9103e877b70306f32a00eca2f034b0b0921af89fd76b341e5c958e67fbda27a4

Analysis

max time kernel
148s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2023 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40942bd47f9ea9exeexe_JC.exe
Size

372KB
MD5

40942bd47f9ea9e9a5bd092d8f966449
SHA1

be7443f7dac94324b516245325c5b9d623dc69ba
SHA256

9103e877b70306f32a00eca2f034b0b0921af89fd76b341e5c958e67fbda27a4
SHA512

125b592883fb6be443a826d76a92530c7bc99adbbfe0b1e5bd309a45a6167addd7614769003398f540b240e5eb80006ccfb5dd20cd32209ab9473c3e5d560cd7
SSDEEP

3072:CEGh0oBmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGel/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D1EC57C-8F86-4345-9868-98EA17973484}\stubpath = "C:\\Windows\\{9D1EC57C-8F86-4345-9868-98EA17973484}.exe"	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8889BCF-01A4-4c6c-BB6E-373768E28003}	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80432F73-6977-489c-88E9-03F45C7F6F6A}	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A792352A-5F98-4d79-A48A-E174664209D2}\stubpath = "C:\\Windows\\{A792352A-5F98-4d79-A48A-E174664209D2}.exe"	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}\stubpath = "C:\\Windows\\{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe"	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C8889BCF-01A4-4c6c-BB6E-373768E28003}\stubpath = "C:\\Windows\\{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe"	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{325B891D-F8BE-474b-8F99-5A56DA0E181A}	{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB874AF9-8329-4ea9-9122-839F04A40F2D}	{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB874AF9-8329-4ea9-9122-839F04A40F2D}\stubpath = "C:\\Windows\\{EB874AF9-8329-4ea9-9122-839F04A40F2D}.exe"	{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}\stubpath = "C:\\Windows\\{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe"	40942bd47f9ea9exeexe_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}\stubpath = "C:\\Windows\\{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe"	{A792352A-5F98-4d79-A48A-E174664209D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}\stubpath = "C:\\Windows\\{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe"	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E350577-675E-424b-AD5C-AAEEAD1D0308}\stubpath = "C:\\Windows\\{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe"	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{325B891D-F8BE-474b-8F99-5A56DA0E181A}\stubpath = "C:\\Windows\\{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe"	{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}	40942bd47f9ea9exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A792352A-5F98-4d79-A48A-E174664209D2}	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}\stubpath = "C:\\Windows\\{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe"	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D1EC57C-8F86-4345-9868-98EA17973484}	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7E350577-675E-424b-AD5C-AAEEAD1D0308}	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80432F73-6977-489c-88E9-03F45C7F6F6A}\stubpath = "C:\\Windows\\{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe"	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}	{A792352A-5F98-4d79-A48A-E174664209D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4932	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe
2660	{A792352A-5F98-4d79-A48A-E174664209D2}.exe
1376	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe
1336	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe
456	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe
1680	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe
4176	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe
4760	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe
968	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe
224	{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe
2660	{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe
4676	{EB874AF9-8329-4ea9-9122-839F04A40F2D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe
File created	C:\Windows\{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe
File created	C:\Windows\{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe
File created	C:\Windows\{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe
File created	C:\Windows\{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe	{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe
File created	C:\Windows\{EB874AF9-8329-4ea9-9122-839F04A40F2D}.exe	{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe
File created	C:\Windows\{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe	40942bd47f9ea9exeexe_JC.exe
File created	C:\Windows\{A792352A-5F98-4d79-A48A-E174664209D2}.exe	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe
File created	C:\Windows\{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe	{A792352A-5F98-4d79-A48A-E174664209D2}.exe
File created	C:\Windows\{9D1EC57C-8F86-4345-9868-98EA17973484}.exe	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe
File created	C:\Windows\{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe
File created	C:\Windows\{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3976	40942bd47f9ea9exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	4932	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe
Token: SeIncBasePriorityPrivilege	2660	{A792352A-5F98-4d79-A48A-E174664209D2}.exe
Token: SeIncBasePriorityPrivilege	1376	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe
Token: SeIncBasePriorityPrivilege	1336	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe
Token: SeIncBasePriorityPrivilege	456	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe
Token: SeIncBasePriorityPrivilege	1680	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe
Token: SeIncBasePriorityPrivilege	4176	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe
Token: SeIncBasePriorityPrivilege	4760	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe
Token: SeIncBasePriorityPrivilege	968	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe
Token: SeIncBasePriorityPrivilege	224	{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe
Token: SeIncBasePriorityPrivilege	2660	{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 4932	3976	40942bd47f9ea9exeexe_JC.exe	89
PID 3976 wrote to memory of 4932	3976	40942bd47f9ea9exeexe_JC.exe	89
PID 3976 wrote to memory of 4932	3976	40942bd47f9ea9exeexe_JC.exe	89
PID 3976 wrote to memory of 4012	3976	40942bd47f9ea9exeexe_JC.exe	90
PID 3976 wrote to memory of 4012	3976	40942bd47f9ea9exeexe_JC.exe	90
PID 3976 wrote to memory of 4012	3976	40942bd47f9ea9exeexe_JC.exe	90
PID 4932 wrote to memory of 2660	4932	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe	94
PID 4932 wrote to memory of 2660	4932	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe	94
PID 4932 wrote to memory of 2660	4932	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe	94
PID 4932 wrote to memory of 2560	4932	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe	95
PID 4932 wrote to memory of 2560	4932	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe	95
PID 4932 wrote to memory of 2560	4932	{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe	95
PID 2660 wrote to memory of 1376	2660	{A792352A-5F98-4d79-A48A-E174664209D2}.exe	99
PID 2660 wrote to memory of 1376	2660	{A792352A-5F98-4d79-A48A-E174664209D2}.exe	99
PID 2660 wrote to memory of 1376	2660	{A792352A-5F98-4d79-A48A-E174664209D2}.exe	99
PID 2660 wrote to memory of 2084	2660	{A792352A-5F98-4d79-A48A-E174664209D2}.exe	98
PID 2660 wrote to memory of 2084	2660	{A792352A-5F98-4d79-A48A-E174664209D2}.exe	98
PID 2660 wrote to memory of 2084	2660	{A792352A-5F98-4d79-A48A-E174664209D2}.exe	98
PID 1376 wrote to memory of 1336	1376	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe	100
PID 1376 wrote to memory of 1336	1376	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe	100
PID 1376 wrote to memory of 1336	1376	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe	100
PID 1376 wrote to memory of 5068	1376	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe	101
PID 1376 wrote to memory of 5068	1376	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe	101
PID 1376 wrote to memory of 5068	1376	{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe	101
PID 1336 wrote to memory of 456	1336	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe	102
PID 1336 wrote to memory of 456	1336	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe	102
PID 1336 wrote to memory of 456	1336	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe	102
PID 1336 wrote to memory of 3780	1336	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe	103
PID 1336 wrote to memory of 3780	1336	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe	103
PID 1336 wrote to memory of 3780	1336	{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe	103
PID 456 wrote to memory of 1680	456	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe	109
PID 456 wrote to memory of 1680	456	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe	109
PID 456 wrote to memory of 1680	456	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe	109
PID 456 wrote to memory of 4296	456	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe	110
PID 456 wrote to memory of 4296	456	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe	110
PID 456 wrote to memory of 4296	456	{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe	110
PID 1680 wrote to memory of 4176	1680	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe	111
PID 1680 wrote to memory of 4176	1680	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe	111
PID 1680 wrote to memory of 4176	1680	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe	111
PID 1680 wrote to memory of 640	1680	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe	112
PID 1680 wrote to memory of 640	1680	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe	112
PID 1680 wrote to memory of 640	1680	{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe	112
PID 4176 wrote to memory of 4760	4176	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe	114
PID 4176 wrote to memory of 4760	4176	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe	114
PID 4176 wrote to memory of 4760	4176	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe	114
PID 4176 wrote to memory of 2276	4176	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe	113
PID 4176 wrote to memory of 2276	4176	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe	113
PID 4176 wrote to memory of 2276	4176	{9D1EC57C-8F86-4345-9868-98EA17973484}.exe	113
PID 4760 wrote to memory of 968	4760	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe	117
PID 4760 wrote to memory of 968	4760	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe	117
PID 4760 wrote to memory of 968	4760	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe	117
PID 4760 wrote to memory of 3304	4760	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe	118
PID 4760 wrote to memory of 3304	4760	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe	118
PID 4760 wrote to memory of 3304	4760	{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe	118
PID 968 wrote to memory of 224	968	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe	119
PID 968 wrote to memory of 224	968	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe	119
PID 968 wrote to memory of 224	968	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe	119
PID 968 wrote to memory of 500	968	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe	120
PID 968 wrote to memory of 500	968	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe	120
PID 968 wrote to memory of 500	968	{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe	120
PID 224 wrote to memory of 2660	224	{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe	121
PID 224 wrote to memory of 2660	224	{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe	121
PID 224 wrote to memory of 2660	224	{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe	121
PID 224 wrote to memory of 4576	224	{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe	122

C:\Users\Admin\AppData\Local\Temp\40942bd47f9ea9exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\40942bd47f9ea9exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Windows\{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe
  C:\Windows\{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\{A792352A-5F98-4d79-A48A-E174664209D2}.exe
    C:\Windows\{A792352A-5F98-4d79-A48A-E174664209D2}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A7923~1.EXE > nul
      4⤵
      PID:2084
  - - C:\Windows\{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe
      C:\Windows\{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1376
    - - C:\Windows\{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe
        
        C:\Windows\{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
      - C:\Windows\{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe
        
        C:\Windows\{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe
        
        C:\Windows\{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\{9D1EC57C-8F86-4345-9868-98EA17973484}.exe
        
        C:\Windows\{9D1EC57C-8F86-4345-9868-98EA17973484}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4176
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D1EC~1.EXE > nul
        9⤵
        
        PID:2276
        
        C:\Windows\{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe
        
        C:\Windows\{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe
        
        C:\Windows\{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Windows\{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe
        
        C:\Windows\{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe
        
        C:\Windows\{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\{EB874AF9-8329-4ea9-9122-839F04A40F2D}.exe
        
        C:\Windows\{EB874AF9-8329-4ea9-9122-839F04A40F2D}.exe
        13⤵
        Executes dropped EXE
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{325B8~1.EXE > nul
        13⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80432~1.EXE > nul
        12⤵
        
        PID:4576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7E350~1.EXE > nul
        11⤵
        
        PID:500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8889~1.EXE > nul
        10⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCCAB~1.EXE > nul
        8⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3DF1~1.EXE > nul
        7⤵
        
        PID:4296
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD02F~1.EXE > nul
        6⤵
        
        PID:3780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6958~1.EXE > nul
        5⤵
        
        PID:5068
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5DB3C~1.EXE > nul
    3⤵
    PID:2560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\40942B~1.EXE > nul
  2⤵
  PID:4012

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe

Filesize
372KB

MD5
30d6ad789875ee27d201a5994ed29991

SHA1
2811fac815cf1a32874a68eeff6c98466706ef28

SHA256
19612155d8ace0ed02b98dbcd420ba72d15c80ee83e52f7ed7b43da39a725900

SHA512
3900208702b673a85de2d71bf3cef2fc3ea142e988b1dc564de81035c0b8acb841d242373c2388faf50dbd77c24d7d0112a40f49e5f1dcf3095cd801a6bdfc75

Download Submit
C:\Windows\{325B891D-F8BE-474b-8F99-5A56DA0E181A}.exe

Filesize
372KB

MD5
30d6ad789875ee27d201a5994ed29991

SHA1
2811fac815cf1a32874a68eeff6c98466706ef28

SHA256
19612155d8ace0ed02b98dbcd420ba72d15c80ee83e52f7ed7b43da39a725900

SHA512
3900208702b673a85de2d71bf3cef2fc3ea142e988b1dc564de81035c0b8acb841d242373c2388faf50dbd77c24d7d0112a40f49e5f1dcf3095cd801a6bdfc75

Download Submit
C:\Windows\{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe

Filesize
372KB

MD5
91b586cd29084c39b9f92d0e669715ff

SHA1
d97bdc8047cad271c1f3e0cba10fc3724a2d35db

SHA256
64f848678d0f32632af50f3d297489ca9cda8e46f005e7341eb70d7fac8a021d

SHA512
b33f9fb64d3573748a8bd45fba2d5b854591f9cf1f7a5e5a380cddb655207cf45af518da0a6c09ed551d2863c8ec95207decbcd3e1ace8d07a944075dd15f32c

Download Submit
C:\Windows\{5DB3C07F-0D0D-4a7a-81B2-D07773D9A9C8}.exe

Filesize
372KB

MD5
91b586cd29084c39b9f92d0e669715ff

SHA1
d97bdc8047cad271c1f3e0cba10fc3724a2d35db

SHA256
64f848678d0f32632af50f3d297489ca9cda8e46f005e7341eb70d7fac8a021d

SHA512
b33f9fb64d3573748a8bd45fba2d5b854591f9cf1f7a5e5a380cddb655207cf45af518da0a6c09ed551d2863c8ec95207decbcd3e1ace8d07a944075dd15f32c

Download Submit
C:\Windows\{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe

Filesize
372KB

MD5
e98741821d602961b5f2e56df059a685

SHA1
8fd448436ea653a507dc957a2590939bc9b07855

SHA256
e1500d6f780dde7a6cd42d331d2cbeb0bf80fd5f0844879d1f4647436c445406

SHA512
1673e84ff7917b1bab3e3c8ae4e37ca649b9a1df8c05b90c9cf73ee0aca9da4b085bd089c6698ca96df52c5f97b827e8b684c7543a88c32860b2655abb00ff28

Download Submit
C:\Windows\{7E350577-675E-424b-AD5C-AAEEAD1D0308}.exe

Filesize
372KB

MD5
e98741821d602961b5f2e56df059a685

SHA1
8fd448436ea653a507dc957a2590939bc9b07855

SHA256
e1500d6f780dde7a6cd42d331d2cbeb0bf80fd5f0844879d1f4647436c445406

SHA512
1673e84ff7917b1bab3e3c8ae4e37ca649b9a1df8c05b90c9cf73ee0aca9da4b085bd089c6698ca96df52c5f97b827e8b684c7543a88c32860b2655abb00ff28

Download Submit
C:\Windows\{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe

Filesize
372KB

MD5
7f6cf3aefe0e93626224777ba064c11a

SHA1
eebc7d9823c5dcd1afe8bdd1e85e14cf9d8fba68

SHA256
04744b19a74d6c23b26f73b81f29ec67ebff15f9c01227a602ea11881da61cd3

SHA512
bc266bb394f137234633b789153d16d5c7b143fde965621720399d25eb00a30addd53eee2c5372c207e72fef1017827af9ba4727c7f2ad2fe05ae96d68142419

Download Submit
C:\Windows\{80432F73-6977-489c-88E9-03F45C7F6F6A}.exe

Filesize
372KB

MD5
7f6cf3aefe0e93626224777ba064c11a

SHA1
eebc7d9823c5dcd1afe8bdd1e85e14cf9d8fba68

SHA256
04744b19a74d6c23b26f73b81f29ec67ebff15f9c01227a602ea11881da61cd3

SHA512
bc266bb394f137234633b789153d16d5c7b143fde965621720399d25eb00a30addd53eee2c5372c207e72fef1017827af9ba4727c7f2ad2fe05ae96d68142419

Download Submit
C:\Windows\{9D1EC57C-8F86-4345-9868-98EA17973484}.exe

Filesize
372KB

MD5
31d76e75833c81d66ad94dbfbe1f1307

SHA1
a114b9fe594cd5aaca293f64f81f945b2a6e6c9f

SHA256
38d57df3386934d7ffdc9bd1282879fc4ef8468bf033a2332777934c62752ce7

SHA512
00c447e3cf4a8e12572f7b137d01b0ce9058b5fb33264b287c784010df18fdef307d1f03d9fd5dd75e68b2e23a212722b57e9bf6111dd7a3fa38d3f40e3da09f

Download Submit
C:\Windows\{9D1EC57C-8F86-4345-9868-98EA17973484}.exe

Filesize
372KB

MD5
31d76e75833c81d66ad94dbfbe1f1307

SHA1
a114b9fe594cd5aaca293f64f81f945b2a6e6c9f

SHA256
38d57df3386934d7ffdc9bd1282879fc4ef8468bf033a2332777934c62752ce7

SHA512
00c447e3cf4a8e12572f7b137d01b0ce9058b5fb33264b287c784010df18fdef307d1f03d9fd5dd75e68b2e23a212722b57e9bf6111dd7a3fa38d3f40e3da09f

Download Submit
C:\Windows\{A792352A-5F98-4d79-A48A-E174664209D2}.exe

Filesize
372KB

MD5
3647caf1df0f35284674c9cc70e80ec7

SHA1
d7b21ae48537b1d12834a9d5dff91cfb40d3d18a

SHA256
2789f25a7892be8a9ffd43c149391a029fe176e5ffb0a877e7d21017b29466bc

SHA512
d16942c0ef7215dbf94ef90951459820bd0775f79b690aa5d84b83188e5dc9096b55df97493e608f7763010968dc9256076d1fd15c2e56935092d8f887308876

Download Submit
C:\Windows\{A792352A-5F98-4d79-A48A-E174664209D2}.exe

Filesize
372KB

MD5
3647caf1df0f35284674c9cc70e80ec7

SHA1
d7b21ae48537b1d12834a9d5dff91cfb40d3d18a

SHA256
2789f25a7892be8a9ffd43c149391a029fe176e5ffb0a877e7d21017b29466bc

SHA512
d16942c0ef7215dbf94ef90951459820bd0775f79b690aa5d84b83188e5dc9096b55df97493e608f7763010968dc9256076d1fd15c2e56935092d8f887308876

Download Submit
C:\Windows\{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe

Filesize
372KB

MD5
0eea1759674e405bae0a88b8dd130e38

SHA1
e879bd6412cb462e70524bd7d3fc7db987337a4f

SHA256
9de112328cedf346bfbf55038be2baaca03f837e9e555d75704c6e758098a198

SHA512
0e80a3e4bfa6549c55585d34356992bae96b0c59e0b7c45a1c471f9601a90e8dab65997e9e0d7b16508bc1dc38f7318c8e17110556881e8754991fb6be599014

Download Submit
C:\Windows\{C3DF1830-4ED0-41fe-80F5-D311E54F07BD}.exe

Filesize
372KB

MD5
0eea1759674e405bae0a88b8dd130e38

SHA1
e879bd6412cb462e70524bd7d3fc7db987337a4f

SHA256
9de112328cedf346bfbf55038be2baaca03f837e9e555d75704c6e758098a198

SHA512
0e80a3e4bfa6549c55585d34356992bae96b0c59e0b7c45a1c471f9601a90e8dab65997e9e0d7b16508bc1dc38f7318c8e17110556881e8754991fb6be599014

Download Submit
C:\Windows\{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe

Filesize
372KB

MD5
770c3960a68daf2ba7a3771685ab92ea

SHA1
c6d2eb7e87b43df77eeb1647a6f68e1c2f45fd8e

SHA256
2021b2c8670916bb26eb4ace599913c9bfd3c6147184407f1ec995d18928e9b1

SHA512
770ec8dc54fbed7a6db21ac9b32a77a8ee3f1592b16eeda0298cc43da6b2913ee1f62b226a20696aa426d0bda70dba71f4534041bb8b698ca715d0aee675ec40

Download Submit
C:\Windows\{C8889BCF-01A4-4c6c-BB6E-373768E28003}.exe

Filesize
372KB

MD5
770c3960a68daf2ba7a3771685ab92ea

SHA1
c6d2eb7e87b43df77eeb1647a6f68e1c2f45fd8e

SHA256
2021b2c8670916bb26eb4ace599913c9bfd3c6147184407f1ec995d18928e9b1

SHA512
770ec8dc54fbed7a6db21ac9b32a77a8ee3f1592b16eeda0298cc43da6b2913ee1f62b226a20696aa426d0bda70dba71f4534041bb8b698ca715d0aee675ec40

Download Submit
C:\Windows\{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe

Filesize
372KB

MD5
be93a503aa363a5c9dc8ff607023311c

SHA1
a2d53e7689294d4508101bfc778fa3d7615d4012

SHA256
7cd6c67deb47cfcdde1f1f3436601315b720bf9afae6cfbeb322469b79329a4f

SHA512
b2c572a90e76d9fa5937425c26eb46215f369a9dd0fb3ea21c8d8a374bfb4c40d10d067c8dca290302b9ce3dc051725f1ea58e40d307837c13feb1a30fb41dba

Download Submit
C:\Windows\{CD02F88C-1A2E-4856-BAC8-F3D7E49D60EC}.exe

Filesize
372KB

MD5
be93a503aa363a5c9dc8ff607023311c

SHA1
a2d53e7689294d4508101bfc778fa3d7615d4012

SHA256
7cd6c67deb47cfcdde1f1f3436601315b720bf9afae6cfbeb322469b79329a4f

SHA512
b2c572a90e76d9fa5937425c26eb46215f369a9dd0fb3ea21c8d8a374bfb4c40d10d067c8dca290302b9ce3dc051725f1ea58e40d307837c13feb1a30fb41dba

Download Submit
C:\Windows\{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe

Filesize
372KB

MD5
6a882b95554c184fa4ac74725475c6f5

SHA1
3d5338ca0df2ac180266acee647e71440591b6dd

SHA256
885b754c5376799858a9df7c7c1c5668c4c099f28fd25c93b8f912a2f3b4230c

SHA512
a4bf1cd041af23854ba7ae9aa275fabc8a7c726de9eff506a2969e48b70e6d3b3eb3ad3a9c4e49a1de2292e5470df1e7e4a6628fed36f07439c1f5f058333b92

Download Submit
C:\Windows\{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe

Filesize
372KB

MD5
6a882b95554c184fa4ac74725475c6f5

SHA1
3d5338ca0df2ac180266acee647e71440591b6dd

SHA256
885b754c5376799858a9df7c7c1c5668c4c099f28fd25c93b8f912a2f3b4230c

SHA512
a4bf1cd041af23854ba7ae9aa275fabc8a7c726de9eff506a2969e48b70e6d3b3eb3ad3a9c4e49a1de2292e5470df1e7e4a6628fed36f07439c1f5f058333b92

Download Submit
C:\Windows\{E6958C22-F7F5-4228-9FFE-E3F4576A4D6A}.exe

Filesize
372KB

MD5
6a882b95554c184fa4ac74725475c6f5

SHA1
3d5338ca0df2ac180266acee647e71440591b6dd

SHA256
885b754c5376799858a9df7c7c1c5668c4c099f28fd25c93b8f912a2f3b4230c

SHA512
a4bf1cd041af23854ba7ae9aa275fabc8a7c726de9eff506a2969e48b70e6d3b3eb3ad3a9c4e49a1de2292e5470df1e7e4a6628fed36f07439c1f5f058333b92

Download Submit
C:\Windows\{EB874AF9-8329-4ea9-9122-839F04A40F2D}.exe

Filesize
372KB

MD5
a628555001ec00964e6924bd4028135c

SHA1
b8529dd1bfe849c340a1a58be4b4bf8fb1355722

SHA256
8bbedcf6b1b606ffbcd50568a1623d2715fdc95a9b2094bda4e4066d1fdc234b

SHA512
89ddfceb404d85ef1b8d5e1e3dbf91d305be29f096c80ecf73cff530ec0a9eeef033f6fd02b38b0d6a467ef0089027076ff52b8a10c67b6705a0e1b198ae17cd

Download Submit
C:\Windows\{EB874AF9-8329-4ea9-9122-839F04A40F2D}.exe

Filesize
372KB

MD5
a628555001ec00964e6924bd4028135c

SHA1
b8529dd1bfe849c340a1a58be4b4bf8fb1355722

SHA256
8bbedcf6b1b606ffbcd50568a1623d2715fdc95a9b2094bda4e4066d1fdc234b

SHA512
89ddfceb404d85ef1b8d5e1e3dbf91d305be29f096c80ecf73cff530ec0a9eeef033f6fd02b38b0d6a467ef0089027076ff52b8a10c67b6705a0e1b198ae17cd

Download Submit
C:\Windows\{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe

Filesize
372KB

MD5
5f7b34357c830207143594a2c565752a

SHA1
8716087d40b0c998aa243103488118ef7181cef1

SHA256
56cff9fa5c2e4373a76441947863ecb3fbb7db8a2ba784de71e8ef524e10ff0a

SHA512
e0c0649b31f7f0411c9f89c211ccc5ce5771532d5850a54321f2da27cc746a83dd51ebddea778a463e96a72538a6249954df28d4c0be5461ec9766caf1dc93d4

Download Submit
C:\Windows\{FCCAB478-C20D-4578-B4B4-06BEFBBD8D28}.exe

Filesize
372KB

MD5
5f7b34357c830207143594a2c565752a

SHA1
8716087d40b0c998aa243103488118ef7181cef1

SHA256
56cff9fa5c2e4373a76441947863ecb3fbb7db8a2ba784de71e8ef524e10ff0a

SHA512
e0c0649b31f7f0411c9f89c211ccc5ce5771532d5850a54321f2da27cc746a83dd51ebddea778a463e96a72538a6249954df28d4c0be5461ec9766caf1dc93d4

Download Submit