a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773

Analysis

max time kernel
144s
max time network
121s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
Size

60KB
MD5

82b2fcad7e278b7e87e35b9042bfa94b
SHA1

734df9d0e852d59b5e77be42d506562c73400444
SHA256

a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773
SHA512

f6c9b2a20f29a638188bf055c739b2da73d85929c9a904b879686620dd09196902fa3b04558833f5ccf522b42af1fe62e61362d519ae057bd9f48bcee511394f
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroy4/CFsrdHWMZ:vvw9816vhKQLroy4/wQpWMZ

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{0968E080-568A-4288-95D4-636A6EB12E93}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{EAD04B80-DC26-4856-A008-97F961858210}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe{0968E080-568A-4288-95D4-636A6EB12E93}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}\stubpath = "C:\\Windows\\{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe"	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A1DE429-BA85-466a-922F-88EE05D9230C}	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1171DDA-6041-4ee3-80C7-36C002998BE0}\stubpath = "C:\\Windows\\{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe"	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}\stubpath = "C:\\Windows\\{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe"	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4422BCE8-9A96-44ff-8032-31A7E41B04B1}\stubpath = "C:\\Windows\\{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe"	{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}\stubpath = "C:\\Windows\\{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe"	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4422BCE8-9A96-44ff-8032-31A7E41B04B1}	{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}\stubpath = "C:\\Windows\\{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe"	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C1171DDA-6041-4ee3-80C7-36C002998BE0}	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{417C25D3-BA86-4492-BC94-B10894F73EBE}\stubpath = "C:\\Windows\\{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe"	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0968E080-568A-4288-95D4-636A6EB12E93}	{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAD04B80-DC26-4856-A008-97F961858210}\stubpath = "C:\\Windows\\{EAD04B80-DC26-4856-A008-97F961858210}.exe"	{0968E080-568A-4288-95D4-636A6EB12E93}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAD04B80-DC26-4856-A008-97F961858210}	{0968E080-568A-4288-95D4-636A6EB12E93}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A1DE429-BA85-466a-922F-88EE05D9230C}\stubpath = "C:\\Windows\\{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe"	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}\stubpath = "C:\\Windows\\{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe"	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{417C25D3-BA86-4492-BC94-B10894F73EBE}	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0968E080-568A-4288-95D4-636A6EB12E93}\stubpath = "C:\\Windows\\{0968E080-568A-4288-95D4-636A6EB12E93}.exe"	{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1300 cmd.exe

pid	process
1300	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe{0968E080-568A-4288-95D4-636A6EB12E93}.exe{EAD04B80-DC26-4856-A008-97F961858210}.exe

pid	process
2096	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
2696	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
2564	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
3032	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
2912	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
276	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
2240	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
2452	{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
2316	{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe
2116	{0968E080-568A-4288-95D4-636A6EB12E93}.exe
1308	{EAD04B80-DC26-4856-A008-97F961858210}.exe

Drops file in Windows directory 11 IoCs

Processes:

{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe{0968E080-568A-4288-95D4-636A6EB12E93}.exea5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe

description	ioc	process
File created	C:\Windows\{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
File created	C:\Windows\{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
File created	C:\Windows\{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
File created	C:\Windows\{0968E080-568A-4288-95D4-636A6EB12E93}.exe	{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe
File created	C:\Windows\{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
File created	C:\Windows\{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
File created	C:\Windows\{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
File created	C:\Windows\{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
File created	C:\Windows\{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe	{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
File created	C:\Windows\{EAD04B80-DC26-4856-A008-97F961858210}.exe	{0968E080-568A-4288-95D4-636A6EB12E93}.exe
File created	C:\Windows\{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe{0968E080-568A-4288-95D4-636A6EB12E93}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2164	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
Token: SeIncBasePriorityPrivilege	2096	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
Token: SeIncBasePriorityPrivilege	2696	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
Token: SeIncBasePriorityPrivilege	2564	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
Token: SeIncBasePriorityPrivilege	3032	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
Token: SeIncBasePriorityPrivilege	2912	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
Token: SeIncBasePriorityPrivilege	276	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
Token: SeIncBasePriorityPrivilege	2240	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
Token: SeIncBasePriorityPrivilege	2452	{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
Token: SeIncBasePriorityPrivilege	2316	{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe
Token: SeIncBasePriorityPrivilege	2116	{0968E080-568A-4288-95D4-636A6EB12E93}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2164 wrote to memory of 2096	2164	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
PID 2164 wrote to memory of 2096	2164	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
PID 2164 wrote to memory of 2096	2164	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
PID 2164 wrote to memory of 2096	2164	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
PID 2164 wrote to memory of 1300	2164	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	cmd.exe
PID 2164 wrote to memory of 1300	2164	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	cmd.exe
PID 2164 wrote to memory of 1300	2164	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	cmd.exe
PID 2164 wrote to memory of 1300	2164	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	cmd.exe
PID 2096 wrote to memory of 2696	2096	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
PID 2096 wrote to memory of 2696	2096	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
PID 2096 wrote to memory of 2696	2096	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
PID 2096 wrote to memory of 2696	2096	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
PID 2096 wrote to memory of 2544	2096	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe	cmd.exe
PID 2096 wrote to memory of 2544	2096	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe	cmd.exe
PID 2096 wrote to memory of 2544	2096	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe	cmd.exe
PID 2096 wrote to memory of 2544	2096	{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe	cmd.exe
PID 2696 wrote to memory of 2564	2696	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
PID 2696 wrote to memory of 2564	2696	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
PID 2696 wrote to memory of 2564	2696	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
PID 2696 wrote to memory of 2564	2696	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
PID 2696 wrote to memory of 2768	2696	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe	cmd.exe
PID 2696 wrote to memory of 2768	2696	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe	cmd.exe
PID 2696 wrote to memory of 2768	2696	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe	cmd.exe
PID 2696 wrote to memory of 2768	2696	{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe	cmd.exe
PID 2564 wrote to memory of 3032	2564	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
PID 2564 wrote to memory of 3032	2564	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
PID 2564 wrote to memory of 3032	2564	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
PID 2564 wrote to memory of 3032	2564	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
PID 2564 wrote to memory of 2428	2564	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe	cmd.exe
PID 2564 wrote to memory of 2428	2564	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe	cmd.exe
PID 2564 wrote to memory of 2428	2564	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe	cmd.exe
PID 2564 wrote to memory of 2428	2564	{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe	cmd.exe
PID 3032 wrote to memory of 2912	3032	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
PID 3032 wrote to memory of 2912	3032	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
PID 3032 wrote to memory of 2912	3032	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
PID 3032 wrote to memory of 2912	3032	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
PID 3032 wrote to memory of 2576	3032	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe	cmd.exe
PID 3032 wrote to memory of 2576	3032	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe	cmd.exe
PID 3032 wrote to memory of 2576	3032	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe	cmd.exe
PID 3032 wrote to memory of 2576	3032	{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe	cmd.exe
PID 2912 wrote to memory of 276	2912	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
PID 2912 wrote to memory of 276	2912	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
PID 2912 wrote to memory of 276	2912	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
PID 2912 wrote to memory of 276	2912	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
PID 2912 wrote to memory of 1668	2912	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe	cmd.exe
PID 2912 wrote to memory of 1668	2912	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe	cmd.exe
PID 2912 wrote to memory of 1668	2912	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe	cmd.exe
PID 2912 wrote to memory of 1668	2912	{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe	cmd.exe
PID 276 wrote to memory of 2240	276	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
PID 276 wrote to memory of 2240	276	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
PID 276 wrote to memory of 2240	276	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
PID 276 wrote to memory of 2240	276	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
PID 276 wrote to memory of 1552	276	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe	cmd.exe
PID 276 wrote to memory of 1552	276	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe	cmd.exe
PID 276 wrote to memory of 1552	276	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe	cmd.exe
PID 276 wrote to memory of 1552	276	{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe	cmd.exe
PID 2240 wrote to memory of 2452	2240	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe	{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
PID 2240 wrote to memory of 2452	2240	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe	{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
PID 2240 wrote to memory of 2452	2240	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe	{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
PID 2240 wrote to memory of 2452	2240	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe	{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
PID 2240 wrote to memory of 1516	2240	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe	cmd.exe
PID 2240 wrote to memory of 1516	2240	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe	cmd.exe
PID 2240 wrote to memory of 1516	2240	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe	cmd.exe
PID 2240 wrote to memory of 1516	2240	{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
"C:\Users\Admin\AppData\Local\Temp\a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
C:\Windows\{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
C:\Windows\{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
C:\Windows\{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
C:\Windows\{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
C:\Windows\{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
C:\Windows\{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:276

C:\Windows\{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
C:\Windows\{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
C:\Windows\{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Windows\{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe
C:\Windows\{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2316

C:\Windows\{0968E080-568A-4288-95D4-636A6EB12E93}.exe
C:\Windows\{0968E080-568A-4288-95D4-636A6EB12E93}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2116

C:\Windows\{EAD04B80-DC26-4856-A008-97F961858210}.exe
C:\Windows\{EAD04B80-DC26-4856-A008-97F961858210}.exe
12⤵
- Executes dropped EXE
PID:1308

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0968E~1.EXE > nul
12⤵
PID:1492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4422B~1.EXE > nul
11⤵
PID:320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{417C2~1.EXE > nul
10⤵
PID:2960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{89618~1.EXE > nul
9⤵
PID:1516

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C1171~1.EXE > nul
8⤵
PID:1552

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{FB2F5~1.EXE > nul
7⤵
PID:1668

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3EDAB~1.EXE > nul
6⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{CEFA4~1.EXE > nul
5⤵
PID:2428

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0A1DE~1.EXE > nul
4⤵
PID:2768

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{91A5C~1.EXE > nul
3⤵
PID:2544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A5D185~1.EXE > nul
2⤵
- Deletes itself
PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0968E080-568A-4288-95D4-636A6EB12E93}.exe

Filesize
60KB

MD5
7127bf7b9e0ebc1b1407e487abfa0434

SHA1
8f980a5a9418292e72eadade40e8368c9ac54565

SHA256
35479ab4fe66c0009305321414e5781dd1817f581d0f1f238dd16d5f2381eaec

SHA512
83f71eacf74b8bfc9e1d3aafe3c2932915ece1a4c50230c2cd646951495e6270e205d8b2f0ed618a9c95204b02f98f41069360d8bd20d56af3b6bb92f7bc5922

Download Submit
C:\Windows\{0A1DE429-BA85-466a-922F-88EE05D9230C}.exe

Filesize
60KB

MD5
580a75781dfdcced93cc2004733a6b20

SHA1
b3504c6a17b9b631dda44812473d01bb116d1aa3

SHA256
b0bc58c68799360ead7a1746aac9e79dda0eb75a8e5eb2c3da353753b37c0672

SHA512
9c73c07f0defc6a96363187a09c6280b9050bb0952f6b5504b8ac09148e2b6be31fdc2ab1f1f8a604029dbd5263c19e2ccf8995c89b4da7070758f718b2c2a61

Download Submit
C:\Windows\{3EDAB3EF-CEAF-4f48-90CB-4889C32062DA}.exe

Filesize
60KB

MD5
8f552613e7e6186739dedb623f86d215

SHA1
16ad0024f1a34d3d0703c5754de414be3b409f9e

SHA256
d48dd800ce5de240f720e88e35042905d461f9a142741d6f507649b8be88d6dd

SHA512
f046d45667f18187984d48528363b50540fc7ad304d4948e612247f2bb8bac6ff7da3201e4e0d46c6fc26970166be335a493256fa02584fa4438504d5b691fe4

Download Submit
C:\Windows\{417C25D3-BA86-4492-BC94-B10894F73EBE}.exe

Filesize
60KB

MD5
1895776e2fe485f2fdecca7da6f246cc

SHA1
3f4b9a12c80945eb69baff407cf56f81cfc6e8dc

SHA256
d5dbc7ce7b14d764f589635e6a57410c820eb0603f5d220df3f1f3177f00bbca

SHA512
9cc63318f65e9ccd4bc65041a33c255449bbadf6f9d03225778895faae0bba6cbb10f5381d1b8858da1b98f18f35eea8f4a881c7ba1e50ede3add585ea94ed85

Download Submit
C:\Windows\{4422BCE8-9A96-44ff-8032-31A7E41B04B1}.exe

Filesize
60KB

MD5
e01084966621b4cdbb9537556a61daf6

SHA1
06ebf7b4379d10dd9899289c3ad36eccaf6927ec

SHA256
b586d102619ae32edfe49d69c3b9ea0c496de66551d39d954a231c6302a4083e

SHA512
814b5c285b1da2b45354cccde100788560360ed28fc4d5dfa64eee1ee24f714c3bf672db4abdfa5f41a64b9d8dc04a35a40821a82eea47418536f23b0237ed44

Download Submit
C:\Windows\{89618C91-0C9F-41ed-85BB-E2F91F0CD89D}.exe

Filesize
60KB

MD5
327d43fe3aecaca4368e205c16068153

SHA1
c9bc825289506f7c3eed6474e822f1b6926bf18e

SHA256
77c2e8f2d83e3a8649a4ac0b11ac3dd27338d32b5683a7777bd638650a2a559b

SHA512
9a72d1388e2b6f25a02df6a3f5bb6c631f081da53951c4f5cdd96c8b94d29bf453612be4a26e76a2e5d9e945432a5abd3f3fbeb55140d825b8010b79668061d6

Download Submit
C:\Windows\{91A5C274-9A51-42f5-AB4C-AE17DC23F8A2}.exe

Filesize
60KB

MD5
975e0863ab1ed0dbcb0f9d5f7325493d

SHA1
517fdd899c83f8901f73a3f367444b97c4289f58

SHA256
7da1b30b03e6202dd10b73a17065a6e0bf39bfcd530f05eb6decf99dbd1e87d8

SHA512
a863e98fbc3de480f5977158a28ff78be65a0fe8c5990d4290d1ac78a78b5b244bc20dd651bc403739c7e92eae939f66a651d8786d74831d3d25ba864899531c

Download Submit
C:\Windows\{C1171DDA-6041-4ee3-80C7-36C002998BE0}.exe

Filesize
60KB

MD5
397f199ec9c89826c62cf9b3109ae0d7

SHA1
3eabd627e07c609097a8af0e456737eb7e1517ab

SHA256
5ebc29f6c5427a5d61058ed5d90f8dfb2aed29b5e1ede2743f1fd084ae969680

SHA512
33ce6c88521413a8422f6a818514fa17b4538e293d975dffe3f27b82b15d7029ca4d07481a3a49ecac2c20cb6fa8c41cc8203d973056dc89813d4df5d53c1541

Download Submit
C:\Windows\{CEFA4F7A-6EAA-4aaf-9C7E-57AEF62C3EA4}.exe

Filesize
60KB

MD5
fdc133cc8f5cd0e1632d8378991a7b86

SHA1
d8cbac303dfce35fb92e55c1bd2a2cc346d89100

SHA256
16fbcf6dcfb005ede34b6da743aeed6d5a9e184252086dfc52483954dc77585d

SHA512
691f54f3332e186659d46b19d55aba986688baad61e957e6514d52e8010d7055ad7c42f7df883a728900edb5697bc79e43366731bdf33e97220c07615b6bbcc5

Download Submit
C:\Windows\{EAD04B80-DC26-4856-A008-97F961858210}.exe

Filesize
60KB

MD5
53c1d2faf0c70aa2791665f1ae3c47c9

SHA1
73a12624c867c04bb1de2c6dc752aadd4555df3e

SHA256
d8b66544dbfa4dc325c9fbf872d8e31e910f2637b4d8425353d0e62b673b5cb8

SHA512
4cc882e65554d0192dc66b00733ca76687d936232a7c1ced3da0d8b551016052add45257cc29fb33f3d31197d0e557c650734ebd851b7c1bdac8a1f8508a703b

Download Submit
C:\Windows\{FB2F53FA-6A3C-4410-B214-B383DCB2CECC}.exe

Filesize
60KB

MD5
c94623c448ffbf5205d3ca8e6ac30cec

SHA1
4211516c6af66570bda59b7da0b3bcf53b9ef2b9

SHA256
4c99765e82f5034a5a1a54ccb77e71c14306988ff24532b06d44030a2b54bb3b

SHA512
9b915fd1addce9e3420b9952f4dbe773940389007ac4d7f4fe0de1dfb5a58e19f09b3986a913942634779f4915f5985e2b7ac1c886dcdf56688eacc93772ead8

Download Submit