e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
Size

64KB
MD5

548bf9609260f39464e76d217a17e227
SHA1

2a3bc7885c2a5d41377e4d08724b8d3739e730e4
SHA256

e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658
SHA512

945413f5e0760107164b662124bd3c8427d2d53f8949d5ed0a1b2bdb5c333b87590218c038c013e4d134500667dd9f9d80dc23ed4a059a54de450d420190b882
SSDEEP

384:ObLwOs8AHsc4HMPwhKQLroh4/CFsrdHWMZw:Ovw981xvhKQLroh4/wQpWMZw

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 33 IoCs

resource	yara_rule
behavioral2/memory/4560-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0009000000023370-3.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2596-6-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4560-5-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0009000000023373-9.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3552-12-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2596-10-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000800000001e3da-13.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3552-16-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4328-18-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a000000023373-21.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4348-24-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4328-23-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4348-28-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000900000001e3da-29.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3360-34-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000d000000023373-33.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a00000001e3da-37.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4636-38-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/432-40-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/432-43-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a000000023406-45.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2012-48-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a00000002340d-49.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3724-50-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3724-56-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4816-57-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000b000000023406-55.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000b000000023413-60.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4816-61-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4724-63-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4724-67-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000c000000023406-68.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8019245E-110F-4307-A7AB-E2827156FFF4}\stubpath = "C:\\Windows\\{8019245E-110F-4307-A7AB-E2827156FFF4}.exe"	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59EA4A1-C70E-488c-ACD1-54CB4BBF72D6}\stubpath = "C:\\Windows\\{C59EA4A1-C70E-488c-ACD1-54CB4BBF72D6}.exe"	{44DDA118-08B8-4af5-B284-0D57D6DB0D82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{838B2C3E-62F1-4952-826F-F5DA723A59BA}	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{838B2C3E-62F1-4952-826F-F5DA723A59BA}\stubpath = "C:\\Windows\\{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe"	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32855B52-83AF-4cdb-B2C6-8503DB751876}	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44DDA118-08B8-4af5-B284-0D57D6DB0D82}\stubpath = "C:\\Windows\\{44DDA118-08B8-4af5-B284-0D57D6DB0D82}.exe"	{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C59EA4A1-C70E-488c-ACD1-54CB4BBF72D6}	{44DDA118-08B8-4af5-B284-0D57D6DB0D82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{32855B52-83AF-4cdb-B2C6-8503DB751876}\stubpath = "C:\\Windows\\{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe"	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}\stubpath = "C:\\Windows\\{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe"	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}\stubpath = "C:\\Windows\\{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe"	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37DA57E4-51B7-462e-8466-8BD6253A4D36}	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C200AFC5-B0AC-43ae-B956-E06191FED2D3}	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37DA57E4-51B7-462e-8466-8BD6253A4D36}\stubpath = "C:\\Windows\\{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe"	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}\stubpath = "C:\\Windows\\{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe"	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C200AFC5-B0AC-43ae-B956-E06191FED2D3}\stubpath = "C:\\Windows\\{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe"	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBD194A6-1A9E-4343-9065-23C9614FFFEC}	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBD194A6-1A9E-4343-9065-23C9614FFFEC}\stubpath = "C:\\Windows\\{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe"	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}\stubpath = "C:\\Windows\\{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe"	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8019245E-110F-4307-A7AB-E2827156FFF4}	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44DDA118-08B8-4af5-B284-0D57D6DB0D82}	{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe

Executes dropped EXE 12 IoCs

pid	Process
2596	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe
3552	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe
4328	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe
4348	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe
3360	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe
4636	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe
432	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe
2012	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe
3724	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe
4816	{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe
4724	{44DDA118-08B8-4af5-B284-0D57D6DB0D82}.exe
2140	{C59EA4A1-C70E-488c-ACD1-54CB4BBF72D6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe
File created	C:\Windows\{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe
File created	C:\Windows\{8019245E-110F-4307-A7AB-E2827156FFF4}.exe	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe
File created	C:\Windows\{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe
File created	C:\Windows\{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe
File created	C:\Windows\{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe
File created	C:\Windows\{44DDA118-08B8-4af5-B284-0D57D6DB0D82}.exe	{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe
File created	C:\Windows\{C59EA4A1-C70E-488c-ACD1-54CB4BBF72D6}.exe	{44DDA118-08B8-4af5-B284-0D57D6DB0D82}.exe
File created	C:\Windows\{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
File created	C:\Windows\{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe
File created	C:\Windows\{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe
File created	C:\Windows\{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4560	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
Token: SeIncBasePriorityPrivilege	2596	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe
Token: SeIncBasePriorityPrivilege	3552	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe
Token: SeIncBasePriorityPrivilege	4328	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe
Token: SeIncBasePriorityPrivilege	4348	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe
Token: SeIncBasePriorityPrivilege	3360	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe
Token: SeIncBasePriorityPrivilege	4636	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe
Token: SeIncBasePriorityPrivilege	432	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe
Token: SeIncBasePriorityPrivilege	2012	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe
Token: SeIncBasePriorityPrivilege	3724	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe
Token: SeIncBasePriorityPrivilege	4816	{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe
Token: SeIncBasePriorityPrivilege	4724	{44DDA118-08B8-4af5-B284-0D57D6DB0D82}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4560 wrote to memory of 2596	4560	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	98
PID 4560 wrote to memory of 2596	4560	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	98
PID 4560 wrote to memory of 2596	4560	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	98
PID 4560 wrote to memory of 4868	4560	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	99
PID 4560 wrote to memory of 4868	4560	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	99
PID 4560 wrote to memory of 4868	4560	e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe	99
PID 2596 wrote to memory of 3552	2596	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe	100
PID 2596 wrote to memory of 3552	2596	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe	100
PID 2596 wrote to memory of 3552	2596	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe	100
PID 2596 wrote to memory of 3400	2596	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe	101
PID 2596 wrote to memory of 3400	2596	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe	101
PID 2596 wrote to memory of 3400	2596	{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe	101
PID 3552 wrote to memory of 4328	3552	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe	104
PID 3552 wrote to memory of 4328	3552	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe	104
PID 3552 wrote to memory of 4328	3552	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe	104
PID 3552 wrote to memory of 4448	3552	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe	105
PID 3552 wrote to memory of 4448	3552	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe	105
PID 3552 wrote to memory of 4448	3552	{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe	105
PID 4328 wrote to memory of 4348	4328	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe	106
PID 4328 wrote to memory of 4348	4328	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe	106
PID 4328 wrote to memory of 4348	4328	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe	106
PID 4328 wrote to memory of 4648	4328	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe	107
PID 4328 wrote to memory of 4648	4328	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe	107
PID 4328 wrote to memory of 4648	4328	{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe	107
PID 4348 wrote to memory of 3360	4348	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe	108
PID 4348 wrote to memory of 3360	4348	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe	108
PID 4348 wrote to memory of 3360	4348	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe	108
PID 4348 wrote to memory of 3584	4348	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe	109
PID 4348 wrote to memory of 3584	4348	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe	109
PID 4348 wrote to memory of 3584	4348	{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe	109
PID 3360 wrote to memory of 4636	3360	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe	111
PID 3360 wrote to memory of 4636	3360	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe	111
PID 3360 wrote to memory of 4636	3360	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe	111
PID 3360 wrote to memory of 2412	3360	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe	112
PID 3360 wrote to memory of 2412	3360	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe	112
PID 3360 wrote to memory of 2412	3360	{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe	112
PID 4636 wrote to memory of 432	4636	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe	113
PID 4636 wrote to memory of 432	4636	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe	113
PID 4636 wrote to memory of 432	4636	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe	113
PID 4636 wrote to memory of 1540	4636	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe	114
PID 4636 wrote to memory of 1540	4636	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe	114
PID 4636 wrote to memory of 1540	4636	{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe	114
PID 432 wrote to memory of 2012	432	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe	116
PID 432 wrote to memory of 2012	432	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe	116
PID 432 wrote to memory of 2012	432	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe	116
PID 432 wrote to memory of 3412	432	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe	117
PID 432 wrote to memory of 3412	432	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe	117
PID 432 wrote to memory of 3412	432	{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe	117
PID 2012 wrote to memory of 3724	2012	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe	123
PID 2012 wrote to memory of 3724	2012	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe	123
PID 2012 wrote to memory of 3724	2012	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe	123
PID 2012 wrote to memory of 2168	2012	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe	124
PID 2012 wrote to memory of 2168	2012	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe	124
PID 2012 wrote to memory of 2168	2012	{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe	124
PID 3724 wrote to memory of 4816	3724	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe	125
PID 3724 wrote to memory of 4816	3724	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe	125
PID 3724 wrote to memory of 4816	3724	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe	125
PID 3724 wrote to memory of 3960	3724	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe	126
PID 3724 wrote to memory of 3960	3724	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe	126
PID 3724 wrote to memory of 3960	3724	{8019245E-110F-4307-A7AB-E2827156FFF4}.exe	126
PID 4816 wrote to memory of 4724	4816	{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe	129
PID 4816 wrote to memory of 4724	4816	{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe	129
PID 4816 wrote to memory of 4724	4816	{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe	129
PID 4816 wrote to memory of 3616	4816	{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe	130

C:\Users\Admin\AppData\Local\Temp\e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe
"C:\Users\Admin\AppData\Local\Temp\e0ce06ba7cbb986c611208e4ceb69c8fa2a785b9dcb572cafdf377a4d6e3b658.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4560
- C:\Windows\{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe
  C:\Windows\{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe
    C:\Windows\{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Windows\{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe
      C:\Windows\{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4328
    - - C:\Windows\{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe
        
        C:\Windows\{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4348
      - C:\Windows\{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe
        
        C:\Windows\{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3360
        
        C:\Windows\{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe
        
        C:\Windows\{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4636
        
        C:\Windows\{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe
        
        C:\Windows\{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:432
        
        C:\Windows\{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe
        
        C:\Windows\{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\{8019245E-110F-4307-A7AB-E2827156FFF4}.exe
        
        C:\Windows\{8019245E-110F-4307-A7AB-E2827156FFF4}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe
        
        C:\Windows\{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4816
        
        C:\Windows\{44DDA118-08B8-4af5-B284-0D57D6DB0D82}.exe
        
        C:\Windows\{44DDA118-08B8-4af5-B284-0D57D6DB0D82}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
        
        C:\Windows\{C59EA4A1-C70E-488c-ACD1-54CB4BBF72D6}.exe
        
        C:\Windows\{C59EA4A1-C70E-488c-ACD1-54CB4BBF72D6}.exe
        13⤵
        Executes dropped EXE
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44DDA~1.EXE > nul
        13⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AB30B~1.EXE > nul
        12⤵
        
        PID:3616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80192~1.EXE > nul
        11⤵
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C200A~1.EXE > nul
        10⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C2AE8~1.EXE > nul
        9⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37DA5~1.EXE > nul
        8⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32855~1.EXE > nul
        7⤵
        
        PID:2412
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{855BA~1.EXE > nul
        6⤵
        
        PID:3584
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4B549~1.EXE > nul
        5⤵
        
        PID:4648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BBD19~1.EXE > nul
      4⤵
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{838B2~1.EXE > nul
    3⤵
    PID:3400
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E0CE06~1.EXE > nul
  2⤵
  PID:4868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{32855B52-83AF-4cdb-B2C6-8503DB751876}.exe

Filesize
64KB

MD5
edb7ed5bcb02333779347211f0eafd63

SHA1
5813463e6763961a002b28c2960895f45173c43e

SHA256
8051ffc1163e0ceeb8160fb6b7c510bf97df35b46952cb5d5fbabc5b0fafcc74

SHA512
7d06cc96055dd524ebf5c5d895d58c22832127f50025cd1855f9358ec1d9c844aa33b626d9c642058e7ffa6334a385f05964c48246e1b1fef71d28a4df98b4bf

Download Submit
C:\Windows\{37DA57E4-51B7-462e-8466-8BD6253A4D36}.exe

Filesize
64KB

MD5
848adef60f22fd9ce8f3255fdb5f8dfd

SHA1
b68363940df1a4fd78022e5034bccf3656654972

SHA256
07b7389af758149f1052ce727858a8a558c0cc44e212f135ed4abb6953db8122

SHA512
cebf1f646512e32ca6b601779207b371df8f7704d27ed46636137939720a50d676d4fc4351d457bbe15061aa5a786d18b7b862d139ed40edfb9b514386a98973

Download Submit
C:\Windows\{44DDA118-08B8-4af5-B284-0D57D6DB0D82}.exe

Filesize
64KB

MD5
a56e142991a8321064a866de52a7bace

SHA1
28e26af6d8c483f9a10e0ab460581fe9ac3d7c78

SHA256
28a20a5b1de3c4b6e2b35c90d3a255a0b4a3ca06b8ab81b9640b86eb8b8e4457

SHA512
35780e27e439fff12566ce0530ba49eb5e64ebbe252f8e16d6764b1e20e24ccbbdef8b84df01b342999ab498dc4681343fbd28c8154f74521dd61fe658672734

Download Submit
C:\Windows\{4B5499A5-A4F1-42f1-B05F-8C2C5B6ACED9}.exe

Filesize
64KB

MD5
d0d9d67726da449b658fef149decf97a

SHA1
8f2cc1802a4af521fa08b760f6b720643a21310c

SHA256
cee8b67cf8787622a50b49cc2f06b330bd782b50583cee5b3fae60a3d1928876

SHA512
d4e42096e81e6b720802be84ca818761e39dcb537476343bb1b39c4151925f05709c037e88381eb183887f8f72e81feb66527f889d5e5e3f62a0a0727983c1d8

Download Submit
C:\Windows\{8019245E-110F-4307-A7AB-E2827156FFF4}.exe

Filesize
64KB

MD5
9849c04980a90789b40300572ae29f1f

SHA1
eec32d20357e0787d4f700e7cf7f4590c38eb230

SHA256
00a39642b259aab91766c01376b5d9c214c4645a60168e8e88fdc35198ffaf08

SHA512
b5180ee98f8d2291f95e4280b9f4c5aaa487e789cd34fe37307063a18dd796a92401e073afb2c608856c40867190683cec6e4e8661521addb6c0b4ee26aaf651

