d9ba8b697de8f5df09ab227e3c3b9de842466e5d0ab9f3abac01a5d675eebb34

Analysis

max time kernel
145s
max time network
33s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faff813bc8e1cdexeexeexeex.exe
Size

204KB
MD5

faff813bc8e1cd8a4051b8b8c5c7848e
SHA1

103a7ded65249845c4700a8dc0dead88c93ba9e8
SHA256

d9ba8b697de8f5df09ab227e3c3b9de842466e5d0ab9f3abac01a5d675eebb34
SHA512

ce6275da8dfd5fec591dbdaad1b66dac698deb4536f4e60aa676091204ac01c7e0ff5f30fb43db8464dd0744c66fa988118285502d03b6ff689a701f98e8e9f5
SSDEEP

1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}\stubpath = "C:\\Windows\\{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe"	{D098B388-7D00-46db-843D-3811B33F83CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}\stubpath = "C:\\Windows\\{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe"	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFB67CC4-03F9-4d72-85A2-8E05088A079C}	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DFB67CC4-03F9-4d72-85A2-8E05088A079C}\stubpath = "C:\\Windows\\{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe"	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FBEE53-B790-4d8c-9444-AC530B40C3D1}	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}\stubpath = "C:\\Windows\\{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe"	faff813bc8e1cdexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D098B388-7D00-46db-843D-3811B33F83CB}	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEED8CEC-326A-464e-BFDF-B197114C117E}\stubpath = "C:\\Windows\\{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe"	{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13D2B912-F9F0-4148-AD94-963551BB52CC}	{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{202592FA-37DB-41fc-A653-3FBF2332D744}	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}	{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}\stubpath = "C:\\Windows\\{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe"	{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}	faff813bc8e1cdexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{313BCB26-4199-4b36-B272-3CD10618F18D}	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{202592FA-37DB-41fc-A653-3FBF2332D744}\stubpath = "C:\\Windows\\{202592FA-37DB-41fc-A653-3FBF2332D744}.exe"	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{74FBEE53-B790-4d8c-9444-AC530B40C3D1}\stubpath = "C:\\Windows\\{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe"	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}\stubpath = "C:\\Windows\\{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe"	{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}	{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}	{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{13D2B912-F9F0-4148-AD94-963551BB52CC}\stubpath = "C:\\Windows\\{13D2B912-F9F0-4148-AD94-963551BB52CC}.exe"	{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D098B388-7D00-46db-843D-3811B33F83CB}\stubpath = "C:\\Windows\\{D098B388-7D00-46db-843D-3811B33F83CB}.exe"	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}	{D098B388-7D00-46db-843D-3811B33F83CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}\stubpath = "C:\\Windows\\{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe"	{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{313BCB26-4199-4b36-B272-3CD10618F18D}\stubpath = "C:\\Windows\\{313BCB26-4199-4b36-B272-3CD10618F18D}.exe"	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BEED8CEC-326A-464e-BFDF-B197114C117E}	{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe

Deletes itself 1 IoCs

pid	Process
3036	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2276	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe
3068	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe
2916	{D098B388-7D00-46db-843D-3811B33F83CB}.exe
1628	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe
2132	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe
2116	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe
1172	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe
2080	{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe
632	{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe
2696	{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe
2688	{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe
2864	{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe
2840	{13D2B912-F9F0-4148-AD94-963551BB52CC}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{13D2B912-F9F0-4148-AD94-963551BB52CC}.exe	{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe
File created	C:\Windows\{D098B388-7D00-46db-843D-3811B33F83CB}.exe	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe
File created	C:\Windows\{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe	{D098B388-7D00-46db-843D-3811B33F83CB}.exe
File created	C:\Windows\{202592FA-37DB-41fc-A653-3FBF2332D744}.exe	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe
File created	C:\Windows\{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe
File created	C:\Windows\{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe	{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe
File created	C:\Windows\{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe	{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe
File created	C:\Windows\{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe	{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe
File created	C:\Windows\{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe	faff813bc8e1cdexeexeexeex.exe
File created	C:\Windows\{313BCB26-4199-4b36-B272-3CD10618F18D}.exe	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe
File created	C:\Windows\{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe
File created	C:\Windows\{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe
File created	C:\Windows\{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe	{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2368	faff813bc8e1cdexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2276	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe
Token: SeIncBasePriorityPrivilege	3068	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe
Token: SeIncBasePriorityPrivilege	2916	{D098B388-7D00-46db-843D-3811B33F83CB}.exe
Token: SeIncBasePriorityPrivilege	1628	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe
Token: SeIncBasePriorityPrivilege	2132	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe
Token: SeIncBasePriorityPrivilege	2116	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe
Token: SeIncBasePriorityPrivilege	1172	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe
Token: SeIncBasePriorityPrivilege	2080	{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe
Token: SeIncBasePriorityPrivilege	632	{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe
Token: SeIncBasePriorityPrivilege	2696	{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe
Token: SeIncBasePriorityPrivilege	2688	{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe
Token: SeIncBasePriorityPrivilege	2864	{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2276	2368	faff813bc8e1cdexeexeexeex.exe	29
PID 2368 wrote to memory of 2276	2368	faff813bc8e1cdexeexeexeex.exe	29
PID 2368 wrote to memory of 2276	2368	faff813bc8e1cdexeexeexeex.exe	29
PID 2368 wrote to memory of 2276	2368	faff813bc8e1cdexeexeexeex.exe	29
PID 2368 wrote to memory of 3036	2368	faff813bc8e1cdexeexeexeex.exe	30
PID 2368 wrote to memory of 3036	2368	faff813bc8e1cdexeexeexeex.exe	30
PID 2368 wrote to memory of 3036	2368	faff813bc8e1cdexeexeexeex.exe	30
PID 2368 wrote to memory of 3036	2368	faff813bc8e1cdexeexeexeex.exe	30
PID 2276 wrote to memory of 3068	2276	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe	31
PID 2276 wrote to memory of 3068	2276	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe	31
PID 2276 wrote to memory of 3068	2276	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe	31
PID 2276 wrote to memory of 3068	2276	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe	31
PID 2276 wrote to memory of 2328	2276	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe	32
PID 2276 wrote to memory of 2328	2276	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe	32
PID 2276 wrote to memory of 2328	2276	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe	32
PID 2276 wrote to memory of 2328	2276	{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe	32
PID 3068 wrote to memory of 2916	3068	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe	33
PID 3068 wrote to memory of 2916	3068	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe	33
PID 3068 wrote to memory of 2916	3068	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe	33
PID 3068 wrote to memory of 2916	3068	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe	33
PID 3068 wrote to memory of 2996	3068	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe	34
PID 3068 wrote to memory of 2996	3068	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe	34
PID 3068 wrote to memory of 2996	3068	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe	34
PID 3068 wrote to memory of 2996	3068	{313BCB26-4199-4b36-B272-3CD10618F18D}.exe	34
PID 2916 wrote to memory of 1628	2916	{D098B388-7D00-46db-843D-3811B33F83CB}.exe	36
PID 2916 wrote to memory of 1628	2916	{D098B388-7D00-46db-843D-3811B33F83CB}.exe	36
PID 2916 wrote to memory of 1628	2916	{D098B388-7D00-46db-843D-3811B33F83CB}.exe	36
PID 2916 wrote to memory of 1628	2916	{D098B388-7D00-46db-843D-3811B33F83CB}.exe	36
PID 2916 wrote to memory of 1596	2916	{D098B388-7D00-46db-843D-3811B33F83CB}.exe	35
PID 2916 wrote to memory of 1596	2916	{D098B388-7D00-46db-843D-3811B33F83CB}.exe	35
PID 2916 wrote to memory of 1596	2916	{D098B388-7D00-46db-843D-3811B33F83CB}.exe	35
PID 2916 wrote to memory of 1596	2916	{D098B388-7D00-46db-843D-3811B33F83CB}.exe	35
PID 1628 wrote to memory of 2132	1628	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe	37
PID 1628 wrote to memory of 2132	1628	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe	37
PID 1628 wrote to memory of 2132	1628	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe	37
PID 1628 wrote to memory of 2132	1628	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe	37
PID 1628 wrote to memory of 2160	1628	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe	38
PID 1628 wrote to memory of 2160	1628	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe	38
PID 1628 wrote to memory of 2160	1628	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe	38
PID 1628 wrote to memory of 2160	1628	{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe	38
PID 2132 wrote to memory of 2116	2132	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe	39
PID 2132 wrote to memory of 2116	2132	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe	39
PID 2132 wrote to memory of 2116	2132	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe	39
PID 2132 wrote to memory of 2116	2132	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe	39
PID 2132 wrote to memory of 1656	2132	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe	40
PID 2132 wrote to memory of 1656	2132	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe	40
PID 2132 wrote to memory of 1656	2132	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe	40
PID 2132 wrote to memory of 1656	2132	{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe	40
PID 2116 wrote to memory of 1172	2116	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe	41
PID 2116 wrote to memory of 1172	2116	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe	41
PID 2116 wrote to memory of 1172	2116	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe	41
PID 2116 wrote to memory of 1172	2116	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe	41
PID 2116 wrote to memory of 984	2116	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe	42
PID 2116 wrote to memory of 984	2116	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe	42
PID 2116 wrote to memory of 984	2116	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe	42
PID 2116 wrote to memory of 984	2116	{202592FA-37DB-41fc-A653-3FBF2332D744}.exe	42
PID 1172 wrote to memory of 2080	1172	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe	43
PID 1172 wrote to memory of 2080	1172	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe	43
PID 1172 wrote to memory of 2080	1172	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe	43
PID 1172 wrote to memory of 2080	1172	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe	43
PID 1172 wrote to memory of 916	1172	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe	44
PID 1172 wrote to memory of 916	1172	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe	44
PID 1172 wrote to memory of 916	1172	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe	44
PID 1172 wrote to memory of 916	1172	{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe	44

C:\Users\Admin\AppData\Local\Temp\faff813bc8e1cdexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\faff813bc8e1cdexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe
  C:\Windows\{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\{313BCB26-4199-4b36-B272-3CD10618F18D}.exe
    C:\Windows\{313BCB26-4199-4b36-B272-3CD10618F18D}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\{D098B388-7D00-46db-843D-3811B33F83CB}.exe
      C:\Windows\{D098B388-7D00-46db-843D-3811B33F83CB}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D098B~1.EXE > nul
        5⤵
        
        PID:1596
    - - C:\Windows\{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe
        
        C:\Windows\{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe
        
        C:\Windows\{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{202592FA-37DB-41fc-A653-3FBF2332D744}.exe
        
        C:\Windows\{202592FA-37DB-41fc-A653-3FBF2332D744}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Windows\{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe
        
        C:\Windows\{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe
        
        C:\Windows\{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe
        
        C:\Windows\{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe
        
        C:\Windows\{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe
        
        C:\Windows\{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{071D9~1.EXE > nul
        13⤵
        
        PID:2484
        
        C:\Windows\{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe
        
        C:\Windows\{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\{13D2B912-F9F0-4148-AD94-963551BB52CC}.exe
        
        C:\Windows\{13D2B912-F9F0-4148-AD94-963551BB52CC}.exe
        14⤵
        Executes dropped EXE
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{50AB5~1.EXE > nul
        14⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEED8~1.EXE > nul
        12⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{08C7F~1.EXE > nul
        11⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74FBE~1.EXE > nul
        10⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFB67~1.EXE > nul
        9⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20259~1.EXE > nul
        8⤵
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DD8A~1.EXE > nul
        7⤵
        
