74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe
Size

98KB
MD5

8b79e64494cf88f07b7540c5fb9edc34
SHA1

85bb15b19b79929bbed8bb07ad36e541d7735e75
SHA256

74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a
SHA512

7fbe33f913b6bf0d8762e56c44751d936ef14e09032c0de60bcc62d0d7e3270463ebb6fb5209ce8a1def6268d5426b95f7ce2a3d96abd8efdc4b6eef127be607
SSDEEP

768:5vw9816thKQLrou4/wQkNrfrunMxVFA3b7glws:lEG/0oulbunMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe{B2111D28-885C-48c9-A055-896A7AE498C3}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{668F7ED8-5BBD-407f-9F33-EA9C9257504A}\stubpath = "C:\\Windows\\{668F7ED8-5BBD-407f-9F33-EA9C9257504A}.exe"	{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0983E865-8F16-42ea-AE80-13F7E2F75230}\stubpath = "C:\\Windows\\{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe"	74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{797DF91D-F4A8-4538-95F0-E32B61DC089A}	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3340677-2968-4f73-9080-17E6A98CA4DD}	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3340677-2968-4f73-9080-17E6A98CA4DD}\stubpath = "C:\\Windows\\{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe"	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2111D28-885C-48c9-A055-896A7AE498C3}\stubpath = "C:\\Windows\\{B2111D28-885C-48c9-A055-896A7AE498C3}.exe"	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0983E865-8F16-42ea-AE80-13F7E2F75230}	74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83DF52C5-49B9-4568-AF9F-C147693DD492}	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}\stubpath = "C:\\Windows\\{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe"	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{668F7ED8-5BBD-407f-9F33-EA9C9257504A}	{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DD712DD-1E40-4196-8D35-19F29833DC80}	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DD712DD-1E40-4196-8D35-19F29833DC80}\stubpath = "C:\\Windows\\{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe"	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB30C3CA-E251-423f-A65B-BBE61C2F3921}	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}\stubpath = "C:\\Windows\\{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe"	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}\stubpath = "C:\\Windows\\{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe"	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{797DF91D-F4A8-4538-95F0-E32B61DC089A}\stubpath = "C:\\Windows\\{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe"	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}\stubpath = "C:\\Windows\\{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe"	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{83DF52C5-49B9-4568-AF9F-C147693DD492}\stubpath = "C:\\Windows\\{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe"	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2111D28-885C-48c9-A055-896A7AE498C3}	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB30C3CA-E251-423f-A65B-BBE61C2F3921}\stubpath = "C:\\Windows\\{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe"	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe

Executes dropped EXE 12 IoCs

Processes:

{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe{B2111D28-885C-48c9-A055-896A7AE498C3}.exe{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe{668F7ED8-5BBD-407f-9F33-EA9C9257504A}.exe

pid	process
4856	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe
5024	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe
3604	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe
2460	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe
2364	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe
4472	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe
3380	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe
3212	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe
4740	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe
1896	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe
4032	{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe
2868	{668F7ED8-5BBD-407f-9F33-EA9C9257504A}.exe

Drops file in Windows directory 12 IoCs

Processes:

{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe{B2111D28-885C-48c9-A055-896A7AE498C3}.exe{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe

description	ioc	process
File created	C:\Windows\{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe
File created	C:\Windows\{B2111D28-885C-48c9-A055-896A7AE498C3}.exe	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe
File created	C:\Windows\{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe
File created	C:\Windows\{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe
File created	C:\Windows\{668F7ED8-5BBD-407f-9F33-EA9C9257504A}.exe	{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe
File created	C:\Windows\{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe
File created	C:\Windows\{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe
File created	C:\Windows\{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe
File created	C:\Windows\{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe
File created	C:\Windows\{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe
File created	C:\Windows\{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe	74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe
File created	C:\Windows\{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe{B2111D28-885C-48c9-A055-896A7AE498C3}.exe{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1160	74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe
Token: SeIncBasePriorityPrivilege	4856	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe
Token: SeIncBasePriorityPrivilege	5024	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe
Token: SeIncBasePriorityPrivilege	3604	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe
Token: SeIncBasePriorityPrivilege	2460	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe
Token: SeIncBasePriorityPrivilege	2364	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe
Token: SeIncBasePriorityPrivilege	4472	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe
Token: SeIncBasePriorityPrivilege	3380	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe
Token: SeIncBasePriorityPrivilege	3212	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe
Token: SeIncBasePriorityPrivilege	4740	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe
Token: SeIncBasePriorityPrivilege	1896	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe
Token: SeIncBasePriorityPrivilege	4032	{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1160 wrote to memory of 4856	1160	74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe
PID 1160 wrote to memory of 4856	1160	74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe
PID 1160 wrote to memory of 4856	1160	74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe
PID 1160 wrote to memory of 3344	1160	74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe	cmd.exe
PID 1160 wrote to memory of 3344	1160	74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe	cmd.exe
PID 1160 wrote to memory of 3344	1160	74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe	cmd.exe
PID 4856 wrote to memory of 5024	4856	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe
PID 4856 wrote to memory of 5024	4856	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe
PID 4856 wrote to memory of 5024	4856	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe
PID 4856 wrote to memory of 2196	4856	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe	cmd.exe
PID 4856 wrote to memory of 2196	4856	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe	cmd.exe
PID 4856 wrote to memory of 2196	4856	{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe	cmd.exe
PID 5024 wrote to memory of 3604	5024	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe
PID 5024 wrote to memory of 3604	5024	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe
PID 5024 wrote to memory of 3604	5024	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe
PID 5024 wrote to memory of 3680	5024	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe	cmd.exe
PID 5024 wrote to memory of 3680	5024	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe	cmd.exe
PID 5024 wrote to memory of 3680	5024	{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe	cmd.exe
PID 3604 wrote to memory of 2460	3604	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe
PID 3604 wrote to memory of 2460	3604	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe
PID 3604 wrote to memory of 2460	3604	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe
PID 3604 wrote to memory of 3180	3604	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe	cmd.exe
PID 3604 wrote to memory of 3180	3604	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe	cmd.exe
PID 3604 wrote to memory of 3180	3604	{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe	cmd.exe
PID 2460 wrote to memory of 2364	2460	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe
PID 2460 wrote to memory of 2364	2460	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe
PID 2460 wrote to memory of 2364	2460	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe
PID 2460 wrote to memory of 1600	2460	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe	cmd.exe
PID 2460 wrote to memory of 1600	2460	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe	cmd.exe
PID 2460 wrote to memory of 1600	2460	{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe	cmd.exe
PID 2364 wrote to memory of 4472	2364	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe
PID 2364 wrote to memory of 4472	2364	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe
PID 2364 wrote to memory of 4472	2364	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe
PID 2364 wrote to memory of 4924	2364	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe	cmd.exe
PID 2364 wrote to memory of 4924	2364	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe	cmd.exe
PID 2364 wrote to memory of 4924	2364	{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe	cmd.exe
PID 4472 wrote to memory of 3380	4472	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe
PID 4472 wrote to memory of 3380	4472	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe
PID 4472 wrote to memory of 3380	4472	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe
PID 4472 wrote to memory of 5064	4472	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe	cmd.exe
PID 4472 wrote to memory of 5064	4472	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe	cmd.exe
PID 4472 wrote to memory of 5064	4472	{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe	cmd.exe
PID 3380 wrote to memory of 3212	3380	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe
PID 3380 wrote to memory of 3212	3380	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe
PID 3380 wrote to memory of 3212	3380	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe
PID 3380 wrote to memory of 1392	3380	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe	cmd.exe
PID 3380 wrote to memory of 1392	3380	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe	cmd.exe
PID 3380 wrote to memory of 1392	3380	{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe	cmd.exe
PID 3212 wrote to memory of 4740	3212	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe
PID 3212 wrote to memory of 4740	3212	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe
PID 3212 wrote to memory of 4740	3212	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe
PID 3212 wrote to memory of 4636	3212	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe	cmd.exe
PID 3212 wrote to memory of 4636	3212	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe	cmd.exe
PID 3212 wrote to memory of 4636	3212	{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe	cmd.exe
PID 4740 wrote to memory of 1896	4740	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe
PID 4740 wrote to memory of 1896	4740	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe
PID 4740 wrote to memory of 1896	4740	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe
PID 4740 wrote to memory of 3920	4740	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe	cmd.exe
PID 4740 wrote to memory of 3920	4740	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe	cmd.exe
PID 4740 wrote to memory of 3920	4740	{B2111D28-885C-48c9-A055-896A7AE498C3}.exe	cmd.exe
PID 1896 wrote to memory of 4032	1896	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe	{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe
PID 1896 wrote to memory of 4032	1896	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe	{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe
PID 1896 wrote to memory of 4032	1896	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe	{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe
PID 1896 wrote to memory of 4944	1896	{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe
"C:\Users\Admin\AppData\Local\Temp\74e3e271d5be0f82dee2a0b1f7bec99f498e123860a69bc80a58cd521cf9324a.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe
C:\Windows\{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4856

C:\Windows\{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe
C:\Windows\{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe
C:\Windows\{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3604

C:\Windows\{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe
C:\Windows\{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460

C:\Windows\{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe
C:\Windows\{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364

C:\Windows\{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe
C:\Windows\{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4472

C:\Windows\{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe
C:\Windows\{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3380

C:\Windows\{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe
C:\Windows\{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3212

C:\Windows\{B2111D28-885C-48c9-A055-896A7AE498C3}.exe
C:\Windows\{B2111D28-885C-48c9-A055-896A7AE498C3}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe
C:\Windows\{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1896

C:\Windows\{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe
C:\Windows\{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\{668F7ED8-5BBD-407f-9F33-EA9C9257504A}.exe
C:\Windows\{668F7ED8-5BBD-407f-9F33-EA9C9257504A}.exe
13⤵
- Executes dropped EXE
PID:2868

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A1745~1.EXE > nul
13⤵
PID:4276

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FB30C~1.EXE > nul
12⤵
PID:4944

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B2111~1.EXE > nul
11⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D3340~1.EXE > nul
10⤵
PID:4636

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4A34B~1.EXE > nul
9⤵
PID:1392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{83DF5~1.EXE > nul
8⤵
PID:5064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BE595~1.EXE > nul
7⤵
PID:4924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{797DF~1.EXE > nul
6⤵
PID:1600

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1FA86~1.EXE > nul
5⤵
PID:3180

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7DD71~1.EXE > nul
4⤵
PID:3680

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0983E~1.EXE > nul
3⤵
PID:2196

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\74E3E2~1.EXE > nul
2⤵
PID:3344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0983E865-8F16-42ea-AE80-13F7E2F75230}.exe

Filesize
98KB

MD5
de62c6ccee552376c576142ecc7d3ef4

SHA1
d704ac0249e7d90ef8e262caa3f4cf80b02db669

SHA256
7f12be3f7c7a494bdcfaae28e72c114f5d9873d6cd4d1e7bb58159de134318e3

SHA512
5059b6fee27d9f89283334e853380bbea5f5814c4f67f108ddae71c51162e2ce999c995de9e60f060ec243b20e76f28fd4fffcfb44508e9a77df1136d95d68b1

Download Submit
C:\Windows\{1FA86654-6A9D-4131-81E4-7A6156DB7EE4}.exe

Filesize
98KB

MD5
386613f6c553967fb6a7d25b68bd470a

SHA1
60e1fbd1771acc731b460aacdafdd9b781789eee

SHA256
a270710c5cc6ebb39ec048477f271da9116edbab699eab9086e3a8e907af2c0e

SHA512
c1211ebecee01c3942a27762c9c3b128a18f725379272c1c8972858e020a3a24088777eb7e80a520881dc1facdbb950176067aaacf9815a5117003673690bcfc

Download Submit
C:\Windows\{4A34B8AF-4319-4c5e-9370-D47C38D3C64C}.exe

Filesize
98KB

MD5
efa1304a795b8828050b7399baedd222

SHA1
7145b0b6b73940f6bec58411af8a25e3a3155c77

SHA256
140b41ed6187553c7e8d0717483168068b0158db978f34a5082c67ef37531b50

SHA512
26357487da8c03916a698244aed6fcfde5582e034a63f5a8a140246c9649cfd5e5f3d462b0c3a82cb4d7176586401c07ff63e7797ed9e04e63b1437e9ea2ce1a

Download Submit
C:\Windows\{668F7ED8-5BBD-407f-9F33-EA9C9257504A}.exe

Filesize
98KB

MD5
c803c347f5f018f4c25d59297b32465f

SHA1
a8ab46d6df4a4c71da0fed98a44aaee37ab68e45

SHA256
cdb2937cfee9bc21e74a8eeff5601e8e86bc92a74db3d998e5b551d5d3457259

SHA512
00c229b5a8032120b3acf910ec42c813490aad95bd29e9d5fb0f9d3c1cba8cb2d3d320c55b9be21ce2c33570eb7e01d3479fe95c79ee7a71472d9e649dd28a33

Download Submit
C:\Windows\{797DF91D-F4A8-4538-95F0-E32B61DC089A}.exe

Filesize
98KB

MD5
284de5c280b96ad6a484d75d63a36eb0

SHA1
37d3d675c19fa13054f9d1a46581214959ce7455

SHA256
81f0aecbfd956a12470bfc2e94e114dcc8c1eeb3e14789d1d9f2d578bc55676a

SHA512
6b3f21ed163fd41bc9c21cd1c14fa19e44e03f486c85bcc31998b44d5335d847fb6986d2d375608d5b7cde21ea9a84a6119276c2cb2c25e497719e450514e58d

Download Submit
C:\Windows\{7DD712DD-1E40-4196-8D35-19F29833DC80}.exe

Filesize
98KB

MD5
081f11592f9e30424d067125146cc354

SHA1
7aff544b9388aff2fa8ec9530776ed2b5960d601

SHA256
1f55f8f29d99dd532e4239134351de95f88e578fb8c451b39aff6daec215596f

SHA512
f7fa62916976d743e3b38b94aff0a6ebea7b7313211366547ce09ad3e3aae23884c68162334ea85a8db999059ba807428a4953d28b979de7ab5803b9ce3ae6bb

Download Submit
C:\Windows\{83DF52C5-49B9-4568-AF9F-C147693DD492}.exe

Filesize
98KB

MD5
b4d1988996430edbfc6295a9c0516cc8

SHA1
54fac3f7b00f1163e86490261f58483fdf879eaa

SHA256
beba19f187aeacd532d5457dbc74c21326e4fdb5bb7a5be80dfb947f3fc80067

SHA512
ba65f8c21e690b4a18be8276ba2e8b66e3837e26699afbe7468ac597a69d2bad064adbbad2f1cffafdd2930013c74889b09610efceb5d475bd09109f929930b9

Download Submit
C:\Windows\{A1745B04-A6F1-4c0d-ABCD-B56A6F18CD35}.exe

Filesize
98KB

MD5
eac5c2c09bf0873238726f0fe9186581

SHA1
6a35e1c7092e0417cdb6758d2d4da17a0b3b177b

SHA256
6672cd1dea27a52e8cc1299a9e6744b82c5bc06b2a9e1a10a6dd68f0f184e878

SHA512
a6106878941b80c8121576b81ea990eede987f99e6342e93ed14642799500cd83b5f2c76e2bef1eb2d52ebe63a51f5a6ee36c3d1aaac3cfa35161919bebaecb8

Download Submit
C:\Windows\{B2111D28-885C-48c9-A055-896A7AE498C3}.exe

Filesize
98KB

MD5
2cd2320fc1a7bea33ef55710debbbd65

SHA1
0c973b64cc345a3df2fa6e5557af25718e454be4

SHA256
286b960145f0ffa5e3437d3a1cc17c98067e9ce76e5c72794a0a707529425319

SHA512
a496ea07f1bc7b791ace4297fdfe393b89b832c4fe0ab8bdd604156dbd4eb00ceac81940a6156aae9989a6a6e86e4104708232b36806f5f87f433c8ba8cd7e8c

Download Submit
C:\Windows\{BE595D9E-D06F-48a8-B505-577D9D4BC1B9}.exe

Filesize
98KB

MD5
06f304940e5612e85fa8d0233362996d

SHA1
6c42d3f4d1f87fec3e5a87b9d4c43fcfecd222df

SHA256
35a908fadcc95ea58bda01d793162d09bb1563d17877da1c5c72c3776cb85624

SHA512
967b3fec7aaa84a1a5ab1cff864ff3475b50da782a2dc90c36b5627e65c3a6002ce6effd94d45327f9872e1a55be2929a3154a74cb7421ab82750c8cdbb53b5a

Download Submit
C:\Windows\{D3340677-2968-4f73-9080-17E6A98CA4DD}.exe

Filesize
98KB

MD5
781124bc6189e2e79b06eedca4685b42

SHA1
7409cb029d59b86aa9e75a607ea245c96a2ac191

SHA256
9adf172eadafa7908a6be9874888297a28d6653ae50430d70f2c7d1de496ec37

SHA512
b931877ffee7d790b30c3e14141e99ad393a1f7b22ff20509ba2f3ed97110456d7117e481a65a6ff1fb682f4cab42360fb62b39d0cc29947062b5bb498a04d3c

Download Submit
C:\Windows\{FB30C3CA-E251-423f-A65B-BBE61C2F3921}.exe

Filesize
98KB

MD5
dc158abfd44a8037e0b7f2a3b7f0af27

SHA1
3f51d9340de4cb3ca65b62f19540be26a845a49b

SHA256
123d8980cda76115dbcc2848c2e80996410f9bac1abcb0b65ef183543341e3c7

SHA512
aa0a548b2f36f81fbd2af58fe03a4d8943b1de6035e32d7a26e1a13c8e22cb1fc7abb7b08dc0be87e3414b4d0143e69b431cc137b06c37ce4ab51acf19e604d9

Download Submit
memory/1160-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1160-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1896-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1896-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2364-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2364-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2460-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2460-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2868-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3212-45-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3212-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3380-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3604-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3604-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4032-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4032-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4472-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4740-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4856-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4856-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5024-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5024-15-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download