2ff5227dbb41b6318e1d65183d6ff1dc7d9d211742b3d7880935862cc7771f54

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2023, 17:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fdd508df1863baexeexeexeex.exe
Size

168KB
MD5

fdd508df1863bab6e6a0b82451beed95
SHA1

d3772509a39428145aabc8d04541c6f43e391031
SHA256

2ff5227dbb41b6318e1d65183d6ff1dc7d9d211742b3d7880935862cc7771f54
SHA512

cb1dc7c34873d1c864dfa23ff3e7e92cc6ea58a0aabd48b85f7653ed9bb259efe6ba4820cc0b8075aed048af557d0074087b44bcee911b97c0142ce462d59a75
SSDEEP

1536:1EGh0oDlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oDlqOPOe2MUVg3Ve+rX

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}\stubpath = "C:\\Windows\\{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe"	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9838288A-4B88-4287-AFDE-239A60217456}\stubpath = "C:\\Windows\\{9838288A-4B88-4287-AFDE-239A60217456}.exe"	{C176278A-4810-4604-A7B6-9BF008C71140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9CC15DF-4AE9-4750-8262-8AF665B394E2}	{9838288A-4B88-4287-AFDE-239A60217456}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C82EAFF8-F698-428d-8EDC-692456110A58}\stubpath = "C:\\Windows\\{C82EAFF8-F698-428d-8EDC-692456110A58}.exe"	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}\stubpath = "C:\\Windows\\{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe"	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C176278A-4810-4604-A7B6-9BF008C71140}	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{905E53BE-4A8A-46d8-9FC7-8A7C4E8392F5}	{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}	fdd508df1863baexeexeexeex.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}\stubpath = "C:\\Windows\\{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe"	fdd508df1863baexeexeexeex.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{665A182E-71F2-477d-96A7-42D730BA6825}	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A218111-CE80-47ee-BA0C-4DAACC96D682}\stubpath = "C:\\Windows\\{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe"	{665A182E-71F2-477d-96A7-42D730BA6825}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C176278A-4810-4604-A7B6-9BF008C71140}\stubpath = "C:\\Windows\\{C176278A-4810-4604-A7B6-9BF008C71140}.exe"	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9838288A-4B88-4287-AFDE-239A60217456}	{C176278A-4810-4604-A7B6-9BF008C71140}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{905E53BE-4A8A-46d8-9FC7-8A7C4E8392F5}\stubpath = "C:\\Windows\\{905E53BE-4A8A-46d8-9FC7-8A7C4E8392F5}.exe"	{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{665A182E-71F2-477d-96A7-42D730BA6825}\stubpath = "C:\\Windows\\{665A182E-71F2-477d-96A7-42D730BA6825}.exe"	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A218111-CE80-47ee-BA0C-4DAACC96D682}	{665A182E-71F2-477d-96A7-42D730BA6825}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}\stubpath = "C:\\Windows\\{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe"	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}\stubpath = "C:\\Windows\\{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe"	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C82EAFF8-F698-428d-8EDC-692456110A58}	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D9CC15DF-4AE9-4750-8262-8AF665B394E2}\stubpath = "C:\\Windows\\{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe"	{9838288A-4B88-4287-AFDE-239A60217456}.exe

Executes dropped EXE 12 IoCs

pid	Process
3580	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe
772	{665A182E-71F2-477d-96A7-42D730BA6825}.exe
4624	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe
3984	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe
4060	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe
3272	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe
4132	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe
568	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe
1992	{C176278A-4810-4604-A7B6-9BF008C71140}.exe
2924	{9838288A-4B88-4287-AFDE-239A60217456}.exe
3204	{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe
3312	{905E53BE-4A8A-46d8-9FC7-8A7C4E8392F5}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe	fdd508df1863baexeexeexeex.exe
File created	C:\Windows\{665A182E-71F2-477d-96A7-42D730BA6825}.exe	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe
File created	C:\Windows\{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe
File created	C:\Windows\{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe
File created	C:\Windows\{C176278A-4810-4604-A7B6-9BF008C71140}.exe	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe
File created	C:\Windows\{9838288A-4B88-4287-AFDE-239A60217456}.exe	{C176278A-4810-4604-A7B6-9BF008C71140}.exe
File created	C:\Windows\{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe	{9838288A-4B88-4287-AFDE-239A60217456}.exe
File created	C:\Windows\{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe	{665A182E-71F2-477d-96A7-42D730BA6825}.exe
File created	C:\Windows\{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe
File created	C:\Windows\{C82EAFF8-F698-428d-8EDC-692456110A58}.exe	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe
File created	C:\Windows\{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe
File created	C:\Windows\{905E53BE-4A8A-46d8-9FC7-8A7C4E8392F5}.exe	{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1020	fdd508df1863baexeexeexeex.exe
Token: SeIncBasePriorityPrivilege	3580	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe
Token: SeIncBasePriorityPrivilege	772	{665A182E-71F2-477d-96A7-42D730BA6825}.exe
Token: SeIncBasePriorityPrivilege	4624	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe
Token: SeIncBasePriorityPrivilege	3984	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe
Token: SeIncBasePriorityPrivilege	4060	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe
Token: SeIncBasePriorityPrivilege	3272	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe
Token: SeIncBasePriorityPrivilege	4132	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe
Token: SeIncBasePriorityPrivilege	568	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe
Token: SeIncBasePriorityPrivilege	1992	{C176278A-4810-4604-A7B6-9BF008C71140}.exe
Token: SeIncBasePriorityPrivilege	2924	{9838288A-4B88-4287-AFDE-239A60217456}.exe
Token: SeIncBasePriorityPrivilege	3204	{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 3580	1020	fdd508df1863baexeexeexeex.exe	96
PID 1020 wrote to memory of 3580	1020	fdd508df1863baexeexeexeex.exe	96
PID 1020 wrote to memory of 3580	1020	fdd508df1863baexeexeexeex.exe	96
PID 1020 wrote to memory of 4548	1020	fdd508df1863baexeexeexeex.exe	97
PID 1020 wrote to memory of 4548	1020	fdd508df1863baexeexeexeex.exe	97
PID 1020 wrote to memory of 4548	1020	fdd508df1863baexeexeexeex.exe	97
PID 3580 wrote to memory of 772	3580	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe	100
PID 3580 wrote to memory of 772	3580	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe	100
PID 3580 wrote to memory of 772	3580	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe	100
PID 3580 wrote to memory of 2392	3580	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe	101
PID 3580 wrote to memory of 2392	3580	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe	101
PID 3580 wrote to memory of 2392	3580	{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe	101
PID 772 wrote to memory of 4624	772	{665A182E-71F2-477d-96A7-42D730BA6825}.exe	104
PID 772 wrote to memory of 4624	772	{665A182E-71F2-477d-96A7-42D730BA6825}.exe	104
PID 772 wrote to memory of 4624	772	{665A182E-71F2-477d-96A7-42D730BA6825}.exe	104
PID 772 wrote to memory of 4224	772	{665A182E-71F2-477d-96A7-42D730BA6825}.exe	103
PID 772 wrote to memory of 4224	772	{665A182E-71F2-477d-96A7-42D730BA6825}.exe	103
PID 772 wrote to memory of 4224	772	{665A182E-71F2-477d-96A7-42D730BA6825}.exe	103
PID 4624 wrote to memory of 3984	4624	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe	105
PID 4624 wrote to memory of 3984	4624	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe	105
PID 4624 wrote to memory of 3984	4624	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe	105
PID 4624 wrote to memory of 2996	4624	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe	106
PID 4624 wrote to memory of 2996	4624	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe	106
PID 4624 wrote to memory of 2996	4624	{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe	106
PID 3984 wrote to memory of 4060	3984	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe	107
PID 3984 wrote to memory of 4060	3984	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe	107
PID 3984 wrote to memory of 4060	3984	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe	107
PID 3984 wrote to memory of 1916	3984	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe	108
PID 3984 wrote to memory of 1916	3984	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe	108
PID 3984 wrote to memory of 1916	3984	{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe	108
PID 4060 wrote to memory of 3272	4060	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe	109
PID 4060 wrote to memory of 3272	4060	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe	109
PID 4060 wrote to memory of 3272	4060	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe	109
PID 4060 wrote to memory of 3704	4060	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe	110
PID 4060 wrote to memory of 3704	4060	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe	110
PID 4060 wrote to memory of 3704	4060	{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe	110
PID 3272 wrote to memory of 4132	3272	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe	111
PID 3272 wrote to memory of 4132	3272	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe	111
PID 3272 wrote to memory of 4132	3272	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe	111
PID 3272 wrote to memory of 4264	3272	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe	112
PID 3272 wrote to memory of 4264	3272	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe	112
PID 3272 wrote to memory of 4264	3272	{C82EAFF8-F698-428d-8EDC-692456110A58}.exe	112
PID 4132 wrote to memory of 568	4132	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe	113
PID 4132 wrote to memory of 568	4132	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe	113
PID 4132 wrote to memory of 568	4132	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe	113
PID 4132 wrote to memory of 1524	4132	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe	114
PID 4132 wrote to memory of 1524	4132	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe	114
PID 4132 wrote to memory of 1524	4132	{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe	114
PID 568 wrote to memory of 1992	568	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe	115
PID 568 wrote to memory of 1992	568	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe	115
PID 568 wrote to memory of 1992	568	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe	115
PID 568 wrote to memory of 4804	568	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe	116
PID 568 wrote to memory of 4804	568	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe	116
PID 568 wrote to memory of 4804	568	{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe	116
PID 1992 wrote to memory of 2924	1992	{C176278A-4810-4604-A7B6-9BF008C71140}.exe	117
PID 1992 wrote to memory of 2924	1992	{C176278A-4810-4604-A7B6-9BF008C71140}.exe	117
PID 1992 wrote to memory of 2924	1992	{C176278A-4810-4604-A7B6-9BF008C71140}.exe	117
PID 1992 wrote to memory of 2652	1992	{C176278A-4810-4604-A7B6-9BF008C71140}.exe	118
PID 1992 wrote to memory of 2652	1992	{C176278A-4810-4604-A7B6-9BF008C71140}.exe	118
PID 1992 wrote to memory of 2652	1992	{C176278A-4810-4604-A7B6-9BF008C71140}.exe	118
PID 2924 wrote to memory of 3204	2924	{9838288A-4B88-4287-AFDE-239A60217456}.exe	119
PID 2924 wrote to memory of 3204	2924	{9838288A-4B88-4287-AFDE-239A60217456}.exe	119
PID 2924 wrote to memory of 3204	2924	{9838288A-4B88-4287-AFDE-239A60217456}.exe	119
PID 2924 wrote to memory of 2168	2924	{9838288A-4B88-4287-AFDE-239A60217456}.exe	120

C:\Users\Admin\AppData\Local\Temp\fdd508df1863baexeexeexeex.exe
"C:\Users\Admin\AppData\Local\Temp\fdd508df1863baexeexeexeex.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe
  C:\Windows\{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3580
- - C:\Windows\{665A182E-71F2-477d-96A7-42D730BA6825}.exe
    C:\Windows\{665A182E-71F2-477d-96A7-42D730BA6825}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{665A1~1.EXE > nul
      4⤵
      PID:4224
  - - C:\Windows\{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe
      C:\Windows\{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4624
    - - C:\Windows\{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe
        
        C:\Windows\{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3984
      - C:\Windows\{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe
        
        C:\Windows\{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\{C82EAFF8-F698-428d-8EDC-692456110A58}.exe
        
        C:\Windows\{C82EAFF8-F698-428d-8EDC-692456110A58}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe
        
        C:\Windows\{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe
        
        C:\Windows\{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:568
        
        C:\Windows\{C176278A-4810-4604-A7B6-9BF008C71140}.exe
        
        C:\Windows\{C176278A-4810-4604-A7B6-9BF008C71140}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Windows\{9838288A-4B88-4287-AFDE-239A60217456}.exe
        
        C:\Windows\{9838288A-4B88-4287-AFDE-239A60217456}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2924
        
        C:\Windows\{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe
        
        C:\Windows\{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
        
        C:\Windows\{905E53BE-4A8A-46d8-9FC7-8A7C4E8392F5}.exe
        
        C:\Windows\{905E53BE-4A8A-46d8-9FC7-8A7C4E8392F5}.exe
        13⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D9CC1~1.EXE > nul
        13⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98382~1.EXE > nul
        12⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C1762~1.EXE > nul
        11⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B76F~1.EXE > nul
        10⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{824DA~1.EXE > nul
        9⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C82EA~1.EXE > nul
        8⤵
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FCFE~1.EXE > nul
        7⤵
        
        PID:3704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FA98F~1.EXE > nul
        6⤵
        
        PID:1916
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A218~1.EXE > nul
        5⤵
        
        PID:2996
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DB43A~1.EXE > nul
    3⤵
    PID:2392
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FDD508~1.EXE > nul
  2⤵
  PID:4548

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe

Filesize
168KB

MD5
571bb3827eba599a78f0b8ddde6cfb04

SHA1
c0c3fdd3eb56df02cfd8947e8784e03e7056bc77

SHA256
69ec8dc79c18ed559f53d4c4cbc19ba7e5be8d52ef694438f614e116def9b26c

SHA512
c9911f38cdc140b07d882cc82fb6cbbf47a32560bfec7dbcc0ab1c8c7efd43d1cdda1d778654d63bda06706b77cb4e9dab7cb635f70f4fed1236fc77f12207cb

Download Submit
C:\Windows\{0FCFE3F2-1640-4a7a-B9B9-3370C4C920BE}.exe

Filesize
168KB

MD5
571bb3827eba599a78f0b8ddde6cfb04

SHA1
c0c3fdd3eb56df02cfd8947e8784e03e7056bc77

SHA256
69ec8dc79c18ed559f53d4c4cbc19ba7e5be8d52ef694438f614e116def9b26c

SHA512
c9911f38cdc140b07d882cc82fb6cbbf47a32560bfec7dbcc0ab1c8c7efd43d1cdda1d778654d63bda06706b77cb4e9dab7cb635f70f4fed1236fc77f12207cb

Download Submit
C:\Windows\{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe

Filesize
168KB

MD5
9db17df565c726981b86a30a9d2ea6c1

SHA1
52b0362abfecb92eae0ed8263282229b526922b8

SHA256
5e13c1f8771d9f8e9380b01d4e6ead0a165c34fd776a2833ce8f388f2acb6661

SHA512
692050fbfbeb8ce5d3f11d79c6792ab5b16928c7b75bee1f03821bf971ff45f5167752b338da3298ef65b7eb815405aa8a042a6d232dde819399b9b7c2644c77

Download Submit
C:\Windows\{1B76F0D7-38F0-46d4-A1F8-7BE0EFC246D5}.exe

Filesize
168KB

MD5
9db17df565c726981b86a30a9d2ea6c1

SHA1
52b0362abfecb92eae0ed8263282229b526922b8

SHA256
5e13c1f8771d9f8e9380b01d4e6ead0a165c34fd776a2833ce8f388f2acb6661

SHA512
692050fbfbeb8ce5d3f11d79c6792ab5b16928c7b75bee1f03821bf971ff45f5167752b338da3298ef65b7eb815405aa8a042a6d232dde819399b9b7c2644c77

Download Submit
C:\Windows\{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe

Filesize
168KB

MD5
0e0040d90e0718757011f4404a6f04cb

SHA1
a4059e3626723b1d9550e388bb19cd9cfbd7e579

SHA256
3b33816493e0698aa299b215636e1171ca0958d3be2f0f16084921a23cc3e2fa

SHA512
92634cdc35a60ad980f6fd20a44202b941eae5c2cb87b2b678f955bf39396907d07206f01e8af29ee6aa05727a78c3ba0dbd131858a8e203ae5a7ef587360ee2

Download Submit
C:\Windows\{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe

Filesize
168KB

MD5
0e0040d90e0718757011f4404a6f04cb

SHA1
a4059e3626723b1d9550e388bb19cd9cfbd7e579

SHA256
3b33816493e0698aa299b215636e1171ca0958d3be2f0f16084921a23cc3e2fa

SHA512
92634cdc35a60ad980f6fd20a44202b941eae5c2cb87b2b678f955bf39396907d07206f01e8af29ee6aa05727a78c3ba0dbd131858a8e203ae5a7ef587360ee2

Download Submit
C:\Windows\{4A218111-CE80-47ee-BA0C-4DAACC96D682}.exe

Filesize
168KB

MD5
0e0040d90e0718757011f4404a6f04cb

SHA1
a4059e3626723b1d9550e388bb19cd9cfbd7e579

SHA256
3b33816493e0698aa299b215636e1171ca0958d3be2f0f16084921a23cc3e2fa

SHA512
92634cdc35a60ad980f6fd20a44202b941eae5c2cb87b2b678f955bf39396907d07206f01e8af29ee6aa05727a78c3ba0dbd131858a8e203ae5a7ef587360ee2

Download Submit
C:\Windows\{665A182E-71F2-477d-96A7-42D730BA6825}.exe

Filesize
168KB

MD5
cbd1e92c51ee579baf1eb4730fad6baf

SHA1
ecc69271fe04b22afb9831e7aa1e6d38d5ebe31a

SHA256
f86843a36265584db7359c479c4714d1fd667ba9de31e80149b359e79d62029f

SHA512
3e4500e29e4ad7ee08aeb33437bb9daa40f63a79c85ec8afcd9f54e9dac1f50407555869a853a400b463bf1bcddba05e0fa52f8fd1fa526c2d6d9646877b2673

Download Submit
C:\Windows\{665A182E-71F2-477d-96A7-42D730BA6825}.exe

Filesize
168KB

MD5
cbd1e92c51ee579baf1eb4730fad6baf

SHA1
ecc69271fe04b22afb9831e7aa1e6d38d5ebe31a

SHA256
f86843a36265584db7359c479c4714d1fd667ba9de31e80149b359e79d62029f

SHA512
3e4500e29e4ad7ee08aeb33437bb9daa40f63a79c85ec8afcd9f54e9dac1f50407555869a853a400b463bf1bcddba05e0fa52f8fd1fa526c2d6d9646877b2673

Download Submit
C:\Windows\{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe

Filesize
168KB

MD5
f6599fc586f8dc54c4c87ca8f69c7fe3

SHA1
10f9437697e75075f943043e9f94c95033216a95

SHA256
3d53eef64be5379d500d03aa3f802f4a38a498415fd8151e4d2f214d547400c9

SHA512
a263fa1403fd88222c4ddcc7e3c88d7b3f09f9474b5313026f66776757ba384c14f485db0e92059b4011c40ae55dac141ec89bdbd028e50ed8f1c539d86856ba

Download Submit
C:\Windows\{824DAED2-F0C6-4d6b-A6A9-6EE4BBE0C736}.exe

Filesize
168KB

MD5
f6599fc586f8dc54c4c87ca8f69c7fe3

SHA1
10f9437697e75075f943043e9f94c95033216a95

SHA256
3d53eef64be5379d500d03aa3f802f4a38a498415fd8151e4d2f214d547400c9

SHA512
a263fa1403fd88222c4ddcc7e3c88d7b3f09f9474b5313026f66776757ba384c14f485db0e92059b4011c40ae55dac141ec89bdbd028e50ed8f1c539d86856ba

Download Submit
C:\Windows\{905E53BE-4A8A-46d8-9FC7-8A7C4E8392F5}.exe

Filesize
168KB

MD5
2686beed3d877bb55d34df91efff54eb

SHA1
718fae25a9bb0a29b257641ae7a9d04c1fdc7ef5

SHA256
76ca2e535810968e01289d51c704e4fe2a8cb2298b10d060b75601b72cbdc31b

SHA512
85837da28a585b0ccceeabbe40439793b4a23d7bfdb138667e80c124664144bc4a4e55590b243c6c45e79494bfa294c7ec4f53851af4a3c45c2e0a582296db85

Download Submit
C:\Windows\{905E53BE-4A8A-46d8-9FC7-8A7C4E8392F5}.exe

Filesize
168KB

MD5
2686beed3d877bb55d34df91efff54eb

SHA1
718fae25a9bb0a29b257641ae7a9d04c1fdc7ef5

SHA256
76ca2e535810968e01289d51c704e4fe2a8cb2298b10d060b75601b72cbdc31b

SHA512
85837da28a585b0ccceeabbe40439793b4a23d7bfdb138667e80c124664144bc4a4e55590b243c6c45e79494bfa294c7ec4f53851af4a3c45c2e0a582296db85

Download Submit
C:\Windows\{9838288A-4B88-4287-AFDE-239A60217456}.exe

Filesize
168KB

MD5
520c79d8c6f59f83e51acf97590a9305

SHA1
45ac84e62579f9cb8b2ba4106aa17be04992ec0d

SHA256
f389060c58aead6d50758e79acb3668ae58f19a2b759f729586c59d7d44c1c5f

SHA512
d3459603b1973a5ab0db78186a4706fce8509872dadbc20f6ba30a6341ce1c16e9e7f322a6b848dddebbd58ca9870ed0568afa1215d35d97dcc912765dd1ecbe

Download Submit
C:\Windows\{9838288A-4B88-4287-AFDE-239A60217456}.exe

Filesize
168KB

MD5
520c79d8c6f59f83e51acf97590a9305

SHA1
45ac84e62579f9cb8b2ba4106aa17be04992ec0d

SHA256
f389060c58aead6d50758e79acb3668ae58f19a2b759f729586c59d7d44c1c5f

SHA512
d3459603b1973a5ab0db78186a4706fce8509872dadbc20f6ba30a6341ce1c16e9e7f322a6b848dddebbd58ca9870ed0568afa1215d35d97dcc912765dd1ecbe

Download Submit
C:\Windows\{C176278A-4810-4604-A7B6-9BF008C71140}.exe

Filesize
168KB

MD5
aae2673786ea3081ed895ed5576f972a

SHA1
fffe01c5b28c67c06d9f5fcce16343c05e228fb4

SHA256
96b92d90c6892443db5b753a812a51a484db29f1b8771875a71e03b86f95cc98

SHA512
395fa9e8ce404cdce0b98d9e0e898cb6310687d59e6c1f93f689763a8209239f8ed1c960a972c6070b7879e2c82194696b41b103d60a915a22e91f0f176328ae

Download Submit
C:\Windows\{C176278A-4810-4604-A7B6-9BF008C71140}.exe

Filesize
168KB

MD5
aae2673786ea3081ed895ed5576f972a

SHA1
fffe01c5b28c67c06d9f5fcce16343c05e228fb4

SHA256
96b92d90c6892443db5b753a812a51a484db29f1b8771875a71e03b86f95cc98

SHA512
395fa9e8ce404cdce0b98d9e0e898cb6310687d59e6c1f93f689763a8209239f8ed1c960a972c6070b7879e2c82194696b41b103d60a915a22e91f0f176328ae

Download Submit
C:\Windows\{C82EAFF8-F698-428d-8EDC-692456110A58}.exe

Filesize
168KB

MD5
606fac1116f9ac9946556b5d11c82c1e

SHA1
c2609e0988c3975c6f2c958397955deeb5489043

SHA256
a800c64d2437c42b8b911313e9a21a9166affac61c16a697e29b8a3c2ca99e57

SHA512
d5097aeb7c661a1d21417d2deb39d8a43c7052206134129bbb5466a29e1147fabc7faf70fda0591d1902da0578fdd4d953ca07e81c1fc428aa0ee29bea1f7fcb

Download Submit
C:\Windows\{C82EAFF8-F698-428d-8EDC-692456110A58}.exe

Filesize
168KB

MD5
606fac1116f9ac9946556b5d11c82c1e

SHA1
c2609e0988c3975c6f2c958397955deeb5489043

SHA256
a800c64d2437c42b8b911313e9a21a9166affac61c16a697e29b8a3c2ca99e57

SHA512
d5097aeb7c661a1d21417d2deb39d8a43c7052206134129bbb5466a29e1147fabc7faf70fda0591d1902da0578fdd4d953ca07e81c1fc428aa0ee29bea1f7fcb

Download Submit
C:\Windows\{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe

Filesize
168KB

MD5
da5a4dfdafd5bbb33e67bde1397ebf4e

SHA1
a62520f2798d83d62bc147d807ff7d1de7b4458b

SHA256
6dfec5e7868c471c3b50f293d3106160075f57a48e77b4a83f65714c45a5fa8a

SHA512
5a494fa198f639141904bbf7466d546cce665de0df065132a85838cae94b753afd9ba730d1108f2cd3f10de767067ad7545d262aa7435a39cd1dcdd9addc19dc

Download Submit
C:\Windows\{D9CC15DF-4AE9-4750-8262-8AF665B394E2}.exe

Filesize
168KB

MD5
da5a4dfdafd5bbb33e67bde1397ebf4e

SHA1
a62520f2798d83d62bc147d807ff7d1de7b4458b

SHA256
6dfec5e7868c471c3b50f293d3106160075f57a48e77b4a83f65714c45a5fa8a

SHA512
5a494fa198f639141904bbf7466d546cce665de0df065132a85838cae94b753afd9ba730d1108f2cd3f10de767067ad7545d262aa7435a39cd1dcdd9addc19dc

Download Submit
C:\Windows\{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe

Filesize
168KB

MD5
982b58ccce29a453fbfffd70e4c62495

SHA1
16b66ae4439a72fa114f2fd9f12ed9e179864a80

SHA256
a7cfc1fcca0c9fe6489b44810eb3c9e4254cdbd4675994214c05f33ecc63e14d

SHA512
513f77d499aae494bb0fe26bd031b99295692ef41ab1f1c40b89dd6c904b6cdb92dcd62c105c61bc3591a50d54607b9883a940929dac788af37f6267c0e07ecd

Download Submit
C:\Windows\{DB43AA94-EFA5-4a5d-9A7B-54B6764C2778}.exe

Filesize
168KB

MD5
982b58ccce29a453fbfffd70e4c62495

SHA1
16b66ae4439a72fa114f2fd9f12ed9e179864a80

SHA256
a7cfc1fcca0c9fe6489b44810eb3c9e4254cdbd4675994214c05f33ecc63e14d

SHA512
513f77d499aae494bb0fe26bd031b99295692ef41ab1f1c40b89dd6c904b6cdb92dcd62c105c61bc3591a50d54607b9883a940929dac788af37f6267c0e07ecd

Download Submit
C:\Windows\{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe

Filesize
168KB

MD5
4546520c49a2a5d45146bbff38cf1f77

SHA1
23f27e45505c6fc4c51c88fa459a5ccccd3e7f68

SHA256
1cc03b7a13e8553ff6b1bc4b1a8bb85910b6d689e551b1a2cf9e4ccbcf28f67a

SHA512
513348098db77759ef7dc1f1c63ef50621be1d129a710cdd2f0c39bb3960c0a0a258882bd3f5865d6cb3e631a8260a8a70d1c01d20dbe81a7c88e770f1060106

Download Submit
C:\Windows\{FA98F80A-9AB9-476b-A84F-0C9EEFEB214E}.exe

Filesize
168KB

MD5
4546520c49a2a5d45146bbff38cf1f77

SHA1
23f27e45505c6fc4c51c88fa459a5ccccd3e7f68

SHA256
1cc03b7a13e8553ff6b1bc4b1a8bb85910b6d689e551b1a2cf9e4ccbcf28f67a

SHA512
513348098db77759ef7dc1f1c63ef50621be1d129a710cdd2f0c39bb3960c0a0a258882bd3f5865d6cb3e631a8260a8a70d1c01d20dbe81a7c88e770f1060106

Download Submit