02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
16-05-2024 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
Size

64KB
MD5

721e84b8d6d4567d937067738cd7170c
SHA1

5b23e8d576e6b1e5e7b3881a29af041b394b80bd
SHA256

02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a
SHA512

ee82e42ccb70283cc787a9658d6ede740559971b656757c5a8dd9fadb5d781e366d144f89a16499f08835625f4a57bed0902c0c8db7c04a5d96030bbe3d01152
SSDEEP

768:Ovw981iqhKQLroCK4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdk:6EGs0oCKlwWMZQcpmgDagIyS1loL7Wrk

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 37 IoCs

resource	yara_rule
behavioral2/memory/3064-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a000000016fa5-3.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4108-5-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3064-6-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4224-10-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0007000000023261-9.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4108-11-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0008000000023267-13.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1592-17-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4224-16-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0009000000023261-21.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3436-24-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1592-22-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4600-30-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0009000000023267-29.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3436-28-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4600-33-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00020000000219e9-34.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4192-35-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00020000000219ea-40.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4192-39-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1748-41-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000300000000070d-46.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1748-45-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4736-47-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000300000000070f-51.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4736-52-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2580-53-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2580-58-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4372-59-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0006000000000026-57.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4372-63-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0005000000000507-64.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2280-65-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2280-69-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000400000000070d-70.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/5092-71-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FDF8AFE-1608-49b8-958A-F220EB508AF9}\stubpath = "C:\\Windows\\{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe"	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{159AB4D2-2914-46a5-A78E-08F4D43CF409}\stubpath = "C:\\Windows\\{159AB4D2-2914-46a5-A78E-08F4D43CF409}.exe"	{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67285900-129D-4e09-A800-009C611E11B9}	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C14238-68F1-4a16-826A-6A7D42F9E458}\stubpath = "C:\\Windows\\{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe"	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2C14238-68F1-4a16-826A-6A7D42F9E458}	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}\stubpath = "C:\\Windows\\{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe"	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67285900-129D-4e09-A800-009C611E11B9}\stubpath = "C:\\Windows\\{67285900-129D-4e09-A800-009C611E11B9}.exe"	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}\stubpath = "C:\\Windows\\{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe"	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F71CA19E-9B2C-4066-A47A-9125956006D8}\stubpath = "C:\\Windows\\{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe"	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0979317-B9D5-4d85-9D3E-05667911CC3D}\stubpath = "C:\\Windows\\{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe"	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2330EA5-00EE-41c5-A6A6-58AA72024749}\stubpath = "C:\\Windows\\{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe"	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{159AB4D2-2914-46a5-A78E-08F4D43CF409}	{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F960CDE-3DFB-4b18-A9E0-D72941A6C16F}	{159AB4D2-2914-46a5-A78E-08F4D43CF409}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B14DAC69-BF56-4353-8184-282C9A096DEC}	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B14DAC69-BF56-4353-8184-282C9A096DEC}\stubpath = "C:\\Windows\\{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe"	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F71CA19E-9B2C-4066-A47A-9125956006D8}	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FDF8AFE-1608-49b8-958A-F220EB508AF9}	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2330EA5-00EE-41c5-A6A6-58AA72024749}	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F960CDE-3DFB-4b18-A9E0-D72941A6C16F}\stubpath = "C:\\Windows\\{7F960CDE-3DFB-4b18-A9E0-D72941A6C16F}.exe"	{159AB4D2-2914-46a5-A78E-08F4D43CF409}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}	{67285900-129D-4e09-A800-009C611E11B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}\stubpath = "C:\\Windows\\{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe"	{67285900-129D-4e09-A800-009C611E11B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A0979317-B9D5-4d85-9D3E-05667911CC3D}	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe

Executes dropped EXE 12 IoCs

pid	Process
4108	{67285900-129D-4e09-A800-009C611E11B9}.exe
4224	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe
1592	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe
3436	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe
4600	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe
4192	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe
1748	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe
4736	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe
2580	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe
4372	{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe
2280	{159AB4D2-2914-46a5-A78E-08F4D43CF409}.exe
5092	{7F960CDE-3DFB-4b18-A9E0-D72941A6C16F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe
File created	C:\Windows\{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe
File created	C:\Windows\{159AB4D2-2914-46a5-A78E-08F4D43CF409}.exe	{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe
File created	C:\Windows\{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe	{67285900-129D-4e09-A800-009C611E11B9}.exe
File created	C:\Windows\{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe
File created	C:\Windows\{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe
File created	C:\Windows\{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe
File created	C:\Windows\{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe
File created	C:\Windows\{7F960CDE-3DFB-4b18-A9E0-D72941A6C16F}.exe	{159AB4D2-2914-46a5-A78E-08F4D43CF409}.exe
File created	C:\Windows\{67285900-129D-4e09-A800-009C611E11B9}.exe	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
File created	C:\Windows\{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe
File created	C:\Windows\{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3064	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
Token: SeIncBasePriorityPrivilege	4108	{67285900-129D-4e09-A800-009C611E11B9}.exe
Token: SeIncBasePriorityPrivilege	4224	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe
Token: SeIncBasePriorityPrivilege	1592	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe
Token: SeIncBasePriorityPrivilege	3436	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe
Token: SeIncBasePriorityPrivilege	4600	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe
Token: SeIncBasePriorityPrivilege	4192	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe
Token: SeIncBasePriorityPrivilege	1748	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe
Token: SeIncBasePriorityPrivilege	4736	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe
Token: SeIncBasePriorityPrivilege	2580	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe
Token: SeIncBasePriorityPrivilege	4372	{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe
Token: SeIncBasePriorityPrivilege	2280	{159AB4D2-2914-46a5-A78E-08F4D43CF409}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 4108	3064	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	94
PID 3064 wrote to memory of 4108	3064	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	94
PID 3064 wrote to memory of 4108	3064	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	94
PID 3064 wrote to memory of 556	3064	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	95
PID 3064 wrote to memory of 556	3064	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	95
PID 3064 wrote to memory of 556	3064	02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe	95
PID 4108 wrote to memory of 4224	4108	{67285900-129D-4e09-A800-009C611E11B9}.exe	101
PID 4108 wrote to memory of 4224	4108	{67285900-129D-4e09-A800-009C611E11B9}.exe	101
PID 4108 wrote to memory of 4224	4108	{67285900-129D-4e09-A800-009C611E11B9}.exe	101
PID 4108 wrote to memory of 4700	4108	{67285900-129D-4e09-A800-009C611E11B9}.exe	102
PID 4108 wrote to memory of 4700	4108	{67285900-129D-4e09-A800-009C611E11B9}.exe	102
PID 4108 wrote to memory of 4700	4108	{67285900-129D-4e09-A800-009C611E11B9}.exe	102
PID 4224 wrote to memory of 1592	4224	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe	104
PID 4224 wrote to memory of 1592	4224	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe	104
PID 4224 wrote to memory of 1592	4224	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe	104
PID 4224 wrote to memory of 3816	4224	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe	105
PID 4224 wrote to memory of 3816	4224	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe	105
PID 4224 wrote to memory of 3816	4224	{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe	105
PID 1592 wrote to memory of 3436	1592	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe	107
PID 1592 wrote to memory of 3436	1592	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe	107
PID 1592 wrote to memory of 3436	1592	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe	107
PID 1592 wrote to memory of 4384	1592	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe	108
PID 1592 wrote to memory of 4384	1592	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe	108
PID 1592 wrote to memory of 4384	1592	{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe	108
PID 3436 wrote to memory of 4600	3436	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe	109
PID 3436 wrote to memory of 4600	3436	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe	109
PID 3436 wrote to memory of 4600	3436	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe	109
PID 3436 wrote to memory of 4432	3436	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe	110
PID 3436 wrote to memory of 4432	3436	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe	110
PID 3436 wrote to memory of 4432	3436	{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe	110
PID 4600 wrote to memory of 4192	4600	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe	111
PID 4600 wrote to memory of 4192	4600	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe	111
PID 4600 wrote to memory of 4192	4600	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe	111
PID 4600 wrote to memory of 1896	4600	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe	112
PID 4600 wrote to memory of 1896	4600	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe	112
PID 4600 wrote to memory of 1896	4600	{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe	112
PID 4192 wrote to memory of 1748	4192	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe	113
PID 4192 wrote to memory of 1748	4192	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe	113
PID 4192 wrote to memory of 1748	4192	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe	113
PID 4192 wrote to memory of 700	4192	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe	114
PID 4192 wrote to memory of 700	4192	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe	114
PID 4192 wrote to memory of 700	4192	{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe	114
PID 1748 wrote to memory of 4736	1748	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe	115
PID 1748 wrote to memory of 4736	1748	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe	115
PID 1748 wrote to memory of 4736	1748	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe	115
PID 1748 wrote to memory of 1956	1748	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe	116
PID 1748 wrote to memory of 1956	1748	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe	116
PID 1748 wrote to memory of 1956	1748	{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe	116
PID 4736 wrote to memory of 2580	4736	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe	117
PID 4736 wrote to memory of 2580	4736	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe	117
PID 4736 wrote to memory of 2580	4736	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe	117
PID 4736 wrote to memory of 4492	4736	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe	118
PID 4736 wrote to memory of 4492	4736	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe	118
PID 4736 wrote to memory of 4492	4736	{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe	118
PID 2580 wrote to memory of 4372	2580	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe	119
PID 2580 wrote to memory of 4372	2580	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe	119
PID 2580 wrote to memory of 4372	2580	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe	119
PID 2580 wrote to memory of 2168	2580	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe	120
PID 2580 wrote to memory of 2168	2580	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe	120
PID 2580 wrote to memory of 2168	2580	{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe	120
PID 4372 wrote to memory of 2280	4372	{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe	121
PID 4372 wrote to memory of 2280	4372	{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe	121
PID 4372 wrote to memory of 2280	4372	{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe	121
PID 4372 wrote to memory of 4988	4372	{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe	122

C:\Users\Admin\AppData\Local\Temp\02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe
"C:\Users\Admin\AppData\Local\Temp\02776df650a7e49614d1fe9b198872726f60b40e0f63002bdf86ca9f628a621a.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\{67285900-129D-4e09-A800-009C611E11B9}.exe
  C:\Windows\{67285900-129D-4e09-A800-009C611E11B9}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Windows\{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe
    C:\Windows\{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe
      C:\Windows\{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1592
    - - C:\Windows\{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe
        
        C:\Windows\{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3436
      - C:\Windows\{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe
        
        C:\Windows\{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4600
        
        C:\Windows\{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe
        
        C:\Windows\{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe
        
        C:\Windows\{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe
        
        C:\Windows\{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe
        
        C:\Windows\{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
        
        C:\Windows\{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe
        
        C:\Windows\{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4372
        
        C:\Windows\{159AB4D2-2914-46a5-A78E-08F4D43CF409}.exe
        
        C:\Windows\{159AB4D2-2914-46a5-A78E-08F4D43CF409}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\{7F960CDE-3DFB-4b18-A9E0-D72941A6C16F}.exe
        
        C:\Windows\{7F960CDE-3DFB-4b18-A9E0-D72941A6C16F}.exe
        13⤵
        Executes dropped EXE
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{159AB~1.EXE > nul
        13⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4938B~1.EXE > nul
        12⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2330~1.EXE > nul
        11⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FDF8~1.EXE > nul
        10⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A0979~1.EXE > nul
        9⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2C14~1.EXE > nul
        8⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F71CA~1.EXE > nul
        7⤵
        
        PID:1896
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B14DA~1.EXE > nul
        6⤵
        
        PID:4432
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BB73~1.EXE > nul
        5⤵
        
        PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E5C8E~1.EXE > nul
      4⤵
      PID:3816
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{67285~1.EXE > nul
    3⤵
    PID:4700
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\02776D~1.EXE > nul
  2⤵
  PID:556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5248 --field-trial-handle=2236,i,5367110156796017614,12594004256180761011,262144 --variations-seed-version /prefetch:8
1⤵
PID:3584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{159AB4D2-2914-46a5-A78E-08F4D43CF409}.exe

Filesize
64KB

MD5
8ac5781c8a18979620dab69f64608565

SHA1
647a819faad20c250122d84a3d3ac74beba85f97

SHA256
a4d569b2178401c87a4cb346e133890415c5d4eb6ab663b022d73ab181278498

SHA512
db3dcd94f3f2ec5488b8b1f287a68497f60489930f854655799f458109b72141070b77cd0a81f2b5cb32be5832d968c12799c2ee7501850c4b80fd26d0891019

Download Submit
C:\Windows\{4938BD4C-AB90-4fb1-B5E7-747E718C0D88}.exe

Filesize
64KB

MD5
82889a758bfdd8445fcbaa3b01696e39

SHA1
e77df282dd6856851044d2197814d12db6c30f8b

SHA256
7377ee5ebffdda6445d42769d9b936c27fcedfc9f711f03efb266fc19a7684bd

SHA512
97e2f8ff81dee2daf2e6303da2b01959a8da49699f7b2d2601257285da6422feb9e721fa169b94ca915e4fde422a3d931b5e47ae9d8751cce19369c3740e0715

Download Submit
C:\Windows\{4FDF8AFE-1608-49b8-958A-F220EB508AF9}.exe

Filesize
64KB

MD5
9816fe5526154653d526243921fc9c4b

SHA1
c28373a7d7d053532daa21a9575b805e8615ab45

SHA256
c646664243e85a77fa115eecf5cb18c082719a6d942095303b4f4b614bab7fc1

SHA512
899db2b4ec87d7ae37aebe4e62b86e0f3afd6c059287e5db501a5a4757436620dbce918949ed631714f16bbebe52dd7c8395ac30c10c6f5b6c7feb56c6e23f5c

Download Submit
C:\Windows\{67285900-129D-4e09-A800-009C611E11B9}.exe

Filesize
64KB

MD5
990cb73931c0784cddeb1d930c904cee

SHA1
9ec2181ff0687c175602a29d187d22fa432af19d

SHA256
003c7b8f809a6d2226f33b6d4b86f95c85038cd9bdae5fbf9385d84905c704ef

SHA512
b415a53befa4a9f3c1830f849d10108751a4b66587c76038dd41095b4be23b4f8f315e09b2454fbb5983294382edc001f9f2fcae71e316a9ed2f4827025eaa4f

Download Submit
C:\Windows\{7BB7317E-FBB9-4606-B4FE-0BE6E2A210F2}.exe

Filesize
64KB

MD5
b81753026e786bcf60a6a10988fb3cb8

SHA1
9b446994118205734de70b2a8f97ecb08ac07881

SHA256
ab4b10e6616390cd0ca28b5e8fd6a655b1d885ab53a15e1664ce166dd9b0323b

SHA512
92c7eede62858f3244f2e64cb26b92b147055f988c18b3c99d04e192fc3bb9c210b4c22045a17143612f9f3057112d5f14845ccc3118b65f606cc659f8946c47

Download Submit
C:\Windows\{7F960CDE-3DFB-4b18-A9E0-D72941A6C16F}.exe

Filesize
64KB

MD5
1278d3660edcde836eecf184b5bbe40b

SHA1
1be1ff2e7ff08b0e1bf3b9862129fbbded3d2d86

SHA256
7d38c005cb034a970e1055a8f6bacb34f55fbb27492163d8f68728d0ad018600

SHA512
50dbfc260b7ead5471dcaa94e542944be28034541286bc2ee40f84d14d8b0ff8392114a37037436e360853ac1e678d776db0954dbfc7e67db3a034a944a35bb3

Download Submit
C:\Windows\{A0979317-B9D5-4d85-9D3E-05667911CC3D}.exe

Filesize
64KB

MD5
eca0cec220e4517f46f0f136443d7d49

SHA1
9a8991c416149976221c4efd76fece4ada78050c

SHA256
8853fc8c402b0adb0082f61498b17a46b076155ea6ade5081e444585cb02a5f8

SHA512
f436abde13e4a1db37f3420db4be75470e4d9afb177389440b0a4d7d971aadd55ef9f3671807be31af103434a2a39d12893e9d1a677e6b06b48ac4f20e22148e

Download Submit
C:\Windows\{B14DAC69-BF56-4353-8184-282C9A096DEC}.exe

Filesize
64KB

MD5
6a2ff21990ba93d275f54308e84382b7

SHA1
f1bcf9e46d372b7dbf2b9aa5c8acee73e0d26c50

SHA256
a5c4b1f796048436ce9de792b4cf6759a81db0c7daac97775aedabc6c8b3f5dc

SHA512
acfd01cc81fe1613898674118066853e2ce3b7c27f0795de5cca497f061249a31f722ecdd88654f5b4d59eb37185ea73f545be8efda69cb20beb4680fb3639b9

Download Submit
C:\Windows\{D2330EA5-00EE-41c5-A6A6-58AA72024749}.exe

Filesize
64KB

MD5
c4a901146fcb6cd88a825cf1492e67cb

SHA1
c2feec7ff5557bc78dc7dc87f7841c3013d07911

SHA256
6de3ff77a2976cf93a104fcf64eb5e26fed14417a8c6286744b40da85225ced8

SHA512
a18f19d3320495e6fa4f8750ab86d43498c2587a36a34bf876b95060cee27a187b1fc25332b1165728c44481988e0b24263cb7722f37e6aee193498d7baf28cf

Download Submit
C:\Windows\{E2C14238-68F1-4a16-826A-6A7D42F9E458}.exe

Filesize
64KB

MD5
c7879f76405b264879cbd48ae2a13b3f

SHA1
3ec10c33178eacfb6ad52e07e8413ad045f5fdf4

SHA256
2b0df9567c87f8acd73d2593957cc27ee9736758e689d1e150b6451996199a12

SHA512
3c2b6fc5a5a4259cb119b1ef9018ad4a7591de8479d092e9d194c5a183743fc4ffbf2f2497735056dab78a934946104d740d0f31bcd3e4a49c7f50842c2fd402

Download Submit
C:\Windows\{E5C8E9B3-9310-4cf8-9C54-AD771AD7922E}.exe

Filesize
64KB

MD5
b95a483d4122aa04964fa73df787d799

SHA1
2aa4477162222bc10c8df94e97e02635ea9e1348

SHA256
7bbd20af81dc1399c4b6b52c57fcfa1d0f7e843688bbf04873e541befd5181b7

SHA512
055a80a9e8de596d8869146c63d20019b491e0230ec7c8df2e1e6df49514d36a2f1efef9fc95b93ca3ad417529809fff539e9794b643136364384d0f612d0ee3

Download Submit
C:\Windows\{F71CA19E-9B2C-4066-A47A-9125956006D8}.exe

Filesize
64KB

MD5
a4254ceaa51bee99c33ae5c1bf93349c

SHA1
21f1e0945366cf7192df8a27352ac164d3c1afa3

SHA256
4a2d3724bf7bfdbcd92b3914c33b9190b30be09bfc3a04afd56d0bd6e29af905

SHA512
8fc462e7bebf1e875dd27179b6199acd1621f81367fff1225c9cf7912408b0c5f86740c0705bd7af5e64f6900c9e09d860a7d6a654886b9490a95a7062a56613

Download Submit
memory/1592-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1592-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1748-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2280-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2280-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3064-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3064-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3436-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3436-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4108-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4108-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4192-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4192-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4224-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4224-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4372-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4372-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4600-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4600-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4736-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4736-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5092-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads