d9ba8b697de8f5df09ab227e3c3b9de842466e5d0ab9f3abac01a5d675eebb34

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

faff813bc8e1cdexeexeexeex.exe
Size

204KB
MD5

faff813bc8e1cd8a4051b8b8c5c7848e
SHA1

103a7ded65249845c4700a8dc0dead88c93ba9e8
SHA256

d9ba8b697de8f5df09ab227e3c3b9de842466e5d0ab9f3abac01a5d675eebb34
SHA512

ce6275da8dfd5fec591dbdaad1b66dac698deb4536f4e60aa676091204ac01c7e0ff5f30fb43db8464dd0744c66fa988118285502d03b6ff689a701f98e8e9f5
SSDEEP

1536:1EGh0oyl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oyl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}\stubpath = "C:\\Windows\\{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe"	{8978800E-7306-4128-B673-931F37C8CF98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1A1DDBB-EDD0-482d-A417-C6ED89BF24D9}	{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E1A1DDBB-EDD0-482d-A417-C6ED89BF24D9}\stubpath = "C:\\Windows\\{E1A1DDBB-EDD0-482d-A417-C6ED89BF24D9}.exe"	{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0596C048-52B6-4970-99EE-982F04F7752A}\stubpath = "C:\\Windows\\{0596C048-52B6-4970-99EE-982F04F7752A}.exe"	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0596C048-52B6-4970-99EE-982F04F7752A}	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}\stubpath = "C:\\Windows\\{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe"	{0596C048-52B6-4970-99EE-982F04F7752A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8978800E-7306-4128-B673-931F37C8CF98}\stubpath = "C:\\Windows\\{8978800E-7306-4128-B673-931F37C8CF98}.exe"	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}	{8978800E-7306-4128-B673-931F37C8CF98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}\stubpath = "C:\\Windows\\{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe"	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5DF639A-C9BC-4088-B5DC-71C642E692CC}\stubpath = "C:\\Windows\\{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe"	{28C8D31E-B859-4568-B222-C48EA0864716}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868D2A19-9AAB-474c-AA8D-91256AF9FF35}\stubpath = "C:\\Windows\\{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe"	faff813bc8e1cdexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C593760D-81E4-4be8-8694-65B8D62E6000}	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C593760D-81E4-4be8-8694-65B8D62E6000}\stubpath = "C:\\Windows\\{C593760D-81E4-4be8-8694-65B8D62E6000}.exe"	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C8D31E-B859-4568-B222-C48EA0864716}	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28C8D31E-B859-4568-B222-C48EA0864716}\stubpath = "C:\\Windows\\{28C8D31E-B859-4568-B222-C48EA0864716}.exe"	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D88496E-62BE-48b7-B934-18C1FEC0D808}	{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{868D2A19-9AAB-474c-AA8D-91256AF9FF35}	faff813bc8e1cdexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}	{0596C048-52B6-4970-99EE-982F04F7752A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8978800E-7306-4128-B673-931F37C8CF98}	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F5DF639A-C9BC-4088-B5DC-71C642E692CC}	{28C8D31E-B859-4568-B222-C48EA0864716}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D88496E-62BE-48b7-B934-18C1FEC0D808}\stubpath = "C:\\Windows\\{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe"	{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}\stubpath = "C:\\Windows\\{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe"	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe

Executes dropped EXE 12 IoCs

pid	Process
1384	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe
440	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe
2812	{0596C048-52B6-4970-99EE-982F04F7752A}.exe
1412	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe
4676	{8978800E-7306-4128-B673-931F37C8CF98}.exe
900	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe
3684	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe
872	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe
1020	{28C8D31E-B859-4568-B222-C48EA0864716}.exe
4180	{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe
3416	{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe
2852	{E1A1DDBB-EDD0-482d-A417-C6ED89BF24D9}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe
File created	C:\Windows\{0596C048-52B6-4970-99EE-982F04F7752A}.exe	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe
File created	C:\Windows\{28C8D31E-B859-4568-B222-C48EA0864716}.exe	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe
File created	C:\Windows\{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe	{28C8D31E-B859-4568-B222-C48EA0864716}.exe
File created	C:\Windows\{C593760D-81E4-4be8-8694-65B8D62E6000}.exe	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe
File created	C:\Windows\{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe
File created	C:\Windows\{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe	{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe
File created	C:\Windows\{E1A1DDBB-EDD0-482d-A417-C6ED89BF24D9}.exe	{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe
File created	C:\Windows\{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe	faff813bc8e1cdexeexeexeex.exe
File created	C:\Windows\{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe	{0596C048-52B6-4970-99EE-982F04F7752A}.exe
File created	C:\Windows\{8978800E-7306-4128-B673-931F37C8CF98}.exe	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe
File created	C:\Windows\{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe	{8978800E-7306-4128-B673-931F37C8CF98}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2176	faff813bc8e1cdexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	1384	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe
Token: SeIncBasePriorityPrivilege	440	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe
Token: SeIncBasePriorityPrivilege	2812	{0596C048-52B6-4970-99EE-982F04F7752A}.exe
Token: SeIncBasePriorityPrivilege	1412	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe
Token: SeIncBasePriorityPrivilege	4676	{8978800E-7306-4128-B673-931F37C8CF98}.exe
Token: SeIncBasePriorityPrivilege	900	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe
Token: SeIncBasePriorityPrivilege	3684	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe
Token: SeIncBasePriorityPrivilege	872	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe
Token: SeIncBasePriorityPrivilege	1020	{28C8D31E-B859-4568-B222-C48EA0864716}.exe
Token: SeIncBasePriorityPrivilege	4180	{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe
Token: SeIncBasePriorityPrivilege	3416	{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1384	2176	faff813bc8e1cdexeexeexeex.exe	95
PID 2176 wrote to memory of 1384	2176	faff813bc8e1cdexeexeexeex.exe	95
PID 2176 wrote to memory of 1384	2176	faff813bc8e1cdexeexeexeex.exe	95
PID 2176 wrote to memory of 2484	2176	faff813bc8e1cdexeexeexeex.exe	96
PID 2176 wrote to memory of 2484	2176	faff813bc8e1cdexeexeexeex.exe	96
PID 2176 wrote to memory of 2484	2176	faff813bc8e1cdexeexeexeex.exe	96
PID 1384 wrote to memory of 440	1384	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe	98
PID 1384 wrote to memory of 440	1384	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe	98
PID 1384 wrote to memory of 440	1384	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe	98
PID 1384 wrote to memory of 4376	1384	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe	99
PID 1384 wrote to memory of 4376	1384	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe	99
PID 1384 wrote to memory of 4376	1384	{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe	99
PID 440 wrote to memory of 2812	440	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe	102
PID 440 wrote to memory of 2812	440	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe	102
PID 440 wrote to memory of 2812	440	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe	102
PID 440 wrote to memory of 856	440	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe	101
PID 440 wrote to memory of 856	440	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe	101
PID 440 wrote to memory of 856	440	{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe	101
PID 2812 wrote to memory of 1412	2812	{0596C048-52B6-4970-99EE-982F04F7752A}.exe	103
PID 2812 wrote to memory of 1412	2812	{0596C048-52B6-4970-99EE-982F04F7752A}.exe	103
PID 2812 wrote to memory of 1412	2812	{0596C048-52B6-4970-99EE-982F04F7752A}.exe	103
PID 2812 wrote to memory of 4904	2812	{0596C048-52B6-4970-99EE-982F04F7752A}.exe	104
PID 2812 wrote to memory of 4904	2812	{0596C048-52B6-4970-99EE-982F04F7752A}.exe	104
PID 2812 wrote to memory of 4904	2812	{0596C048-52B6-4970-99EE-982F04F7752A}.exe	104
PID 1412 wrote to memory of 4676	1412	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe	105
PID 1412 wrote to memory of 4676	1412	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe	105
PID 1412 wrote to memory of 4676	1412	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe	105
PID 1412 wrote to memory of 5104	1412	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe	106
PID 1412 wrote to memory of 5104	1412	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe	106
PID 1412 wrote to memory of 5104	1412	{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe	106
PID 4676 wrote to memory of 900	4676	{8978800E-7306-4128-B673-931F37C8CF98}.exe	107
PID 4676 wrote to memory of 900	4676	{8978800E-7306-4128-B673-931F37C8CF98}.exe	107
PID 4676 wrote to memory of 900	4676	{8978800E-7306-4128-B673-931F37C8CF98}.exe	107
PID 4676 wrote to memory of 2896	4676	{8978800E-7306-4128-B673-931F37C8CF98}.exe	108
PID 4676 wrote to memory of 2896	4676	{8978800E-7306-4128-B673-931F37C8CF98}.exe	108
PID 4676 wrote to memory of 2896	4676	{8978800E-7306-4128-B673-931F37C8CF98}.exe	108
PID 900 wrote to memory of 3684	900	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe	109
PID 900 wrote to memory of 3684	900	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe	109
PID 900 wrote to memory of 3684	900	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe	109
PID 900 wrote to memory of 3936	900	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe	110
PID 900 wrote to memory of 3936	900	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe	110
PID 900 wrote to memory of 3936	900	{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe	110
PID 3684 wrote to memory of 872	3684	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe	111
PID 3684 wrote to memory of 872	3684	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe	111
PID 3684 wrote to memory of 872	3684	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe	111
PID 3684 wrote to memory of 4692	3684	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe	112
PID 3684 wrote to memory of 4692	3684	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe	112
PID 3684 wrote to memory of 4692	3684	{C593760D-81E4-4be8-8694-65B8D62E6000}.exe	112
PID 872 wrote to memory of 1020	872	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe	113
PID 872 wrote to memory of 1020	872	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe	113
PID 872 wrote to memory of 1020	872	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe	113
PID 872 wrote to memory of 3932	872	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe	114
PID 872 wrote to memory of 3932	872	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe	114
PID 872 wrote to memory of 3932	872	{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe	114
PID 1020 wrote to memory of 4180	1020	{28C8D31E-B859-4568-B222-C48EA0864716}.exe	115
PID 1020 wrote to memory of 4180	1020	{28C8D31E-B859-4568-B222-C48EA0864716}.exe	115
PID 1020 wrote to memory of 4180	1020	{28C8D31E-B859-4568-B222-C48EA0864716}.exe	115
PID 1020 wrote to memory of 4664	1020	{28C8D31E-B859-4568-B222-C48EA0864716}.exe	116
PID 1020 wrote to memory of 4664	1020	{28C8D31E-B859-4568-B222-C48EA0864716}.exe	116
PID 1020 wrote to memory of 4664	1020	{28C8D31E-B859-4568-B222-C48EA0864716}.exe	116
PID 4180 wrote to memory of 3416	4180	{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe	117
PID 4180 wrote to memory of 3416	4180	{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe	117
PID 4180 wrote to memory of 3416	4180	{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe	117
PID 4180 wrote to memory of 4424	4180	{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe	118

