a9e0bed3df76a3a4399a9963ca714712d19f394883eda99a05f7fb4968956d45

Analysis

max time kernel
147s
max time network
34s
platform
windows7_x64
resource
win7-20230705-en
resource tags

arch:x64arch:x86image:win7-20230705-enlocale:en-usos:windows7-x64system
submitted
11/07/2023, 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc99d27b2a2caaexeexeexeex.exe
Size

192KB
MD5

fc99d27b2a2caa3c2adbb1f0c9be8adb
SHA1

9c35fba96fcbff61ea4f021ac60479ebb5974017
SHA256

a9e0bed3df76a3a4399a9963ca714712d19f394883eda99a05f7fb4968956d45
SHA512

da412c2225d1ca4ed90a3474135e6411a4d4cceb30345d018c94da4e8843ca6366470eddaf579d4eb3234b1c7b7fb662b3e7ac8626c822d61c26a894bb8e5783
SSDEEP

1536:1EGh0ozl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3H6:1EGh0ozl1OPOe2MUVg3Ve+rXfMUa

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE1AC5A-2B21-460b-8108-EE8123229654}\stubpath = "C:\\Windows\\{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe"	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{048B1954-1538-4243-B6A1-F9EC46D1508A}	{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{048B1954-1538-4243-B6A1-F9EC46D1508A}\stubpath = "C:\\Windows\\{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe"	{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DD0A753-7FC1-48ce-B911-402E03B9C011}\stubpath = "C:\\Windows\\{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe"	{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}\stubpath = "C:\\Windows\\{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe"	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F54987D-0354-4c69-976A-A86433BF63CC}	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42191BC2-186A-484d-9BF5-02224BA18B90}\stubpath = "C:\\Windows\\{42191BC2-186A-484d-9BF5-02224BA18B90}.exe"	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}\stubpath = "C:\\Windows\\{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe"	{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DD0A753-7FC1-48ce-B911-402E03B9C011}	{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E992CF1D-E367-422f-9611-B1700F8C7401}	fc99d27b2a2caaexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E992CF1D-E367-422f-9611-B1700F8C7401}\stubpath = "C:\\Windows\\{E992CF1D-E367-422f-9611-B1700F8C7401}.exe"	fc99d27b2a2caaexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}\stubpath = "C:\\Windows\\{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe"	{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65AFC120-9A5F-4f2f-83AD-1AB3171265CA}	{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}\stubpath = "C:\\Windows\\{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe"	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{42191BC2-186A-484d-9BF5-02224BA18B90}	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}	{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}\stubpath = "C:\\Windows\\{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe"	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9CE1AC5A-2B21-460b-8108-EE8123229654}	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}	{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65AFC120-9A5F-4f2f-83AD-1AB3171265CA}\stubpath = "C:\\Windows\\{65AFC120-9A5F-4f2f-83AD-1AB3171265CA}.exe"	{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}\stubpath = "C:\\Windows\\{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe"	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F54987D-0354-4c69-976A-A86433BF63CC}\stubpath = "C:\\Windows\\{1F54987D-0354-4c69-976A-A86433BF63CC}.exe"	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe

Deletes itself 1 IoCs

pid	Process
2884	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
2120	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe
2896	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe
2020	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe
2860	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe
1556	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe
1992	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe
2768	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe
2344	{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe
2272	{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe
2648	{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe
2564	{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe
2604	{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe
2600	{65AFC120-9A5F-4f2f-83AD-1AB3171265CA}.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe
File created	C:\Windows\{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe
File created	C:\Windows\{1F54987D-0354-4c69-976A-A86433BF63CC}.exe	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe
File created	C:\Windows\{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe	{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe
File created	C:\Windows\{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe	{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe
File created	C:\Windows\{65AFC120-9A5F-4f2f-83AD-1AB3171265CA}.exe	{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe
File created	C:\Windows\{E992CF1D-E367-422f-9611-B1700F8C7401}.exe	fc99d27b2a2caaexeexeexeex.exe
File created	C:\Windows\{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe
File created	C:\Windows\{42191BC2-186A-484d-9BF5-02224BA18B90}.exe	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe
File created	C:\Windows\{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe
File created	C:\Windows\{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe
File created	C:\Windows\{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe	{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe
File created	C:\Windows\{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe	{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3040	fc99d27b2a2caaexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	2120	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe
Token: SeIncBasePriorityPrivilege	2896	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe
Token: SeIncBasePriorityPrivilege	2020	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe
Token: SeIncBasePriorityPrivilege	2860	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe
Token: SeIncBasePriorityPrivilege	1556	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe
Token: SeIncBasePriorityPrivilege	1992	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe
Token: SeIncBasePriorityPrivilege	2768	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe
Token: SeIncBasePriorityPrivilege	2344	{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe
Token: SeIncBasePriorityPrivilege	2272	{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe
Token: SeIncBasePriorityPrivilege	2648	{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe
Token: SeIncBasePriorityPrivilege	2564	{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe
Token: SeIncBasePriorityPrivilege	2604	{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2120	3040	fc99d27b2a2caaexeexeexeex.exe	27
PID 3040 wrote to memory of 2120	3040	fc99d27b2a2caaexeexeexeex.exe	27
PID 3040 wrote to memory of 2120	3040	fc99d27b2a2caaexeexeexeex.exe	27
PID 3040 wrote to memory of 2120	3040	fc99d27b2a2caaexeexeexeex.exe	27
PID 3040 wrote to memory of 2884	3040	fc99d27b2a2caaexeexeexeex.exe	28
PID 3040 wrote to memory of 2884	3040	fc99d27b2a2caaexeexeexeex.exe	28
PID 3040 wrote to memory of 2884	3040	fc99d27b2a2caaexeexeexeex.exe	28
PID 3040 wrote to memory of 2884	3040	fc99d27b2a2caaexeexeexeex.exe	28
PID 2120 wrote to memory of 2896	2120	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe	29
PID 2120 wrote to memory of 2896	2120	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe	29
PID 2120 wrote to memory of 2896	2120	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe	29
PID 2120 wrote to memory of 2896	2120	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe	29
PID 2120 wrote to memory of 3000	2120	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe	30
PID 2120 wrote to memory of 3000	2120	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe	30
PID 2120 wrote to memory of 3000	2120	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe	30
PID 2120 wrote to memory of 3000	2120	{E992CF1D-E367-422f-9611-B1700F8C7401}.exe	30
PID 2896 wrote to memory of 2020	2896	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe	31
PID 2896 wrote to memory of 2020	2896	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe	31
PID 2896 wrote to memory of 2020	2896	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe	31
PID 2896 wrote to memory of 2020	2896	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe	31
PID 2896 wrote to memory of 2228	2896	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe	32
PID 2896 wrote to memory of 2228	2896	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe	32
PID 2896 wrote to memory of 2228	2896	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe	32
PID 2896 wrote to memory of 2228	2896	{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe	32
PID 2020 wrote to memory of 2860	2020	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe	33
PID 2020 wrote to memory of 2860	2020	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe	33
PID 2020 wrote to memory of 2860	2020	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe	33
PID 2020 wrote to memory of 2860	2020	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe	33
PID 2020 wrote to memory of 1096	2020	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe	34
PID 2020 wrote to memory of 1096	2020	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe	34
PID 2020 wrote to memory of 1096	2020	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe	34
PID 2020 wrote to memory of 1096	2020	{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe	34
PID 2860 wrote to memory of 1556	2860	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe	35
PID 2860 wrote to memory of 1556	2860	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe	35
PID 2860 wrote to memory of 1556	2860	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe	35
PID 2860 wrote to memory of 1556	2860	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe	35
PID 2860 wrote to memory of 2212	2860	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe	36
PID 2860 wrote to memory of 2212	2860	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe	36
PID 2860 wrote to memory of 2212	2860	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe	36
PID 2860 wrote to memory of 2212	2860	{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe	36
PID 1556 wrote to memory of 1992	1556	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe	37
PID 1556 wrote to memory of 1992	1556	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe	37
PID 1556 wrote to memory of 1992	1556	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe	37
PID 1556 wrote to memory of 1992	1556	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe	37
PID 1556 wrote to memory of 2204	1556	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe	38
PID 1556 wrote to memory of 2204	1556	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe	38
PID 1556 wrote to memory of 2204	1556	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe	38
PID 1556 wrote to memory of 2204	1556	{42191BC2-186A-484d-9BF5-02224BA18B90}.exe	38
PID 1992 wrote to memory of 2768	1992	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe	39
PID 1992 wrote to memory of 2768	1992	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe	39
PID 1992 wrote to memory of 2768	1992	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe	39
PID 1992 wrote to memory of 2768	1992	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe	39
PID 1992 wrote to memory of 2836	1992	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe	40
PID 1992 wrote to memory of 2836	1992	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe	40
PID 1992 wrote to memory of 2836	1992	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe	40
PID 1992 wrote to memory of 2836	1992	{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe	40
PID 2768 wrote to memory of 2344	2768	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe	41
PID 2768 wrote to memory of 2344	2768	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe	41
PID 2768 wrote to memory of 2344	2768	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe	41
PID 2768 wrote to memory of 2344	2768	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe	41
PID 2768 wrote to memory of 2712	2768	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe	42
PID 2768 wrote to memory of 2712	2768	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe	42
PID 2768 wrote to memory of 2712	2768	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe	42
PID 2768 wrote to memory of 2712	2768	{1F54987D-0354-4c69-976A-A86433BF63CC}.exe	42

C:\Users\Admin\AppData\Local\Temp\fc99d27b2a2caaexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\fc99d27b2a2caaexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\{E992CF1D-E367-422f-9611-B1700F8C7401}.exe
  C:\Windows\{E992CF1D-E367-422f-9611-B1700F8C7401}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe
    C:\Windows\{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe
      C:\Windows\{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2020
    - - C:\Windows\{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe
        
        C:\Windows\{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
      - C:\Windows\{42191BC2-186A-484d-9BF5-02224BA18B90}.exe
        
        C:\Windows\{42191BC2-186A-484d-9BF5-02224BA18B90}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1556
        
        C:\Windows\{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe
        
        C:\Windows\{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{1F54987D-0354-4c69-976A-A86433BF63CC}.exe
        
        C:\Windows\{1F54987D-0354-4c69-976A-A86433BF63CC}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2768
        
        C:\Windows\{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe
        
        C:\Windows\{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe
        
        C:\Windows\{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe
        
        C:\Windows\{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe
        
        C:\Windows\{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe
        
        C:\Windows\{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe
        13⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\{65AFC120-9A5F-4f2f-83AD-1AB3171265CA}.exe
        
        C:\Windows\{65AFC120-9A5F-4f2f-83AD-1AB3171265CA}.exe
        14⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{60F0F~1.EXE > nul
        14⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DD0A~1.EXE > nul
        13⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{048B1~1.EXE > nul
        12⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C399~1.EXE > nul
        11⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CE1A~1.EXE > nul
        10⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F549~1.EXE > nul
        9⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF257~1.EXE > nul
        8⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{42191~1.EXE > nul
        7⤵
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{34F25~1.EXE > nul
        6⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{934DB~1.EXE > nul
        5⤵
        
        PID:1096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F0FA1~1.EXE > nul
      4⤵
      PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E992C~1.EXE > nul
    3⤵
    PID:3000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FC99D2~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe

Filesize
192KB

MD5
a727dc561e24c95d531f89a8bec770df

SHA1
88ef25c7aae7ad39432052970c47d9ba072b351b

SHA256
a891e85335a162a4a7ad7e10d2e210ad9cf0697ac44e22dd9538e3be50a880af

SHA512
a9cb6a4f414dd1955f86b5960d2df6bfb889c2ba4d0f63cbe4f82a9a979cd7db00bc023492f04919c895bcb83f38e7d5c3591cf1d4af65e5c7b37ca83f080c9f

Download Submit
C:\Windows\{048B1954-1538-4243-B6A1-F9EC46D1508A}.exe

Filesize
192KB

MD5
a727dc561e24c95d531f89a8bec770df

SHA1
88ef25c7aae7ad39432052970c47d9ba072b351b

SHA256
a891e85335a162a4a7ad7e10d2e210ad9cf0697ac44e22dd9538e3be50a880af

SHA512
a9cb6a4f414dd1955f86b5960d2df6bfb889c2ba4d0f63cbe4f82a9a979cd7db00bc023492f04919c895bcb83f38e7d5c3591cf1d4af65e5c7b37ca83f080c9f

Download Submit
C:\Windows\{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe

Filesize
192KB

MD5
fa9b4ef80a57d6be1d8dc86308877831

SHA1
d48c076722ca74c48c033d91e31b0dec97dd0d5a

SHA256
b673a039edb82138bfc7eb29bedeed8bd0cbf761e6a9eeb91cf32fe21fd4f9bb

SHA512
8b1a2e2f0139c8406c97f1b1969d09b7099e784297933297510d6b5eac67855efbacae4b26dfbbe4e26e6311b7cc080bbb43e1d600456fd4bf37f3f9e213a6c7

Download Submit
C:\Windows\{1C399B7B-25C5-4fd0-A627-E1C19BD1B480}.exe

Filesize
192KB

MD5
fa9b4ef80a57d6be1d8dc86308877831

SHA1
d48c076722ca74c48c033d91e31b0dec97dd0d5a

SHA256
b673a039edb82138bfc7eb29bedeed8bd0cbf761e6a9eeb91cf32fe21fd4f9bb

SHA512
8b1a2e2f0139c8406c97f1b1969d09b7099e784297933297510d6b5eac67855efbacae4b26dfbbe4e26e6311b7cc080bbb43e1d600456fd4bf37f3f9e213a6c7

Download Submit
C:\Windows\{1F54987D-0354-4c69-976A-A86433BF63CC}.exe

Filesize
192KB

MD5
806a635f69292e8e1ffeb9ee21a41d84

SHA1
fa71e1f4b7d46e9000bfa0621df5de5fa2057381

SHA256
a9860f706267afeade616cf78399bb0dc2b22f4e1c7b1d698d5dea267fde1879

SHA512
ef6ce35ce43927cded8c472c9fbeb32192cec1e3f6970f182278ee4437f20e96d65190de63d8e0d88958c91a357846159578cb606877bd16b342d178bf88ee7c

Download Submit
C:\Windows\{1F54987D-0354-4c69-976A-A86433BF63CC}.exe

Filesize
192KB

MD5
806a635f69292e8e1ffeb9ee21a41d84

SHA1
fa71e1f4b7d46e9000bfa0621df5de5fa2057381

SHA256
a9860f706267afeade616cf78399bb0dc2b22f4e1c7b1d698d5dea267fde1879

SHA512
ef6ce35ce43927cded8c472c9fbeb32192cec1e3f6970f182278ee4437f20e96d65190de63d8e0d88958c91a357846159578cb606877bd16b342d178bf88ee7c

Download Submit
C:\Windows\{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe

Filesize
192KB

MD5
5d114b707e4dd1a43ad1d9b9c67cb6a4

SHA1
ca9e6b9ae44221b5f883144b64b4650f1a499243

SHA256
aa366461fde05e6fb96923c0737b0f78434a14677482c311528f012ec9d331d5

SHA512
28f770bec6c4771ff9bcbb5b39a8402a98ac42fe31b9e3991a1f921f296d03760aa613b24fe7fe514d638133c009d4f2701a180495167a8b2e50baba235bf370

Download Submit
C:\Windows\{34F2555F-7F7D-4d2d-BE11-13BFBD3448FE}.exe

Filesize
192KB

MD5
5d114b707e4dd1a43ad1d9b9c67cb6a4

SHA1
ca9e6b9ae44221b5f883144b64b4650f1a499243

SHA256
aa366461fde05e6fb96923c0737b0f78434a14677482c311528f012ec9d331d5

SHA512
28f770bec6c4771ff9bcbb5b39a8402a98ac42fe31b9e3991a1f921f296d03760aa613b24fe7fe514d638133c009d4f2701a180495167a8b2e50baba235bf370

Download Submit
C:\Windows\{42191BC2-186A-484d-9BF5-02224BA18B90}.exe

Filesize
192KB

MD5
dce089d623e52dfe84848c632899dc14

SHA1
5183329829266a0d16934f0977690dcff44b7b5a

SHA256
b1149019ee9edf1348220dc374ce5baa877e57b5df5c2fe3291fcfb4509bb9f1

SHA512
5c3b79bb43db90f1f1659977acb93c87b45502328c8d6396bf89018a58ba564971f1aacb30ebe32efecc4885c51824f1df0270d2316ce17790683ce8643cf2a3

Download Submit
C:\Windows\{42191BC2-186A-484d-9BF5-02224BA18B90}.exe

Filesize
192KB

MD5
dce089d623e52dfe84848c632899dc14

SHA1
5183329829266a0d16934f0977690dcff44b7b5a

SHA256
b1149019ee9edf1348220dc374ce5baa877e57b5df5c2fe3291fcfb4509bb9f1

SHA512
5c3b79bb43db90f1f1659977acb93c87b45502328c8d6396bf89018a58ba564971f1aacb30ebe32efecc4885c51824f1df0270d2316ce17790683ce8643cf2a3

Download Submit
C:\Windows\{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe

Filesize
192KB

MD5
4f1e0863e3a8576990e58477b78ebe9a

SHA1
35aa903851778314f836976a0e9491c55d87aaef

SHA256
27af0fb8ae181eb12bbb34457fcd8218182141f9643bb6bd493b6d1fa81bcdf3

SHA512
862fe771da414f0317c5a80b03000c94389b718631381f3517a641e2973d912532717d3f78ab43b1ff1654210a5cd3a8875199b6ec2e4206244f2d8fb29d4340

Download Submit
C:\Windows\{4DD0A753-7FC1-48ce-B911-402E03B9C011}.exe

Filesize
192KB

MD5
4f1e0863e3a8576990e58477b78ebe9a

SHA1
35aa903851778314f836976a0e9491c55d87aaef

SHA256
27af0fb8ae181eb12bbb34457fcd8218182141f9643bb6bd493b6d1fa81bcdf3

SHA512
862fe771da414f0317c5a80b03000c94389b718631381f3517a641e2973d912532717d3f78ab43b1ff1654210a5cd3a8875199b6ec2e4206244f2d8fb29d4340

Download Submit
C:\Windows\{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe

Filesize
192KB

MD5
caf9a23ac7c823a98a8dd917df31be15

SHA1
6346031400fd035fe77d699f5ce5c4c1ab0f5ba6

SHA256
f05b130b413c05fef49b5a69a1ec54585732bade95ac9aaa990057128646e963

SHA512
ae2ca5e4abd09ebec8aacd4c85d9f4975296fb7e06d9d7c776a60371fa907b529aee7f665c52081d72d5c6eeb082d87a6cb7318708f2c9abae961707d2b4660f

