8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f

Analysis

max time kernel
144s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
21/05/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
Size

64KB
MD5

b50487e4994bb7f9b5a0afec46dacd76
SHA1

623f01398519e8805c2d07dd3f47c02542c6711a
SHA256

8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f
SHA512

c9549c597d31cf1de80f44d3e4613239ebd5656405e69c13f1aa50dfa9180f4f43768af9cb2cca53436c4de629e23a028b6ab19426d2f4ed6312d982c9086ad1
SSDEEP

768:Ovw9816ihKQLroCB4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdu:6EGU0oCBlwWMZQcpmgDagIyS1loL7Wru

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 32 IoCs

resource	yara_rule
behavioral1/memory/2428-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c00000001227b-5.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1836-9-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2428-7-0x0000000000270000-0x0000000000280000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2428-10-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0038000000015c7f-18.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2732-19-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1836-17-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2732-26-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2052-28-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000d00000001227b-27.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2052-35-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0038000000015c93-36.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2528-37-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0004000000004ed7-45.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2528-44-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000e00000001227b-53.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2264-52-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1428-54-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1428-62-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0005000000004ed7-61.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2868-63-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000f00000001227b-71.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2868-70-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1492-79-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0006000000004ed7-78.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1680-86-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x001000000001227b-87.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/480-88-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/480-95-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/592-97-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000004ed7-96.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}\stubpath = "C:\\Windows\\{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe"	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E5CF5E7-0286-4999-A800-52D401AA4BF6}\stubpath = "C:\\Windows\\{2E5CF5E7-0286-4999-A800-52D401AA4BF6}.exe"	{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}\stubpath = "C:\\Windows\\{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe"	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C754563B-774F-44e0-B460-D088AE5AA335}\stubpath = "C:\\Windows\\{C754563B-774F-44e0-B460-D088AE5AA335}.exe"	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8121AEEC-B5CD-441e-97CA-B6E097E54295}\stubpath = "C:\\Windows\\{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe"	{C754563B-774F-44e0-B460-D088AE5AA335}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}\stubpath = "C:\\Windows\\{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}.exe"	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}\stubpath = "C:\\Windows\\{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}.exe"	{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}	{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}\stubpath = "C:\\Windows\\{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe"	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}\stubpath = "C:\\Windows\\{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe"	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C754563B-774F-44e0-B460-D088AE5AA335}	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{8121AEEC-B5CD-441e-97CA-B6E097E54295}	{C754563B-774F-44e0-B460-D088AE5AA335}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}	{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}\stubpath = "C:\\Windows\\{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}.exe"	{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2E5CF5E7-0286-4999-A800-52D401AA4BF6}	{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}\stubpath = "C:\\Windows\\{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe"	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe

Deletes itself 1 IoCs

pid	Process
3044	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1836	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe
2732	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe
2052	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe
2528	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe
2264	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe
1428	{C754563B-774F-44e0-B460-D088AE5AA335}.exe
2868	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe
1492	{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}.exe
1680	{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}.exe
480	{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}.exe
592	{2E5CF5E7-0286-4999-A800-52D401AA4BF6}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}.exe	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe
File created	C:\Windows\{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}.exe	{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}.exe
File created	C:\Windows\{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
File created	C:\Windows\{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe
File created	C:\Windows\{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe	{C754563B-774F-44e0-B460-D088AE5AA335}.exe
File created	C:\Windows\{C754563B-774F-44e0-B460-D088AE5AA335}.exe	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe
File created	C:\Windows\{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}.exe	{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}.exe
File created	C:\Windows\{2E5CF5E7-0286-4999-A800-52D401AA4BF6}.exe	{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}.exe
File created	C:\Windows\{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe
File created	C:\Windows\{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe
File created	C:\Windows\{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2428	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
Token: SeIncBasePriorityPrivilege	1836	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe
Token: SeIncBasePriorityPrivilege	2732	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe
Token: SeIncBasePriorityPrivilege	2052	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe
Token: SeIncBasePriorityPrivilege	2528	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe
Token: SeIncBasePriorityPrivilege	2264	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe
Token: SeIncBasePriorityPrivilege	1428	{C754563B-774F-44e0-B460-D088AE5AA335}.exe
Token: SeIncBasePriorityPrivilege	2868	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe
Token: SeIncBasePriorityPrivilege	1492	{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}.exe
Token: SeIncBasePriorityPrivilege	1680	{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}.exe
Token: SeIncBasePriorityPrivilege	480	{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 1836	2428	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	28
PID 2428 wrote to memory of 1836	2428	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	28
PID 2428 wrote to memory of 1836	2428	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	28
PID 2428 wrote to memory of 1836	2428	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	28
PID 2428 wrote to memory of 3044	2428	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	29
PID 2428 wrote to memory of 3044	2428	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	29
PID 2428 wrote to memory of 3044	2428	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	29
PID 2428 wrote to memory of 3044	2428	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	29
PID 1836 wrote to memory of 2732	1836	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe	30
PID 1836 wrote to memory of 2732	1836	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe	30
PID 1836 wrote to memory of 2732	1836	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe	30
PID 1836 wrote to memory of 2732	1836	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe	30
PID 1836 wrote to memory of 2660	1836	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe	31
PID 1836 wrote to memory of 2660	1836	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe	31
PID 1836 wrote to memory of 2660	1836	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe	31
PID 1836 wrote to memory of 2660	1836	{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe	31
PID 2732 wrote to memory of 2052	2732	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe	32
PID 2732 wrote to memory of 2052	2732	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe	32
PID 2732 wrote to memory of 2052	2732	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe	32
PID 2732 wrote to memory of 2052	2732	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe	32
PID 2732 wrote to memory of 2536	2732	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe	33
PID 2732 wrote to memory of 2536	2732	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe	33
PID 2732 wrote to memory of 2536	2732	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe	33
PID 2732 wrote to memory of 2536	2732	{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe	33
PID 2052 wrote to memory of 2528	2052	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe	36
PID 2052 wrote to memory of 2528	2052	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe	36
PID 2052 wrote to memory of 2528	2052	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe	36
PID 2052 wrote to memory of 2528	2052	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe	36
PID 2052 wrote to memory of 2824	2052	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe	37
PID 2052 wrote to memory of 2824	2052	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe	37
PID 2052 wrote to memory of 2824	2052	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe	37
PID 2052 wrote to memory of 2824	2052	{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe	37
PID 2528 wrote to memory of 2264	2528	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe	38
PID 2528 wrote to memory of 2264	2528	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe	38
PID 2528 wrote to memory of 2264	2528	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe	38
PID 2528 wrote to memory of 2264	2528	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe	38
PID 2528 wrote to memory of 2076	2528	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe	39
PID 2528 wrote to memory of 2076	2528	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe	39
PID 2528 wrote to memory of 2076	2528	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe	39
PID 2528 wrote to memory of 2076	2528	{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe	39
PID 2264 wrote to memory of 1428	2264	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe	40
PID 2264 wrote to memory of 1428	2264	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe	40
PID 2264 wrote to memory of 1428	2264	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe	40
PID 2264 wrote to memory of 1428	2264	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe	40
PID 2264 wrote to memory of 2748	2264	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe	41
PID 2264 wrote to memory of 2748	2264	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe	41
PID 2264 wrote to memory of 2748	2264	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe	41
PID 2264 wrote to memory of 2748	2264	{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe	41
PID 1428 wrote to memory of 2868	1428	{C754563B-774F-44e0-B460-D088AE5AA335}.exe	42
PID 1428 wrote to memory of 2868	1428	{C754563B-774F-44e0-B460-D088AE5AA335}.exe	42
PID 1428 wrote to memory of 2868	1428	{C754563B-774F-44e0-B460-D088AE5AA335}.exe	42
PID 1428 wrote to memory of 2868	1428	{C754563B-774F-44e0-B460-D088AE5AA335}.exe	42
PID 1428 wrote to memory of 2460	1428	{C754563B-774F-44e0-B460-D088AE5AA335}.exe	43
PID 1428 wrote to memory of 2460	1428	{C754563B-774F-44e0-B460-D088AE5AA335}.exe	43
PID 1428 wrote to memory of 2460	1428	{C754563B-774F-44e0-B460-D088AE5AA335}.exe	43
PID 1428 wrote to memory of 2460	1428	{C754563B-774F-44e0-B460-D088AE5AA335}.exe	43
PID 2868 wrote to memory of 1492	2868	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe	44
PID 2868 wrote to memory of 1492	2868	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe	44
PID 2868 wrote to memory of 1492	2868	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe	44
PID 2868 wrote to memory of 1492	2868	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe	44
PID 2868 wrote to memory of 1384	2868	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe	45
PID 2868 wrote to memory of 1384	2868	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe	45
PID 2868 wrote to memory of 1384	2868	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe	45
PID 2868 wrote to memory of 1384	2868	{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe	45

C:\Users\Admin\AppData\Local\Temp\8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
"C:\Users\Admin\AppData\Local\Temp\8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Windows\{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe
  C:\Windows\{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1836
- - C:\Windows\{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe
    C:\Windows\{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe
      C:\Windows\{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe
        
        C:\Windows\{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
      - C:\Windows\{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe
        
        C:\Windows\{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2264
        
        C:\Windows\{C754563B-774F-44e0-B460-D088AE5AA335}.exe
        
        C:\Windows\{C754563B-774F-44e0-B460-D088AE5AA335}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe
        
        C:\Windows\{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}.exe
        
        C:\Windows\{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}.exe
        
        C:\Windows\{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}.exe
        
        C:\Windows\{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:480
        
        C:\Windows\{2E5CF5E7-0286-4999-A800-52D401AA4BF6}.exe
        
        C:\Windows\{2E5CF5E7-0286-4999-A800-52D401AA4BF6}.exe
        12⤵
        Executes dropped EXE
        
        PID:592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0CF71~1.EXE > nul
        12⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{368FC~1.EXE > nul
        11⤵
        
        PID:300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEAE6~1.EXE > nul
        10⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8121A~1.EXE > nul
        9⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7545~1.EXE > nul
        8⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F90B~1.EXE > nul
        7⤵
        
        PID:2748
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A356C~1.EXE > nul
        6⤵
        
        PID:2076
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2AAF~1.EXE > nul
        5⤵
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9EC6B~1.EXE > nul
      4⤵
      PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F9E6A~1.EXE > nul
    3⤵
    PID:2660
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8302E6~1.EXE > nul
  2⤵
  - Deletes itself
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0CF719D4-3493-4a1e-BA92-C2E23DEB3C64}.exe

Filesize
64KB

MD5
a10020941598781afbaf7a42f14e6404

SHA1
8dec2cb85f7d94f85645a57ecbc5dddec1d79851

SHA256
d592d6456f30fd606c796d15f78f3ddf5e5a9b43052f6a518f3506f563721cbb

SHA512
d38cc9f73563e335efd228ea413ffaa28719e2dc7cd83298f1c39ee39e990b768b4c6d6b19b489b4051490f12a739f5234726cb08088f28c9eb91de87b058905

Download Submit
C:\Windows\{0F90BE5F-7537-45fa-A34B-E359AD9DDFE3}.exe

Filesize
64KB

MD5
ff55269dcc9698355ac0c4100d66b667

SHA1
7079934d6b90b77b37e206994bdce21f6fbd2748

SHA256
7f5bbb9b9bbe322c98d5f545da59d93c010be65279d967bf1fb41960c7a88470

SHA512
400fa05922cb61d1830444b87516fc3fdb830b8f66b8066187e650b142f64e03209828bcd732fed8e33a458254c54a9a0c2b57a2daf2fd50974e05fe3da9dc68

Download Submit
C:\Windows\{2E5CF5E7-0286-4999-A800-52D401AA4BF6}.exe

Filesize
64KB

MD5
95aa32a53db24674721ac670865c4a56

SHA1
3798dbdcb6a5ec0453c5dceb13ea699755f10e9e

SHA256
dc46035a3d9fc9a3b530787848fc074e5c321effc055efe9860fc50a7994adee

SHA512
4929cb66193f950e51c4c9bd5c7f094b2c5fbc509a91f12ba0fa42e9f139c9d9c144e70a9d40dce617ee231ed97d99cf1036c50e62b2c1b87712372b9f9e34a8

Download Submit
C:\Windows\{368FC8CB-E13A-42ef-88C0-C9FF81A67DC8}.exe

Filesize
64KB

MD5
83087f2efab75ad6cac922deca070b05

SHA1
e7177dbc5cf4cb1ce9c8d3fb8a39d02983882193

SHA256
69d021a3878d7b494fa5827d0ee59e3bdc54d3d6ade1ab1980716a2ddd0149ed

SHA512
a36762861e511f44018cb6900c50d78262d250465b7bb3142a6a8c83fe0928f1ca5b841c2f5da2982227b19a92696ccfe975ce253496cabb34819564c54c8c6e

Download Submit
C:\Windows\{8121AEEC-B5CD-441e-97CA-B6E097E54295}.exe

Filesize
64KB

MD5
d6dcdc5e08de92843624db99c37e0c0f

SHA1
7053cfd2f29d1caa558ff58cdd5433a7d14264a0

SHA256
e6dc4420465d2e51b9b792c81669bb83f4eb7662ee0c7314d220d4779bdfbd7c

SHA512
57f3db2a11e638a7121eb74342173c2abd8944f1a35e06dd5d1b06a2ef9ea794bd510845ca60e6622922d7c739683976c6fa8ff71384a7cf5bbbdc5ff98bc368

Download Submit
C:\Windows\{9EC6BFE5-5049-46df-8F62-A5C50B40D18C}.exe

Filesize
64KB

MD5
637537584054eb2f3e3d22aa0f177c15

SHA1
660604eec29f4ccaa12028b4028142d3933e8e18

SHA256
16f3470db9d146482f112b61c57b521069b64a1bc3453d6e1585e61786d636c9

SHA512
380f79c5a1303f727d871a2ea40e63fd782a1dbf2ae4e183ce247e1387ec394fcd23f7254f57345488d4e8ef36261994d3e751408d3c43d0535ed3fc40d042f5

Download Submit
C:\Windows\{A356C48E-34D7-4b3f-B5EE-D04633FB73AE}.exe

Filesize
64KB

MD5
a83e7b34516a59583e7636427b99d6ab

SHA1
b18e903749f24e30397d8ea09360e81ebcd87369

SHA256
81aff688fc70f3b1ca534de91daf2c981777ce5ed52ae70f27ac87fa2c79d2b1

SHA512
c54e75c07a7eeb5072df2e5d03904cdbc5bd23b8b310482ee70dc93d1c6b41c91a7e463c73873f253180ef9484e333691c8d1b8269da2680331be3f25bf0b328

Download Submit
C:\Windows\{C754563B-774F-44e0-B460-D088AE5AA335}.exe

Filesize
64KB

MD5
be7c7c1743818b6d9798cdbf3849928f

SHA1
3e28f4ba4cda51168f4f524cf9f6d6d5bea5bbd3

SHA256
24c8b947e0521b8e254ad4be3f352071b0b4aaca9d8c78d1cf6f0b120a8b1ef7

SHA512
0ec46f91e828743571d28071d1953242252030a589e7235b28db632cb40b14710015ca214beef6b66004ffa7ef4c4f28a2d48d4877c6e9db13e89543c20e4572

Download Submit
C:\Windows\{E2AAFF10-159D-4421-9F3C-22D6E67EDE25}.exe

Filesize
64KB

MD5
648540f591a39b90fcf55e17bc9ca9bc

SHA1
bd905c023b1692fe3beb250332c4d7369f13869b

SHA256
7f54261d1e8a608e01a2865a0fb251fe130eaf258a51e414b660de6b124cdc7b

SHA512
5fb9a2b4223539fadaaa19419c25dc1fa6c04be1011235dd2f0603cc2a955a5a042013b441b598fed7f3cf2a5bc2d3ecc860a91dc1cb536ae88df9f3ef5a2d5e

Download Submit
C:\Windows\{F9E6AEFA-1D8A-4b90-B578-4B285D5EBB4F}.exe

Filesize
64KB

MD5
f404ac4fb2f8695db0592c62209d14b2

SHA1
b24126c7d1cbc497138f4e503a2ec54fb702f2ad

SHA256
5da26287bf94feb6fefe3375a30861306fb2fec2e2ebf0e37a0068fabee43d90

SHA512
2dd568cea152f6c78e77f3139c8c7f17556a176390dea5f78cbb512897520d0ec47d1d528d9aa160b2b6edc7c3600504bc1ae8832adbd4d96b89c9c8ddcc3958

Download Submit
C:\Windows\{FEAE6E54-C0F5-4ad6-BED9-8FBC3FA45155}.exe

Filesize
64KB

MD5
d9bb30ce35a4c7be0d6e10407a6e5bac

SHA1
df627dc8f633b60b140d868f8cb16c14bd1a3dde

SHA256
81119816f524337e2ec988a8a9be1f47016bae772312d98f56127037bd56ad67

SHA512
b43f865ca3c482da0976e6f68020a4316caa244e858f386913bcb54a7fc122bdfa79877f1caeaacc8f2779e0fae7efffc1ecbc46c021cef5271280f45bd06c4e

Download Submit
memory/480-95-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/480-88-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/592-97-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1428-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1428-54-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1492-79-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1680-86-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1836-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1836-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2052-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2052-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2264-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2428-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2428-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2428-7-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2428-8-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2528-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2528-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2732-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2732-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2868-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2868-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads