07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
Size

64KB
MD5

02985d25bd794c2b97a604b3607ede70
SHA1

87e91e18cea9c9edd41c5aca1664902d4ff11e0d
SHA256

07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a
SHA512

b7dcefc5693ed1b0701a8ca6e9ccc9d0769f17c12b464aa878fd00fc2802eef0a8905cf9a62bd4e4fa74fc7dff72714ece386d25865ff36d295f198e819dcee3
SSDEEP

768:Ovw9816ihKQLroCL4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdu:6EGU0oCLlwWMZQcpmgDagIyS1loL7Wru

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe{9B810378-5371-45c4-BA26-B98CEF850179}.exe{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C533980F-8C8B-42a9-9B9B-294E3F61BC09}	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD24CC04-DE87-4778-B89B-2B77DEBDC874}	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EE59D33-427F-46af-83CB-7621D1A49B9A}\stubpath = "C:\\Windows\\{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe"	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B810378-5371-45c4-BA26-B98CEF850179}	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6C203D1-EB0B-4430-9523-32F7044A4285}\stubpath = "C:\\Windows\\{D6C203D1-EB0B-4430-9523-32F7044A4285}.exe"	{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F0AD31F-3021-4a1c-8E65-FDC861715C94}	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}\stubpath = "C:\\Windows\\{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe"	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C533980F-8C8B-42a9-9B9B-294E3F61BC09}\stubpath = "C:\\Windows\\{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe"	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74B8A384-10E9-40b9-815F-6787BBA9DF77}\stubpath = "C:\\Windows\\{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe"	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4B0464-5AF6-4eac-93D4-489217FE96D6}	{9B810378-5371-45c4-BA26-B98CEF850179}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8442DA82-03C2-421a-A945-5A730ACC1B8B}	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8442DA82-03C2-421a-A945-5A730ACC1B8B}\stubpath = "C:\\Windows\\{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe"	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BA861B0-CED8-4f49-B057-5197B7E84079}	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BA861B0-CED8-4f49-B057-5197B7E84079}\stubpath = "C:\\Windows\\{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe"	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD24CC04-DE87-4778-B89B-2B77DEBDC874}\stubpath = "C:\\Windows\\{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe"	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EE59D33-427F-46af-83CB-7621D1A49B9A}	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6C203D1-EB0B-4430-9523-32F7044A4285}	{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}\stubpath = "C:\\Windows\\{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe"	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74B8A384-10E9-40b9-815F-6787BBA9DF77}	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B810378-5371-45c4-BA26-B98CEF850179}\stubpath = "C:\\Windows\\{9B810378-5371-45c4-BA26-B98CEF850179}.exe"	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4B0464-5AF6-4eac-93D4-489217FE96D6}\stubpath = "C:\\Windows\\{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe"	{9B810378-5371-45c4-BA26-B98CEF850179}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F0AD31F-3021-4a1c-8E65-FDC861715C94}\stubpath = "C:\\Windows\\{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe"	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe

Executes dropped EXE 12 IoCs

Processes:

{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe{9B810378-5371-45c4-BA26-B98CEF850179}.exe{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe{D6C203D1-EB0B-4430-9523-32F7044A4285}.exe

pid	process
2452	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
3336	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
1484	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
3736	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
1832	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
3484	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
2244	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
3772	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe
4256	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
968	{9B810378-5371-45c4-BA26-B98CEF850179}.exe
3368	{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe
948	{D6C203D1-EB0B-4430-9523-32F7044A4285}.exe

Drops file in Windows directory 12 IoCs

Processes:

{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe{9B810378-5371-45c4-BA26-B98CEF850179}.exe{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe

description	ioc	process
File created	C:\Windows\{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
File created	C:\Windows\{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
File created	C:\Windows\{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
File created	C:\Windows\{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
File created	C:\Windows\{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
File created	C:\Windows\{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
File created	C:\Windows\{9B810378-5371-45c4-BA26-B98CEF850179}.exe	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
File created	C:\Windows\{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe	{9B810378-5371-45c4-BA26-B98CEF850179}.exe
File created	C:\Windows\{D6C203D1-EB0B-4430-9523-32F7044A4285}.exe	{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe
File created	C:\Windows\{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
File created	C:\Windows\{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
File created	C:\Windows\{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe{9B810378-5371-45c4-BA26-B98CEF850179}.exe{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1884	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
Token: SeIncBasePriorityPrivilege	2452	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
Token: SeIncBasePriorityPrivilege	3336	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
Token: SeIncBasePriorityPrivilege	1484	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
Token: SeIncBasePriorityPrivilege	3736	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
Token: SeIncBasePriorityPrivilege	1832	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
Token: SeIncBasePriorityPrivilege	3484	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
Token: SeIncBasePriorityPrivilege	2244	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
Token: SeIncBasePriorityPrivilege	3772	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe
Token: SeIncBasePriorityPrivilege	4256	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
Token: SeIncBasePriorityPrivilege	968	{9B810378-5371-45c4-BA26-B98CEF850179}.exe
Token: SeIncBasePriorityPrivilege	3368	{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1884 wrote to memory of 2452	1884	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
PID 1884 wrote to memory of 2452	1884	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
PID 1884 wrote to memory of 2452	1884	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
PID 1884 wrote to memory of 3256	1884	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	cmd.exe
PID 1884 wrote to memory of 3256	1884	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	cmd.exe
PID 1884 wrote to memory of 3256	1884	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	cmd.exe
PID 2452 wrote to memory of 3336	2452	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
PID 2452 wrote to memory of 3336	2452	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
PID 2452 wrote to memory of 3336	2452	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
PID 2452 wrote to memory of 2124	2452	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe	cmd.exe
PID 2452 wrote to memory of 2124	2452	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe	cmd.exe
PID 2452 wrote to memory of 2124	2452	{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe	cmd.exe
PID 3336 wrote to memory of 1484	3336	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
PID 3336 wrote to memory of 1484	3336	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
PID 3336 wrote to memory of 1484	3336	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
PID 3336 wrote to memory of 2832	3336	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe	cmd.exe
PID 3336 wrote to memory of 2832	3336	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe	cmd.exe
PID 3336 wrote to memory of 2832	3336	{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe	cmd.exe
PID 1484 wrote to memory of 3736	1484	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
PID 1484 wrote to memory of 3736	1484	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
PID 1484 wrote to memory of 3736	1484	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
PID 1484 wrote to memory of 3436	1484	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe	cmd.exe
PID 1484 wrote to memory of 3436	1484	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe	cmd.exe
PID 1484 wrote to memory of 3436	1484	{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe	cmd.exe
PID 3736 wrote to memory of 1832	3736	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
PID 3736 wrote to memory of 1832	3736	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
PID 3736 wrote to memory of 1832	3736	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
PID 3736 wrote to memory of 2340	3736	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe	cmd.exe
PID 3736 wrote to memory of 2340	3736	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe	cmd.exe
PID 3736 wrote to memory of 2340	3736	{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe	cmd.exe
PID 1832 wrote to memory of 3484	1832	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
PID 1832 wrote to memory of 3484	1832	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
PID 1832 wrote to memory of 3484	1832	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
PID 1832 wrote to memory of 3372	1832	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe	cmd.exe
PID 1832 wrote to memory of 3372	1832	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe	cmd.exe
PID 1832 wrote to memory of 3372	1832	{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe	cmd.exe
PID 3484 wrote to memory of 2244	3484	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
PID 3484 wrote to memory of 2244	3484	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
PID 3484 wrote to memory of 2244	3484	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
PID 3484 wrote to memory of 388	3484	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe	cmd.exe
PID 3484 wrote to memory of 388	3484	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe	cmd.exe
PID 3484 wrote to memory of 388	3484	{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe	cmd.exe
PID 2244 wrote to memory of 3772	2244	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe
PID 2244 wrote to memory of 3772	2244	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe
PID 2244 wrote to memory of 3772	2244	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe
PID 2244 wrote to memory of 4376	2244	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe	cmd.exe
PID 2244 wrote to memory of 4376	2244	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe	cmd.exe
PID 2244 wrote to memory of 4376	2244	{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe	cmd.exe
PID 3772 wrote to memory of 4256	3772	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
PID 3772 wrote to memory of 4256	3772	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
PID 3772 wrote to memory of 4256	3772	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
PID 3772 wrote to memory of 3608	3772	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe	cmd.exe
PID 3772 wrote to memory of 3608	3772	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe	cmd.exe
PID 3772 wrote to memory of 3608	3772	{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe	cmd.exe
PID 4256 wrote to memory of 968	4256	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe	{9B810378-5371-45c4-BA26-B98CEF850179}.exe
PID 4256 wrote to memory of 968	4256	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe	{9B810378-5371-45c4-BA26-B98CEF850179}.exe
PID 4256 wrote to memory of 968	4256	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe	{9B810378-5371-45c4-BA26-B98CEF850179}.exe
PID 4256 wrote to memory of 4900	4256	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe	cmd.exe
PID 4256 wrote to memory of 4900	4256	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe	cmd.exe
PID 4256 wrote to memory of 4900	4256	{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe	cmd.exe
PID 968 wrote to memory of 3368	968	{9B810378-5371-45c4-BA26-B98CEF850179}.exe	{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe
PID 968 wrote to memory of 3368	968	{9B810378-5371-45c4-BA26-B98CEF850179}.exe	{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe
PID 968 wrote to memory of 3368	968	{9B810378-5371-45c4-BA26-B98CEF850179}.exe	{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe
PID 968 wrote to memory of 1208	968	{9B810378-5371-45c4-BA26-B98CEF850179}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
"C:\Users\Admin\AppData\Local\Temp\07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1884

C:\Windows\{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
C:\Windows\{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452

C:\Windows\{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
C:\Windows\{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336

C:\Windows\{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
C:\Windows\{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484

C:\Windows\{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
C:\Windows\{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3736

C:\Windows\{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
C:\Windows\{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Windows\{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
C:\Windows\{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3484

C:\Windows\{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
C:\Windows\{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe
C:\Windows\{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772

C:\Windows\{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
C:\Windows\{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\{9B810378-5371-45c4-BA26-B98CEF850179}.exe
C:\Windows\{9B810378-5371-45c4-BA26-B98CEF850179}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe
C:\Windows\{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\{D6C203D1-EB0B-4430-9523-32F7044A4285}.exe
C:\Windows\{D6C203D1-EB0B-4430-9523-32F7044A4285}.exe
13⤵
- Executes dropped EXE
PID:948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EE4B0~1.EXE > nul
13⤵
PID:4476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9B810~1.EXE > nul
12⤵
PID:1208

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{74B8A~1.EXE > nul
11⤵
PID:4900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6EE59~1.EXE > nul
10⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FD24C~1.EXE > nul
9⤵
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1BA86~1.EXE > nul
8⤵
PID:388

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C5339~1.EXE > nul
7⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C1A07~1.EXE > nul
6⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8442D~1.EXE > nul
5⤵
PID:3436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C05AD~1.EXE > nul
4⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7F0AD~1.EXE > nul
3⤵
PID:2124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\07480C~1.EXE > nul
2⤵
PID:3256

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1BA861B0-CED8-4f49-B057-5197B7E84079}.exe
Filesize
64KB

MD5
73decb4543d5d51086e1c7b1cf928c21

SHA1
36e9b23ecee019ae540883fb2c90f28f944d39e0

SHA256
f73f3445ea7e8c283c12ea9bc8ef2a0920e3ceeb57494fa506b1e12473297919

SHA512
d58e8ad17d44d4a9c7a5b92fa0673ed74ea744c7c300e68f5dfe8770e85be241043f6a59ace2ca7e5b1f6ad404240df6ced82f0141bb806c4b2bc76d0e618314

Download Submit
C:\Windows\{6EE59D33-427F-46af-83CB-7621D1A49B9A}.exe
Filesize
64KB

MD5
70cae864258ce422ef5ea1a03c60220d

SHA1
0f950b431fafaf92c6d46ce436cc435439bea226

SHA256
b7ca6ce51a30a41a80825e30cde73b39261b44fd04ff26ec97944f85c06caf26

SHA512
97970a9c2f92dc8316a5267db2279381bfcfbb5a1858c2961dd0ef75aeb886d60cc76fdcadcc48bb2bd97b0b07f36d80a20b5d3927f587b3b10ccc4ea6e2a6f1

Download Submit
C:\Windows\{74B8A384-10E9-40b9-815F-6787BBA9DF77}.exe
Filesize
64KB

MD5
b02cbf08f9a150e1509002a5992883ef

SHA1
170cf0ae277dcb0a820c84fe30e04dfb005a46af

SHA256
d4dae4d67095cb9849da6d365dbd191e249323f16a2c022cd30f78f1a969e036

SHA512
130228b7db3519b1a10ae6f50c2270f3fa8ad0989ec24ef842760d410b5e751f19a360c8e583af63da028118b8149536fb06f2e31f040f88cb871e83d8ca588c

Download Submit
C:\Windows\{7F0AD31F-3021-4a1c-8E65-FDC861715C94}.exe
Filesize
64KB

MD5
d4ba76ac8bc2b97687fbd6f908668e93

SHA1
fd9f9c006fade01649ac52dbf5a666bae61eb154

SHA256
bfd15a04bcc6d0ea5132812f22d5a844a79de19d0c259016f8707538cfa7bbe3

SHA512
3188b92f1331dc5f80df53e9f519eb3ade8e86c7107432219ff19fc49259e60472bace9d5b1f8d09fbc46d9cc1c241a8da4b8c9416412e266302c82bb640af1d

Download Submit
C:\Windows\{8442DA82-03C2-421a-A945-5A730ACC1B8B}.exe
Filesize
64KB

MD5
ec5e6d544a0682f33073ae3e8f2bf978

SHA1
2aefc2c72bac2ef5188729b92761d57fb073f708

SHA256
08c1dae847e9c13214853f53c4d265b7397a102bdaf13541beefedd184544ad5

SHA512
6ac0dfe68b5c4f0a6a0691eadb2fa37bf5d575be6a8ae50d74721b4ec5da004216889db6165bbad24d8cdb2b64f7f64aaf6930148067734393015a26a1916819

Download Submit
C:\Windows\{9B810378-5371-45c4-BA26-B98CEF850179}.exe
Filesize
64KB

MD5
ab88f39041ac45325054f55a323247eb

SHA1
62a8c4166c34baf688dc5b95e6b90e71f8e94287

SHA256
4141b2bf8b49387ae4125a012d298737357139853a786948661a129c7983920d

SHA512
4145bef5f9420e5bb03408f097cd52408759f441541d0574a2cad540cba8685e7e169229652ff804c50f08d7e3334a60d8fb78e7df307915f95f918543f659b8

Download Submit
C:\Windows\{C05AD4F6-0E5E-4ad0-A7A2-2DF89F2EAC30}.exe
Filesize
64KB

MD5
e37c5ec7740b37d523fa2599084c8c46

SHA1
b95faf32dffca92cf70ec87e034df4e7de8d437b

SHA256
d41394128703e17b1dfe3fd05ec3d5260ac7ec5348f66913c6a2cef469995f99

SHA512
1a2c26827802ad29645d5d97a87a2364c875708c7b0f8bdb60d00d81a5f02871f180bf6e8b1f5072dd2ea67a41371973ecc9c9da35f6ad2f6f5f7d9819f43776

Download Submit
C:\Windows\{C1A0777E-CB56-4116-8258-6DE3ABF8A78B}.exe
Filesize
64KB

MD5
e08f0351446831f5c2a7d53dc014c0a1

SHA1
95b8624cd80e789d22fcf2941e6865f799cc8022

SHA256
511ed515a3cd3d0c1be7524a5b6368f990686bd15828c2430c56dc4b0b8fee04

SHA512
b2dbfb7b6bff858ca52a257e050f9a8eaf38b365c1ed00391725304d68b0446e96e8b37a1b2d20dd12846e86ed387eaa605625624448507eed430653216a805b

Download Submit
C:\Windows\{C533980F-8C8B-42a9-9B9B-294E3F61BC09}.exe
Filesize
64KB

MD5
543ddd55d8d0b0335c208b6bb6eadbf1

SHA1
5e0df9224b9ec32f379637ac75e884d7c9aba01e

SHA256
7890e194a9286202c2fa50c2a9d849d40995e26fcb7e9fb2b79e08ae7406df43

SHA512
b539569dcaf6c2001903cfde29b4be16fd3c6e82b9368686ad94d3fcec14f206accc4b538133dee28d4075b0e7903ab422fddaa007969e4d6a34fd1a4eb492db

Download Submit
C:\Windows\{D6C203D1-EB0B-4430-9523-32F7044A4285}.exe
Filesize
64KB

MD5
0bac027311b621b968687a3c17198982

SHA1
4c60cc761619d27141dae391154b210c575c7960

SHA256
f310d1e9c0ec140d87cd2c7a65cbb0c99d14fd44bfc1f204617ac8ad9938677f

SHA512
13f1ccb520406cdbc810c36dd04d2c1a1397d0fa1ce1443f97e5650bd3787a97d8db31d8bbc8b52670286b4596d6bcb02e91a62befb8c4642ea4675354997b5d

Download Submit
C:\Windows\{EE4B0464-5AF6-4eac-93D4-489217FE96D6}.exe
Filesize
64KB

MD5
8768c3e4f5c1630bf2f0045189363110

SHA1
b4aacfa2cab5acdb8ddc0b46258088ab2d15c8f6

SHA256
4a18aab128bc710ba6edbb27ac49ba7a5cd7d8f8695f2e19ee10a14c2e9f1f92

SHA512
64c2bae2d45470299fbb5902612b7322ccb0389579f5f27c74ff56b658fd32d26d0a169e4aff6ce4cd8335522b052fa2eee6da37ec13ba9383037e03f8df999f

Download Submit
C:\Windows\{FD24CC04-DE87-4778-B89B-2B77DEBDC874}.exe
Filesize
64KB

MD5
5b4b21308ccd551f269282bea281795d

SHA1
228705d5ba3fb0a289fb3959345197772346326b

SHA256
d63bd9643ea6b90425538e10cf378e5b789185f6a1e9d7600da5f2288bb39cea

SHA512
a458a86c2e4f387a3a44b249aeb043c4dac8f04772dc60e972369697dc6b07f51427fca8ce73fc39284818c6ca1b2bf3287a4d73633d4371b8e2e68cb75b29a0

Download Submit
memory/948-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/968-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/968-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1484-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1484-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1832-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1832-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1884-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1884-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2244-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2452-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3336-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3336-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3368-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3368-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3484-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3736-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3736-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3772-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3772-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4256-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4256-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download