Download Submit
C:\Windows\{60F0F6D7-44E5-473f-9CA0-B954EC1B30ED}.exe

Filesize
192KB

MD5
caf9a23ac7c823a98a8dd917df31be15

SHA1
6346031400fd035fe77d699f5ce5c4c1ab0f5ba6

SHA256
f05b130b413c05fef49b5a69a1ec54585732bade95ac9aaa990057128646e963

SHA512
ae2ca5e4abd09ebec8aacd4c85d9f4975296fb7e06d9d7c776a60371fa907b529aee7f665c52081d72d5c6eeb082d87a6cb7318708f2c9abae961707d2b4660f

Download Submit
C:\Windows\{65AFC120-9A5F-4f2f-83AD-1AB3171265CA}.exe

Filesize
192KB

MD5
3bdee9ca40908fa21bd06ce1fa5bba1c

SHA1
aac5946129a8904ce8667f61c2d17a11b34aa7cb

SHA256
40e5502a0bb25fa54276636eee9e6b973d75ec0994dbd7ae74ee346896b5b874

SHA512
d14f0782a6144d681d8d07b3a45514c218c73d7e0d3df2af42dbcde8b2eeed8addfa0edd96dc19fd1e132f7abc56800c125c2e67afa6b82b4602cf26eb21f83c

Download Submit
C:\Windows\{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe

Filesize
192KB

MD5
c9e63d457c50126253abd138e33c2cc8

SHA1
bf42034b892e863fa1b9ae1405b9f9cdd5b0c889

SHA256
e3576cd5a9e6da9bef9a25784ec820005e7e73311951aa1a78059be5209f6674

SHA512
63463da2f31e5a028ad8b5e055f6966b2d6fcbe2b7d66ea52bff3c756abb19161e9e0b05d049bd3edc6a7d4c30ce883600bc771b27fb780c4daead44192aa2f4

Download Submit
C:\Windows\{934DB7D8-4139-43fc-A44E-026E0FCBC7BD}.exe

Filesize
192KB

MD5
c9e63d457c50126253abd138e33c2cc8

SHA1
bf42034b892e863fa1b9ae1405b9f9cdd5b0c889

SHA256
e3576cd5a9e6da9bef9a25784ec820005e7e73311951aa1a78059be5209f6674

SHA512
63463da2f31e5a028ad8b5e055f6966b2d6fcbe2b7d66ea52bff3c756abb19161e9e0b05d049bd3edc6a7d4c30ce883600bc771b27fb780c4daead44192aa2f4

Download Submit
C:\Windows\{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe

Filesize
192KB

MD5
4a1913801ba8c5c3c1cf2656fc8a64a9

SHA1
c2bb1ec5af4e57b19528693f74abb41c43413038

SHA256
f73207a097e7431e3dc37fecc2a441a834f41b8c96ef09c490eec0f543931985

SHA512
4c37405c25a73a54a8926043d07c2ad124833b612ff3102a4db3e4c38a809fb0576bb54e1e3d454598c885b1470af9dedec4efa6912f8a4d92583d7381383a7d

Download Submit
C:\Windows\{9CE1AC5A-2B21-460b-8108-EE8123229654}.exe

Filesize
192KB

MD5
4a1913801ba8c5c3c1cf2656fc8a64a9

SHA1
c2bb1ec5af4e57b19528693f74abb41c43413038

SHA256
f73207a097e7431e3dc37fecc2a441a834f41b8c96ef09c490eec0f543931985

SHA512
4c37405c25a73a54a8926043d07c2ad124833b612ff3102a4db3e4c38a809fb0576bb54e1e3d454598c885b1470af9dedec4efa6912f8a4d92583d7381383a7d

Download Submit
C:\Windows\{E992CF1D-E367-422f-9611-B1700F8C7401}.exe

Filesize
192KB

MD5
06fa5c5c98ae660ae88cce9ad952d5d6

SHA1
b8305dda7451a132d575a4f0efb367d83d0bf147

SHA256
4261ae7994bc98b49bdeee8b4568df09c4c5d3bce07bf6bd479cf912f0e4b251

SHA512
7dda0e23f7e30bf83d864b3eccb43ed1fb8b7c0693d5c043f3ca8b6ed6e46807d5035df115486c113c88a9ae281555dd91bac7d5b6b20462ca1e25599cb584c0

