c3e7633876a82456749e118f36201f575b31d3bd37a023da0197db05a1cd3d9c

Analysis

max time kernel
144s
max time network
124s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 15:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be28520491565e_JC.exe
Size

372KB
MD5

be28520491565ea3318a58bc09dece71
SHA1

35d17caf73e2f7bb0c5cbdf299567fe18360f7e5
SHA256

c3e7633876a82456749e118f36201f575b31d3bd37a023da0197db05a1cd3d9c
SHA512

4b37b94a603bc965fe3e6085edfcd471625ac7cfbfcac60878405e24dc0fc6d78c1ac3117c4695cfe3475c1c2419901fa11b50a2a5427ebefb107bb83c6ea662
SSDEEP

3072:CEGh0o5mlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGml/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6EB2643-6A97-4bdb-93D7-B205115F8E69}\stubpath = "C:\\Windows\\{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe"	{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5356E65-263D-44c4-A612-6D62E239C19A}	{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18AE81BC-3783-4d2d-979D-957C7F0F36C4}	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{18AE81BC-3783-4d2d-979D-957C7F0F36C4}\stubpath = "C:\\Windows\\{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe"	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{850485FA-C1BB-401a-B5E7-476075691A71}	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}	{850485FA-C1BB-401a-B5E7-476075691A71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AD8173F-C86F-416c-9956-7206ECA3736F}	be28520491565e_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}\stubpath = "C:\\Windows\\{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe"	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6EB2643-6A97-4bdb-93D7-B205115F8E69}	{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B5356E65-263D-44c4-A612-6D62E239C19A}\stubpath = "C:\\Windows\\{B5356E65-263D-44c4-A612-6D62E239C19A}.exe"	{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2AD8173F-C86F-416c-9956-7206ECA3736F}\stubpath = "C:\\Windows\\{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe"	be28520491565e_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C928024-9483-4f94-8A29-4B9F9BE035ED}\stubpath = "C:\\Windows\\{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe"	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{150BC7D4-A3FE-40ac-B83C-4F144354268A}\stubpath = "C:\\Windows\\{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe"	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}\stubpath = "C:\\Windows\\{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe"	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}\stubpath = "C:\\Windows\\{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe"	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{850485FA-C1BB-401a-B5E7-476075691A71}\stubpath = "C:\\Windows\\{850485FA-C1BB-401a-B5E7-476075691A71}.exe"	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}\stubpath = "C:\\Windows\\{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe"	{850485FA-C1BB-401a-B5E7-476075691A71}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C928024-9483-4f94-8A29-4B9F9BE035ED}	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{150BC7D4-A3FE-40ac-B83C-4F144354268A}	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe

Deletes itself 1 IoCs

pid	Process
2248	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1324	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe
2340	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe
2968	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe
2708	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe
2876	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe
1848	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe
2716	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe
2444	{850485FA-C1BB-401a-B5E7-476075691A71}.exe
532	{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe
548	{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe
240	{B5356E65-263D-44c4-A612-6D62E239C19A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe
File created	C:\Windows\{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe
File created	C:\Windows\{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe
File created	C:\Windows\{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe
File created	C:\Windows\{850485FA-C1BB-401a-B5E7-476075691A71}.exe	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe
File created	C:\Windows\{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe	{850485FA-C1BB-401a-B5E7-476075691A71}.exe
File created	C:\Windows\{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe	{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe
File created	C:\Windows\{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe	be28520491565e_JC.exe
File created	C:\Windows\{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe
File created	C:\Windows\{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe
File created	C:\Windows\{B5356E65-263D-44c4-A612-6D62E239C19A}.exe	{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2544	be28520491565e_JC.exe
Token: SeIncBasePriorityPrivilege	1324	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe
Token: SeIncBasePriorityPrivilege	2340	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe
Token: SeIncBasePriorityPrivilege	2968	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe
Token: SeIncBasePriorityPrivilege	2708	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe
Token: SeIncBasePriorityPrivilege	2876	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe
Token: SeIncBasePriorityPrivilege	1848	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe
Token: SeIncBasePriorityPrivilege	2716	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe
Token: SeIncBasePriorityPrivilege	2444	{850485FA-C1BB-401a-B5E7-476075691A71}.exe
Token: SeIncBasePriorityPrivilege	532	{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe
Token: SeIncBasePriorityPrivilege	548	{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 1324	2544	be28520491565e_JC.exe	28
PID 2544 wrote to memory of 1324	2544	be28520491565e_JC.exe	28
PID 2544 wrote to memory of 1324	2544	be28520491565e_JC.exe	28
PID 2544 wrote to memory of 1324	2544	be28520491565e_JC.exe	28
PID 2544 wrote to memory of 2248	2544	be28520491565e_JC.exe	29
PID 2544 wrote to memory of 2248	2544	be28520491565e_JC.exe	29
PID 2544 wrote to memory of 2248	2544	be28520491565e_JC.exe	29
PID 2544 wrote to memory of 2248	2544	be28520491565e_JC.exe	29
PID 1324 wrote to memory of 2340	1324	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe	32
PID 1324 wrote to memory of 2340	1324	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe	32
PID 1324 wrote to memory of 2340	1324	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe	32
PID 1324 wrote to memory of 2340	1324	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe	32
PID 1324 wrote to memory of 2852	1324	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe	33
PID 1324 wrote to memory of 2852	1324	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe	33
PID 1324 wrote to memory of 2852	1324	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe	33
PID 1324 wrote to memory of 2852	1324	{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe	33
PID 2340 wrote to memory of 2968	2340	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe	34
PID 2340 wrote to memory of 2968	2340	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe	34
PID 2340 wrote to memory of 2968	2340	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe	34
PID 2340 wrote to memory of 2968	2340	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe	34
PID 2340 wrote to memory of 2808	2340	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe	35
PID 2340 wrote to memory of 2808	2340	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe	35
PID 2340 wrote to memory of 2808	2340	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe	35
PID 2340 wrote to memory of 2808	2340	{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe	35
PID 2968 wrote to memory of 2708	2968	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe	36
PID 2968 wrote to memory of 2708	2968	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe	36
PID 2968 wrote to memory of 2708	2968	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe	36
PID 2968 wrote to memory of 2708	2968	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe	36
PID 2968 wrote to memory of 2980	2968	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe	37
PID 2968 wrote to memory of 2980	2968	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe	37
PID 2968 wrote to memory of 2980	2968	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe	37
PID 2968 wrote to memory of 2980	2968	{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe	37
PID 2708 wrote to memory of 2876	2708	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe	38
PID 2708 wrote to memory of 2876	2708	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe	38
PID 2708 wrote to memory of 2876	2708	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe	38
PID 2708 wrote to memory of 2876	2708	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe	38
PID 2708 wrote to memory of 2728	2708	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe	39
PID 2708 wrote to memory of 2728	2708	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe	39
PID 2708 wrote to memory of 2728	2708	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe	39
PID 2708 wrote to memory of 2728	2708	{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe	39
PID 2876 wrote to memory of 1848	2876	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe	40
PID 2876 wrote to memory of 1848	2876	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe	40
PID 2876 wrote to memory of 1848	2876	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe	40
PID 2876 wrote to memory of 1848	2876	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe	40
PID 2876 wrote to memory of 2924	2876	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe	41
PID 2876 wrote to memory of 2924	2876	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe	41
PID 2876 wrote to memory of 2924	2876	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe	41
PID 2876 wrote to memory of 2924	2876	{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe	41
PID 1848 wrote to memory of 2716	1848	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe	42
PID 1848 wrote to memory of 2716	1848	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe	42
PID 1848 wrote to memory of 2716	1848	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe	42
PID 1848 wrote to memory of 2716	1848	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe	42
PID 1848 wrote to memory of 2760	1848	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe	43
PID 1848 wrote to memory of 2760	1848	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe	43
PID 1848 wrote to memory of 2760	1848	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe	43
PID 1848 wrote to memory of 2760	1848	{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe	43
PID 2716 wrote to memory of 2444	2716	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe	44
PID 2716 wrote to memory of 2444	2716	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe	44
PID 2716 wrote to memory of 2444	2716	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe	44
PID 2716 wrote to memory of 2444	2716	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe	44
PID 2716 wrote to memory of 2404	2716	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe	45
PID 2716 wrote to memory of 2404	2716	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe	45
PID 2716 wrote to memory of 2404	2716	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe	45
PID 2716 wrote to memory of 2404	2716	{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe	45

C:\Users\Admin\AppData\Local\Temp\be28520491565e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\be28520491565e_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Windows\{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe
  C:\Windows\{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe
    C:\Windows\{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe
      C:\Windows\{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe
        
        C:\Windows\{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe
        
        C:\Windows\{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2876
        
        C:\Windows\{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe
        
        C:\Windows\{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe
        
        C:\Windows\{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\{850485FA-C1BB-401a-B5E7-476075691A71}.exe
        
        C:\Windows\{850485FA-C1BB-401a-B5E7-476075691A71}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe
        
        C:\Windows\{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Windows\{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe
        
