4bea97068a5ef0867c2512ebf1102e9d0f52c491ce2c1171de221fbd9a1cde3d

Analysis

max time kernel
145s
max time network
32s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
10-07-2023 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c876b72b2d93afexeexeexeex.exe
Size

168KB
MD5

c876b72b2d93afdc0aeaf9cdd22cdbe9
SHA1

0fab487e2638c16383fb4369b28073ad507f31c0
SHA256

4bea97068a5ef0867c2512ebf1102e9d0f52c491ce2c1171de221fbd9a1cde3d
SHA512

67901bcd42cc8d6c35a31f8b1804a1ed70243d4fdcdca4bcf03bd6eb05b30fe13091c50ad593c66744d214864b01edc849fbe6bed7d340336afbc687deac5cf4
SSDEEP

1536:1EGh0oFlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oFlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}\stubpath = "C:\\Windows\\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe"	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48CEF946-23CE-49f7-943F-346BCAE56ECF}	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E134877E-CB14-4d7b-A7D7-23F550177B6B}	{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E134877E-CB14-4d7b-A7D7-23F550177B6B}\stubpath = "C:\\Windows\\{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe"	{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{224B37F7-38ED-40d6-8802-7E3EB5E5124F}	{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}\stubpath = "C:\\Windows\\{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe"	{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0545B58-EF21-4082-B5E3-E81118B7F83A}\stubpath = "C:\\Windows\\{F0545B58-EF21-4082-B5E3-E81118B7F83A}.exe"	{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24C9EA62-FDAB-43df-A944-C54A5536E713}\stubpath = "C:\\Windows\\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe"	c876b72b2d93afexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}\stubpath = "C:\\Windows\\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe"	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E074CE17-FEA0-40af-8691-D9EA043709ED}	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E074CE17-FEA0-40af-8691-D9EA043709ED}\stubpath = "C:\\Windows\\{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe"	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{48CEF946-23CE-49f7-943F-346BCAE56ECF}\stubpath = "C:\\Windows\\{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe"	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8D717DD-FE05-484d-A4B3-73396D704A22}\stubpath = "C:\\Windows\\{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe"	{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}	{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0545B58-EF21-4082-B5E3-E81118B7F83A}	{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84570F70-7F63-445c-9505-D3070DEFA9F0}\stubpath = "C:\\Windows\\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe"	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{595EBBCC-50B8-445d-9FED-33906ACA12D6}	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}\stubpath = "C:\\Windows\\{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe"	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{224B37F7-38ED-40d6-8802-7E3EB5E5124F}\stubpath = "C:\\Windows\\{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe"	{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{24C9EA62-FDAB-43df-A944-C54A5536E713}	c876b72b2d93afexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{84570F70-7F63-445c-9505-D3070DEFA9F0}	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{595EBBCC-50B8-445d-9FED-33906ACA12D6}\stubpath = "C:\\Windows\\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe"	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C8D717DD-FE05-484d-A4B3-73396D704A22}	{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe

Deletes itself 1 IoCs

pid	Process
2324	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
1708	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
768	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
2108	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
2996	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe
2976	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe
2032	{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe
672	{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe
2708	{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe
2612	{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe
2516	{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe
2616	{F0545B58-EF21-4082-B5E3-E81118B7F83A}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	c876b72b2d93afexeexeexeex.exe
File created	C:\Windows\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
File created	C:\Windows\{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe
File created	C:\Windows\{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe
File created	C:\Windows\{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe	{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe
File created	C:\Windows\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
File created	C:\Windows\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
File created	C:\Windows\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
File created	C:\Windows\{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
File created	C:\Windows\{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe	{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe
File created	C:\Windows\{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe	{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe
File created	C:\Windows\{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe	{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe
File created	C:\Windows\{F0545B58-EF21-4082-B5E3-E81118B7F83A}.exe	{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2376	c876b72b2d93afexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
Token: SeIncBasePriorityPrivilege	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
Token: SeIncBasePriorityPrivilege	1708	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
Token: SeIncBasePriorityPrivilege	768	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
Token: SeIncBasePriorityPrivilege	2108	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
Token: SeIncBasePriorityPrivilege	2996	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe
Token: SeIncBasePriorityPrivilege	2976	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe
Token: SeIncBasePriorityPrivilege	2032	{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe
Token: SeIncBasePriorityPrivilege	672	{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe
Token: SeIncBasePriorityPrivilege	2708	{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe
Token: SeIncBasePriorityPrivilege	2612	{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe
Token: SeIncBasePriorityPrivilege	2516	{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2192	2376	c876b72b2d93afexeexeexeex.exe	29
PID 2376 wrote to memory of 2192	2376	c876b72b2d93afexeexeexeex.exe	29
PID 2376 wrote to memory of 2192	2376	c876b72b2d93afexeexeexeex.exe	29
PID 2376 wrote to memory of 2192	2376	c876b72b2d93afexeexeexeex.exe	29
PID 2376 wrote to memory of 2324	2376	c876b72b2d93afexeexeexeex.exe	30
PID 2376 wrote to memory of 2324	2376	c876b72b2d93afexeexeexeex.exe	30
PID 2376 wrote to memory of 2324	2376	c876b72b2d93afexeexeexeex.exe	30
PID 2376 wrote to memory of 2324	2376	c876b72b2d93afexeexeexeex.exe	30
PID 2192 wrote to memory of 2096	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	32
PID 2192 wrote to memory of 2096	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	32
PID 2192 wrote to memory of 2096	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	32
PID 2192 wrote to memory of 2096	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	32
PID 2192 wrote to memory of 1856	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	31
PID 2192 wrote to memory of 1856	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	31
PID 2192 wrote to memory of 1856	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	31
PID 2192 wrote to memory of 1856	2192	{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe	31
PID 2096 wrote to memory of 1708	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	34
PID 2096 wrote to memory of 1708	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	34
PID 2096 wrote to memory of 1708	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	34
PID 2096 wrote to memory of 1708	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	34
PID 2096 wrote to memory of 2564	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	33
PID 2096 wrote to memory of 2564	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	33
PID 2096 wrote to memory of 2564	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	33
PID 2096 wrote to memory of 2564	2096	{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe	33
PID 1708 wrote to memory of 768	1708	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	36
PID 1708 wrote to memory of 768	1708	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	36
PID 1708 wrote to memory of 768	1708	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	36
PID 1708 wrote to memory of 768	1708	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	36
PID 1708 wrote to memory of 268	1708	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	35
PID 1708 wrote to memory of 268	1708	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	35
PID 1708 wrote to memory of 268	1708	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	35
PID 1708 wrote to memory of 268	1708	{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe	35
PID 768 wrote to memory of 2108	768	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	37
PID 768 wrote to memory of 2108	768	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	37
PID 768 wrote to memory of 2108	768	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	37
PID 768 wrote to memory of 2108	768	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	37
PID 768 wrote to memory of 2980	768	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	38
PID 768 wrote to memory of 2980	768	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	38
PID 768 wrote to memory of 2980	768	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	38
PID 768 wrote to memory of 2980	768	{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe	38
PID 2108 wrote to memory of 2996	2108	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	40
PID 2108 wrote to memory of 2996	2108	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	40
PID 2108 wrote to memory of 2996	2108	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	40
PID 2108 wrote to memory of 2996	2108	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	40
PID 2108 wrote to memory of 3060	2108	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	39
PID 2108 wrote to memory of 3060	2108	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	39
PID 2108 wrote to memory of 3060	2108	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	39
PID 2108 wrote to memory of 3060	2108	{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe	39
PID 2996 wrote to memory of 2976	2996	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe	41
PID 2996 wrote to memory of 2976	2996	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe	41
PID 2996 wrote to memory of 2976	2996	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe	41
PID 2996 wrote to memory of 2976	2996	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe	41
PID 2996 wrote to memory of 1832	2996	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe	42
PID 2996 wrote to memory of 1832	2996	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe	42
PID 2996 wrote to memory of 1832	2996	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe	42
PID 2996 wrote to memory of 1832	2996	{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe	42
PID 2976 wrote to memory of 2032	2976	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe	43
PID 2976 wrote to memory of 2032	2976	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe	43
PID 2976 wrote to memory of 2032	2976	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe	43
PID 2976 wrote to memory of 2032	2976	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe	43
PID 2976 wrote to memory of 1656	2976	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe	44
PID 2976 wrote to memory of 1656	2976	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe	44
PID 2976 wrote to memory of 1656	2976	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe	44
PID 2976 wrote to memory of 1656	2976	{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe	44

C:\Users\Admin\AppData\Local\Temp\c876b72b2d93afexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c876b72b2d93afexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
  C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{24C9E~1.EXE > nul
    3⤵
    PID:1856
- - C:\Windows\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
    C:\Windows\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{84570~1.EXE > nul
      4⤵
      PID:2564
  - - C:\Windows\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
      C:\Windows\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{896CF~1.EXE > nul
        5⤵
        
        PID:268
    - - C:\Windows\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
        
        C:\Windows\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
      - C:\Windows\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
        
        C:\Windows\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{595EB~1.EXE > nul
        7⤵
        
        PID:3060
        
        C:\Windows\{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe
        
        C:\Windows\{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe
        
        C:\Windows\{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2976
        
        C:\Windows\{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe
        
        C:\Windows\{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{48CEF~1.EXE > nul
        10⤵
        
        PID:2700
        
        C:\Windows\{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe
        
        C:\Windows\{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
        
        C:\Windows\{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe
        
        C:\Windows\{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe
        
        C:\Windows\{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe
        
        C:\Windows\{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\{F0545B58-EF21-4082-B5E3-E81118B7F83A}.exe
        
        C:\Windows\{F0545B58-EF21-4082-B5E3-E81118B7F83A}.exe
        14⤵
        Executes dropped EXE
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4C87~1.EXE > nul
        14⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{224B3~1.EXE > nul
        13⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E1348~1.EXE > nul
        12⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C8D71~1.EXE > nul
        11⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A52BE~1.EXE > nul
        9⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E074C~1.EXE > nul
        8⤵
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D94A3~1.EXE > nul
        6⤵
        
        PID:2980
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C876B7~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe

Filesize
168KB

MD5
7c278ed9314b2e4a0d79732d676de58c

SHA1
fdd182041ec90554a67b167ea2bb107a50671048

SHA256
8656f7b242c0fc0c353e64aa2d5a4d630abf9b129abc5c32d1cdbc6857b5b342

SHA512
35bff876458650952cb1ac2c4c7770a910b746cc791eae6c924fee44ccb43743594d963f5fea5aa01c90aa98126e9c6a7d8b3f5e054168aba0b185cb634b96fc

Download Submit
C:\Windows\{224B37F7-38ED-40d6-8802-7E3EB5E5124F}.exe

Filesize
168KB

MD5
7c278ed9314b2e4a0d79732d676de58c

SHA1
fdd182041ec90554a67b167ea2bb107a50671048

SHA256
8656f7b242c0fc0c353e64aa2d5a4d630abf9b129abc5c32d1cdbc6857b5b342

SHA512
35bff876458650952cb1ac2c4c7770a910b746cc791eae6c924fee44ccb43743594d963f5fea5aa01c90aa98126e9c6a7d8b3f5e054168aba0b185cb634b96fc

Download Submit
C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe

Filesize
168KB

MD5
21fbbb723190977a24bc07901af79a84

SHA1
8cfefb87feb7c7cf695ebcf3053d7ebb2200ce85

SHA256
ecead467b11eb304cb8a3c3515e64f23fa7d0aef1e99cd37cf18d1066fee0014

SHA512
3059fd0943b385cf6c00d98102f08a24fbee10f2b0e55455bc5a90aa5e49895a0a21840d8e21da02e40909265c5f08e7769e65e614a650019de26df049474698

Download Submit
C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe

Filesize
168KB

MD5
21fbbb723190977a24bc07901af79a84

SHA1
8cfefb87feb7c7cf695ebcf3053d7ebb2200ce85

SHA256
ecead467b11eb304cb8a3c3515e64f23fa7d0aef1e99cd37cf18d1066fee0014

SHA512
3059fd0943b385cf6c00d98102f08a24fbee10f2b0e55455bc5a90aa5e49895a0a21840d8e21da02e40909265c5f08e7769e65e614a650019de26df049474698

Download Submit
C:\Windows\{24C9EA62-FDAB-43df-A944-C54A5536E713}.exe

Filesize
168KB

MD5
21fbbb723190977a24bc07901af79a84

SHA1
8cfefb87feb7c7cf695ebcf3053d7ebb2200ce85

SHA256
ecead467b11eb304cb8a3c3515e64f23fa7d0aef1e99cd37cf18d1066fee0014

SHA512
3059fd0943b385cf6c00d98102f08a24fbee10f2b0e55455bc5a90aa5e49895a0a21840d8e21da02e40909265c5f08e7769e65e614a650019de26df049474698

