9f463d24d86c14a8b7aba98764d75b7b8ad1f4de3df782e0c80bcf90b23a3c64

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-07-2023 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87fb0497b9b7ac_JC.exe
Size

192KB
MD5

87fb0497b9b7ac68c0ac54516f0af048
SHA1

927195981badab7d6d065edfb0b38357c6a8d348
SHA256

9f463d24d86c14a8b7aba98764d75b7b8ad1f4de3df782e0c80bcf90b23a3c64
SHA512

b51f0800b81fffd668127efa9889642198fd02b94138df2aea1c206551b14299c36ea7744bc46d451a43d8538a8cf6373741492e61df35a4658e5e5c30d8926b
SSDEEP

1536:1EGh0oZl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0oZl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB4C9346-FC30-4982-BF78-27AA63265CAE}	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B12F268-9A26-45f0-998C-83F113886043}	{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9B12F268-9A26-45f0-998C-83F113886043}\stubpath = "C:\\Windows\\{9B12F268-9A26-45f0-998C-83F113886043}.exe"	{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F738091E-7B3F-4760-9E44-4A6E90BBC664}\stubpath = "C:\\Windows\\{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe"	87fb0497b9b7ac_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB4C9346-FC30-4982-BF78-27AA63265CAE}\stubpath = "C:\\Windows\\{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe"	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8C85A73-056A-40cb-A2F9-D845CA18525E}\stubpath = "C:\\Windows\\{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe"	{EB825480-519C-442f-BF9E-5E525F859909}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}\stubpath = "C:\\Windows\\{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe"	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F738091E-7B3F-4760-9E44-4A6E90BBC664}	87fb0497b9b7ac_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1735E75-9F9E-47c9-A27E-709DC42B3337}	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EC75890-5E63-47a4-859C-04B1ECB58388}\stubpath = "C:\\Windows\\{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe"	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E893410E-649D-4c30-8121-ED1E1FDCA19E}\stubpath = "C:\\Windows\\{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe"	{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2CF4E90-48D8-4d48-8A76-42C81154504D}	{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}\stubpath = "C:\\Windows\\{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe"	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E893410E-649D-4c30-8121-ED1E1FDCA19E}	{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D1735E75-9F9E-47c9-A27E-709DC42B3337}\stubpath = "C:\\Windows\\{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe"	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0EC75890-5E63-47a4-859C-04B1ECB58388}	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB825480-519C-442f-BF9E-5E525F859909}	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EB825480-519C-442f-BF9E-5E525F859909}\stubpath = "C:\\Windows\\{EB825480-519C-442f-BF9E-5E525F859909}.exe"	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E8C85A73-056A-40cb-A2F9-D845CA18525E}	{EB825480-519C-442f-BF9E-5E525F859909}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B2CF4E90-48D8-4d48-8A76-42C81154504D}\stubpath = "C:\\Windows\\{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe"	{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe

Deletes itself 1 IoCs

pid	Process
528	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2624	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe
2900	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe
2728	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe
1824	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe
2732	{EB825480-519C-442f-BF9E-5E525F859909}.exe
2292	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe
292	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe
1200	{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe
548	{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe
3044	{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe
2552	{9B12F268-9A26-45f0-998C-83F113886043}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe
File created	C:\Windows\{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe
File created	C:\Windows\{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe
File created	C:\Windows\{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe
File created	C:\Windows\{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe	{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe
File created	C:\Windows\{9B12F268-9A26-45f0-998C-83F113886043}.exe	{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe
File created	C:\Windows\{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe	87fb0497b9b7ac_JC.exe
File created	C:\Windows\{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe
File created	C:\Windows\{EB825480-519C-442f-BF9E-5E525F859909}.exe	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe
File created	C:\Windows\{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe	{EB825480-519C-442f-BF9E-5E525F859909}.exe
File created	C:\Windows\{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe	{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2276	87fb0497b9b7ac_JC.exe
Token: SeIncBasePriorityPrivilege	2624	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe
Token: SeIncBasePriorityPrivilege	2900	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe
Token: SeIncBasePriorityPrivilege	2728	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe
Token: SeIncBasePriorityPrivilege	1824	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe
Token: SeIncBasePriorityPrivilege	2732	{EB825480-519C-442f-BF9E-5E525F859909}.exe
Token: SeIncBasePriorityPrivilege	2292	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe
Token: SeIncBasePriorityPrivilege	292	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe
Token: SeIncBasePriorityPrivilege	1200	{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe
Token: SeIncBasePriorityPrivilege	548	{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe
Token: SeIncBasePriorityPrivilege	3044	{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2624	2276	87fb0497b9b7ac_JC.exe	28
PID 2276 wrote to memory of 2624	2276	87fb0497b9b7ac_JC.exe	28
PID 2276 wrote to memory of 2624	2276	87fb0497b9b7ac_JC.exe	28
PID 2276 wrote to memory of 2624	2276	87fb0497b9b7ac_JC.exe	28
PID 2276 wrote to memory of 528	2276	87fb0497b9b7ac_JC.exe	29
PID 2276 wrote to memory of 528	2276	87fb0497b9b7ac_JC.exe	29
PID 2276 wrote to memory of 528	2276	87fb0497b9b7ac_JC.exe	29
PID 2276 wrote to memory of 528	2276	87fb0497b9b7ac_JC.exe	29
PID 2624 wrote to memory of 2900	2624	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe	32
PID 2624 wrote to memory of 2900	2624	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe	32
PID 2624 wrote to memory of 2900	2624	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe	32
PID 2624 wrote to memory of 2900	2624	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe	32
PID 2624 wrote to memory of 2436	2624	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe	33
PID 2624 wrote to memory of 2436	2624	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe	33
PID 2624 wrote to memory of 2436	2624	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe	33
PID 2624 wrote to memory of 2436	2624	{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe	33
PID 2900 wrote to memory of 2728	2900	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe	34
PID 2900 wrote to memory of 2728	2900	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe	34
PID 2900 wrote to memory of 2728	2900	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe	34
PID 2900 wrote to memory of 2728	2900	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe	34
PID 2900 wrote to memory of 2724	2900	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe	35
PID 2900 wrote to memory of 2724	2900	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe	35
PID 2900 wrote to memory of 2724	2900	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe	35
PID 2900 wrote to memory of 2724	2900	{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe	35
PID 2728 wrote to memory of 1824	2728	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe	36
PID 2728 wrote to memory of 1824	2728	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe	36
PID 2728 wrote to memory of 1824	2728	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe	36
PID 2728 wrote to memory of 1824	2728	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe	36
PID 2728 wrote to memory of 2704	2728	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe	37
PID 2728 wrote to memory of 2704	2728	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe	37
PID 2728 wrote to memory of 2704	2728	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe	37
PID 2728 wrote to memory of 2704	2728	{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe	37
PID 1824 wrote to memory of 2732	1824	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe	38
PID 1824 wrote to memory of 2732	1824	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe	38
PID 1824 wrote to memory of 2732	1824	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe	38
PID 1824 wrote to memory of 2732	1824	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe	38
PID 1824 wrote to memory of 2640	1824	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe	39
PID 1824 wrote to memory of 2640	1824	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe	39
PID 1824 wrote to memory of 2640	1824	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe	39
PID 1824 wrote to memory of 2640	1824	{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe	39
PID 2732 wrote to memory of 2292	2732	{EB825480-519C-442f-BF9E-5E525F859909}.exe	40
PID 2732 wrote to memory of 2292	2732	{EB825480-519C-442f-BF9E-5E525F859909}.exe	40
PID 2732 wrote to memory of 2292	2732	{EB825480-519C-442f-BF9E-5E525F859909}.exe	40
PID 2732 wrote to memory of 2292	2732	{EB825480-519C-442f-BF9E-5E525F859909}.exe	40
PID 2732 wrote to memory of 268	2732	{EB825480-519C-442f-BF9E-5E525F859909}.exe	41
PID 2732 wrote to memory of 268	2732	{EB825480-519C-442f-BF9E-5E525F859909}.exe	41
PID 2732 wrote to memory of 268	2732	{EB825480-519C-442f-BF9E-5E525F859909}.exe	41
PID 2732 wrote to memory of 268	2732	{EB825480-519C-442f-BF9E-5E525F859909}.exe	41
PID 2292 wrote to memory of 292	2292	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe	42
PID 2292 wrote to memory of 292	2292	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe	42
PID 2292 wrote to memory of 292	2292	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe	42
PID 2292 wrote to memory of 292	2292	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe	42
PID 2292 wrote to memory of 564	2292	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe	43
PID 2292 wrote to memory of 564	2292	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe	43
PID 2292 wrote to memory of 564	2292	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe	43
PID 2292 wrote to memory of 564	2292	{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe	43
PID 292 wrote to memory of 1200	292	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe	44
PID 292 wrote to memory of 1200	292	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe	44
PID 292 wrote to memory of 1200	292	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe	44
PID 292 wrote to memory of 1200	292	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe	44
PID 292 wrote to memory of 1100	292	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe	45
PID 292 wrote to memory of 1100	292	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe	45
PID 292 wrote to memory of 1100	292	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe	45
PID 292 wrote to memory of 1100	292	{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe	45

C:\Users\Admin\AppData\Local\Temp\87fb0497b9b7ac_JC.exe
"C:\Users\Admin\AppData\Local\Temp\87fb0497b9b7ac_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe
  C:\Windows\{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Windows\{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe
    C:\Windows\{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe
      C:\Windows\{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe
        
        C:\Windows\{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1824
      - C:\Windows\{EB825480-519C-442f-BF9E-5E525F859909}.exe
        
        C:\Windows\{EB825480-519C-442f-BF9E-5E525F859909}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe
        
        C:\Windows\{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe
        
        C:\Windows\{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
        
        C:\Windows\{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe
        
        C:\Windows\{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
        
        C:\Windows\{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe
        
        C:\Windows\{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe
        
        C:\Windows\{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B2CF4~1.EXE > nul
        12⤵
        
        PID:2092
        
        C:\Windows\{9B12F268-9A26-45f0-998C-83F113886043}.exe
        
        C:\Windows\{9B12F268-9A26-45f0-998C-83F113886043}.exe
        12⤵
        Executes dropped EXE
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8934~1.EXE > nul
        11⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA96A~1.EXE > nul
        10⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAE38~1.EXE > nul
        9⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8C85~1.EXE > nul
        8⤵
        
        PID:564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB825~1.EXE > nul
        7⤵
        
        PID:268
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0EC75~1.EXE > nul
        6⤵
        
        PID:2640
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D1735~1.EXE > nul
        5⤵
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EB4C9~1.EXE > nul
      4⤵
      PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F7380~1.EXE > nul
    3⤵
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\87FB04~1.EXE > nul
  2⤵
  - Deletes itself
  PID:528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe

Filesize
192KB

MD5
9693454f81745f42e0dc3bafcc6eb675

SHA1
9d074237d5fc150cc9c162d291d9d4a72f790411

SHA256
e57d05b781159f0c0258426ec19945b33852d2fb782d63c9f0a0aa3e43f50c6c

SHA512
cc5953c6e371b5a97596e6643a25434ec24d5047ee57b4a58fe4919f301b2717864a39134467de847d6654a47d5720f948132a638e90f564479168901a9f795a

Download Submit
C:\Windows\{0EC75890-5E63-47a4-859C-04B1ECB58388}.exe

Filesize
192KB

MD5
9693454f81745f42e0dc3bafcc6eb675

SHA1
9d074237d5fc150cc9c162d291d9d4a72f790411

SHA256
e57d05b781159f0c0258426ec19945b33852d2fb782d63c9f0a0aa3e43f50c6c

SHA512
cc5953c6e371b5a97596e6643a25434ec24d5047ee57b4a58fe4919f301b2717864a39134467de847d6654a47d5720f948132a638e90f564479168901a9f795a

Download Submit
C:\Windows\{9B12F268-9A26-45f0-998C-83F113886043}.exe

Filesize
192KB

MD5
c646fec95f782a1fa55c02211d610bc9

SHA1
10613001fce3022cbca79e0f418de3794f6a43af

SHA256
86f244944af3cb2393f0ae24307f8c298799ca587d12c33b650a0ac90097189f

SHA512
c7fd4091081e898e913c18e7bb7d9156fad3fe321b723f9a3bdb96a112b0f4073e01305bb944b16a04142a2977d942d807dd52cba55d691dd3a33e7b479cd461

Download Submit
C:\Windows\{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe

Filesize
192KB

MD5
405c3edcf4b8fa75f583919b3e2e8510

SHA1
770b55cbb9ce9a62709bb2d895a3a77f4392d66f

SHA256
e18c0aa862b9298e197ef4d4fdeae75211f38587dae3a724521d35230fe55bcc

SHA512
63151b5b0596f3600baa3f1d0dc3abdf6c556cd946a18c92c883fe829ba348a3a6c61b9c23b5af4687a86aa476aa3eada216d4d5ab431a01311afaf15b9ee1e5

Download Submit
C:\Windows\{B2CF4E90-48D8-4d48-8A76-42C81154504D}.exe

Filesize
192KB

MD5
405c3edcf4b8fa75f583919b3e2e8510

SHA1
770b55cbb9ce9a62709bb2d895a3a77f4392d66f

SHA256
e18c0aa862b9298e197ef4d4fdeae75211f38587dae3a724521d35230fe55bcc

SHA512
63151b5b0596f3600baa3f1d0dc3abdf6c556cd946a18c92c883fe829ba348a3a6c61b9c23b5af4687a86aa476aa3eada216d4d5ab431a01311afaf15b9ee1e5

Download Submit
C:\Windows\{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe

Filesize
192KB

MD5
d274b05893d827c41621651390805dbe

SHA1
9fab8c06fe8c23f25bfe9c26e7ee67adbc6e01e5

SHA256
9f9273cbf8414561466765ad504d60c6fa3fa6111c4b17d75d72fc0f49070dc3

SHA512
91fefc22ecc0a25039124b7bc66f6be4913179ca484bc34305cf338bac1276a055d455700376c4c123d14256397ed821dbeb01a31e00127cccb30ee1e9e6ad18

Download Submit
C:\Windows\{D1735E75-9F9E-47c9-A27E-709DC42B3337}.exe

Filesize
192KB

MD5
d274b05893d827c41621651390805dbe

SHA1
9fab8c06fe8c23f25bfe9c26e7ee67adbc6e01e5

SHA256
9f9273cbf8414561466765ad504d60c6fa3fa6111c4b17d75d72fc0f49070dc3

SHA512
91fefc22ecc0a25039124b7bc66f6be4913179ca484bc34305cf338bac1276a055d455700376c4c123d14256397ed821dbeb01a31e00127cccb30ee1e9e6ad18

Download Submit
C:\Windows\{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe

Filesize
192KB

MD5
cafec7fe90d7fc3f7a5d7a3cc42a43b3

SHA1
ef1656360d76ba206e597cc1e919b87b093acaed

SHA256
23318eab8e13be4089df0f190b80fd7a61badba584a7f50646d4eff7d42b12c8

SHA512
dbd14ce62fdf90cb7ba2eaed7303c0df9cb1a78dbbb232f7f3ccc8a8bc22bf26673f1f1dd57edb84f9435637e4cb3324bc76a598cbe2d02241732e80e74ef955

Download Submit
C:\Windows\{DA96AA61-3BAB-4c7a-90E1-6EBD4B2BE5D5}.exe

Filesize
192KB

MD5
cafec7fe90d7fc3f7a5d7a3cc42a43b3

SHA1
ef1656360d76ba206e597cc1e919b87b093acaed

SHA256
23318eab8e13be4089df0f190b80fd7a61badba584a7f50646d4eff7d42b12c8

SHA512
dbd14ce62fdf90cb7ba2eaed7303c0df9cb1a78dbbb232f7f3ccc8a8bc22bf26673f1f1dd57edb84f9435637e4cb3324bc76a598cbe2d02241732e80e74ef955

Download Submit
C:\Windows\{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe

Filesize
192KB

MD5
7ed5f068b40a47ee1251b89ade668a47

SHA1
12f740d0d8c5572e43e39cc965f0f18e9402f1f5

SHA256
225b5806c60d89981aa7ff8f2fdb8986d013e35b3e09f1799d08260732a89cb8

SHA512
ef0478fae2ad02bf434510052947e4a5aa5c87c946aecad172cf99dedffd07c6d13c56154559d2b7bf2fa10d90671f52c3b36a3597f6f0d4c8203a5c45c8c47a

Download Submit
C:\Windows\{E893410E-649D-4c30-8121-ED1E1FDCA19E}.exe

Filesize
192KB

MD5
7ed5f068b40a47ee1251b89ade668a47

SHA1
12f740d0d8c5572e43e39cc965f0f18e9402f1f5

SHA256
225b5806c60d89981aa7ff8f2fdb8986d013e35b3e09f1799d08260732a89cb8

SHA512
ef0478fae2ad02bf434510052947e4a5aa5c87c946aecad172cf99dedffd07c6d13c56154559d2b7bf2fa10d90671f52c3b36a3597f6f0d4c8203a5c45c8c47a

Download Submit
C:\Windows\{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe

Filesize
192KB

MD5
34a8f50652d872289831b1b5252e10d8

SHA1
4a62ec2ae47316d81ff646cf4300092dd8d4f538

SHA256
7a4b196e650c6193aaa41e2bf99202a03f69f055a6c1cbb8779184054521138b

SHA512
c22454748ed6a6d718e2234e401f59fb809c1513803846006ec1b022ca8339b8f1acb061bb3ebbd830333c7798cd37a5668eefebf730fe5946b9c17f8d742f5d

Download Submit
C:\Windows\{E8C85A73-056A-40cb-A2F9-D845CA18525E}.exe

Filesize
192KB

MD5
34a8f50652d872289831b1b5252e10d8

SHA1
4a62ec2ae47316d81ff646cf4300092dd8d4f538

SHA256
7a4b196e650c6193aaa41e2bf99202a03f69f055a6c1cbb8779184054521138b

SHA512
c22454748ed6a6d718e2234e401f59fb809c1513803846006ec1b022ca8339b8f1acb061bb3ebbd830333c7798cd37a5668eefebf730fe5946b9c17f8d742f5d

Download Submit
C:\Windows\{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe

Filesize
192KB

MD5
8af150802a24ef39fdcad8f9e2747a70

SHA1
7929c03971c066bdb8d6ee97a50656e6188adc37

SHA256
aabd8359f69775843be0517c97296879422e265ba03d2a79368788f5f6a5efea

SHA512
536df1352c4f384074192399838b600fad4fc3ef7eda4680f25af11664b8525a12561d9a030319b470290737272a036b72486b70c0e103bf2b653cf56bf04291

Download Submit
C:\Windows\{EB4C9346-FC30-4982-BF78-27AA63265CAE}.exe

Filesize
192KB

MD5
8af150802a24ef39fdcad8f9e2747a70

SHA1
7929c03971c066bdb8d6ee97a50656e6188adc37

SHA256
aabd8359f69775843be0517c97296879422e265ba03d2a79368788f5f6a5efea

SHA512
536df1352c4f384074192399838b600fad4fc3ef7eda4680f25af11664b8525a12561d9a030319b470290737272a036b72486b70c0e103bf2b653cf56bf04291

Download Submit
C:\Windows\{EB825480-519C-442f-BF9E-5E525F859909}.exe

Filesize
192KB

MD5
1d297345841a2736f2e23fd07a5a7b83

SHA1
dc973fb027d7dc5e757648ad7fc498311d844e89

SHA256
9367b0c82bdb06f79754a0a330ce2cf9307312e688b16cc755ee9dcdde325bf1

SHA512
b8af528301389876b0d5a0b4af346030a39faf27b1db5867f2e97fa31aefad3cb2b0b1d5b3847cc4d0c4471b65ebb9f6dc4bf1a8e0dc689f89b2ea12074c1c90

Download Submit
C:\Windows\{EB825480-519C-442f-BF9E-5E525F859909}.exe

Filesize
192KB

MD5
1d297345841a2736f2e23fd07a5a7b83

SHA1
dc973fb027d7dc5e757648ad7fc498311d844e89

SHA256
9367b0c82bdb06f79754a0a330ce2cf9307312e688b16cc755ee9dcdde325bf1

SHA512
b8af528301389876b0d5a0b4af346030a39faf27b1db5867f2e97fa31aefad3cb2b0b1d5b3847cc4d0c4471b65ebb9f6dc4bf1a8e0dc689f89b2ea12074c1c90

Download Submit
C:\Windows\{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe

Filesize
192KB

MD5
b19eac1acd93fe83bdc4fcfc49bdf314

SHA1
ecdd8e528615bceb504a2d605d4dfdfd756a51e3

SHA256
e946763f3397d08d3d04aad7a581cb376506b71bb1a76e5bb84b3ba94a2ce5ad

SHA512
1cea86faf076d0d0da05e19e3df4c5794aff67c2be6784aa5d5cdfb17c961a4bafaa1fb9768a94dadb4be4b5072790400dec449c6ecef77876ff60e30ebce1a7

Download Submit
C:\Windows\{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe

Filesize
192KB

MD5
b19eac1acd93fe83bdc4fcfc49bdf314

SHA1
ecdd8e528615bceb504a2d605d4dfdfd756a51e3

SHA256
e946763f3397d08d3d04aad7a581cb376506b71bb1a76e5bb84b3ba94a2ce5ad

SHA512
1cea86faf076d0d0da05e19e3df4c5794aff67c2be6784aa5d5cdfb17c961a4bafaa1fb9768a94dadb4be4b5072790400dec449c6ecef77876ff60e30ebce1a7

Download Submit
C:\Windows\{F738091E-7B3F-4760-9E44-4A6E90BBC664}.exe

Filesize
192KB

MD5
b19eac1acd93fe83bdc4fcfc49bdf314

SHA1
ecdd8e528615bceb504a2d605d4dfdfd756a51e3

SHA256
e946763f3397d08d3d04aad7a581cb376506b71bb1a76e5bb84b3ba94a2ce5ad

SHA512
1cea86faf076d0d0da05e19e3df4c5794aff67c2be6784aa5d5cdfb17c961a4bafaa1fb9768a94dadb4be4b5072790400dec449c6ecef77876ff60e30ebce1a7

Download Submit
C:\Windows\{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe

Filesize
192KB

MD5
95c5a000a6a30486b2c7d63e8d06f5e4

SHA1
e8ec49c2e4f1109fe3789d88561ccf01f1dde7ee

SHA256
60f53812d87912779032355bb82c10f59fe2b492e3a95fec0f350543f54e5463

SHA512
d5186191fb4fb30c0189c23e26484ff1d428fe33450652bc10275e18c47227c01f76c1a843a620ce8bffb8ee91e8bb1d0a17e79f52c3e33b4f6d18ebce6c3796

Download Submit
C:\Windows\{FAE385CE-9EFA-4371-8947-6DBBF794B2A9}.exe

Filesize
192KB

MD5
95c5a000a6a30486b2c7d63e8d06f5e4

SHA1
e8ec49c2e4f1109fe3789d88561ccf01f1dde7ee

SHA256
60f53812d87912779032355bb82c10f59fe2b492e3a95fec0f350543f54e5463

SHA512
d5186191fb4fb30c0189c23e26484ff1d428fe33450652bc10275e18c47227c01f76c1a843a620ce8bffb8ee91e8bb1d0a17e79f52c3e33b4f6d18ebce6c3796

Download Submit