        PID:1656
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C59F8~1.EXE > nul
        6⤵
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{313BC~1.EXE > nul
      4⤵
      PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{FEBC7~1.EXE > nul
    3⤵
    PID:2328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FAFF81~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe

Filesize
204KB

MD5
324de595545d4d6fd3e771e7347ea034

SHA1
754e32ff0f9c32d65337dbe2c0705499c1fb8f4f

SHA256
614811e88d9e29c0782056398c301fb11ff530aece01f33dfe90ccf3de20ad99

SHA512
068e6cd751c59ced5e0482de12216164534217dca63283c3f5e38c8cbf3919994ad065e77ba205583256dee76ad05b4108a5a19a7ba9713ea8c692de21b5618c

Download Submit
C:\Windows\{071D9A0B-71CF-4461-A6A1-EA1CA93987FC}.exe

Filesize
204KB

MD5
324de595545d4d6fd3e771e7347ea034

SHA1
754e32ff0f9c32d65337dbe2c0705499c1fb8f4f

SHA256
614811e88d9e29c0782056398c301fb11ff530aece01f33dfe90ccf3de20ad99

SHA512
068e6cd751c59ced5e0482de12216164534217dca63283c3f5e38c8cbf3919994ad065e77ba205583256dee76ad05b4108a5a19a7ba9713ea8c692de21b5618c

Download Submit
C:\Windows\{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe

Filesize
204KB

MD5
f1fc3ad0e9c9601a643d3ab109658797

SHA1
72dec09a66dd5cadef82a2c237a979adcf90e16c

SHA256
423d32264812af64c54b6e1e2a92341a8b8c5a6eb4e7f1726955bad1bf351540

SHA512
602032f8690a03dfc38b3e4c19ad7cc68434d0e3be28fa832bf28900f96541a6dcde87a154646ba352a047d40779642d2af43ce48c77c3ea422e08373c6985ad

Download Submit
C:\Windows\{08C7F66E-21AB-4f8a-9F48-5BB1946DDB82}.exe

Filesize
204KB

MD5
f1fc3ad0e9c9601a643d3ab109658797

SHA1
72dec09a66dd5cadef82a2c237a979adcf90e16c

SHA256
423d32264812af64c54b6e1e2a92341a8b8c5a6eb4e7f1726955bad1bf351540

SHA512
602032f8690a03dfc38b3e4c19ad7cc68434d0e3be28fa832bf28900f96541a6dcde87a154646ba352a047d40779642d2af43ce48c77c3ea422e08373c6985ad

Download Submit
C:\Windows\{13D2B912-F9F0-4148-AD94-963551BB52CC}.exe

Filesize
204KB

MD5
14189595c02d244f87496ce6a67b25b8

SHA1
e181c0c409a729fadd048d46825e86dad6fe3fc4

SHA256
7d627320c869ec2b26655cda7d7cdf2b32e664cfbb0c49e8472508240153ec22

SHA512
87c5cc02eda3df4c2e9850eb3601a6d9dfc618ba1bd862a784af3e6d990b1db0b8e9444a2eb93265dacd060d91cb1c9501a19c7e1706a0e3b10bd0713a475691

Download Submit
C:\Windows\{202592FA-37DB-41fc-A653-3FBF2332D744}.exe

Filesize
204KB

MD5
a0a952e56b5eb8c410cd67d7ecbf359b

SHA1
c905b3a276189d2290244420d44750779c990b72

SHA256
e5d40dfd083412dc9fcd4cee4075355396e99e36ed507b6992f4be2a7702abe3

SHA512
cc236d4375fb16d3fe7968366e4dbc509a1ceb244f3cbd402a4175889d75389172e9f09b14f01b41f070a7b5e25c03e2c370b719af7c8b3cfe193487d0f9356b

