83-9571-07F9EE684242}.exe
File created	C:\Windows\{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe	{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe
File created	C:\Windows\{97F75920-1A94-42be-B27B-EE0CBE894398}.exe	{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe
File created	C:\Windows\{CE94904A-2C70-412b-A1C8-5867449C567E}.exe	0a6f1cff181ff6exe_JC.exe
File created	C:\Windows\{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe	{89DB3190-327F-4466-9747-27BABA786CF6}.exe
File created	C:\Windows\{A423967D-B129-4878-A038-2EE367E94C54}.exe	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe
File created	C:\Windows\{396BAF28-0877-4c83-9571-07F9EE684242}.exe	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2556	0a6f1cff181ff6exe_JC.exe
Token: SeIncBasePriorityPrivilege	2064	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe
Token: SeIncBasePriorityPrivilege	2436	{89DB3190-327F-4466-9747-27BABA786CF6}.exe
Token: SeIncBasePriorityPrivilege	2128	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe
Token: SeIncBasePriorityPrivilege	2888	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe
Token: SeIncBasePriorityPrivilege	2740	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe
Token: SeIncBasePriorityPrivilege	2516	{A423967D-B129-4878-A038-2EE367E94C54}.exe
Token: SeIncBasePriorityPrivilege	568	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe
Token: SeIncBasePriorityPrivilege	584	{396BAF28-0877-4c83-9571-07F9EE684242}.exe
Token: SeIncBasePriorityPrivilege	2904	{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe
Token: SeIncBasePriorityPrivilege	2320	{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2064	2556	0a6f1cff181ff6exe_JC.exe	28
PID 2556 wrote to memory of 2064	2556	0a6f1cff181ff6exe_JC.exe	28
PID 2556 wrote to memory of 2064	2556	0a6f1cff181ff6exe_JC.exe	28
PID 2556 wrote to memory of 2064	2556	0a6f1cff181ff6exe_JC.exe	28
PID 2556 wrote to memory of 2816	2556	0a6f1cff181ff6exe_JC.exe	29
PID 2556 wrote to memory of 2816	2556	0a6f1cff181ff6exe_JC.exe	29
PID 2556 wrote to memory of 2816	2556	0a6f1cff181ff6exe_JC.exe	29
PID 2556 wrote to memory of 2816	2556	0a6f1cff181ff6exe_JC.exe	29
PID 2064 wrote to memory of 2436	2064	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe	32
PID 2064 wrote to memory of 2436	2064	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe	32
PID 2064 wrote to memory of 2436	2064	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe	32
PID 2064 wrote to memory of 2436	2064	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe	32
PID 2064 wrote to memory of 2144	2064	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe	33
PID 2064 wrote to memory of 2144	2064	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe	33
PID 2064 wrote to memory of 2144	2064	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe	33
PID 2064 wrote to memory of 2144	2064	{CE94904A-2C70-412b-A1C8-5867449C567E}.exe	33
PID 2436 wrote to memory of 2128	2436	{89DB3190-327F-4466-9747-27BABA786CF6}.exe	34
PID 2436 wrote to memory of 2128	2436	{89DB3190-327F-4466-9747-27BABA786CF6}.exe	34
PID 2436 wrote to memory of 2128	2436	{89DB3190-327F-4466-9747-27BABA786CF6}.exe	34
PID 2436 wrote to memory of 2128	2436	{89DB3190-327F-4466-9747-27BABA786CF6}.exe	34
PID 2436 wrote to memory of 2384	2436	{89DB3190-327F-4466-9747-27BABA786CF6}.exe	35
PID 2436 wrote to memory of 2384	2436	{89DB3190-327F-4466-9747-27BABA786CF6}.exe	35
PID 2436 wrote to memory of 2384	2436	{89DB3190-327F-4466-9747-27BABA786CF6}.exe	35
PID 2436 wrote to memory of 2384	2436	{89DB3190-327F-4466-9747-27BABA786CF6}.exe	35
PID 2128 wrote to memory of 2888	2128	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe	36
PID 2128 wrote to memory of 2888	2128	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe	36
PID 2128 wrote to memory of 2888	2128	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe	36
PID 2128 wrote to memory of 2888	2128	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe	36
PID 2128 wrote to memory of 2780	2128	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe	37
PID 2128 wrote to memory of 2780	2128	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe	37
PID 2128 wrote to memory of 2780	2128	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe	37
PID 2128 wrote to memory of 2780	2128	{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe	37
PID 2888 wrote to memory of 2740	2888	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe	38
PID 2888 wrote to memory of 2740	2888	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe	38
PID 2888 wrote to memory of 2740	2888	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe	38
PID 2888 wrote to memory of 2740	2888	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe	38
PID 2888 wrote to memory of 2800	2888	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe	39
PID 2888 wrote to memory of 2800	2888	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe	39
PID 2888 wrote to memory of 2800	2888	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe	39
PID 2888 wrote to memory of 2800	2888	{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe	39
PID 2740 wrote to memory of 2516	2740	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe	40
PID 2740 wrote to memory of 2516	2740	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe	40
PID 2740 wrote to memory of 2516	2740	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe	40
PID 2740 wrote to memory of 2516	2740	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe	40
PID 2740 wrote to memory of 1648	2740	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe	41
PID 2740 wrote to memory of 1648	2740	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe	41
PID 2740 wrote to memory of 1648	2740	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe	41
PID 2740 wrote to memory of 1648	2740	{CDF49752-1342-4221-AF1C-89DA9768B847}.exe	41
PID 2516 wrote to memory of 568	2516	{A423967D-B129-4878-A038-2EE367E94C54}.exe	42
PID 2516 wrote to memory of 568	2516	{A423967D-B129-4878-A038-2EE367E94C54}.exe	42
PID 2516 wrote to memory of 568	2516	{A423967D-B129-4878-A038-2EE367E94C54}.exe	42
PID 2516 wrote to memory of 568	2516	{A423967D-B129-4878-A038-2EE367E94C54}.exe	42
PID 2516 wrote to memory of 1188	2516	{A423967D-B129-4878-A038-2EE367E94C54}.exe	43
PID 2516 wrote to memory of 1188	2516	{A423967D-B129-4878-A038-2EE367E94C54}.exe	43
PID 2516 wrote to memory of 1188	2516	{A423967D-B129-4878-A038-2EE367E94C54}.exe	43
PID 2516 wrote to memory of 1188	2516	{A423967D-B129-4878-A038-2EE367E94C54}.exe	43
PID 568 wrote to memory of 584	568	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe	44
PID 568 wrote to memory of 584	568	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe	44
PID 568 wrote to memory of 584	568	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe	44
PID 568 wrote to memory of 584	568	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe	44
PID 568 wrote to memory of 1476	568	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe	45
PID 568 wrote to memory of 1476	568	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe	45
PID 568 wrote to memory of 1476	568	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe	45
PID 568 wrote to memory of 1476	568	{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe	45

