48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe
Size

90KB
MD5

23818e2b50c077610d449eaee547aae0
SHA1

86ac4d2e4e28d89781d9b5570f62098e7e60e613
SHA256

48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953
SHA512

1da1dbe81d8315c9257c8ea7d3cb98a390c75fc536918ad09f300ca18b019474e675e6421521c7e1dbcfbfab69463070aa7b7948b3bcfe62e0bb73d2320c9afc
SSDEEP

768:5vw9816thKQLroJ4/wQkNrfrunMxVFA3bA:lEG/0oJlbunMxVS3c

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe{0273A6F9-6F71-4576-912F-1B67532C0027}.exe{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe{2458486E-BBA3-4122-A100-F514229557C4}.exe{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe{342BCBDF-9167-4ac3-B088-A42483410314}.exe{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1FA1F4C-A396-4023-B98F-2790464214D8}	48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04F68372-624B-4da3-BAB9-B2341AF881D5}	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF7B51FA-C917-4dac-A243-F726D00CF320}	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF7B51FA-C917-4dac-A243-F726D00CF320}\stubpath = "C:\\Windows\\{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe"	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62B49D70-B4F0-46ea-9C10-1C97239D48EB}	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62B49D70-B4F0-46ea-9C10-1C97239D48EB}\stubpath = "C:\\Windows\\{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe"	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0273A6F9-6F71-4576-912F-1B67532C0027}\stubpath = "C:\\Windows\\{0273A6F9-6F71-4576-912F-1B67532C0027}.exe"	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{342BCBDF-9167-4ac3-B088-A42483410314}\stubpath = "C:\\Windows\\{342BCBDF-9167-4ac3-B088-A42483410314}.exe"	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}\stubpath = "C:\\Windows\\{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe"	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2458486E-BBA3-4122-A100-F514229557C4}\stubpath = "C:\\Windows\\{2458486E-BBA3-4122-A100-F514229557C4}.exe"	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3FDD91A-0771-44a7-94DA-5AE5521118CA}	{2458486E-BBA3-4122-A100-F514229557C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E3FDD91A-0771-44a7-94DA-5AE5521118CA}\stubpath = "C:\\Windows\\{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe"	{2458486E-BBA3-4122-A100-F514229557C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A31562BA-0020-4bd9-838E-D7B86B10E15E}	{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04F68372-624B-4da3-BAB9-B2341AF881D5}\stubpath = "C:\\Windows\\{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe"	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{342BCBDF-9167-4ac3-B088-A42483410314}	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A23C87B-0641-4c22-A310-37B4BFE115B8}\stubpath = "C:\\Windows\\{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe"	{342BCBDF-9167-4ac3-B088-A42483410314}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2458486E-BBA3-4122-A100-F514229557C4}	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A31562BA-0020-4bd9-838E-D7B86B10E15E}\stubpath = "C:\\Windows\\{A31562BA-0020-4bd9-838E-D7B86B10E15E}.exe"	{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1FA1F4C-A396-4023-B98F-2790464214D8}\stubpath = "C:\\Windows\\{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe"	48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0273A6F9-6F71-4576-912F-1B67532C0027}	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}\stubpath = "C:\\Windows\\{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe"	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5A23C87B-0641-4c22-A310-37B4BFE115B8}	{342BCBDF-9167-4ac3-B088-A42483410314}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe

Executes dropped EXE 12 IoCs

Processes:

{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe{0273A6F9-6F71-4576-912F-1B67532C0027}.exe{342BCBDF-9167-4ac3-B088-A42483410314}.exe{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe{2458486E-BBA3-4122-A100-F514229557C4}.exe{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe{A31562BA-0020-4bd9-838E-D7B86B10E15E}.exe

pid	process
1156	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe
4884	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe
4592	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe
1472	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe
5008	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe
4060	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe
4916	{342BCBDF-9167-4ac3-B088-A42483410314}.exe
424	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe
2940	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe
2012	{2458486E-BBA3-4122-A100-F514229557C4}.exe
1444	{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe
1192	{A31562BA-0020-4bd9-838E-D7B86B10E15E}.exe

Drops file in Windows directory 12 IoCs

Processes:

{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe{342BCBDF-9167-4ac3-B088-A42483410314}.exe{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe{2458486E-BBA3-4122-A100-F514229557C4}.exe48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe{0273A6F9-6F71-4576-912F-1B67532C0027}.exe

description	ioc	process
File created	C:\Windows\{0273A6F9-6F71-4576-912F-1B67532C0027}.exe	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe
File created	C:\Windows\{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe	{342BCBDF-9167-4ac3-B088-A42483410314}.exe
File created	C:\Windows\{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe
File created	C:\Windows\{2458486E-BBA3-4122-A100-F514229557C4}.exe	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe
File created	C:\Windows\{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe	{2458486E-BBA3-4122-A100-F514229557C4}.exe
File created	C:\Windows\{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe	48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe
File created	C:\Windows\{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe
File created	C:\Windows\{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe
File created	C:\Windows\{A31562BA-0020-4bd9-838E-D7B86B10E15E}.exe	{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe
File created	C:\Windows\{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe
File created	C:\Windows\{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe
File created	C:\Windows\{342BCBDF-9167-4ac3-B088-A42483410314}.exe	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe{0273A6F9-6F71-4576-912F-1B67532C0027}.exe{342BCBDF-9167-4ac3-B088-A42483410314}.exe{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe{2458486E-BBA3-4122-A100-F514229557C4}.exe{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2276	48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe
Token: SeIncBasePriorityPrivilege	1156	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe
Token: SeIncBasePriorityPrivilege	4884	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe
Token: SeIncBasePriorityPrivilege	4592	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe
Token: SeIncBasePriorityPrivilege	1472	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe
Token: SeIncBasePriorityPrivilege	5008	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe
Token: SeIncBasePriorityPrivilege	4060	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe
Token: SeIncBasePriorityPrivilege	4916	{342BCBDF-9167-4ac3-B088-A42483410314}.exe
Token: SeIncBasePriorityPrivilege	424	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe
Token: SeIncBasePriorityPrivilege	2940	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe
Token: SeIncBasePriorityPrivilege	2012	{2458486E-BBA3-4122-A100-F514229557C4}.exe
Token: SeIncBasePriorityPrivilege	1444	{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe{0273A6F9-6F71-4576-912F-1B67532C0027}.exe{342BCBDF-9167-4ac3-B088-A42483410314}.exe{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe{2458486E-BBA3-4122-A100-F514229557C4}.exe

