861621fe116eae9959e8d2f436a44c6598ac6525e246411d7e66f3b20174de38

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17/07/2023, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8695cebcb834f9_JC.exe
Size

204KB
MD5

8695cebcb834f9a04192b105bab8f1ef
SHA1

be231b03ceb89bfcf762f8b2a5df7d8d933c065a
SHA256

861621fe116eae9959e8d2f436a44c6598ac6525e246411d7e66f3b20174de38
SHA512

74988abc802d3766eb12b68189f5c99b6b92552156edfe5a74da52001dccb437c46862c3dd7dedc6ec03c2f18770ff4f1fe77cf0c6b8340d37dfb2e076c911d1
SSDEEP

1536:1EGh0oDl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oDl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB022C2F-F602-42b6-94FF-3900D25636EE}	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A30E6884-83F6-42f1-8108-94E7072C6297}	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFFE621E-1548-4950-92D1-4D2A1B737462}\stubpath = "C:\\Windows\\{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe"	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6E27BA3-A056-4f57-B039-0A7D701593C0}\stubpath = "C:\\Windows\\{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe"	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C584610E-7111-44c0-8D92-31E74F342653}\stubpath = "C:\\Windows\\{C584610E-7111-44c0-8D92-31E74F342653}.exe"	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}	{C584610E-7111-44c0-8D92-31E74F342653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}\stubpath = "C:\\Windows\\{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe"	{C584610E-7111-44c0-8D92-31E74F342653}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}\stubpath = "C:\\Windows\\{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe"	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AB022C2F-F602-42b6-94FF-3900D25636EE}\stubpath = "C:\\Windows\\{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe"	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A30E6884-83F6-42f1-8108-94E7072C6297}\stubpath = "C:\\Windows\\{A30E6884-83F6-42f1-8108-94E7072C6297}.exe"	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}\stubpath = "C:\\Windows\\{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe"	{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}\stubpath = "C:\\Windows\\{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe"	{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CE79CA1-2A5A-41ef-AFBD-B1708E202094}	{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}	8695cebcb834f9_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}\stubpath = "C:\\Windows\\{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe"	8695cebcb834f9_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFFE621E-1548-4950-92D1-4D2A1B737462}	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E6E27BA3-A056-4f57-B039-0A7D701593C0}	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C584610E-7111-44c0-8D92-31E74F342653}	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}	{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}	{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7CE79CA1-2A5A-41ef-AFBD-B1708E202094}\stubpath = "C:\\Windows\\{7CE79CA1-2A5A-41ef-AFBD-B1708E202094}.exe"	{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe

Deletes itself 1 IoCs

pid	Process
2240	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2324	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe
2944	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe
2888	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe
2812	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe
2772	{C584610E-7111-44c0-8D92-31E74F342653}.exe
2600	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe
1080	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe
1932	{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe
2880	{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe
624	{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe
1632	{7CE79CA1-2A5A-41ef-AFBD-B1708E202094}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe
File created	C:\Windows\{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe
File created	C:\Windows\{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe
File created	C:\Windows\{C584610E-7111-44c0-8D92-31E74F342653}.exe	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe
File created	C:\Windows\{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe
File created	C:\Windows\{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe	{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe
File created	C:\Windows\{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe	{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe
File created	C:\Windows\{7CE79CA1-2A5A-41ef-AFBD-B1708E202094}.exe	{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe
File created	C:\Windows\{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe	8695cebcb834f9_JC.exe
File created	C:\Windows\{A30E6884-83F6-42f1-8108-94E7072C6297}.exe	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe
File created	C:\Windows\{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe	{C584610E-7111-44c0-8D92-31E74F342653}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2512	8695cebcb834f9_JC.exe
Token: SeIncBasePriorityPrivilege	2324	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe
Token: SeIncBasePriorityPrivilege	2944	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe
Token: SeIncBasePriorityPrivilege	2888	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe
Token: SeIncBasePriorityPrivilege	2812	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe
Token: SeIncBasePriorityPrivilege	2772	{C584610E-7111-44c0-8D92-31E74F342653}.exe
Token: SeIncBasePriorityPrivilege	2600	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe
Token: SeIncBasePriorityPrivilege	1080	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe
Token: SeIncBasePriorityPrivilege	1932	{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe
Token: SeIncBasePriorityPrivilege	2880	{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe
Token: SeIncBasePriorityPrivilege	624	{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2324	2512	8695cebcb834f9_JC.exe	28
PID 2512 wrote to memory of 2324	2512	8695cebcb834f9_JC.exe	28
PID 2512 wrote to memory of 2324	2512	8695cebcb834f9_JC.exe	28
PID 2512 wrote to memory of 2324	2512	8695cebcb834f9_JC.exe	28
PID 2512 wrote to memory of 2240	2512	8695cebcb834f9_JC.exe	29
PID 2512 wrote to memory of 2240	2512	8695cebcb834f9_JC.exe	29
PID 2512 wrote to memory of 2240	2512	8695cebcb834f9_JC.exe	29
PID 2512 wrote to memory of 2240	2512	8695cebcb834f9_JC.exe	29
PID 2324 wrote to memory of 2944	2324	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe	30
PID 2324 wrote to memory of 2944	2324	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe	30
PID 2324 wrote to memory of 2944	2324	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe	30
PID 2324 wrote to memory of 2944	2324	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe	30
PID 2324 wrote to memory of 2852	2324	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe	31
PID 2324 wrote to memory of 2852	2324	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe	31
PID 2324 wrote to memory of 2852	2324	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe	31
PID 2324 wrote to memory of 2852	2324	{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe	31
PID 2944 wrote to memory of 2888	2944	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe	34
PID 2944 wrote to memory of 2888	2944	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe	34
PID 2944 wrote to memory of 2888	2944	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe	34
PID 2944 wrote to memory of 2888	2944	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe	34
PID 2944 wrote to memory of 2864	2944	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe	35
PID 2944 wrote to memory of 2864	2944	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe	35
PID 2944 wrote to memory of 2864	2944	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe	35
PID 2944 wrote to memory of 2864	2944	{A30E6884-83F6-42f1-8108-94E7072C6297}.exe	35
PID 2888 wrote to memory of 2812	2888	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe	36
PID 2888 wrote to memory of 2812	2888	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe	36
PID 2888 wrote to memory of 2812	2888	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe	36
PID 2888 wrote to memory of 2812	2888	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe	36
PID 2888 wrote to memory of 2716	2888	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe	37
PID 2888 wrote to memory of 2716	2888	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe	37
PID 2888 wrote to memory of 2716	2888	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe	37
PID 2888 wrote to memory of 2716	2888	{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe	37
PID 2812 wrote to memory of 2772	2812	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe	38
PID 2812 wrote to memory of 2772	2812	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe	38
PID 2812 wrote to memory of 2772	2812	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe	38
PID 2812 wrote to memory of 2772	2812	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe	38
PID 2812 wrote to memory of 1672	2812	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe	39
PID 2812 wrote to memory of 1672	2812	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe	39
PID 2812 wrote to memory of 1672	2812	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe	39
PID 2812 wrote to memory of 1672	2812	{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe	39
PID 2772 wrote to memory of 2600	2772	{C584610E-7111-44c0-8D92-31E74F342653}.exe	40
PID 2772 wrote to memory of 2600	2772	{C584610E-7111-44c0-8D92-31E74F342653}.exe	40
PID 2772 wrote to memory of 2600	2772	{C584610E-7111-44c0-8D92-31E74F342653}.exe	40
PID 2772 wrote to memory of 2600	2772	{C584610E-7111-44c0-8D92-31E74F342653}.exe	40
PID 2772 wrote to memory of 336	2772	{C584610E-7111-44c0-8D92-31E74F342653}.exe	41
PID 2772 wrote to memory of 336	2772	{C584610E-7111-44c0-8D92-31E74F342653}.exe	41
PID 2772 wrote to memory of 336	2772	{C584610E-7111-44c0-8D92-31E74F342653}.exe	41
PID 2772 wrote to memory of 336	2772	{C584610E-7111-44c0-8D92-31E74F342653}.exe	41
PID 2600 wrote to memory of 1080	2600	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe	42
PID 2600 wrote to memory of 1080	2600	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe	42
PID 2600 wrote to memory of 1080	2600	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe	42
PID 2600 wrote to memory of 1080	2600	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe	42
PID 2600 wrote to memory of 240	2600	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe	43
PID 2600 wrote to memory of 240	2600	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe	43
PID 2600 wrote to memory of 240	2600	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe	43
PID 2600 wrote to memory of 240	2600	{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe	43
PID 1080 wrote to memory of 1932	1080	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe	44
PID 1080 wrote to memory of 1932	1080	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe	44
PID 1080 wrote to memory of 1932	1080	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe	44
PID 1080 wrote to memory of 1932	1080	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe	44
PID 1080 wrote to memory of 580	1080	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe	45
PID 1080 wrote to memory of 580	1080	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe	45
PID 1080 wrote to memory of 580	1080	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe	45
PID 1080 wrote to memory of 580	1080	{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe	45

