8a0f844ed670dd5985c14ddb7a5d9d5f35b3aab9e507e85e506685d8f27918c5

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
17-07-2023 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e3bb8d8327f78_JC.exe
Size

168KB
MD5

9e3bb8d8327f78444b4aec882199a0f9
SHA1

544a2b56d3e0e582029c3099910197462cd03320
SHA256

8a0f844ed670dd5985c14ddb7a5d9d5f35b3aab9e507e85e506685d8f27918c5
SHA512

829a5dc284f632688274fad12c71f0efbe8307479b1bb974c5fc1e8b5942cb210e92d74241fd882f07160e8bd1dd1bca145ab6c017c12e819b61bb2fd1010d61
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{399D1408-A4EA-40d5-858D-E965F107A60E}	9e3bb8d8327f78_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34870D0A-9B77-42a5-8169-7FB45490701E}	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D35EAE96-CE76-4a21-9DFD-441028EE3A89}	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87B22CE8-C49D-43ce-8C14-68853DEDB276}	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{87B22CE8-C49D-43ce-8C14-68853DEDB276}\stubpath = "C:\\Windows\\{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe"	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04F11988-4A3D-496c-9828-567E26DF5E8B}	{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{788866FA-30DD-486e-B6B3-9551368ADD49}\stubpath = "C:\\Windows\\{788866FA-30DD-486e-B6B3-9551368ADD49}.exe"	{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E198EA57-511D-42d3-93EB-94EED6F98C74}\stubpath = "C:\\Windows\\{E198EA57-511D-42d3-93EB-94EED6F98C74}.exe"	{788866FA-30DD-486e-B6B3-9551368ADD49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E198EA57-511D-42d3-93EB-94EED6F98C74}	{788866FA-30DD-486e-B6B3-9551368ADD49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}\stubpath = "C:\\Windows\\{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe"	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{169E4BA5-6948-422a-97F9-E6BE3186ECAE}\stubpath = "C:\\Windows\\{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe"	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}\stubpath = "C:\\Windows\\{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe"	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D35EAE96-CE76-4a21-9DFD-441028EE3A89}\stubpath = "C:\\Windows\\{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe"	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04F11988-4A3D-496c-9828-567E26DF5E8B}\stubpath = "C:\\Windows\\{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe"	{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{399D1408-A4EA-40d5-858D-E965F107A60E}\stubpath = "C:\\Windows\\{399D1408-A4EA-40d5-858D-E965F107A60E}.exe"	9e3bb8d8327f78_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{169E4BA5-6948-422a-97F9-E6BE3186ECAE}	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}\stubpath = "C:\\Windows\\{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe"	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34870D0A-9B77-42a5-8169-7FB45490701E}\stubpath = "C:\\Windows\\{34870D0A-9B77-42a5-8169-7FB45490701E}.exe"	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{788866FA-30DD-486e-B6B3-9551368ADD49}	{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe

Deletes itself 1 IoCs

pid	Process
2272	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2404	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe
1620	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe
2904	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe
2780	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe
2720	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe
2344	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe
792	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe
1468	{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe
616	{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe
2996	{788866FA-30DD-486e-B6B3-9551368ADD49}.exe
2248	{E198EA57-511D-42d3-93EB-94EED6F98C74}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe
File created	C:\Windows\{34870D0A-9B77-42a5-8169-7FB45490701E}.exe	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe
File created	C:\Windows\{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe
File created	C:\Windows\{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe	{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe
File created	C:\Windows\{788866FA-30DD-486e-B6B3-9551368ADD49}.exe	{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe
File created	C:\Windows\{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe
File created	C:\Windows\{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe
File created	C:\Windows\{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe
File created	C:\Windows\{E198EA57-511D-42d3-93EB-94EED6F98C74}.exe	{788866FA-30DD-486e-B6B3-9551368ADD49}.exe
File created	C:\Windows\{399D1408-A4EA-40d5-858D-E965F107A60E}.exe	9e3bb8d8327f78_JC.exe
File created	C:\Windows\{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1576	9e3bb8d8327f78_JC.exe
Token: SeIncBasePriorityPrivilege	2404	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe
Token: SeIncBasePriorityPrivilege	1620	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe
Token: SeIncBasePriorityPrivilege	2904	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe
Token: SeIncBasePriorityPrivilege	2780	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe
Token: SeIncBasePriorityPrivilege	2720	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe
Token: SeIncBasePriorityPrivilege	2344	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe
Token: SeIncBasePriorityPrivilege	792	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe
Token: SeIncBasePriorityPrivilege	1468	{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe
Token: SeIncBasePriorityPrivilege	616	{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe
Token: SeIncBasePriorityPrivilege	2996	{788866FA-30DD-486e-B6B3-9551368ADD49}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2404	1576	9e3bb8d8327f78_JC.exe	28
PID 1576 wrote to memory of 2404	1576	9e3bb8d8327f78_JC.exe	28
PID 1576 wrote to memory of 2404	1576	9e3bb8d8327f78_JC.exe	28
PID 1576 wrote to memory of 2404	1576	9e3bb8d8327f78_JC.exe	28
PID 1576 wrote to memory of 2272	1576	9e3bb8d8327f78_JC.exe	29
PID 1576 wrote to memory of 2272	1576	9e3bb8d8327f78_JC.exe	29
PID 1576 wrote to memory of 2272	1576	9e3bb8d8327f78_JC.exe	29
PID 1576 wrote to memory of 2272	1576	9e3bb8d8327f78_JC.exe	29
PID 2404 wrote to memory of 1620	2404	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe	32
PID 2404 wrote to memory of 1620	2404	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe	32
PID 2404 wrote to memory of 1620	2404	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe	32
PID 2404 wrote to memory of 1620	2404	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe	32
PID 2404 wrote to memory of 2696	2404	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe	33
PID 2404 wrote to memory of 2696	2404	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe	33
PID 2404 wrote to memory of 2696	2404	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe	33
PID 2404 wrote to memory of 2696	2404	{399D1408-A4EA-40d5-858D-E965F107A60E}.exe	33
PID 1620 wrote to memory of 2904	1620	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe	34
PID 1620 wrote to memory of 2904	1620	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe	34
PID 1620 wrote to memory of 2904	1620	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe	34
PID 1620 wrote to memory of 2904	1620	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe	34
PID 1620 wrote to memory of 2884	1620	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe	35
PID 1620 wrote to memory of 2884	1620	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe	35
PID 1620 wrote to memory of 2884	1620	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe	35
PID 1620 wrote to memory of 2884	1620	{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe	35
PID 2904 wrote to memory of 2780	2904	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe	37
PID 2904 wrote to memory of 2780	2904	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe	37
PID 2904 wrote to memory of 2780	2904	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe	37
PID 2904 wrote to memory of 2780	2904	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe	37
PID 2904 wrote to memory of 2680	2904	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe	36
PID 2904 wrote to memory of 2680	2904	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe	36
PID 2904 wrote to memory of 2680	2904	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe	36
PID 2904 wrote to memory of 2680	2904	{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe	36
PID 2780 wrote to memory of 2720	2780	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe	38
PID 2780 wrote to memory of 2720	2780	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe	38
PID 2780 wrote to memory of 2720	2780	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe	38
PID 2780 wrote to memory of 2720	2780	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe	38
PID 2780 wrote to memory of 2328	2780	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe	39
PID 2780 wrote to memory of 2328	2780	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe	39
PID 2780 wrote to memory of 2328	2780	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe	39
PID 2780 wrote to memory of 2328	2780	{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe	39
PID 2720 wrote to memory of 2344	2720	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe	40
PID 2720 wrote to memory of 2344	2720	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe	40
PID 2720 wrote to memory of 2344	2720	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe	40
PID 2720 wrote to memory of 2344	2720	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe	40
PID 2720 wrote to memory of 524	2720	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe	41
PID 2720 wrote to memory of 524	2720	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe	41
PID 2720 wrote to memory of 524	2720	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe	41
PID 2720 wrote to memory of 524	2720	{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe	41
PID 2344 wrote to memory of 792	2344	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe	42
PID 2344 wrote to memory of 792	2344	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe	42
PID 2344 wrote to memory of 792	2344	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe	42
PID 2344 wrote to memory of 792	2344	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe	42
PID 2344 wrote to memory of 560	2344	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe	43
PID 2344 wrote to memory of 560	2344	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe	43
PID 2344 wrote to memory of 560	2344	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe	43
PID 2344 wrote to memory of 560	2344	{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe	43
PID 792 wrote to memory of 1468	792	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe	44
PID 792 wrote to memory of 1468	792	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe	44
PID 792 wrote to memory of 1468	792	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe	44
PID 792 wrote to memory of 1468	792	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe	44
PID 792 wrote to memory of 2128	792	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe	45
PID 792 wrote to memory of 2128	792	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe	45
PID 792 wrote to memory of 2128	792	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe	45
PID 792 wrote to memory of 2128	792	{34870D0A-9B77-42a5-8169-7FB45490701E}.exe	45