Download Submit
C:\Windows\{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe

Filesize
168KB

MD5
91411f4abacf5213ccdf41b903689274

SHA1
f600a2f7ced9076fe3a52b1e1c33e0fcec8c0dac

SHA256
6520817fbc13cb6cd2c586e4e0479c4e5d53e428aefab458057486bfa88f7e96

SHA512
d4cea152ed00619c855cd1377fbec5bef12ac85b2bfeeaf655812e3af110f8d4927eb17458f0b3a5dcfcb7c03863c69a4b0efd4b0abe8d5a99d9b9aa9f2978e0

Download Submit
C:\Windows\{48CEF946-23CE-49f7-943F-346BCAE56ECF}.exe

Filesize
168KB

MD5
91411f4abacf5213ccdf41b903689274

SHA1
f600a2f7ced9076fe3a52b1e1c33e0fcec8c0dac

SHA256
6520817fbc13cb6cd2c586e4e0479c4e5d53e428aefab458057486bfa88f7e96

SHA512
d4cea152ed00619c855cd1377fbec5bef12ac85b2bfeeaf655812e3af110f8d4927eb17458f0b3a5dcfcb7c03863c69a4b0efd4b0abe8d5a99d9b9aa9f2978e0

Download Submit
C:\Windows\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe

Filesize
168KB

MD5
fdf372a63ed7b3438dee55c987c444c3

SHA1
1d78685d5da2b4cfb1628849a18ac284d8329c81

SHA256
542320454a39223c5afb491b5b25895b217b810e5f25258deeabd9c5c8d35e2d

SHA512
8eb7fd4d5269da4cb06836f52f3557cbd7e288629cf6254530071717713d4e2d832f10099e929689235c17897b8328d4592dfd321709ad7748cb6fb989f02365

Download Submit
C:\Windows\{595EBBCC-50B8-445d-9FED-33906ACA12D6}.exe

Filesize
168KB

MD5
fdf372a63ed7b3438dee55c987c444c3

SHA1
1d78685d5da2b4cfb1628849a18ac284d8329c81

SHA256
542320454a39223c5afb491b5b25895b217b810e5f25258deeabd9c5c8d35e2d

SHA512
8eb7fd4d5269da4cb06836f52f3557cbd7e288629cf6254530071717713d4e2d832f10099e929689235c17897b8328d4592dfd321709ad7748cb6fb989f02365

Download Submit
C:\Windows\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe

Filesize
168KB

MD5
1e1ea0cd47baf0966d98f831cca119ba

SHA1
1492dc88ef7688de3b4d7301b73321c100b190c6

SHA256
40f1f29c1c951d9f669dc3b462b8010e58b3768ddfe88358725e3651d77c5628

SHA512
e082c8acc796b9135db356f634d72380b5ba48a4fc3be5bbdc32d8ce109ae58edeb52f195242daaf811dda33c8c45174fb2b1cd89255137ff5c453c8e13631dd

Download Submit
C:\Windows\{84570F70-7F63-445c-9505-D3070DEFA9F0}.exe

Filesize
168KB

MD5
1e1ea0cd47baf0966d98f831cca119ba

SHA1
1492dc88ef7688de3b4d7301b73321c100b190c6

SHA256
40f1f29c1c951d9f669dc3b462b8010e58b3768ddfe88358725e3651d77c5628

SHA512
e082c8acc796b9135db356f634d72380b5ba48a4fc3be5bbdc32d8ce109ae58edeb52f195242daaf811dda33c8c45174fb2b1cd89255137ff5c453c8e13631dd

Download Submit
C:\Windows\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe

Filesize
168KB

MD5
7ec1057f3406dc40f512de651ac7f369

SHA1
4d392f9574b6c1523c932df9afc1530c72133928

SHA256
0aa6865967b4f49935331ba5f87a2e9a6993822a8781d36be87d4f1c44f591ad

SHA512
0a9fc5834ebb2bb291aace4b9e44fa05d73f2d0c3e1bf1493ad8323a4d2226ed30cee0937d80afa07605d5bf0dc63bd634a237b35fbb4d23b6bc6db8b24d8530

Download Submit
C:\Windows\{896CFD63-0C4B-46a3-885B-1E6FEE9FFE6D}.exe

Filesize
168KB

MD5
7ec1057f3406dc40f512de651ac7f369

SHA1
4d392f9574b6c1523c932df9afc1530c72133928

SHA256
0aa6865967b4f49935331ba5f87a2e9a6993822a8781d36be87d4f1c44f591ad

SHA512
0a9fc5834ebb2bb291aace4b9e44fa05d73f2d0c3e1bf1493ad8323a4d2226ed30cee0937d80afa07605d5bf0dc63bd634a237b35fbb4d23b6bc6db8b24d8530

Download Submit
C:\Windows\{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe

Filesize
168KB

MD5
3b0ad3c67ad197a2d1a255b5c5f73307

SHA1
eb7c547e2ebb50520b82ece9cf079d9377f515c6

SHA256
7a0fe24114f3dbb7e6e5a029840c039484811e6f24bcdf200ff8f6f66e0d8c48

SHA512
ed0b93d246dceb239e4a9f6e11be47fc974b33ec32eb56a7331f957a8979fc99e5da684f4e1a3994d6631dce2356559e5ddbddf1a90d3394bb944166f788572b

Download Submit
C:\Windows\{A52BE811-B48E-48c8-B6B0-C33FDAFD04D9}.exe

Filesize
168KB

MD5
3b0ad3c67ad197a2d1a255b5c5f73307

SHA1
eb7c547e2ebb50520b82ece9cf079d9377f515c6

SHA256
7a0fe24114f3dbb7e6e5a029840c039484811e6f24bcdf200ff8f6f66e0d8c48

SHA512
ed0b93d246dceb239e4a9f6e11be47fc974b33ec32eb56a7331f957a8979fc99e5da684f4e1a3994d6631dce2356559e5ddbddf1a90d3394bb944166f788572b

Download Submit
C:\Windows\{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe

Filesize
168KB

MD5
1ab5a2655876ef9fdd06098e0aeed5b0

SHA1
b5dd144064061f707a0549d9fe7ff8a529a91c2c

SHA256
d3e8c1c80a78c6e7b02b31972d0113839e2548ce710aa0e8e24c6103f19cedb0

SHA512
1d850db846b28b1639d0ee01908d9ba1a577cfee3933f28e642c0c38e7712ef7770b61a959dc9e60134849e836f226c158f7cc82606e6343794af7030365a5a5

Download Submit
C:\Windows\{C8D717DD-FE05-484d-A4B3-73396D704A22}.exe

Filesize
168KB

MD5
1ab5a2655876ef9fdd06098e0aeed5b0

SHA1
b5dd144064061f707a0549d9fe7ff8a529a91c2c

SHA256
d3e8c1c80a78c6e7b02b31972d0113839e2548ce710aa0e8e24c6103f19cedb0

SHA512
1d850db846b28b1639d0ee01908d9ba1a577cfee3933f28e642c0c38e7712ef7770b61a959dc9e60134849e836f226c158f7cc82606e6343794af7030365a5a5

Download Submit
C:\Windows\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe

Filesize
168KB

MD5
f66079993c015643b47f6128f637e6d7

SHA1
411be7130a71ab62607aabd92caef6b4c2594a69

SHA256
0a082f31bcdcb971095b69560ad7570d1065cc4bdfd1b4450f4fe34cc6826729

SHA512
ffff9ccd59e7413d269bee87bf11c71d63dca10eb696c1d90bff673f4461fd84d977488df228e2d7dbcd98aabd4de31f62266d763acbc5f6acec4fff4e2b82f2

Download Submit
C:\Windows\{D94A3882-1FC0-4b36-910D-AFD0A277DBA4}.exe

Filesize
168KB

MD5
f66079993c015643b47f6128f637e6d7

SHA1
411be7130a71ab62607aabd92caef6b4c2594a69

SHA256
0a082f31bcdcb971095b69560ad7570d1065cc4bdfd1b4450f4fe34cc6826729

SHA512
ffff9ccd59e7413d269bee87bf11c71d63dca10eb696c1d90bff673f4461fd84d977488df228e2d7dbcd98aabd4de31f62266d763acbc5f6acec4fff4e2b82f2

Download Submit
C:\Windows\{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe

Filesize
168KB

MD5
5b405cbdb12658888afde03d816794e7

SHA1
1d34b006c451e79160a11fa2b3f289dfbdff90be

SHA256
e080b5befb85fda4edf8f87652dfecc8487f51a0b71a5ed395667e805db759b8

SHA512
a751b66f229a64611ff0cd7a9ce2e8e5251bf92ea7da3360c6d45749287c740112662114106827312a4dd5070bc06344c9c006dd7842ee1a51fba2b0d182fcf1

Download Submit
C:\Windows\{E074CE17-FEA0-40af-8691-D9EA043709ED}.exe

Filesize
168KB

MD5
5b405cbdb12658888afde03d816794e7

SHA1
1d34b006c451e79160a11fa2b3f289dfbdff90be

SHA256
e080b5befb85fda4edf8f87652dfecc8487f51a0b71a5ed395667e805db759b8

SHA512
a751b66f229a64611ff0cd7a9ce2e8e5251bf92ea7da3360c6d45749287c740112662114106827312a4dd5070bc06344c9c006dd7842ee1a51fba2b0d182fcf1

Download Submit
C:\Windows\{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe

Filesize
168KB

MD5
08c877b69958a7e1d6ec5e851a598d4e

SHA1
bebd6aa3317d65a60ddbf76a5433f8b7b7f26247

SHA256
cdd5cbcc0129788ffcd7b85d0f2a1ea5e167dcd539510f71afd5c569931f1c01

SHA512
3799cbf4b9dccb9a214b1b79b487af487bf34567b8d830905664759b8c2ea05bdd8c958c53a5c76c1d73bb069f353fa54cd750db44735ea0ec31081d9ee18c1c

Download Submit
C:\Windows\{E134877E-CB14-4d7b-A7D7-23F550177B6B}.exe

Filesize
168KB

MD5
08c877b69958a7e1d6ec5e851a598d4e

SHA1
bebd6aa3317d65a60ddbf76a5433f8b7b7f26247

SHA256
cdd5cbcc0129788ffcd7b85d0f2a1ea5e167dcd539510f71afd5c569931f1c01

SHA512
3799cbf4b9dccb9a214b1b79b487af487bf34567b8d830905664759b8c2ea05bdd8c958c53a5c76c1d73bb069f353fa54cd750db44735ea0ec31081d9ee18c1c

Download Submit
C:\Windows\{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe

Filesize
168KB

MD5
6fdf01cb11382331e3af5abf09c5585a

SHA1
65719d8288135010f27031ce782a46f0957fca74

SHA256
45b0716f16575aefac0709ca80c9a4f2ca847c5c7fc8549cf3f46c5fdf75a2bd

SHA512
5141299212c814f874c22ee811c54bd168ae9fbc19c291236985e6c46210cd97e838f9f7df3d3c87776f93d29ec1d6613b020cce65dc02b005f6210adcd9fced

Download Submit
C:\Windows\{E4C87E01-3A3F-4f0a-9713-07BC73AB8D4D}.exe

Filesize
168KB

MD5
6fdf01cb11382331e3af5abf09c5585a

SHA1
65719d8288135010f27031ce782a46f0957fca74

SHA256
45b0716f16575aefac0709ca80c9a4f2ca847c5c7fc8549cf3f46c5fdf75a2bd

SHA512
5141299212c814f874c22ee811c54bd168ae9fbc19c291236985e6c46210cd97e838f9f7df3d3c87776f93d29ec1d6613b020cce65dc02b005f6210adcd9fced

Download Submit
C:\Windows\{F0545B58-EF21-4082-B5E3-E81118B7F83A}.exe

Filesize
168KB

MD5
6a8822d7f1b0416c70b5e916fa3ce187

SHA1
af7ecaf1e1e29c96cf437341b4961557fb3fdbda

SHA256
9f489f60ce8dcbe3d5874159d2b69be568049a4cf2e5ce853623ef57677f9f82

SHA512
68b85602f2302f100acd226362c0725fe7effdbbcad49a88ae14110c105a0400a3c0188e89992657989448a1b81f0b38278c29cfad508971bbe2af39c25e24a2

Download Submit