Download Submit
C:\Windows\{E992CF1D-E367-422f-9611-B1700F8C7401}.exe

Filesize
192KB

MD5
06fa5c5c98ae660ae88cce9ad952d5d6

SHA1
b8305dda7451a132d575a4f0efb367d83d0bf147

SHA256
4261ae7994bc98b49bdeee8b4568df09c4c5d3bce07bf6bd479cf912f0e4b251

SHA512
7dda0e23f7e30bf83d864b3eccb43ed1fb8b7c0693d5c043f3ca8b6ed6e46807d5035df115486c113c88a9ae281555dd91bac7d5b6b20462ca1e25599cb584c0

Download Submit
C:\Windows\{E992CF1D-E367-422f-9611-B1700F8C7401}.exe

Filesize
192KB

MD5
06fa5c5c98ae660ae88cce9ad952d5d6

SHA1
b8305dda7451a132d575a4f0efb367d83d0bf147

SHA256
4261ae7994bc98b49bdeee8b4568df09c4c5d3bce07bf6bd479cf912f0e4b251

SHA512
7dda0e23f7e30bf83d864b3eccb43ed1fb8b7c0693d5c043f3ca8b6ed6e46807d5035df115486c113c88a9ae281555dd91bac7d5b6b20462ca1e25599cb584c0

Download Submit
C:\Windows\{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe

Filesize
192KB

MD5
f8441f080b9a4cf3247bbf1adc6977e1

SHA1
cd7d0ae55959cb860354aec153585e0ba664ad26

SHA256
1a70f1a040ad41ac29cbe34c5aa64a654674e8fe4f94e8193f8eb21799fed087

SHA512
0a97a42af21a98c57dc27603db72e1dfd1c403eb04558d1c28b34feeb3a27ce19488f7ccb1eac5955430de2ac416fe1d54e202c91acadff9c7d16bae8786be27

Download Submit
C:\Windows\{F0FA17BC-FCCE-41ce-B0F6-018789BE1F13}.exe

Filesize
192KB

MD5
f8441f080b9a4cf3247bbf1adc6977e1

SHA1
cd7d0ae55959cb860354aec153585e0ba664ad26

SHA256
1a70f1a040ad41ac29cbe34c5aa64a654674e8fe4f94e8193f8eb21799fed087

SHA512
0a97a42af21a98c57dc27603db72e1dfd1c403eb04558d1c28b34feeb3a27ce19488f7ccb1eac5955430de2ac416fe1d54e202c91acadff9c7d16bae8786be27

Download Submit
C:\Windows\{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe

Filesize
192KB

MD5
4dc7695835cb53b9db65133b8d37c46a

SHA1
c166166d1bc5fb818631ada8746a6d40167e6c23

SHA256
51a7b116ff0bf7b49a3404ac63256ddcc15ac6b5efee1cf76c5e0b5b147c4c4f

SHA512
6020233916721eb225559162142404d92e3d9e2b597d4400d576307e6ec2a289075ef073c1d5a0ccbee02e5e8864d7545223dd59bd86c774def53fb193815f50

Download Submit
C:\Windows\{FF257789-F2B2-4b0a-808F-5BF1F06FFB02}.exe

Filesize
192KB

MD5
4dc7695835cb53b9db65133b8d37c46a

SHA1
c166166d1bc5fb818631ada8746a6d40167e6c23

SHA256
51a7b116ff0bf7b49a3404ac63256ddcc15ac6b5efee1cf76c5e0b5b147c4c4f

SHA512
6020233916721eb225559162142404d92e3d9e2b597d4400d576307e6ec2a289075ef073c1d5a0ccbee02e5e8864d7545223dd59bd86c774def53fb193815f50

Download Submit