C:\Users\Admin\AppData\Local\Temp\9e3bb8d8327f78_JC.exe
"C:\Users\Admin\AppData\Local\Temp\9e3bb8d8327f78_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\{399D1408-A4EA-40d5-858D-E965F107A60E}.exe
  C:\Windows\{399D1408-A4EA-40d5-858D-E965F107A60E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Windows\{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe
    C:\Windows\{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe
      C:\Windows\{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{169E4~1.EXE > nul
        5⤵
        
        PID:2680
    - - C:\Windows\{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe
        
        C:\Windows\{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
      - C:\Windows\{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe
        
        C:\Windows\{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe
        
        C:\Windows\{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\{34870D0A-9B77-42a5-8169-7FB45490701E}.exe
        
        C:\Windows\{34870D0A-9B77-42a5-8169-7FB45490701E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:792
        
        C:\Windows\{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe
        
        C:\Windows\{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe
        
        C:\Windows\{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\{788866FA-30DD-486e-B6B3-9551368ADD49}.exe
        
        C:\Windows\{788866FA-30DD-486e-B6B3-9551368ADD49}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\{E198EA57-511D-42d3-93EB-94EED6F98C74}.exe
        
        C:\Windows\{E198EA57-511D-42d3-93EB-94EED6F98C74}.exe
        12⤵
        Executes dropped EXE
        
        PID:2248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78886~1.EXE > nul
        12⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04F11~1.EXE > nul
        11⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D35EA~1.EXE > nul
        10⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34870~1.EXE > nul
        9⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3D31~1.EXE > nul
        8⤵
        
        PID:560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{87B22~1.EXE > nul
        7⤵
        
        PID:524
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8DB1~1.EXE > nul
        6⤵
        
        PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C7C61~1.EXE > nul
      4⤵
      PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{399D1~1.EXE > nul
    3⤵
    PID:2696
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9E3BB8~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe

Filesize
168KB

MD5
7fa4ef2644848faa1f02b482eb430143

SHA1
d27326b76a0f7b617695b9088f11d7cb6bed011d

SHA256
743282a8bd724779a07ffdd14e5d65141df7a6305b64e4acef8329a5e028290c

SHA512
151e36ba59ff028cc422bd64ed726ef4ab04fac9fc04ee283312c01ba99d4ed7beee981708e6b35176f952d24ccbcb743989a8185378bb51ec0314a2a6554f9c

Download Submit
C:\Windows\{04F11988-4A3D-496c-9828-567E26DF5E8B}.exe

Filesize
168KB

MD5
7fa4ef2644848faa1f02b482eb430143

SHA1
d27326b76a0f7b617695b9088f11d7cb6bed011d

SHA256
743282a8bd724779a07ffdd14e5d65141df7a6305b64e4acef8329a5e028290c

SHA512
151e36ba59ff028cc422bd64ed726ef4ab04fac9fc04ee283312c01ba99d4ed7beee981708e6b35176f952d24ccbcb743989a8185378bb51ec0314a2a6554f9c

Download Submit
C:\Windows\{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe

Filesize
168KB

MD5
eb205a03bfc7d047379f2c828209af8c

SHA1
1587c457eef46f0f34a91824c35223ade570d23c

SHA256
06f1e057d9f3040f66601ee82238783d06a939ae9e1be311aeaf44bbcf40dca5

SHA512
ec529310abe3456a53321f20a150d02d417be636786a17bfbe7c7528852d917e39e04f6d227929a8d841105dfa8687feb99153c694e941d0a4e4144eb49be75c

Download Submit
C:\Windows\{169E4BA5-6948-422a-97F9-E6BE3186ECAE}.exe

Filesize
168KB

MD5
eb205a03bfc7d047379f2c828209af8c

SHA1
1587c457eef46f0f34a91824c35223ade570d23c

SHA256
06f1e057d9f3040f66601ee82238783d06a939ae9e1be311aeaf44bbcf40dca5

SHA512
ec529310abe3456a53321f20a150d02d417be636786a17bfbe7c7528852d917e39e04f6d227929a8d841105dfa8687feb99153c694e941d0a4e4144eb49be75c

Download Submit
C:\Windows\{34870D0A-9B77-42a5-8169-7FB45490701E}.exe

Filesize
168KB

MD5
ef81a7fc23da3a50580e77bc4dfbdc5a

SHA1
96d8c936ab515bf799e53c5ba5d254b2dd54bc19

SHA256
28de9d44680a9087488e691b7323767aa136f76e7cb6d2e4d535a61b140e531a

SHA512
b3ebe036d2a2dcbce0d01d9cb5c810386309866d0581cefd642459793958226c84cc49a3c619c176b43d5dfcef10764989b295d6cf8610f13f55cb10aa505682

Download Submit
C:\Windows\{34870D0A-9B77-42a5-8169-7FB45490701E}.exe

Filesize
168KB

MD5
ef81a7fc23da3a50580e77bc4dfbdc5a

SHA1
96d8c936ab515bf799e53c5ba5d254b2dd54bc19

SHA256
28de9d44680a9087488e691b7323767aa136f76e7cb6d2e4d535a61b140e531a

SHA512
b3ebe036d2a2dcbce0d01d9cb5c810386309866d0581cefd642459793958226c84cc49a3c619c176b43d5dfcef10764989b295d6cf8610f13f55cb10aa505682

Download Submit
C:\Windows\{399D1408-A4EA-40d5-858D-E965F107A60E}.exe

Filesize
168KB

MD5
8cbc4992dd9f4df53bcf2b48f88ca97c

SHA1
33e11029dc77099892a3eb53928e63944179dea7

SHA256
cf27f2295f4741d799b4e4536da1582b622e0f37cc608aadc9efa4e0dd50ad6c

SHA512
93d7acad484f5a5e9e5fd28abcf70a85a9adcb678d59c37a866a4f72c42462faa359b242a03d455d3f1ba4c6d4174aae4c40dc4f47996ee15a7eca4f33d3fb9b

Download Submit
C:\Windows\{399D1408-A4EA-40d5-858D-E965F107A60E}.exe

Filesize
168KB

MD5
8cbc4992dd9f4df53bcf2b48f88ca97c

SHA1
33e11029dc77099892a3eb53928e63944179dea7

SHA256
cf27f2295f4741d799b4e4536da1582b622e0f37cc608aadc9efa4e0dd50ad6c

SHA512
93d7acad484f5a5e9e5fd28abcf70a85a9adcb678d59c37a866a4f72c42462faa359b242a03d455d3f1ba4c6d4174aae4c40dc4f47996ee15a7eca4f33d3fb9b

Download Submit
C:\Windows\{399D1408-A4EA-40d5-858D-E965F107A60E}.exe

Filesize
168KB

MD5
8cbc4992dd9f4df53bcf2b48f88ca97c

SHA1
33e11029dc77099892a3eb53928e63944179dea7

SHA256
cf27f2295f4741d799b4e4536da1582b622e0f37cc608aadc9efa4e0dd50ad6c

SHA512
93d7acad484f5a5e9e5fd28abcf70a85a9adcb678d59c37a866a4f72c42462faa359b242a03d455d3f1ba4c6d4174aae4c40dc4f47996ee15a7eca4f33d3fb9b

