4bea97068a5ef0867c2512ebf1102e9d0f52c491ce2c1171de221fbd9a1cde3d

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2023 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c876b72b2d93afexeexeexeex.exe
Size

168KB
MD5

c876b72b2d93afdc0aeaf9cdd22cdbe9
SHA1

0fab487e2638c16383fb4369b28073ad507f31c0
SHA256

4bea97068a5ef0867c2512ebf1102e9d0f52c491ce2c1171de221fbd9a1cde3d
SHA512

67901bcd42cc8d6c35a31f8b1804a1ed70243d4fdcdca4bcf03bd6eb05b30fe13091c50ad593c66744d214864b01edc849fbe6bed7d340336afbc687deac5cf4
SSDEEP

1536:1EGh0oFlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oFlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F88775B4-08F7-4226-957B-76EBB06A913A}	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}\stubpath = "C:\\Windows\\{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe"	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D150C2-5306-4ff8-914E-EF732C29DFAA}	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E96A60A0-52D9-4e26-BF9B-175789A7FE11}	{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}	c876b72b2d93afexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6236E5AF-E814-4194-BCB4-2AC5349965B0}	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62BBBE2E-F2FF-4173-8164-09F7C591CF23}	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E96A60A0-52D9-4e26-BF9B-175789A7FE11}\stubpath = "C:\\Windows\\{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe"	{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}\stubpath = "C:\\Windows\\{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe"	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}\stubpath = "C:\\Windows\\{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe"	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2D150C2-5306-4ff8-914E-EF732C29DFAA}\stubpath = "C:\\Windows\\{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe"	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8189EE73-1C62-47c1-90D3-7C61DC9BD9C5}	{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}\stubpath = "C:\\Windows\\{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe"	c876b72b2d93afexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62BBBE2E-F2FF-4173-8164-09F7C591CF23}\stubpath = "C:\\Windows\\{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe"	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81626CC6-2A02-4e72-819E-BD11F7056A5F}	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8189EE73-1C62-47c1-90D3-7C61DC9BD9C5}\stubpath = "C:\\Windows\\{8189EE73-1C62-47c1-90D3-7C61DC9BD9C5}.exe"	{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6236E5AF-E814-4194-BCB4-2AC5349965B0}\stubpath = "C:\\Windows\\{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe"	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F88775B4-08F7-4226-957B-76EBB06A913A}\stubpath = "C:\\Windows\\{F88775B4-08F7-4226-957B-76EBB06A913A}.exe"	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}\stubpath = "C:\\Windows\\{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe"	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{81626CC6-2A02-4e72-819E-BD11F7056A5F}\stubpath = "C:\\Windows\\{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe"	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe

Executes dropped EXE 12 IoCs

pid	Process
2896	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe
5036	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe
3588	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe
2056	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe
4376	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe
2920	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe
3044	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe
1156	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe
2692	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe
4560	{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe
2160	{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe
2812	{8189EE73-1C62-47c1-90D3-7C61DC9BD9C5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe	c876b72b2d93afexeexeexeex.exe
File created	C:\Windows\{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe
File created	C:\Windows\{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe
File created	C:\Windows\{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe
File created	C:\Windows\{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe
File created	C:\Windows\{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe
File created	C:\Windows\{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe
File created	C:\Windows\{F88775B4-08F7-4226-957B-76EBB06A913A}.exe	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe
File created	C:\Windows\{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe
File created	C:\Windows\{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe
File created	C:\Windows\{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe	{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe
File created	C:\Windows\{8189EE73-1C62-47c1-90D3-7C61DC9BD9C5}.exe	{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1076	c876b72b2d93afexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2896	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe
Token: SeIncBasePriorityPrivilege	5036	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe
Token: SeIncBasePriorityPrivilege	3588	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe
Token: SeIncBasePriorityPrivilege	2056	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe
Token: SeIncBasePriorityPrivilege	4376	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe
Token: SeIncBasePriorityPrivilege	2920	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe
Token: SeIncBasePriorityPrivilege	3044	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe
Token: SeIncBasePriorityPrivilege	1156	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe
Token: SeIncBasePriorityPrivilege	2692	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe
Token: SeIncBasePriorityPrivilege	4560	{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe
Token: SeIncBasePriorityPrivilege	2160	{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 2896	1076	c876b72b2d93afexeexeexeex.exe	89
PID 1076 wrote to memory of 2896	1076	c876b72b2d93afexeexeexeex.exe	89
PID 1076 wrote to memory of 2896	1076	c876b72b2d93afexeexeexeex.exe	89
PID 1076 wrote to memory of 2756	1076	c876b72b2d93afexeexeexeex.exe	90
PID 1076 wrote to memory of 2756	1076	c876b72b2d93afexeexeexeex.exe	90
PID 1076 wrote to memory of 2756	1076	c876b72b2d93afexeexeexeex.exe	90
PID 2896 wrote to memory of 5036	2896	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe	91
PID 2896 wrote to memory of 5036	2896	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe	91
PID 2896 wrote to memory of 5036	2896	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe	91
PID 2896 wrote to memory of 3972	2896	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe	92
PID 2896 wrote to memory of 3972	2896	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe	92
PID 2896 wrote to memory of 3972	2896	{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe	92
PID 5036 wrote to memory of 3588	5036	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe	96
PID 5036 wrote to memory of 3588	5036	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe	96
PID 5036 wrote to memory of 3588	5036	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe	96
PID 5036 wrote to memory of 4872	5036	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe	97
PID 5036 wrote to memory of 4872	5036	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe	97
PID 5036 wrote to memory of 4872	5036	{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe	97
PID 3588 wrote to memory of 2056	3588	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe	98
PID 3588 wrote to memory of 2056	3588	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe	98
PID 3588 wrote to memory of 2056	3588	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe	98
PID 3588 wrote to memory of 1456	3588	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe	99
PID 3588 wrote to memory of 1456	3588	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe	99
PID 3588 wrote to memory of 1456	3588	{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe	99
PID 2056 wrote to memory of 4376	2056	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe	100
PID 2056 wrote to memory of 4376	2056	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe	100
PID 2056 wrote to memory of 4376	2056	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe	100
PID 2056 wrote to memory of 224	2056	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe	101
PID 2056 wrote to memory of 224	2056	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe	101
PID 2056 wrote to memory of 224	2056	{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe	101
PID 4376 wrote to memory of 2920	4376	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe	103
PID 4376 wrote to memory of 2920	4376	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe	103
PID 4376 wrote to memory of 2920	4376	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe	103
PID 4376 wrote to memory of 4084	4376	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe	104
PID 4376 wrote to memory of 4084	4376	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe	104
PID 4376 wrote to memory of 4084	4376	{F88775B4-08F7-4226-957B-76EBB06A913A}.exe	104
PID 2920 wrote to memory of 3044	2920	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe	105
PID 2920 wrote to memory of 3044	2920	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe	105
PID 2920 wrote to memory of 3044	2920	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe	105
PID 2920 wrote to memory of 3788	2920	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe	106
PID 2920 wrote to memory of 3788	2920	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe	106
PID 2920 wrote to memory of 3788	2920	{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe	106
PID 3044 wrote to memory of 1156	3044	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe	107
PID 3044 wrote to memory of 1156	3044	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe	107
PID 3044 wrote to memory of 1156	3044	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe	107
PID 3044 wrote to memory of 4776	3044	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe	108
PID 3044 wrote to memory of 4776	3044	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe	108
PID 3044 wrote to memory of 4776	3044	{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe	108
PID 1156 wrote to memory of 2692	1156	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe	109
PID 1156 wrote to memory of 2692	1156	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe	109
PID 1156 wrote to memory of 2692	1156	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe	109
PID 1156 wrote to memory of 1496	1156	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe	110
PID 1156 wrote to memory of 1496	1156	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe	110
PID 1156 wrote to memory of 1496	1156	{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe	110
PID 2692 wrote to memory of 4560	2692	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe	111
PID 2692 wrote to memory of 4560	2692	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe	111
PID 2692 wrote to memory of 4560	2692	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe	111
PID 2692 wrote to memory of 4336	2692	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe	112
PID 2692 wrote to memory of 4336	2692	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe	112
PID 2692 wrote to memory of 4336	2692	{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe	112
PID 4560 wrote to memory of 2160	4560	{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe	113
PID 4560 wrote to memory of 2160	4560	{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe	113
PID 4560 wrote to memory of 2160	4560	{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe	113
PID 4560 wrote to memory of 4412	4560	{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe	114

C:\Users\Admin\AppData\Local\Temp\c876b72b2d93afexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\c876b72b2d93afexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Windows\{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe
  C:\Windows\{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe
    C:\Windows\{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe
      C:\Windows\{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe
        
        C:\Windows\{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\{F88775B4-08F7-4226-957B-76EBB06A913A}.exe
        
        C:\Windows\{F88775B4-08F7-4226-957B-76EBB06A913A}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe
        
        C:\Windows\{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe
        
        C:\Windows\{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe
        
        C:\Windows\{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe
        
        C:\Windows\{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe
        
        C:\Windows\{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe
        
        C:\Windows\{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\{8189EE73-1C62-47c1-90D3-7C61DC9BD9C5}.exe
        
        C:\Windows\{8189EE73-1C62-47c1-90D3-7C61DC9BD9C5}.exe
        13⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E96A6~1.EXE > nul
        13⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2D15~1.EXE > nul
        12⤵
        
        PID:4412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{627E9~1.EXE > nul
        11⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20C99~1.EXE > nul
        10⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0E9F~1.EXE > nul
        9⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9B4E2~1.EXE > nul
        8⤵
        
        PID:3788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F8877~1.EXE > nul
        7⤵
        
        PID:4084
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{81626~1.EXE > nul
        6⤵
        
        PID:224
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62BBB~1.EXE > nul
        5⤵
        
        PID:1456
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6236E~1.EXE > nul
      4⤵
      PID:4872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7C45D~1.EXE > nul
    3⤵
    PID:3972
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C876B7~1.EXE > nul
  2⤵
  PID:2756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe

Filesize
168KB

MD5
bb84183dbe2b857f88b80fe31f2dcef7

SHA1
7218f482b57de9a6455c4af1123d7a01b87f99d7

SHA256
25d6053ed6fdd108a999297c4070aa0324ffa91b921339bc263bfad98c6a516d

SHA512
5b552acd009e3313c70d64095eadcaab3ca5f8d9e5be6335f462832b0a3f66a81c06d0e12f364743afefa8b6379767841c226d9f5fc256c6ecddb45969606e51

Download Submit
C:\Windows\{20C992AB-FA8C-4697-AFA4-B76EF2BC020C}.exe

Filesize
168KB

MD5
bb84183dbe2b857f88b80fe31f2dcef7

SHA1
7218f482b57de9a6455c4af1123d7a01b87f99d7

SHA256
25d6053ed6fdd108a999297c4070aa0324ffa91b921339bc263bfad98c6a516d

SHA512
5b552acd009e3313c70d64095eadcaab3ca5f8d9e5be6335f462832b0a3f66a81c06d0e12f364743afefa8b6379767841c226d9f5fc256c6ecddb45969606e51

Download Submit
C:\Windows\{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe

Filesize
168KB

MD5
2a087ca686197bdc6093913fe6ab98af

SHA1
f37f0ea3fd6bf4c95a84a96c4ee05c42db722779

SHA256
880eaeef512860de633f169e39dcb10cd08d416c667a1e647caf294e28df0120

SHA512
dd478455009396793e8a734192b67f708780210291f003b30f0c948698bc81fb7e36e68dea52b854827a6a7c9dd65a19f6a7514fdc1d5938764a446793ade2e4

Download Submit
C:\Windows\{6236E5AF-E814-4194-BCB4-2AC5349965B0}.exe

Filesize
168KB

MD5
2a087ca686197bdc6093913fe6ab98af

SHA1
f37f0ea3fd6bf4c95a84a96c4ee05c42db722779

SHA256
880eaeef512860de633f169e39dcb10cd08d416c667a1e647caf294e28df0120

SHA512
dd478455009396793e8a734192b67f708780210291f003b30f0c948698bc81fb7e36e68dea52b854827a6a7c9dd65a19f6a7514fdc1d5938764a446793ade2e4

Download Submit
C:\Windows\{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe

Filesize
168KB

MD5
39bd73c99bb9b6bfcc2ee7d90328a2aa

SHA1
e821a40a2bf40c8cf8e44774cac6ccee5b4d2427

SHA256
176451d8e9e716b32fb80c8771927d65f6a7ba9dd56278d21a5ee72de2228934

SHA512
85b64659a3053db5e06bfc6a1d44bd7a41afb2551f3bd0824cafe220c9ea35ddb524d5210d6bb7803d60c3462264db65eebc74f183e0293464958dc9eb4c6d1e

Download Submit
C:\Windows\{627E98F8-50B1-4c5e-9C64-91890C4C3F4B}.exe

Filesize
168KB

MD5
39bd73c99bb9b6bfcc2ee7d90328a2aa

SHA1
e821a40a2bf40c8cf8e44774cac6ccee5b4d2427

SHA256
176451d8e9e716b32fb80c8771927d65f6a7ba9dd56278d21a5ee72de2228934

SHA512
85b64659a3053db5e06bfc6a1d44bd7a41afb2551f3bd0824cafe220c9ea35ddb524d5210d6bb7803d60c3462264db65eebc74f183e0293464958dc9eb4c6d1e

Download Submit
C:\Windows\{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe

Filesize
168KB

MD5
58b371f1eb3c27d58e4f76ee4ac3672e

SHA1
6e502acd84e84964d997eef717658c93ab359148

SHA256
ed7d8bd6245990eb56c8cda87678ab7a1d6d058da70174c4495e86b5818cbe81

SHA512
caa8b2f9681434cd5a769582d2665917641bedcdcaf4385bf42723b9b819946e87add20c844b029364a23a2c8e962ce1d23fa8b1538c82fc2e99dbd41ff4fa4c

Download Submit
C:\Windows\{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe

Filesize
168KB

MD5
58b371f1eb3c27d58e4f76ee4ac3672e

SHA1
6e502acd84e84964d997eef717658c93ab359148

SHA256
ed7d8bd6245990eb56c8cda87678ab7a1d6d058da70174c4495e86b5818cbe81

SHA512
caa8b2f9681434cd5a769582d2665917641bedcdcaf4385bf42723b9b819946e87add20c844b029364a23a2c8e962ce1d23fa8b1538c82fc2e99dbd41ff4fa4c

Download Submit
C:\Windows\{62BBBE2E-F2FF-4173-8164-09F7C591CF23}.exe

Filesize
168KB

MD5
58b371f1eb3c27d58e4f76ee4ac3672e

SHA1
6e502acd84e84964d997eef717658c93ab359148

SHA256
ed7d8bd6245990eb56c8cda87678ab7a1d6d058da70174c4495e86b5818cbe81

SHA512
caa8b2f9681434cd5a769582d2665917641bedcdcaf4385bf42723b9b819946e87add20c844b029364a23a2c8e962ce1d23fa8b1538c82fc2e99dbd41ff4fa4c

Download Submit
C:\Windows\{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe

Filesize
168KB

MD5
f29e59ebad9fe0d050da260bde66c2a4

SHA1
bdfc0ef5e2c709ac400100880c0e6f1248351b1e

SHA256
db30255fcbebe7a4feb7bb958c598984f222e6abdb4d875fb5fe4bd57992c7dc

SHA512
1ebfefcea8ee802e93fe6fe24da2edf61bf67eb437375b0d651caeff63d67fb9387a3d60367de7347f7482179ad60045796ba6b6221f41f48d17904576500e4d

Download Submit
C:\Windows\{7C45DDAB-8ABB-4ffd-B5D5-EE315EFE09EE}.exe

Filesize
168KB

MD5
f29e59ebad9fe0d050da260bde66c2a4

SHA1
bdfc0ef5e2c709ac400100880c0e6f1248351b1e

SHA256
db30255fcbebe7a4feb7bb958c598984f222e6abdb4d875fb5fe4bd57992c7dc

SHA512
1ebfefcea8ee802e93fe6fe24da2edf61bf67eb437375b0d651caeff63d67fb9387a3d60367de7347f7482179ad60045796ba6b6221f41f48d17904576500e4d

Download Submit
C:\Windows\{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe

Filesize
168KB

MD5
212dcca733c20c336f121c95654bacfb

SHA1
a2b429eda26354b2b11b341e09ce8d1d291818ba

SHA256
683d95ab85b249200e5a3f405d85d13dbc270b1464259b7ae0e41156089ffdb2

SHA512
e05252301733aa043a9ec8f2fa37c08e90e39bef6de862e4ddcd9b68538ecaa055a4c970d590b2ae9e6ca8346556c8ed51d94945224470981acb024012da0aa4

Download Submit
C:\Windows\{81626CC6-2A02-4e72-819E-BD11F7056A5F}.exe

Filesize
168KB

MD5
212dcca733c20c336f121c95654bacfb

SHA1
a2b429eda26354b2b11b341e09ce8d1d291818ba

SHA256
683d95ab85b249200e5a3f405d85d13dbc270b1464259b7ae0e41156089ffdb2

SHA512
e05252301733aa043a9ec8f2fa37c08e90e39bef6de862e4ddcd9b68538ecaa055a4c970d590b2ae9e6ca8346556c8ed51d94945224470981acb024012da0aa4

Download Submit
C:\Windows\{8189EE73-1C62-47c1-90D3-7C61DC9BD9C5}.exe

Filesize
168KB

MD5
5bf0ae0fbe0e3722119b5787ad8ed6ee

SHA1
889888d862ef666417c21339f934abb904ec6518

SHA256
e8b18e9155a6c41c64b01757794066ff4a7adae380b9caed0e88fd72d65d5173

SHA512
5decfa33527c909c42e654ebcdfde70c8ea816ac52e757e7c1b7267429871fb5332d0d8d996b4b9a8cc2fa51f615ab29a7e888ee43e9480c1262c30b8256d541

Download Submit
C:\Windows\{8189EE73-1C62-47c1-90D3-7C61DC9BD9C5}.exe

Filesize
168KB

MD5
5bf0ae0fbe0e3722119b5787ad8ed6ee

SHA1
889888d862ef666417c21339f934abb904ec6518

SHA256
e8b18e9155a6c41c64b01757794066ff4a7adae380b9caed0e88fd72d65d5173

SHA512
5decfa33527c909c42e654ebcdfde70c8ea816ac52e757e7c1b7267429871fb5332d0d8d996b4b9a8cc2fa51f615ab29a7e888ee43e9480c1262c30b8256d541

Download Submit
C:\Windows\{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe

Filesize
168KB

MD5
4198a968528f04a099d659b6c643a399

SHA1
4da32da84ebfa92bcbfe79db547621c57b0fb2d2

SHA256
02812b55467ec52dccb1071ec84c0ddb9c5a935d755f09785df5a38c8b643205

SHA512
4b56dc77e01affac6f4fd50297b0e05281f938fd642c7d447ec53130e82ce1f1ddff8154279e419759036abcb19556dff4ca5fb68ba9218d4b0dec3ebf6245d6

Download Submit
C:\Windows\{9B4E28A1-25B3-40e3-9209-25A3CC21F8D9}.exe

Filesize
168KB

MD5
4198a968528f04a099d659b6c643a399

SHA1
4da32da84ebfa92bcbfe79db547621c57b0fb2d2

SHA256
02812b55467ec52dccb1071ec84c0ddb9c5a935d755f09785df5a38c8b643205

SHA512
4b56dc77e01affac6f4fd50297b0e05281f938fd642c7d447ec53130e82ce1f1ddff8154279e419759036abcb19556dff4ca5fb68ba9218d4b0dec3ebf6245d6

Download Submit
C:\Windows\{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe

Filesize
168KB

MD5
ca817077671e8e54e1c4b7137473c59f

SHA1
00bfb73eb814161235dc8821ace0eabc564a47af

SHA256
6df31972e6d322dbee1772445425a2c039d7621329471e7b8b5f461b1d9d6082

SHA512
d4a7b2cbb7d8b38513b6fe2e746d2f9f6a403f613ba6c47c602b87b89957f4053036016a82797d09913d8c96c1e242f3901766e6d53bf1ff94d59b3177bf28d3

Download Submit
C:\Windows\{A0E9F9BF-60AC-40c7-99AC-1D21854B5FF6}.exe

Filesize
168KB

MD5
ca817077671e8e54e1c4b7137473c59f

SHA1
00bfb73eb814161235dc8821ace0eabc564a47af

SHA256
6df31972e6d322dbee1772445425a2c039d7621329471e7b8b5f461b1d9d6082

SHA512
d4a7b2cbb7d8b38513b6fe2e746d2f9f6a403f613ba6c47c602b87b89957f4053036016a82797d09913d8c96c1e242f3901766e6d53bf1ff94d59b3177bf28d3

Download Submit
C:\Windows\{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe

Filesize
168KB

MD5
81dcebb24a5ec0c335b02c98e774fd33

SHA1
e9d6d163c50e2f5f57cfe97813b3c1d738fd91e0

SHA256
e3178f13f07c623d7916b36d705004413c6eda0154232d20d7bdcfd94c738830

SHA512
70a927bb355a86ee83d5dfda5943f3cac238080b880f4a4d70b2a0be8897b205d070b0b52004dec0ad33395940f7ad8c5fe644b81f11ec9f16dac229b957576f

Download Submit
C:\Windows\{E96A60A0-52D9-4e26-BF9B-175789A7FE11}.exe

Filesize
168KB

MD5
81dcebb24a5ec0c335b02c98e774fd33

SHA1
e9d6d163c50e2f5f57cfe97813b3c1d738fd91e0

SHA256
e3178f13f07c623d7916b36d705004413c6eda0154232d20d7bdcfd94c738830

SHA512
70a927bb355a86ee83d5dfda5943f3cac238080b880f4a4d70b2a0be8897b205d070b0b52004dec0ad33395940f7ad8c5fe644b81f11ec9f16dac229b957576f

Download Submit
C:\Windows\{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe

Filesize
168KB

MD5
08c31617e0ce5a255ca89f044c40654b

SHA1
b16b874c76fee79c62d20e1419836fe1464ffaf1

SHA256
41204dafb301266cae0ae6c7ec8b8972b6ccad904f52856af277c0e78a1ae629

SHA512
a1dbe34dccc299bc0a6d13ed227fa8c06c560b6546f260db050bc038f84d17e2a400830667aa3d9bf9068c0ef5a5f573b61960ee758d2c31d227c213d39895f2

Download Submit
C:\Windows\{F2D150C2-5306-4ff8-914E-EF732C29DFAA}.exe

Filesize
168KB

MD5
08c31617e0ce5a255ca89f044c40654b

SHA1
b16b874c76fee79c62d20e1419836fe1464ffaf1

SHA256
41204dafb301266cae0ae6c7ec8b8972b6ccad904f52856af277c0e78a1ae629

SHA512
a1dbe34dccc299bc0a6d13ed227fa8c06c560b6546f260db050bc038f84d17e2a400830667aa3d9bf9068c0ef5a5f573b61960ee758d2c31d227c213d39895f2

Download Submit
C:\Windows\{F88775B4-08F7-4226-957B-76EBB06A913A}.exe

Filesize
168KB

MD5
4c824da3c8af10676d8ac33eb27d37e9

SHA1
ba8bd935b26dc0a344929affce0b0b5df56333d2

SHA256
62fa8a69151b7678d5da7fde662bfdb095d739f2a4603ac3ee2d76eccc94d3d7

SHA512
b103fe5e24d512e284864d8e6016a36c12f953dd7b7763e56858eab8f41babd05877be60b4354a2542170ffad30e4a466d2706182671180e845e7d6c05b9b5eb

Download Submit
C:\Windows\{F88775B4-08F7-4226-957B-76EBB06A913A}.exe

Filesize
168KB

MD5
4c824da3c8af10676d8ac33eb27d37e9

SHA1
ba8bd935b26dc0a344929affce0b0b5df56333d2

SHA256
62fa8a69151b7678d5da7fde662bfdb095d739f2a4603ac3ee2d76eccc94d3d7

SHA512
b103fe5e24d512e284864d8e6016a36c12f953dd7b7763e56858eab8f41babd05877be60b4354a2542170ffad30e4a466d2706182671180e845e7d6c05b9b5eb

Download Submit