C:\Users\Admin\AppData\Local\Temp\8695cebcb834f9_JC.exe
"C:\Users\Admin\AppData\Local\Temp\8695cebcb834f9_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe
  C:\Windows\{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\{A30E6884-83F6-42f1-8108-94E7072C6297}.exe
    C:\Windows\{A30E6884-83F6-42f1-8108-94E7072C6297}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe
      C:\Windows\{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe
        
        C:\Windows\{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
      - C:\Windows\{C584610E-7111-44c0-8D92-31E74F342653}.exe
        
        C:\Windows\{C584610E-7111-44c0-8D92-31E74F342653}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe
        
        C:\Windows\{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe
        
        C:\Windows\{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe
        
        C:\Windows\{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe
        
        C:\Windows\{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
        
        C:\Windows\{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe
        
        C:\Windows\{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\{7CE79CA1-2A5A-41ef-AFBD-B1708E202094}.exe
        
        C:\Windows\{7CE79CA1-2A5A-41ef-AFBD-B1708E202094}.exe
        12⤵
        Executes dropped EXE
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FECF7~1.EXE > nul
        12⤵
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D9DA~1.EXE > nul
        11⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB022~1.EXE > nul
        10⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67B6C~1.EXE > nul
        9⤵
        
        PID:580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{26391~1.EXE > nul
        8⤵
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5846~1.EXE > nul
        7⤵
        
        PID:336
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6E27~1.EXE > nul
        6⤵
        
        PID:1672
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFFE6~1.EXE > nul
        5⤵
        
        PID:2716
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A30E6~1.EXE > nul
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0A13F~1.EXE > nul
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8695CE~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2240

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe

Filesize
204KB

MD5
2d61828ca2cec738fd06814dea0ea5fe

SHA1
d8128e89d7f00cb134a93234fd40cd476253ea86

SHA256
9c173c8a05e861f5d98df45afb0d045b0cf0b5ede15f72a8a13d71c606dce2f7

SHA512
1ee4b72ab5036f5ba98073c9b076438913255a123c93ef87ec7d37e16b455071b53859fc611bb872fafb19b3cc8318c81d0492518a2bb2080b7151ffd364ffe3

Download Submit
C:\Windows\{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe

Filesize
204KB

MD5
2d61828ca2cec738fd06814dea0ea5fe

SHA1
d8128e89d7f00cb134a93234fd40cd476253ea86

SHA256
9c173c8a05e861f5d98df45afb0d045b0cf0b5ede15f72a8a13d71c606dce2f7

SHA512
1ee4b72ab5036f5ba98073c9b076438913255a123c93ef87ec7d37e16b455071b53859fc611bb872fafb19b3cc8318c81d0492518a2bb2080b7151ffd364ffe3

Download Submit
C:\Windows\{0A13FFD2-AA47-45ef-A398-0AF0397DA38B}.exe

Filesize
204KB

MD5
2d61828ca2cec738fd06814dea0ea5fe

SHA1
d8128e89d7f00cb134a93234fd40cd476253ea86

SHA256
9c173c8a05e861f5d98df45afb0d045b0cf0b5ede15f72a8a13d71c606dce2f7

SHA512
1ee4b72ab5036f5ba98073c9b076438913255a123c93ef87ec7d37e16b455071b53859fc611bb872fafb19b3cc8318c81d0492518a2bb2080b7151ffd364ffe3

Download Submit
C:\Windows\{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe

Filesize
204KB

MD5
3508d9c0af6923fd5aacfa803c4dba88

SHA1
68b80a7ef060e350f084e2d3800a9f1f50e7abb8

SHA256
fb86e309ccae6470fa0dbbccdb14c539a85d7b84de0f0bfef98d99fa8e57626c

SHA512
2028d7e79e9bbb15fcea14f8054572d7a3c21c65100800ee8e767387f3de5b0c6d5b4e20dad2ce4cd899a082482250b549bab1ae5d486cbcf181842316ce5c3a

Download Submit
C:\Windows\{0D9DA4A7-03D1-4d99-85C0-D72A15083BD8}.exe

Filesize
204KB

MD5
3508d9c0af6923fd5aacfa803c4dba88

SHA1
68b80a7ef060e350f084e2d3800a9f1f50e7abb8

SHA256
fb86e309ccae6470fa0dbbccdb14c539a85d7b84de0f0bfef98d99fa8e57626c

SHA512
2028d7e79e9bbb15fcea14f8054572d7a3c21c65100800ee8e767387f3de5b0c6d5b4e20dad2ce4cd899a082482250b549bab1ae5d486cbcf181842316ce5c3a

Download Submit
C:\Windows\{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe

Filesize
204KB

MD5
fdb5b97b6159f3555cb2bc5a59aa5bd5

SHA1
6e1700cb0721673e27a6e076bbf8d2b03cf3e537

SHA256
46f5052b50ffffb37241226aafe9c739ae05061233d6d1fca44f9eb23355779a

SHA512
5a6aec62aecd828a5a4eaa0aafb3d9edcfcc21595cb185e057e7e34ca3f40fc639d512565112dd43702f5c43c3a3547b0301aba32db8192d0dbdc75d222964dd

Download Submit
C:\Windows\{26391E6D-BC5E-4ae5-A86D-5F215C8EC89F}.exe

Filesize
204KB

MD5
fdb5b97b6159f3555cb2bc5a59aa5bd5

SHA1
6e1700cb0721673e27a6e076bbf8d2b03cf3e537

SHA256
46f5052b50ffffb37241226aafe9c739ae05061233d6d1fca44f9eb23355779a

SHA512
5a6aec62aecd828a5a4eaa0aafb3d9edcfcc21595cb185e057e7e34ca3f40fc639d512565112dd43702f5c43c3a3547b0301aba32db8192d0dbdc75d222964dd

Download Submit
C:\Windows\{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe

Filesize
204KB

MD5
ab49712aeafa3d031d2b37f03d086fa1

SHA1
d97afba74d6d913e3e8e486dfc92f7a37d698819

SHA256
22903e56fb609ef4839500d51ed926f05a76041f971ad4a34eda6b5f5c29cc76

SHA512
fa6204172f6da8a02765a82df163a7c77ec8d2e3255b2601c094745a07f370348fcda085b53a9be9b9229b6609575504e4f8ff587a31691bfa05e10e374b164d

Download Submit
C:\Windows\{67B6C11E-A2AD-4a7f-B5A5-B5D01036DB56}.exe

Filesize
204KB

MD5
ab49712aeafa3d031d2b37f03d086fa1

SHA1
d97afba74d6d913e3e8e486dfc92f7a37d698819

SHA256
22903e56fb609ef4839500d51ed926f05a76041f971ad4a34eda6b5f5c29cc76

SHA512
fa6204172f6da8a02765a82df163a7c77ec8d2e3255b2601c094745a07f370348fcda085b53a9be9b9229b6609575504e4f8ff587a31691bfa05e10e374b164d

Download Submit
C:\Windows\{7CE79CA1-2A5A-41ef-AFBD-B1708E202094}.exe

Filesize
204KB

MD5
3852fd2f942fc68502fcb974966d6e9e

SHA1
aa50e75c23fddf195324231388374c6ce800de02

SHA256
472aa5a480039dd8a0e124bfe83c4435970b796cb2fa687bb69d9ecc276314aa

SHA512
e111321b8f722f240f48d9c2ad788a77220b08398e0022c879b47b883137ce44c6b63ec4530eee12063c49d845790188896f0e3a6c90eb9e0a2ce4350c85e651

Download Submit
C:\Windows\{A30E6884-83F6-42f1-8108-94E7072C6297}.exe

Filesize
204KB

MD5
c99d844c4ddb5dfd1d91f5e26f6aecd2

SHA1
8a854037a5e5ff307a1aa1d8ea799130377f4dd1

SHA256
1fcf7df2a448681da91799027a9d2766257b6441e848c4b25af5e9bcdd9ba1b4

SHA512
cf94493a3553ddc80019f74b56d07fd6a6acb15901a3a0d7599ebe86f88d79ea24b752fda88a19a47b51965b1442bb6faa02d44caaab8e7771d462fca7388049

Download Submit
C:\Windows\{A30E6884-83F6-42f1-8108-94E7072C6297}.exe

Filesize
204KB

MD5
c99d844c4ddb5dfd1d91f5e26f6aecd2

SHA1
8a854037a5e5ff307a1aa1d8ea799130377f4dd1

SHA256
1fcf7df2a448681da91799027a9d2766257b6441e848c4b25af5e9bcdd9ba1b4

SHA512
cf94493a3553ddc80019f74b56d07fd6a6acb15901a3a0d7599ebe86f88d79ea24b752fda88a19a47b51965b1442bb6faa02d44caaab8e7771d462fca7388049

Download Submit
C:\Windows\{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe

Filesize
204KB

MD5
1350fe8e7896e13e0068104f195f14b5

SHA1
da09fded793a2ab13ddfd227b00c4cedfec6ffa9

SHA256
7e635f1991e6bb0a99c39a6fc02ca480fa3f652da3be24dab6031a2b6b5917dc

SHA512
3510034a2235be3a61a1359b1cd9d6d026e51d3cf256a1400ad9532a879546e60341f4af3334c905e15c617a4f122bb66325aec45244ff6c00631e5dd32eea76

Download Submit
C:\Windows\{AB022C2F-F602-42b6-94FF-3900D25636EE}.exe

Filesize
204KB

MD5
1350fe8e7896e13e0068104f195f14b5

SHA1
da09fded793a2ab13ddfd227b00c4cedfec6ffa9

SHA256
7e635f1991e6bb0a99c39a6fc02ca480fa3f652da3be24dab6031a2b6b5917dc

SHA512
3510034a2235be3a61a1359b1cd9d6d026e51d3cf256a1400ad9532a879546e60341f4af3334c905e15c617a4f122bb66325aec45244ff6c00631e5dd32eea76

Download Submit
C:\Windows\{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe

Filesize
204KB

MD5
84ade1e28c702f0fba90054a28207c98

SHA1
0d772a8fed4b311bed84ae4424fdb1df13d8b269

SHA256
ec0c8e956cfca8fe13879b3e3873e3faaabf96fea24c2f0c0a1715a725703f57

SHA512
693c8d36d0b079dafef3bf18597f6012f0700c2605414cba215fc0a4ac7a994e8f895ae5f4a19367a18dcac0af344fbcf37a9d4d3e3d98b2316fbd045dbc2e1f

Download Submit
C:\Windows\{BFFE621E-1548-4950-92D1-4D2A1B737462}.exe

Filesize
204KB

MD5
84ade1e28c702f0fba90054a28207c98

SHA1
0d772a8fed4b311bed84ae4424fdb1df13d8b269

SHA256
ec0c8e956cfca8fe13879b3e3873e3faaabf96fea24c2f0c0a1715a725703f57

SHA512
693c8d36d0b079dafef3bf18597f6012f0700c2605414cba215fc0a4ac7a994e8f895ae5f4a19367a18dcac0af344fbcf37a9d4d3e3d98b2316fbd045dbc2e1f

Download Submit
C:\Windows\{C584610E-7111-44c0-8D92-31E74F342653}.exe

Filesize
204KB

MD5
7e361c23904bccd1abe38bfb71fd61e2

SHA1
f76f5956255669cb202230e0ce1192e3e54ea26b

SHA256
6fcfd6d4eeafefaab30f2eba3d29fc6c6e4486718c447a1ce2546d95add17c8f

SHA512
d0341b127c7ac7a28d907aaa3396b645ebb0113c5821bd3538ce50b9c76b36015be450bb3af341ede513a42c108e577373c161b86ad29a8604a1495ecc9dc970

Download Submit
C:\Windows\{C584610E-7111-44c0-8D92-31E74F342653}.exe

Filesize
204KB

MD5
7e361c23904bccd1abe38bfb71fd61e2

SHA1
f76f5956255669cb202230e0ce1192e3e54ea26b

SHA256
6fcfd6d4eeafefaab30f2eba3d29fc6c6e4486718c447a1ce2546d95add17c8f

SHA512
d0341b127c7ac7a28d907aaa3396b645ebb0113c5821bd3538ce50b9c76b36015be450bb3af341ede513a42c108e577373c161b86ad29a8604a1495ecc9dc970

Download Submit
C:\Windows\{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe

Filesize
204KB

MD5
185a31c08e2e5cbaf9b42d5f3e6240f1

SHA1
8653f7f9976d7d1ddf5931064ba85416118ae536

SHA256
53f68978765f52dd62116107463ffe12e4e4a5b90216e7638eb0e67d0c2b7bb1

SHA512
25d6a859d625f3850946b422cc3a794f72d5ce7bb538e9c43244c331f777213040fc13c43843bc28ee4db304b61870625509d1373aec9d0111d933f01f4569df

Download Submit
C:\Windows\{E6E27BA3-A056-4f57-B039-0A7D701593C0}.exe

Filesize
204KB

MD5
185a31c08e2e5cbaf9b42d5f3e6240f1

SHA1
8653f7f9976d7d1ddf5931064ba85416118ae536

SHA256
53f68978765f52dd62116107463ffe12e4e4a5b90216e7638eb0e67d0c2b7bb1

SHA512
25d6a859d625f3850946b422cc3a794f72d5ce7bb538e9c43244c331f777213040fc13c43843bc28ee4db304b61870625509d1373aec9d0111d933f01f4569df

Download Submit
C:\Windows\{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe

Filesize
204KB

MD5
8d1e4f70585e6e82619f5c34c221b38e

SHA1
603c5e09809519f8a873e089caae9715dc881bd4

SHA256
1aac2e674ed9539e469f933a3008ee024a7983d8c6febba954c577a18e150de1

SHA512
19f8ab426f9d628abb89e307a1277b814c8af8829509896083f81e8e859e63169732a936310a389794f08679b63ce66571bd1b337be2924d0b6ead3b61cfb92e

Download Submit
C:\Windows\{FECF7BDD-7C19-45af-AD3C-0DDF4BAE783F}.exe

Filesize
204KB

MD5
8d1e4f70585e6e82619f5c34c221b38e

SHA1
603c5e09809519f8a873e089caae9715dc881bd4

SHA256
1aac2e674ed9539e469f933a3008ee024a7983d8c6febba954c577a18e150de1

SHA512
19f8ab426f9d628abb89e307a1277b814c8af8829509896083f81e8e859e63169732a936310a389794f08679b63ce66571bd1b337be2924d0b6ead3b61cfb92e

Download Submit