description	pid	process	target process
PID 2276 wrote to memory of 1156	2276	48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe
PID 2276 wrote to memory of 1156	2276	48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe
PID 2276 wrote to memory of 1156	2276	48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe
PID 2276 wrote to memory of 1384	2276	48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe	cmd.exe
PID 2276 wrote to memory of 1384	2276	48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe	cmd.exe
PID 2276 wrote to memory of 1384	2276	48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe	cmd.exe
PID 1156 wrote to memory of 4884	1156	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe
PID 1156 wrote to memory of 4884	1156	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe
PID 1156 wrote to memory of 4884	1156	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe
PID 1156 wrote to memory of 1356	1156	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe	cmd.exe
PID 1156 wrote to memory of 1356	1156	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe	cmd.exe
PID 1156 wrote to memory of 1356	1156	{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe	cmd.exe
PID 4884 wrote to memory of 4592	4884	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe
PID 4884 wrote to memory of 4592	4884	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe
PID 4884 wrote to memory of 4592	4884	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe
PID 4884 wrote to memory of 3640	4884	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe	cmd.exe
PID 4884 wrote to memory of 3640	4884	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe	cmd.exe
PID 4884 wrote to memory of 3640	4884	{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe	cmd.exe
PID 4592 wrote to memory of 1472	4592	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe
PID 4592 wrote to memory of 1472	4592	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe
PID 4592 wrote to memory of 1472	4592	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe
PID 4592 wrote to memory of 2356	4592	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe	cmd.exe
PID 4592 wrote to memory of 2356	4592	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe	cmd.exe
PID 4592 wrote to memory of 2356	4592	{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe	cmd.exe
PID 1472 wrote to memory of 5008	1472	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe
PID 1472 wrote to memory of 5008	1472	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe
PID 1472 wrote to memory of 5008	1472	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe
PID 1472 wrote to memory of 1748	1472	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe	cmd.exe
PID 1472 wrote to memory of 1748	1472	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe	cmd.exe
PID 1472 wrote to memory of 1748	1472	{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe	cmd.exe
PID 5008 wrote to memory of 4060	5008	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe
PID 5008 wrote to memory of 4060	5008	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe
PID 5008 wrote to memory of 4060	5008	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe
PID 5008 wrote to memory of 3912	5008	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe	cmd.exe
PID 5008 wrote to memory of 3912	5008	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe	cmd.exe
PID 5008 wrote to memory of 3912	5008	{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe	cmd.exe
PID 4060 wrote to memory of 4916	4060	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe	{342BCBDF-9167-4ac3-B088-A42483410314}.exe
PID 4060 wrote to memory of 4916	4060	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe	{342BCBDF-9167-4ac3-B088-A42483410314}.exe
PID 4060 wrote to memory of 4916	4060	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe	{342BCBDF-9167-4ac3-B088-A42483410314}.exe
PID 4060 wrote to memory of 736	4060	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe	cmd.exe
PID 4060 wrote to memory of 736	4060	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe	cmd.exe
PID 4060 wrote to memory of 736	4060	{0273A6F9-6F71-4576-912F-1B67532C0027}.exe	cmd.exe
PID 4916 wrote to memory of 424	4916	{342BCBDF-9167-4ac3-B088-A42483410314}.exe	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe
PID 4916 wrote to memory of 424	4916	{342BCBDF-9167-4ac3-B088-A42483410314}.exe	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe
PID 4916 wrote to memory of 424	4916	{342BCBDF-9167-4ac3-B088-A42483410314}.exe	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe
PID 4916 wrote to memory of 1360	4916	{342BCBDF-9167-4ac3-B088-A42483410314}.exe	cmd.exe
PID 4916 wrote to memory of 1360	4916	{342BCBDF-9167-4ac3-B088-A42483410314}.exe	cmd.exe
PID 4916 wrote to memory of 1360	4916	{342BCBDF-9167-4ac3-B088-A42483410314}.exe	cmd.exe
PID 424 wrote to memory of 2940	424	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe
PID 424 wrote to memory of 2940	424	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe
PID 424 wrote to memory of 2940	424	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe
PID 424 wrote to memory of 1464	424	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe	cmd.exe
PID 424 wrote to memory of 1464	424	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe	cmd.exe
PID 424 wrote to memory of 1464	424	{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe	cmd.exe
PID 2940 wrote to memory of 2012	2940	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe	{2458486E-BBA3-4122-A100-F514229557C4}.exe
PID 2940 wrote to memory of 2012	2940	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe	{2458486E-BBA3-4122-A100-F514229557C4}.exe
PID 2940 wrote to memory of 2012	2940	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe	{2458486E-BBA3-4122-A100-F514229557C4}.exe
PID 2940 wrote to memory of 3548	2940	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe	cmd.exe
PID 2940 wrote to memory of 3548	2940	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe	cmd.exe
PID 2940 wrote to memory of 3548	2940	{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe	cmd.exe
PID 2012 wrote to memory of 1444	2012	{2458486E-BBA3-4122-A100-F514229557C4}.exe	{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe
PID 2012 wrote to memory of 1444	2012	{2458486E-BBA3-4122-A100-F514229557C4}.exe	{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe
PID 2012 wrote to memory of 1444	2012	{2458486E-BBA3-4122-A100-F514229557C4}.exe	{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe
PID 2012 wrote to memory of 4336	2012	{2458486E-BBA3-4122-A100-F514229557C4}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe
"C:\Users\Admin\AppData\Local\Temp\48052be116ef0365ef0aa88ef6f845471ac7b8542707d53d82778b4b96340953.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe
  C:\Windows\{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1156
- - C:\Windows\{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe
    C:\Windows\{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe
      C:\Windows\{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4592
    - - C:\Windows\{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe
        
        C:\Windows\{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1472
      - C:\Windows\{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe
        
        C:\Windows\{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\{0273A6F9-6F71-4576-912F-1B67532C0027}.exe
        
        C:\Windows\{0273A6F9-6F71-4576-912F-1B67532C0027}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4060
        
        C:\Windows\{342BCBDF-9167-4ac3-B088-A42483410314}.exe
        
        C:\Windows\{342BCBDF-9167-4ac3-B088-A42483410314}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe
        
        C:\Windows\{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Windows\{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe
        
        C:\Windows\{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\{2458486E-BBA3-4122-A100-F514229557C4}.exe
        
        C:\Windows\{2458486E-BBA3-4122-A100-F514229557C4}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe
        
