26e9e52144822899a4fa10f538036b69f4da3948904e916368a515d211113160

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18-07-2023 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb62073c00a7f6_JC.exe
Size

168KB
MD5

cb62073c00a7f60fa7e06e7d839fb5fb
SHA1

4a17a1a833429c66156e8dfc0a1ca0e88fd83fc3
SHA256

26e9e52144822899a4fa10f538036b69f4da3948904e916368a515d211113160
SHA512

548553abdc59026271132b1559a9a61e327eb43e036f55aa0bf0331ee7d1baeaa7518a9f524940cc0f1f63b0bd8ea8271f32a9cac7875e9488858c1e6f97f1f9
SSDEEP

1536:1EGh0orlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}	cb62073c00a7f6_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD908AB1-6A31-4031-8941-A5192F1B4B9C}	{5451A878-F746-42b6-808A-BA710D9384D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}\stubpath = "C:\\Windows\\{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe"	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAF15714-99C2-41bd-9661-80D27F3A6D85}\stubpath = "C:\\Windows\\{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe"	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D4E8D79-21D9-4c14-82E2-929E0C17295F}	{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}\stubpath = "C:\\Windows\\{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe"	cb62073c00a7f6_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5451A878-F746-42b6-808A-BA710D9384D3}	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD908AB1-6A31-4031-8941-A5192F1B4B9C}\stubpath = "C:\\Windows\\{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe"	{5451A878-F746-42b6-808A-BA710D9384D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FAF15714-99C2-41bd-9661-80D27F3A6D85}	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F775A22-25C7-4f5c-97FA-8427DEAECCAA}\stubpath = "C:\\Windows\\{9F775A22-25C7-4f5c-97FA-8427DEAECCAA}.exe"	{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}\stubpath = "C:\\Windows\\{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe"	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}\stubpath = "C:\\Windows\\{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe"	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5451A878-F746-42b6-808A-BA710D9384D3}\stubpath = "C:\\Windows\\{5451A878-F746-42b6-808A-BA710D9384D3}.exe"	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}\stubpath = "C:\\Windows\\{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe"	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D4E8D79-21D9-4c14-82E2-929E0C17295F}\stubpath = "C:\\Windows\\{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe"	{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}	{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}\stubpath = "C:\\Windows\\{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe"	{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F775A22-25C7-4f5c-97FA-8427DEAECCAA}	{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe

Deletes itself 1 IoCs

pid	Process
2988	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1508	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe
2408	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe
2928	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe
2976	{5451A878-F746-42b6-808A-BA710D9384D3}.exe
2864	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe
3012	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe
2692	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe
2824	{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe
2480	{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe
3040	{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe
2132	{9F775A22-25C7-4f5c-97FA-8427DEAECCAA}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe
File created	C:\Windows\{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe
File created	C:\Windows\{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe	{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe
File created	C:\Windows\{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe
File created	C:\Windows\{5451A878-F746-42b6-808A-BA710D9384D3}.exe	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe
File created	C:\Windows\{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe	{5451A878-F746-42b6-808A-BA710D9384D3}.exe
File created	C:\Windows\{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe
File created	C:\Windows\{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe
File created	C:\Windows\{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe	{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe
File created	C:\Windows\{9F775A22-25C7-4f5c-97FA-8427DEAECCAA}.exe	{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe
File created	C:\Windows\{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe	cb62073c00a7f6_JC.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1856	cb62073c00a7f6_JC.exe
Token: SeIncBasePriorityPrivilege	1508	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe
Token: SeIncBasePriorityPrivilege	2408	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe
Token: SeIncBasePriorityPrivilege	2928	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe
Token: SeIncBasePriorityPrivilege	2976	{5451A878-F746-42b6-808A-BA710D9384D3}.exe
Token: SeIncBasePriorityPrivilege	2864	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe
Token: SeIncBasePriorityPrivilege	3012	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe
Token: SeIncBasePriorityPrivilege	2692	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe
Token: SeIncBasePriorityPrivilege	2824	{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe
Token: SeIncBasePriorityPrivilege	2480	{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe
Token: SeIncBasePriorityPrivilege	3040	{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 1508	1856	cb62073c00a7f6_JC.exe	28
PID 1856 wrote to memory of 1508	1856	cb62073c00a7f6_JC.exe	28
PID 1856 wrote to memory of 1508	1856	cb62073c00a7f6_JC.exe	28
PID 1856 wrote to memory of 1508	1856	cb62073c00a7f6_JC.exe	28
PID 1856 wrote to memory of 2988	1856	cb62073c00a7f6_JC.exe	29
PID 1856 wrote to memory of 2988	1856	cb62073c00a7f6_JC.exe	29
PID 1856 wrote to memory of 2988	1856	cb62073c00a7f6_JC.exe	29
PID 1856 wrote to memory of 2988	1856	cb62073c00a7f6_JC.exe	29
PID 1508 wrote to memory of 2408	1508	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe	32
PID 1508 wrote to memory of 2408	1508	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe	32
PID 1508 wrote to memory of 2408	1508	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe	32
PID 1508 wrote to memory of 2408	1508	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe	32
PID 1508 wrote to memory of 2832	1508	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe	33
PID 1508 wrote to memory of 2832	1508	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe	33
PID 1508 wrote to memory of 2832	1508	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe	33
PID 1508 wrote to memory of 2832	1508	{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe	33
PID 2408 wrote to memory of 2928	2408	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe	34
PID 2408 wrote to memory of 2928	2408	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe	34
PID 2408 wrote to memory of 2928	2408	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe	34
PID 2408 wrote to memory of 2928	2408	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe	34
PID 2408 wrote to memory of 2860	2408	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe	35
PID 2408 wrote to memory of 2860	2408	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe	35
PID 2408 wrote to memory of 2860	2408	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe	35
PID 2408 wrote to memory of 2860	2408	{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe	35
PID 2928 wrote to memory of 2976	2928	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe	36
PID 2928 wrote to memory of 2976	2928	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe	36
PID 2928 wrote to memory of 2976	2928	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe	36
PID 2928 wrote to memory of 2976	2928	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe	36
PID 2928 wrote to memory of 2512	2928	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe	37
PID 2928 wrote to memory of 2512	2928	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe	37
PID 2928 wrote to memory of 2512	2928	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe	37
PID 2928 wrote to memory of 2512	2928	{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe	37
PID 2976 wrote to memory of 2864	2976	{5451A878-F746-42b6-808A-BA710D9384D3}.exe	38
PID 2976 wrote to memory of 2864	2976	{5451A878-F746-42b6-808A-BA710D9384D3}.exe	38
PID 2976 wrote to memory of 2864	2976	{5451A878-F746-42b6-808A-BA710D9384D3}.exe	38
PID 2976 wrote to memory of 2864	2976	{5451A878-F746-42b6-808A-BA710D9384D3}.exe	38
PID 2976 wrote to memory of 3000	2976	{5451A878-F746-42b6-808A-BA710D9384D3}.exe	39
PID 2976 wrote to memory of 3000	2976	{5451A878-F746-42b6-808A-BA710D9384D3}.exe	39
PID 2976 wrote to memory of 3000	2976	{5451A878-F746-42b6-808A-BA710D9384D3}.exe	39
PID 2976 wrote to memory of 3000	2976	{5451A878-F746-42b6-808A-BA710D9384D3}.exe	39
PID 2864 wrote to memory of 3012	2864	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe	40
PID 2864 wrote to memory of 3012	2864	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe	40
PID 2864 wrote to memory of 3012	2864	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe	40
PID 2864 wrote to memory of 3012	2864	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe	40
PID 2864 wrote to memory of 2756	2864	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe	41
PID 2864 wrote to memory of 2756	2864	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe	41
PID 2864 wrote to memory of 2756	2864	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe	41
PID 2864 wrote to memory of 2756	2864	{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe	41
PID 3012 wrote to memory of 2692	3012	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe	42
PID 3012 wrote to memory of 2692	3012	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe	42
PID 3012 wrote to memory of 2692	3012	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe	42
PID 3012 wrote to memory of 2692	3012	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe	42
PID 3012 wrote to memory of 2752	3012	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe	43
PID 3012 wrote to memory of 2752	3012	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe	43
PID 3012 wrote to memory of 2752	3012	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe	43
PID 3012 wrote to memory of 2752	3012	{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe	43
PID 2692 wrote to memory of 2824	2692	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe	44
PID 2692 wrote to memory of 2824	2692	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe	44
PID 2692 wrote to memory of 2824	2692	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe	44
PID 2692 wrote to memory of 2824	2692	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe	44
PID 2692 wrote to memory of 2744	2692	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe	45
PID 2692 wrote to memory of 2744	2692	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe	45
PID 2692 wrote to memory of 2744	2692	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe	45
PID 2692 wrote to memory of 2744	2692	{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe	45

C:\Users\Admin\AppData\Local\Temp\cb62073c00a7f6_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cb62073c00a7f6_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Windows\{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe
  C:\Windows\{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe
    C:\Windows\{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Windows\{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe
      C:\Windows\{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\{5451A878-F746-42b6-808A-BA710D9384D3}.exe
        
        C:\Windows\{5451A878-F746-42b6-808A-BA710D9384D3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
      - C:\Windows\{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe
        
        C:\Windows\{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe
        
        C:\Windows\{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
        
        C:\Windows\{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe
        
        C:\Windows\{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe
        
        C:\Windows\{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe
        
        C:\Windows\{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe
        
        C:\Windows\{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\{9F775A22-25C7-4f5c-97FA-8427DEAECCAA}.exe
        
        C:\Windows\{9F775A22-25C7-4f5c-97FA-8427DEAECCAA}.exe
        12⤵
        Executes dropped EXE
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62BE7~1.EXE > nul
        12⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D4E8~1.EXE > nul
        11⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAF15~1.EXE > nul
        10⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{505D4~1.EXE > nul
        9⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65CCB~1.EXE > nul
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD908~1.EXE > nul
        7⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5451A~1.EXE > nul
        6⤵
        
        PID:3000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1CDDF~1.EXE > nul
        5⤵
        
        PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{ADEB4~1.EXE > nul
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C7E0C~1.EXE > nul
    3⤵
    PID:2832
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CB6207~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe

Filesize
168KB

MD5
91d1f9890a0d29bb7ef5539b29413a67

SHA1
da47b5467e899ba95a134b8f7b1a59fa0ef6a3fd

SHA256
6a01131c1b3f47e6edaafa2ff896b0b64667b2cd4039be2ccf26ebb393b0e793

SHA512
7fd16c7e782e6024281cdffe78f3d86297a4cb9dc521b53ce4ecc0d93608faa677731523cc5ca5e69aebf9fea3357e774c0bee15282133f1cbb7ff5934137319

Download Submit
C:\Windows\{1CDDF2F5-8E08-4d68-9635-6BC0E66DE5B7}.exe

Filesize
168KB

MD5
91d1f9890a0d29bb7ef5539b29413a67

SHA1
da47b5467e899ba95a134b8f7b1a59fa0ef6a3fd

SHA256
6a01131c1b3f47e6edaafa2ff896b0b64667b2cd4039be2ccf26ebb393b0e793

SHA512
7fd16c7e782e6024281cdffe78f3d86297a4cb9dc521b53ce4ecc0d93608faa677731523cc5ca5e69aebf9fea3357e774c0bee15282133f1cbb7ff5934137319

Download Submit
C:\Windows\{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe

Filesize
168KB

MD5
215cfbc3ffc4f537a70151a0b937b1dd

SHA1
1791e8a6463381a17508da0d91cb2052536b5756

SHA256
3a9bb4b1b749e9aaeb2031ba33641a46f782237f4ccdc640f0dc30795e26ec5f

SHA512
0a3f15c0d3554f496b5ef2baa1135ac105e59aa6d9a07d8f4b611b74d1af475270aa6a3c1c4c336e19d9b27196b498ccbc0ce1e84c662ec68f58d1fc141a1037

Download Submit
C:\Windows\{505D43DA-EFEA-4b12-97EB-8CA774E83F7F}.exe

Filesize
168KB

MD5
215cfbc3ffc4f537a70151a0b937b1dd

SHA1
1791e8a6463381a17508da0d91cb2052536b5756

SHA256
3a9bb4b1b749e9aaeb2031ba33641a46f782237f4ccdc640f0dc30795e26ec5f

SHA512
0a3f15c0d3554f496b5ef2baa1135ac105e59aa6d9a07d8f4b611b74d1af475270aa6a3c1c4c336e19d9b27196b498ccbc0ce1e84c662ec68f58d1fc141a1037

Download Submit
C:\Windows\{5451A878-F746-42b6-808A-BA710D9384D3}.exe

Filesize
168KB

MD5
e9cdd08af42c4426890ccc4fbb6f7b2a

SHA1
055eb2952aa3827b1d592aa9ef191c7c60501b10

SHA256
5fdd80ecc9d733d34a1843e423c02a85eb217e3b76cbc7b1042f892410d2f8fc

SHA512
daf6f559c22a459a90dd23d83818793c039bc755daacfd6e9d53eee7f67bcbd02025d8c00e69ab5b125c63879b1acbfbac3b14e155448d1cec17f933ccc5295b

Download Submit
C:\Windows\{5451A878-F746-42b6-808A-BA710D9384D3}.exe

Filesize
168KB

MD5
e9cdd08af42c4426890ccc4fbb6f7b2a

SHA1
055eb2952aa3827b1d592aa9ef191c7c60501b10

SHA256
5fdd80ecc9d733d34a1843e423c02a85eb217e3b76cbc7b1042f892410d2f8fc

SHA512
daf6f559c22a459a90dd23d83818793c039bc755daacfd6e9d53eee7f67bcbd02025d8c00e69ab5b125c63879b1acbfbac3b14e155448d1cec17f933ccc5295b

Download Submit
C:\Windows\{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe

Filesize
168KB

MD5
cdd4f0cdc46f892bd31d3aac3e65787d

SHA1
c189c505f48f75a4d1e55afd742c052a8b90ab5e

SHA256
db27cd96f2ecfe2f3f851d0607f72b643afa84338671c1ce9eb13d31ecd1d016

SHA512
70bb2748defffefeff2c64ee628af6eb5d0d16839c348492e6465e7868dec39100bf3176d222ab5038add4cb97272d0236e570aa4c1546f6cbe57656fc4d05ab

Download Submit
C:\Windows\{62BE7A57-1D2B-4d5b-BCC3-5572D619AC18}.exe

Filesize
168KB

MD5
cdd4f0cdc46f892bd31d3aac3e65787d

SHA1
c189c505f48f75a4d1e55afd742c052a8b90ab5e

SHA256
db27cd96f2ecfe2f3f851d0607f72b643afa84338671c1ce9eb13d31ecd1d016

SHA512
70bb2748defffefeff2c64ee628af6eb5d0d16839c348492e6465e7868dec39100bf3176d222ab5038add4cb97272d0236e570aa4c1546f6cbe57656fc4d05ab

Download Submit
C:\Windows\{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe

Filesize
168KB

MD5
89422ba6474e9764128db4271be9d4e0

SHA1
ffb2c67c80fb4230336c385691c2fbfe3894546b

SHA256
6c02e2e1590bd06d1a68f833b6a4d72efc80b147f9f0f932e8b38dff56d0c61a

SHA512
303c17352fbca713be44a0ebf1c552604a5e6e963209ed525825cd5fd50e0dadae2119fee009e3012825cf3d4afc7f8186bf7640b7989ddf8488ec20621f7f5d

Download Submit
C:\Windows\{65CCB1FF-8EE4-450f-A03A-A85A472D55FE}.exe

Filesize
168KB

MD5
89422ba6474e9764128db4271be9d4e0

SHA1
ffb2c67c80fb4230336c385691c2fbfe3894546b

SHA256
6c02e2e1590bd06d1a68f833b6a4d72efc80b147f9f0f932e8b38dff56d0c61a

SHA512
303c17352fbca713be44a0ebf1c552604a5e6e963209ed525825cd5fd50e0dadae2119fee009e3012825cf3d4afc7f8186bf7640b7989ddf8488ec20621f7f5d

Download Submit
C:\Windows\{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe

Filesize
168KB

MD5
e26fc234254335250fadcdfaed863905

SHA1
3adb15ec83f2c6324fd9c290e0874a3fe02513b8

SHA256
75785804f68c0fd08926588daec7260cf4181e373147c21c459f96856f5efbdc

SHA512
434e01b74bb641e3ebe2c985c2a88b85990234f8c4530b065c9a42ad9eb86abea7c2187205124a9173c72362b8ff1376bf97f957cdddb77d6404e37ed6b10ead

Download Submit
C:\Windows\{9D4E8D79-21D9-4c14-82E2-929E0C17295F}.exe

Filesize
168KB

MD5
e26fc234254335250fadcdfaed863905

SHA1
3adb15ec83f2c6324fd9c290e0874a3fe02513b8

SHA256
75785804f68c0fd08926588daec7260cf4181e373147c21c459f96856f5efbdc

SHA512
434e01b74bb641e3ebe2c985c2a88b85990234f8c4530b065c9a42ad9eb86abea7c2187205124a9173c72362b8ff1376bf97f957cdddb77d6404e37ed6b10ead

Download Submit
C:\Windows\{9F775A22-25C7-4f5c-97FA-8427DEAECCAA}.exe

Filesize
168KB

MD5
f8fd6f1ad8022b660f1492798c04a0a6

SHA1
a069d4f370040b4ab65dddb5dcab5b30e4c76852

SHA256
ac3a5e291b526bd17c5f190aa11b536a7ff489a8364be126bbbdebc52e67a196

SHA512
8e4b5e79df10733cdf7d570ee5bc2a25a6b92576ddda3a5f170601f960472a61903c08bb2238bb2e5b79a7c71a54720b9200cd9d7b38223ac8841afbe41e62c4

Download Submit
C:\Windows\{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe

Filesize
168KB

MD5
16a3724b97a6b72edc9b4b0d3a2e1113

SHA1
6605ea6ee461f44c05f76fbd308524bd0cc38eb0

SHA256
cb1d4c69321c32321f580bf26294c0bbc436e1e22df364cad5d7e79bc0f62749

SHA512
6d3bb2093d86f6cb64fe9867fdf758b75e22ad9f659f156fbcc7117e7311902bb2dca496bdc12e9bb430fdb869e07ca42545e9a43348d68d04e8b370f039806a

Download Submit
C:\Windows\{ADEB4EEA-3373-4d69-B8D3-E2AD0B960082}.exe

Filesize
168KB

MD5
16a3724b97a6b72edc9b4b0d3a2e1113

SHA1
6605ea6ee461f44c05f76fbd308524bd0cc38eb0

SHA256
cb1d4c69321c32321f580bf26294c0bbc436e1e22df364cad5d7e79bc0f62749

SHA512
6d3bb2093d86f6cb64fe9867fdf758b75e22ad9f659f156fbcc7117e7311902bb2dca496bdc12e9bb430fdb869e07ca42545e9a43348d68d04e8b370f039806a

Download Submit
C:\Windows\{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe

Filesize
168KB

MD5
d1f52d7c98e25420fd478653e70a52a7

SHA1
7cd8c24b5c9f16b60581dd45c3c2f7e2d4df866b

SHA256
ca59b7940cbb7383fdf5259be0f006fcb42551f9009309e460e07f0c5d7b4469

SHA512
7539d5717cd8ebeb07627a1a86f9294490d2332ee10af59b01c14ffe8e0f0b979584dd41a2814a03ea981bc8ef3d8bc4ad33158421facf077e2b1339141e0efd

Download Submit
C:\Windows\{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe

Filesize
168KB

MD5
d1f52d7c98e25420fd478653e70a52a7

SHA1
7cd8c24b5c9f16b60581dd45c3c2f7e2d4df866b

SHA256
ca59b7940cbb7383fdf5259be0f006fcb42551f9009309e460e07f0c5d7b4469

SHA512
7539d5717cd8ebeb07627a1a86f9294490d2332ee10af59b01c14ffe8e0f0b979584dd41a2814a03ea981bc8ef3d8bc4ad33158421facf077e2b1339141e0efd

Download Submit
C:\Windows\{C7E0C9EB-6E78-4240-B82D-79EDF1C80C89}.exe

Filesize
168KB

MD5
d1f52d7c98e25420fd478653e70a52a7

SHA1
7cd8c24b5c9f16b60581dd45c3c2f7e2d4df866b

SHA256
ca59b7940cbb7383fdf5259be0f006fcb42551f9009309e460e07f0c5d7b4469

SHA512
7539d5717cd8ebeb07627a1a86f9294490d2332ee10af59b01c14ffe8e0f0b979584dd41a2814a03ea981bc8ef3d8bc4ad33158421facf077e2b1339141e0efd

Download Submit
C:\Windows\{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe

Filesize
168KB

MD5
9fbfe60ffffbba851bd2c0edb3c23f01

SHA1
bd10613cfdc4c021d8a0f5a5dcec9425e47db809

SHA256
f4fdec67897b2bd40c76c7e3d4029f399ddee4c590e58d54f9b4f48bf9817080

SHA512
002a32d6e82ec55e325424d2f2ab1922c3c01411080ed4a24f92113044537d92c985a336abadff757275f2fe470cb1a347756cdec93fcb07f3b6cb84c97679dc

Download Submit
C:\Windows\{CD908AB1-6A31-4031-8941-A5192F1B4B9C}.exe

Filesize
168KB

MD5
9fbfe60ffffbba851bd2c0edb3c23f01

SHA1
bd10613cfdc4c021d8a0f5a5dcec9425e47db809

SHA256
f4fdec67897b2bd40c76c7e3d4029f399ddee4c590e58d54f9b4f48bf9817080

SHA512
002a32d6e82ec55e325424d2f2ab1922c3c01411080ed4a24f92113044537d92c985a336abadff757275f2fe470cb1a347756cdec93fcb07f3b6cb84c97679dc

Download Submit
C:\Windows\{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe

Filesize
168KB

MD5
a14ffc2a730789e47b0ccb044bc7e57c

SHA1
273a780e9d238512f50a6c9041ff832e0849b471

SHA256
78c550d64d798f95edf4644ca6e55b6edaefa4bcc93834e308e7f4e40f42a2f1

SHA512
a73942926421d1d01f297d9a2d3fb13524c54939b891bbef77bf5b52de3ef99623859d1d172b833f04099bda542ad99d2bb1f9cc64f543d22bd026a8f1e9ac75

Download Submit
C:\Windows\{FAF15714-99C2-41bd-9661-80D27F3A6D85}.exe

Filesize
168KB

MD5
a14ffc2a730789e47b0ccb044bc7e57c

SHA1
273a780e9d238512f50a6c9041ff832e0849b471

SHA256
78c550d64d798f95edf4644ca6e55b6edaefa4bcc93834e308e7f4e40f42a2f1

SHA512
a73942926421d1d01f297d9a2d3fb13524c54939b891bbef77bf5b52de3ef99623859d1d172b833f04099bda542ad99d2bb1f9cc64f543d22bd026a8f1e9ac75

Download Submit