26e9e52144822899a4fa10f538036b69f4da3948904e916368a515d211113160

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/07/2023, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb62073c00a7f6_JC.exe
Size

168KB
MD5

cb62073c00a7f60fa7e06e7d839fb5fb
SHA1

4a17a1a833429c66156e8dfc0a1ca0e88fd83fc3
SHA256

26e9e52144822899a4fa10f538036b69f4da3948904e916368a515d211113160
SHA512

548553abdc59026271132b1559a9a61e327eb43e036f55aa0bf0331ee7d1baeaa7518a9f524940cc0f1f63b0bd8ea8271f32a9cac7875e9488858c1e6f97f1f9
SSDEEP

1536:1EGh0orlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0orlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}\stubpath = "C:\\Windows\\{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe"	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{662D0378-61D4-4019-AAB8-38A88C70D740}	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}\stubpath = "C:\\Windows\\{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe"	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}\stubpath = "C:\\Windows\\{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe"	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F24D5617-C820-45b2-866F-0F4EEE0823E6}\stubpath = "C:\\Windows\\{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe"	{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}\stubpath = "C:\\Windows\\{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe"	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86FC2979-8A0A-4200-993D-CB186B73DB12}\stubpath = "C:\\Windows\\{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe"	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}\stubpath = "C:\\Windows\\{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe"	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{989519D4-4966-49c7-A53A-01FAE2A86728}\stubpath = "C:\\Windows\\{989519D4-4966-49c7-A53A-01FAE2A86728}.exe"	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E148CE0-6C78-4891-95F5-AB26D9CDE2F2}	{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F27BD3D8-74DE-458f-863B-313EE63F9D8F}	cb62073c00a7f6_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86FC2979-8A0A-4200-993D-CB186B73DB12}	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{662D0378-61D4-4019-AAB8-38A88C70D740}\stubpath = "C:\\Windows\\{662D0378-61D4-4019-AAB8-38A88C70D740}.exe"	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9E0F95D-8098-44da-884A-826FA4E23CAC}	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9E0F95D-8098-44da-884A-826FA4E23CAC}\stubpath = "C:\\Windows\\{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe"	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F27BD3D8-74DE-458f-863B-313EE63F9D8F}\stubpath = "C:\\Windows\\{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe"	cb62073c00a7f6_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{989519D4-4966-49c7-A53A-01FAE2A86728}	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F24D5617-C820-45b2-866F-0F4EEE0823E6}	{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3E148CE0-6C78-4891-95F5-AB26D9CDE2F2}\stubpath = "C:\\Windows\\{3E148CE0-6C78-4891-95F5-AB26D9CDE2F2}.exe"	{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe

Executes dropped EXE 12 IoCs

pid	Process
4244	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe
2904	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe
4980	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe
3964	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe
4188	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe
1408	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe
3996	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe
4292	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe
2052	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe
4460	{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe
548	{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe
4392	{3E148CE0-6C78-4891-95F5-AB26D9CDE2F2}.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{41D1583B-39DA-4325-92B1-8FDFD6F22487}.catalogItem	svchost.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe	cb62073c00a7f6_JC.exe
File created	C:\Windows\{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe
File created	C:\Windows\{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe
File created	C:\Windows\{662D0378-61D4-4019-AAB8-38A88C70D740}.exe	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe
File created	C:\Windows\{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe
File created	C:\Windows\{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe	{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe
File created	C:\Windows\{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe
File created	C:\Windows\{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe
File created	C:\Windows\{989519D4-4966-49c7-A53A-01FAE2A86728}.exe	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe
File created	C:\Windows\{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe
File created	C:\Windows\{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe
File created	C:\Windows\{3E148CE0-6C78-4891-95F5-AB26D9CDE2F2}.exe	{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4308	cb62073c00a7f6_JC.exe
Token: SeIncBasePriorityPrivilege	4244	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe
Token: SeIncBasePriorityPrivilege	2904	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe
Token: SeIncBasePriorityPrivilege	4980	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe
Token: SeIncBasePriorityPrivilege	3964	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe
Token: SeIncBasePriorityPrivilege	4188	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe
Token: SeIncBasePriorityPrivilege	1408	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe
Token: SeIncBasePriorityPrivilege	3996	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe
Token: SeIncBasePriorityPrivilege	4292	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe
Token: SeIncBasePriorityPrivilege	2052	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe
Token: SeIncBasePriorityPrivilege	4460	{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe
Token: SeIncBasePriorityPrivilege	548	{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4308 wrote to memory of 4244	4308	cb62073c00a7f6_JC.exe	96
PID 4308 wrote to memory of 4244	4308	cb62073c00a7f6_JC.exe	96
PID 4308 wrote to memory of 4244	4308	cb62073c00a7f6_JC.exe	96
PID 4308 wrote to memory of 3548	4308	cb62073c00a7f6_JC.exe	97
PID 4308 wrote to memory of 3548	4308	cb62073c00a7f6_JC.exe	97
PID 4308 wrote to memory of 3548	4308	cb62073c00a7f6_JC.exe	97
PID 4244 wrote to memory of 2904	4244	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe	98
PID 4244 wrote to memory of 2904	4244	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe	98
PID 4244 wrote to memory of 2904	4244	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe	98
PID 4244 wrote to memory of 2248	4244	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe	99
PID 4244 wrote to memory of 2248	4244	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe	99
PID 4244 wrote to memory of 2248	4244	{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe	99
PID 2904 wrote to memory of 4980	2904	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe	103
PID 2904 wrote to memory of 4980	2904	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe	103
PID 2904 wrote to memory of 4980	2904	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe	103
PID 2904 wrote to memory of 4920	2904	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe	102
PID 2904 wrote to memory of 4920	2904	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe	102
PID 2904 wrote to memory of 4920	2904	{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe	102
PID 4980 wrote to memory of 3964	4980	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe	104
PID 4980 wrote to memory of 3964	4980	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe	104
PID 4980 wrote to memory of 3964	4980	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe	104
PID 4980 wrote to memory of 484	4980	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe	105
PID 4980 wrote to memory of 484	4980	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe	105
PID 4980 wrote to memory of 484	4980	{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe	105
PID 3964 wrote to memory of 4188	3964	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe	106
PID 3964 wrote to memory of 4188	3964	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe	106
PID 3964 wrote to memory of 4188	3964	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe	106
PID 3964 wrote to memory of 3736	3964	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe	107
PID 3964 wrote to memory of 3736	3964	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe	107
PID 3964 wrote to memory of 3736	3964	{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe	107
PID 4188 wrote to memory of 1408	4188	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe	109
PID 4188 wrote to memory of 1408	4188	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe	109
PID 4188 wrote to memory of 1408	4188	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe	109
PID 4188 wrote to memory of 4004	4188	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe	110
PID 4188 wrote to memory of 4004	4188	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe	110
PID 4188 wrote to memory of 4004	4188	{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe	110
PID 1408 wrote to memory of 3996	1408	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe	111
PID 1408 wrote to memory of 3996	1408	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe	111
PID 1408 wrote to memory of 3996	1408	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe	111
PID 1408 wrote to memory of 2908	1408	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe	112
PID 1408 wrote to memory of 2908	1408	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe	112
PID 1408 wrote to memory of 2908	1408	{989519D4-4966-49c7-A53A-01FAE2A86728}.exe	112
PID 3996 wrote to memory of 4292	3996	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe	113
PID 3996 wrote to memory of 4292	3996	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe	113
PID 3996 wrote to memory of 4292	3996	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe	113
PID 3996 wrote to memory of 2692	3996	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe	114
PID 3996 wrote to memory of 2692	3996	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe	114
PID 3996 wrote to memory of 2692	3996	{662D0378-61D4-4019-AAB8-38A88C70D740}.exe	114
PID 4292 wrote to memory of 2052	4292	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe	121
PID 4292 wrote to memory of 2052	4292	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe	121
PID 4292 wrote to memory of 2052	4292	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe	121
PID 4292 wrote to memory of 832	4292	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe	122
PID 4292 wrote to memory of 832	4292	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe	122
PID 4292 wrote to memory of 832	4292	{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe	122
PID 2052 wrote to memory of 4460	2052	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe	123
PID 2052 wrote to memory of 4460	2052	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe	123
PID 2052 wrote to memory of 4460	2052	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe	123
PID 2052 wrote to memory of 3824	2052	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe	124
PID 2052 wrote to memory of 3824	2052	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe	124
PID 2052 wrote to memory of 3824	2052	{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe	124
PID 4460 wrote to memory of 548	4460	{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe	125
PID 4460 wrote to memory of 548	4460	{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe	125
PID 4460 wrote to memory of 548	4460	{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe	125
PID 4460 wrote to memory of 2124	4460	{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cb62073c00a7f6_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cb62073c00a7f6_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308
- C:\Windows\{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe
  C:\Windows\{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4244
- - C:\Windows\{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe
    C:\Windows\{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8F017~1.EXE > nul
      4⤵
      PID:4920
  - - C:\Windows\{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe
      C:\Windows\{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe
        
        C:\Windows\{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3964
      - C:\Windows\{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe
        
        C:\Windows\{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\{989519D4-4966-49c7-A53A-01FAE2A86728}.exe
        
        C:\Windows\{989519D4-4966-49c7-A53A-01FAE2A86728}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\{662D0378-61D4-4019-AAB8-38A88C70D740}.exe
        
        C:\Windows\{662D0378-61D4-4019-AAB8-38A88C70D740}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3996
        
        C:\Windows\{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe
        
        C:\Windows\{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4292
        
        C:\Windows\{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe
        
        C:\Windows\{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe
        
        C:\Windows\{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4460
        
        C:\Windows\{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe
        
        C:\Windows\{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\{3E148CE0-6C78-4891-95F5-AB26D9CDE2F2}.exe
        
        C:\Windows\{3E148CE0-6C78-4891-95F5-AB26D9CDE2F2}.exe
        13⤵
        Executes dropped EXE
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F24D5~1.EXE > nul
        13⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9E0F~1.EXE > nul
        12⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D9E2~1.EXE > nul
        11⤵
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCB6C~1.EXE > nul
        10⤵
        
        PID:832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{662D0~1.EXE > nul
        9⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98951~1.EXE > nul
        8⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9FCC0~1.EXE > nul
        7⤵
        
        PID:4004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86FC2~1.EXE > nul
        6⤵
        
        PID:3736
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2905~1.EXE > nul
        5⤵
        
        PID:484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F27BD~1.EXE > nul
    3⤵
    PID:2248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CB6207~1.EXE > nul
  2⤵
  PID:3548

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:4572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3E148CE0-6C78-4891-95F5-AB26D9CDE2F2}.exe

Filesize
168KB

MD5
8c6f7b0c81717aaf3a80e538d62186c5

SHA1
56cda9ad44afbc093a862756295cba210b307dfd

SHA256
d60dd340c5676728b953278812ccadfc40fe0199a6b2d8eb76078d5341975ec7

SHA512
a1215df3ec19480b8b1859cbba1c813b4b1aaabef5de8e04248be8bb91ca68fb96beb68680984479665287110af1e7bf701d0e1936a5ff3252cf572d74990288

Download Submit
C:\Windows\{3E148CE0-6C78-4891-95F5-AB26D9CDE2F2}.exe

Filesize
168KB

MD5
8c6f7b0c81717aaf3a80e538d62186c5

SHA1
56cda9ad44afbc093a862756295cba210b307dfd

SHA256
d60dd340c5676728b953278812ccadfc40fe0199a6b2d8eb76078d5341975ec7

SHA512
a1215df3ec19480b8b1859cbba1c813b4b1aaabef5de8e04248be8bb91ca68fb96beb68680984479665287110af1e7bf701d0e1936a5ff3252cf572d74990288

Download Submit
C:\Windows\{662D0378-61D4-4019-AAB8-38A88C70D740}.exe

Filesize
168KB

MD5
dede1a3a595569f095af532e283cdd82

SHA1
038cb6a2834e16480df4e82f56242c92ca869753

SHA256
928389417053306fd3948f867ce62a5fc8950cc395c61204926a6a08d7fdeecb

SHA512
caa62dd58f08faebc8dc765c635ed18dd8510d97ffc30ef87668592fd12c8100feb727018ebf40543e05949a366cb5438362243f74a368709312dfd2baf8b48b

Download Submit
C:\Windows\{662D0378-61D4-4019-AAB8-38A88C70D740}.exe

Filesize
168KB

MD5
dede1a3a595569f095af532e283cdd82

SHA1
038cb6a2834e16480df4e82f56242c92ca869753

SHA256
928389417053306fd3948f867ce62a5fc8950cc395c61204926a6a08d7fdeecb

SHA512
caa62dd58f08faebc8dc765c635ed18dd8510d97ffc30ef87668592fd12c8100feb727018ebf40543e05949a366cb5438362243f74a368709312dfd2baf8b48b

Download Submit
C:\Windows\{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe

Filesize
168KB

MD5
638a6d24802d62d0419c0bc12f3f8783

SHA1
eaf0516dcc5f25d395ad9e6c52d0dd5555df5b87

SHA256
0982f45d1ae105444f15744df57741ecacbdc8aac67102ee022a11141f2b49f4

SHA512
f6a888489725b6e5b3945f85effaeb7530dfaea2a40ec32724c2f39c890e45f611df30a8472dcc873b13221dbfb8210df0f1f1bcc4b5e663f1f105e581ef0497

Download Submit
C:\Windows\{86FC2979-8A0A-4200-993D-CB186B73DB12}.exe

Filesize
168KB

MD5
638a6d24802d62d0419c0bc12f3f8783

SHA1
eaf0516dcc5f25d395ad9e6c52d0dd5555df5b87

SHA256
0982f45d1ae105444f15744df57741ecacbdc8aac67102ee022a11141f2b49f4

SHA512
f6a888489725b6e5b3945f85effaeb7530dfaea2a40ec32724c2f39c890e45f611df30a8472dcc873b13221dbfb8210df0f1f1bcc4b5e663f1f105e581ef0497

Download Submit
C:\Windows\{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe

Filesize
168KB

MD5
21a6da7c1c341d42c5932de57ace451e

SHA1
fca77e6a7f83219d43c10fd25994a838309a7ecf

SHA256
36ec86a46c4a381978a71f12f576b691046de5b806b5b224c8f4895248a070c1

SHA512
99c4462bc75006bb232037f6376c8eacee5a73eb32b75d4857560011fcd91bbc3a398f1e950616aa39b812685455ed4f7c7137ffc1d7ff137ba25eae0671d5b8

Download Submit
C:\Windows\{8F017EEA-A508-4b8d-8FFC-B4CD2351067B}.exe

Filesize
168KB

MD5
21a6da7c1c341d42c5932de57ace451e

SHA1
fca77e6a7f83219d43c10fd25994a838309a7ecf

SHA256
36ec86a46c4a381978a71f12f576b691046de5b806b5b224c8f4895248a070c1

SHA512
99c4462bc75006bb232037f6376c8eacee5a73eb32b75d4857560011fcd91bbc3a398f1e950616aa39b812685455ed4f7c7137ffc1d7ff137ba25eae0671d5b8

Download Submit
C:\Windows\{989519D4-4966-49c7-A53A-01FAE2A86728}.exe

Filesize
168KB

MD5
bfdc69e58c0857217c0edc2196b2d092

SHA1
5da9ad5a3ba626a963fe358ba1e24362731fe116

SHA256
84b32b1405b06d3e1f832bdbcefee601e70e5490e71c81ff9ba2fe285724f1de

SHA512
61323edfc64a62522699b6544cf9f50710be221e83e5e46ff0295c872462e13761a3ac5f4c83e80444002e7ec5b6cf93b822337d0bd4077a7c09cea14b06e9ca

Download Submit
C:\Windows\{989519D4-4966-49c7-A53A-01FAE2A86728}.exe

Filesize
168KB

MD5
bfdc69e58c0857217c0edc2196b2d092

SHA1
5da9ad5a3ba626a963fe358ba1e24362731fe116

SHA256
84b32b1405b06d3e1f832bdbcefee601e70e5490e71c81ff9ba2fe285724f1de

SHA512
61323edfc64a62522699b6544cf9f50710be221e83e5e46ff0295c872462e13761a3ac5f4c83e80444002e7ec5b6cf93b822337d0bd4077a7c09cea14b06e9ca

Download Submit
C:\Windows\{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe

Filesize
168KB

MD5
695fe2bb167b6ac9a3d972da27b52889

SHA1
41086939b4f4bc597ccd528039086d1d63a9c45e

SHA256
673bd3f65d72757f814a914c457cbd147b6e4643fd700f1b111a02010b46204e

SHA512
3751253da3ae2fd4ee5ad0987b0d3422f3dcfe3405fa35dba968898cd2a1a495a693358a62b9c1617f0da49cbd40ef6de65290f9c9d61ddb9dbceeb6feaa5c49

Download Submit
C:\Windows\{9D9E2B3F-27EE-4173-8EB8-30BBBDAF5A7E}.exe

Filesize
168KB

MD5
695fe2bb167b6ac9a3d972da27b52889

SHA1
41086939b4f4bc597ccd528039086d1d63a9c45e

SHA256
673bd3f65d72757f814a914c457cbd147b6e4643fd700f1b111a02010b46204e

SHA512
3751253da3ae2fd4ee5ad0987b0d3422f3dcfe3405fa35dba968898cd2a1a495a693358a62b9c1617f0da49cbd40ef6de65290f9c9d61ddb9dbceeb6feaa5c49

Download Submit
C:\Windows\{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe

Filesize
168KB

MD5
a48bf008a4b79bac0e27ab382a93ba39

SHA1
f313fdfa6edf04d586f368c4a47309db1f2f4aa1

SHA256
93914111135874ff2a09df69f96924902c8bf734441f52adb1d320cd7ff6c676

SHA512
7381d13899b427e91fe5422ef235b7062bcb7b2b0e23cc72b3d05321334741301b19eac48e0ece0e590ee65b3ce8d7b7bd11b0e881ff38df12c39ecd5c846291

Download Submit
C:\Windows\{9FCC0CAE-7ECC-4375-9055-B560B3AB4614}.exe

Filesize
168KB

MD5
a48bf008a4b79bac0e27ab382a93ba39

SHA1
f313fdfa6edf04d586f368c4a47309db1f2f4aa1

SHA256
93914111135874ff2a09df69f96924902c8bf734441f52adb1d320cd7ff6c676

SHA512
7381d13899b427e91fe5422ef235b7062bcb7b2b0e23cc72b3d05321334741301b19eac48e0ece0e590ee65b3ce8d7b7bd11b0e881ff38df12c39ecd5c846291

Download Submit
C:\Windows\{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe

Filesize
168KB

MD5
3080c93eafe9fffb525a22e99246def6

SHA1
ac0aa808e5374c5740a0c860fc0c8c8b27f6c5ec

SHA256
9e4aafe116c2475e8b39e41520337fe4f6d26bbb0d5ecda7fc9097bf0f858a11

SHA512
1296995cb23a4536ac219e4afc1c23972950159896dd02f7e8ca036354cde43584dfee48919a0856daf3f7a1884ec3b1b5021472a1d7159e24dade08970f61a5

Download Submit
C:\Windows\{DCB6CA1C-E2F9-4cac-B67B-B66A16D2D31D}.exe

Filesize
168KB

MD5
3080c93eafe9fffb525a22e99246def6

SHA1
ac0aa808e5374c5740a0c860fc0c8c8b27f6c5ec

SHA256
9e4aafe116c2475e8b39e41520337fe4f6d26bbb0d5ecda7fc9097bf0f858a11

SHA512
1296995cb23a4536ac219e4afc1c23972950159896dd02f7e8ca036354cde43584dfee48919a0856daf3f7a1884ec3b1b5021472a1d7159e24dade08970f61a5

Download Submit
C:\Windows\{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe

Filesize
168KB

MD5
a5d0cf53ddf289c88c49dd17434b3656

SHA1
618411ceef3de126e59ea86f4ccaa63324abc76f

SHA256
f8bb221540e0537f6162208431ea3bc2af6d626a6dca5d61338a5ca5bbf0fba9

SHA512
c899700268670eb60034d37fa59c783277a72da032a722520e6df1f021f92e070a07017acec89ff1f67547789c518a445d76a5a8963e9ac69edfefc2cb4da797

Download Submit
C:\Windows\{F24D5617-C820-45b2-866F-0F4EEE0823E6}.exe

Filesize
168KB

MD5
a5d0cf53ddf289c88c49dd17434b3656

SHA1
618411ceef3de126e59ea86f4ccaa63324abc76f

SHA256
f8bb221540e0537f6162208431ea3bc2af6d626a6dca5d61338a5ca5bbf0fba9

SHA512
c899700268670eb60034d37fa59c783277a72da032a722520e6df1f021f92e070a07017acec89ff1f67547789c518a445d76a5a8963e9ac69edfefc2cb4da797

Download Submit
C:\Windows\{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe

Filesize
168KB

MD5
390aec4ce0025584e26f5b5f31b40021

SHA1
f5a0272889782ed201c2ae81226f980f78c6fea2

SHA256
8d6e21f421e3b149c4ba6e17ea0f53460bdbe0cc554d71b4720ef08c7abc21fe

SHA512
f8e4ed7845037533dad2cb9fa71b6d2986fc45ac927c1c0e3d8d8dfebc25344f56e40165510a57cf3786bd990fe274a04bf34954a17b0a697c3999ca43a92ec8

Download Submit
C:\Windows\{F27BD3D8-74DE-458f-863B-313EE63F9D8F}.exe

Filesize
168KB

MD5
390aec4ce0025584e26f5b5f31b40021

SHA1
f5a0272889782ed201c2ae81226f980f78c6fea2

SHA256
8d6e21f421e3b149c4ba6e17ea0f53460bdbe0cc554d71b4720ef08c7abc21fe

SHA512
f8e4ed7845037533dad2cb9fa71b6d2986fc45ac927c1c0e3d8d8dfebc25344f56e40165510a57cf3786bd990fe274a04bf34954a17b0a697c3999ca43a92ec8

Download Submit
C:\Windows\{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe

Filesize
168KB

MD5
ae99e8acbbfef358eeabe38f75b0ce5b

SHA1
84265ff4b49653f61ef504bd9cc66b8290e8bfb2

SHA256
dbadebbd3aca7f3b4060eb93835c8f18b5942be3b9e25b9a2d1861ddcd501640

SHA512
84e64c85dcbb5405f42b97f5ff91d1e0aecf2df6384753e66bc09c056d5f3055fd62649f025dc850aa1526a0489ca5da7f04fd794ecb2b59c04e25914d6c2f5b

Download Submit
C:\Windows\{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe

Filesize
168KB

MD5
ae99e8acbbfef358eeabe38f75b0ce5b

SHA1
84265ff4b49653f61ef504bd9cc66b8290e8bfb2

SHA256
dbadebbd3aca7f3b4060eb93835c8f18b5942be3b9e25b9a2d1861ddcd501640

SHA512
84e64c85dcbb5405f42b97f5ff91d1e0aecf2df6384753e66bc09c056d5f3055fd62649f025dc850aa1526a0489ca5da7f04fd794ecb2b59c04e25914d6c2f5b

Download Submit
C:\Windows\{F29055B3-E9AF-46e8-935B-A2B301AC3C7F}.exe

Filesize
168KB

MD5
ae99e8acbbfef358eeabe38f75b0ce5b

SHA1
84265ff4b49653f61ef504bd9cc66b8290e8bfb2

SHA256
dbadebbd3aca7f3b4060eb93835c8f18b5942be3b9e25b9a2d1861ddcd501640

SHA512
84e64c85dcbb5405f42b97f5ff91d1e0aecf2df6384753e66bc09c056d5f3055fd62649f025dc850aa1526a0489ca5da7f04fd794ecb2b59c04e25914d6c2f5b

Download Submit
C:\Windows\{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe

Filesize
168KB

MD5
08c88b16f554489d956e5ebfc7659f60

SHA1
b011786cc3ad5608e257667b5119d2561c11eb88

SHA256
41c19b40171aaef82d7c844052a7f733efe453fa0f4fa717925a17ce5e2180e5

SHA512
f408a7d1fe5d09d817610efcfeedc2c0a029ad6e0f9cc30cba5227a6b71087443a860f961fb7ec753c8ff14cbb6d554dcec2d4aed85f3a03edf6531327ceceea

Download Submit
C:\Windows\{F9E0F95D-8098-44da-884A-826FA4E23CAC}.exe

Filesize
168KB

MD5
08c88b16f554489d956e5ebfc7659f60

SHA1
b011786cc3ad5608e257667b5119d2561c11eb88

SHA256
41c19b40171aaef82d7c844052a7f733efe453fa0f4fa717925a17ce5e2180e5

SHA512
f408a7d1fe5d09d817610efcfeedc2c0a029ad6e0f9cc30cba5227a6b71087443a860f961fb7ec753c8ff14cbb6d554dcec2d4aed85f3a03edf6531327ceceea

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads