12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6

Analysis

max time kernel
149s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe
Size

90KB
MD5

3c849686a1b6f718acd2a5dec301fd1f
SHA1

ffd03f4965e20dd554f635705f39b00d427ea61f
SHA256

12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6
SHA512

81ff85999f51866ae561342caf604033ca894d22ef07eb3b1696a2979806fc413a9b4cd0a9abfa236157c56e147b5992a0aaf0b6e39268ff2ef622bc173159db
SSDEEP

768:5vw981UMhKQLroN4/wQ4pNrfrunMxVFA3b:lEG00oNl3zunMxVS3

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{457BC123-3DE1-4d49-989A-0E2996876874}.exe{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe{787B279B-B889-4037-A0CA-41659D154B17}.exe12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe{9AB93757-1F81-420b-ABD5-13252E427314}.exe{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AB93757-1F81-420b-ABD5-13252E427314}	{457BC123-3DE1-4d49-989A-0E2996876874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}\stubpath = "C:\\Windows\\{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe"	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{214123D1-9A3C-4d9d-9692-BD21E158188C}	{787B279B-B889-4037-A0CA-41659D154B17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}	12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{457BC123-3DE1-4d49-989A-0E2996876874}	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D27C8DC-4633-457d-9746-EFC12F2073D0}	{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F859EDD5-7CF0-4322-8E03-08DC5DED923E}	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{787B279B-B889-4037-A0CA-41659D154B17}	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61932FE0-C5A2-47e9-92CB-76829BD6119A}	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F859EDD5-7CF0-4322-8E03-08DC5DED923E}\stubpath = "C:\\Windows\\{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe"	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{214123D1-9A3C-4d9d-9692-BD21E158188C}\stubpath = "C:\\Windows\\{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe"	{787B279B-B889-4037-A0CA-41659D154B17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}\stubpath = "C:\\Windows\\{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe"	12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AB93757-1F81-420b-ABD5-13252E427314}\stubpath = "C:\\Windows\\{9AB93757-1F81-420b-ABD5-13252E427314}.exe"	{457BC123-3DE1-4d49-989A-0E2996876874}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}	{9AB93757-1F81-420b-ABD5-13252E427314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}\stubpath = "C:\\Windows\\{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe"	{9AB93757-1F81-420b-ABD5-13252E427314}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3D27C8DC-4633-457d-9746-EFC12F2073D0}\stubpath = "C:\\Windows\\{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe"	{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}\stubpath = "C:\\Windows\\{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}.exe"	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{457BC123-3DE1-4d49-989A-0E2996876874}\stubpath = "C:\\Windows\\{457BC123-3DE1-4d49-989A-0E2996876874}.exe"	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61932FE0-C5A2-47e9-92CB-76829BD6119A}\stubpath = "C:\\Windows\\{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe"	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}\stubpath = "C:\\Windows\\{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe"	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{787B279B-B889-4037-A0CA-41659D154B17}\stubpath = "C:\\Windows\\{787B279B-B889-4037-A0CA-41659D154B17}.exe"	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe

Executes dropped EXE 11 IoCs

Processes:

{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe{457BC123-3DE1-4d49-989A-0E2996876874}.exe{9AB93757-1F81-420b-ABD5-13252E427314}.exe{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe{787B279B-B889-4037-A0CA-41659D154B17}.exe{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}.exe

pid	process
2608	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe
436	{457BC123-3DE1-4d49-989A-0E2996876874}.exe
952	{9AB93757-1F81-420b-ABD5-13252E427314}.exe
3064	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe
1692	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe
996	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe
3000	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe
2120	{787B279B-B889-4037-A0CA-41659D154B17}.exe
4692	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe
216	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe
4008	{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}.exe

Drops file in Windows directory 11 IoCs

Processes:

{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe{787B279B-B889-4037-A0CA-41659D154B17}.exe{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe{457BC123-3DE1-4d49-989A-0E2996876874}.exe{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe

description	ioc	process
File created	C:\Windows\{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe
File created	C:\Windows\{787B279B-B889-4037-A0CA-41659D154B17}.exe	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe
File created	C:\Windows\{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe	{787B279B-B889-4037-A0CA-41659D154B17}.exe
File created	C:\Windows\{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe
File created	C:\Windows\{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}.exe	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe
File created	C:\Windows\{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe	12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe
File created	C:\Windows\{457BC123-3DE1-4d49-989A-0E2996876874}.exe	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe
File created	C:\Windows\{9AB93757-1F81-420b-ABD5-13252E427314}.exe	{457BC123-3DE1-4d49-989A-0E2996876874}.exe
File created	C:\Windows\{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe	{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe
File created	C:\Windows\{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe
File created	C:\Windows\{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe{457BC123-3DE1-4d49-989A-0E2996876874}.exe{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe{787B279B-B889-4037-A0CA-41659D154B17}.exe{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	4504	12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe
Token: SeIncBasePriorityPrivilege	2608	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe
Token: SeIncBasePriorityPrivilege	436	{457BC123-3DE1-4d49-989A-0E2996876874}.exe
Token: SeIncBasePriorityPrivilege	1204	{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe
Token: SeIncBasePriorityPrivilege	3064	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe
Token: SeIncBasePriorityPrivilege	1692	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe
Token: SeIncBasePriorityPrivilege	996	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe
Token: SeIncBasePriorityPrivilege	3000	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe
Token: SeIncBasePriorityPrivilege	2120	{787B279B-B889-4037-A0CA-41659D154B17}.exe
Token: SeIncBasePriorityPrivilege	4692	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe
Token: SeIncBasePriorityPrivilege	216	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 4504 wrote to memory of 2608	4504	12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe
PID 4504 wrote to memory of 2608	4504	12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe
PID 4504 wrote to memory of 2608	4504	12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe
PID 4504 wrote to memory of 820	4504	12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe	cmd.exe
PID 4504 wrote to memory of 820	4504	12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe	cmd.exe
PID 4504 wrote to memory of 820	4504	12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe	cmd.exe
PID 2608 wrote to memory of 436	2608	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe	{457BC123-3DE1-4d49-989A-0E2996876874}.exe
PID 2608 wrote to memory of 436	2608	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe	{457BC123-3DE1-4d49-989A-0E2996876874}.exe
PID 2608 wrote to memory of 436	2608	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe	{457BC123-3DE1-4d49-989A-0E2996876874}.exe
PID 2608 wrote to memory of 3660	2608	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe	cmd.exe
PID 2608 wrote to memory of 3660	2608	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe	cmd.exe
PID 2608 wrote to memory of 3660	2608	{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe	cmd.exe
PID 436 wrote to memory of 952	436	{457BC123-3DE1-4d49-989A-0E2996876874}.exe	{9AB93757-1F81-420b-ABD5-13252E427314}.exe
PID 436 wrote to memory of 952	436	{457BC123-3DE1-4d49-989A-0E2996876874}.exe	{9AB93757-1F81-420b-ABD5-13252E427314}.exe
PID 436 wrote to memory of 952	436	{457BC123-3DE1-4d49-989A-0E2996876874}.exe	{9AB93757-1F81-420b-ABD5-13252E427314}.exe
PID 436 wrote to memory of 4452	436	{457BC123-3DE1-4d49-989A-0E2996876874}.exe	cmd.exe
PID 436 wrote to memory of 4452	436	{457BC123-3DE1-4d49-989A-0E2996876874}.exe	cmd.exe
PID 436 wrote to memory of 4452	436	{457BC123-3DE1-4d49-989A-0E2996876874}.exe	cmd.exe
PID 1204 wrote to memory of 3064	1204	{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe
PID 1204 wrote to memory of 3064	1204	{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe
PID 1204 wrote to memory of 3064	1204	{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe
PID 1204 wrote to memory of 2312	1204	{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe	cmd.exe
PID 1204 wrote to memory of 2312	1204	{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe	cmd.exe
PID 1204 wrote to memory of 2312	1204	{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe	cmd.exe
PID 3064 wrote to memory of 1692	3064	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe
PID 3064 wrote to memory of 1692	3064	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe
PID 3064 wrote to memory of 1692	3064	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe
PID 3064 wrote to memory of 4280	3064	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe	cmd.exe
PID 3064 wrote to memory of 4280	3064	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe	cmd.exe
PID 3064 wrote to memory of 4280	3064	{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe	cmd.exe
PID 1692 wrote to memory of 996	1692	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe
PID 1692 wrote to memory of 996	1692	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe
PID 1692 wrote to memory of 996	1692	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe
PID 1692 wrote to memory of 3740	1692	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe	cmd.exe
PID 1692 wrote to memory of 3740	1692	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe	cmd.exe
PID 1692 wrote to memory of 3740	1692	{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe	cmd.exe
PID 996 wrote to memory of 3000	996	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe
PID 996 wrote to memory of 3000	996	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe
PID 996 wrote to memory of 3000	996	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe
PID 996 wrote to memory of 3012	996	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe	cmd.exe
PID 996 wrote to memory of 3012	996	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe	cmd.exe
PID 996 wrote to memory of 3012	996	{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe	cmd.exe
PID 3000 wrote to memory of 2120	3000	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe	{787B279B-B889-4037-A0CA-41659D154B17}.exe
PID 3000 wrote to memory of 2120	3000	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe	{787B279B-B889-4037-A0CA-41659D154B17}.exe
PID 3000 wrote to memory of 2120	3000	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe	{787B279B-B889-4037-A0CA-41659D154B17}.exe
PID 3000 wrote to memory of 432	3000	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe	cmd.exe
PID 3000 wrote to memory of 432	3000	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe	cmd.exe
PID 3000 wrote to memory of 432	3000	{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe	cmd.exe
PID 2120 wrote to memory of 4692	2120	{787B279B-B889-4037-A0CA-41659D154B17}.exe	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe
PID 2120 wrote to memory of 4692	2120	{787B279B-B889-4037-A0CA-41659D154B17}.exe	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe
PID 2120 wrote to memory of 4692	2120	{787B279B-B889-4037-A0CA-41659D154B17}.exe	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe
PID 2120 wrote to memory of 892	2120	{787B279B-B889-4037-A0CA-41659D154B17}.exe	cmd.exe
PID 2120 wrote to memory of 892	2120	{787B279B-B889-4037-A0CA-41659D154B17}.exe	cmd.exe
PID 2120 wrote to memory of 892	2120	{787B279B-B889-4037-A0CA-41659D154B17}.exe	cmd.exe
PID 4692 wrote to memory of 216	4692	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe
PID 4692 wrote to memory of 216	4692	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe
PID 4692 wrote to memory of 216	4692	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe
PID 4692 wrote to memory of 3268	4692	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe	cmd.exe
PID 4692 wrote to memory of 3268	4692	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe	cmd.exe
PID 4692 wrote to memory of 3268	4692	{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe	cmd.exe
PID 216 wrote to memory of 4008	216	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe	{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}.exe
PID 216 wrote to memory of 4008	216	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe	{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}.exe
PID 216 wrote to memory of 4008	216	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe	{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}.exe
PID 216 wrote to memory of 1976	216	{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe
"C:\Users\Admin\AppData\Local\Temp\12c91546a90b0043944d1166a5abb8eff6b00b107bc55f109dab83216ff966b6.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504

C:\Windows\{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe
C:\Windows\{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\{457BC123-3DE1-4d49-989A-0E2996876874}.exe
C:\Windows\{457BC123-3DE1-4d49-989A-0E2996876874}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\{9AB93757-1F81-420b-ABD5-13252E427314}.exe
C:\Windows\{9AB93757-1F81-420b-ABD5-13252E427314}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
PID:952

C:\Windows\{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe
C:\Windows\{9FE0837A-BDF3-4ac0-B5D2-8FC48F383C97}.exe
5⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1204

C:\Windows\{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe
C:\Windows\{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe
C:\Windows\{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe
C:\Windows\{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe
C:\Windows\{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\{787B279B-B889-4037-A0CA-41659D154B17}.exe
C:\Windows\{787B279B-B889-4037-A0CA-41659D154B17}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2120

C:\Windows\{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe
C:\Windows\{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe
C:\Windows\{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:216

C:\Windows\{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}.exe
C:\Windows\{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}.exe
13⤵
- Executes dropped EXE
PID:4008

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F09D9~1.EXE > nul
13⤵
PID:1976

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{21412~1.EXE > nul
12⤵
PID:3268

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{787B2~1.EXE > nul
11⤵
PID:892

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F859E~1.EXE > nul
10⤵
PID:432

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F17E8~1.EXE > nul
9⤵
PID:3012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{61932~1.EXE > nul
8⤵
PID:3740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3D27C~1.EXE > nul
7⤵
PID:4280

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9FE08~1.EXE > nul
6⤵
PID:2312

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{9AB93~1.EXE > nul
5⤵
PID:2964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{457BC~1.EXE > nul
4⤵
PID:4452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B3D0F~1.EXE > nul
3⤵
PID:3660

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\12C915~1.EXE > nul
2⤵
PID:820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{214123D1-9A3C-4d9d-9692-BD21E158188C}.exe

Filesize
90KB

MD5
2cfb17a26096d14b175793d97da9e1d6

SHA1
02222900e1573d9dc1a7620a211f6871feb0bf5e

SHA256
b38e0a2ccec84eeb91390375bdac19f3bd690118975d173ab833a89b48368978

SHA512
cd4c958564b6c5dbd89245dd89e568fa1a6301a9b508d50433fb69a0be931e4a870151ddb0b56a7d5f2ff53e92ea325f071a8df5f1427a53639b16ddcd031e16

Download Submit
C:\Windows\{3D27C8DC-4633-457d-9746-EFC12F2073D0}.exe

Filesize
90KB

MD5
38424c842f2884d2c6930b5291718ede

SHA1
594e58e22f611a6bbd83352e93352b5cbf0806c5

SHA256
929e8465053f8925f930820b8b069ef757b3f9022ccd81058842c1f64c2fd20e

SHA512
5948433c9e6939c915ec3aedece716b7f3c7e051051f77a5843b7cb7e88fbef01c099d7379587f2cfeee11e4ae90cf6857465318c0c489ef945e8f69383cee74

Download Submit
C:\Windows\{457BC123-3DE1-4d49-989A-0E2996876874}.exe

Filesize
90KB

MD5
c0e688f833a068b60c285f5811776067

SHA1
ed5550f32324c3a7ba13e7b20291897f04cdf201

SHA256
e94373cceca3d2ab1f6f475afae9db40276cf673ef0943f354bab8c8672d6254

SHA512
1c04ff17f0c9d0bd47cf9acd81d4483a534520be9304bb77d20a26cf207f0a0f1aa783d18957ce4a53fb7ce5f3e2f2f9e52ec05a1ade601352d7a5760354be33

Download Submit
C:\Windows\{61932FE0-C5A2-47e9-92CB-76829BD6119A}.exe

Filesize
90KB

MD5
eb34ad3f7a16a8c20ad8819b6ca2a915

SHA1
c6df06dc710d120dce6b3cb1c7948b63a50be464

SHA256
208937b051d6cab920865465bdd602f5edc85372d420df2ddd05236ae9ba0d9a

SHA512
99d9d9c3eb012e695f1e108498baf36aef8d8ef87070132a644de382b9031777b5c2bd53ef6f4a6deed7d72e29d63c0b454794510ccf2f95663ad58f7ae2242a

Download Submit
C:\Windows\{787B279B-B889-4037-A0CA-41659D154B17}.exe

Filesize
90KB

MD5
82fdcfa223018ee9d5d8354cc6a7cdee

SHA1
9d4a1ad7fa08aeec4b554a54e50572768c53ceff

SHA256
e165f2aaf881ad314734e034d22fb09c118fe2c720d66f9c5bbd7ad8cc72badd

SHA512
10fddc9003039d13ec48872c03b5b5622bad8671ac05fd52e5734cfd400ab47bd8872fa4ee4c69a17eac4ab0213ae66804b2ca157a19e10ec3adf95d1e052980

Download Submit
C:\Windows\{9AB93757-1F81-420b-ABD5-13252E427314}.exe

Filesize
90KB

MD5
d159f5507e77de5d2ffe37da4c1f481e

SHA1
a7d6c46c1e3084369598a96b091c6633f59d4260

SHA256
c2400f154cd0fe1d1b8be5eca15afa0184d4b88f2e456f74446d85293073544f

SHA512
56c2315dbffc9f35171ece12f603e19ad2026b56375c2d3a13aa815f7cf2aba1f35ebd43b8b7def8a739c45c49fce0f77a7f155e6a9710115907f0e23618349f

Download Submit
C:\Windows\{B3D0F05F-C509-42e2-84B1-A91DFEDFF9A7}.exe

Filesize
90KB

MD5
a83033562db53e259937b4fcba78b67e

SHA1
4ef9ddb748a38f5a61303e6f2a700a49355f60ae

SHA256
8fe3bce4adcab013d5afe7d90157fb6f3a80ed116aefcde8dd7a14ee77592c97

SHA512
0949ca6018880aea22ce5dfa9873e8eadc685793496135930318ed7bf8443ee0db99bdfca3c555ef7a029950e6a56833ba9efaf55fae7e646f23b28797db26f6

Download Submit
C:\Windows\{D7B00D2E-B35A-4101-AFAB-DE1D07E1A831}.exe

Filesize
90KB

MD5
ef2ecbb94d10eea1c47bf13a9b893ecb

SHA1
a48b2cfe8a864a53c497e7282dd1e4dc878da0b8

SHA256
861dd878c3f32dfb77eb5c36989ac577cdd966ead4f3d584694f218bb6443e40

SHA512
33453fb1ed5834634d27bbff3e9694a20219d8003939bb506c863661b605d734f3e6262fc9d31d97d3aa39c496f246924f9bbaf1e5fc60f5a1c6682008bd33ff

Download Submit
C:\Windows\{F09D9ACE-6CDF-42ed-8BF8-0C904897D719}.exe

Filesize
90KB

MD5
473d6885da5b4c8129f5a3c2272feed6

SHA1
6942df3fa27213ea5346938ccd72ac3a62c40b07

SHA256
eff40feedb1333df6d314d9cefde065c3db1bddfff6ed374571cb9bfa920496b

SHA512
791bed3cc54b13083cb9319d72050b66f29f26f81c11a7ed134092e43fb2893309dd53b5dfa91c6d48a89a0f75ffd2322b23eb0bdb4e610b395750c6f1f8ec8e

Download Submit
C:\Windows\{F17E8EF8-C1F3-45d4-AF2E-F6ED65F66CC2}.exe

Filesize
90KB

MD5
2ad451aa59e8a0612856a40301fb0caa

SHA1
e9fec1cf21ac044754f4f4e4f11f0b8d19fd4fae

SHA256
0be3a00c5bee786f7adc7d9bec6089495ce375c30a1e0cfc9a68c1c68c7e76ea

SHA512
aa783809809899777aab0477bf4472dcc3da71481e98aa111d6a3405269c21220a9306e66fdaf3b9876e96244d29d4c026a444c68f19c0ee0112c28c8f59ecc5

Download Submit
C:\Windows\{F859EDD5-7CF0-4322-8E03-08DC5DED923E}.exe

Filesize
90KB

MD5
f9bb59d2e486b8b3b3262262c1b1c278

SHA1
f4b89381c279e672517a0fcbfca699b14f0507e5

SHA256
51de07575cfb68bda7940d6468409540ed7ed02f6d0cb2ded9c31c427b787af7

SHA512
2caa0ab94e6df298bc8d80ee4182c4a70ba45595c925112bd309a7d7475ebbec0984d14012a18745104db28bb98de3662a1e561b926556201e7cc80dfc77d24c

Download Submit
memory/216-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/436-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/436-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/952-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/952-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/996-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1204-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1204-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1692-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1692-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2120-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3000-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3064-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3064-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4008-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4504-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4504-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4692-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4692-57-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download