9103e877b70306f32a00eca2f034b0b0921af89fd76b341e5c958e67fbda27a4

Analysis

max time kernel
144s
max time network
126s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
15/07/2023, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40942bd47f9ea9exeexe_JC.exe
Size

372KB
MD5

40942bd47f9ea9e9a5bd092d8f966449
SHA1

be7443f7dac94324b516245325c5b9d623dc69ba
SHA256

9103e877b70306f32a00eca2f034b0b0921af89fd76b341e5c958e67fbda27a4
SHA512

125b592883fb6be443a826d76a92530c7bc99adbbfe0b1e5bd309a45a6167addd7614769003398f540b240e5eb80006ccfb5dd20cd32209ab9473c3e5d560cd7
SSDEEP

3072:CEGh0oBmlJOiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBE:CEGel/Oe2MUVg3vTeKcAEciTBqr3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{988036EF-E843-4e44-9E6E-D0E02BAAB05F}\stubpath = "C:\\Windows\\{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe"	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}\stubpath = "C:\\Windows\\{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe"	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BC343F6-0771-4662-B85E-6F065F0394D1}\stubpath = "C:\\Windows\\{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe"	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}\stubpath = "C:\\Windows\\{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe"	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7999AF35-54DF-4ceb-A31D-99550ED2D98A}	{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}	40942bd47f9ea9exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DC0E836-9BD8-414e-95EC-68569DF3AD27}	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9DC0E836-9BD8-414e-95EC-68569DF3AD27}\stubpath = "C:\\Windows\\{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe"	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93473A3A-B9DD-40a2-9766-37FA4D32AD79}\stubpath = "C:\\Windows\\{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe"	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F864057-B65D-443f-8FC3-683DEA82DF9A}	{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F864057-B65D-443f-8FC3-683DEA82DF9A}\stubpath = "C:\\Windows\\{1F864057-B65D-443f-8FC3-683DEA82DF9A}.exe"	{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{93473A3A-B9DD-40a2-9766-37FA4D32AD79}	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}	{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}\stubpath = "C:\\Windows\\{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe"	{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}\stubpath = "C:\\Windows\\{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe"	40942bd47f9ea9exeexe_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{988036EF-E843-4e44-9E6E-D0E02BAAB05F}	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}\stubpath = "C:\\Windows\\{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe"	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9BC343F6-0771-4662-B85E-6F065F0394D1}	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7999AF35-54DF-4ceb-A31D-99550ED2D98A}\stubpath = "C:\\Windows\\{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe"	{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe

Deletes itself 1 IoCs

pid	Process
2648	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1976	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe
2512	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe
1044	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe
2932	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe
2832	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe
2912	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe
1692	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe
2748	{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe
2756	{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe
1896	{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe
1912	{1F864057-B65D-443f-8FC3-683DEA82DF9A}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe	{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe
File created	C:\Windows\{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe	{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe
File created	C:\Windows\{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe
File created	C:\Windows\{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe
File created	C:\Windows\{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe
File created	C:\Windows\{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe
File created	C:\Windows\{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe
File created	C:\Windows\{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe
File created	C:\Windows\{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe	40942bd47f9ea9exeexe_JC.exe
File created	C:\Windows\{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe
File created	C:\Windows\{1F864057-B65D-443f-8FC3-683DEA82DF9A}.exe	{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1120	40942bd47f9ea9exeexe_JC.exe
Token: SeIncBasePriorityPrivilege	1976	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe
Token: SeIncBasePriorityPrivilege	2512	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe
Token: SeIncBasePriorityPrivilege	1044	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe
Token: SeIncBasePriorityPrivilege	2932	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe
Token: SeIncBasePriorityPrivilege	2832	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe
Token: SeIncBasePriorityPrivilege	2912	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe
Token: SeIncBasePriorityPrivilege	1692	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe
Token: SeIncBasePriorityPrivilege	2748	{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe
Token: SeIncBasePriorityPrivilege	2756	{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe
Token: SeIncBasePriorityPrivilege	1896	{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1976	1120	40942bd47f9ea9exeexe_JC.exe	28
PID 1120 wrote to memory of 1976	1120	40942bd47f9ea9exeexe_JC.exe	28
PID 1120 wrote to memory of 1976	1120	40942bd47f9ea9exeexe_JC.exe	28
PID 1120 wrote to memory of 1976	1120	40942bd47f9ea9exeexe_JC.exe	28
PID 1120 wrote to memory of 2648	1120	40942bd47f9ea9exeexe_JC.exe	29
PID 1120 wrote to memory of 2648	1120	40942bd47f9ea9exeexe_JC.exe	29
PID 1120 wrote to memory of 2648	1120	40942bd47f9ea9exeexe_JC.exe	29
PID 1120 wrote to memory of 2648	1120	40942bd47f9ea9exeexe_JC.exe	29
PID 1976 wrote to memory of 2512	1976	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe	32
PID 1976 wrote to memory of 2512	1976	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe	32
PID 1976 wrote to memory of 2512	1976	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe	32
PID 1976 wrote to memory of 2512	1976	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe	32
PID 1976 wrote to memory of 2892	1976	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe	33
PID 1976 wrote to memory of 2892	1976	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe	33
PID 1976 wrote to memory of 2892	1976	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe	33
PID 1976 wrote to memory of 2892	1976	{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe	33
PID 2512 wrote to memory of 1044	2512	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe	34
PID 2512 wrote to memory of 1044	2512	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe	34
PID 2512 wrote to memory of 1044	2512	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe	34
PID 2512 wrote to memory of 1044	2512	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe	34
PID 2512 wrote to memory of 2848	2512	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe	35
PID 2512 wrote to memory of 2848	2512	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe	35
PID 2512 wrote to memory of 2848	2512	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe	35
PID 2512 wrote to memory of 2848	2512	{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe	35
PID 1044 wrote to memory of 2932	1044	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe	37
PID 1044 wrote to memory of 2932	1044	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe	37
PID 1044 wrote to memory of 2932	1044	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe	37
PID 1044 wrote to memory of 2932	1044	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe	37
PID 1044 wrote to memory of 2292	1044	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe	36
PID 1044 wrote to memory of 2292	1044	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe	36
PID 1044 wrote to memory of 2292	1044	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe	36
PID 1044 wrote to memory of 2292	1044	{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe	36
PID 2932 wrote to memory of 2832	2932	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe	38
PID 2932 wrote to memory of 2832	2932	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe	38
PID 2932 wrote to memory of 2832	2932	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe	38
PID 2932 wrote to memory of 2832	2932	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe	38
PID 2932 wrote to memory of 2900	2932	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe	39
PID 2932 wrote to memory of 2900	2932	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe	39
PID 2932 wrote to memory of 2900	2932	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe	39
PID 2932 wrote to memory of 2900	2932	{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe	39
PID 2832 wrote to memory of 2912	2832	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe	40
PID 2832 wrote to memory of 2912	2832	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe	40
PID 2832 wrote to memory of 2912	2832	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe	40
PID 2832 wrote to memory of 2912	2832	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe	40
PID 2832 wrote to memory of 2740	2832	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe	41
PID 2832 wrote to memory of 2740	2832	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe	41
PID 2832 wrote to memory of 2740	2832	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe	41
PID 2832 wrote to memory of 2740	2832	{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe	41
PID 2912 wrote to memory of 1692	2912	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe	43
PID 2912 wrote to memory of 1692	2912	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe	43
PID 2912 wrote to memory of 1692	2912	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe	43
PID 2912 wrote to memory of 1692	2912	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe	43
PID 2912 wrote to memory of 2876	2912	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe	42
PID 2912 wrote to memory of 2876	2912	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe	42
PID 2912 wrote to memory of 2876	2912	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe	42
PID 2912 wrote to memory of 2876	2912	{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe	42
PID 1692 wrote to memory of 2748	1692	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe	44
PID 1692 wrote to memory of 2748	1692	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe	44
PID 1692 wrote to memory of 2748	1692	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe	44
PID 1692 wrote to memory of 2748	1692	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe	44
PID 1692 wrote to memory of 2716	1692	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe	45
PID 1692 wrote to memory of 2716	1692	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe	45
PID 1692 wrote to memory of 2716	1692	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe	45
PID 1692 wrote to memory of 2716	1692	{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe	45

C:\Users\Admin\AppData\Local\Temp\40942bd47f9ea9exeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\40942bd47f9ea9exeexe_JC.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe
  C:\Windows\{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe
    C:\Windows\{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe
      C:\Windows\{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8FC8D~1.EXE > nul
        5⤵
        
        PID:2292
    - - C:\Windows\{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe
        
        C:\Windows\{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe
        
        C:\Windows\{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe
        
        C:\Windows\{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B897~1.EXE > nul
        8⤵
        
        PID:2876
        
        C:\Windows\{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe
        
        C:\Windows\{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe
        
        C:\Windows\{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe
        
        C:\Windows\{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe
        
        C:\Windows\{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5305~1.EXE > nul
        12⤵
        
        PID:2948
        
        C:\Windows\{1F864057-B65D-443f-8FC3-683DEA82DF9A}.exe
        
        C:\Windows\{1F864057-B65D-443f-8FC3-683DEA82DF9A}.exe
        12⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7999A~1.EXE > nul
        11⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93473~1.EXE > nul
        10⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9DC0E~1.EXE > nul
        9⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9BC34~1.EXE > nul
        7⤵
        
        PID:2740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7FDB~1.EXE > nul
        6⤵
        
        PID:2900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{98803~1.EXE > nul
      4⤵
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD7D5~1.EXE > nul
    3⤵
    PID:2892
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\40942B~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F864057-B65D-443f-8FC3-683DEA82DF9A}.exe

Filesize
372KB

MD5
2c42ce90efe60b44307cfa13430a438d

SHA1
dc6e9b6743ecf50d44260851dd5927dafe10ccd7

SHA256
1f5d2a23e6f94d5c45197d491726ae66b09d27fa29fcf77486388d4810df37e8

SHA512
460a9cd826156b3ea2fd42a2e389d10e72519dbafc6c7f3ee192c2fe6395bb5a2842c00d5719bda9329d33550ac05f4fad6cccd353e086ce655847b7a98a03a5

Download Submit
C:\Windows\{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe

Filesize
372KB

MD5
3a62f36245e9ab4321d8e49e5a8a4f17

SHA1
d9a6b26a2474eef00df6ad38d2e2b41a14377cd6

SHA256
ef8d733b5412fa6ea72f9abeaff90adf61bf39d8f771211d2ab6946cf51e850c

SHA512
36cc80560aef058be8527aa1e2956cc829baf5d15892162b91fe70b4287e5c4566a27e541424fa1c35f4060a45eb294d6c120ea3d35e2378f3329e7da523e4a0

Download Submit
C:\Windows\{7999AF35-54DF-4ceb-A31D-99550ED2D98A}.exe

Filesize
372KB

MD5
3a62f36245e9ab4321d8e49e5a8a4f17

SHA1
d9a6b26a2474eef00df6ad38d2e2b41a14377cd6

SHA256
ef8d733b5412fa6ea72f9abeaff90adf61bf39d8f771211d2ab6946cf51e850c

SHA512
36cc80560aef058be8527aa1e2956cc829baf5d15892162b91fe70b4287e5c4566a27e541424fa1c35f4060a45eb294d6c120ea3d35e2378f3329e7da523e4a0

Download Submit
C:\Windows\{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe

Filesize
372KB

MD5
60ec95e7616539bac0e8419cdc7e422e

SHA1
4dd140728ec0455e94d782ef64898102ff37a2bf

SHA256
a165111e84d7cc85f2291b89c6b4b7415cadc1df7bab6058ff2bc616d7269f52

SHA512
9761c4609f3ef4e06fb20ce7af6320352523b5e19dcb8a1078438d30c4893eed10dcf729edb8a4143e2841bd48332ad4039a4e0533b0af907af70574d4eea7bb

Download Submit
C:\Windows\{8B8977E3-B44E-4ba3-8705-57FB6B49BB0C}.exe

Filesize
372KB

MD5
60ec95e7616539bac0e8419cdc7e422e

SHA1
4dd140728ec0455e94d782ef64898102ff37a2bf

SHA256
a165111e84d7cc85f2291b89c6b4b7415cadc1df7bab6058ff2bc616d7269f52

SHA512
9761c4609f3ef4e06fb20ce7af6320352523b5e19dcb8a1078438d30c4893eed10dcf729edb8a4143e2841bd48332ad4039a4e0533b0af907af70574d4eea7bb

Download Submit
C:\Windows\{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe

Filesize
372KB

MD5
57900454d32e01a43cfe1c39bb99db4f

SHA1
605a001ec530ad627211db7f115801b114c0b0f9

SHA256
da6655fec1b2393776ae6ccb6e7f4328adfccbd61c884b075240557eb26b0399

SHA512
780d024aaeb2bd1c31b2e1b42947e7a57ee27183431af6c604946a01209d021e04bbd93d75f9bae839f73cdde18a9c5f55596266c9998532bdf3cb9e9b3c54db

Download Submit
C:\Windows\{8FC8DBB3-B7C9-4d32-8B73-B37709D0E61E}.exe

Filesize
372KB

MD5
57900454d32e01a43cfe1c39bb99db4f

SHA1
605a001ec530ad627211db7f115801b114c0b0f9

SHA256
da6655fec1b2393776ae6ccb6e7f4328adfccbd61c884b075240557eb26b0399

SHA512
780d024aaeb2bd1c31b2e1b42947e7a57ee27183431af6c604946a01209d021e04bbd93d75f9bae839f73cdde18a9c5f55596266c9998532bdf3cb9e9b3c54db

Download Submit
C:\Windows\{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe

Filesize
372KB

MD5
1eb26399d6327652383e25a28df7c1c5

SHA1
34209eecbf1626512b1d1f936842e8a9e1d7ce3c

SHA256
e4d36fca4810fa48ec0303304f3beed5836b9602db0451b452a546a4456824a2

SHA512
63345add246a78a8ae86053e78287f19e92ca88714f43ac08ae3d16eb462718febdf92c4942a13f2cd0e6325cc6716819ad7b5fcc7d076485a3e2a15f8237fdb

Download Submit
C:\Windows\{93473A3A-B9DD-40a2-9766-37FA4D32AD79}.exe

Filesize
372KB

MD5
1eb26399d6327652383e25a28df7c1c5

SHA1
34209eecbf1626512b1d1f936842e8a9e1d7ce3c

SHA256
e4d36fca4810fa48ec0303304f3beed5836b9602db0451b452a546a4456824a2

SHA512
63345add246a78a8ae86053e78287f19e92ca88714f43ac08ae3d16eb462718febdf92c4942a13f2cd0e6325cc6716819ad7b5fcc7d076485a3e2a15f8237fdb

Download Submit
C:\Windows\{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe

Filesize
372KB

MD5
cd1be0a5683ccdcc9d42ebd05cbbaf0c

SHA1
4d426adb0d475b43d6084f65d72b7261c4316e60

SHA256
77e5e526c0ff6644773d014b9fa11aa7b8240d7cbef9f0df1c29811a5b90811d

SHA512
22efe840fd5dcd2063947337611f33fe0555a840577ad3e232912b2820215f022a77b8283cf5169d26f612cce22cb8b63f74a9ed695a559d8cbc07917427177a

Download Submit
C:\Windows\{988036EF-E843-4e44-9E6E-D0E02BAAB05F}.exe

Filesize
372KB

MD5
cd1be0a5683ccdcc9d42ebd05cbbaf0c

SHA1
4d426adb0d475b43d6084f65d72b7261c4316e60

SHA256
77e5e526c0ff6644773d014b9fa11aa7b8240d7cbef9f0df1c29811a5b90811d

SHA512
22efe840fd5dcd2063947337611f33fe0555a840577ad3e232912b2820215f022a77b8283cf5169d26f612cce22cb8b63f74a9ed695a559d8cbc07917427177a

Download Submit
C:\Windows\{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe

Filesize
372KB

MD5
bede916c603bbeae624bedb0f57372d6

SHA1
02608d85e549051a876d9fdf164743092fa072a3

SHA256
bf3afcca68d5fe7616a5cc161ed355abc75f43ca777a9e33c862c3375f075568

SHA512
a11f62896757414a5e56dea3f59e633ec787400cd6c6afff99ef11d1bdbb53acad71aa210d7b24ef0878b5de0a66f8355f11ea273a74fa0bf579578d856d2a09

Download Submit
C:\Windows\{9BC343F6-0771-4662-B85E-6F065F0394D1}.exe

Filesize
372KB

MD5
bede916c603bbeae624bedb0f57372d6

SHA1
02608d85e549051a876d9fdf164743092fa072a3

SHA256
bf3afcca68d5fe7616a5cc161ed355abc75f43ca777a9e33c862c3375f075568

SHA512
a11f62896757414a5e56dea3f59e633ec787400cd6c6afff99ef11d1bdbb53acad71aa210d7b24ef0878b5de0a66f8355f11ea273a74fa0bf579578d856d2a09

Download Submit
C:\Windows\{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe

Filesize
372KB

MD5
7f5e93c2fc1763772cbc3020195213d6

SHA1
5e3f977b39ec95ea2197b214a738efb87534511d

SHA256
68d0f123918a9e5fbcbecdb38ad6d73f6198eb8f0072315cc96f3c710703fb6f

SHA512
74d62965b0afcca95baa2ad445705809ba8671f742b55dccf7ad626449dbfe30a90b66eef783fe0b87a295707a6ef91d8f9616cdecaf1a21bf1bf728528a3d5f

Download Submit
C:\Windows\{9DC0E836-9BD8-414e-95EC-68569DF3AD27}.exe

Filesize
372KB

MD5
7f5e93c2fc1763772cbc3020195213d6

SHA1
5e3f977b39ec95ea2197b214a738efb87534511d

SHA256
68d0f123918a9e5fbcbecdb38ad6d73f6198eb8f0072315cc96f3c710703fb6f

SHA512
74d62965b0afcca95baa2ad445705809ba8671f742b55dccf7ad626449dbfe30a90b66eef783fe0b87a295707a6ef91d8f9616cdecaf1a21bf1bf728528a3d5f

Download Submit
C:\Windows\{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe

Filesize
372KB

MD5
3de931d13612f2faf7f106b813e0812b

SHA1
539695b2775724e72721b53925e2a52a3bc01765

SHA256
7eb9d991e28ef4ae76e1b5042d8acad690c2727ff3c3310534d73212cfc4fdc0

SHA512
9dd420c96f5cd8aefc38e501cdf1270ac50d55592395562f6889d37ec34cb2a818171f3cdbf554442688f02699f9c33a27f5f1795c0af18b1d6f24664184bc51

Download Submit
C:\Windows\{B53059F2-847C-4629-BDD5-61D7A2B9A8BB}.exe

Filesize
372KB

MD5
3de931d13612f2faf7f106b813e0812b

SHA1
539695b2775724e72721b53925e2a52a3bc01765

SHA256
7eb9d991e28ef4ae76e1b5042d8acad690c2727ff3c3310534d73212cfc4fdc0

SHA512
9dd420c96f5cd8aefc38e501cdf1270ac50d55592395562f6889d37ec34cb2a818171f3cdbf554442688f02699f9c33a27f5f1795c0af18b1d6f24664184bc51

Download Submit
C:\Windows\{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe

Filesize
372KB

MD5
af9b735529044ce099d58a9dcf74b5d9

SHA1
0a33bf4c5e8fd82547ba883fcc1ecf1662856037

SHA256
af351492fcd64fad7bc30ad94f5d21b486326059e74562943fcbec7106104a96

SHA512
ad19a32f7d28f5b15a971fa265eb0de4f11e1d00d349568e337890ad9f9b576018b0031948ba430058ab808f53662012e1a20bbab3338411beadc2b58b3353cb

Download Submit
C:\Windows\{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe

Filesize
372KB

MD5
af9b735529044ce099d58a9dcf74b5d9

SHA1
0a33bf4c5e8fd82547ba883fcc1ecf1662856037

SHA256
af351492fcd64fad7bc30ad94f5d21b486326059e74562943fcbec7106104a96

SHA512
ad19a32f7d28f5b15a971fa265eb0de4f11e1d00d349568e337890ad9f9b576018b0031948ba430058ab808f53662012e1a20bbab3338411beadc2b58b3353cb

Download Submit
C:\Windows\{BD7D52EE-42D4-4a4d-9DA6-BF728AD28B7D}.exe

Filesize
372KB

MD5
af9b735529044ce099d58a9dcf74b5d9

SHA1
0a33bf4c5e8fd82547ba883fcc1ecf1662856037

SHA256
af351492fcd64fad7bc30ad94f5d21b486326059e74562943fcbec7106104a96

SHA512
ad19a32f7d28f5b15a971fa265eb0de4f11e1d00d349568e337890ad9f9b576018b0031948ba430058ab808f53662012e1a20bbab3338411beadc2b58b3353cb

Download Submit
C:\Windows\{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe

Filesize
372KB

MD5
2b3a493dd0b290c489b8ee283e078fdf

SHA1
3b2905bd9cdf3a540f873b218cdf712bd991d010

SHA256
9a09eab23db7c6d97a1dd5f59b6727aaeca22643c1aae8863e85b16a04dfe0fd

SHA512
4101721d80cfe675aeddf7f0051180cef92b8d85afeef6d9a9c766e02be8c8bf36060b7b7c90acd661de0fd1ed982701180a738d998d561a397bfe0ef45d8110

Download Submit
C:\Windows\{E7FDB129-1CCC-4cd7-AD12-F347A79CFDCF}.exe

Filesize
372KB

MD5
2b3a493dd0b290c489b8ee283e078fdf

SHA1
3b2905bd9cdf3a540f873b218cdf712bd991d010

SHA256
9a09eab23db7c6d97a1dd5f59b6727aaeca22643c1aae8863e85b16a04dfe0fd

SHA512
4101721d80cfe675aeddf7f0051180cef92b8d85afeef6d9a9c766e02be8c8bf36060b7b7c90acd661de0fd1ed982701180a738d998d561a397bfe0ef45d8110

Download Submit