07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
21-05-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
Size

64KB
MD5

02985d25bd794c2b97a604b3607ede70
SHA1

87e91e18cea9c9edd41c5aca1664902d4ff11e0d
SHA256

07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a
SHA512

b7dcefc5693ed1b0701a8ca6e9ccc9d0769f17c12b464aa878fd00fc2802eef0a8905cf9a62bd4e4fa74fc7dff72714ece386d25865ff36d295f198e819dcee3
SSDEEP

768:Ovw9816ihKQLroCL4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdu:6EGU0oCLlwWMZQcpmgDagIyS1loL7Wru

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe{BFC09644-8673-4a74-92AC-707026362728}.exe{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe{20EB0653-B990-4aef-9C36-E60137E348EF}.exe{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe{0498E94D-621B-465b-BE22-8009404E6955}.exe{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20EB0653-B990-4aef-9C36-E60137E348EF}	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}	{BFC09644-8673-4a74-92AC-707026362728}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0498E94D-621B-465b-BE22-8009404E6955}\stubpath = "C:\\Windows\\{0498E94D-621B-465b-BE22-8009404E6955}.exe"	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}\stubpath = "C:\\Windows\\{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe"	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFC09644-8673-4a74-92AC-707026362728}	{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}\stubpath = "C:\\Windows\\{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe"	{BFC09644-8673-4a74-92AC-707026362728}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B789FB4-D3DD-499b-88F3-549F564BBB65}	{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4B789FB4-D3DD-499b-88F3-549F564BBB65}\stubpath = "C:\\Windows\\{4B789FB4-D3DD-499b-88F3-549F564BBB65}.exe"	{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BFC09644-8673-4a74-92AC-707026362728}\stubpath = "C:\\Windows\\{BFC09644-8673-4a74-92AC-707026362728}.exe"	{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20EB0653-B990-4aef-9C36-E60137E348EF}\stubpath = "C:\\Windows\\{20EB0653-B990-4aef-9C36-E60137E348EF}.exe"	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864BB488-01ED-4f6b-8D85-87D5EFE5A434}	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}\stubpath = "C:\\Windows\\{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe"	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{983CF531-0536-4723-AA6D-BF063D7B7EA6}	{0498E94D-621B-465b-BE22-8009404E6955}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{983CF531-0536-4723-AA6D-BF063D7B7EA6}\stubpath = "C:\\Windows\\{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe"	{0498E94D-621B-465b-BE22-8009404E6955}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}\stubpath = "C:\\Windows\\{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe"	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78FCCB73-9576-4d32-8079-44F41E67B8E5}	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78FCCB73-9576-4d32-8079-44F41E67B8E5}\stubpath = "C:\\Windows\\{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe"	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{864BB488-01ED-4f6b-8D85-87D5EFE5A434}\stubpath = "C:\\Windows\\{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe"	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0498E94D-621B-465b-BE22-8009404E6955}	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1208 cmd.exe

pid	process
1208	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe{20EB0653-B990-4aef-9C36-E60137E348EF}.exe{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe{0498E94D-621B-465b-BE22-8009404E6955}.exe{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe{BFC09644-8673-4a74-92AC-707026362728}.exe{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe{4B789FB4-D3DD-499b-88F3-549F564BBB65}.exe

pid	process
2968	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
2828	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
2500	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
1512	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
2716	{0498E94D-621B-465b-BE22-8009404E6955}.exe
1552	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe
2728	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
1360	{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
2196	{BFC09644-8673-4a74-92AC-707026362728}.exe
688	{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe
1172	{4B789FB4-D3DD-499b-88F3-549F564BBB65}.exe

Drops file in Windows directory 11 IoCs

Processes:

{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe{20EB0653-B990-4aef-9C36-E60137E348EF}.exe{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe{0498E94D-621B-465b-BE22-8009404E6955}.exe{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe{BFC09644-8673-4a74-92AC-707026362728}.exe

description	ioc	process
File created	C:\Windows\{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe
File created	C:\Windows\{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
File created	C:\Windows\{4B789FB4-D3DD-499b-88F3-549F564BBB65}.exe	{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe
File created	C:\Windows\{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
File created	C:\Windows\{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
File created	C:\Windows\{0498E94D-621B-465b-BE22-8009404E6955}.exe	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
File created	C:\Windows\{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe	{0498E94D-621B-465b-BE22-8009404E6955}.exe
File created	C:\Windows\{20EB0653-B990-4aef-9C36-E60137E348EF}.exe	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
File created	C:\Windows\{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
File created	C:\Windows\{BFC09644-8673-4a74-92AC-707026362728}.exe	{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
File created	C:\Windows\{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe	{BFC09644-8673-4a74-92AC-707026362728}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe{20EB0653-B990-4aef-9C36-E60137E348EF}.exe{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe{0498E94D-621B-465b-BE22-8009404E6955}.exe{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe{BFC09644-8673-4a74-92AC-707026362728}.exe{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2300	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
Token: SeIncBasePriorityPrivilege	2968	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
Token: SeIncBasePriorityPrivilege	2828	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
Token: SeIncBasePriorityPrivilege	2500	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
Token: SeIncBasePriorityPrivilege	1512	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
Token: SeIncBasePriorityPrivilege	2716	{0498E94D-621B-465b-BE22-8009404E6955}.exe
Token: SeIncBasePriorityPrivilege	1552	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe
Token: SeIncBasePriorityPrivilege	2728	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
Token: SeIncBasePriorityPrivilege	1360	{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
Token: SeIncBasePriorityPrivilege	2196	{BFC09644-8673-4a74-92AC-707026362728}.exe
Token: SeIncBasePriorityPrivilege	688	{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2300 wrote to memory of 2968	2300	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
PID 2300 wrote to memory of 2968	2300	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
PID 2300 wrote to memory of 2968	2300	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
PID 2300 wrote to memory of 2968	2300	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
PID 2300 wrote to memory of 1208	2300	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	cmd.exe
PID 2300 wrote to memory of 1208	2300	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	cmd.exe
PID 2300 wrote to memory of 1208	2300	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	cmd.exe
PID 2300 wrote to memory of 1208	2300	07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe	cmd.exe
PID 2968 wrote to memory of 2828	2968	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
PID 2968 wrote to memory of 2828	2968	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
PID 2968 wrote to memory of 2828	2968	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
PID 2968 wrote to memory of 2828	2968	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
PID 2968 wrote to memory of 2340	2968	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe	cmd.exe
PID 2968 wrote to memory of 2340	2968	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe	cmd.exe
PID 2968 wrote to memory of 2340	2968	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe	cmd.exe
PID 2968 wrote to memory of 2340	2968	{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe	cmd.exe
PID 2828 wrote to memory of 2500	2828	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
PID 2828 wrote to memory of 2500	2828	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
PID 2828 wrote to memory of 2500	2828	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
PID 2828 wrote to memory of 2500	2828	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
PID 2828 wrote to memory of 2576	2828	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe	cmd.exe
PID 2828 wrote to memory of 2576	2828	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe	cmd.exe
PID 2828 wrote to memory of 2576	2828	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe	cmd.exe
PID 2828 wrote to memory of 2576	2828	{20EB0653-B990-4aef-9C36-E60137E348EF}.exe	cmd.exe
PID 2500 wrote to memory of 1512	2500	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
PID 2500 wrote to memory of 1512	2500	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
PID 2500 wrote to memory of 1512	2500	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
PID 2500 wrote to memory of 1512	2500	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
PID 2500 wrote to memory of 1488	2500	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe	cmd.exe
PID 2500 wrote to memory of 1488	2500	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe	cmd.exe
PID 2500 wrote to memory of 1488	2500	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe	cmd.exe
PID 2500 wrote to memory of 1488	2500	{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe	cmd.exe
PID 1512 wrote to memory of 2716	1512	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe	{0498E94D-621B-465b-BE22-8009404E6955}.exe
PID 1512 wrote to memory of 2716	1512	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe	{0498E94D-621B-465b-BE22-8009404E6955}.exe
PID 1512 wrote to memory of 2716	1512	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe	{0498E94D-621B-465b-BE22-8009404E6955}.exe
PID 1512 wrote to memory of 2716	1512	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe	{0498E94D-621B-465b-BE22-8009404E6955}.exe
PID 1512 wrote to memory of 1896	1512	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe	cmd.exe
PID 1512 wrote to memory of 1896	1512	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe	cmd.exe
PID 1512 wrote to memory of 1896	1512	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe	cmd.exe
PID 1512 wrote to memory of 1896	1512	{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe	cmd.exe
PID 2716 wrote to memory of 1552	2716	{0498E94D-621B-465b-BE22-8009404E6955}.exe	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe
PID 2716 wrote to memory of 1552	2716	{0498E94D-621B-465b-BE22-8009404E6955}.exe	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe
PID 2716 wrote to memory of 1552	2716	{0498E94D-621B-465b-BE22-8009404E6955}.exe	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe
PID 2716 wrote to memory of 1552	2716	{0498E94D-621B-465b-BE22-8009404E6955}.exe	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe
PID 2716 wrote to memory of 1544	2716	{0498E94D-621B-465b-BE22-8009404E6955}.exe	cmd.exe
PID 2716 wrote to memory of 1544	2716	{0498E94D-621B-465b-BE22-8009404E6955}.exe	cmd.exe
PID 2716 wrote to memory of 1544	2716	{0498E94D-621B-465b-BE22-8009404E6955}.exe	cmd.exe
PID 2716 wrote to memory of 1544	2716	{0498E94D-621B-465b-BE22-8009404E6955}.exe	cmd.exe
PID 1552 wrote to memory of 2728	1552	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
PID 1552 wrote to memory of 2728	1552	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
PID 1552 wrote to memory of 2728	1552	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
PID 1552 wrote to memory of 2728	1552	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
PID 1552 wrote to memory of 1624	1552	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe	cmd.exe
PID 1552 wrote to memory of 1624	1552	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe	cmd.exe
PID 1552 wrote to memory of 1624	1552	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe	cmd.exe
PID 1552 wrote to memory of 1624	1552	{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe	cmd.exe
PID 2728 wrote to memory of 1360	2728	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe	{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
PID 2728 wrote to memory of 1360	2728	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe	{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
PID 2728 wrote to memory of 1360	2728	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe	{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
PID 2728 wrote to memory of 1360	2728	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe	{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
PID 2728 wrote to memory of 1520	2728	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe	cmd.exe
PID 2728 wrote to memory of 1520	2728	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe	cmd.exe
PID 2728 wrote to memory of 1520	2728	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe	cmd.exe
PID 2728 wrote to memory of 1520	2728	{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe
"C:\Users\Admin\AppData\Local\Temp\07480c35f06a32660604bcf480a8324bc0a7884efec7873b15358af0023be09a.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
C:\Windows\{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
C:\Windows\{20EB0653-B990-4aef-9C36-E60137E348EF}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
C:\Windows\{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
C:\Windows\{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1512

C:\Windows\{0498E94D-621B-465b-BE22-8009404E6955}.exe
C:\Windows\{0498E94D-621B-465b-BE22-8009404E6955}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe
C:\Windows\{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1552

C:\Windows\{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
C:\Windows\{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
C:\Windows\{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Windows\{BFC09644-8673-4a74-92AC-707026362728}.exe
C:\Windows\{BFC09644-8673-4a74-92AC-707026362728}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2196

C:\Windows\{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe
C:\Windows\{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\{4B789FB4-D3DD-499b-88F3-549F564BBB65}.exe
C:\Windows\{4B789FB4-D3DD-499b-88F3-549F564BBB65}.exe
12⤵
- Executes dropped EXE
PID:1172

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{F3BFF~1.EXE > nul
12⤵
PID:1684

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BFC09~1.EXE > nul
11⤵
PID:580

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BD9CD~1.EXE > nul
10⤵
PID:2232

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8B7AD~1.EXE > nul
9⤵
PID:1520

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{983CF~1.EXE > nul
8⤵
PID:1624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{0498E~1.EXE > nul
7⤵
PID:1544

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4999E~1.EXE > nul
6⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{864BB~1.EXE > nul
5⤵
PID:1488

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{20EB0~1.EXE > nul
4⤵
PID:2576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{78FCC~1.EXE > nul
3⤵
PID:2340

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\07480C~1.EXE > nul
2⤵
- Deletes itself
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0498E94D-621B-465b-BE22-8009404E6955}.exe

Filesize
64KB

MD5
f93163b9e754b175df2f79f566fea610

SHA1
c1ea6cc1e543c3d6749ccbace201df6820aa8556

SHA256
943ba88fc9acf91b6d606ba84e1a7b44afd86a1f6826d1a68887ad1828bfcc75

SHA512
8eec38822f9370cc7f2cf2f19e36f2fe3fbcdde73f061cce0f604fe3ff1ddbc01e84adb67db2b7d585a5a9a767159ae1a2d5d62dff3144fdbdfe58f7765ae4d4

Download Submit
C:\Windows\{20EB0653-B990-4aef-9C36-E60137E348EF}.exe

Filesize
64KB

MD5
3118bedb7f872393691231435c26a6d2

SHA1
5f711763bf19589441edd0b722b4f53746281866

SHA256
9ea134fc4982d52f080dbb39a77b19e61598de9e7b1803a39025e1699e48d0c8

SHA512
6c577ba02fab638f571c2561a8bbd05212ded3a5607802ebbba5e2fdb2b907fcace74c39ce954ca34dd1e372ac6a0785228863f57beb48f3f2747085c287459d

Download Submit
C:\Windows\{4999E3E8-C85B-4ba2-A294-8AF4FF0DCF12}.exe

Filesize
64KB

MD5
916483e448d891da9bc029876837b301

SHA1
5e9107101a2db6cacf55afe2393f08016f573d94

SHA256
a94f805198739b358090d08f53f383806cf7b878c68750161b96653192aa6967

SHA512
6bf2c9385a93ed84a3fb46254dabd225bfbbf3a247cfd590864faf5bc9979a073707a96ef793830d89bb436db11bd6800b3cb60fec8201bd94669e2530fd72e2

Download Submit
C:\Windows\{4B789FB4-D3DD-499b-88F3-549F564BBB65}.exe

Filesize
64KB

MD5
7ae5dad7e44a914928d6b8a417199b05

SHA1
ea22d8948e0b2b24021d0055a6573412246f4ec7

SHA256
8179874ae4971f29a455aa21d4e8be45d6282d863341d44b52f4508a66520f2a

SHA512
f4a7ba9bd7ba99ba2b806a4780095263c9b1f8d8dafe6a07f42989c98bf5aa604d4a0bdf51aca2a5ebe9d4dcb89ac6d478f57b4575ba98ae643fa5176bc7e944

Download Submit
C:\Windows\{78FCCB73-9576-4d32-8079-44F41E67B8E5}.exe

Filesize
64KB

MD5
58bb961f8fc0995c957a44051ade5b84

SHA1
c03625d89099927de489e7f5adaa24cd8d70eb75

SHA256
b6f8fe7011de27d5b5101c5becbda5a26eef07ccce26118668ba672425322116

SHA512
47e07dc6e8c20ae6496da4ef675456ef3ed1838acedc27b564edc7d0fa60c057e0b855227e989033e2b8e8e01e5f9e574dc79e56a2ed25768cab53b88a2ff1d7

Download Submit
C:\Windows\{864BB488-01ED-4f6b-8D85-87D5EFE5A434}.exe

Filesize
64KB

MD5
a91fc2260f5be8f266f8dee8d72e7717

SHA1
dd337956e372ff83c6c906a0f289e0e6ae19c1bb

SHA256
5d731933594864c252877a4170b3dd0935ef8ac3d5551e302e2b506da37eddf4

SHA512
fd66acf41adf166a76387fa7b19c942554446469b64abb2fb6e5f8a80a61c84750325f52cc8fe5b27327c3000db213e357a72480fea0da36c0756bbd17e0e052

Download Submit
C:\Windows\{8B7ADA82-986D-4f27-AA88-47885EFC7CB4}.exe

Filesize
64KB

MD5
d11be891e5bb0fa866f248ff60c5c189

SHA1
b04bbc7e69ed02233bc54be3a01d34f51a7190dd

SHA256
7f5e09298ac144b16a853565233a8cd381dea9f49b54467defd75beb7bbd2163

SHA512
2265f95e3dc761d0072f2465d41f2d9bd7d2e527e4d7702cc342e8ea154b14a7faa6b0684efd0c8d61352106508676295cc654b323a6c1eace84e1aefddfd031

Download Submit
C:\Windows\{983CF531-0536-4723-AA6D-BF063D7B7EA6}.exe

Filesize
64KB

MD5
57a88b0628043058e34cf818d49079f0

SHA1
361c5a296267b16cb19c3d84e4648c6c71488db4

SHA256
15df45612e7fed0243b5c5f72b37c7d2dd23cefa56b8260a771e0262d50053a8

SHA512
a9425706bdbfbdbb11e801c383197ee9dc61d2d146e62418b076c687804268bde94ff38d133cdce5f03a3585a27fe45dd6c59a7d782d4935b2d1a26f33b021bb

Download Submit
C:\Windows\{BD9CDDD1-CBBA-4540-AF79-47B0F624B20B}.exe

Filesize
64KB

MD5
d247130aa36f74119a928d222b5d6a4f

SHA1
4bcfbc1696e82b956f5ec4dbbbeab3f2d62dd571

SHA256
4b9450902d43f5930b367dff9ed49e7c4ecdac75f973b3019bc619768f49926f

SHA512
19e2471aeb6acaf48de46fe392aae737a2b4577a9d214bdcb70e591699ca5303a7e26a8f17c6e253426af7d861b4f141649e4faf1d03de869125216048f29b62

Download Submit
C:\Windows\{BFC09644-8673-4a74-92AC-707026362728}.exe

Filesize
64KB

MD5
864cae62a3cbc50287a1c17ff130413a

SHA1
121fa4d5b761dd69df1208f5f14cde32e7ce4e61

SHA256
5f5ebf5e12b056b9ebf4756e3b21ff9edf53972b114750d1fa293d9ea405b591

SHA512
297e46310d90825049c537eb635173809b09d55411ad1165bd258cb8b0a346c4ac65d66c1d42348c63bc4eb13daab541b10e787297ab65bc6fe19af32f047163

Download Submit
C:\Windows\{F3BFF208-F3F1-49fd-B419-9CBE4DCA5F55}.exe

Filesize
64KB

MD5
5167628abadd3045b9a63d86a07bfe8d

SHA1
e3488e0314c9eebdc284d665b4e681a5793c4fa5

SHA256
fea8793fd30ec509d305596503fb46da02ebf9146a6992f28ca8e5c4b118daef

SHA512
cd03bc740fc21936069872e27789b5bd0ecab55cb144e8eda326cf62c1df568ebf1ceb40ac9ef558b1227b527c71be7b4b082bd4aaa22440770dbbce57b694eb

Download Submit
memory/688-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1360-77-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1512-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1512-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1552-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1552-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2196-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2196-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2300-3-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2300-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2300-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2500-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2500-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2716-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2728-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2728-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2828-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2828-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2968-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2968-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download