cde221d70bab08131965367bc5b3d3c883b208b2b35be13c2853a2f6bd411017

Analysis

max time kernel
145s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05f8dabd0c8cb6exe_JC.exe
Size

204KB
MD5

05f8dabd0c8cb650856d11f9a25727e2
SHA1

6ca249c1ab1f73f3a33479567ab9a4c42899931c
SHA256

cde221d70bab08131965367bc5b3d3c883b208b2b35be13c2853a2f6bd411017
SHA512

7160594cdba50250de7cd2e31d1a9e28c75a639d83dcd05bb1858e44983cdc9f7feb0592adbb660bd2d3acf64f4ed13f2d84fbeaaeea564bc4a2f404ac387095
SSDEEP

1536:1EGh0o4l15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0o4l1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A7DC2D0-79EC-492d-B393-0316225CE846}\stubpath = "C:\\Windows\\{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe"	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89F6931C-6FC1-4085-941E-C86F2C259E77}\stubpath = "C:\\Windows\\{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe"	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7371BFBB-F183-460a-AE6D-14F868AB0AE9}\stubpath = "C:\\Windows\\{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe"	{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35EA756B-D7E0-435c-9A38-2597B7089DD0}\stubpath = "C:\\Windows\\{35EA756B-D7E0-435c-9A38-2597B7089DD0}.exe"	{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}\stubpath = "C:\\Windows\\{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe"	{47176381-C840-4a28-91FE-9452E432A574}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47176381-C840-4a28-91FE-9452E432A574}	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A7DC2D0-79EC-492d-B393-0316225CE846}	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7371BFBB-F183-460a-AE6D-14F868AB0AE9}	{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEEBA92A-5404-4213-921C-88FC3CA5672D}	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{455DA69A-D164-4331-B337-F8E81F2A932E}\stubpath = "C:\\Windows\\{455DA69A-D164-4331-B337-F8E81F2A932E}.exe"	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9425623E-32E8-48d9-B0E6-E9E58B477EEE}	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}\stubpath = "C:\\Windows\\{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe"	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45DDA833-5BA4-49a2-B8B0-95EDFE427923}\stubpath = "C:\\Windows\\{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe"	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89F6931C-6FC1-4085-941E-C86F2C259E77}	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{455DA69A-D164-4331-B337-F8E81F2A932E}	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{479D8F78-B23A-44ba-B068-4322AB83F25E}\stubpath = "C:\\Windows\\{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe"	05f8dabd0c8cb6exe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEEBA92A-5404-4213-921C-88FC3CA5672D}\stubpath = "C:\\Windows\\{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe"	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47176381-C840-4a28-91FE-9452E432A574}\stubpath = "C:\\Windows\\{47176381-C840-4a28-91FE-9452E432A574}.exe"	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}	{47176381-C840-4a28-91FE-9452E432A574}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9425623E-32E8-48d9-B0E6-E9E58B477EEE}\stubpath = "C:\\Windows\\{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe"	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45DDA833-5BA4-49a2-B8B0-95EDFE427923}	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{479D8F78-B23A-44ba-B068-4322AB83F25E}	05f8dabd0c8cb6exe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35EA756B-D7E0-435c-9A38-2597B7089DD0}	{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe

Executes dropped EXE 12 IoCs

pid	Process
1368	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe
4184	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe
376	{47176381-C840-4a28-91FE-9452E432A574}.exe
1492	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe
2408	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe
4228	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe
4836	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe
1352	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe
3820	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe
4300	{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe
116	{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe
4376	{35EA756B-D7E0-435c-9A38-2597B7089DD0}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe
File created	C:\Windows\{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe
File created	C:\Windows\{47176381-C840-4a28-91FE-9452E432A574}.exe	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe
File created	C:\Windows\{455DA69A-D164-4331-B337-F8E81F2A932E}.exe	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe
File created	C:\Windows\{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe	{47176381-C840-4a28-91FE-9452E432A574}.exe
File created	C:\Windows\{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe
File created	C:\Windows\{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe
File created	C:\Windows\{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe
File created	C:\Windows\{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe	{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe
File created	C:\Windows\{35EA756B-D7E0-435c-9A38-2597B7089DD0}.exe	{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe
File created	C:\Windows\{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe	05f8dabd0c8cb6exe_JC.exe
File created	C:\Windows\{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3432	05f8dabd0c8cb6exe_JC.exe
Token: SeIncBasePriorityPrivilege	1368	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe
Token: SeIncBasePriorityPrivilege	4184	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe
Token: SeIncBasePriorityPrivilege	376	{47176381-C840-4a28-91FE-9452E432A574}.exe
Token: SeIncBasePriorityPrivilege	1492	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe
Token: SeIncBasePriorityPrivilege	2408	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe
Token: SeIncBasePriorityPrivilege	4228	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe
Token: SeIncBasePriorityPrivilege	4836	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe
Token: SeIncBasePriorityPrivilege	1352	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe
Token: SeIncBasePriorityPrivilege	3820	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe
Token: SeIncBasePriorityPrivilege	4300	{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe
Token: SeIncBasePriorityPrivilege	116	{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1368	3432	05f8dabd0c8cb6exe_JC.exe	95
PID 3432 wrote to memory of 1368	3432	05f8dabd0c8cb6exe_JC.exe	95
PID 3432 wrote to memory of 1368	3432	05f8dabd0c8cb6exe_JC.exe	95
PID 3432 wrote to memory of 1424	3432	05f8dabd0c8cb6exe_JC.exe	96
PID 3432 wrote to memory of 1424	3432	05f8dabd0c8cb6exe_JC.exe	96
PID 3432 wrote to memory of 1424	3432	05f8dabd0c8cb6exe_JC.exe	96
PID 1368 wrote to memory of 4184	1368	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe	98
PID 1368 wrote to memory of 4184	1368	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe	98
PID 1368 wrote to memory of 4184	1368	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe	98
PID 1368 wrote to memory of 5040	1368	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe	99
PID 1368 wrote to memory of 5040	1368	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe	99
PID 1368 wrote to memory of 5040	1368	{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe	99
PID 4184 wrote to memory of 376	4184	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe	102
PID 4184 wrote to memory of 376	4184	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe	102
PID 4184 wrote to memory of 376	4184	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe	102
PID 4184 wrote to memory of 3500	4184	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe	101
PID 4184 wrote to memory of 3500	4184	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe	101
PID 4184 wrote to memory of 3500	4184	{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe	101
PID 376 wrote to memory of 1492	376	{47176381-C840-4a28-91FE-9452E432A574}.exe	103
PID 376 wrote to memory of 1492	376	{47176381-C840-4a28-91FE-9452E432A574}.exe	103
PID 376 wrote to memory of 1492	376	{47176381-C840-4a28-91FE-9452E432A574}.exe	103
PID 376 wrote to memory of 4876	376	{47176381-C840-4a28-91FE-9452E432A574}.exe	104
PID 376 wrote to memory of 4876	376	{47176381-C840-4a28-91FE-9452E432A574}.exe	104
PID 376 wrote to memory of 4876	376	{47176381-C840-4a28-91FE-9452E432A574}.exe	104
PID 1492 wrote to memory of 2408	1492	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe	105
PID 1492 wrote to memory of 2408	1492	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe	105
PID 1492 wrote to memory of 2408	1492	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe	105
PID 1492 wrote to memory of 5024	1492	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe	106
PID 1492 wrote to memory of 5024	1492	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe	106
PID 1492 wrote to memory of 5024	1492	{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe	106
PID 2408 wrote to memory of 4228	2408	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe	107
PID 2408 wrote to memory of 4228	2408	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe	107
PID 2408 wrote to memory of 4228	2408	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe	107
PID 2408 wrote to memory of 5004	2408	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe	108
PID 2408 wrote to memory of 5004	2408	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe	108
PID 2408 wrote to memory of 5004	2408	{455DA69A-D164-4331-B337-F8E81F2A932E}.exe	108
PID 4228 wrote to memory of 4836	4228	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe	109
PID 4228 wrote to memory of 4836	4228	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe	109
PID 4228 wrote to memory of 4836	4228	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe	109
PID 4228 wrote to memory of 2132	4228	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe	110
PID 4228 wrote to memory of 2132	4228	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe	110
PID 4228 wrote to memory of 2132	4228	{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe	110
PID 4836 wrote to memory of 1352	4836	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe	111
PID 4836 wrote to memory of 1352	4836	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe	111
PID 4836 wrote to memory of 1352	4836	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe	111
PID 4836 wrote to memory of 1132	4836	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe	112
PID 4836 wrote to memory of 1132	4836	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe	112
PID 4836 wrote to memory of 1132	4836	{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe	112
PID 1352 wrote to memory of 3820	1352	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe	113
PID 1352 wrote to memory of 3820	1352	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe	113
PID 1352 wrote to memory of 3820	1352	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe	113
PID 1352 wrote to memory of 4396	1352	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe	114
PID 1352 wrote to memory of 4396	1352	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe	114
PID 1352 wrote to memory of 4396	1352	{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe	114
PID 3820 wrote to memory of 4300	3820	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe	115
PID 3820 wrote to memory of 4300	3820	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe	115
PID 3820 wrote to memory of 4300	3820	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe	115
PID 3820 wrote to memory of 3408	3820	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe	116
PID 3820 wrote to memory of 3408	3820	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe	116
PID 3820 wrote to memory of 3408	3820	{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe	116
PID 4300 wrote to memory of 116	4300	{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe	117
PID 4300 wrote to memory of 116	4300	{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe	117
PID 4300 wrote to memory of 116	4300	{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe	117
PID 4300 wrote to memory of 4424	4300	{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe	118

C:\Users\Admin\AppData\Local\Temp\05f8dabd0c8cb6exe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\05f8dabd0c8cb6exe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe
  C:\Windows\{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1368
- - C:\Windows\{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe
    C:\Windows\{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{EEEBA~1.EXE > nul
      4⤵
      PID:3500
  - - C:\Windows\{47176381-C840-4a28-91FE-9452E432A574}.exe
      C:\Windows\{47176381-C840-4a28-91FE-9452E432A574}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:376
    - - C:\Windows\{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe
        
        C:\Windows\{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
      - C:\Windows\{455DA69A-D164-4331-B337-F8E81F2A932E}.exe
        
        C:\Windows\{455DA69A-D164-4331-B337-F8E81F2A932E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe
        
        C:\Windows\{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4228
        
        C:\Windows\{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe
        
        C:\Windows\{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4836
        
        C:\Windows\{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe
        
        C:\Windows\{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1352
        
        C:\Windows\{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe
        
        C:\Windows\{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe
        
        C:\Windows\{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4300
        
        C:\Windows\{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe
        
        C:\Windows\{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:116
        
        C:\Windows\{35EA756B-D7E0-435c-9A38-2597B7089DD0}.exe
        
        C:\Windows\{35EA756B-D7E0-435c-9A38-2597B7089DD0}.exe
        13⤵
        Executes dropped EXE
        
        PID:4376
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7371B~1.EXE > nul
        13⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89F69~1.EXE > nul
        12⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45DDA~1.EXE > nul
        11⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A7DC~1.EXE > nul
        10⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{38DD2~1.EXE > nul
        9⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94256~1.EXE > nul
        8⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{455DA~1.EXE > nul
        7⤵
        
        PID:5004
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5262F~1.EXE > nul
        6⤵
        
        PID:5024
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47176~1.EXE > nul
        5⤵
        
        PID:4876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{479D8~1.EXE > nul
    3⤵
    PID:5040
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\05F8DA~1.EXE > nul
  2⤵
  PID:1424

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{35EA756B-D7E0-435c-9A38-2597B7089DD0}.exe

Filesize
204KB

MD5
1755e1b347f8f89cb28f8f1fd31ed145

SHA1
4137f0451692ccb2937cf80c79d93fd5df9895e1

SHA256
10e4b7efcf57ef676fe36edab7d4fbdd390953339a9b409a136cd41ebd57b8e9

SHA512
2957c2ac8e5059aeae5d387f43bbcc43f837a7c339321dfd6a34a3667d508fffed17dcf28eb18f9399d1a2be068c7e1cc081e16b06d16a2104564a1bf48e81de

Download Submit
C:\Windows\{35EA756B-D7E0-435c-9A38-2597B7089DD0}.exe

Filesize
204KB

MD5
1755e1b347f8f89cb28f8f1fd31ed145

SHA1
4137f0451692ccb2937cf80c79d93fd5df9895e1

SHA256
10e4b7efcf57ef676fe36edab7d4fbdd390953339a9b409a136cd41ebd57b8e9

SHA512
2957c2ac8e5059aeae5d387f43bbcc43f837a7c339321dfd6a34a3667d508fffed17dcf28eb18f9399d1a2be068c7e1cc081e16b06d16a2104564a1bf48e81de

Download Submit
C:\Windows\{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe

Filesize
204KB

MD5
b3859571afdcde7313bb75147dba617a

SHA1
fd8a0e032a250b945022d355016b1afb258e1c69

SHA256
61f81ab282fa57d10e9e03b2ed46f23fe64352fe0e5ffae59d345ae419d78d4b

SHA512
8bd9a32ce1f4febbc7538ab0f0857b61265439fd887e8469f146728f8585737a8769607b36cfe37ca749137ed07b2d3ba4ed5e8243498c0dfd14abd623f1f6a9

Download Submit
C:\Windows\{38DD2DA6-618E-4d85-8F86-0F2F1C9752D2}.exe

Filesize
204KB

MD5
b3859571afdcde7313bb75147dba617a

SHA1
fd8a0e032a250b945022d355016b1afb258e1c69

SHA256
61f81ab282fa57d10e9e03b2ed46f23fe64352fe0e5ffae59d345ae419d78d4b

SHA512
8bd9a32ce1f4febbc7538ab0f0857b61265439fd887e8469f146728f8585737a8769607b36cfe37ca749137ed07b2d3ba4ed5e8243498c0dfd14abd623f1f6a9

Download Submit
C:\Windows\{455DA69A-D164-4331-B337-F8E81F2A932E}.exe

Filesize
204KB

MD5
197e55cf90f4e826f54ac8de38f0c68b

SHA1
8a462251081cc6b8bbd9800555b0e277231568c2

SHA256
49ec324fab4c22e91b902d85dc7685f702ccdcb509ad48dbef6722ae685f70a9

SHA512
7c423ff8886f8549d63658c009d0101dfec1cdae8afe72ffbd28de1e18a6157e09149901897c75e6d808f2b73b7635808cb459116bc8829c3a237d1da364c5af

Download Submit
C:\Windows\{455DA69A-D164-4331-B337-F8E81F2A932E}.exe

Filesize
204KB

MD5
197e55cf90f4e826f54ac8de38f0c68b

SHA1
8a462251081cc6b8bbd9800555b0e277231568c2

SHA256
49ec324fab4c22e91b902d85dc7685f702ccdcb509ad48dbef6722ae685f70a9

SHA512
7c423ff8886f8549d63658c009d0101dfec1cdae8afe72ffbd28de1e18a6157e09149901897c75e6d808f2b73b7635808cb459116bc8829c3a237d1da364c5af

Download Submit
C:\Windows\{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe

Filesize
204KB

MD5
39fbd2eff01ba63b9bbdf9eaf8199258

SHA1
a60c93fde286940c012073a237b7d558dd47bd6c

SHA256
e41bbe5540e3efa365382128ffc5da33b25b6b34602b6de621c8d83a28d532a2

SHA512
6d7a4f5e2a6125fd26c0c7eaf3d6562fc3c7a2e896e6d9596a4c5ab4a4858a2da982c7549a31992662e1f3c308223ee7586060c92b7aabea7216ebd2f152a179

Download Submit
C:\Windows\{45DDA833-5BA4-49a2-B8B0-95EDFE427923}.exe

Filesize
204KB

MD5
39fbd2eff01ba63b9bbdf9eaf8199258

SHA1
a60c93fde286940c012073a237b7d558dd47bd6c

SHA256
e41bbe5540e3efa365382128ffc5da33b25b6b34602b6de621c8d83a28d532a2

SHA512
6d7a4f5e2a6125fd26c0c7eaf3d6562fc3c7a2e896e6d9596a4c5ab4a4858a2da982c7549a31992662e1f3c308223ee7586060c92b7aabea7216ebd2f152a179

Download Submit
C:\Windows\{47176381-C840-4a28-91FE-9452E432A574}.exe

Filesize
204KB

MD5
6c5e9e176fa8a17d8cb5ca6ec6071973

SHA1
ac889888571e503d99772198937f31d1211570bd

SHA256
63344054a6a8a40362d87cffb1cc9b168c14527fa0408be90b44d985ed3e827f

SHA512
6709ba9c45f445d1c0afc3e67a0dd2ade46fe3f51da957f332e433919cce0258219e12b54878a80a71049c06431f6eae0d086fd9e9ed1cfcca39469bb9139825

Download Submit
C:\Windows\{47176381-C840-4a28-91FE-9452E432A574}.exe

Filesize
204KB

MD5
6c5e9e176fa8a17d8cb5ca6ec6071973

SHA1
ac889888571e503d99772198937f31d1211570bd

SHA256
63344054a6a8a40362d87cffb1cc9b168c14527fa0408be90b44d985ed3e827f

SHA512
6709ba9c45f445d1c0afc3e67a0dd2ade46fe3f51da957f332e433919cce0258219e12b54878a80a71049c06431f6eae0d086fd9e9ed1cfcca39469bb9139825

Download Submit
C:\Windows\{47176381-C840-4a28-91FE-9452E432A574}.exe

Filesize
204KB

MD5
6c5e9e176fa8a17d8cb5ca6ec6071973

SHA1
ac889888571e503d99772198937f31d1211570bd

SHA256
63344054a6a8a40362d87cffb1cc9b168c14527fa0408be90b44d985ed3e827f

SHA512
6709ba9c45f445d1c0afc3e67a0dd2ade46fe3f51da957f332e433919cce0258219e12b54878a80a71049c06431f6eae0d086fd9e9ed1cfcca39469bb9139825

Download Submit
C:\Windows\{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe

Filesize
204KB

MD5
dcc4c39bc581510a6478872aff2162b1

SHA1
97cb9ecfd009b2109ea0d44f70f052de3e9ebed4

SHA256
8aacfb6ac0499869682acf62bae4e8b52b425ac259cfcfd8294994f4904c423e

SHA512
040a16b7c55fa3c1c1d656ca7421f1f814a499de8d8f1d815999bfe24bb2b80b77da9f5665f5384110c0c694fd88bd5e51d917d29bfc490e33c2ae6f1098c114

Download Submit
C:\Windows\{479D8F78-B23A-44ba-B068-4322AB83F25E}.exe

Filesize
204KB

MD5
dcc4c39bc581510a6478872aff2162b1

SHA1
97cb9ecfd009b2109ea0d44f70f052de3e9ebed4

SHA256
8aacfb6ac0499869682acf62bae4e8b52b425ac259cfcfd8294994f4904c423e

SHA512
040a16b7c55fa3c1c1d656ca7421f1f814a499de8d8f1d815999bfe24bb2b80b77da9f5665f5384110c0c694fd88bd5e51d917d29bfc490e33c2ae6f1098c114

Download Submit
C:\Windows\{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe

Filesize
204KB

MD5
fa4cd4514622d8276433db07b043f407

SHA1
7fcd7ee909d8a3c9b948c7aec148d1c06b91f8d3

SHA256
0032ab5056acde2fde0ed62b96ae6f08118547bd358d3b8fa9f431b13e71a358

SHA512
a89420e762aae98deca2717697dd78dfaae680efa0444b665ff3531495939bed7ba34e0db214240e1705c3689c93bbafb0e9f9b61332a7c54448b077a4ffabb9

Download Submit
C:\Windows\{5262FEAB-4AB7-4263-9AFD-B6116F679C1F}.exe

Filesize
204KB

MD5
fa4cd4514622d8276433db07b043f407

SHA1
7fcd7ee909d8a3c9b948c7aec148d1c06b91f8d3

SHA256
0032ab5056acde2fde0ed62b96ae6f08118547bd358d3b8fa9f431b13e71a358

SHA512
a89420e762aae98deca2717697dd78dfaae680efa0444b665ff3531495939bed7ba34e0db214240e1705c3689c93bbafb0e9f9b61332a7c54448b077a4ffabb9

Download Submit
C:\Windows\{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe

Filesize
204KB

MD5
955ed6e903d061b4154bd75bb90dea0d

SHA1
216e0d6d7b8159a68ce890ac7ff42b698af06c70

SHA256
5bb369879ac2c8024bec2870ad929de3e5025dbc0874e42229e9b74a0a4daf6a

SHA512
6ecd6c170741e4eeaabc1d6a42d6683a33eb034ea006d9f4fb571f379984a279076431520776df99a764192af67b98ed8897a165bc57960c5546057f2b1595ef

Download Submit
C:\Windows\{7371BFBB-F183-460a-AE6D-14F868AB0AE9}.exe

Filesize
204KB

MD5
955ed6e903d061b4154bd75bb90dea0d

SHA1
216e0d6d7b8159a68ce890ac7ff42b698af06c70

SHA256
5bb369879ac2c8024bec2870ad929de3e5025dbc0874e42229e9b74a0a4daf6a

SHA512
6ecd6c170741e4eeaabc1d6a42d6683a33eb034ea006d9f4fb571f379984a279076431520776df99a764192af67b98ed8897a165bc57960c5546057f2b1595ef

Download Submit
C:\Windows\{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe

Filesize
204KB

MD5
a4453d617c04693545de52b6345c4b86

SHA1
fa49e71c6023de27bcabcc0ceecf35f46316a555

SHA256
652895c0452c9a0b081f3b46f3f19bbc1cf6c39521d2eb67e67248a03a0e23e9

SHA512
e581c74b5c916cd00366288476e69f50e489264c068d1b916653cc2eeb57b69369f0d52e1ba228d5659225a21408b7a8a2c14bf671cbf01ae51d74c63bf54520

Download Submit
C:\Windows\{89F6931C-6FC1-4085-941E-C86F2C259E77}.exe

Filesize
204KB

MD5
a4453d617c04693545de52b6345c4b86

SHA1
fa49e71c6023de27bcabcc0ceecf35f46316a555

SHA256
652895c0452c9a0b081f3b46f3f19bbc1cf6c39521d2eb67e67248a03a0e23e9

SHA512
e581c74b5c916cd00366288476e69f50e489264c068d1b916653cc2eeb57b69369f0d52e1ba228d5659225a21408b7a8a2c14bf671cbf01ae51d74c63bf54520

Download Submit
C:\Windows\{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe

Filesize
204KB

MD5
d45a17b452752acd0fa29aaa2cfb07cb

SHA1
2a8807c16c36980c0f77198048dd99b3e2b38c89

SHA256
c642ab5bd674a96d7b9891b8472034e8d31c28947d144cd8d9c26f61349e6cbd

SHA512
af046fa7450ed9d98df16282d52776b91d800697c4af520d14334ba78c0927c67843d6dbbc860133bfebca53f76af2da2961c6cb460fd6d249faa3e1314f1ed2

Download Submit
C:\Windows\{8A7DC2D0-79EC-492d-B393-0316225CE846}.exe

Filesize
204KB

MD5
d45a17b452752acd0fa29aaa2cfb07cb

SHA1
2a8807c16c36980c0f77198048dd99b3e2b38c89

SHA256
c642ab5bd674a96d7b9891b8472034e8d31c28947d144cd8d9c26f61349e6cbd

SHA512
af046fa7450ed9d98df16282d52776b91d800697c4af520d14334ba78c0927c67843d6dbbc860133bfebca53f76af2da2961c6cb460fd6d249faa3e1314f1ed2

Download Submit
C:\Windows\{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe

Filesize
204KB

MD5
8f655beab514e6505174d820792d5cdd

SHA1
2b60dd47a838e615be04f692379d691f7684b74c

SHA256
d7fc6dc52c1b81a48da45437b939caa0435d931963b608ff4c14ba23a2d844e9

SHA512
0958aa9baccd2cf5aed1dc4e98a3fa1fe9f62335d03a0c34ab1c5328b1e5c07c67fdbf1d419492dbe0f6a437777d1a6a72b4597154c32394ca3dfe91fdafe2ba

Download Submit
C:\Windows\{9425623E-32E8-48d9-B0E6-E9E58B477EEE}.exe

Filesize
204KB

MD5
8f655beab514e6505174d820792d5cdd

SHA1
2b60dd47a838e615be04f692379d691f7684b74c

SHA256
d7fc6dc52c1b81a48da45437b939caa0435d931963b608ff4c14ba23a2d844e9

SHA512
0958aa9baccd2cf5aed1dc4e98a3fa1fe9f62335d03a0c34ab1c5328b1e5c07c67fdbf1d419492dbe0f6a437777d1a6a72b4597154c32394ca3dfe91fdafe2ba

Download Submit
C:\Windows\{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe

Filesize
204KB

MD5
1c8de9178f30d31fb401cec6f017fbc7

SHA1
ca1527e51149db8fd6265692d0a9deaf5ccbc978

SHA256
9daab67bdb0dcf69eeb3c5616fa747c030cbf5d7f2dfb4de6eec639687ec5fa4

SHA512
e6430455be2d2c01ec912f5ad6eaba5337020f8ad89e2206a26b0699e494fe08de33d2a8bad1809e130d184564f1e5d5312f341356f99470110141d111ca4ee4

Download Submit
C:\Windows\{EEEBA92A-5404-4213-921C-88FC3CA5672D}.exe

Filesize
204KB

MD5
1c8de9178f30d31fb401cec6f017fbc7

SHA1
ca1527e51149db8fd6265692d0a9deaf5ccbc978

SHA256
9daab67bdb0dcf69eeb3c5616fa747c030cbf5d7f2dfb4de6eec639687ec5fa4

SHA512
e6430455be2d2c01ec912f5ad6eaba5337020f8ad89e2206a26b0699e494fe08de33d2a8bad1809e130d184564f1e5d5312f341356f99470110141d111ca4ee4

Download Submit