7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
Size

64KB
MD5

34bfba5217ca64941b08ae342a9f10f2
SHA1

1c7371ef4e74b44a712fc5572a3f8377e64fbce0
SHA256

7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd
SHA512

ce93fae3640b6d2a60ccbfa3e62faafa920bb45abf7f53e1121cc5f39a17e2028ad6a21f12c237e0abc6a057950095505308016f9332a87272584212237f7336
SSDEEP

192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwtY04/CFxyNhoy5tF:ObLwOs8AHsc4QMfwhKQLro/4/CFsrdF

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe{2A349459-E751-469e-AB81-F2771114FFCB}.exe{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe{F9936154-2001-4370-B620-A325967B31B1}.exe7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A349459-E751-469e-AB81-F2771114FFCB}	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A349459-E751-469e-AB81-F2771114FFCB}\stubpath = "C:\\Windows\\{2A349459-E751-469e-AB81-F2771114FFCB}.exe"	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82BCCB7B-6FD4-421c-86BE-731077A3680C}\stubpath = "C:\\Windows\\{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe"	{2A349459-E751-469e-AB81-F2771114FFCB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}\stubpath = "C:\\Windows\\{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe"	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94FE3FCF-B099-454e-B567-13B2AFE77B96}	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94FE3FCF-B099-454e-B567-13B2AFE77B96}\stubpath = "C:\\Windows\\{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe"	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9936154-2001-4370-B620-A325967B31B1}\stubpath = "C:\\Windows\\{F9936154-2001-4370-B620-A325967B31B1}.exe"	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D5F83DD-AC22-4b2d-AC0F-437241052351}	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D5F83DD-AC22-4b2d-AC0F-437241052351}\stubpath = "C:\\Windows\\{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe"	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}	{F9936154-2001-4370-B620-A325967B31B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9D2D9D0-F12C-4b61-A9B6-730A33284692}	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{82BCCB7B-6FD4-421c-86BE-731077A3680C}	{2A349459-E751-469e-AB81-F2771114FFCB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9936154-2001-4370-B620-A325967B31B1}	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}\stubpath = "C:\\Windows\\{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe"	{F9936154-2001-4370-B620-A325967B31B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9D2D9D0-F12C-4b61-A9B6-730A33284692}\stubpath = "C:\\Windows\\{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe"	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E4F486F-D680-403d-98E5-5D586B44D64A}	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E4F486F-D680-403d-98E5-5D586B44D64A}\stubpath = "C:\\Windows\\{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe"	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}\stubpath = "C:\\Windows\\{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe"	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}\stubpath = "C:\\Windows\\{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe"	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6251062-6077-479b-8038-925204236C2E}	{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A6251062-6077-479b-8038-925204236C2E}\stubpath = "C:\\Windows\\{A6251062-6077-479b-8038-925204236C2E}.exe"	{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe

Executes dropped EXE 12 IoCs

Processes:

{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe{2A349459-E751-469e-AB81-F2771114FFCB}.exe{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe{F9936154-2001-4370-B620-A325967B31B1}.exe{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe{A6251062-6077-479b-8038-925204236C2E}.exe

pid	process
520	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
4312	{2A349459-E751-469e-AB81-F2771114FFCB}.exe
1680	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
3740	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe
2568	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
2056	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
5040	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
4296	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
224	{F9936154-2001-4370-B620-A325967B31B1}.exe
1844	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
3856	{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe
1720	{A6251062-6077-479b-8038-925204236C2E}.exe

Drops file in Windows directory 12 IoCs

Processes:

{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe{F9936154-2001-4370-B620-A325967B31B1}.exe{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe{2A349459-E751-469e-AB81-F2771114FFCB}.exe{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe

description	ioc	process
File created	C:\Windows\{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
File created	C:\Windows\{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
File created	C:\Windows\{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
File created	C:\Windows\{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
File created	C:\Windows\{F9936154-2001-4370-B620-A325967B31B1}.exe	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
File created	C:\Windows\{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe	{F9936154-2001-4370-B620-A325967B31B1}.exe
File created	C:\Windows\{2A349459-E751-469e-AB81-F2771114FFCB}.exe	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
File created	C:\Windows\{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe	{2A349459-E751-469e-AB81-F2771114FFCB}.exe
File created	C:\Windows\{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
File created	C:\Windows\{A6251062-6077-479b-8038-925204236C2E}.exe	{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe
File created	C:\Windows\{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
File created	C:\Windows\{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe{2A349459-E751-469e-AB81-F2771114FFCB}.exe{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe{F9936154-2001-4370-B620-A325967B31B1}.exe{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1740	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
Token: SeIncBasePriorityPrivilege	520	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
Token: SeIncBasePriorityPrivilege	4312	{2A349459-E751-469e-AB81-F2771114FFCB}.exe
Token: SeIncBasePriorityPrivilege	1680	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
Token: SeIncBasePriorityPrivilege	3740	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe
Token: SeIncBasePriorityPrivilege	2568	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
Token: SeIncBasePriorityPrivilege	2056	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
Token: SeIncBasePriorityPrivilege	5040	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
Token: SeIncBasePriorityPrivilege	4296	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
Token: SeIncBasePriorityPrivilege	224	{F9936154-2001-4370-B620-A325967B31B1}.exe
Token: SeIncBasePriorityPrivilege	1844	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
Token: SeIncBasePriorityPrivilege	3856	{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 1740 wrote to memory of 520	1740	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
PID 1740 wrote to memory of 520	1740	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
PID 1740 wrote to memory of 520	1740	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
PID 1740 wrote to memory of 2700	1740	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	cmd.exe
PID 1740 wrote to memory of 2700	1740	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	cmd.exe
PID 1740 wrote to memory of 2700	1740	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	cmd.exe
PID 520 wrote to memory of 4312	520	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe	{2A349459-E751-469e-AB81-F2771114FFCB}.exe
PID 520 wrote to memory of 4312	520	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe	{2A349459-E751-469e-AB81-F2771114FFCB}.exe
PID 520 wrote to memory of 4312	520	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe	{2A349459-E751-469e-AB81-F2771114FFCB}.exe
PID 520 wrote to memory of 4708	520	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe	cmd.exe
PID 520 wrote to memory of 4708	520	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe	cmd.exe
PID 520 wrote to memory of 4708	520	{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe	cmd.exe
PID 4312 wrote to memory of 1680	4312	{2A349459-E751-469e-AB81-F2771114FFCB}.exe	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
PID 4312 wrote to memory of 1680	4312	{2A349459-E751-469e-AB81-F2771114FFCB}.exe	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
PID 4312 wrote to memory of 1680	4312	{2A349459-E751-469e-AB81-F2771114FFCB}.exe	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
PID 4312 wrote to memory of 2308	4312	{2A349459-E751-469e-AB81-F2771114FFCB}.exe	cmd.exe
PID 4312 wrote to memory of 2308	4312	{2A349459-E751-469e-AB81-F2771114FFCB}.exe	cmd.exe
PID 4312 wrote to memory of 2308	4312	{2A349459-E751-469e-AB81-F2771114FFCB}.exe	cmd.exe
PID 1680 wrote to memory of 3740	1680	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe
PID 1680 wrote to memory of 3740	1680	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe
PID 1680 wrote to memory of 3740	1680	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe
PID 1680 wrote to memory of 2996	1680	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe	cmd.exe
PID 1680 wrote to memory of 2996	1680	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe	cmd.exe
PID 1680 wrote to memory of 2996	1680	{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe	cmd.exe
PID 3740 wrote to memory of 2568	3740	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
PID 3740 wrote to memory of 2568	3740	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
PID 3740 wrote to memory of 2568	3740	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
PID 3740 wrote to memory of 2992	3740	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe	cmd.exe
PID 3740 wrote to memory of 2992	3740	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe	cmd.exe
PID 3740 wrote to memory of 2992	3740	{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe	cmd.exe
PID 2568 wrote to memory of 2056	2568	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
PID 2568 wrote to memory of 2056	2568	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
PID 2568 wrote to memory of 2056	2568	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
PID 2568 wrote to memory of 3952	2568	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe	cmd.exe
PID 2568 wrote to memory of 3952	2568	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe	cmd.exe
PID 2568 wrote to memory of 3952	2568	{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe	cmd.exe
PID 2056 wrote to memory of 5040	2056	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
PID 2056 wrote to memory of 5040	2056	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
PID 2056 wrote to memory of 5040	2056	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
PID 2056 wrote to memory of 2148	2056	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe	cmd.exe
PID 2056 wrote to memory of 2148	2056	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe	cmd.exe
PID 2056 wrote to memory of 2148	2056	{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe	cmd.exe
PID 5040 wrote to memory of 4296	5040	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
PID 5040 wrote to memory of 4296	5040	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
PID 5040 wrote to memory of 4296	5040	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
PID 5040 wrote to memory of 1940	5040	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe	cmd.exe
PID 5040 wrote to memory of 1940	5040	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe	cmd.exe
PID 5040 wrote to memory of 1940	5040	{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe	cmd.exe
PID 4296 wrote to memory of 224	4296	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe	{F9936154-2001-4370-B620-A325967B31B1}.exe
PID 4296 wrote to memory of 224	4296	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe	{F9936154-2001-4370-B620-A325967B31B1}.exe
PID 4296 wrote to memory of 224	4296	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe	{F9936154-2001-4370-B620-A325967B31B1}.exe
PID 4296 wrote to memory of 3616	4296	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe	cmd.exe
PID 4296 wrote to memory of 3616	4296	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe	cmd.exe
PID 4296 wrote to memory of 3616	4296	{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe	cmd.exe
PID 224 wrote to memory of 1844	224	{F9936154-2001-4370-B620-A325967B31B1}.exe	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
PID 224 wrote to memory of 1844	224	{F9936154-2001-4370-B620-A325967B31B1}.exe	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
PID 224 wrote to memory of 1844	224	{F9936154-2001-4370-B620-A325967B31B1}.exe	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
PID 224 wrote to memory of 2976	224	{F9936154-2001-4370-B620-A325967B31B1}.exe	cmd.exe
PID 224 wrote to memory of 2976	224	{F9936154-2001-4370-B620-A325967B31B1}.exe	cmd.exe
PID 224 wrote to memory of 2976	224	{F9936154-2001-4370-B620-A325967B31B1}.exe	cmd.exe
PID 1844 wrote to memory of 3856	1844	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe	{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe
PID 1844 wrote to memory of 3856	1844	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe	{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe
PID 1844 wrote to memory of 3856	1844	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe	{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe
PID 1844 wrote to memory of 4044	1844	{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
"C:\Users\Admin\AppData\Local\Temp\7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
C:\Windows\{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\{2A349459-E751-469e-AB81-F2771114FFCB}.exe
C:\Windows\{2A349459-E751-469e-AB81-F2771114FFCB}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
C:\Windows\{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe
C:\Windows\{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3740

C:\Windows\{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
C:\Windows\{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
C:\Windows\{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Windows\{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
C:\Windows\{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040

C:\Windows\{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
C:\Windows\{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\{F9936154-2001-4370-B620-A325967B31B1}.exe
C:\Windows\{F9936154-2001-4370-B620-A325967B31B1}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
C:\Windows\{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1844

C:\Windows\{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe
C:\Windows\{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3856

C:\Windows\{A6251062-6077-479b-8038-925204236C2E}.exe
C:\Windows\{A6251062-6077-479b-8038-925204236C2E}.exe
13⤵
- Executes dropped EXE
PID:1720

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E293A~1.EXE > nul
13⤵
PID:3804

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{51E6B~1.EXE > nul
12⤵
PID:4044

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F9936~1.EXE > nul
11⤵
PID:2976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{94FE3~1.EXE > nul
10⤵
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BC4B8~1.EXE > nul
9⤵
PID:1940

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7D5F8~1.EXE > nul
8⤵
PID:2148

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8E4F4~1.EXE > nul
7⤵
PID:3952

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{29EEE~1.EXE > nul
6⤵
PID:2992

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{82BCC~1.EXE > nul
5⤵
PID:2996

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2A349~1.EXE > nul
4⤵
PID:2308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F9D2D~1.EXE > nul
3⤵
PID:4708

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7F44F4~1.EXE > nul
2⤵
PID:2700

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{29EEE028-4E7A-4985-B7EB-27C563E2CDC1}.exe
Filesize
64KB

MD5
76bc2ba8db222e0ba7cea8ac8b3e9966

SHA1
1ec3f30076ccf6c57fdece6a4c9a057994d742f5

SHA256
3b201ff7f2ce9113a6b517954763f8761688bcea7afb8b1c60415a39757e649b

SHA512
8cc5f65df3553fee5f7e52af196f364f6c9c45d98ee8879c8367319464e6d2ca0ae4121b9cb8b2a3d036e059eb530746cda3d2c22071d1a6f2c19699c515f8b5

Download Submit
C:\Windows\{2A349459-E751-469e-AB81-F2771114FFCB}.exe
Filesize
64KB

MD5
6681a2ce336f5c006bd8c5331a842d42

SHA1
b8b5972c95e9228bfbf3f4f47cfa179b73ecc4de

SHA256
9ee1b45e74c7ca0629ecf555df039f88d326014411a20512d896234dae83fb8e

SHA512
6a8c7e77a7385840a96e6d9d78eb5a948ff5409dd4967def9cd3f9c1ae89d48b65276aff407556bb56ba2c405cea528a47284ba6cd4baf0ec6fc587b9b33b4b1

Download Submit
C:\Windows\{51E6BEF0-A62D-4fe9-8C80-2218ED3305B3}.exe
Filesize
64KB

MD5
ff20a56c013d739965c984b8c8e4f3f5

SHA1
c8570320f4d955e3067fd4edefd8dc24685c97fa

SHA256
3ebefb33d196b601f4e49652c130062c26fcbcb7ea4eae74bf054c9389895bfc

SHA512
6b3428a482c5c481e70aae3f2c15d4adac269528151d540c2612f2045f75fc3d9f29dbfc0593123e21f3e84d1f444945524dea5306f6cdd764c4d5a3a032db7d

Download Submit
C:\Windows\{7D5F83DD-AC22-4b2d-AC0F-437241052351}.exe
Filesize
64KB

MD5
d1d0de8eb0c1e7e2d3818e9ee7a7a23c

SHA1
67b17d620e8d5280cc2c8b7251ba26643546e900

SHA256
f5e93c2ce67562200e1832f33c0b26cb2eb4d6d7d24eb918cc72e1e2d40a4de2

SHA512
3a2745664840655c973fab6465eec13e34a8a2dfe4802ba9f9e77af15a61df434ae2f7859fe1f645815338fbe67b8380c00de3acee65a2fe3a561b2b3b57a70d

Download Submit
C:\Windows\{82BCCB7B-6FD4-421c-86BE-731077A3680C}.exe
Filesize
64KB

MD5
4fee49d631bb5d466be53cbf3180c643

SHA1
9c97df0c93b7f5f7d16fb9e155661856a162fa35

SHA256
3ab0e026d3665e644a24317b6d19c10360188e45f06a460859457ca00607ef85

SHA512
259ad7ec7c9b63277df1031e3f9e8223f8cdd67672d46da3d4263eb41d08ed2ba0be0e46de82b4f1d7e048f1a0ad7b6ff463059495f98604e63e5ab3a67a00a7

Download Submit
C:\Windows\{8E4F486F-D680-403d-98E5-5D586B44D64A}.exe
Filesize
64KB

MD5
71f9392f6367cdae69912d2455e115ee

SHA1
35e3e1abae017392ab84855304f5cc081f8f313a

SHA256
eddedc3d064c756ea3f7521a9139cb591e3aa5e8f7cb443b8ad7dccf9ac9a7da

SHA512
b41afce47ee4be3e8305781e158fe455cbb1a9bd2a7161fa7f183ccf3b80aa36e0ae1f9b10dbf2058eed6cfc71d5d4e9867d350e49189e8ebf64681009e4fa59

Download Submit
C:\Windows\{94FE3FCF-B099-454e-B567-13B2AFE77B96}.exe
Filesize
64KB

MD5
b681f8cbc1fec8fd8c9cb39f87b5ad7b

SHA1
7a9d3d127cc2f5910dd0a354e82dfb58e09fbf46

SHA256
115af53815cae55a6b6accbce1c4da1cf3a28ac6326538ff33197a82de8a00c0

SHA512
5425f0d10d554419294d3ca3b850d2f19fb232d7982e59c5413844ebf0af68b68f17e429a78413c6d658c611b677b56eeb690f89fadc535f43b20ce9c49939fb

Download Submit
C:\Windows\{A6251062-6077-479b-8038-925204236C2E}.exe
Filesize
64KB

MD5
aeabab64fcfa3ed99f8fa8f7a4f45895

SHA1
7005f6a262f2169751ecd878c61f40212d319884

SHA256
7fd8713aeb924ca5efb627450b6755fb3a248df0c85db20c355a6409ff5ab1af

SHA512
093fba8108eee84b8b9f613c5e548b8a43d675872e5c2af83d13ebc94391351c782b39ab9f3410bf75d2452634d1386360ef3db36a4496299c7b797e0c619bc8

Download Submit
C:\Windows\{BC4B8CD1-7F49-42d9-9BC4-4199BDEB3602}.exe
Filesize
64KB

MD5
831406f88da8aa1ec1aeae0bf745bf6e

SHA1
73c94db9e36f49fcbe667dde388daa5bae9043f3

SHA256
9a3d364c8f6ffc8dfb783cdaa87ef53b739e167a08a0a123bfca14bad97542bc

SHA512
db3dee492a4a23e5a109597440785de8cba53689aad2cdb922f812c304b516253c9032245dbb3f0c9e3b09a8a146e9df965df6e252f08662e6dc3babffa8d01a

Download Submit
C:\Windows\{E293AB0F-8042-4d99-8DF5-6FF6F53C1C45}.exe
Filesize
64KB

MD5
5379384ffcedc500c6d6a2557495ff27

SHA1
72591716b6eee6dc98ad118e5372c95bafd5e243

SHA256
ebcbc412b8f7ae494857367dc943b5ef9d7fc366de2ba645740fb3dea5e903d6

SHA512
2bd4598e3e453590061c010f3b9575e9965d8e13954c09a5b381d24e4d61f0480d0d830a97b2377395eb4c137098bd9a225c29b4c53d84a8ffb85b480f966535

Download Submit
C:\Windows\{F9936154-2001-4370-B620-A325967B31B1}.exe
Filesize
64KB

MD5
17010c04ff9c4809f33516022b086be5

SHA1
fce8651ed20b076cf2d521d5e3c2c51918832395

SHA256
cb766345d59707c54ed42b241d23b9ddb13c9882a4be1032a10d50384813aba1

SHA512
45b004ff82f067d83deef116a52c70f17371c18a6034eafb1e7d78228f42a33211bec5d77b158c9ebf997c51d1d9420dbd43d516aa3b2a30244e111902b4287d

Download Submit
C:\Windows\{F9D2D9D0-F12C-4b61-A9B6-730A33284692}.exe
Filesize
64KB

MD5
a592afd2ead47d3b75755aacac08a442

SHA1
71344433925a64eb34651d658579a3cc6ab7a1f3

SHA256
5a43836532a12cf26fdbca021b167c342705c191bdc3a50ed6cd4b3b137254a5

SHA512
05e0e8ca2cdb293aae320141fc64e8bdf43fb5df0d231c45039e7eca384575053dd3adbb1d71f619bb9bdaca3544f7a0284a9bd5228d856784b04ec6641ea945

Download Submit
memory/224-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/224-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/520-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/520-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1680-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1680-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1720-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1740-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1740-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1844-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1844-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2056-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2568-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2568-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3740-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3740-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3856-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3856-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4296-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4296-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4312-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4312-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5040-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5040-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download