        C:\Windows\{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{B5356E65-263D-44c4-A612-6D62E239C19A}.exe
        
        C:\Windows\{B5356E65-263D-44c4-A612-6D62E239C19A}.exe
        12⤵
        Executes dropped EXE
        
        PID:240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6EB2~1.EXE > nul
        12⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FE50~1.EXE > nul
        11⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85048~1.EXE > nul
        10⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C33C~1.EXE > nul
        9⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{18AE8~1.EXE > nul
        8⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA633~1.EXE > nul
        7⤵
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ABD87~1.EXE > nul
        6⤵
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{150BC~1.EXE > nul
        5⤵
        
        PID:2980
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0C928~1.EXE > nul
      4⤵
      PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2AD81~1.EXE > nul
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\BE2852~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2248

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe

Filesize
372KB

MD5
db376443811fd4063ec228867e4f81be

SHA1
785cef6c652392a944fb3a77f8314a96b53245a4

SHA256
117c056d9055ccacce1917ddf62450f06168949ab65aaa43fd035e289f3c94a5

SHA512
61cbbe43a7156c04bfe8abd0be3fff584b7d34cb9f788b9562bb144530d0e41e03861c4a437c0f6e76e65f95144de1c0298bc17142d217ee4c69c44002eb586b

Download Submit
C:\Windows\{0C928024-9483-4f94-8A29-4B9F9BE035ED}.exe

Filesize
372KB

MD5
db376443811fd4063ec228867e4f81be

SHA1
785cef6c652392a944fb3a77f8314a96b53245a4

SHA256
117c056d9055ccacce1917ddf62450f06168949ab65aaa43fd035e289f3c94a5

SHA512
61cbbe43a7156c04bfe8abd0be3fff584b7d34cb9f788b9562bb144530d0e41e03861c4a437c0f6e76e65f95144de1c0298bc17142d217ee4c69c44002eb586b

Download Submit
C:\Windows\{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe

Filesize
372KB

MD5
b19fa432482a86965048d47b472cd336

SHA1
3bcee9d3e8b1d7d7ed947742519d40c6a5b9b184

SHA256
0b54345bdcd5600236e137851566d049fadef96748178f96a4df51b784270ad7

SHA512
77eb609364be25d1af571e30829704d756eb905336258f45273c26d7976e1aa93b73f2039366ef002bb1a40cc387825c6278c05fee9dcd400b0e83ec3662a3b7

Download Submit
C:\Windows\{150BC7D4-A3FE-40ac-B83C-4F144354268A}.exe

Filesize
372KB

MD5
b19fa432482a86965048d47b472cd336

SHA1
3bcee9d3e8b1d7d7ed947742519d40c6a5b9b184

SHA256
0b54345bdcd5600236e137851566d049fadef96748178f96a4df51b784270ad7

SHA512
77eb609364be25d1af571e30829704d756eb905336258f45273c26d7976e1aa93b73f2039366ef002bb1a40cc387825c6278c05fee9dcd400b0e83ec3662a3b7

Download Submit
C:\Windows\{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe

Filesize
372KB

MD5
3c18ee3d384509a276c7abf2b61e202d

SHA1
b98bdf3f5d0001972df2105d777086547ed44f19

SHA256
7465d7a693cedf90c3e12b549717c9e1477e8bcf9b9c2dcd385ce9c9fa83f98a

SHA512
7cdd507c120be6b063a4c9348fc0f8594848d1d518f2b6a60611d86ae357c2ccf83a7d942fb18fabcab7b7e5b8976787d2fc6b48caaea7af0d7151e2ed545780

Download Submit
C:\Windows\{18AE81BC-3783-4d2d-979D-957C7F0F36C4}.exe

Filesize
372KB

MD5
3c18ee3d384509a276c7abf2b61e202d

SHA1
b98bdf3f5d0001972df2105d777086547ed44f19

SHA256
7465d7a693cedf90c3e12b549717c9e1477e8bcf9b9c2dcd385ce9c9fa83f98a

SHA512
7cdd507c120be6b063a4c9348fc0f8594848d1d518f2b6a60611d86ae357c2ccf83a7d942fb18fabcab7b7e5b8976787d2fc6b48caaea7af0d7151e2ed545780

Download Submit
C:\Windows\{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe

Filesize
372KB

MD5
2745bc16490b94c626c4c00411290b43

SHA1
b098ab3bc40a68802dd69dffcd53981687a26e57

SHA256
cc6737b8f7c8d10ef1fd6d3c603b2d5942d88e2d14e397b9c5d5ab20f5ac163e

SHA512
c03cd6daed9dda7c7e61d9d77fb729981a4bbb71b68a900cb762be0644372b146eefb401980faff2dff14f4df469e7a7432f3f7c04634aaabb01071b86e5feae

