522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff

Analysis

max time kernel
149s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe
Size

98KB
MD5

075f83ccf1c96e5a0693ade441a985d3
SHA1

71a3883e999cd337f7e50e03c93b0fdff528386b
SHA256

522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff
SHA512

4d83111f4d7a3cdc53a770486591294c765c0e3ea3d658f1ce384a59ed534e0222770866f10c7723fde1a9c1996d87e066af5ab47d434d28fae58ef024438500
SSDEEP

768:5vw98169hKjroy4/wQCNrfrunMxVFA3b7glw6:lEG/HoylxunMxVS3Hgl

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{B4F9F999-4D15-4444-8207-65D6834515FE}.exe{6503C825-FE98-45e5-8169-902472C14608}.exe{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe{750CD811-CB02-4080-A588-E99B3FAB8371}.exe{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6503C825-FE98-45e5-8169-902472C14608}	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6503C825-FE98-45e5-8169-902472C14608}\stubpath = "C:\\Windows\\{6503C825-FE98-45e5-8169-902472C14608}.exe"	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}	{6503C825-FE98-45e5-8169-902472C14608}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{606A9314-9EE8-470c-8D86-92CC70B16D4C}\stubpath = "C:\\Windows\\{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe"	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}\stubpath = "C:\\Windows\\{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe"	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA8C0555-3D56-43a7-89FB-5E935C567FDF}	{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{750CD811-CB02-4080-A588-E99B3FAB8371}\stubpath = "C:\\Windows\\{750CD811-CB02-4080-A588-E99B3FAB8371}.exe"	522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{099136D8-6471-4e8e-9FF3-5B30E0D44297}\stubpath = "C:\\Windows\\{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe"	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4F9F999-4D15-4444-8207-65D6834515FE}	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B4F9F999-4D15-4444-8207-65D6834515FE}\stubpath = "C:\\Windows\\{B4F9F999-4D15-4444-8207-65D6834515FE}.exe"	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}\stubpath = "C:\\Windows\\{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe"	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA8C0555-3D56-43a7-89FB-5E935C567FDF}\stubpath = "C:\\Windows\\{BA8C0555-3D56-43a7-89FB-5E935C567FDF}.exe"	{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{750CD811-CB02-4080-A588-E99B3FAB8371}	522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}\stubpath = "C:\\Windows\\{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe"	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC5AF6E2-6330-4717-BB65-7E4BB3734448}\stubpath = "C:\\Windows\\{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe"	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}\stubpath = "C:\\Windows\\{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe"	{6503C825-FE98-45e5-8169-902472C14608}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{606A9314-9EE8-470c-8D86-92CC70B16D4C}	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}\stubpath = "C:\\Windows\\{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe"	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC5AF6E2-6330-4717-BB65-7E4BB3734448}	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{099136D8-6471-4e8e-9FF3-5B30E0D44297}	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe

Executes dropped EXE 12 IoCs

Processes:

{750CD811-CB02-4080-A588-E99B3FAB8371}.exe{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe{B4F9F999-4D15-4444-8207-65D6834515FE}.exe{6503C825-FE98-45e5-8169-902472C14608}.exe{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe{BA8C0555-3D56-43a7-89FB-5E935C567FDF}.exe

pid	process
3136	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe
4536	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe
3512	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe
1244	{6503C825-FE98-45e5-8169-902472C14608}.exe
4284	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe
3644	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe
4280	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe
2348	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe
2600	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe
5108	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe
4228	{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe
1436	{BA8C0555-3D56-43a7-89FB-5E935C567FDF}.exe

Drops file in Windows directory 12 IoCs

Processes:

{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe{B4F9F999-4D15-4444-8207-65D6834515FE}.exe{6503C825-FE98-45e5-8169-902472C14608}.exe{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe{750CD811-CB02-4080-A588-E99B3FAB8371}.exe{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe

description	ioc	process
File created	C:\Windows\{B4F9F999-4D15-4444-8207-65D6834515FE}.exe	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe
File created	C:\Windows\{6503C825-FE98-45e5-8169-902472C14608}.exe	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe
File created	C:\Windows\{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe	{6503C825-FE98-45e5-8169-902472C14608}.exe
File created	C:\Windows\{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe
File created	C:\Windows\{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe
File created	C:\Windows\{750CD811-CB02-4080-A588-E99B3FAB8371}.exe	522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe
File created	C:\Windows\{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe
File created	C:\Windows\{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe
File created	C:\Windows\{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe
File created	C:\Windows\{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe
File created	C:\Windows\{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe
File created	C:\Windows\{BA8C0555-3D56-43a7-89FB-5E935C567FDF}.exe	{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe{750CD811-CB02-4080-A588-E99B3FAB8371}.exe{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe{B4F9F999-4D15-4444-8207-65D6834515FE}.exe{6503C825-FE98-45e5-8169-902472C14608}.exe{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3080	522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe
Token: SeIncBasePriorityPrivilege	3136	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe
Token: SeIncBasePriorityPrivilege	4536	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe
Token: SeIncBasePriorityPrivilege	3512	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe
Token: SeIncBasePriorityPrivilege	1244	{6503C825-FE98-45e5-8169-902472C14608}.exe
Token: SeIncBasePriorityPrivilege	4284	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe
Token: SeIncBasePriorityPrivilege	3644	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe
Token: SeIncBasePriorityPrivilege	4280	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe
Token: SeIncBasePriorityPrivilege	2348	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe
Token: SeIncBasePriorityPrivilege	2600	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe
Token: SeIncBasePriorityPrivilege	5108	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe
Token: SeIncBasePriorityPrivilege	4228	{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3080 wrote to memory of 3136	3080	522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe
PID 3080 wrote to memory of 3136	3080	522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe
PID 3080 wrote to memory of 3136	3080	522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe
PID 3080 wrote to memory of 3960	3080	522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe	cmd.exe
PID 3080 wrote to memory of 3960	3080	522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe	cmd.exe
PID 3080 wrote to memory of 3960	3080	522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe	cmd.exe
PID 3136 wrote to memory of 4536	3136	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe
PID 3136 wrote to memory of 4536	3136	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe
PID 3136 wrote to memory of 4536	3136	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe
PID 3136 wrote to memory of 3788	3136	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe	cmd.exe
PID 3136 wrote to memory of 3788	3136	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe	cmd.exe
PID 3136 wrote to memory of 3788	3136	{750CD811-CB02-4080-A588-E99B3FAB8371}.exe	cmd.exe
PID 4536 wrote to memory of 3512	4536	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe
PID 4536 wrote to memory of 3512	4536	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe
PID 4536 wrote to memory of 3512	4536	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe
PID 4536 wrote to memory of 2168	4536	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe	cmd.exe
PID 4536 wrote to memory of 2168	4536	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe	cmd.exe
PID 4536 wrote to memory of 2168	4536	{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe	cmd.exe
PID 3512 wrote to memory of 1244	3512	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe	{6503C825-FE98-45e5-8169-902472C14608}.exe
PID 3512 wrote to memory of 1244	3512	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe	{6503C825-FE98-45e5-8169-902472C14608}.exe
PID 3512 wrote to memory of 1244	3512	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe	{6503C825-FE98-45e5-8169-902472C14608}.exe
PID 3512 wrote to memory of 4704	3512	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe	cmd.exe
PID 3512 wrote to memory of 4704	3512	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe	cmd.exe
PID 3512 wrote to memory of 4704	3512	{B4F9F999-4D15-4444-8207-65D6834515FE}.exe	cmd.exe
PID 1244 wrote to memory of 4284	1244	{6503C825-FE98-45e5-8169-902472C14608}.exe	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe
PID 1244 wrote to memory of 4284	1244	{6503C825-FE98-45e5-8169-902472C14608}.exe	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe
PID 1244 wrote to memory of 4284	1244	{6503C825-FE98-45e5-8169-902472C14608}.exe	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe
PID 1244 wrote to memory of 1684	1244	{6503C825-FE98-45e5-8169-902472C14608}.exe	cmd.exe
PID 1244 wrote to memory of 1684	1244	{6503C825-FE98-45e5-8169-902472C14608}.exe	cmd.exe
PID 1244 wrote to memory of 1684	1244	{6503C825-FE98-45e5-8169-902472C14608}.exe	cmd.exe
PID 4284 wrote to memory of 3644	4284	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe
PID 4284 wrote to memory of 3644	4284	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe
PID 4284 wrote to memory of 3644	4284	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe
PID 4284 wrote to memory of 3032	4284	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe	cmd.exe
PID 4284 wrote to memory of 3032	4284	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe	cmd.exe
PID 4284 wrote to memory of 3032	4284	{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe	cmd.exe
PID 3644 wrote to memory of 4280	3644	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe
PID 3644 wrote to memory of 4280	3644	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe
PID 3644 wrote to memory of 4280	3644	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe
PID 3644 wrote to memory of 4992	3644	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe	cmd.exe
PID 3644 wrote to memory of 4992	3644	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe	cmd.exe
PID 3644 wrote to memory of 4992	3644	{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe	cmd.exe
PID 4280 wrote to memory of 2348	4280	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe
PID 4280 wrote to memory of 2348	4280	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe
PID 4280 wrote to memory of 2348	4280	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe
PID 4280 wrote to memory of 4896	4280	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe	cmd.exe
PID 4280 wrote to memory of 4896	4280	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe	cmd.exe
PID 4280 wrote to memory of 4896	4280	{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe	cmd.exe
PID 2348 wrote to memory of 2600	2348	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe
PID 2348 wrote to memory of 2600	2348	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe
PID 2348 wrote to memory of 2600	2348	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe
PID 2348 wrote to memory of 4044	2348	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe	cmd.exe
PID 2348 wrote to memory of 4044	2348	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe	cmd.exe
PID 2348 wrote to memory of 4044	2348	{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe	cmd.exe
PID 2600 wrote to memory of 5108	2600	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe
PID 2600 wrote to memory of 5108	2600	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe
PID 2600 wrote to memory of 5108	2600	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe
PID 2600 wrote to memory of 520	2600	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe	cmd.exe
PID 2600 wrote to memory of 520	2600	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe	cmd.exe
PID 2600 wrote to memory of 520	2600	{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe	cmd.exe
PID 5108 wrote to memory of 4228	5108	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe	{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe
PID 5108 wrote to memory of 4228	5108	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe	{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe
PID 5108 wrote to memory of 4228	5108	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe	{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe
PID 5108 wrote to memory of 2540	5108	{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe
"C:\Users\Admin\AppData\Local\Temp\522555764d7702aa33a966e1f1c17cd48bc77e50df751fc0c8f26044b7ac8fff.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3080

C:\Windows\{750CD811-CB02-4080-A588-E99B3FAB8371}.exe
C:\Windows\{750CD811-CB02-4080-A588-E99B3FAB8371}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe
C:\Windows\{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4536

C:\Windows\{B4F9F999-4D15-4444-8207-65D6834515FE}.exe
C:\Windows\{B4F9F999-4D15-4444-8207-65D6834515FE}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\{6503C825-FE98-45e5-8169-902472C14608}.exe
C:\Windows\{6503C825-FE98-45e5-8169-902472C14608}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1244

C:\Windows\{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe
C:\Windows\{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe
C:\Windows\{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe
C:\Windows\{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe
C:\Windows\{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2348

C:\Windows\{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe
C:\Windows\{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe
C:\Windows\{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108

C:\Windows\{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe
C:\Windows\{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\{BA8C0555-3D56-43a7-89FB-5E935C567FDF}.exe
C:\Windows\{BA8C0555-3D56-43a7-89FB-5E935C567FDF}.exe
13⤵
- Executes dropped EXE
PID:1436

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EC5AF~1.EXE > nul
13⤵
PID:2980

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6C3C9~1.EXE > nul
12⤵
PID:2540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A7A50~1.EXE > nul
11⤵
PID:520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FBDFE~1.EXE > nul
10⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9F8C9~1.EXE > nul
9⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{606A9~1.EXE > nul
8⤵
PID:4992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{25908~1.EXE > nul
7⤵
PID:3032

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{6503C~1.EXE > nul
6⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B4F9F~1.EXE > nul
5⤵
PID:4704

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{09913~1.EXE > nul
4⤵
PID:2168

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{750CD~1.EXE > nul
3⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\522555~1.EXE > nul
2⤵
PID:3960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{099136D8-6471-4e8e-9FF3-5B30E0D44297}.exe

Filesize
98KB

MD5
db18ddbfcd3cc5d2842f63ee21bc9d12

SHA1
8d4848bddfead97c09988c9a07bb958f280b6083

SHA256
c0d424cb12568d3b7516a706183440bad996416c2b05592e07200bed2c187993

SHA512
1fa9553bac95f63abc751f41dfcda0c6ac592fddaeb446c334530a264d011014d89f2e10cf974cc0dfda7bd1e5f68dddb7e8db3c9a7e4578e3800b532684db36

Download Submit
C:\Windows\{2590882D-F8B4-4d2b-ACE3-7A5A2ABA6E2C}.exe

Filesize
98KB

MD5
c224aa4f86c5a1c246a7586d39e6463a

SHA1
1d20172edbd5a88fa3270cd887e54f16a539fd96

SHA256
f8627d7b6c720fe5e700da219ea1787c33480cfb7fbc8ebcc029b5eb1b6c4e22

SHA512
6bdf56c7b8945b8ef2dbe2726bd42af761aa4780adf966d4274efafe972a9ae214124b68604d8c3a88341d37e7c2251bf8eaa006fcaa4a59516887a4cbc188dc

Download Submit
C:\Windows\{606A9314-9EE8-470c-8D86-92CC70B16D4C}.exe

Filesize
98KB

MD5
35faac005e12e16459a0db24a468a908

SHA1
40919c7c5edb7760b927ed272b76ded44a72855e

SHA256
a22824df355d5a1e231e293c646037c54d8654e44a5e5ad55af893fd8179bc55

SHA512
9b69c2faf105852bcd1e6092e0e8c4342525140208f41040218e800dba4faede4d96ea9d9b4243516657adfcfff611b1a2d5680be772331dfdfabf5c0e5e63fc

Download Submit
C:\Windows\{6503C825-FE98-45e5-8169-902472C14608}.exe

Filesize
98KB

MD5
856e78a89691b70c53a5fa20661702be

SHA1
173538498abe03f6bc7ea71556ceb3bd8f00042c

SHA256
a510908159eb32f70cf50fecbd450e1e90ecb721db891a3dd69076598b02e576

SHA512
77c1cfbd01301271dd979ee407a04ba32919779d3587e6fb6f7289df95164147522f05aa1d62ebba0793c27f1e3d55b951aa3b4cb1f27ea99dba938d80943c9e

Download Submit
C:\Windows\{6C3C9E66-CCE7-4eb5-ACBA-1E5C9E3CD0C7}.exe

Filesize
98KB

MD5
2540cdd2dc0bddb358934498de49d086

SHA1
be55905cac682d16d79a8f93bba85a150394b777

SHA256
3e5ad8faf64070618f193bcd3247ba61955df36963cdea03c2d9d26e7df22ce7

SHA512
8f9a23c7fabd72a0a0ed6004e5bce50cbba0110ba291c1ad593dde25856888283d7bf79c5c116f613ee1cb22559124ce55e57e9367dc49b1badb953d78cc0c17

Download Submit
C:\Windows\{750CD811-CB02-4080-A588-E99B3FAB8371}.exe

Filesize
98KB

MD5
3e4b9e4b61de6284e7bdd972cca8d37b

SHA1
c26337e5f7b2bbad32a86ba790c7fd714ce8d4e6

SHA256
c9e44b67aa5fed8fabc9e4d183af27e6023687cf07d88eebd14bbec44a1f5624

SHA512
0b615519081936545cacd2c697b67acb253c90976cde330caffdbc2e0a2bd72f9b891a07a7bf050f9c1fb94fb09d2e940ae58479c19f6a7e2ab2ecc68dd030d7

Download Submit
C:\Windows\{9F8C9A41-D3A5-4e60-915D-6CA1F4B2013B}.exe

Filesize
98KB

MD5
b648adc756943b0058d77e6ce0f245b3

SHA1
b7ad5cdbf64f2e0930cbf7aef0cd75ebc5e4ed64

SHA256
2c49ac487c8d69fc69938e75dbb1d7afd6ad6e62514aa0036e02bc2368e49bb6

SHA512
c726c917576f8c762646e2625ba51bf7bd496e2a0649f1e4fb955efa838b6662fb90b4307c329bb1dce98f6cf3aee4196f36c5cf0cbead26ae1c83598e34e347

Download Submit
C:\Windows\{A7A50E07-5A46-424c-8D2A-5C8827AC8C79}.exe

Filesize
98KB

MD5
887c43ab846a958c3c52209687a58425

SHA1
9c99becc52de6647541eee27ca48522eacc2b9a7

SHA256
8a8311c9e8a033af2a9fd7bcf5475192436f944efce3122257dcc5d250748b69

SHA512
3996d73f9d16da116a117a773766208fe86cbb84d30ab1c490141f80eee76f64efe565aaa7b7e9a59f8af0e536aa8d30f8ba0183453cc47321ee7c435e335269

Download Submit
C:\Windows\{B4F9F999-4D15-4444-8207-65D6834515FE}.exe

Filesize
98KB

MD5
0dd8d900b197ecded960b63c1dd5f72b

SHA1
60fd57fab0c837776a567ecce696f4ab794cd04c

SHA256
6804a26c15e126981fd173fcdcf6e770b38856e99f3097e6c048210612ee4a57

SHA512
c99e9ed7c862d14dba804ec2dd8755d277cf90a800e1ae141d72ff790ffe8736a098177885d5c66aac98ab22858eee5e0f206592cc51edb9bdf23fa35ec4425b

Download Submit
C:\Windows\{BA8C0555-3D56-43a7-89FB-5E935C567FDF}.exe

Filesize
98KB

MD5
93ab05a8aeaed17356db447c3bde444e

SHA1
88cd647226864a7f044d5c6700f9868612e21de4

SHA256
a049fb157b72cb746f22d0dedfefef214a7fbeef4e0cdadc6be400324d580059

SHA512
36c34181423b23bc1af53457203d89cf04cabdaf5ba680d4cbcc8fc82b41c73cfa3aa84c0f3f7a2effeff4ed0cb9dcb51781d8777a1495ab5cd2f1e5719bfa0a

Download Submit
C:\Windows\{EC5AF6E2-6330-4717-BB65-7E4BB3734448}.exe

Filesize
98KB

MD5
36a49ac0f32bb28ce6035f7480eb8f47

SHA1
71ad25d024f793a62facf0d4b0030d6f96e977bd

SHA256
c5064a594c2daa258c443d4cd8ee56473ab1065a8e2d75e505c618a28ba59e04

SHA512
493f0ebfaa40d78cf590beb7a97d19602e697f60d89de4e46079b3ee3706bcfb8946e9df8e243d55c78eccc1c7a56c5e64586ed8791b01f89f9f296acf4e4aad

Download Submit
C:\Windows\{FBDFEDC9-593F-480f-BD64-5B8FD3D79DCA}.exe

Filesize
98KB

MD5
fd2100a05c2255a5bb816919ecda8968

SHA1
11bc1768b4e990f05fe6632e81daef265e58d27f

SHA256
481b0b8adea57d92477662c334a2331420f6b40b8afb0860d131636c5f110161

SHA512
6ba9a3c96ab30942beac435f2842ce0c42cfab065d7d4c6ed9dd0d65fb0eecf6a44c1c632437d307140530894fe3d0df19f811360869f072e4858cc43cd9ca77

Download Submit
memory/1244-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1244-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1436-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2348-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2600-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2600-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3080-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3080-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3136-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3136-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3512-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3512-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3644-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3644-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4228-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4228-70-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4280-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4280-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4284-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4284-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4536-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4536-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5108-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5108-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download