C:\Users\Admin\AppData\Local\Temp\faff813bc8e1cdexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\faff813bc8e1cdexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe
  C:\Windows\{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1384
- - C:\Windows\{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe
    C:\Windows\{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{546A6~1.EXE > nul
      4⤵
      PID:856
  - - C:\Windows\{0596C048-52B6-4970-99EE-982F04F7752A}.exe
      C:\Windows\{0596C048-52B6-4970-99EE-982F04F7752A}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe
        
        C:\Windows\{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
      - C:\Windows\{8978800E-7306-4128-B673-931F37C8CF98}.exe
        
        C:\Windows\{8978800E-7306-4128-B673-931F37C8CF98}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe
        
        C:\Windows\{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:900
        
        C:\Windows\{C593760D-81E4-4be8-8694-65B8D62E6000}.exe
        
        C:\Windows\{C593760D-81E4-4be8-8694-65B8D62E6000}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe
        
        C:\Windows\{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\{28C8D31E-B859-4568-B222-C48EA0864716}.exe
        
        C:\Windows\{28C8D31E-B859-4568-B222-C48EA0864716}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe
        
        C:\Windows\{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4180
        
        C:\Windows\{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe
        
        C:\Windows\{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3416
        
        C:\Windows\{E1A1DDBB-EDD0-482d-A417-C6ED89BF24D9}.exe
        
        C:\Windows\{E1A1DDBB-EDD0-482d-A417-C6ED89BF24D9}.exe
        13⤵
        Executes dropped EXE
        
        PID:2852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D884~1.EXE > nul
        13⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F5DF6~1.EXE > nul
        12⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28C8D~1.EXE > nul
        11⤵
        
        PID:4664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE716~1.EXE > nul
        10⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5937~1.EXE > nul
        9⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F0FB~1.EXE > nul
        8⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89788~1.EXE > nul
        7⤵
        
        PID:2896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{13B5C~1.EXE > nul
        6⤵
        
        PID:5104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0596C~1.EXE > nul
        5⤵
        
        PID:4904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{868D2~1.EXE > nul
    3⤵
    PID:4376
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FAFF81~1.EXE > nul
  2⤵
  PID:2484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0596C048-52B6-4970-99EE-982F04F7752A}.exe

Filesize
204KB

MD5
00022ae5698576be7356c13c26f626f7

SHA1
b5d26f9d51bfe8796397f6cd3bf8308919714f7b

SHA256
e3c26fa42a9506ae888f57a749fcbdf2be2244068d309d74eee1c1d2c4deedbb

SHA512
43dd015a5a166b149b5eb246e47c617290ab13b005de516c3e4d00db0cdf2df4049fba74cfa6be4be68666983bfc252248d2d0d970f45a14711695221982d57a

Download Submit
C:\Windows\{0596C048-52B6-4970-99EE-982F04F7752A}.exe

Filesize
204KB

MD5
00022ae5698576be7356c13c26f626f7

SHA1
b5d26f9d51bfe8796397f6cd3bf8308919714f7b

SHA256
e3c26fa42a9506ae888f57a749fcbdf2be2244068d309d74eee1c1d2c4deedbb

SHA512
43dd015a5a166b149b5eb246e47c617290ab13b005de516c3e4d00db0cdf2df4049fba74cfa6be4be68666983bfc252248d2d0d970f45a14711695221982d57a

Download Submit
C:\Windows\{0596C048-52B6-4970-99EE-982F04F7752A}.exe

Filesize
204KB

MD5
00022ae5698576be7356c13c26f626f7

SHA1
b5d26f9d51bfe8796397f6cd3bf8308919714f7b

SHA256
e3c26fa42a9506ae888f57a749fcbdf2be2244068d309d74eee1c1d2c4deedbb

SHA512
43dd015a5a166b149b5eb246e47c617290ab13b005de516c3e4d00db0cdf2df4049fba74cfa6be4be68666983bfc252248d2d0d970f45a14711695221982d57a

Download Submit
C:\Windows\{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe

Filesize
204KB

MD5
5f957ae2c123cf57925b14d31c424f1d

SHA1
0f436af0b6def5b13a1c9b5fce201fb6b6da624c

SHA256
a6ac3e4a4fe7b82f38c1467e96bc9fdd01ad8fe6ac919c765279a1b27bf8cc46

SHA512
92309c1a5ee568ce0558abb425a4f6344d213aef16536327477f6a5b0911ab954f8e38e8e6d9e1fc98f3ce1934be0275bd6f402d8a5167606c0012bfdd80f8ac

Download Submit
C:\Windows\{13B5C3D2-0FCC-48d7-A583-912CF4E3404C}.exe

Filesize
204KB

MD5
5f957ae2c123cf57925b14d31c424f1d

SHA1
0f436af0b6def5b13a1c9b5fce201fb6b6da624c

SHA256
a6ac3e4a4fe7b82f38c1467e96bc9fdd01ad8fe6ac919c765279a1b27bf8cc46

SHA512
92309c1a5ee568ce0558abb425a4f6344d213aef16536327477f6a5b0911ab954f8e38e8e6d9e1fc98f3ce1934be0275bd6f402d8a5167606c0012bfdd80f8ac

Download Submit
C:\Windows\{28C8D31E-B859-4568-B222-C48EA0864716}.exe

Filesize
204KB

MD5
e53e1da8aee5066870e1fbee1332b36b

SHA1
c539e56712a8f2b5af6410b60ebb6911313f790d

SHA256
3297b314ac324c6ca49de077a05e5f2a2742fc9085dd12e196632b48a92030b1

SHA512
2949096a2f1363a01aa67e97eee32797d198d2dc5b3c53f51b1f79937029158a3cb4c51eec7b221feb40295ae0b253e6d6458a5146848baaec7a1f30013f2d05

Download Submit
C:\Windows\{28C8D31E-B859-4568-B222-C48EA0864716}.exe

Filesize
204KB

MD5
e53e1da8aee5066870e1fbee1332b36b

SHA1
c539e56712a8f2b5af6410b60ebb6911313f790d

SHA256
3297b314ac324c6ca49de077a05e5f2a2742fc9085dd12e196632b48a92030b1

SHA512
2949096a2f1363a01aa67e97eee32797d198d2dc5b3c53f51b1f79937029158a3cb4c51eec7b221feb40295ae0b253e6d6458a5146848baaec7a1f30013f2d05

Download Submit
C:\Windows\{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe

Filesize
204KB

MD5
6b0b41065b6966da0a10fbc3c886c69e

SHA1
96f44bd9ab732c596c5ff0b047b134041cfb06eb

SHA256
48893eff8598c8f4f322bb9d25dcf8851aafba9207b0dc7ef6e64cd67bc556de

SHA512
236f5d56eff3d683b95dc5e893048824f2447e70467ed877b8bf0a23dfe6f95103e687651c56f8586be72c02bceb5798b41b5b1ee16ad9e582a07863b176449d

Download Submit
C:\Windows\{2D88496E-62BE-48b7-B934-18C1FEC0D808}.exe

Filesize
204KB

MD5
6b0b41065b6966da0a10fbc3c886c69e

SHA1
96f44bd9ab732c596c5ff0b047b134041cfb06eb

SHA256
48893eff8598c8f4f322bb9d25dcf8851aafba9207b0dc7ef6e64cd67bc556de

SHA512
236f5d56eff3d683b95dc5e893048824f2447e70467ed877b8bf0a23dfe6f95103e687651c56f8586be72c02bceb5798b41b5b1ee16ad9e582a07863b176449d

Download Submit
C:\Windows\{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe

Filesize
204KB

MD5
e1558098f2e2d7c747eaa2b2ab097e31

SHA1
272c83823ea092de601de23032c19aa693ee6366

SHA256
c85bde6c68e2421e6e95138d1e73b1b84568f275d88437374345aa182fca6dad

SHA512
d2de99da9ae4b97d39c549463d0db10f0c3bc44b3fde83ba7de884fd9f223002e29d932c2aa269961750e2fab52c182ba871831c74d7f85ff9df86f9f1e6d39a

Download Submit
C:\Windows\{4F0FB871-79E2-4ee5-A674-CE7DFDE0B862}.exe

Filesize
204KB

MD5
e1558098f2e2d7c747eaa2b2ab097e31

SHA1
272c83823ea092de601de23032c19aa693ee6366

SHA256
c85bde6c68e2421e6e95138d1e73b1b84568f275d88437374345aa182fca6dad

SHA512
d2de99da9ae4b97d39c549463d0db10f0c3bc44b3fde83ba7de884fd9f223002e29d932c2aa269961750e2fab52c182ba871831c74d7f85ff9df86f9f1e6d39a

Download Submit
C:\Windows\{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe

Filesize
204KB

MD5
d6a00592c5fe70d43d45ebc5bcbdd4d0

SHA1
2c0df670cfabc284b7d800a430d93baea1d559e6

SHA256
b8045c1a61aae9b52fb4b3c454cd75c729ae09f58809ec3d6612dafd8fca7c45

SHA512
87d33bf0c59094bd009ff25974f8761112f23dcbddec36a858090337aa767bf0f61b5dfb325c6b23ad4f408a33fd39e496204168ff05023918f034cbb49953a1

Download Submit
C:\Windows\{546A6D50-BEA3-41b9-96CB-98A8EC96C3C6}.exe

Filesize
204KB

MD5
d6a00592c5fe70d43d45ebc5bcbdd4d0

SHA1
2c0df670cfabc284b7d800a430d93baea1d559e6

SHA256
b8045c1a61aae9b52fb4b3c454cd75c729ae09f58809ec3d6612dafd8fca7c45

SHA512
87d33bf0c59094bd009ff25974f8761112f23dcbddec36a858090337aa767bf0f61b5dfb325c6b23ad4f408a33fd39e496204168ff05023918f034cbb49953a1

Download Submit
C:\Windows\{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe

Filesize
204KB

MD5
bfeb5226abc5461ec100d73fef03ef0f

SHA1
dc2797f1981dc34f8a9d6fb0b62ac29609a92b8c

SHA256
2359335a740c47d33d97b612d809b72392f782134c7b62b02501f8f8f640cc83

SHA512
c4f391784dfe319866a8abf0255494ef9fc412067f2c63d08c3b18be3b34fba07b447a1115fe13ba84456e3c4854f38220c5ae610467ec0c87aba50929cc6c98

Download Submit
C:\Windows\{868D2A19-9AAB-474c-AA8D-91256AF9FF35}.exe

Filesize
204KB

MD5
bfeb5226abc5461ec100d73fef03ef0f

SHA1
dc2797f1981dc34f8a9d6fb0b62ac29609a92b8c

SHA256
2359335a740c47d33d97b612d809b72392f782134c7b62b02501f8f8f640cc83

SHA512
c4f391784dfe319866a8abf0255494ef9fc412067f2c63d08c3b18be3b34fba07b447a1115fe13ba84456e3c4854f38220c5ae610467ec0c87aba50929cc6c98

Download Submit
C:\Windows\{8978800E-7306-4128-B673-931F37C8CF98}.exe

Filesize
204KB

MD5
ddb60a0ca65b0a7838651466c966fa62

SHA1
afec1423ae2259eb14ec03ec01a120ee8f5d7727

SHA256
b2690ec1bb576b7b4fd9d09a28078b95f7ed9dfec9491a25d040475a45385c0b

SHA512
54e52a3c43a5a00435e2d9634c217dd096fc7c13403544d215c1e05501975383ccfc39e7fc12ba6f66c039b176f9fc227e7e809a2d2e0f2c3d110e441fa4bdd5

Download Submit
C:\Windows\{8978800E-7306-4128-B673-931F37C8CF98}.exe

Filesize
204KB

MD5
ddb60a0ca65b0a7838651466c966fa62

SHA1
afec1423ae2259eb14ec03ec01a120ee8f5d7727

SHA256
b2690ec1bb576b7b4fd9d09a28078b95f7ed9dfec9491a25d040475a45385c0b

SHA512
54e52a3c43a5a00435e2d9634c217dd096fc7c13403544d215c1e05501975383ccfc39e7fc12ba6f66c039b176f9fc227e7e809a2d2e0f2c3d110e441fa4bdd5

Download Submit
C:\Windows\{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe

Filesize
204KB

MD5
15e1ad8fb25d39c09212df6f83b705eb

SHA1
4f99b76a1f2da1bb18d7685a43de6ea8621a3a78

SHA256
6c3f0decc3a55eeeae728ff8035eb8258c2fb3cd4633b3f299135763632deb86

SHA512
9bd2ab2c83d0c57523d2ac67fc0a09ba8dda0a7f7f44329279adcd7a9e05073111e365c1564db169ad650ec1943d02f2bd56cbe7176079c02330d0d7d3e8beab

Download Submit
C:\Windows\{BE716957-D264-4a5a-B8F6-ADD2581D4CDE}.exe

Filesize
204KB

MD5
15e1ad8fb25d39c09212df6f83b705eb

SHA1
4f99b76a1f2da1bb18d7685a43de6ea8621a3a78

SHA256
6c3f0decc3a55eeeae728ff8035eb8258c2fb3cd4633b3f299135763632deb86

SHA512
9bd2ab2c83d0c57523d2ac67fc0a09ba8dda0a7f7f44329279adcd7a9e05073111e365c1564db169ad650ec1943d02f2bd56cbe7176079c02330d0d7d3e8beab

Download Submit
C:\Windows\{C593760D-81E4-4be8-8694-65B8D62E6000}.exe

Filesize
204KB

MD5
342e1976216842a54671197502d74561

SHA1
0115005c486080a8b85f8f239259d6076d5d090f

SHA256
27aeb752c66c78c145868704cb78fc9c687a1982b29741e3a67e035ce8249524

SHA512
9841d9ed3ef87138605369994c9ba1d3fe69eb4b19cc06d6aeb33e1d216e803dd64b792040c9457d4cd6281897af243e5e128d9b2d65dbbf7d45df3df0d7cdaa

Download Submit
C:\Windows\{C593760D-81E4-4be8-8694-65B8D62E6000}.exe

Filesize
204KB

MD5
342e1976216842a54671197502d74561

SHA1
0115005c486080a8b85f8f239259d6076d5d090f

SHA256
27aeb752c66c78c145868704cb78fc9c687a1982b29741e3a67e035ce8249524

SHA512
9841d9ed3ef87138605369994c9ba1d3fe69eb4b19cc06d6aeb33e1d216e803dd64b792040c9457d4cd6281897af243e5e128d9b2d65dbbf7d45df3df0d7cdaa

Download Submit
C:\Windows\{E1A1DDBB-EDD0-482d-A417-C6ED89BF24D9}.exe

Filesize
204KB

MD5
a3799057927939eb36009102eb4c23e5

SHA1
94365e106e041bc7a2528a30239f45648261377b

SHA256
bffeef10e78b853a888c5343b22b139664eb01874b0f4c54b66a2bb1689161ff

SHA512
64a2c24bd105564471f5e49b651a988a69503918a0dc29169eb51c4c64e296c0132d321b0a7bc10a53fb6c532818094045355e4c0d3d1e40574c1a6c8ee243fe

Download Submit
C:\Windows\{E1A1DDBB-EDD0-482d-A417-C6ED89BF24D9}.exe

Filesize
204KB

MD5
a3799057927939eb36009102eb4c23e5

SHA1
94365e106e041bc7a2528a30239f45648261377b

SHA256
bffeef10e78b853a888c5343b22b139664eb01874b0f4c54b66a2bb1689161ff

SHA512
64a2c24bd105564471f5e49b651a988a69503918a0dc29169eb51c4c64e296c0132d321b0a7bc10a53fb6c532818094045355e4c0d3d1e40574c1a6c8ee243fe

Download Submit
C:\Windows\{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe

Filesize
204KB

MD5
6be4aaef2107e8068369a99e7fd7be05

SHA1
9d84ac153b38288cec59c7a765b889876610a3d9

SHA256
e3bda62d3347d398779a46448f5191e2959734f1c665a45516d951b2820853b2

SHA512
fce3258c5016bf271d3f162804e85857d4c8583a73a6553134888cdff83afa60924a80e24b4247da30c21b44757f4a659a5dc1588be32bf6323e5fb64eaeaa00

Download Submit
C:\Windows\{F5DF639A-C9BC-4088-B5DC-71C642E692CC}.exe

Filesize
204KB

MD5
6be4aaef2107e8068369a99e7fd7be05

SHA1
9d84ac153b38288cec59c7a765b889876610a3d9

SHA256
e3bda62d3347d398779a46448f5191e2959734f1c665a45516d951b2820853b2

SHA512
fce3258c5016bf271d3f162804e85857d4c8583a73a6553134888cdff83afa60924a80e24b4247da30c21b44757f4a659a5dc1588be32bf6323e5fb64eaeaa00

Download Submit