Download Submit
C:\Windows\{202592FA-37DB-41fc-A653-3FBF2332D744}.exe

Filesize
204KB

MD5
a0a952e56b5eb8c410cd67d7ecbf359b

SHA1
c905b3a276189d2290244420d44750779c990b72

SHA256
e5d40dfd083412dc9fcd4cee4075355396e99e36ed507b6992f4be2a7702abe3

SHA512
cc236d4375fb16d3fe7968366e4dbc509a1ceb244f3cbd402a4175889d75389172e9f09b14f01b41f070a7b5e25c03e2c370b719af7c8b3cfe193487d0f9356b

Download Submit
C:\Windows\{313BCB26-4199-4b36-B272-3CD10618F18D}.exe

Filesize
204KB

MD5
33217def3de8534aa72c5479485ab36e

SHA1
262a10e1048effedc97e9a7e2ae5a7b5626cfab5

SHA256
2931573a878cec560014c95fe53762f0f4ebe05959d0156cf4a17caecbffca53

SHA512
19445a71ca0067d2aba6c0bfb39bf775f0a652581fc1002e1aaa694f39be0482c53858bc3597aa603d03af7a4cc7cf754b9104d52f2163b6807d803e71f31337

Download Submit
C:\Windows\{313BCB26-4199-4b36-B272-3CD10618F18D}.exe

Filesize
204KB

MD5
33217def3de8534aa72c5479485ab36e

SHA1
262a10e1048effedc97e9a7e2ae5a7b5626cfab5

SHA256
2931573a878cec560014c95fe53762f0f4ebe05959d0156cf4a17caecbffca53

SHA512
19445a71ca0067d2aba6c0bfb39bf775f0a652581fc1002e1aaa694f39be0482c53858bc3597aa603d03af7a4cc7cf754b9104d52f2163b6807d803e71f31337

Download Submit
C:\Windows\{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe

Filesize
204KB

MD5
f8d0693f56c93689c58a3abb11a9b20d

SHA1
3ea6aba4508602aa75c77d8dd29a3ecaba0fb85f

SHA256
051b0fac439712e45ce4509b3e73f5e2e6644dbb76af9479f992d0b30a8126d6

SHA512
05c9f23a41c4cf522b2a64812a9012074029ad414775310422d68c0cc9c11ea5a37772c4b9f705a1c749f7d07d852bcbc1b9ef176c08b3842790b54c74e66ef7

Download Submit
C:\Windows\{50AB5C48-105E-431f-BD6D-8D5C902CE0BC}.exe

Filesize
204KB

MD5
f8d0693f56c93689c58a3abb11a9b20d

SHA1
3ea6aba4508602aa75c77d8dd29a3ecaba0fb85f

SHA256
051b0fac439712e45ce4509b3e73f5e2e6644dbb76af9479f992d0b30a8126d6

SHA512
05c9f23a41c4cf522b2a64812a9012074029ad414775310422d68c0cc9c11ea5a37772c4b9f705a1c749f7d07d852bcbc1b9ef176c08b3842790b54c74e66ef7

Download Submit
C:\Windows\{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe

Filesize
204KB

MD5
a8084c07877174f8ba414cc67d22f510

SHA1
bc2745a88fa7167cb69ff4706cc1a0bd4f3fd20b

SHA256
8823c1ab594511528ff0be59cfae69f0ea0b5c26bdaf1fd28fbf3a70a3195e48

SHA512
0eeac0dffdd1afd85f8a64bcf023fa05b62e3a6e82a12a620136e2243fdade0b4b9531d17f728f96443770eebea6a05dac4c180b0d634f669c7ec716a36ba939

Download Submit
C:\Windows\{74FBEE53-B790-4d8c-9444-AC530B40C3D1}.exe

Filesize
204KB

MD5
a8084c07877174f8ba414cc67d22f510

SHA1
bc2745a88fa7167cb69ff4706cc1a0bd4f3fd20b

SHA256
8823c1ab594511528ff0be59cfae69f0ea0b5c26bdaf1fd28fbf3a70a3195e48

SHA512
0eeac0dffdd1afd85f8a64bcf023fa05b62e3a6e82a12a620136e2243fdade0b4b9531d17f728f96443770eebea6a05dac4c180b0d634f669c7ec716a36ba939

Download Submit
C:\Windows\{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe

Filesize
204KB

MD5
e9bf0b3d84e109870e8bd5fc547d5ff4

SHA1
b78e24b536798a9d215205c8824610881cea8655

SHA256
5c4f136ec8c05ecfacf7351081f8bd50f6d0cb5990c557f3c2f6295f81bef477

SHA512
b40c6d5382b57dec1b6b4296deed1879a80cd4108091f819ce05f075178827873eab0341621a753d4a9eb7bba4d45456497bf704bfa0d3df84effa9595b8ea96

Download Submit
C:\Windows\{7DD8A694-D3E4-4b5b-80BF-16A2A7B378F8}.exe

Filesize
204KB

MD5
e9bf0b3d84e109870e8bd5fc547d5ff4

SHA1
b78e24b536798a9d215205c8824610881cea8655

SHA256
5c4f136ec8c05ecfacf7351081f8bd50f6d0cb5990c557f3c2f6295f81bef477

SHA512
b40c6d5382b57dec1b6b4296deed1879a80cd4108091f819ce05f075178827873eab0341621a753d4a9eb7bba4d45456497bf704bfa0d3df84effa9595b8ea96

Download Submit
C:\Windows\{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe

Filesize
204KB

MD5
41934a79149276ec93e876a81e16fc9e

SHA1
ebf8827b4519a5834e29551795ae7fe4e62c79ed

SHA256
8c560c81df182aa52ed54c7c601699308745e44937a015cb364a4c50490cd7a9

SHA512
ef65dfdcc483d0aaf72397cf75d984ea26e58ddf8be2c6717517f81b0e3a63cde152d378c5388758e54918724fbc3bb521778253891608043fe5d7651dc33f83

Download Submit
C:\Windows\{BEED8CEC-326A-464e-BFDF-B197114C117E}.exe

Filesize
204KB

MD5
41934a79149276ec93e876a81e16fc9e

SHA1
ebf8827b4519a5834e29551795ae7fe4e62c79ed

SHA256
8c560c81df182aa52ed54c7c601699308745e44937a015cb364a4c50490cd7a9

SHA512
ef65dfdcc483d0aaf72397cf75d984ea26e58ddf8be2c6717517f81b0e3a63cde152d378c5388758e54918724fbc3bb521778253891608043fe5d7651dc33f83

Download Submit
C:\Windows\{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe

Filesize
204KB

MD5
c2eb8898024af0022d471e4168a63ccd

SHA1
ff127e33b77c39234ca0a70d981c94f61449e3e9

SHA256
14930f30054c2a850760e39c0c7d99b6e0010837f18c212bca9be8e0aee4d14d

SHA512
2ccae0bd3917d4daa6ca4876518a69eb151cadac02cb5d18ad28a35bbc860c34c13f1e79c20300a6bd55baaa95a7213bcd75fa809c5aa96b9808b58a5d2407aa

Download Submit
C:\Windows\{C59F8D0D-8A46-476e-9B31-4BB5799B1FB1}.exe

Filesize
204KB

MD5
c2eb8898024af0022d471e4168a63ccd

SHA1
ff127e33b77c39234ca0a70d981c94f61449e3e9

SHA256
14930f30054c2a850760e39c0c7d99b6e0010837f18c212bca9be8e0aee4d14d

SHA512
2ccae0bd3917d4daa6ca4876518a69eb151cadac02cb5d18ad28a35bbc860c34c13f1e79c20300a6bd55baaa95a7213bcd75fa809c5aa96b9808b58a5d2407aa

Download Submit
C:\Windows\{D098B388-7D00-46db-843D-3811B33F83CB}.exe

Filesize
204KB

MD5
a9bf07c12057f6d70934b8b12d3dfbae

SHA1
b7e8744b843024eddf51df4a44eb4c89ca3d4abf

SHA256
bac5a6c9e68c398b6991e1bd58c2d824f40961786623b581f3b2597dacbab9b3

SHA512
7cb6d78dc923ab64cbe8b027ef1db21215a51eadfbd56bcfe284b9ccc3a2d7931693884eccef03a4d275fb7ab424516b479e2a79d84fb6da3b372be8bc342ba5

Download Submit
C:\Windows\{D098B388-7D00-46db-843D-3811B33F83CB}.exe

Filesize
204KB

MD5
a9bf07c12057f6d70934b8b12d3dfbae

SHA1
b7e8744b843024eddf51df4a44eb4c89ca3d4abf

SHA256
bac5a6c9e68c398b6991e1bd58c2d824f40961786623b581f3b2597dacbab9b3

SHA512
7cb6d78dc923ab64cbe8b027ef1db21215a51eadfbd56bcfe284b9ccc3a2d7931693884eccef03a4d275fb7ab424516b479e2a79d84fb6da3b372be8bc342ba5

Download Submit
C:\Windows\{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe

Filesize
204KB

MD5
8b6ead80389ef218a1c6c7daaa40e8ef

SHA1
334a78f6428c462e83a16465cef7d83f948bb54c

SHA256
cf3cefcf54a9f5910bd9aa4d42a8c947595548693ad14461e92cc6bcfc79fb29

SHA512
545f6bd96fd5d8b67c93b4002fd7fa41fbd12a08f47ca621c3f22b198cc524043e7e5fee2c9e9dbc1dd7c34ca0340a9fa3442f1d2d96dca9fd729303ff56441d

Download Submit
C:\Windows\{DFB67CC4-03F9-4d72-85A2-8E05088A079C}.exe

Filesize
204KB

MD5
8b6ead80389ef218a1c6c7daaa40e8ef

SHA1
334a78f6428c462e83a16465cef7d83f948bb54c

SHA256
cf3cefcf54a9f5910bd9aa4d42a8c947595548693ad14461e92cc6bcfc79fb29

SHA512
545f6bd96fd5d8b67c93b4002fd7fa41fbd12a08f47ca621c3f22b198cc524043e7e5fee2c9e9dbc1dd7c34ca0340a9fa3442f1d2d96dca9fd729303ff56441d

Download Submit
C:\Windows\{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe

Filesize
204KB

MD5
d4d89cb98609151c9ea5a23c9413ac2c

SHA1
de2d082c8d11a0f111cb2f25d60af078c6d35fcd

SHA256
1f9625dc42b6ace57a9a6d9a52373417ae7974ab11b1a26be29ead7b6c257150

SHA512
6371dd7e80c1d51402ba9f3d331503fe7cdac30332d1aedc44dfdace78d98d162e36f41a6386f5bfea41caa345cd9d55e4be434ada7b4f9663034cde6cc62a5c

Download Submit
C:\Windows\{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe

Filesize
204KB

MD5
d4d89cb98609151c9ea5a23c9413ac2c

SHA1
de2d082c8d11a0f111cb2f25d60af078c6d35fcd

SHA256
1f9625dc42b6ace57a9a6d9a52373417ae7974ab11b1a26be29ead7b6c257150

SHA512
6371dd7e80c1d51402ba9f3d331503fe7cdac30332d1aedc44dfdace78d98d162e36f41a6386f5bfea41caa345cd9d55e4be434ada7b4f9663034cde6cc62a5c

Download Submit
C:\Windows\{FEBC7892-43B3-4bb1-8C44-A0EEF28D8B2D}.exe

Filesize
204KB

MD5
d4d89cb98609151c9ea5a23c9413ac2c

SHA1
de2d082c8d11a0f111cb2f25d60af078c6d35fcd

SHA256
1f9625dc42b6ace57a9a6d9a52373417ae7974ab11b1a26be29ead7b6c257150

SHA512
6371dd7e80c1d51402ba9f3d331503fe7cdac30332d1aedc44dfdace78d98d162e36f41a6386f5bfea41caa345cd9d55e4be434ada7b4f9663034cde6cc62a5c

Download Submit