a9eb72f5b506fb14b1f659bf7a0914f1247cc72c30499f655ae2b72de2b42b49

Analysis

max time kernel
144s
max time network
125s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
18/07/2023, 18:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cd92792f5c44a2_JC.exe
Size

168KB
MD5

cd92792f5c44a29a08b40c31f7cbe024
SHA1

fb993e91893656476777cca4d759d6b7f02511d7
SHA256

a9eb72f5b506fb14b1f659bf7a0914f1247cc72c30499f655ae2b72de2b42b49
SHA512

d02041002731924f03b77af1282bfa6013219508abf46c06955e145b19c2d4a1f96dcd55ea7b02e2c1e74d60f4aed2735ef41b9b54aadea41a8cf014be17c92b
SSDEEP

1536:1EGh0oPlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oPlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{500BE895-41B6-4f3d-ABBD-C8023A21EE76}	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F256726-185C-4540-9ED9-2B824C7D5A98}\stubpath = "C:\\Windows\\{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe"	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}\stubpath = "C:\\Windows\\{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe"	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65FFF0D4-1AF3-4995-863D-911A4144DD67}	{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEBF958-EE65-45a7-88DD-6290588B7CDE}	cd92792f5c44a2_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9F256726-185C-4540-9ED9-2B824C7D5A98}	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65FFF0D4-1AF3-4995-863D-911A4144DD67}\stubpath = "C:\\Windows\\{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe"	{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFBA0A48-F957-4e33-A895-43537BB11111}\stubpath = "C:\\Windows\\{DFBA0A48-F957-4e33-A895-43537BB11111}.exe"	{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A27AF8C9-7265-48b5-9133-1892294BAA19}\stubpath = "C:\\Windows\\{A27AF8C9-7265-48b5-9133-1892294BAA19}.exe"	{DFBA0A48-F957-4e33-A895-43537BB11111}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{500BE895-41B6-4f3d-ABBD-C8023A21EE76}\stubpath = "C:\\Windows\\{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe"	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}\stubpath = "C:\\Windows\\{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe"	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}\stubpath = "C:\\Windows\\{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe"	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D86335F-9474-42f3-98C4-E709ECAF76E5}	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9D86335F-9474-42f3-98C4-E709ECAF76E5}\stubpath = "C:\\Windows\\{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe"	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6212282-37D0-440f-9FF6-46A2C846D04A}	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1EEBF958-EE65-45a7-88DD-6290588B7CDE}\stubpath = "C:\\Windows\\{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe"	cd92792f5c44a2_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D6212282-37D0-440f-9FF6-46A2C846D04A}\stubpath = "C:\\Windows\\{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe"	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFBA0A48-F957-4e33-A895-43537BB11111}	{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A27AF8C9-7265-48b5-9133-1892294BAA19}	{DFBA0A48-F957-4e33-A895-43537BB11111}.exe

Deletes itself 1 IoCs

pid	Process
1580	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2300	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe
2488	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe
2928	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe
2152	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe
2944	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe
2848	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe
2720	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe
2388	{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe
1524	{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe
972	{DFBA0A48-F957-4e33-A895-43537BB11111}.exe
2076	{A27AF8C9-7265-48b5-9133-1892294BAA19}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe
File created	C:\Windows\{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe
File created	C:\Windows\{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe
File created	C:\Windows\{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe
File created	C:\Windows\{A27AF8C9-7265-48b5-9133-1892294BAA19}.exe	{DFBA0A48-F957-4e33-A895-43537BB11111}.exe
File created	C:\Windows\{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe	cd92792f5c44a2_JC.exe
File created	C:\Windows\{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe
File created	C:\Windows\{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe
File created	C:\Windows\{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe
File created	C:\Windows\{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe	{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe
File created	C:\Windows\{DFBA0A48-F957-4e33-A895-43537BB11111}.exe	{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2224	cd92792f5c44a2_JC.exe
Token: SeIncBasePriorityPrivilege	2300	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe
Token: SeIncBasePriorityPrivilege	2488	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe
Token: SeIncBasePriorityPrivilege	2928	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe
Token: SeIncBasePriorityPrivilege	2152	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe
Token: SeIncBasePriorityPrivilege	2944	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe
Token: SeIncBasePriorityPrivilege	2848	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe
Token: SeIncBasePriorityPrivilege	2720	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe
Token: SeIncBasePriorityPrivilege	2388	{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe
Token: SeIncBasePriorityPrivilege	1524	{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe
Token: SeIncBasePriorityPrivilege	972	{DFBA0A48-F957-4e33-A895-43537BB11111}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2300	2224	cd92792f5c44a2_JC.exe	28
PID 2224 wrote to memory of 2300	2224	cd92792f5c44a2_JC.exe	28
PID 2224 wrote to memory of 2300	2224	cd92792f5c44a2_JC.exe	28
PID 2224 wrote to memory of 2300	2224	cd92792f5c44a2_JC.exe	28
PID 2224 wrote to memory of 1580	2224	cd92792f5c44a2_JC.exe	29
PID 2224 wrote to memory of 1580	2224	cd92792f5c44a2_JC.exe	29
PID 2224 wrote to memory of 1580	2224	cd92792f5c44a2_JC.exe	29
PID 2224 wrote to memory of 1580	2224	cd92792f5c44a2_JC.exe	29
PID 2300 wrote to memory of 2488	2300	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe	32
PID 2300 wrote to memory of 2488	2300	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe	32
PID 2300 wrote to memory of 2488	2300	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe	32
PID 2300 wrote to memory of 2488	2300	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe	32
PID 2300 wrote to memory of 2852	2300	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe	33
PID 2300 wrote to memory of 2852	2300	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe	33
PID 2300 wrote to memory of 2852	2300	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe	33
PID 2300 wrote to memory of 2852	2300	{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe	33
PID 2488 wrote to memory of 2928	2488	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe	34
PID 2488 wrote to memory of 2928	2488	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe	34
PID 2488 wrote to memory of 2928	2488	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe	34
PID 2488 wrote to memory of 2928	2488	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe	34
PID 2488 wrote to memory of 2864	2488	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe	35
PID 2488 wrote to memory of 2864	2488	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe	35
PID 2488 wrote to memory of 2864	2488	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe	35
PID 2488 wrote to memory of 2864	2488	{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe	35
PID 2928 wrote to memory of 2152	2928	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe	36
PID 2928 wrote to memory of 2152	2928	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe	36
PID 2928 wrote to memory of 2152	2928	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe	36
PID 2928 wrote to memory of 2152	2928	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe	36
PID 2928 wrote to memory of 2996	2928	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe	37
PID 2928 wrote to memory of 2996	2928	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe	37
PID 2928 wrote to memory of 2996	2928	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe	37
PID 2928 wrote to memory of 2996	2928	{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe	37
PID 2152 wrote to memory of 2944	2152	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe	39
PID 2152 wrote to memory of 2944	2152	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe	39
PID 2152 wrote to memory of 2944	2152	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe	39
PID 2152 wrote to memory of 2944	2152	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe	39
PID 2152 wrote to memory of 884	2152	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe	38
PID 2152 wrote to memory of 884	2152	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe	38
PID 2152 wrote to memory of 884	2152	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe	38
PID 2152 wrote to memory of 884	2152	{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe	38
PID 2944 wrote to memory of 2848	2944	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe	41
PID 2944 wrote to memory of 2848	2944	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe	41
PID 2944 wrote to memory of 2848	2944	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe	41
PID 2944 wrote to memory of 2848	2944	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe	41
PID 2944 wrote to memory of 2824	2944	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe	40
PID 2944 wrote to memory of 2824	2944	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe	40
PID 2944 wrote to memory of 2824	2944	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe	40
PID 2944 wrote to memory of 2824	2944	{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe	40
PID 2848 wrote to memory of 2720	2848	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe	42
PID 2848 wrote to memory of 2720	2848	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe	42
PID 2848 wrote to memory of 2720	2848	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe	42
PID 2848 wrote to memory of 2720	2848	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe	42
PID 2848 wrote to memory of 2784	2848	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe	43
PID 2848 wrote to memory of 2784	2848	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe	43
PID 2848 wrote to memory of 2784	2848	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe	43
PID 2848 wrote to memory of 2784	2848	{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe	43
PID 2720 wrote to memory of 2388	2720	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe	44
PID 2720 wrote to memory of 2388	2720	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe	44
PID 2720 wrote to memory of 2388	2720	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe	44
PID 2720 wrote to memory of 2388	2720	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe	44
PID 2720 wrote to memory of 2632	2720	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe	45
PID 2720 wrote to memory of 2632	2720	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe	45
PID 2720 wrote to memory of 2632	2720	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe	45
PID 2720 wrote to memory of 2632	2720	{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe	45

C:\Users\Admin\AppData\Local\Temp\cd92792f5c44a2_JC.exe
"C:\Users\Admin\AppData\Local\Temp\cd92792f5c44a2_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe
  C:\Windows\{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe
    C:\Windows\{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe
      C:\Windows\{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe
        
        C:\Windows\{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48E1A~1.EXE > nul
        6⤵
        
        PID:884
      - C:\Windows\{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe
        
        C:\Windows\{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83D6B~1.EXE > nul
        7⤵
        
        PID:2824
        
        C:\Windows\{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe
        
        C:\Windows\{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe
        
        C:\Windows\{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe
        
        C:\Windows\{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6212~1.EXE > nul
        10⤵
        
        PID:1940
        
        C:\Windows\{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe
        
        C:\Windows\{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\{DFBA0A48-F957-4e33-A895-43537BB11111}.exe
        
        C:\Windows\{DFBA0A48-F957-4e33-A895-43537BB11111}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFBA0~1.EXE > nul
        12⤵
        
        PID:3016
        
        C:\Windows\{A27AF8C9-7265-48b5-9133-1892294BAA19}.exe
        
        C:\Windows\{A27AF8C9-7265-48b5-9133-1892294BAA19}.exe
        12⤵
        Executes dropped EXE
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65FFF~1.EXE > nul
        11⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D863~1.EXE > nul
        9⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48DA1~1.EXE > nul
        8⤵
        
        PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9F256~1.EXE > nul
        5⤵
        
        PID:2996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{500BE~1.EXE > nul
      4⤵
      PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1EEBF~1.EXE > nul
    3⤵
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\CD9279~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe

Filesize
168KB

MD5
3b43331036067c60732594ccbc8ef9c3

SHA1
76bd6adcfa9b7baee7522d27da46e4021a11a793

SHA256
c081ee37e44e7bf473f9d01cca05cde2b350316c4929d9597a825be1d252a14f

SHA512
374c81439efe77784f3d695de49719d3459570bdb594f3d9156b0245c7d4c66b73e540a2b300926cee5e43940c5a729f9a7141b015d186178168f61312cc4db5

Download Submit
C:\Windows\{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe

Filesize
168KB

MD5
3b43331036067c60732594ccbc8ef9c3

SHA1
76bd6adcfa9b7baee7522d27da46e4021a11a793

SHA256
c081ee37e44e7bf473f9d01cca05cde2b350316c4929d9597a825be1d252a14f

SHA512
374c81439efe77784f3d695de49719d3459570bdb594f3d9156b0245c7d4c66b73e540a2b300926cee5e43940c5a729f9a7141b015d186178168f61312cc4db5

Download Submit
C:\Windows\{1EEBF958-EE65-45a7-88DD-6290588B7CDE}.exe

Filesize
168KB

MD5
3b43331036067c60732594ccbc8ef9c3

SHA1
76bd6adcfa9b7baee7522d27da46e4021a11a793

SHA256
c081ee37e44e7bf473f9d01cca05cde2b350316c4929d9597a825be1d252a14f

SHA512
374c81439efe77784f3d695de49719d3459570bdb594f3d9156b0245c7d4c66b73e540a2b300926cee5e43940c5a729f9a7141b015d186178168f61312cc4db5

Download Submit
C:\Windows\{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe

Filesize
168KB

MD5
0cd31270b4d834d9896e7046e0c1e02d

SHA1
a4039bfd711bf152244edc61d88ce36cd4bb8327

SHA256
04c33bc8c7d0eb1b8ed86c89475de6e91f7009b1f702856b17ea34ea721c98e6

SHA512
698341012bb20685bceb72df0e22da80e7f1a56b0c8d36f28b59ec72a43a756713070e8ad106b182b3b5a8af9e1a9ece634ee7caa76c0835d474169c1ccb4ee9

Download Submit
C:\Windows\{48DA16B0-5F4F-4f8c-B9F1-D6F2FF11B1F3}.exe

Filesize
168KB

MD5
0cd31270b4d834d9896e7046e0c1e02d

SHA1
a4039bfd711bf152244edc61d88ce36cd4bb8327

SHA256
04c33bc8c7d0eb1b8ed86c89475de6e91f7009b1f702856b17ea34ea721c98e6

SHA512
698341012bb20685bceb72df0e22da80e7f1a56b0c8d36f28b59ec72a43a756713070e8ad106b182b3b5a8af9e1a9ece634ee7caa76c0835d474169c1ccb4ee9

Download Submit
C:\Windows\{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe

Filesize
168KB

MD5
d2f8cf0eb9e675ed4596e19b70913e71

SHA1
1191ddc8037b9c17caf34e85baecf9f7ada2f9f0

SHA256
18f98768ab3f89a4423c19a0234848c250dcc6cba43158005854440831c3a519

SHA512
7313f0ad9949231188f85e2888e4d91781e9c474a0333990dd5089ee042fca20963e8b429d2a759cc4814f1d38291316fa3cf20a6c7821e7da2fbd4d0d27c57d

Download Submit
C:\Windows\{48E1A8FF-5C5E-4705-8FAB-EC9E16F563C8}.exe

Filesize
168KB

MD5
d2f8cf0eb9e675ed4596e19b70913e71

SHA1
1191ddc8037b9c17caf34e85baecf9f7ada2f9f0

SHA256
18f98768ab3f89a4423c19a0234848c250dcc6cba43158005854440831c3a519

SHA512
7313f0ad9949231188f85e2888e4d91781e9c474a0333990dd5089ee042fca20963e8b429d2a759cc4814f1d38291316fa3cf20a6c7821e7da2fbd4d0d27c57d

Download Submit
C:\Windows\{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe

Filesize
168KB

MD5
8b9be4672054e2dd6b6b4fba41243e9c

SHA1
b9780ab4f5dde85ae8896bb2966216d549e067a7

SHA256
5bc4a2095f43345753598e5f1c345847e8106b520903f7be4096b7fb96d89e20

SHA512
942a95266f4a6b53424c91f9c90a054f7a40347f3073731c291b9eb9a22e7c78630bfb0122c5e801f25f7c5e8be0ea1b5442f008a0a75d8366299923bb693baa

Download Submit
C:\Windows\{500BE895-41B6-4f3d-ABBD-C8023A21EE76}.exe

Filesize
168KB

MD5
8b9be4672054e2dd6b6b4fba41243e9c

SHA1
b9780ab4f5dde85ae8896bb2966216d549e067a7

SHA256
5bc4a2095f43345753598e5f1c345847e8106b520903f7be4096b7fb96d89e20

SHA512
942a95266f4a6b53424c91f9c90a054f7a40347f3073731c291b9eb9a22e7c78630bfb0122c5e801f25f7c5e8be0ea1b5442f008a0a75d8366299923bb693baa

Download Submit
C:\Windows\{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe

Filesize
168KB

MD5
0bfa3c6aef455fc3cb7b65e7f7a5d08d

SHA1
992d462149cdc1a406a6bdaced7d8c53c74f9288

SHA256
a9f0ad68d3a219d58eafdcac2decb1c6d7f6c9da6f28b31d8917fb9110d8bda0

SHA512
afd94df2d4c1f7ce97c28f47bbada1d4d768d431eb214c210aca095db1c827d0a9147d43839af5dd283a0e5ee3b1c4b7ab47def5ff17aafdfd1a7203b375cfed

Download Submit
C:\Windows\{65FFF0D4-1AF3-4995-863D-911A4144DD67}.exe

Filesize
168KB

MD5
0bfa3c6aef455fc3cb7b65e7f7a5d08d

SHA1
992d462149cdc1a406a6bdaced7d8c53c74f9288

SHA256
a9f0ad68d3a219d58eafdcac2decb1c6d7f6c9da6f28b31d8917fb9110d8bda0

SHA512
afd94df2d4c1f7ce97c28f47bbada1d4d768d431eb214c210aca095db1c827d0a9147d43839af5dd283a0e5ee3b1c4b7ab47def5ff17aafdfd1a7203b375cfed

Download Submit
C:\Windows\{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe

Filesize
168KB

MD5
9aab409b03bec1ede01baa9b14bc0343

SHA1
ed55cc5bf7da7de64aeb5f40c3b670cef5ef19f1

SHA256
4c6efb3e3cc460fefd71fbb0d75db0a497a03cb976ab5f8391dc1fff856d9a2f

SHA512
e9384c7c4b76a2ccfa33921c1f39292a65c6e67a9cbc87f1b511d4b9d588a5dee157e5904cdba4bfc49ddcf8688124c59bf7d0da6c7f1a80d3ff983c85440481

Download Submit
C:\Windows\{83D6B890-48E7-4189-B0AF-EB2B1B7032A4}.exe

Filesize
168KB

MD5
9aab409b03bec1ede01baa9b14bc0343

SHA1
ed55cc5bf7da7de64aeb5f40c3b670cef5ef19f1

SHA256
4c6efb3e3cc460fefd71fbb0d75db0a497a03cb976ab5f8391dc1fff856d9a2f

SHA512
e9384c7c4b76a2ccfa33921c1f39292a65c6e67a9cbc87f1b511d4b9d588a5dee157e5904cdba4bfc49ddcf8688124c59bf7d0da6c7f1a80d3ff983c85440481

Download Submit
C:\Windows\{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe

Filesize
168KB

MD5
137a74f8887ed228871c6a4d9892845a

SHA1
8c3161f93bd2695f60fb2fe107b164c91da1b41b

SHA256
29524e4daffcd7c71768ffb6cdcb8c81e13224548d73e99d7876a865c4dbff88

SHA512
d492a5ce1795b56d179244e533aac2440ef04506c01cc5310a78cff1566c8c0e1619d1ec395d6d97262cd20e21582711791cfc962602b3eebebb266d560a87fa

Download Submit
C:\Windows\{9D86335F-9474-42f3-98C4-E709ECAF76E5}.exe

Filesize
168KB

MD5
137a74f8887ed228871c6a4d9892845a

SHA1
8c3161f93bd2695f60fb2fe107b164c91da1b41b

SHA256
29524e4daffcd7c71768ffb6cdcb8c81e13224548d73e99d7876a865c4dbff88

SHA512
d492a5ce1795b56d179244e533aac2440ef04506c01cc5310a78cff1566c8c0e1619d1ec395d6d97262cd20e21582711791cfc962602b3eebebb266d560a87fa

Download Submit
C:\Windows\{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe

Filesize
168KB

MD5
e074266203253de0fe2d4955dd7ab9ce

SHA1
fab1a984f60c5f4450d24f8f03be4aebc0bf7a89

SHA256
5e736d77ef6da9d2ead9c1fa4dc94697efdf68100ae008069c8a4291ea637564

SHA512
10e32ad424162888698c5dc3dac3699e51f8c6ab20c49fe7938d59cc37cad1d1b7711b93bfc938e9821f3e1efa61962420e8c8d355c5ad1b8567f5ce7a0d2c0c

Download Submit
C:\Windows\{9F256726-185C-4540-9ED9-2B824C7D5A98}.exe

Filesize
168KB

MD5
e074266203253de0fe2d4955dd7ab9ce

SHA1
fab1a984f60c5f4450d24f8f03be4aebc0bf7a89

SHA256
5e736d77ef6da9d2ead9c1fa4dc94697efdf68100ae008069c8a4291ea637564

SHA512
10e32ad424162888698c5dc3dac3699e51f8c6ab20c49fe7938d59cc37cad1d1b7711b93bfc938e9821f3e1efa61962420e8c8d355c5ad1b8567f5ce7a0d2c0c

Download Submit
C:\Windows\{A27AF8C9-7265-48b5-9133-1892294BAA19}.exe

Filesize
168KB

MD5
42c726d88d8538ee782768ac61eb5f8c

SHA1
483b48446cbfecc33d646dbfd7ef6de4419a2e05

SHA256
14d08a85c61ebb81afcd8fb4e7d9c126af47db684cef381248ce0bba8238c701

SHA512
b02bc5a85e63a5634b95d3158727e13be147674f28b30b1eb8ed60c2f601254de2429de23a7061217d80bf4aff9e1f97adb271bcd5f6a247043f9104eb96d7bd

Download Submit
C:\Windows\{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe

Filesize
168KB

MD5
33256e10410f3a5063ba705fc3fb0ce7

SHA1
f76a3fe3ddb301cb93bc1b04425b9d50f8f1b6ae

SHA256
3024a7bd14791d08faacc33d4f3973018adc496e9a2948595699284159356648

SHA512
203a5a3d0226632198134588ad5e4f12272abf8657836470a751905af2301b5db0d601e5bd21b3dee394f6c0bbed8094c9f0dbdfa6f5d0899793098fbb3e10eb

Download Submit
C:\Windows\{D6212282-37D0-440f-9FF6-46A2C846D04A}.exe

Filesize
168KB

MD5
33256e10410f3a5063ba705fc3fb0ce7

SHA1
f76a3fe3ddb301cb93bc1b04425b9d50f8f1b6ae

SHA256
3024a7bd14791d08faacc33d4f3973018adc496e9a2948595699284159356648

SHA512
203a5a3d0226632198134588ad5e4f12272abf8657836470a751905af2301b5db0d601e5bd21b3dee394f6c0bbed8094c9f0dbdfa6f5d0899793098fbb3e10eb

Download Submit
C:\Windows\{DFBA0A48-F957-4e33-A895-43537BB11111}.exe

Filesize
168KB

MD5
49aaa33342918900fdcb13dfe88a76dc

SHA1
76f27f1daf5e23c46baea22ef0a67a561f27cdcc

SHA256
821c1f0232f29548ca0669294846f8a60eb03ddf11667f5adbb713ffe5e80700

SHA512
7994a2c5d9f10e8ef98080780ded71446da53032d55cc0f5bb1b96e75aedf731f7676ea144a286cba1826e0b54681c0491ea33ad41b2bed9c5158f1e478f983a

Download Submit
C:\Windows\{DFBA0A48-F957-4e33-A895-43537BB11111}.exe

Filesize
168KB

MD5
49aaa33342918900fdcb13dfe88a76dc

SHA1
76f27f1daf5e23c46baea22ef0a67a561f27cdcc

SHA256
821c1f0232f29548ca0669294846f8a60eb03ddf11667f5adbb713ffe5e80700

SHA512
7994a2c5d9f10e8ef98080780ded71446da53032d55cc0f5bb1b96e75aedf731f7676ea144a286cba1826e0b54681c0491ea33ad41b2bed9c5158f1e478f983a

Download Submit