38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 20:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe
Size

90KB
MD5

f535e0785a5bc873f14ed58062b50d32
SHA1

e5dfd90b4df5a07efdf3da0b175e6129b840250e
SHA256

38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13
SHA512

80d77f7c8be28de1aa98f20a689f89b75c2fb35f63775ca32fcc397e4553867bef590eb401365d8e874dbea8035252e7c6c4c486edd8f28b59b3f2df64ef98d7
SSDEEP

768:Qvw9816vhKQLroi4/wQRNrfrunMxVFA3b7glws:YEGh0oil2unMxVS3Hgz

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe{696D0C96-0338-48c5-83F5-4B523A368851}.exe{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{696D0C96-0338-48c5-83F5-4B523A368851}	38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}\stubpath = "C:\\Windows\\{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe"	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}\stubpath = "C:\\Windows\\{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe"	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B374389-6E13-4d14-9E47-D9D23A30CE0A}	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}\stubpath = "C:\\Windows\\{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe"	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}\stubpath = "C:\\Windows\\{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe"	{696D0C96-0338-48c5-83F5-4B523A368851}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D47AE181-89EF-4e09-B7B1-19A520D32CD8}\stubpath = "C:\\Windows\\{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe"	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5296929F-6D59-43cb-8540-B650E3598203}\stubpath = "C:\\Windows\\{5296929F-6D59-43cb-8540-B650E3598203}.exe"	{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00386AB7-DCD5-4fc8-BD3D-87C64E444090}	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{696D0C96-0338-48c5-83F5-4B523A368851}\stubpath = "C:\\Windows\\{696D0C96-0338-48c5-83F5-4B523A368851}.exe"	38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}	{696D0C96-0338-48c5-83F5-4B523A368851}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB4FEBED-3EC0-4f52-8407-969296B3F08D}	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB4FEBED-3EC0-4f52-8407-969296B3F08D}\stubpath = "C:\\Windows\\{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe"	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5296929F-6D59-43cb-8540-B650E3598203}	{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}\stubpath = "C:\\Windows\\{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe"	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B374389-6E13-4d14-9E47-D9D23A30CE0A}\stubpath = "C:\\Windows\\{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe"	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00386AB7-DCD5-4fc8-BD3D-87C64E444090}\stubpath = "C:\\Windows\\{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe"	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D47AE181-89EF-4e09-B7B1-19A520D32CD8}	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}\stubpath = "C:\\Windows\\{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe"	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe

Executes dropped EXE 12 IoCs

Processes:

{696D0C96-0338-48c5-83F5-4B523A368851}.exe{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe{5296929F-6D59-43cb-8540-B650E3598203}.exe

pid	process
4144	{696D0C96-0338-48c5-83F5-4B523A368851}.exe
4284	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe
4568	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe
2748	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe
4548	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe
2676	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe
1988	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe
3144	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe
4968	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe
1820	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe
4164	{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe
1792	{5296929F-6D59-43cb-8540-B650E3598203}.exe

Drops file in Windows directory 12 IoCs

Processes:

{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe{696D0C96-0338-48c5-83F5-4B523A368851}.exe{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe

description	ioc	process
File created	C:\Windows\{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe
File created	C:\Windows\{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe
File created	C:\Windows\{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe
File created	C:\Windows\{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe
File created	C:\Windows\{696D0C96-0338-48c5-83F5-4B523A368851}.exe	38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe
File created	C:\Windows\{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe	{696D0C96-0338-48c5-83F5-4B523A368851}.exe
File created	C:\Windows\{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe
File created	C:\Windows\{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe
File created	C:\Windows\{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe
File created	C:\Windows\{5296929F-6D59-43cb-8540-B650E3598203}.exe	{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe
File created	C:\Windows\{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe
File created	C:\Windows\{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe{696D0C96-0338-48c5-83F5-4B523A368851}.exe{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	832	38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe
Token: SeIncBasePriorityPrivilege	4144	{696D0C96-0338-48c5-83F5-4B523A368851}.exe
Token: SeIncBasePriorityPrivilege	4284	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe
Token: SeIncBasePriorityPrivilege	4568	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe
Token: SeIncBasePriorityPrivilege	2748	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe
Token: SeIncBasePriorityPrivilege	4548	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe
Token: SeIncBasePriorityPrivilege	2676	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe
Token: SeIncBasePriorityPrivilege	1988	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe
Token: SeIncBasePriorityPrivilege	3144	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe
Token: SeIncBasePriorityPrivilege	4968	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe
Token: SeIncBasePriorityPrivilege	1820	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe
Token: SeIncBasePriorityPrivilege	4164	{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 832 wrote to memory of 4144	832	38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe	{696D0C96-0338-48c5-83F5-4B523A368851}.exe
PID 832 wrote to memory of 4144	832	38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe	{696D0C96-0338-48c5-83F5-4B523A368851}.exe
PID 832 wrote to memory of 4144	832	38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe	{696D0C96-0338-48c5-83F5-4B523A368851}.exe
PID 832 wrote to memory of 3588	832	38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe	cmd.exe
PID 832 wrote to memory of 3588	832	38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe	cmd.exe
PID 832 wrote to memory of 3588	832	38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe	cmd.exe
PID 4144 wrote to memory of 4284	4144	{696D0C96-0338-48c5-83F5-4B523A368851}.exe	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe
PID 4144 wrote to memory of 4284	4144	{696D0C96-0338-48c5-83F5-4B523A368851}.exe	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe
PID 4144 wrote to memory of 4284	4144	{696D0C96-0338-48c5-83F5-4B523A368851}.exe	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe
PID 4144 wrote to memory of 2504	4144	{696D0C96-0338-48c5-83F5-4B523A368851}.exe	cmd.exe
PID 4144 wrote to memory of 2504	4144	{696D0C96-0338-48c5-83F5-4B523A368851}.exe	cmd.exe
PID 4144 wrote to memory of 2504	4144	{696D0C96-0338-48c5-83F5-4B523A368851}.exe	cmd.exe
PID 4284 wrote to memory of 4568	4284	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe
PID 4284 wrote to memory of 4568	4284	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe
PID 4284 wrote to memory of 4568	4284	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe
PID 4284 wrote to memory of 1824	4284	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe	cmd.exe
PID 4284 wrote to memory of 1824	4284	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe	cmd.exe
PID 4284 wrote to memory of 1824	4284	{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe	cmd.exe
PID 4568 wrote to memory of 2748	4568	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe
PID 4568 wrote to memory of 2748	4568	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe
PID 4568 wrote to memory of 2748	4568	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe
PID 4568 wrote to memory of 4540	4568	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe	cmd.exe
PID 4568 wrote to memory of 4540	4568	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe	cmd.exe
PID 4568 wrote to memory of 4540	4568	{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe	cmd.exe
PID 2748 wrote to memory of 4548	2748	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe
PID 2748 wrote to memory of 4548	2748	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe
PID 2748 wrote to memory of 4548	2748	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe
PID 2748 wrote to memory of 3568	2748	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe	cmd.exe
PID 2748 wrote to memory of 3568	2748	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe	cmd.exe
PID 2748 wrote to memory of 3568	2748	{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe	cmd.exe
PID 4548 wrote to memory of 2676	4548	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe
PID 4548 wrote to memory of 2676	4548	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe
PID 4548 wrote to memory of 2676	4548	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe
PID 4548 wrote to memory of 1840	4548	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe	cmd.exe
PID 4548 wrote to memory of 1840	4548	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe	cmd.exe
PID 4548 wrote to memory of 1840	4548	{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe	cmd.exe
PID 2676 wrote to memory of 1988	2676	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe
PID 2676 wrote to memory of 1988	2676	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe
PID 2676 wrote to memory of 1988	2676	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe
PID 2676 wrote to memory of 1640	2676	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe	cmd.exe
PID 2676 wrote to memory of 1640	2676	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe	cmd.exe
PID 2676 wrote to memory of 1640	2676	{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe	cmd.exe
PID 1988 wrote to memory of 3144	1988	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe
PID 1988 wrote to memory of 3144	1988	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe
PID 1988 wrote to memory of 3144	1988	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe
PID 1988 wrote to memory of 4060	1988	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe	cmd.exe
PID 1988 wrote to memory of 4060	1988	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe	cmd.exe
PID 1988 wrote to memory of 4060	1988	{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe	cmd.exe
PID 3144 wrote to memory of 4968	3144	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe
PID 3144 wrote to memory of 4968	3144	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe
PID 3144 wrote to memory of 4968	3144	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe
PID 3144 wrote to memory of 4896	3144	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe	cmd.exe
PID 3144 wrote to memory of 4896	3144	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe	cmd.exe
PID 3144 wrote to memory of 4896	3144	{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe	cmd.exe
PID 4968 wrote to memory of 1820	4968	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe
PID 4968 wrote to memory of 1820	4968	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe
PID 4968 wrote to memory of 1820	4968	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe
PID 4968 wrote to memory of 4828	4968	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe	cmd.exe
PID 4968 wrote to memory of 4828	4968	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe	cmd.exe
PID 4968 wrote to memory of 4828	4968	{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe	cmd.exe
PID 1820 wrote to memory of 4164	1820	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe	{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe
PID 1820 wrote to memory of 4164	1820	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe	{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe
PID 1820 wrote to memory of 4164	1820	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe	{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe
PID 1820 wrote to memory of 336	1820	{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe
"C:\Users\Admin\AppData\Local\Temp\38f0e03d8d24dcdeff6bb71adb7cd8498a7652219711a4858d229b885af2ed13.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\{696D0C96-0338-48c5-83F5-4B523A368851}.exe
C:\Windows\{696D0C96-0338-48c5-83F5-4B523A368851}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4144

C:\Windows\{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe
C:\Windows\{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4284

C:\Windows\{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe
C:\Windows\{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568

C:\Windows\{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe
C:\Windows\{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2748

C:\Windows\{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe
C:\Windows\{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe
C:\Windows\{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe
C:\Windows\{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe
C:\Windows\{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe
C:\Windows\{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe
C:\Windows\{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1820

C:\Windows\{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe
C:\Windows\{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\{5296929F-6D59-43cb-8540-B650E3598203}.exe
C:\Windows\{5296929F-6D59-43cb-8540-B650E3598203}.exe
13⤵
- Executes dropped EXE
PID:1792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0A9A2~1.EXE > nul
13⤵
PID:1900

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D47AE~1.EXE > nul
12⤵
PID:336

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{00386~1.EXE > nul
11⤵
PID:4828

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C4EB3~1.EXE > nul
10⤵
PID:4896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{5B374~1.EXE > nul
9⤵
PID:4060

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8ABCB~1.EXE > nul
8⤵
PID:1640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{D52EA~1.EXE > nul
7⤵
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{709E2~1.EXE > nul
6⤵
PID:3568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AB4FE~1.EXE > nul
5⤵
PID:4540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{96BC0~1.EXE > nul
4⤵
PID:1824

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{696D0~1.EXE > nul
3⤵
PID:2504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\38F0E0~1.EXE > nul
2⤵
PID:3588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00386AB7-DCD5-4fc8-BD3D-87C64E444090}.exe

Filesize
90KB

MD5
fa419aca02a884c7e892a98551114fb9

SHA1
6a37c0efcd48a4ee6543ed0a5f906faa39807a06

SHA256
162d472dc486f8022bf15d338a0a136c247f44d3e99027bc815f5fb169c5c234

SHA512
cc57108ebd0d17258a04dcb8b9b96fe0fcf6509f6850ba3f1bb6b6c00db3cf01d6b8c389a841acfc2cd8c23b32edb97b4d63485f6ba70b899834a6025c1a756d

Download Submit
C:\Windows\{0A9A2AC4-FCD9-4f2f-867A-07943EA06EAD}.exe

Filesize
90KB

MD5
01b3fc1875fd143dd77071e5f3469471

SHA1
ce6228dbc8949cd1ab5987646d17f0c93902db70

SHA256
b53e6aec94a928e859503265305a506353c8482f8a9ddec087e1bb4f58762b7c

SHA512
7763e297ee017c7d4f3dede75ac44d396a39ef3b702a79e842193878692a88482e4940097626200b363cd1797bee26427a0386a3f9a87fec378e73666f62423b

Download Submit
C:\Windows\{5296929F-6D59-43cb-8540-B650E3598203}.exe

Filesize
90KB

MD5
0f7c35078824c59223270c06d210efb3

SHA1
616bbe4784addd487444e38c61f1e6bc54354e86

SHA256
e6b938ecda213e02c38f2b57c8789f806ca8f142761f23ede2d0ff1d41cdb566

SHA512
20b225d32eb10db395ef1ad296403799336c51fb6a0cb80bb552e33cf9703ed1b505f11ee0015ad03f28fc541f65885bec2a6269dd27f58dc2407312e724afc5

Download Submit
C:\Windows\{5B374389-6E13-4d14-9E47-D9D23A30CE0A}.exe

Filesize
90KB

MD5
f09e262b93300f17e1f392e049f6ce0b

SHA1
e541a6e6bd5596f43278de0f09cec4efba451074

SHA256
e8d952cc5b66c36c574800f14721065fdde2fb6db0bbac4c5fc1ad37c5fd6e13

SHA512
457ee307e1f4f33dd9f6d43cdb34862ebc9a88b66dc0ec4ad98f2991848ad5c740fe949addfc3b73b0bf2884755abf9c726d2d9d892ec4174c66e30cdde5ec8c

Download Submit
C:\Windows\{696D0C96-0338-48c5-83F5-4B523A368851}.exe

Filesize
90KB

MD5
c0390e74e48307eeec97bfaf9828d754

SHA1
7a5000db23ba66f49faf5f5ac0daab224f828ad8

SHA256
94e7c9e54c33cab646a4c452cd13f1b70aa72e3914e4d38f48877e178ecf0c87

SHA512
cc27e396ce74a8569b727ffd180f6b06ae53948aaae13cb695ee58d9f6563dcb0ce3d1d40510bdb6b0fdbef8217e7d3ff8210744eba7d4465cc0002eb3b15bb6

Download Submit
C:\Windows\{709E2D03-85BE-44eb-ADA9-7FDAF3576E2F}.exe

Filesize
90KB

MD5
d364ac843fdcee4f9967a2e772b4c31b

SHA1
8e49bb2981066a74395868c3aeb4fbe509b45996

SHA256
5182b506a00535e1ee48ef52cf8627025c8ebdea578ebc0701ef1c262dccbda6

SHA512
669f6dd73bf0c331839977488f38e9b1658608be345fe560aaba3da30d50f45339072e76cd68a52bfe6b1f4725ed6d47d0b3f8cf86ecef2fb99c28b5aed69a81

Download Submit
C:\Windows\{8ABCB907-64D7-4eae-82DA-F7DAB8BC4744}.exe

Filesize
90KB

MD5
ee8afd17af2f8fe915ea64e9be684da8

SHA1
97169e945e267e6b290492fb16ba92b82d23ed01

SHA256
b96cd5ee0d17d6011a5c23c59b8f7f53bd1a6d0a2ee9587ea56783a03c2dc916

SHA512
64971d6dc56a584bec8e937eef8cffb4a4025998bfdcd3fd6e5e5c5a2d6a6f553f2482905d02c9dccd0ba0063618dfb767825523bbf13c0a37258e1852da80d8

Download Submit
C:\Windows\{96BC0FB3-1B86-445f-9B98-21BDE0F801E2}.exe

Filesize
90KB

MD5
12c662f6a217186900859e019561f26c

SHA1
21e8b4b950e4e3af3dcc70bc872dc9d0e9b7d4fd

SHA256
c90490f2a03a30837634ea3ded6e36a2db48e3643c3b99e08e0191f8040c7c67

SHA512
727f9c78677e84a145ca557c3fcd10ce958a4669322a8ff643d63c2f89668d0e2d827e9a4dbf7bea69d8da4d66bbdb239e90d669d8927f8a8f1ae67e367d3809

Download Submit
C:\Windows\{AB4FEBED-3EC0-4f52-8407-969296B3F08D}.exe

Filesize
90KB

MD5
d05760dd7ab6d2477692dabe69209f05

SHA1
9fb49d7ee2e9a9b6dfc414e0d07e980595e53f0d

SHA256
d335513a0463f934e8160db32295118d412c103599b515be3f3fb43a5fc98afb

SHA512
482fbf90f150d34ea06f347770dffe8fede2aedb811e248bb4c7bb1a1c88d2c48f2cfe7b3edf7e104a8a981b59da85f6f108fb0d00df6923bdf5073908c2283a

Download Submit
C:\Windows\{C4EB37B3-4958-4c7a-9CD5-8C60E6260D5B}.exe

Filesize
90KB

MD5
f99a22fb624dbe883890431ab893569b

SHA1
1c700cb9c26cf6509ba7e2d363d090548375dca9

SHA256
9a6b9a92f96fcb2d0f9834e38c602c747e1e411ad959df7821be1bf3d1dac576

SHA512
7e6a0929d96591c7de3e0d0afcaeb464e07cf8f9a7ed5ffc10940c571f464cdde5dc6369d3f61d98c12f262fdd55c7baf52acbc63149089102a504b86b3e7419

Download Submit
C:\Windows\{D47AE181-89EF-4e09-B7B1-19A520D32CD8}.exe

Filesize
90KB

MD5
ef0fb7fa22385a5e7f9276ae52339334

SHA1
17d57c4eafab4938b7ca586a952110146dc6924c

SHA256
68d27764286ce91d47de4080befff5633228e06ddafefdb60bab46de336cb580

SHA512
576df18c091265d4475daadf7c7d45a1382589cd6088c05b2a279b5395af6279aa8dcff1af9c6d293482e1dc624177952bd41f88d2ad8b83233504f22c6054a5

Download Submit
C:\Windows\{D52EA9F8-4E75-47bd-9E1B-48CAA322E629}.exe

Filesize
90KB

MD5
fe2e169efb3ebcfc605075b034e68118

SHA1
dd77792fbb06c836d8c2c878e5770b8693a303f5

SHA256
f9ac3acd5c2bf038f023116b97e234f6594e464ed655795b63507e4d3eaa5637

SHA512
6a3a671c25415842cd045c50770e41fdc0e5eda6a3cd8757ff8e0f86a911065e30fc046def12e8881b6204343bba233420ac9b84cb4d347f6a0cd66fc0250531

Download Submit