        C:\Windows\{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\{A31562BA-0020-4bd9-838E-D7B86B10E15E}.exe
        
        C:\Windows\{A31562BA-0020-4bd9-838E-D7B86B10E15E}.exe
        13⤵
        Executes dropped EXE
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3FDD~1.EXE > nul
        13⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{24584~1.EXE > nul
        12⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{01FD6~1.EXE > nul
        11⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5A23C~1.EXE > nul
        10⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{342BC~1.EXE > nul
        9⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0273A~1.EXE > nul
        8⤵
        
        PID:736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62B49~1.EXE > nul
        7⤵
        
        PID:3912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC39C~1.EXE > nul
        6⤵
        
        PID:1748
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF7B5~1.EXE > nul
        5⤵
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{04F68~1.EXE > nul
      4⤵
      PID:3640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A1FA1~1.EXE > nul
    3⤵
    PID:1356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\48052B~1.EXE > nul
  2⤵
  PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{01FD67ED-4D45-4a3a-8CC4-8F08C13A9249}.exe

Filesize
90KB

MD5
8f87af20e61cd0e34a9a51dce46181a8

SHA1
944db5e5d1fbfbfc02076e66fff0acc024c9051a

SHA256
3dd865f575b357da7a1b85600ac0a4a447506ad429735fa3a7a8a2251a22f92c

SHA512
bd411c41628f8590a1fc0f1d1ea7f1187074071ac41b4ffb388e2c310b317ebc37f7f47ae5804e06493eb92c9720d2938b584fd0712eba117d833c280c69624f

Download Submit
C:\Windows\{0273A6F9-6F71-4576-912F-1B67532C0027}.exe

Filesize
90KB

MD5
78c4b689b1ee08493b7731fd7a9e5ca5

SHA1
c4351a00c15d7d9784c0c13c90053a7cc925c677

SHA256
640f351277c1444047ba8f3fd6658df9a40992d3885122078c15cfb4d920703b

SHA512
ae368e88082fb40126859082d1afea013736e9e4c41e90a5eb757bf36fc490c665cc77237ceef4e22f2e00018754bd29a23849792ef10835295dd8c54d67142a

Download Submit
C:\Windows\{04F68372-624B-4da3-BAB9-B2341AF881D5}.exe

Filesize
90KB

MD5
22b2a29738b34df1615406c67c00ea1f

SHA1
57eb14c81691f73261d6153f64e436fcde27e37a

SHA256
f344d02c39a0d9ed42e22d3c5fa3d18618796f93f914df15c9327d202a0e59a2

SHA512
02486c3d2cb55da0d670dbf88d794fcbcbe5ce41255eb5967ba9eff0de1e85f21012187d5f3512992767f252efabcec24d06088b960614be133f84f48a14824d

Download Submit
C:\Windows\{2458486E-BBA3-4122-A100-F514229557C4}.exe

Filesize
90KB

MD5
47cae79f556a64ea4f8ccef9421bffa6

SHA1
335b7412b3c10558fa1b9bd5a73cf65ab5ccf387

SHA256
3fd9ddec4a6bb5a3d3966396cf2dfb396607d884ebd6b2f5df513aaf024836e2

SHA512
c24e9771312f53bcf5944a821d80c49331821b095599706b4a75566d427a66b57c0b4327494e55712efec1c1051daf42421aa294dc010bd45a5ee583b669df68

Download Submit
C:\Windows\{342BCBDF-9167-4ac3-B088-A42483410314}.exe

Filesize
90KB

MD5
7c8de0e15b795803549395e835d6f710

SHA1
11fda597b3c8b85093b2cc9d480760400ffeac89

SHA256
1b42a79fec099a0b57b01f4e8964e1d776a1126ec8b0c7432d454868bd19c538

SHA512
e35a956833bbe48bf66fe175aa3fbba41a76b6dba0812e8c8c4970fda80afa11dbff429b3dc2e8f4f63392afd43a365935f4cdf648c84e5740ac80ac35da1850

Download Submit
C:\Windows\{5A23C87B-0641-4c22-A310-37B4BFE115B8}.exe

Filesize
90KB

MD5
867f52c605f8ad45fc4d1b63137d88e7

SHA1
3ffb6ab6fd1ac54ec28864130fd07b73bb034213

SHA256
d673758cdfcac371114752a9b208cf8a6aab28e5d12a1ef4de4cfd53149126eb

SHA512
b7e650243689efb1b9af04506410dc53f07ba0724f1f3f3c5f685073269d62c0612406fae8738a8299e745d56272db4058e5cffdc89068c23d6713ef7e3e5e7f

Download Submit
C:\Windows\{62B49D70-B4F0-46ea-9C10-1C97239D48EB}.exe

Filesize
90KB

MD5
e99a900259295ac7a204778c2224d4ce

SHA1
ad2ee635de13d8fda521c51f274d5b20c20ea1ac

SHA256
6b9125c2ebf5f9ef14c425c6b170ad8b81d8092fdb57ff5434961ea7c9beddeb

SHA512
500066e3587d9444adc610aef7fb9c530546e6d4c85b682b40dba565d969b670fe09fd76d2999def7d7d7d1a1432c5f8158d63ff1b4380766aa1802a46f48a5b

Download Submit
C:\Windows\{A1FA1F4C-A396-4023-B98F-2790464214D8}.exe

Filesize
90KB

MD5
dcaee2a9a0fc8356cefcffbec1428c98

SHA1
bde6761f40d3d638ac5d540933078b21f6cbbee5

SHA256
de33f7ca5078ce5e21a23532bcb87bfa94c30fc47953e0c285fefe7898dd7928

SHA512
d2782fbcbe165b2b3b167acde5aab012538269f1fbfd8efb76e1cee0ebb6de39104859879e9641e47c614c2ca93231e64ea18b9e1787d6b79e63dedd440f035a

Download Submit
C:\Windows\{A31562BA-0020-4bd9-838E-D7B86B10E15E}.exe

Filesize
90KB

MD5
d89ad97251a5e7f9d3ac8d5ba790c8f3

SHA1
f4fd5b1812458a9a8271f7f8f5d20bb0afb568b6

SHA256
c279720574212929a0caceb98cf24af04160c347db725368ee10052a05b1408a

SHA512
ffb7846c5081feee6bc9a9652edf1504ceecda5d358c8febb79133f499fd2dc0a1e5847ecef2f95fce687c30e83bf2b20a308a9c6d999e18a86fb2b6c400d33e

Download Submit
C:\Windows\{AF7B51FA-C917-4dac-A243-F726D00CF320}.exe

Filesize
90KB

MD5
b7107b5b6b44bbf7f1656ab0969171c0

SHA1
4782c65525c383419119904e5e9fd74fe543e7e2

SHA256
4a59a05c342fbf2b8da3541982341dfbbe4d32ac7bd7ee761ff2dc4f500b8068

SHA512
5351beff96168e5189917db9fdf5c82d9157799441832ca087b693e15f23d480368aeb36953ccaadf83ed2b71958117a43f860c1f272038dc27d249aa4b1ae3d

Download Submit
C:\Windows\{E3FDD91A-0771-44a7-94DA-5AE5521118CA}.exe

Filesize
90KB

MD5
e6ac60ba49333aa17ac60e6f105459dd

SHA1
f1431e3aa35c03403ee1b315cf6ca57ef269d936

SHA256
afb0d2ea4948e5785edb86591550b46eee83f99cf0688c01463fa1a79990ecdc

SHA512
d474c1015003f49645e8b7b3ba38eb103ce0cd317d18511ced277dc4ffb109bdfd659a83e1b110085ae83d464a0d6a1d2f91875d10d268e4d1c800ca9cee644a

Download Submit
C:\Windows\{FC39C5D1-6425-4392-9B5F-FCC852D00AE0}.exe

Filesize
90KB

MD5
6413eb49afe8b883486296a55e18cc5d

SHA1
6e499e7ba13c97b59176351493e93f2a12431c8e

SHA256
0de03059695f6eedd908f2431fa1ba549eb4bfb34d4d47cfbe982be665e0ed6f

SHA512
347989d15af2a9f45ad5d07db40ef17c5aea83e918379e35497d5270ddcc9e36448a29454ddfa56d4256c124986b6cb0b4d3879727cf3e8fcd01001abc96304f

Download Submit
memory/424-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1156-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1156-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1444-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1444-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1472-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1472-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2012-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2012-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2276-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2276-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2940-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2940-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4060-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4060-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4592-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4592-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4884-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4884-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4916-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4916-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5008-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download