Download Submit
C:\Windows\{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe

Filesize
372KB

MD5
2745bc16490b94c626c4c00411290b43

SHA1
b098ab3bc40a68802dd69dffcd53981687a26e57

SHA256
cc6737b8f7c8d10ef1fd6d3c603b2d5942d88e2d14e397b9c5d5ab20f5ac163e

SHA512
c03cd6daed9dda7c7e61d9d77fb729981a4bbb71b68a900cb762be0644372b146eefb401980faff2dff14f4df469e7a7432f3f7c04634aaabb01071b86e5feae

Download Submit
C:\Windows\{2AD8173F-C86F-416c-9956-7206ECA3736F}.exe

Filesize
372KB

MD5
2745bc16490b94c626c4c00411290b43

SHA1
b098ab3bc40a68802dd69dffcd53981687a26e57

SHA256
cc6737b8f7c8d10ef1fd6d3c603b2d5942d88e2d14e397b9c5d5ab20f5ac163e

SHA512
c03cd6daed9dda7c7e61d9d77fb729981a4bbb71b68a900cb762be0644372b146eefb401980faff2dff14f4df469e7a7432f3f7c04634aaabb01071b86e5feae

Download Submit
C:\Windows\{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe

Filesize
372KB

MD5
5ce388d70c1efbb585f84650270cbf82

SHA1
7875984677da8c073067ca61faf6be6ae819fc98

SHA256
e6e78abf8d53e9c3ee4ace12bc01efc64d20f6e7b8d640791df96020c5400f1b

SHA512
c5b9af5c34e9a0489b69ade16ab121b0eade73dbb65d923aad05610ab441d5e1f99e2aa0475de05b1d12825b8773dc79c12600c490630aa05defda075ebe61df

Download Submit
C:\Windows\{5FE506B0-D0F5-4aaa-8C95-8D93170121AB}.exe

Filesize
372KB

MD5
5ce388d70c1efbb585f84650270cbf82

SHA1
7875984677da8c073067ca61faf6be6ae819fc98

SHA256
e6e78abf8d53e9c3ee4ace12bc01efc64d20f6e7b8d640791df96020c5400f1b

SHA512
c5b9af5c34e9a0489b69ade16ab121b0eade73dbb65d923aad05610ab441d5e1f99e2aa0475de05b1d12825b8773dc79c12600c490630aa05defda075ebe61df

Download Submit
C:\Windows\{850485FA-C1BB-401a-B5E7-476075691A71}.exe

Filesize
372KB

MD5
994644f7ca351680df00d45b17584871

SHA1
f735c3f841282d64238772c929ca0974c8f7a96a

SHA256
d733b662564b4c02a0590a66e95556a602bdb2bf348d70dfdd37ec0e5b675da5

SHA512
d9813d49e96ada302a3d755b9be57f8ae90796c5d7bbb1f82a54d50165cf3301c66f6053f05f19088c999f3695f1c923eea55bb5cb8a07af4882444681740450

Download Submit
C:\Windows\{850485FA-C1BB-401a-B5E7-476075691A71}.exe

Filesize
372KB

MD5
994644f7ca351680df00d45b17584871

SHA1
f735c3f841282d64238772c929ca0974c8f7a96a

SHA256
d733b662564b4c02a0590a66e95556a602bdb2bf348d70dfdd37ec0e5b675da5

SHA512
d9813d49e96ada302a3d755b9be57f8ae90796c5d7bbb1f82a54d50165cf3301c66f6053f05f19088c999f3695f1c923eea55bb5cb8a07af4882444681740450

Download Submit
C:\Windows\{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe

Filesize
372KB

MD5
20c698cd36c3ab9133288eee917be8a5

SHA1
9464ae95c744830972ff51f3996233090374ff4e

SHA256
87083fafb63bb51e9f785cd184ee3d2aa9b77e004f065e87134fa585f514da10

SHA512
b946f46b1475f95e3ca1e91b93ea9d1bb66223a0e30501d69c2a51799054beb90e87c8821972b0b368cbceae82b4492f7435e737e90916242a47c918deb96758

Download Submit
C:\Windows\{9C33C122-A4D5-4169-B8F5-FE466D47C3AF}.exe

Filesize
372KB

MD5
20c698cd36c3ab9133288eee917be8a5

SHA1
9464ae95c744830972ff51f3996233090374ff4e

SHA256
87083fafb63bb51e9f785cd184ee3d2aa9b77e004f065e87134fa585f514da10

SHA512
b946f46b1475f95e3ca1e91b93ea9d1bb66223a0e30501d69c2a51799054beb90e87c8821972b0b368cbceae82b4492f7435e737e90916242a47c918deb96758

Download Submit
C:\Windows\{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe

Filesize
372KB

MD5
ee8064eb01993f30913bf64a7178c0e6

SHA1
c71ecf407bb7e2cff919bc376b6e3c6890276e47

SHA256
d934bd0ef8596a972358f5e2184f17bf7f2fd592772f4f54e1cde8ee8a252b6b

SHA512
3972716565936e72b3ec8aee542562200d68a8dc18c00cd1149ba54e21227bef7c8652393565cca2a5ef6f80726bba1e1511586176e4b360e9a918faa8895053

Download Submit
C:\Windows\{AA633EA1-58CB-4436-AC10-9E3628ADF3EB}.exe

Filesize
372KB

MD5
ee8064eb01993f30913bf64a7178c0e6

SHA1
c71ecf407bb7e2cff919bc376b6e3c6890276e47

SHA256
d934bd0ef8596a972358f5e2184f17bf7f2fd592772f4f54e1cde8ee8a252b6b

SHA512
3972716565936e72b3ec8aee542562200d68a8dc18c00cd1149ba54e21227bef7c8652393565cca2a5ef6f80726bba1e1511586176e4b360e9a918faa8895053

Download Submit
C:\Windows\{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe

Filesize
372KB

MD5
a29c7090ba865301f9b2415b8e49e7e2

SHA1
38c51107796d02e92cd28cb17a4015b6f3e0ce9c

SHA256
382f73b00d3d9962eed8559e6e4f26bfc2523f2a272994e91ed83e787e4ecfe5

SHA512
ed3b68e6a97035ac87e99b0e65871810fa80f7c65083f7db8d49549a11919b130d7a86760a3a6ba980da96acc8d91207ce8c63829acb0f5b38ddcfbd27616922

Download Submit
C:\Windows\{ABD87EB7-FCDE-4b29-AD36-DBF350E683B6}.exe

Filesize
372KB

MD5
a29c7090ba865301f9b2415b8e49e7e2

SHA1
38c51107796d02e92cd28cb17a4015b6f3e0ce9c

SHA256
382f73b00d3d9962eed8559e6e4f26bfc2523f2a272994e91ed83e787e4ecfe5

SHA512
ed3b68e6a97035ac87e99b0e65871810fa80f7c65083f7db8d49549a11919b130d7a86760a3a6ba980da96acc8d91207ce8c63829acb0f5b38ddcfbd27616922

Download Submit
C:\Windows\{B5356E65-263D-44c4-A612-6D62E239C19A}.exe

Filesize
372KB

MD5
373f4ea6deffb1b7ad0ae4fb0f08d98d

SHA1
1a47fd4cabd7b6aefa13e7f4cdcdb5cdefc1ad4d

SHA256
bd53c153af0ef12cedad1b3d3e8d49f1cce3105ab8fa80e529e404f7794708ca

SHA512
753cd791aa88df3de52e209dd4620683c535ac6b20ff330d6f3faf57cc2e36230a8a931b743e08fa3c0a9d12d43b2fcc7465cddf0fb0c2e0e693424c2f0d4662

Download Submit
C:\Windows\{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe

Filesize
372KB

MD5
44ea1f4bd2cced7453120df187fe7b76

SHA1
039e1b02ec4d2c3eb2c2026ba82c75f2a38802f9

SHA256
9c835d372bf47f1706e6ae94d24fae4c3c761802a874603d7b0b26546e0f935c

SHA512
c0636afb3d9643798f20300f45aef303c2c1629d11422eb6a7d492c086cdae2d61fc817e2d8f393f3c617707fbf46a4cb3da16cb7d4c3b6355cd31347a6e48b1

Download Submit
C:\Windows\{F6EB2643-6A97-4bdb-93D7-B205115F8E69}.exe

Filesize
372KB

MD5
44ea1f4bd2cced7453120df187fe7b76

SHA1
039e1b02ec4d2c3eb2c2026ba82c75f2a38802f9

SHA256
9c835d372bf47f1706e6ae94d24fae4c3c761802a874603d7b0b26546e0f935c

SHA512
c0636afb3d9643798f20300f45aef303c2c1629d11422eb6a7d492c086cdae2d61fc817e2d8f393f3c617707fbf46a4cb3da16cb7d4c3b6355cd31347a6e48b1

Download Submit