7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd

Analysis

max time kernel
144s
max time network
123s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
Size

64KB
MD5

34bfba5217ca64941b08ae342a9f10f2
SHA1

1c7371ef4e74b44a712fc5572a3f8377e64fbce0
SHA256

7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd
SHA512

ce93fae3640b6d2a60ccbfa3e62faafa920bb45abf7f53e1121cc5f39a17e2028ad6a21f12c237e0abc6a057950095505308016f9332a87272584212237f7336
SSDEEP

192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwtY04/CFxyNhoy5tF:ObLwOs8AHsc4QMfwhKQLro/4/CFsrdF

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe{98735686-5AD0-456f-A919-509784020AAF}.exe7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}\stubpath = "C:\\Windows\\{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe"	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EA3E164-1898-488d-8B5A-503FEA8506A6}	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F233ABF-4676-4013-9305-6CE3F2654FAF}	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9742371B-3B84-419e-A33B-BC3DD0E46BEE}	{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9742371B-3B84-419e-A33B-BC3DD0E46BEE}\stubpath = "C:\\Windows\\{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe"	{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F1E9FE3-3BD1-4c75-8433-457C07B0C836}\stubpath = "C:\\Windows\\{8F1E9FE3-3BD1-4c75-8433-457C07B0C836}.exe"	{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAE10D49-96E1-49de-AAE7-27A276AF849E}	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}\stubpath = "C:\\Windows\\{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe"	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4F233ABF-4676-4013-9305-6CE3F2654FAF}\stubpath = "C:\\Windows\\{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe"	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}	{98735686-5AD0-456f-A919-509784020AAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}\stubpath = "C:\\Windows\\{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe"	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{EAE10D49-96E1-49de-AAE7-27A276AF849E}\stubpath = "C:\\Windows\\{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe"	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98735686-5AD0-456f-A919-509784020AAF}\stubpath = "C:\\Windows\\{98735686-5AD0-456f-A919-509784020AAF}.exe"	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}\stubpath = "C:\\Windows\\{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe"	{98735686-5AD0-456f-A919-509784020AAF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8F1E9FE3-3BD1-4c75-8433-457C07B0C836}	{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}\stubpath = "C:\\Windows\\{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe"	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8EA3E164-1898-488d-8B5A-503FEA8506A6}\stubpath = "C:\\Windows\\{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe"	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{98735686-5AD0-456f-A919-509784020AAF}	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2136 cmd.exe

pid	process
2136	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe{98735686-5AD0-456f-A919-509784020AAF}.exe{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe{8F1E9FE3-3BD1-4c75-8433-457C07B0C836}.exe

pid	process
2936	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
2632	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
2548	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
1284	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
2912	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
2500	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
2768	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe
1520	{98735686-5AD0-456f-A919-509784020AAF}.exe
2820	{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe
984	{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe
1788	{8F1E9FE3-3BD1-4c75-8433-457C07B0C836}.exe

Drops file in Windows directory 11 IoCs

Processes:

{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe{98735686-5AD0-456f-A919-509784020AAF}.exe

description	ioc	process
File created	C:\Windows\{98735686-5AD0-456f-A919-509784020AAF}.exe	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe
File created	C:\Windows\{8F1E9FE3-3BD1-4c75-8433-457C07B0C836}.exe	{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe
File created	C:\Windows\{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
File created	C:\Windows\{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
File created	C:\Windows\{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
File created	C:\Windows\{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
File created	C:\Windows\{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe	{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe
File created	C:\Windows\{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
File created	C:\Windows\{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
File created	C:\Windows\{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
File created	C:\Windows\{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe	{98735686-5AD0-456f-A919-509784020AAF}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe{98735686-5AD0-456f-A919-509784020AAF}.exe{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	3048	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
Token: SeIncBasePriorityPrivilege	2936	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
Token: SeIncBasePriorityPrivilege	2632	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
Token: SeIncBasePriorityPrivilege	2548	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
Token: SeIncBasePriorityPrivilege	1284	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
Token: SeIncBasePriorityPrivilege	2912	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
Token: SeIncBasePriorityPrivilege	2500	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
Token: SeIncBasePriorityPrivilege	2768	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe
Token: SeIncBasePriorityPrivilege	1520	{98735686-5AD0-456f-A919-509784020AAF}.exe
Token: SeIncBasePriorityPrivilege	2820	{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe
Token: SeIncBasePriorityPrivilege	984	{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 3048 wrote to memory of 2936	3048	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
PID 3048 wrote to memory of 2936	3048	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
PID 3048 wrote to memory of 2936	3048	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
PID 3048 wrote to memory of 2936	3048	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
PID 3048 wrote to memory of 2136	3048	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	cmd.exe
PID 3048 wrote to memory of 2136	3048	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	cmd.exe
PID 3048 wrote to memory of 2136	3048	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	cmd.exe
PID 3048 wrote to memory of 2136	3048	7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe	cmd.exe
PID 2936 wrote to memory of 2632	2936	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
PID 2936 wrote to memory of 2632	2936	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
PID 2936 wrote to memory of 2632	2936	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
PID 2936 wrote to memory of 2632	2936	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
PID 2936 wrote to memory of 2792	2936	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe	cmd.exe
PID 2936 wrote to memory of 2792	2936	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe	cmd.exe
PID 2936 wrote to memory of 2792	2936	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe	cmd.exe
PID 2936 wrote to memory of 2792	2936	{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe	cmd.exe
PID 2632 wrote to memory of 2548	2632	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
PID 2632 wrote to memory of 2548	2632	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
PID 2632 wrote to memory of 2548	2632	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
PID 2632 wrote to memory of 2548	2632	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
PID 2632 wrote to memory of 2696	2632	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe	cmd.exe
PID 2632 wrote to memory of 2696	2632	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe	cmd.exe
PID 2632 wrote to memory of 2696	2632	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe	cmd.exe
PID 2632 wrote to memory of 2696	2632	{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe	cmd.exe
PID 2548 wrote to memory of 1284	2548	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
PID 2548 wrote to memory of 1284	2548	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
PID 2548 wrote to memory of 1284	2548	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
PID 2548 wrote to memory of 1284	2548	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
PID 2548 wrote to memory of 2848	2548	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe	cmd.exe
PID 2548 wrote to memory of 2848	2548	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe	cmd.exe
PID 2548 wrote to memory of 2848	2548	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe	cmd.exe
PID 2548 wrote to memory of 2848	2548	{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe	cmd.exe
PID 1284 wrote to memory of 2912	1284	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
PID 1284 wrote to memory of 2912	1284	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
PID 1284 wrote to memory of 2912	1284	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
PID 1284 wrote to memory of 2912	1284	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
PID 1284 wrote to memory of 1572	1284	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe	cmd.exe
PID 1284 wrote to memory of 1572	1284	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe	cmd.exe
PID 1284 wrote to memory of 1572	1284	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe	cmd.exe
PID 1284 wrote to memory of 1572	1284	{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe	cmd.exe
PID 2912 wrote to memory of 2500	2912	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
PID 2912 wrote to memory of 2500	2912	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
PID 2912 wrote to memory of 2500	2912	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
PID 2912 wrote to memory of 2500	2912	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
PID 2912 wrote to memory of 2012	2912	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe	cmd.exe
PID 2912 wrote to memory of 2012	2912	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe	cmd.exe
PID 2912 wrote to memory of 2012	2912	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe	cmd.exe
PID 2912 wrote to memory of 2012	2912	{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe	cmd.exe
PID 2500 wrote to memory of 2768	2500	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe
PID 2500 wrote to memory of 2768	2500	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe
PID 2500 wrote to memory of 2768	2500	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe
PID 2500 wrote to memory of 2768	2500	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe
PID 2500 wrote to memory of 2592	2500	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe	cmd.exe
PID 2500 wrote to memory of 2592	2500	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe	cmd.exe
PID 2500 wrote to memory of 2592	2500	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe	cmd.exe
PID 2500 wrote to memory of 2592	2500	{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe	cmd.exe
PID 2768 wrote to memory of 1520	2768	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe	{98735686-5AD0-456f-A919-509784020AAF}.exe
PID 2768 wrote to memory of 1520	2768	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe	{98735686-5AD0-456f-A919-509784020AAF}.exe
PID 2768 wrote to memory of 1520	2768	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe	{98735686-5AD0-456f-A919-509784020AAF}.exe
PID 2768 wrote to memory of 1520	2768	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe	{98735686-5AD0-456f-A919-509784020AAF}.exe
PID 2768 wrote to memory of 2264	2768	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe	cmd.exe
PID 2768 wrote to memory of 2264	2768	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe	cmd.exe
PID 2768 wrote to memory of 2264	2768	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe	cmd.exe
PID 2768 wrote to memory of 2264	2768	{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe
"C:\Users\Admin\AppData\Local\Temp\7f44f4a3963a91b85a4eed6d12152c706a8936409fefc56210495ed259eb44fd.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
C:\Windows\{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe
2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
C:\Windows\{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe
3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2632

C:\Windows\{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
C:\Windows\{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe
4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2548

C:\Windows\{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
C:\Windows\{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe
5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
C:\Windows\{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe
6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912

C:\Windows\{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
C:\Windows\{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe
7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500

C:\Windows\{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe
C:\Windows\{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe
8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\{98735686-5AD0-456f-A919-509784020AAF}.exe
C:\Windows\{98735686-5AD0-456f-A919-509784020AAF}.exe
9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe
C:\Windows\{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe
10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe
C:\Windows\{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe
11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:984

C:\Windows\{8F1E9FE3-3BD1-4c75-8433-457C07B0C836}.exe
C:\Windows\{8F1E9FE3-3BD1-4c75-8433-457C07B0C836}.exe
12⤵
- Executes dropped EXE
PID:1788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{97423~1.EXE > nul
12⤵
PID:2492

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{1A6A0~1.EXE > nul
11⤵
PID:1476

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{98735~1.EXE > nul
10⤵
PID:2740

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A77DB~1.EXE > nul
9⤵
PID:2264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{4F233~1.EXE > nul
8⤵
PID:2592

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{8EA3E~1.EXE > nul
7⤵
PID:2012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{40ABD~1.EXE > nul
6⤵
PID:1572

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{EAE10~1.EXE > nul
5⤵
PID:2848

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{16B1B~1.EXE > nul
4⤵
PID:2696

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{C7EFC~1.EXE > nul
3⤵
PID:2792

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7F44F4~1.EXE > nul
2⤵
- Deletes itself
PID:2136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{16B1BD39-2B67-40ff-8F6D-2BEED0F63449}.exe

Filesize
64KB

MD5
db8fd1c9f82233e03f95e568e0acc3e8

SHA1
754445beb8481653da3408bbaa17e3c115040cf0

SHA256
21be22e1c4e0ab252c6dc1e92fff3d18cfc3d261c634c873db34d766f91975bd

SHA512
4f5eaf3ade7728dbae9d841cf437f3dfe63ac3e3f780785f08c7cfbbb2ac8d50926b5ed861929579ddc63098e0fcf72a07ee4e9df1596d7a47f73d3e13398fe9

Download Submit
C:\Windows\{1A6A0ED0-4E20-4829-937C-CF86F490A7C4}.exe

Filesize
64KB

MD5
27f971e3851acf517c52b6d97475222a

SHA1
7a310c3cddda0b58bbc3f5dd43fe7d4578a72ebb

SHA256
ef7b78b7269117b1fbe1db3446bf79209fd825aae45a4e4e31f361b1d4e86798

SHA512
5d19abbbb81bf3af0f88d2c62dc67c9be2420cf53cf7df9f360038962405eab9cdaae79b5264d20d71f930f50abe3f81e8d380ebe3c1cea11e93485d38e4a8a9

Download Submit
C:\Windows\{40ABDCC1-EB32-4ec9-BF8C-DC528AF084C6}.exe

Filesize
64KB

MD5
baade01f008888338c76fd37b8c82020

SHA1
205dc19a6a80749283d048bac5c1ecc826bf384c

SHA256
6c9a04efdd4dc6459afd8b8312cce8259f24ac7decaed42000466b797e973fb8

SHA512
18b340d25564f6ea664d4fb9093ba11d364df64ed1c6b27a2c31201f163497b65aa97482c867b3d9f92b97e068ae4753c7d018458d5395a2b8befeddae4d2430

Download Submit
C:\Windows\{4F233ABF-4676-4013-9305-6CE3F2654FAF}.exe

Filesize
64KB

MD5
bd0414e835e61a817f111d79bbe81a3a

SHA1
d9c3402fe3fc15104d5aa2ac90107f7adedf14a7

SHA256
5dd0e791949f7b2c772b4d7ac0d116cc911ab2e82392dc50739ea7f9ea797c32

SHA512
43621e15fe26e5c22befe9248083e8513b81488b80d98400edfb6efd757224ae3988f0034769f54b4d322c6d4c738486b68598473e09857e6db3ae7042eef5c6

Download Submit
C:\Windows\{8EA3E164-1898-488d-8B5A-503FEA8506A6}.exe

Filesize
64KB

MD5
2151d6fbe9f9da25e779a2d062c0cd25

SHA1
23e1e578a4dc7e2d2d922ed2504a0fe7c7c9306b

SHA256
d6a00d4e8bda3f9e3a1b5b364ff6063f241c6afe7184f631fa2b2426211c7956

SHA512
4fc9879fa5692ca202fb9c5dfd20c84f9e7fba9621c0e911df9417d00ec1a54e18b08da02bf91495e0aa4c531da57dec6d23f086da902183e907b358bd202ef9

Download Submit
C:\Windows\{8F1E9FE3-3BD1-4c75-8433-457C07B0C836}.exe

Filesize
64KB

MD5
331f6829ad6b06789e472cd9bc887aca

SHA1
cc337f1f18425e5ffdb5a50a2551de4535cb05b5

SHA256
4b7584d18f5c45ff912c04c6504472591afc38ccadc37728472711ffbeb04116

SHA512
91520986fa896cc9721d70488faa78b78911fdb3c6f143bf9902cc4723b3178f26cd6d98e3b36205d05fc029fc7b06baeca9f2adc7f98414958284ac4798403c

Download Submit
C:\Windows\{9742371B-3B84-419e-A33B-BC3DD0E46BEE}.exe

Filesize
64KB

MD5
71faf47cbcaf5eb18e5e30ad7ecd6938

SHA1
c07c0122c208126c52f2a84218f69a1a002b36db

SHA256
8618412fd4e3ee28b98f4400f6819a712d7817540f10e5e2a360ea7ac92cc979

SHA512
32bd9b1f55a35a072c14d6e67635355a90dd740a4e3000818515779ff853db7ad758c624285cc657873cb05c6ab5e78bc507fb3dbe1f9c125e2ad1b5dfeef290

Download Submit
C:\Windows\{98735686-5AD0-456f-A919-509784020AAF}.exe

Filesize
64KB

MD5
acccfca5f195b59fb287e2642bb3df68

SHA1
17b76bf977e0fde2d3afe1fc12eff146afa02e2a

SHA256
98b1bd27db240e090c9cc7c24ad0018bad38264527cebe63e0fa0dd913b17c2b

SHA512
c00d2e31dedf9d98f54a28c0218dc6e7ad43a7758ea42545a8cf4ebed66074d21c97b18756071e20376504a02c743651b0f7712e50f8b6ade161e9c2e8d15d24

Download Submit
C:\Windows\{A77DB236-B2BE-4465-AD77-F14DD9A83ACF}.exe

Filesize
64KB

MD5
e662710107231afb903ba04e49cafa64

SHA1
b200d725fd39c6f5df267c4a190ccf144fef61ca

SHA256
d9f0b658442905a2900df5cf86b69da095f4bae92962431cf4162b73815e32dd

SHA512
068ba6c64223c43dde7185f33faea8162132393fa184d87220247ee6b53e5e2b22ccc6b4b842106c17fc4e1ee7aef5f633b33cd0d1ace9db97ffab5fc11f9ab7

Download Submit
C:\Windows\{C7EFC7D7-1DF1-46dd-8880-A152BCB88960}.exe

Filesize
64KB

MD5
56d4235cc6facf627e0437b4a4755e6e

SHA1
04a03553b0713a835673d7d3ffd0030245dbcebf

SHA256
0be0921c2e84ff1bf8253bc238d77ce9c9e39fffbdc8f420407052882fe2f173

SHA512
0b7899ec480ab050b0713bd656cea3b6d7cd52a2456355bc22f4cb8fb454d2a5e062e6fe0c3c067888f3616e4103b07730a8788726040fe166ac52503e584c5e

Download Submit
C:\Windows\{EAE10D49-96E1-49de-AAE7-27A276AF849E}.exe

Filesize
64KB

MD5
5fb5d8f9659b2d631dbdb128530e6a07

SHA1
cdd205b1feca210b8b4a6c5147e671ae47cb133d

SHA256
ab65ee4b882ba2cfbe260657e092a74b7460cbcf0b039017b9f7ada3c0db666b

SHA512
943112ef867d549045cecd36e39e9364eefe7bd4518d2f53874c44407fd883cdaec4ab4bb40664dee7a818aac5dc9ded7c4acfd2eca8d4b2d181e80e253a36cf

Download Submit
memory/984-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/984-97-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1284-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1284-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1520-78-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2500-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2500-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2548-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2548-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2632-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2632-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2768-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2820-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2820-87-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2912-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2912-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2936-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2936-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3048-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3048-7-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/3048-8-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/3048-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download