C:\Users\Admin\AppData\Local\Temp\0a6f1cff181ff6exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\0a6f1cff181ff6exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\{CE94904A-2C70-412b-A1C8-5867449C567E}.exe
  C:\Windows\{CE94904A-2C70-412b-A1C8-5867449C567E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\{89DB3190-327F-4466-9747-27BABA786CF6}.exe
    C:\Windows\{89DB3190-327F-4466-9747-27BABA786CF6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe
      C:\Windows\{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2128
    - - C:\Windows\{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe
        
        C:\Windows\{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2888
      - C:\Windows\{CDF49752-1342-4221-AF1C-89DA9768B847}.exe
        
        C:\Windows\{CDF49752-1342-4221-AF1C-89DA9768B847}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\{A423967D-B129-4878-A038-2EE367E94C54}.exe
        
        C:\Windows\{A423967D-B129-4878-A038-2EE367E94C54}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe
        
        C:\Windows\{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\{396BAF28-0877-4c83-9571-07F9EE684242}.exe
        
        C:\Windows\{396BAF28-0877-4c83-9571-07F9EE684242}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe
        
        C:\Windows\{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe
        
        C:\Windows\{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\{97F75920-1A94-42be-B27B-EE0CBE894398}.exe
        
        C:\Windows\{97F75920-1A94-42be-B27B-EE0CBE894398}.exe
        12⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97AA5~1.EXE > nul
        12⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10E4F~1.EXE > nul
        11⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{396BA~1.EXE > nul
        10⤵
        
        PID:2316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{778AA~1.EXE > nul
        9⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4239~1.EXE > nul
        8⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CDF49~1.EXE > nul
        7⤵
        
        PID:1648
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB7D1~1.EXE > nul
        6⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C173C~1.EXE > nul
        5⤵
        
        PID:2780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{89DB3~1.EXE > nul
      4⤵
      PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CE949~1.EXE > nul
    3⤵
    PID:2144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0A6F1C~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe

Filesize
168KB

MD5
84acdb97f7b725498949ddd3a3ac2d86

SHA1
7a15c547deb7f824d0dc8b10eb5b51d0614e8c3d

SHA256
9b2b5eac50f430ccbcc105cd58c49946353d96333918b951cfc30c65173dc304

SHA512
f23e702e0d4abef72c3d7f87cf8d684a7a0cd19574ad5a1fbee5c7c9df925790e1747fbd116357aeadb95b9b20d368233ec346b481941b76b6df0327147d9483

Download Submit
C:\Windows\{10E4F563-CEB1-4cc6-9A73-6E56400C731D}.exe

Filesize
168KB

MD5
84acdb97f7b725498949ddd3a3ac2d86

SHA1
7a15c547deb7f824d0dc8b10eb5b51d0614e8c3d

SHA256
9b2b5eac50f430ccbcc105cd58c49946353d96333918b951cfc30c65173dc304

SHA512
f23e702e0d4abef72c3d7f87cf8d684a7a0cd19574ad5a1fbee5c7c9df925790e1747fbd116357aeadb95b9b20d368233ec346b481941b76b6df0327147d9483

Download Submit
C:\Windows\{396BAF28-0877-4c83-9571-07F9EE684242}.exe

Filesize
168KB

MD5
04418ecc09580150b8de31f904204ce7

SHA1
b250de61e84bbc1f46f2526d7ff6c56f2bf8dde8

SHA256
fd32cdbb931d6203d4e903bff2bb021a6de136d7822720d615283fff2b9ffb13

SHA512
d417242ff6b2805618dfc0065596fba68cee755ac3f11de63f81aa741b3fb8216bfef7a2415ef3c4a207e4f1b18c33910a9b473eeb0549d34838b593635bcc3d

Download Submit
C:\Windows\{396BAF28-0877-4c83-9571-07F9EE684242}.exe

Filesize
168KB

MD5
04418ecc09580150b8de31f904204ce7

SHA1
b250de61e84bbc1f46f2526d7ff6c56f2bf8dde8

SHA256
fd32cdbb931d6203d4e903bff2bb021a6de136d7822720d615283fff2b9ffb13

SHA512
d417242ff6b2805618dfc0065596fba68cee755ac3f11de63f81aa741b3fb8216bfef7a2415ef3c4a207e4f1b18c33910a9b473eeb0549d34838b593635bcc3d

Download Submit
C:\Windows\{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe

Filesize
168KB

MD5
d82b89b5b9bc58781415288f52661358

SHA1
880514ed1669ea547ab29d8ee04e0e0ea632a0f1

SHA256
5687995767bed8d0495cc06da882f7fc9691bc1e713ac208348020e1ea2d0cf2

SHA512
94878fcd446253614cd92dce730c343446682b8b37efebbc9beb143c0e51634038af16ece5d26ef971e22b86cecbd03abb02a8ec21aedfc21e4ecdd4c11fb446

Download Submit
C:\Windows\{778AA7A7-1E5D-400c-B86C-7D2C5A2A6B1F}.exe

Filesize
168KB

MD5
d82b89b5b9bc58781415288f52661358

SHA1
880514ed1669ea547ab29d8ee04e0e0ea632a0f1

SHA256
5687995767bed8d0495cc06da882f7fc9691bc1e713ac208348020e1ea2d0cf2

SHA512
94878fcd446253614cd92dce730c343446682b8b37efebbc9beb143c0e51634038af16ece5d26ef971e22b86cecbd03abb02a8ec21aedfc21e4ecdd4c11fb446

Download Submit
C:\Windows\{89DB3190-327F-4466-9747-27BABA786CF6}.exe

Filesize
168KB

MD5
93bd576e25b4a5459c09141a12546028

SHA1
dd19c282e34461590a767a3d2a0473bdb932cff6

SHA256
34147e6b299924daeeb849e0c38132ce945d01c0860fb6b8ac1744687abc0e02

SHA512
acf9d8aaf57cd7cc60dc1c28d3e1dc9d3e09d5fc48a6a67f51043ec05052ad14a5358401fd5aee5e3a3fc4ab27b0d30660ba5eacfc93af422545c0e330dcecd5

Download Submit
C:\Windows\{89DB3190-327F-4466-9747-27BABA786CF6}.exe

Filesize
168KB

MD5
93bd576e25b4a5459c09141a12546028

SHA1
dd19c282e34461590a767a3d2a0473bdb932cff6

SHA256
34147e6b299924daeeb849e0c38132ce945d01c0860fb6b8ac1744687abc0e02

SHA512
acf9d8aaf57cd7cc60dc1c28d3e1dc9d3e09d5fc48a6a67f51043ec05052ad14a5358401fd5aee5e3a3fc4ab27b0d30660ba5eacfc93af422545c0e330dcecd5

Download Submit
C:\Windows\{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe

Filesize
168KB

MD5
94d764707cfb02af2d65349af2ca9a5d

SHA1
0b247ce92a73a2861fc9ab1b405509c0ce15bc9d

SHA256
23c105d380407da660c8db887f6a830ca1304327ae94f88372532bb927f7ea30

SHA512
d7d8006d1333c6317808d6b03da9b6bdd83b024ad66d9f440cf7f777fda26dc2b1318a2e9eddc1f4a88fa35f55a0c038cbbd386bd5b655b81e332969f7fb260c

Download Submit
C:\Windows\{97AA5D2C-CE3E-4081-951B-7C3436DDD7EE}.exe

Filesize
168KB

MD5
94d764707cfb02af2d65349af2ca9a5d

SHA1
0b247ce92a73a2861fc9ab1b405509c0ce15bc9d

SHA256
23c105d380407da660c8db887f6a830ca1304327ae94f88372532bb927f7ea30

SHA512
d7d8006d1333c6317808d6b03da9b6bdd83b024ad66d9f440cf7f777fda26dc2b1318a2e9eddc1f4a88fa35f55a0c038cbbd386bd5b655b81e332969f7fb260c

Download Submit
C:\Windows\{97F75920-1A94-42be-B27B-EE0CBE894398}.exe

Filesize
168KB

MD5
1393c298f04317b37112fbdc64616c70

SHA1
823e51367ab25009526809572896886d5fa3f51d

SHA256
b3e4e578e85c758c466589b382805f488ea1ce1c022d373f100b918e3c50d892

SHA512
544e981a40edb5af200ba3621fe3521b00d938676458c04bfcaa97196a80a9ac00641136c567c07e68f275adf571c2b3487b3b0685f64b37cfaba181aa1fb648

Download Submit
C:\Windows\{A423967D-B129-4878-A038-2EE367E94C54}.exe

Filesize
168KB

MD5
c1ec08e40c12aa9f63a29b479f39b464

SHA1
9c447efd89a38d2425e004cd1546becb3c6adc94

SHA256
958c5ee805ed5b9776e9c762256bd457b8f7a1bcb42af3b5ada337b038e97e36

SHA512
09b3694eff5f448400dfe29d0616417de6ebc51ac97f7f7d34c4e63908266393902bd1e52345f9e5ae9aab4090fdfc16ecff1af1cbe261f249ab4221382495ae

Download Submit
C:\Windows\{A423967D-B129-4878-A038-2EE367E94C54}.exe

Filesize
168KB

MD5
c1ec08e40c12aa9f63a29b479f39b464

SHA1
9c447efd89a38d2425e004cd1546becb3c6adc94

SHA256
958c5ee805ed5b9776e9c762256bd457b8f7a1bcb42af3b5ada337b038e97e36

SHA512
09b3694eff5f448400dfe29d0616417de6ebc51ac97f7f7d34c4e63908266393902bd1e52345f9e5ae9aab4090fdfc16ecff1af1cbe261f249ab4221382495ae

Download Submit
C:\Windows\{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe

Filesize
168KB

MD5
039858dde52ca6246c1b58c980448a98

SHA1
0c7ea9e6120d11ca43ecfc736449c4a1188ebccf

SHA256
d01d67fd83b95430db35b460fea29c7c4f805d6325479aa1bb1650706edfd0a0

SHA512
185bc98ced18dd9752acacbd36af11f1a6ffb4dc406c588c0f5558ad1f6afa4449ee731857eff9f0dcdaf92a553c0703be6826089a74316005c72cbfb7208343

Download Submit
C:\Windows\{C173CED9-12F8-4c64-A5CF-F393100FC807}.exe

Filesize
168KB

MD5
039858dde52ca6246c1b58c980448a98

SHA1
0c7ea9e6120d11ca43ecfc736449c4a1188ebccf

SHA256
d01d67fd83b95430db35b460fea29c7c4f805d6325479aa1bb1650706edfd0a0

SHA512
185bc98ced18dd9752acacbd36af11f1a6ffb4dc406c588c0f5558ad1f6afa4449ee731857eff9f0dcdaf92a553c0703be6826089a74316005c72cbfb7208343

Download Submit
C:\Windows\{CDF49752-1342-4221-AF1C-89DA9768B847}.exe

Filesize
168KB

MD5
58cc0a7d436e4efb75d9d1143b7a2222

SHA1
bc42da95721f4e8a92550f04218865fb0b738469

SHA256
8256ff2dae6c1454ee72aab98cfd3fb0fce2c3f70514940493333913912cad10

SHA512
8efc0cc0498e1549223749c8414b7d454c80d1e51abce08f0502e9a5faf950efd40930156b0f38a016c5ef1f460f40f51964d1c4e85de751a3e427d9b2a085f5

Download Submit
C:\Windows\{CDF49752-1342-4221-AF1C-89DA9768B847}.exe

Filesize
168KB

MD5
58cc0a7d436e4efb75d9d1143b7a2222

SHA1
bc42da95721f4e8a92550f04218865fb0b738469

SHA256
8256ff2dae6c1454ee72aab98cfd3fb0fce2c3f70514940493333913912cad10

SHA512
8efc0cc0498e1549223749c8414b7d454c80d1e51abce08f0502e9a5faf950efd40930156b0f38a016c5ef1f460f40f51964d1c4e85de751a3e427d9b2a085f5

Download Submit
C:\Windows\{CE94904A-2C70-412b-A1C8-5867449C567E}.exe

Filesize
168KB

MD5
511e012928fdc6d6ba0d4c80fc84781d

SHA1
2c62f9fdbfb76ca090912c0cfac43c3ba0223062

SHA256
f868b3d89136b72fb61299c659544a62ab99a676e101d2649ded4aeab82d27d0

SHA512
060bc3a155aa2f06ac23b30f16bfd74c39521b1672b3be0c250d3ff2655484f75ce6f0877f3fbde3cdec54397eb37ce803bc0116e53edf1b44b5d537de3a14d3

Download Submit
C:\Windows\{CE94904A-2C70-412b-A1C8-5867449C567E}.exe

Filesize
168KB

MD5
511e012928fdc6d6ba0d4c80fc84781d

SHA1
2c62f9fdbfb76ca090912c0cfac43c3ba0223062

SHA256
f868b3d89136b72fb61299c659544a62ab99a676e101d2649ded4aeab82d27d0

SHA512
060bc3a155aa2f06ac23b30f16bfd74c39521b1672b3be0c250d3ff2655484f75ce6f0877f3fbde3cdec54397eb37ce803bc0116e53edf1b44b5d537de3a14d3

Download Submit
C:\Windows\{CE94904A-2C70-412b-A1C8-5867449C567E}.exe

Filesize
168KB

MD5
511e012928fdc6d6ba0d4c80fc84781d

SHA1
2c62f9fdbfb76ca090912c0cfac43c3ba0223062

SHA256
f868b3d89136b72fb61299c659544a62ab99a676e101d2649ded4aeab82d27d0

SHA512
060bc3a155aa2f06ac23b30f16bfd74c39521b1672b3be0c250d3ff2655484f75ce6f0877f3fbde3cdec54397eb37ce803bc0116e53edf1b44b5d537de3a14d3

Download Submit
C:\Windows\{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe

Filesize
168KB

MD5
eaedc64271ddcbe94cdfbf369f4dd178

SHA1
52623975a05a0881b8a664ab4b3e3235e67eecdb

SHA256
d6fe370f52cf9a35f4ceae22aa4786ad9fe8fdd4640c9f4550df98210691614c

SHA512
c4f90ec34d82737a1b53e84f592f39f71e7500c37eaa1a20d80ace5c206e4b7d49ce07f3e8a7c45b5ecc472408b61147773364b4c4b3fb95c026579ba7786af9

Download Submit
C:\Windows\{EB7D127E-3A86-41db-8084-7F79E9F6F1CB}.exe

Filesize
168KB

MD5
eaedc64271ddcbe94cdfbf369f4dd178

SHA1
52623975a05a0881b8a664ab4b3e3235e67eecdb

SHA256
d6fe370f52cf9a35f4ceae22aa4786ad9fe8fdd4640c9f4550df98210691614c

SHA512
c4f90ec34d82737a1b53e84f592f39f71e7500c37eaa1a20d80ace5c206e4b7d49ce07f3e8a7c45b5ecc472408b61147773364b4c4b3fb95c026579ba7786af9

Download Submit