Download Submit
C:\Windows\{788866FA-30DD-486e-B6B3-9551368ADD49}.exe

Filesize
168KB

MD5
f3c3be494ef0c68ff71dd4ad8e91f28b

SHA1
aff759145d44cf2da4ba46f1b36d28b04babef63

SHA256
dc155c4fb39f0de8e4968df441a53572579c381889da8db126d228a5ecb5650a

SHA512
7274d4505d6eef04e20295ca8940f556eb81bf5304ba15ae6119ca051e3ce145e63260ee88a1c71b054066a830acd3131f8cbddaa66eca5bedcac1019af2fea3

Download Submit
C:\Windows\{788866FA-30DD-486e-B6B3-9551368ADD49}.exe

Filesize
168KB

MD5
f3c3be494ef0c68ff71dd4ad8e91f28b

SHA1
aff759145d44cf2da4ba46f1b36d28b04babef63

SHA256
dc155c4fb39f0de8e4968df441a53572579c381889da8db126d228a5ecb5650a

SHA512
7274d4505d6eef04e20295ca8940f556eb81bf5304ba15ae6119ca051e3ce145e63260ee88a1c71b054066a830acd3131f8cbddaa66eca5bedcac1019af2fea3

Download Submit
C:\Windows\{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe

Filesize
168KB

MD5
b8d1e957c71de5a7b46616815b61fc05

SHA1
36ce80207247d806bbcf6c1206977693611fabeb

SHA256
2733ce8749588fdcbfc69c463f2f2331fb4bc13602195d65f0d7585d4c80131f

SHA512
e5c5f35fa963fd58ec902fd85427ae2c7ab27cfc9bc9792537d9e72d16481f37aff413aa0f2b4907a3916fe8f2aeb1f7ce85cd12de4f50bf67307b4600d0c203

Download Submit
C:\Windows\{87B22CE8-C49D-43ce-8C14-68853DEDB276}.exe

Filesize
168KB

MD5
b8d1e957c71de5a7b46616815b61fc05

SHA1
36ce80207247d806bbcf6c1206977693611fabeb

SHA256
2733ce8749588fdcbfc69c463f2f2331fb4bc13602195d65f0d7585d4c80131f

SHA512
e5c5f35fa963fd58ec902fd85427ae2c7ab27cfc9bc9792537d9e72d16481f37aff413aa0f2b4907a3916fe8f2aeb1f7ce85cd12de4f50bf67307b4600d0c203

Download Submit
C:\Windows\{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe

Filesize
168KB

MD5
bb09fe187ce2ab4978acd6cf95b7f2bf

SHA1
8c467ec1a5ac4f3f77884fd9a68e75e5932bbcfe

SHA256
99a2d90e6c09613f2b6f51d7ffb2897bfac8484a190e39e2fd324d558bc7e79b

SHA512
9d635af076bbec12c775832f53f97ffc5bf223ccc4af7cd73ea018c78ff7c7a080fac38f4c31e447e28da826f88abbebfcca0d74499925eb236aabd14c5937d2

Download Submit
C:\Windows\{C7C61A11-FB3A-4fc8-A90B-87CCD396C2BC}.exe

Filesize
168KB

MD5
bb09fe187ce2ab4978acd6cf95b7f2bf

SHA1
8c467ec1a5ac4f3f77884fd9a68e75e5932bbcfe

SHA256
99a2d90e6c09613f2b6f51d7ffb2897bfac8484a190e39e2fd324d558bc7e79b

SHA512
9d635af076bbec12c775832f53f97ffc5bf223ccc4af7cd73ea018c78ff7c7a080fac38f4c31e447e28da826f88abbebfcca0d74499925eb236aabd14c5937d2

Download Submit
C:\Windows\{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe

Filesize
168KB

MD5
db78aa8f8c62f0eb4ed49b145e800051

SHA1
66829e47fa4d653c120b1167658d536692ed2720

SHA256
112e6bbbe65da3e6bd6052f17b42b95be2f06a62d47b91231f3e3bd05085ffac

SHA512
f86de1614306734974adb6d9dda2557294569efbad709b6429bea26898951fb136f111b2cf7a49670a74dee8d457e4e9fa207c54350bab439ad9f140e3969a76

Download Submit
C:\Windows\{C8DB1DC5-AA9E-4aac-B962-73B5BAFEBD90}.exe

Filesize
168KB

MD5
db78aa8f8c62f0eb4ed49b145e800051

SHA1
66829e47fa4d653c120b1167658d536692ed2720

SHA256
112e6bbbe65da3e6bd6052f17b42b95be2f06a62d47b91231f3e3bd05085ffac

SHA512
f86de1614306734974adb6d9dda2557294569efbad709b6429bea26898951fb136f111b2cf7a49670a74dee8d457e4e9fa207c54350bab439ad9f140e3969a76

Download Submit
C:\Windows\{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe

Filesize
168KB

MD5
07c59e2132f36115942ecdb6ce7fa69d

SHA1
dd78ea697d3d039bb929f61515f339a565809666

SHA256
7153ad503f37f1b722dea18d2a78f5351503372a8a391832d0656d4df408e374

SHA512
da7ee931f8b847fc70db301372156300f6147335fde26122dbeb2a6eaf2b0ff0cbc89e77255ecd51d08904629793b6fa926ce438b8526f617677f7e48c7fc359

Download Submit
C:\Windows\{D35EAE96-CE76-4a21-9DFD-441028EE3A89}.exe

Filesize
168KB

MD5
07c59e2132f36115942ecdb6ce7fa69d

SHA1
dd78ea697d3d039bb929f61515f339a565809666

SHA256
7153ad503f37f1b722dea18d2a78f5351503372a8a391832d0656d4df408e374

SHA512
da7ee931f8b847fc70db301372156300f6147335fde26122dbeb2a6eaf2b0ff0cbc89e77255ecd51d08904629793b6fa926ce438b8526f617677f7e48c7fc359

Download Submit
C:\Windows\{E198EA57-511D-42d3-93EB-94EED6F98C74}.exe

Filesize
168KB

MD5
effa9eee41ac4a90dbbf92384e78a35b

SHA1
f02875c08f31a4645e63e294f9e8ff9b7a9d5f0a

SHA256
3cf5bd72ea78579be23fd35da6829adc3c82edb1acc09dea09fccd02189bd53e

SHA512
e59122dcb88ab4a0bdcb7f69477cef63431f9cc3d57e02e4dcf4a897d5bc03b4f3af7e5fc6c11c6dfff934bbefa71b9932e8bf1a1c92923ce1dc671fc943b4b8

Download Submit
C:\Windows\{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe

Filesize
168KB

MD5
bc06b133751a7c5f7d51b674180a594d

SHA1
f6fa64f330b16033aa8af6886b5611a63220a328

SHA256
a40d6075fbf59a0a8fa84af53d65a2a5aa2ac3ec07f62f777be039e6e122da77

SHA512
17dd3f1a347c96294b2063d81f12c488360d860b4e4da5385bd7909c4190f56e6274f218a8b514d2268e6694385aa9cf1f9cec85958ead40f7e1ff9bf17b8e94

Download Submit
C:\Windows\{E3D311BB-58AC-498c-B6F7-0AFCA98DAFF3}.exe

Filesize
168KB

MD5
bc06b133751a7c5f7d51b674180a594d

SHA1
f6fa64f330b16033aa8af6886b5611a63220a328

SHA256
a40d6075fbf59a0a8fa84af53d65a2a5aa2ac3ec07f62f777be039e6e122da77

SHA512
17dd3f1a347c96294b2063d81f12c488360d860b4e4da5385bd7909c4190f56e6274f218a8b514d2268e6694385aa9cf1f9cec85958ead40f7e1ff9bf17b8e94

Download Submit