7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217

Analysis

max time kernel
149s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04/06/2024, 23:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe
Size

64KB
MD5

08c3b4aca7450472fd173763c12ca1bd
SHA1

4184657727c108b799211b95e116292a05b2d42e
SHA256

7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217
SHA512

eac1cd17b4f99ae34b9aa3d7f95e5ed057f9f75b4c6a5dd8895a5d077e93a85541d707566aaa2fac7ef7754cd9481ea489c2b130b29134ffcaf4d0d111c31262
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLroa4/CFsrdHWMZw:Ovw981xvhKQLroa4/wQpWMZw

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 36 IoCs

resource	yara_rule
behavioral2/memory/2672-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2672-6-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2024-5-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0008000000023388-4.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3548-12-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2024-11-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0008000000023389-10.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000d000000023397-13.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3556-18-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3548-15-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0009000000023389-23.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3556-22-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4812-24-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3104-30-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000e000000023397-29.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4812-28-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000c000000023389-35.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2584-36-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3104-34-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000f000000023397-40.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2584-41-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000700000002341c-47.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4052-46-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4424-44-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4624-53-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4052-52-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000900000002340b-51.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000800000002340c-56.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1852-59-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4624-57-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000b000000023412-62.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1164-65-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1852-63-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000900000002340c-70.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1156-71-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1164-69-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93586E35-5068-4d57-8E54-FF22D31EFF40}\stubpath = "C:\\Windows\\{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe"	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73A148C5-01CF-4eb6-BB0F-DC60301CE12D}	{23325F23-A836-44fd-8F6F-2A87318AF36D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{73A148C5-01CF-4eb6-BB0F-DC60301CE12D}\stubpath = "C:\\Windows\\{73A148C5-01CF-4eb6-BB0F-DC60301CE12D}.exe"	{23325F23-A836-44fd-8F6F-2A87318AF36D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36F27C5E-104B-42a3-815F-5B86F4B43B88}\stubpath = "C:\\Windows\\{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe"	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51338811-7EC9-4c59-822E-0351B6492C0B}	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DADE67DE-8198-42bc-880D-960B9B475B2A}	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}\stubpath = "C:\\Windows\\{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe"	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D782D85-64C6-41de-BB5C-56243335D8B2}\stubpath = "C:\\Windows\\{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe"	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B01994C-D619-4120-AF07-59F9D0195C95}	7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B01994C-D619-4120-AF07-59F9D0195C95}\stubpath = "C:\\Windows\\{2B01994C-D619-4120-AF07-59F9D0195C95}.exe"	7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51338811-7EC9-4c59-822E-0351B6492C0B}\stubpath = "C:\\Windows\\{51338811-7EC9-4c59-822E-0351B6492C0B}.exe"	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93586E35-5068-4d57-8E54-FF22D31EFF40}	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AF31A47-BC1A-496e-99D0-90DBF0D08920}	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7AF31A47-BC1A-496e-99D0-90DBF0D08920}\stubpath = "C:\\Windows\\{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe"	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DADE67DE-8198-42bc-880D-960B9B475B2A}\stubpath = "C:\\Windows\\{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe"	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}\stubpath = "C:\\Windows\\{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe"	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}\stubpath = "C:\\Windows\\{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe"	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D782D85-64C6-41de-BB5C-56243335D8B2}	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23325F23-A836-44fd-8F6F-2A87318AF36D}	{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23325F23-A836-44fd-8F6F-2A87318AF36D}\stubpath = "C:\\Windows\\{23325F23-A836-44fd-8F6F-2A87318AF36D}.exe"	{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36F27C5E-104B-42a3-815F-5B86F4B43B88}	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe

Executes dropped EXE 12 IoCs

pid	Process
2024	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe
3548	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe
3556	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe
4812	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe
3104	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe
2584	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe
4424	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe
4052	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe
4624	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe
1852	{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe
1164	{23325F23-A836-44fd-8F6F-2A87318AF36D}.exe
1156	{73A148C5-01CF-4eb6-BB0F-DC60301CE12D}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe
File created	C:\Windows\{23325F23-A836-44fd-8F6F-2A87318AF36D}.exe	{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe
File created	C:\Windows\{73A148C5-01CF-4eb6-BB0F-DC60301CE12D}.exe	{23325F23-A836-44fd-8F6F-2A87318AF36D}.exe
File created	C:\Windows\{2B01994C-D619-4120-AF07-59F9D0195C95}.exe	7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe
File created	C:\Windows\{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe
File created	C:\Windows\{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe
File created	C:\Windows\{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe
File created	C:\Windows\{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe
File created	C:\Windows\{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe
File created	C:\Windows\{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe
File created	C:\Windows\{51338811-7EC9-4c59-822E-0351B6492C0B}.exe	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe
File created	C:\Windows\{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2672	7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe
Token: SeIncBasePriorityPrivilege	2024	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe
Token: SeIncBasePriorityPrivilege	3548	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe
Token: SeIncBasePriorityPrivilege	3556	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe
Token: SeIncBasePriorityPrivilege	4812	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe
Token: SeIncBasePriorityPrivilege	3104	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe
Token: SeIncBasePriorityPrivilege	2584	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe
Token: SeIncBasePriorityPrivilege	4424	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe
Token: SeIncBasePriorityPrivilege	4052	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe
Token: SeIncBasePriorityPrivilege	4624	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe
Token: SeIncBasePriorityPrivilege	1852	{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe
Token: SeIncBasePriorityPrivilege	1164	{23325F23-A836-44fd-8F6F-2A87318AF36D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 2024	2672	7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe	96
PID 2672 wrote to memory of 2024	2672	7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe	96
PID 2672 wrote to memory of 2024	2672	7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe	96
PID 2672 wrote to memory of 416	2672	7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe	97
PID 2672 wrote to memory of 416	2672	7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe	97
PID 2672 wrote to memory of 416	2672	7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe	97
PID 2024 wrote to memory of 3548	2024	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe	98
PID 2024 wrote to memory of 3548	2024	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe	98
PID 2024 wrote to memory of 3548	2024	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe	98
PID 2024 wrote to memory of 4996	2024	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe	99
PID 2024 wrote to memory of 4996	2024	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe	99
PID 2024 wrote to memory of 4996	2024	{2B01994C-D619-4120-AF07-59F9D0195C95}.exe	99
PID 3548 wrote to memory of 3556	3548	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe	103
PID 3548 wrote to memory of 3556	3548	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe	103
PID 3548 wrote to memory of 3556	3548	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe	103
PID 3548 wrote to memory of 2700	3548	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe	104
PID 3548 wrote to memory of 2700	3548	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe	104
PID 3548 wrote to memory of 2700	3548	{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe	104
PID 3556 wrote to memory of 4812	3556	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe	105
PID 3556 wrote to memory of 4812	3556	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe	105
PID 3556 wrote to memory of 4812	3556	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe	105
PID 3556 wrote to memory of 4436	3556	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe	106
PID 3556 wrote to memory of 4436	3556	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe	106
PID 3556 wrote to memory of 4436	3556	{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe	106
PID 4812 wrote to memory of 3104	4812	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe	107
PID 4812 wrote to memory of 3104	4812	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe	107
PID 4812 wrote to memory of 3104	4812	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe	107
PID 4812 wrote to memory of 3108	4812	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe	108
PID 4812 wrote to memory of 3108	4812	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe	108
PID 4812 wrote to memory of 3108	4812	{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe	108
PID 3104 wrote to memory of 2584	3104	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe	110
PID 3104 wrote to memory of 2584	3104	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe	110
PID 3104 wrote to memory of 2584	3104	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe	110
PID 3104 wrote to memory of 4328	3104	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe	111
PID 3104 wrote to memory of 4328	3104	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe	111
PID 3104 wrote to memory of 4328	3104	{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe	111
PID 2584 wrote to memory of 4424	2584	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe	112
PID 2584 wrote to memory of 4424	2584	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe	112
PID 2584 wrote to memory of 4424	2584	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe	112
PID 2584 wrote to memory of 4516	2584	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe	113
PID 2584 wrote to memory of 4516	2584	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe	113
PID 2584 wrote to memory of 4516	2584	{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe	113
PID 4424 wrote to memory of 4052	4424	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe	117
PID 4424 wrote to memory of 4052	4424	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe	117
PID 4424 wrote to memory of 4052	4424	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe	117
PID 4424 wrote to memory of 4188	4424	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe	118
PID 4424 wrote to memory of 4188	4424	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe	118
PID 4424 wrote to memory of 4188	4424	{51338811-7EC9-4c59-822E-0351B6492C0B}.exe	118
PID 4052 wrote to memory of 4624	4052	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe	122
PID 4052 wrote to memory of 4624	4052	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe	122
PID 4052 wrote to memory of 4624	4052	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe	122
PID 4052 wrote to memory of 4652	4052	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe	123
PID 4052 wrote to memory of 4652	4052	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe	123
PID 4052 wrote to memory of 4652	4052	{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe	123
PID 4624 wrote to memory of 1852	4624	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe	124
PID 4624 wrote to memory of 1852	4624	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe	124
PID 4624 wrote to memory of 1852	4624	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe	124
PID 4624 wrote to memory of 3340	4624	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe	125
PID 4624 wrote to memory of 3340	4624	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe	125
PID 4624 wrote to memory of 3340	4624	{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe	125
PID 1852 wrote to memory of 1164	1852	{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe	128
PID 1852 wrote to memory of 1164	1852	{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe	128
PID 1852 wrote to memory of 1164	1852	{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe	128
PID 1852 wrote to memory of 2208	1852	{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe	129

C:\Users\Admin\AppData\Local\Temp\7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe
"C:\Users\Admin\AppData\Local\Temp\7c9c4b313ffa65e47e5164d200443edfaadda2251434b1119e33a93f9f2ea217.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Windows\{2B01994C-D619-4120-AF07-59F9D0195C95}.exe
  C:\Windows\{2B01994C-D619-4120-AF07-59F9D0195C95}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe
    C:\Windows\{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3548
  - - C:\Windows\{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe
      C:\Windows\{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Windows\{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe
        
        C:\Windows\{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
      - C:\Windows\{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe
        
        C:\Windows\{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3104
        
        C:\Windows\{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe
        
        C:\Windows\{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\{51338811-7EC9-4c59-822E-0351B6492C0B}.exe
        
        C:\Windows\{51338811-7EC9-4c59-822E-0351B6492C0B}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe
        
        C:\Windows\{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe
        
        C:\Windows\{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4624
        
        C:\Windows\{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe
        
        C:\Windows\{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\{23325F23-A836-44fd-8F6F-2A87318AF36D}.exe
        
        C:\Windows\{23325F23-A836-44fd-8F6F-2A87318AF36D}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\{73A148C5-01CF-4eb6-BB0F-DC60301CE12D}.exe
        
        C:\Windows\{73A148C5-01CF-4eb6-BB0F-DC60301CE12D}.exe
        13⤵
        Executes dropped EXE
        
        PID:1156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23325~1.EXE > nul
        13⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AF31~1.EXE > nul
        12⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93586~1.EXE > nul
        11⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6D782~1.EXE > nul
        10⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{51338~1.EXE > nul
        9⤵
        
        PID:4188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7AEC1~1.EXE > nul
        8⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80E84~1.EXE > nul
        7⤵
        
        PID:4328
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C62FB~1.EXE > nul
        6⤵
        
        PID:3108
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{36F27~1.EXE > nul
        5⤵
        
        PID:4436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DADE6~1.EXE > nul
      4⤵
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2B019~1.EXE > nul
    3⤵
    PID:4996
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7C9C4B~1.EXE > nul
  2⤵
  PID:416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{23325F23-A836-44fd-8F6F-2A87318AF36D}.exe

Filesize
64KB

MD5
993a429961a553741913351eb3bc1d9b

SHA1
c644010db3c7298c1a7eb1eea1b1bebafd0af003

SHA256
6803ad48b2c95218b040678b6cb3f59cd94980f79de5fdd398eae99ac998f98b

SHA512
00a420ec7604b30ade110b8b35ebd509f309b42de1983f9256fe703bfcc133bf8198e7bb51d7a98036c313aaa11f6d304fa331e73d88586fdcbacf8d200f10b6

Download Submit
C:\Windows\{2B01994C-D619-4120-AF07-59F9D0195C95}.exe

Filesize
64KB

MD5
33b7c09f3dfc77fbdb0a86b9f26efa2a

SHA1
476b8a441c30db88a29de644caa4dd082474e39f

SHA256
6df8d0c219f83ea8ecec5a2c6534cfb7f1324cdcce0b85d525e537e20bc02241

SHA512
0c7749d15e8afb133165da5f7caed252b367b4624f02c9c945c8716b59fb81938ed4b36ebf7f98d4e58a1d43eb0f0559dfe397db1889ad82f16708de7d2980e5

Download Submit
C:\Windows\{36F27C5E-104B-42a3-815F-5B86F4B43B88}.exe

Filesize
64KB

MD5
06cd110a341db850dc346230a8d77915

SHA1
3af17a09196761040ee3c26eabf5eedfe0e5ec78

SHA256
9289e9968ce4acb9e2a935afbeb24680326d60e4518c27663b4266353151c769

SHA512
5f66503ecbb13089445c61d6273c72eeddfab89b40910c1ec8e4e9ab578b3a989fd03cb0ac1867f0cbe1d3c3016f4233c312d8e39057988738978956a47f12cc

Download Submit
C:\Windows\{51338811-7EC9-4c59-822E-0351B6492C0B}.exe

Filesize
64KB

MD5
3e212e462ab8e101a07a62d57c9caf4d

SHA1
32e9e706951366cd2f33a02ce60ca1fd4e1e41b7

SHA256
fb4078fd02fa0b5ca33c7c035e178ac59660a7b8f77c3c47a2224cb6acde093e

SHA512
e7cc45901e61a55c771bddcff3504544dee8ead866c381c501fe1671650ad5964ee2e57f7c6be255a822ae15a352bf1ff40f08355563846cc82ba443c097871a

Download Submit
C:\Windows\{6D782D85-64C6-41de-BB5C-56243335D8B2}.exe

Filesize
64KB

MD5
cffe8afb01c7b9536ef30c2963357d3c

SHA1
f07356e770d6febc99cba2438678d645b105fc97

SHA256
f21a7cbe70c95146377dfe657939ee38ca8a2a173be9819f9f7f87428e978f8b

SHA512
26a985c75d6bfed925859fd270ec6d75a8569b411d77dabf3088921ebd657a1aacb30f2c149d0df9cbf17328c5d5e7cc74edf589ade299884e415b12566b4e7c

Download Submit
C:\Windows\{73A148C5-01CF-4eb6-BB0F-DC60301CE12D}.exe

Filesize
64KB

MD5
21620e187a3200f9a3b494decce6cd09

SHA1
c86f3cc38f6008b2ab32e27acfcc38bda149a1b2

SHA256
4f363af2cd23f20cc91cc00f768c0887ff38793799c5b118f6de973d33fca93d

SHA512
ceda3a1bfbabbf6563823bc9b8daa5ae4dd8c95f020241b9d555836fdf1a7d7b402a91e46b4957c290156899c5a6e87cda2ddc8a5684bd8f289e6152fdce37bb

Download Submit
C:\Windows\{7AEC1FE8-38E7-4800-811F-AA8F765E50A4}.exe

Filesize
64KB

MD5
d9abf0c9a3f0fa14f5b1cddc7e1d651a

SHA1
b7abf322e79ff64b014612966050c5760717327c

SHA256
883c20baea4019bf27a35e0d7085845553ccb53ef617b39998a4e3908e4fb507

SHA512
9e82150c1dbe66221716624e275d740e7cb9e56385a338e7678bcfaf4102f2f30fa3cbcc9cd5be161634120d38191f29710e92cb9c8849a272e94f5deab4c1de

Download Submit
C:\Windows\{7AF31A47-BC1A-496e-99D0-90DBF0D08920}.exe

Filesize
64KB

MD5
6e4020e46a4f20856171c33a7849bd4a

SHA1
b9e93ff4bdf7ec11ec28e6a5483f3fc18201d8fa

SHA256
8e48aee03c47f08be11357943996ba148bf3279d2923b1e348d9de9adff99120

SHA512
2f6617a1a942b01e6e517ee134925202104e68f8e55c4dd64b57f7750e195a5852cf4e6a631b4fbbb593c3d8f2f5848ee41be02117eaad71520b3cd17b074e19

Download Submit
C:\Windows\{80E84CCA-AB5B-4629-B1E3-3488B2C3CF8F}.exe

Filesize
64KB

MD5
f52deebb08a936a0021272e38464fc90

SHA1
3903e77407df14506f299db6403e0eabf1df0486

SHA256
b90762d1bc65176223b019d54f7197fc866e60575ce6ac9ff20fb486606ae1ce

SHA512
9667c971d72c44c0b518e8c8d9864dbe5a49edba654f46dcb465432dc4596069583f6e7feeb79ca1f3ff4b57e7de7b4e8c3db7619bfa2b49778f3ac254e9aab5

Download Submit
C:\Windows\{93586E35-5068-4d57-8E54-FF22D31EFF40}.exe

Filesize
64KB

MD5
20f3c725fe4af9d9d5020d553c826f0e

SHA1
e8d6a7af3b5f99169eda882bdadc4458b185cf70

SHA256
e702df7bd828f63319688f28f7178c8c868eac40a00146545312b28887290de8

SHA512
4d7fe72f17b9c79094c8606bff953803d3b862ffe95fb5ed0fadcc1ce29290cee2bdfdd9c75dc117372c3a6a30a0ffc0cab20ed1d69651b47ce2a73d1fe8d517

Download Submit
C:\Windows\{C62FBEBA-F013-4dd8-BF0D-E09DAB362C90}.exe

Filesize
64KB

MD5
0bcb578cd91e5e1e4bdf0f89bd8775a9

SHA1
c00869b5d9f49de5f688533aa46b45c080958eae

SHA256
de3a385c5215f48400214896a84d2cb9baf0fa7de5d4936ac0e8ba6daddf17d0

SHA512
6f8bead9051fe7e6fa724a75ea7ae5a0b83f0ebaaac1bd0f38387d0cc541b8940481c033d90e95bfd5128e142a4546a84cabee9579883f62834d2d89307f0ea4

Download Submit
C:\Windows\{DADE67DE-8198-42bc-880D-960B9B475B2A}.exe

Filesize
64KB

MD5
3f4e7e1b1f4e0a754d09dabc6e9d5caa

SHA1
f9eca01c27bef6bd4a0f1110140ef2722b9fd814

SHA256
2311445e4e052be9cfa3cc6427f2bdf772abbf744e21dd85967974ad1d289288

SHA512
a949df1cff73ef931a38911f5c075a7063c8465c15623af08c4f4b4a6a7c572ca91e41deea4fa88c2cdde1ec47ef68e433675bc7fc9a355941cc2ba8a3a82b7a

Download Submit
memory/1156-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1164-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1164-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1852-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1852-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2024-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2584-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2584-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2672-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2672-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3104-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3104-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3548-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3548-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3556-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3556-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4052-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4052-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4424-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4624-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4624-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4812-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4812-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads