a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
Size

60KB
MD5

82b2fcad7e278b7e87e35b9042bfa94b
SHA1

734df9d0e852d59b5e77be42d506562c73400444
SHA256

a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773
SHA512

f6c9b2a20f29a638188bf055c739b2da73d85929c9a904b879686620dd09196902fa3b04558833f5ccf522b42af1fe62e61362d519ae057bd9f48bcee511394f
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroy4/CFsrdHWMZ:vvw9816vhKQLroy4/wQpWMZ

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 11 IoCs

Processes:

resource	yara_rule
C:\Windows\{7847DBF3-030D-4142-8012-049F52819CCC}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{A0D04785-3E09-4cde-97BC-221F34978E64}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{E777E8A5-9213-4576-A566-21EC354E6778}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Windows\{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe{A0D04785-3E09-4cde-97BC-221F34978E64}.exe{E777E8A5-9213-4576-A566-21EC354E6778}.exe{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exea5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe{7847DBF3-030D-4142-8012-049F52819CCC}.exe{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85C4F59B-8EA0-4cba-8040-CD830D85C64B}	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}\stubpath = "C:\\Windows\\{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe"	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D98CBBC-912F-48ce-9D59-48C48F4D2645}\stubpath = "C:\\Windows\\{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe"	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}\stubpath = "C:\\Windows\\{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe"	{E777E8A5-9213-4576-A566-21EC354E6778}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}\stubpath = "C:\\Windows\\{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe"	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE56E291-322A-415f-A953-63AF9FD26814}	{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7847DBF3-030D-4142-8012-049F52819CCC}\stubpath = "C:\\Windows\\{7847DBF3-030D-4142-8012-049F52819CCC}.exe"	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE56E291-322A-415f-A953-63AF9FD26814}\stubpath = "C:\\Windows\\{CE56E291-322A-415f-A953-63AF9FD26814}.exe"	{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}	{7847DBF3-030D-4142-8012-049F52819CCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}\stubpath = "C:\\Windows\\{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe"	{7847DBF3-030D-4142-8012-049F52819CCC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}\stubpath = "C:\\Windows\\{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe"	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0D04785-3E09-4cde-97BC-221F34978E64}	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0D04785-3E09-4cde-97BC-221F34978E64}\stubpath = "C:\\Windows\\{A0D04785-3E09-4cde-97BC-221F34978E64}.exe"	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E777E8A5-9213-4576-A566-21EC354E6778}	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E777E8A5-9213-4576-A566-21EC354E6778}\stubpath = "C:\\Windows\\{E777E8A5-9213-4576-A566-21EC354E6778}.exe"	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7847DBF3-030D-4142-8012-049F52819CCC}	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4F61AFA-FCAB-4603-BFE1-069919BABF66}\stubpath = "C:\\Windows\\{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe"	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D98CBBC-912F-48ce-9D59-48C48F4D2645}	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}	{E777E8A5-9213-4576-A566-21EC354E6778}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85C4F59B-8EA0-4cba-8040-CD830D85C64B}\stubpath = "C:\\Windows\\{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe"	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4F61AFA-FCAB-4603-BFE1-069919BABF66}	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe

Executes dropped EXE 11 IoCs

Processes:

{7847DBF3-030D-4142-8012-049F52819CCC}.exe{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe{A0D04785-3E09-4cde-97BC-221F34978E64}.exe{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe{E777E8A5-9213-4576-A566-21EC354E6778}.exe{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe

pid	process
408	{7847DBF3-030D-4142-8012-049F52819CCC}.exe
4548	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe
2316	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe
3008	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe
4464	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe
4912	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe
1932	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe
1176	{E777E8A5-9213-4576-A566-21EC354E6778}.exe
3636	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe
2448	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe
4120	{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe

Drops file in Windows directory 12 IoCs

Processes:

{7847DBF3-030D-4142-8012-049F52819CCC}.exe{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe{E777E8A5-9213-4576-A566-21EC354E6778}.exe{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exea5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe{A0D04785-3E09-4cde-97BC-221F34978E64}.exe{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe

description	ioc	process
File created	C:\Windows\{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe	{7847DBF3-030D-4142-8012-049F52819CCC}.exe
File created	C:\Windows\{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe
File created	C:\Windows\{E777E8A5-9213-4576-A566-21EC354E6778}.exe	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe
File created	C:\Windows\{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe	{E777E8A5-9213-4576-A566-21EC354E6778}.exe
File created	C:\Windows\{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe
File created	C:\Windows\{7847DBF3-030D-4142-8012-049F52819CCC}.exe	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
File created	C:\Windows\{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe
File created	C:\Windows\{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe
File created	C:\Windows\{A0D04785-3E09-4cde-97BC-221F34978E64}.exe	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe
File created	C:\Windows\{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe
File created	C:\Windows\{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe
File created	C:\Windows\{CE56E291-322A-415f-A953-63AF9FD26814}.exe	{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe{7847DBF3-030D-4142-8012-049F52819CCC}.exe{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe{A0D04785-3E09-4cde-97BC-221F34978E64}.exe{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe{E777E8A5-9213-4576-A566-21EC354E6778}.exe{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3192	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
Token: SeIncBasePriorityPrivilege	408	{7847DBF3-030D-4142-8012-049F52819CCC}.exe
Token: SeIncBasePriorityPrivilege	4548	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe
Token: SeIncBasePriorityPrivilege	2316	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe
Token: SeIncBasePriorityPrivilege	3008	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe
Token: SeIncBasePriorityPrivilege	4464	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe
Token: SeIncBasePriorityPrivilege	4912	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe
Token: SeIncBasePriorityPrivilege	1932	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe
Token: SeIncBasePriorityPrivilege	1176	{E777E8A5-9213-4576-A566-21EC354E6778}.exe
Token: SeIncBasePriorityPrivilege	3636	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe
Token: SeIncBasePriorityPrivilege	2448	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3192 wrote to memory of 408	3192	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	{7847DBF3-030D-4142-8012-049F52819CCC}.exe
PID 3192 wrote to memory of 408	3192	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	{7847DBF3-030D-4142-8012-049F52819CCC}.exe
PID 3192 wrote to memory of 408	3192	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	{7847DBF3-030D-4142-8012-049F52819CCC}.exe
PID 3192 wrote to memory of 3224	3192	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	cmd.exe
PID 3192 wrote to memory of 3224	3192	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	cmd.exe
PID 3192 wrote to memory of 3224	3192	a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe	cmd.exe
PID 408 wrote to memory of 4548	408	{7847DBF3-030D-4142-8012-049F52819CCC}.exe	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe
PID 408 wrote to memory of 4548	408	{7847DBF3-030D-4142-8012-049F52819CCC}.exe	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe
PID 408 wrote to memory of 4548	408	{7847DBF3-030D-4142-8012-049F52819CCC}.exe	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe
PID 408 wrote to memory of 968	408	{7847DBF3-030D-4142-8012-049F52819CCC}.exe	cmd.exe
PID 408 wrote to memory of 968	408	{7847DBF3-030D-4142-8012-049F52819CCC}.exe	cmd.exe
PID 408 wrote to memory of 968	408	{7847DBF3-030D-4142-8012-049F52819CCC}.exe	cmd.exe
PID 4548 wrote to memory of 2316	4548	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe
PID 4548 wrote to memory of 2316	4548	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe
PID 4548 wrote to memory of 2316	4548	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe
PID 4548 wrote to memory of 3948	4548	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe	cmd.exe
PID 4548 wrote to memory of 3948	4548	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe	cmd.exe
PID 4548 wrote to memory of 3948	4548	{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe	cmd.exe
PID 2316 wrote to memory of 3008	2316	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe
PID 2316 wrote to memory of 3008	2316	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe
PID 2316 wrote to memory of 3008	2316	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe
PID 2316 wrote to memory of 4688	2316	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe	cmd.exe
PID 2316 wrote to memory of 4688	2316	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe	cmd.exe
PID 2316 wrote to memory of 4688	2316	{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe	cmd.exe
PID 3008 wrote to memory of 4464	3008	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe
PID 3008 wrote to memory of 4464	3008	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe
PID 3008 wrote to memory of 4464	3008	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe
PID 3008 wrote to memory of 1508	3008	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe	cmd.exe
PID 3008 wrote to memory of 1508	3008	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe	cmd.exe
PID 3008 wrote to memory of 1508	3008	{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe	cmd.exe
PID 4464 wrote to memory of 4912	4464	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe
PID 4464 wrote to memory of 4912	4464	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe
PID 4464 wrote to memory of 4912	4464	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe
PID 4464 wrote to memory of 3324	4464	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe	cmd.exe
PID 4464 wrote to memory of 3324	4464	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe	cmd.exe
PID 4464 wrote to memory of 3324	4464	{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe	cmd.exe
PID 4912 wrote to memory of 1932	4912	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe
PID 4912 wrote to memory of 1932	4912	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe
PID 4912 wrote to memory of 1932	4912	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe
PID 4912 wrote to memory of 3616	4912	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe	cmd.exe
PID 4912 wrote to memory of 3616	4912	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe	cmd.exe
PID 4912 wrote to memory of 3616	4912	{A0D04785-3E09-4cde-97BC-221F34978E64}.exe	cmd.exe
PID 1932 wrote to memory of 1176	1932	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe	{E777E8A5-9213-4576-A566-21EC354E6778}.exe
PID 1932 wrote to memory of 1176	1932	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe	{E777E8A5-9213-4576-A566-21EC354E6778}.exe
PID 1932 wrote to memory of 1176	1932	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe	{E777E8A5-9213-4576-A566-21EC354E6778}.exe
PID 1932 wrote to memory of 4700	1932	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe	cmd.exe
PID 1932 wrote to memory of 4700	1932	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe	cmd.exe
PID 1932 wrote to memory of 4700	1932	{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe	cmd.exe
PID 1176 wrote to memory of 3636	1176	{E777E8A5-9213-4576-A566-21EC354E6778}.exe	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe
PID 1176 wrote to memory of 3636	1176	{E777E8A5-9213-4576-A566-21EC354E6778}.exe	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe
PID 1176 wrote to memory of 3636	1176	{E777E8A5-9213-4576-A566-21EC354E6778}.exe	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe
PID 1176 wrote to memory of 3608	1176	{E777E8A5-9213-4576-A566-21EC354E6778}.exe	cmd.exe
PID 1176 wrote to memory of 3608	1176	{E777E8A5-9213-4576-A566-21EC354E6778}.exe	cmd.exe
PID 1176 wrote to memory of 3608	1176	{E777E8A5-9213-4576-A566-21EC354E6778}.exe	cmd.exe
PID 3636 wrote to memory of 2448	3636	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe
PID 3636 wrote to memory of 2448	3636	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe
PID 3636 wrote to memory of 2448	3636	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe
PID 3636 wrote to memory of 224	3636	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe	cmd.exe
PID 3636 wrote to memory of 224	3636	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe	cmd.exe
PID 3636 wrote to memory of 224	3636	{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe	cmd.exe
PID 2448 wrote to memory of 4120	2448	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe	{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe
PID 2448 wrote to memory of 4120	2448	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe	{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe
PID 2448 wrote to memory of 4120	2448	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe	{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe
PID 2448 wrote to memory of 2416	2448	{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe
"C:\Users\Admin\AppData\Local\Temp\a5d18583fcb1799fc9cb8556041264543258986d5b6922775cd869d788ef4773.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192

C:\Windows\{7847DBF3-030D-4142-8012-049F52819CCC}.exe
C:\Windows\{7847DBF3-030D-4142-8012-049F52819CCC}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408

C:\Windows\{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe
C:\Windows\{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe
C:\Windows\{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe
C:\Windows\{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe
C:\Windows\{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\{A0D04785-3E09-4cde-97BC-221F34978E64}.exe
C:\Windows\{A0D04785-3E09-4cde-97BC-221F34978E64}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Windows\{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe
C:\Windows\{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Windows\{E777E8A5-9213-4576-A566-21EC354E6778}.exe
C:\Windows\{E777E8A5-9213-4576-A566-21EC354E6778}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176

C:\Windows\{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe
C:\Windows\{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3636

C:\Windows\{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe
C:\Windows\{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2448

C:\Windows\{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe
C:\Windows\{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe
12⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
PID:4120

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{85C4F~1.EXE > nul
12⤵
PID:2416

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{21011~1.EXE > nul
11⤵
PID:224

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E777E~1.EXE > nul
10⤵
PID:3608

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7D98C~1.EXE > nul
9⤵
PID:4700

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A0D04~1.EXE > nul
8⤵
PID:3616

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{E4F61~1.EXE > nul
7⤵
PID:3324

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{B23E4~1.EXE > nul
6⤵
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{2F1B3~1.EXE > nul
5⤵
PID:4688

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7D8FE~1.EXE > nul
4⤵
PID:3948

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{7847D~1.EXE > nul
3⤵
PID:968

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A5D185~1.EXE > nul
2⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3412 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21011CD7-D4CE-4e8b-BD81-57057B8A6B3B}.exe

Filesize
60KB

MD5
8e67556cb027f28af3afa731c4e8e2db

SHA1
bc77c644fbffeb1f52e5d9e00893e2a06477c2c5

SHA256
e222d7465897ea0d6223a70a888aac16a03a791cf8635b875d973d930536357b

SHA512
6e88dd935384ace41641e5d4bd8aa1903b16c65f72235a599817e102bcb1dfb2a16f1a748bcd57e62d6bf39cc9d07978c8de4b11a1a0e305531a416b4bab5053

Download Submit
C:\Windows\{2F1B3AB7-9405-44fc-9CAF-46367EEB3E3D}.exe

Filesize
60KB

MD5
3d1b5b37df82b71bcfca5ef3bb901e18

SHA1
78d65efd639baf55fe504c090a9302a29af2f520

SHA256
7bce2c02137286fc1f26b4c2271906ddcdbbd197a977a71b953b6a5b35f74228

SHA512
7112d9bb149c944601da6d25d2cf4e97ea05cc1a1a8786da3ab336f3da0265160aecd29440997447befbbca6aae11081affcca7bc7b232e60f56bfd90a65310b

Download Submit
C:\Windows\{7847DBF3-030D-4142-8012-049F52819CCC}.exe

Filesize
60KB

MD5
7ae1e65266e62b4d5c0be5315432155f

SHA1
4f88cf2b9465d25597ba841a6dbb33dead7d89e7

SHA256
422d0051ac60586433d493091ee4ada971f2667c85302852081efc1ca2975740

SHA512
3778978a276706955d6f55e0beb2b2db812d5137a7cc5b59eef8804cb8f13f180b8007ea2118dc310ef35d33f5b288f3b50ed655fc0a2328f2fab02cc5622782

Download Submit
C:\Windows\{7AF6DFCA-49C9-430e-8377-7CB78F2A1078}.exe

Filesize
60KB

MD5
6dcbb1a9d7fd687d131a22e1b4b056ca

SHA1
cee3def4f0d5a69df037e2121264f5434d824897

SHA256
1a70c69ff6be0ef0e483a7edb1bf7834281475c456b9e316255bbad4843af271

SHA512
d1d60d7a65d9f181aa0a7f64116bdd9896efc65c0d77bfa36fcdba96a3cdb930b6e5e4a7e3d035d239ea5889920c63c9cb11e8e2d66e72bef724c8e77b01b752

Download Submit
C:\Windows\{7D8FEEBD-0D47-4c44-9F7A-EAB89600A9A7}.exe

Filesize
60KB

MD5
2b1e7110a796ba99d1e7688dd3aee03b

SHA1
fe81663b414082b7cdb15f0463aacecf0ff346e9

SHA256
cb52defba6894d2d139ff7b5a5834e5d4b73d1355298d573ef2361beae579ac4

SHA512
613e40c3e0ac9aacefcc9f4e035610ce366cea7aa29a6087e4f3b89402fe0e80323a898c204015ab878abdb1f9f0429a6c8f2b5dae3eb284146a40f683c00222

Download Submit
C:\Windows\{7D98CBBC-912F-48ce-9D59-48C48F4D2645}.exe

Filesize
60KB

MD5
1cb94ee51f45989bf9bf51f81edec9bf

SHA1
bf5371127e9d9d22f47dbf81a870a41d499da4c2

SHA256
e8f7aff6ba81855be2e5dfc77bc4492afce88c670069bf027efccbb732fa0027

SHA512
b53d49123a33e2a40f6a5d42d1008417eaa8201e799505784ae2b1dbc2aa98c05fe95726cb1b57f7cebca5c47932e903b41454a0d4acf8c39bfebbd6337bfddb

Download Submit
C:\Windows\{85C4F59B-8EA0-4cba-8040-CD830D85C64B}.exe

Filesize
60KB

MD5
648662ffbff37e978957b0b07f6481c0

SHA1
0792f45fdd8351a77933df0b364bb1b0882d6860

SHA256
a209349cf77513fa148890d99aed8b1096b1f9865ae9b00e82e920d15735617d

SHA512
f36e0a711ccc698c56b8667a54218b3af2a737e6bead46449a20b310b428addf66ab6913ebe448ae0529126481f3cb6e02e2ba106877ee3003fa03030c86d8eb

Download Submit
C:\Windows\{A0D04785-3E09-4cde-97BC-221F34978E64}.exe

Filesize
60KB

MD5
d82be528738dbd65e72871626497a8d9

SHA1
9bfea2eb6129197a5c9337521aa9d638f9232733

SHA256
58dbbc156d431aea3f8e2cebdcf8309d29db65b4ca2c7492e038b6e8b0c9a116

SHA512
ec6f1352b0b65ddb1663a417c5f0baa2457ed30f9fb290cf19263adec7d7d4a5039e73e28612fc211ec301779230af452bde7d3d3aec9e07eed3fbd6da83a5e3

Download Submit
C:\Windows\{B23E4EB9-AE41-4d75-A06B-E1AE709BAB3C}.exe

Filesize
60KB

MD5
a69b85309a4868baf4ce2e209171c618

SHA1
7fd239070c8d2e8f7b18ef9b2dd39b0f1a2c1781

SHA256
9a6bf088a667ed26a634e447efc79a383d6928497447c685fd1f1b734797b665

SHA512
ff6ff2fdd4cea03ca6dd9e67db54257ede3b79b965bf050a9b6066adcca0c661ec0d303a70d6bb651882b70626dd640d0dbb713df91e2cc86a31051756a883f2

Download Submit
C:\Windows\{E4F61AFA-FCAB-4603-BFE1-069919BABF66}.exe

Filesize
60KB

MD5
5e5830d1c2b30ddc71771cdbb8ebec93

SHA1
7d19784f29a570c0a024e25183b0c89951ba35df

SHA256
781c11e22ca87648d85c52c92acbc27b00197bdeea6e599351040976cbecce38

SHA512
1636e17fc960bec2e5e5288a55c1303e1b0c967f224548800345b0f6f99eb6abb33d29d396b160b65391afad8002a24f597004f67dbda79ba44f3b1e1fc1b646

Download Submit
C:\Windows\{E777E8A5-9213-4576-A566-21EC354E6778}.exe

Filesize
60KB

MD5
2ade3c8764ef9a8f25f52d3eceb6a446

SHA1
8d340e2d9e3a22f31a600a8e6b6ef0be889240a9

SHA256
2f94a0e0a3ee89ab227ad74ef1925e60d6dcbafadedb083179e56502a1bb3f65

SHA512
14fe47b49154777fd7f14119372dd32cf880da03d6b698ee33e592313c95fcfd12238c7f761d8dabf52aaf333fedc296a4e988a9d052c1c3ed5bab31147e946a

Download Submit