Download Submit
C:\Windows\{838B2C3E-62F1-4952-826F-F5DA723A59BA}.exe

Filesize
64KB

MD5
f54bfda948dcc0234f71a5c2a2cfc30f

SHA1
4d8ff40bf1f4baa8baad3ffa70d98e8674cde805

SHA256
520637956478cd66c29600f203522f73737de0c38acdb09a1e56b90608dc9602

SHA512
c9b6ad8ba9ae4d442e15617ce1057ce2e3b4f4cc5bc753a8c92d8085cfe5da90a6d6d8ca405059fe045a27ece6beffd45567797b121bdaddb888bcbbdb5378d8

Download Submit
C:\Windows\{855BAD9C-AB18-443e-8AF9-34B3E5A2F2F1}.exe

Filesize
64KB

MD5
977764e4c0d65bddf999a40a80295c3a

SHA1
ac46c830e2e784d53e75d62e8cd3da8aada92a5d

SHA256
bddac76bd43a5d623a0870946301e7254734f9a35e30b2f61901fc17915bec16

SHA512
9c61559bb6bf8e42aa62a7cf09285fa3e1843b1b1847fd64948b306b0d80d76f4ec61f7d97d0b798aa2951ed2466cf5dd43d68cf04dd1108ed6f2e1ae5e4dc89

Download Submit
C:\Windows\{AB30BBFD-8540-4d43-BA2E-F29E95A73EAA}.exe

Filesize
64KB

MD5
74fc800ce4ed7186f19ff39889ee06c9

SHA1
2eb64f5d8d40470773c6b004f5a7c5b8c74ed8c1

SHA256
8482043db6e23e3f3c03058080cd430a082138845cee30f905c97ccda0a1df88

SHA512
6ab592403231873aa3196af9ccf54d085da92de9361276418f2e69f7e79ef61268fcf77cb70633e433de3538f45e7af324ed9c6f8dea4624267f6f1614ced9b0

Download Submit
C:\Windows\{BBD194A6-1A9E-4343-9065-23C9614FFFEC}.exe

Filesize
64KB

MD5
1fa4a7737f3e053a591c3b8966addec4

SHA1
88eceddf7f260ba7838308e2164730a5ad677f17

SHA256
c3472070b108ffc7b1dd6988378f891c1c7f0fbbd0afb483533c046de9d0dc90

SHA512
eb2ca36196249b9d061e94bfec68a7b7e590ffdd214548c0d1d72b6d5937c1d25c9e7b9257453fba646ba8172f179272b4d4ff034ceb62736a650c458e9b7e51

Download Submit
C:\Windows\{C200AFC5-B0AC-43ae-B956-E06191FED2D3}.exe

Filesize
64KB

MD5
20f3bd5edee1a0d051c87c30067459fc

SHA1
a6aa8d26591ca4f14500aacc49170d1a5ef24f37

SHA256
0900c6b936a40a7caaa62df78d729ec4467d81d4263d0355333168618daf76a1

SHA512
a37107c2e1608a21f964670031a25ec7e28d3c9c4eae54662227c5c30016767f2533cc80d3362c1bb9abb23f59d95ba0d2be73205146125bc5f831dff27b5668

Download Submit
C:\Windows\{C2AE832E-D5D7-4eb8-A41F-3CC984A9D18F}.exe

Filesize
64KB

MD5
ebc4d0299bb91cba6b05512bf416040a

SHA1
096664b87d2cac4aba418ccee821670203f4a6e4

SHA256
bea211b9f232807c138660a3edb405b4ea3755ce8014581bab049ae2b96e6e63

SHA512
695e7ea8219613168ec09cf4a77eeafd90e031cfe6cd5ec2908786d3bc817446fe09cb83d9aafb502f63bf04299cea49b28eb58faab2619007d60a51006614be

Download Submit
C:\Windows\{C59EA4A1-C70E-488c-ACD1-54CB4BBF72D6}.exe

Filesize
64KB

MD5
f6ca9577a4923be50dce90410b149a17

SHA1
d1854a7408813addbd1d1011c7820e21b5696579

SHA256
283fec319ea7fefd58cbf2fb7d5031ef68caa8b25c266b2b2e299da539ee96a6

SHA512
aeb7ea7f92384052ac887776ba0c6550dc87ef393b8a6e6ea8bc029380276d52a831166bf4bf445a803d7335c67c7526112548c1ca7ea39a2e826a719742ad5a

Download Submit
memory/432-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/432-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2012-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2596-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2596-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3360-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3552-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3552-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3724-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3724-50-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4328-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4328-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4348-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4348-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4560-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4560-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4636-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4724-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4724-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4816-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4816-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads