851ab2844a44635f3c5a4200f2cbda718b01d93b91a43445d9c99756afefb8b0

Analysis

max time kernel
150s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14-07-2023 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

14412b53c5f2ccexe_JC.exe
Size

372KB
MD5

14412b53c5f2ccecd82d0d9b42aef425
SHA1

846a3dfc4f553bc8538beedcd00f4b656a864b83
SHA256

851ab2844a44635f3c5a4200f2cbda718b01d93b91a43445d9c99756afefb8b0
SHA512

401942d4ddcbfa815b910272bb3b0cfd9e9cbd941d329476ea8e5b710b1bdfe699837d1bf8533cd138d7f153656d1660fddc8a3caacc9ee6cb6e2bc3f7de749f
SSDEEP

3072:CEGh0oEmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGTl/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}\stubpath = "C:\\Windows\\{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe"	14412b53c5f2ccexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B648517-D4A4-4555-B42C-7C3A7653B25F}	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1271C169-D6C6-44d7-9326-8C5777CD608F}	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1271C169-D6C6-44d7-9326-8C5777CD608F}\stubpath = "C:\\Windows\\{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe"	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{403AD950-3BAE-4605-AFFE-E3B75BD54611}\stubpath = "C:\\Windows\\{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe"	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73EA251-40F0-48d8-B25A-F78BCA33B45C}	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C3899F1-7D6C-470d-B85C-96673B465396}\stubpath = "C:\\Windows\\{2C3899F1-7D6C-470d-B85C-96673B465396}.exe"	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}\stubpath = "C:\\Windows\\{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe"	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}\stubpath = "C:\\Windows\\{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe"	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C73EA251-40F0-48d8-B25A-F78BCA33B45C}\stubpath = "C:\\Windows\\{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe"	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C3899F1-7D6C-470d-B85C-96673B465396}	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}\stubpath = "C:\\Windows\\{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe"	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A69D897-4627-418d-B9EC-6AD341CC2CC7}	{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A69D897-4627-418d-B9EC-6AD341CC2CC7}\stubpath = "C:\\Windows\\{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe"	{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}	14412b53c5f2ccexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B648517-D4A4-4555-B42C-7C3A7653B25F}\stubpath = "C:\\Windows\\{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe"	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{403AD950-3BAE-4605-AFFE-E3B75BD54611}	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}\stubpath = "C:\\Windows\\{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe"	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7ED4E93-6FE4-4627-BB6B-77EE8CC110E4}	{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B7ED4E93-6FE4-4627-BB6B-77EE8CC110E4}\stubpath = "C:\\Windows\\{B7ED4E93-6FE4-4627-BB6B-77EE8CC110E4}.exe"	{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe

Executes dropped EXE 12 IoCs

pid	Process
2952	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe
1548	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe
2424	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe
3952	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe
4332	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe
2296	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe
264	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe
5068	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe
2220	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe
1936	{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe
3812	{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe
2516	{B7ED4E93-6FE4-4627-BB6B-77EE8CC110E4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe	{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe
File created	C:\Windows\{B7ED4E93-6FE4-4627-BB6B-77EE8CC110E4}.exe	{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe
File created	C:\Windows\{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe
File created	C:\Windows\{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe
File created	C:\Windows\{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe
File created	C:\Windows\{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe
File created	C:\Windows\{2C3899F1-7D6C-470d-B85C-96673B465396}.exe	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe
File created	C:\Windows\{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe
File created	C:\Windows\{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe	14412b53c5f2ccexe_JC.exe
File created	C:\Windows\{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe
File created	C:\Windows\{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe
File created	C:\Windows\{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1004	14412b53c5f2ccexe_JC.exe
Token: SeIncBasePriorityPrivilege	2952	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe
Token: SeIncBasePriorityPrivilege	1548	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe
Token: SeIncBasePriorityPrivilege	2424	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe
Token: SeIncBasePriorityPrivilege	3952	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe
Token: SeIncBasePriorityPrivilege	4332	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe
Token: SeIncBasePriorityPrivilege	2296	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe
Token: SeIncBasePriorityPrivilege	264	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe
Token: SeIncBasePriorityPrivilege	5068	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe
Token: SeIncBasePriorityPrivilege	2220	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe
Token: SeIncBasePriorityPrivilege	1936	{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe
Token: SeIncBasePriorityPrivilege	3812	{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1004 wrote to memory of 2952	1004	14412b53c5f2ccexe_JC.exe	93
PID 1004 wrote to memory of 2952	1004	14412b53c5f2ccexe_JC.exe	93
PID 1004 wrote to memory of 2952	1004	14412b53c5f2ccexe_JC.exe	93
PID 1004 wrote to memory of 4024	1004	14412b53c5f2ccexe_JC.exe	94
PID 1004 wrote to memory of 4024	1004	14412b53c5f2ccexe_JC.exe	94
PID 1004 wrote to memory of 4024	1004	14412b53c5f2ccexe_JC.exe	94
PID 2952 wrote to memory of 1548	2952	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe	98
PID 2952 wrote to memory of 1548	2952	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe	98
PID 2952 wrote to memory of 1548	2952	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe	98
PID 2952 wrote to memory of 4396	2952	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe	99
PID 2952 wrote to memory of 4396	2952	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe	99
PID 2952 wrote to memory of 4396	2952	{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe	99
PID 1548 wrote to memory of 2424	1548	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe	102
PID 1548 wrote to memory of 2424	1548	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe	102
PID 1548 wrote to memory of 2424	1548	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe	102
PID 1548 wrote to memory of 3740	1548	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe	101
PID 1548 wrote to memory of 3740	1548	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe	101
PID 1548 wrote to memory of 3740	1548	{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe	101
PID 2424 wrote to memory of 3952	2424	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe	103
PID 2424 wrote to memory of 3952	2424	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe	103
PID 2424 wrote to memory of 3952	2424	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe	103
PID 2424 wrote to memory of 4996	2424	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe	104
PID 2424 wrote to memory of 4996	2424	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe	104
PID 2424 wrote to memory of 4996	2424	{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe	104
PID 3952 wrote to memory of 4332	3952	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe	105
PID 3952 wrote to memory of 4332	3952	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe	105
PID 3952 wrote to memory of 4332	3952	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe	105
PID 3952 wrote to memory of 4136	3952	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe	106
PID 3952 wrote to memory of 4136	3952	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe	106
PID 3952 wrote to memory of 4136	3952	{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe	106
PID 4332 wrote to memory of 2296	4332	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe	107
PID 4332 wrote to memory of 2296	4332	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe	107
PID 4332 wrote to memory of 2296	4332	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe	107
PID 4332 wrote to memory of 4788	4332	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe	108
PID 4332 wrote to memory of 4788	4332	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe	108
PID 4332 wrote to memory of 4788	4332	{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe	108
PID 2296 wrote to memory of 264	2296	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe	109
PID 2296 wrote to memory of 264	2296	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe	109
PID 2296 wrote to memory of 264	2296	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe	109
PID 2296 wrote to memory of 3332	2296	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe	110
PID 2296 wrote to memory of 3332	2296	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe	110
PID 2296 wrote to memory of 3332	2296	{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe	110
PID 264 wrote to memory of 5068	264	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe	111
PID 264 wrote to memory of 5068	264	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe	111
PID 264 wrote to memory of 5068	264	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe	111
PID 264 wrote to memory of 2828	264	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe	112
PID 264 wrote to memory of 2828	264	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe	112
PID 264 wrote to memory of 2828	264	{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe	112
PID 5068 wrote to memory of 2220	5068	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe	113
PID 5068 wrote to memory of 2220	5068	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe	113
PID 5068 wrote to memory of 2220	5068	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe	113
PID 5068 wrote to memory of 860	5068	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe	114
PID 5068 wrote to memory of 860	5068	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe	114
PID 5068 wrote to memory of 860	5068	{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe	114
PID 2220 wrote to memory of 1936	2220	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe	115
PID 2220 wrote to memory of 1936	2220	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe	115
PID 2220 wrote to memory of 1936	2220	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe	115
PID 2220 wrote to memory of 3336	2220	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe	116
PID 2220 wrote to memory of 3336	2220	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe	116
PID 2220 wrote to memory of 3336	2220	{2C3899F1-7D6C-470d-B85C-96673B465396}.exe	116
PID 1936 wrote to memory of 3812	1936	{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe	117
PID 1936 wrote to memory of 3812	1936	{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe	117
PID 1936 wrote to memory of 3812	1936	{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe	117
PID 1936 wrote to memory of 4912	1936	{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe	118

C:\Users\Admin\AppData\Local\Temp\14412b53c5f2ccexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\14412b53c5f2ccexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1004
- C:\Windows\{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe
  C:\Windows\{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe
    C:\Windows\{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8B648~1.EXE > nul
      4⤵
      PID:3740
  - - C:\Windows\{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe
      C:\Windows\{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2424
    - - C:\Windows\{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe
        
        C:\Windows\{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3952
      - C:\Windows\{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe
        
        C:\Windows\{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4332
        
        C:\Windows\{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe
        
        C:\Windows\{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe
        
        C:\Windows\{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:264
        
        C:\Windows\{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe
        
        C:\Windows\{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5068
        
        C:\Windows\{2C3899F1-7D6C-470d-B85C-96673B465396}.exe
        
        C:\Windows\{2C3899F1-7D6C-470d-B85C-96673B465396}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe
        
        C:\Windows\{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe
        
        C:\Windows\{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
        
        C:\Windows\{B7ED4E93-6FE4-4627-BB6B-77EE8CC110E4}.exe
        
        C:\Windows\{B7ED4E93-6FE4-4627-BB6B-77EE8CC110E4}.exe
        13⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A69D~1.EXE > nul
        13⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{30ACA~1.EXE > nul
        12⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2C389~1.EXE > nul
        11⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AB7A~1.EXE > nul
        10⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C73EA~1.EXE > nul
        9⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1C49~1.EXE > nul
        8⤵
        
        PID:3332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{403AD~1.EXE > nul
        7⤵
        
        PID:4788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1271C~1.EXE > nul
        6⤵
        
        PID:4136
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{000AA~1.EXE > nul
        5⤵
        
        PID:4996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CE0B6~1.EXE > nul
    3⤵
    PID:4396
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\14412B~1.EXE > nul
  2⤵
  PID:4024

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe

Filesize
372KB

MD5
f7f3ff2b7726a62b7d4e7a1ee3aa56fd

SHA1
3ab476aecf1057e1ce1de13b73aa9310cc1cbab0

SHA256
8c94f9deca728b2719c9174e4e2ee69afdfcdc343ca27ec8b4f90e62a0408aca

SHA512
0ea1331b532e355e70e28d05379f23effb2df8ea856fcb3b7349670be6117afce09226c57a660690af67b4cf0295e7d7c88d30158b938769781b8f892468d2af

Download Submit
C:\Windows\{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe

Filesize
372KB

MD5
f7f3ff2b7726a62b7d4e7a1ee3aa56fd

SHA1
3ab476aecf1057e1ce1de13b73aa9310cc1cbab0

SHA256
8c94f9deca728b2719c9174e4e2ee69afdfcdc343ca27ec8b4f90e62a0408aca

SHA512
0ea1331b532e355e70e28d05379f23effb2df8ea856fcb3b7349670be6117afce09226c57a660690af67b4cf0295e7d7c88d30158b938769781b8f892468d2af

Download Submit
C:\Windows\{000AA4F9-7B9C-480b-B8AE-D40B314B7D3D}.exe

Filesize
372KB

MD5
f7f3ff2b7726a62b7d4e7a1ee3aa56fd

SHA1
3ab476aecf1057e1ce1de13b73aa9310cc1cbab0

SHA256
8c94f9deca728b2719c9174e4e2ee69afdfcdc343ca27ec8b4f90e62a0408aca

SHA512
0ea1331b532e355e70e28d05379f23effb2df8ea856fcb3b7349670be6117afce09226c57a660690af67b4cf0295e7d7c88d30158b938769781b8f892468d2af

Download Submit
C:\Windows\{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe

Filesize
372KB

MD5
01b0aa370cc3edd2cc6a51b70622a058

SHA1
0c81b43c0bf45fc7d6a76909505a7e1eeea419d9

SHA256
82070188219f865b63cc241a19f5a16826839af1525d4de06c3cfbc63d47c841

SHA512
490b3b66229a09ba90c483829d0f2771d297977d74f952b34f9e3ff09584a74b036af369a3f1b7425ca73f6a846ce97208f5c13fc3c8c47c5f7cdef20858f748

Download Submit
C:\Windows\{1271C169-D6C6-44d7-9326-8C5777CD608F}.exe

Filesize
372KB

MD5
01b0aa370cc3edd2cc6a51b70622a058

SHA1
0c81b43c0bf45fc7d6a76909505a7e1eeea419d9

SHA256
82070188219f865b63cc241a19f5a16826839af1525d4de06c3cfbc63d47c841

SHA512
490b3b66229a09ba90c483829d0f2771d297977d74f952b34f9e3ff09584a74b036af369a3f1b7425ca73f6a846ce97208f5c13fc3c8c47c5f7cdef20858f748

Download Submit
C:\Windows\{2C3899F1-7D6C-470d-B85C-96673B465396}.exe

Filesize
372KB

MD5
77f13af25f1e3203651fa41bca2d061f

SHA1
17679eea3491920f5a47c9d20ba0825ea5d0299b

SHA256
e7582563a7203f162959be7201fda2f1b63a9d3257036299df55d1626256b708

SHA512
117f855a82ef5136720c86647012b4a9f879fadbdc02117cba387df87bec2e53b4963db82a70bf5b6f3d27a4372cbe17bb640056fd61261a4570d0cf81dd0e4b

Download Submit
C:\Windows\{2C3899F1-7D6C-470d-B85C-96673B465396}.exe

Filesize
372KB

MD5
77f13af25f1e3203651fa41bca2d061f

SHA1
17679eea3491920f5a47c9d20ba0825ea5d0299b

SHA256
e7582563a7203f162959be7201fda2f1b63a9d3257036299df55d1626256b708

SHA512
117f855a82ef5136720c86647012b4a9f879fadbdc02117cba387df87bec2e53b4963db82a70bf5b6f3d27a4372cbe17bb640056fd61261a4570d0cf81dd0e4b

Download Submit
C:\Windows\{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe

Filesize
372KB

MD5
d89beb1043a3bd248e23a8fa51dfdb6c

SHA1
c320de75895c62744aca16614e5205effcdbf646

SHA256
efdb8dd81a6512eb2775d0ae1a6761d0658f703715d73d507463849c2d1eeb0a

SHA512
10b3e6b246c9c201504941013da7660e4293fa59baba759ce2aae910f960a60010560b69fda6f859c0522446cf928219e53b9eac503220a7f9373467a65c6fae

Download Submit
C:\Windows\{30ACAFA7-50C2-4eb8-9FAC-7C6CD156D333}.exe

Filesize
372KB

MD5
d89beb1043a3bd248e23a8fa51dfdb6c

SHA1
c320de75895c62744aca16614e5205effcdbf646

SHA256
efdb8dd81a6512eb2775d0ae1a6761d0658f703715d73d507463849c2d1eeb0a

SHA512
10b3e6b246c9c201504941013da7660e4293fa59baba759ce2aae910f960a60010560b69fda6f859c0522446cf928219e53b9eac503220a7f9373467a65c6fae

Download Submit
C:\Windows\{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe

Filesize
372KB

MD5
e166e3b3c3861543bb79dc0e14aa2a00

SHA1
e31b1ee786f7f80eea0401ab232ab11c33c3cae2

SHA256
2f8acd2a2f70251715d4737ba50c86d4c0fed34508f4c2ba1a0ffc608f480945

SHA512
2568576e25899a74ae3d55de254af2a625cb764063d933a3bc2ba0a73258d5722402d4d104fffb95d1c6083088116857ee94c0bdeb72658e791529166d8e3234

Download Submit
C:\Windows\{403AD950-3BAE-4605-AFFE-E3B75BD54611}.exe

Filesize
372KB

MD5
e166e3b3c3861543bb79dc0e14aa2a00

SHA1
e31b1ee786f7f80eea0401ab232ab11c33c3cae2

SHA256
2f8acd2a2f70251715d4737ba50c86d4c0fed34508f4c2ba1a0ffc608f480945

SHA512
2568576e25899a74ae3d55de254af2a625cb764063d933a3bc2ba0a73258d5722402d4d104fffb95d1c6083088116857ee94c0bdeb72658e791529166d8e3234

Download Submit
C:\Windows\{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe

Filesize
372KB

MD5
904772d3d64fce8b56c51db687b9ea51

SHA1
919da4fa3279fed728434c4db2f4425103defeb1

SHA256
974ed27cd6356fe8cb87414f0bffaef0e3a81a8d5eeb75b91eed0eccb58819fb

SHA512
48799078ffde2735c1423580a8031939c2b385175b5ce8d0745bbeae96f0ea759feb9dd041ee75137fd36f75338327e694bd42afaf18f297bc10cbf928461937

Download Submit
C:\Windows\{5A69D897-4627-418d-B9EC-6AD341CC2CC7}.exe

Filesize
372KB

MD5
904772d3d64fce8b56c51db687b9ea51

SHA1
919da4fa3279fed728434c4db2f4425103defeb1

SHA256
974ed27cd6356fe8cb87414f0bffaef0e3a81a8d5eeb75b91eed0eccb58819fb

SHA512
48799078ffde2735c1423580a8031939c2b385175b5ce8d0745bbeae96f0ea759feb9dd041ee75137fd36f75338327e694bd42afaf18f297bc10cbf928461937

Download Submit
C:\Windows\{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe

Filesize
372KB

MD5
635aef608ea5ae24286c48bf76fe2db2

SHA1
062ed5534da72208c3b3c9d9b3203ef4ae83abd3

SHA256
8c0b4ea60216b3c50c987542de086f36a7a4a7d62f0763694b30d9c69123212a

SHA512
e2970cae9fbc0792037538a4acaf014ac361aff840df6a1d59595f9f2f84c725e92a1c8ebebe914b49054b9c2be2ceadd5e0dd38eab72420e4e527373b6c4da9

Download Submit
C:\Windows\{8B648517-D4A4-4555-B42C-7C3A7653B25F}.exe

Filesize
372KB

MD5
635aef608ea5ae24286c48bf76fe2db2

SHA1
062ed5534da72208c3b3c9d9b3203ef4ae83abd3

SHA256
8c0b4ea60216b3c50c987542de086f36a7a4a7d62f0763694b30d9c69123212a

SHA512
e2970cae9fbc0792037538a4acaf014ac361aff840df6a1d59595f9f2f84c725e92a1c8ebebe914b49054b9c2be2ceadd5e0dd38eab72420e4e527373b6c4da9

Download Submit
C:\Windows\{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe

Filesize
372KB

MD5
eb8f2f4b9ee2e9af2e86dd6e032eddc0

SHA1
c5fa0ce39bb51bf4ae5c252785af2fd70f70e643

SHA256
1c8dad2f05fdb7f62804bbe19b656d4ad62c448e3213afc0d646db141b5e9879

SHA512
57d0703a7f954e858d7e3b6b085b814f881491e6bc43d13cc600a2c2269c5a25270e477f3eef1b8f813469b4ff0242bdc3e95b3375f021ceb40a154cc9b59b94

Download Submit
C:\Windows\{9AB7ACBF-73CA-4cfa-830B-C0B182FB1215}.exe

Filesize
372KB

MD5
eb8f2f4b9ee2e9af2e86dd6e032eddc0

SHA1
c5fa0ce39bb51bf4ae5c252785af2fd70f70e643

SHA256
1c8dad2f05fdb7f62804bbe19b656d4ad62c448e3213afc0d646db141b5e9879

SHA512
57d0703a7f954e858d7e3b6b085b814f881491e6bc43d13cc600a2c2269c5a25270e477f3eef1b8f813469b4ff0242bdc3e95b3375f021ceb40a154cc9b59b94

Download Submit
C:\Windows\{B7ED4E93-6FE4-4627-BB6B-77EE8CC110E4}.exe

Filesize
372KB

MD5
e1b9e694b97e4b43e161eef03f6911ab

SHA1
2ee70c85a83e6b923af82b9176b607addaac8cf6

SHA256
48cbe1c01c0c2975e2d1e4298e8cf8539ca9dd6ecc1e0f08387f7eb782c97287

SHA512
354609f2fafe00d9941e0b2eb3a08abd7da11055e36838901a8a11da674077828b9ce163f5a6942f44e0b9f7c9676065b79885f8b03865e14b7c3a2ee22cd5d5

Download Submit
C:\Windows\{B7ED4E93-6FE4-4627-BB6B-77EE8CC110E4}.exe

Filesize
372KB

MD5
e1b9e694b97e4b43e161eef03f6911ab

SHA1
2ee70c85a83e6b923af82b9176b607addaac8cf6

SHA256
48cbe1c01c0c2975e2d1e4298e8cf8539ca9dd6ecc1e0f08387f7eb782c97287

SHA512
354609f2fafe00d9941e0b2eb3a08abd7da11055e36838901a8a11da674077828b9ce163f5a6942f44e0b9f7c9676065b79885f8b03865e14b7c3a2ee22cd5d5

Download Submit
C:\Windows\{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe

Filesize
372KB

MD5
a2365272ca38fa786b9b877d4fdaabc0

SHA1
93e384a3962e6f281c3d368f4a6e8d8e2cb5c7f2

SHA256
23ec93835e5611dbcd0f3d9716740ae18bc7d1609a31e1a66450f9a352f6d69a

SHA512
38884614291dac3e7c50d78bddb35763df8b4d97d30ebc8d17f4b617f136217a8d4d3d0b39441bee57853c00431c9ca22bb0ce7fca1bc1293a84ee0b54e82010

Download Submit
C:\Windows\{C1C49982-0022-4d8f-A7FE-CFC98C4DDD79}.exe

Filesize
372KB

MD5
a2365272ca38fa786b9b877d4fdaabc0

SHA1
93e384a3962e6f281c3d368f4a6e8d8e2cb5c7f2

SHA256
23ec93835e5611dbcd0f3d9716740ae18bc7d1609a31e1a66450f9a352f6d69a

SHA512
38884614291dac3e7c50d78bddb35763df8b4d97d30ebc8d17f4b617f136217a8d4d3d0b39441bee57853c00431c9ca22bb0ce7fca1bc1293a84ee0b54e82010

Download Submit
C:\Windows\{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe

Filesize
372KB

MD5
969d3949bf82a4805ea2809ae304f913

SHA1
c7f0e1eec600d0836e3563c1636f2fadb9e24dfe

SHA256
36f85716e7018396e07c1b6f6d752481fb818b49fa15b121bfa0aeb1d18e2416

SHA512
e09c8fe92e3b533843cdfbbb2fb64f4f84472e5410a2454f60854b3d5afb4cae8d5b3d7779f0592899dab70cfb127cf2b1da5328fc28e053d04fad33e4542120

Download Submit
C:\Windows\{C73EA251-40F0-48d8-B25A-F78BCA33B45C}.exe

Filesize
372KB

MD5
969d3949bf82a4805ea2809ae304f913

SHA1
c7f0e1eec600d0836e3563c1636f2fadb9e24dfe

SHA256
36f85716e7018396e07c1b6f6d752481fb818b49fa15b121bfa0aeb1d18e2416

SHA512
e09c8fe92e3b533843cdfbbb2fb64f4f84472e5410a2454f60854b3d5afb4cae8d5b3d7779f0592899dab70cfb127cf2b1da5328fc28e053d04fad33e4542120

Download Submit
C:\Windows\{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe

Filesize
372KB

MD5
273b36f758dbac92b2501df339ef936a

SHA1
a974edaff42240b61c081464f7097eab9aac2dd1

SHA256
c2165f8551dec04618838a43f9a916ae217db83f105a63e83234aedebac2f47c

SHA512
8413a144b565d924c5042c0793bd88804098f62bd8111b9b9103c84991a6ff26e5ef24cd2e12b64bcd045e1d6c79e6d3cc16a1d14bcec02f849fce2660871338

Download Submit
C:\Windows\{CE0B69F9-EF3A-46f7-91E1-75BA6E5EE524}.exe

Filesize
372KB

MD5
273b36f758dbac92b2501df339ef936a

SHA1
a974edaff42240b61c081464f7097eab9aac2dd1

SHA256
c2165f8551dec04618838a43f9a916ae217db83f105a63e83234aedebac2f47c

SHA512
8413a144b565d924c5042c0793bd88804098f62bd8111b9b9103c84991a6ff26e5ef24cd2e12b64bcd045e1d6c79e6d3cc16a1d14bcec02f849fce2660871338

Download Submit