8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
Size

64KB
MD5

b50487e4994bb7f9b5a0afec46dacd76
SHA1

623f01398519e8805c2d07dd3f47c02542c6711a
SHA256

8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f
SHA512

c9549c597d31cf1de80f44d3e4613239ebd5656405e69c13f1aa50dfa9180f4f43768af9cb2cca53436c4de629e23a028b6ab19426d2f4ed6312d982c9086ad1
SSDEEP

768:Ovw9816ihKQLroCB4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdu:6EGU0oCBlwWMZQcpmgDagIyS1loL7Wru

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 36 IoCs

resource	yara_rule
behavioral2/memory/4296-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000900000002340c-3.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3676-6-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4296-5-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3676-11-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0011000000023412-10.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3040-12-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000800000002341a-13.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3040-15-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1900-17-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0012000000023412-23.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1900-22-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4588-28-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000900000002341a-27.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4556-26-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4588-34-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4900-35-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0015000000023412-33.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a00000002341a-38.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4900-39-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3796-40-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3796-44-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0008000000023430-45.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1412-46-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1412-51-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3216-52-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000f00000002341a-50.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0009000000023420-59.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4516-58-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3216-57-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x001000000002341a-63.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4516-62-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2284-64-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2284-70-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0008000000022973-69.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4032-71-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F139C8B3-B683-4e07-AADF-1114F72897AE}	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F29C34-B933-4b86-858B-78E20B36145E}	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{88F29C34-B933-4b86-858B-78E20B36145E}\stubpath = "C:\\Windows\\{88F29C34-B933-4b86-858B-78E20B36145E}.exe"	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF67C4BA-E298-4c96-988A-9505A0615DD2}\stubpath = "C:\\Windows\\{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe"	{88F29C34-B933-4b86-858B-78E20B36145E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}\stubpath = "C:\\Windows\\{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}.exe"	{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9980700-45D5-406d-8EF7-2808E4F82662}	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F139C8B3-B683-4e07-AADF-1114F72897AE}\stubpath = "C:\\Windows\\{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe"	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F905C07-DE1B-4d2d-B047-94D583420FC7}	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C70458-CCED-4af6-8D55-181A60358D27}\stubpath = "C:\\Windows\\{D3C70458-CCED-4af6-8D55-181A60358D27}.exe"	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D8F48F4-701B-44b8-91FF-15394FB9B986}	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D8F48F4-701B-44b8-91FF-15394FB9B986}\stubpath = "C:\\Windows\\{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe"	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A149086-84F5-461d-8640-9F65C9310A1F}\stubpath = "C:\\Windows\\{3A149086-84F5-461d-8640-9F65C9310A1F}.exe"	{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8505BD20-12B6-4110-B0E9-B394608BFB2D}\stubpath = "C:\\Windows\\{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe"	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{338700B5-28EF-42e3-8FA4-BCB04EEF695E}	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C000C014-15F3-4b50-A313-B6AB992C824F}	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF67C4BA-E298-4c96-988A-9505A0615DD2}	{88F29C34-B933-4b86-858B-78E20B36145E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A149086-84F5-461d-8640-9F65C9310A1F}	{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8505BD20-12B6-4110-B0E9-B394608BFB2D}	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{338700B5-28EF-42e3-8FA4-BCB04EEF695E}\stubpath = "C:\\Windows\\{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe"	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9980700-45D5-406d-8EF7-2808E4F82662}\stubpath = "C:\\Windows\\{E9980700-45D5-406d-8EF7-2808E4F82662}.exe"	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F905C07-DE1B-4d2d-B047-94D583420FC7}\stubpath = "C:\\Windows\\{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe"	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C000C014-15F3-4b50-A313-B6AB992C824F}\stubpath = "C:\\Windows\\{C000C014-15F3-4b50-A313-B6AB992C824F}.exe"	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3C70458-CCED-4af6-8D55-181A60358D27}	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}	{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe

Executes dropped EXE 12 IoCs

pid	Process
3676	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe
3040	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe
1900	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe
4556	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe
4588	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe
4900	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe
3796	{88F29C34-B933-4b86-858B-78E20B36145E}.exe
1412	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe
3216	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe
4516	{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe
2284	{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}.exe
4032	{3A149086-84F5-461d-8640-9F65C9310A1F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{3A149086-84F5-461d-8640-9F65C9310A1F}.exe	{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}.exe
File created	C:\Windows\{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe
File created	C:\Windows\{E9980700-45D5-406d-8EF7-2808E4F82662}.exe	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe
File created	C:\Windows\{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe
File created	C:\Windows\{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe
File created	C:\Windows\{88F29C34-B933-4b86-858B-78E20B36145E}.exe	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe
File created	C:\Windows\{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe	{88F29C34-B933-4b86-858B-78E20B36145E}.exe
File created	C:\Windows\{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}.exe	{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe
File created	C:\Windows\{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
File created	C:\Windows\{C000C014-15F3-4b50-A313-B6AB992C824F}.exe	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe
File created	C:\Windows\{D3C70458-CCED-4af6-8D55-181A60358D27}.exe	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe
File created	C:\Windows\{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4296	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
Token: SeIncBasePriorityPrivilege	3676	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe
Token: SeIncBasePriorityPrivilege	3040	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe
Token: SeIncBasePriorityPrivilege	1900	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe
Token: SeIncBasePriorityPrivilege	4556	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe
Token: SeIncBasePriorityPrivilege	4588	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe
Token: SeIncBasePriorityPrivilege	4900	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe
Token: SeIncBasePriorityPrivilege	3796	{88F29C34-B933-4b86-858B-78E20B36145E}.exe
Token: SeIncBasePriorityPrivilege	1412	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe
Token: SeIncBasePriorityPrivilege	3216	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe
Token: SeIncBasePriorityPrivilege	4516	{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe
Token: SeIncBasePriorityPrivilege	2284	{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 3676	4296	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	94
PID 4296 wrote to memory of 3676	4296	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	94
PID 4296 wrote to memory of 3676	4296	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	94
PID 4296 wrote to memory of 3416	4296	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	95
PID 4296 wrote to memory of 3416	4296	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	95
PID 4296 wrote to memory of 3416	4296	8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe	95
PID 3676 wrote to memory of 3040	3676	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe	97
PID 3676 wrote to memory of 3040	3676	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe	97
PID 3676 wrote to memory of 3040	3676	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe	97
PID 3676 wrote to memory of 4992	3676	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe	98
PID 3676 wrote to memory of 4992	3676	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe	98
PID 3676 wrote to memory of 4992	3676	{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe	98
PID 3040 wrote to memory of 1900	3040	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe	101
PID 3040 wrote to memory of 1900	3040	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe	101
PID 3040 wrote to memory of 1900	3040	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe	101
PID 3040 wrote to memory of 3224	3040	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe	102
PID 3040 wrote to memory of 3224	3040	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe	102
PID 3040 wrote to memory of 3224	3040	{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe	102
PID 1900 wrote to memory of 4556	1900	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe	103
PID 1900 wrote to memory of 4556	1900	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe	103
PID 1900 wrote to memory of 4556	1900	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe	103
PID 1900 wrote to memory of 4088	1900	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe	104
PID 1900 wrote to memory of 4088	1900	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe	104
PID 1900 wrote to memory of 4088	1900	{E9980700-45D5-406d-8EF7-2808E4F82662}.exe	104
PID 4556 wrote to memory of 4588	4556	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe	105
PID 4556 wrote to memory of 4588	4556	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe	105
PID 4556 wrote to memory of 4588	4556	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe	105
PID 4556 wrote to memory of 3940	4556	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe	106
PID 4556 wrote to memory of 3940	4556	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe	106
PID 4556 wrote to memory of 3940	4556	{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe	106
PID 4588 wrote to memory of 4900	4588	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe	108
PID 4588 wrote to memory of 4900	4588	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe	108
PID 4588 wrote to memory of 4900	4588	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe	108
PID 4588 wrote to memory of 1640	4588	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe	109
PID 4588 wrote to memory of 1640	4588	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe	109
PID 4588 wrote to memory of 1640	4588	{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe	109
PID 4900 wrote to memory of 3796	4900	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe	110
PID 4900 wrote to memory of 3796	4900	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe	110
PID 4900 wrote to memory of 3796	4900	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe	110
PID 4900 wrote to memory of 1736	4900	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe	111
PID 4900 wrote to memory of 1736	4900	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe	111
PID 4900 wrote to memory of 1736	4900	{C000C014-15F3-4b50-A313-B6AB992C824F}.exe	111
PID 3796 wrote to memory of 1412	3796	{88F29C34-B933-4b86-858B-78E20B36145E}.exe	115
PID 3796 wrote to memory of 1412	3796	{88F29C34-B933-4b86-858B-78E20B36145E}.exe	115
PID 3796 wrote to memory of 1412	3796	{88F29C34-B933-4b86-858B-78E20B36145E}.exe	115
PID 3796 wrote to memory of 1184	3796	{88F29C34-B933-4b86-858B-78E20B36145E}.exe	116
PID 3796 wrote to memory of 1184	3796	{88F29C34-B933-4b86-858B-78E20B36145E}.exe	116
PID 3796 wrote to memory of 1184	3796	{88F29C34-B933-4b86-858B-78E20B36145E}.exe	116
PID 1412 wrote to memory of 3216	1412	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe	120
PID 1412 wrote to memory of 3216	1412	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe	120
PID 1412 wrote to memory of 3216	1412	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe	120
PID 1412 wrote to memory of 3224	1412	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe	121
PID 1412 wrote to memory of 3224	1412	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe	121
PID 1412 wrote to memory of 3224	1412	{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe	121
PID 3216 wrote to memory of 4516	3216	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe	122
PID 3216 wrote to memory of 4516	3216	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe	122
PID 3216 wrote to memory of 4516	3216	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe	122
PID 3216 wrote to memory of 2272	3216	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe	123
PID 3216 wrote to memory of 2272	3216	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe	123
PID 3216 wrote to memory of 2272	3216	{D3C70458-CCED-4af6-8D55-181A60358D27}.exe	123
PID 4516 wrote to memory of 2284	4516	{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe	124
PID 4516 wrote to memory of 2284	4516	{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe	124
PID 4516 wrote to memory of 2284	4516	{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe	124
PID 4516 wrote to memory of 1780	4516	{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe	125

C:\Users\Admin\AppData\Local\Temp\8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe
"C:\Users\Admin\AppData\Local\Temp\8302e66fb5aaa11b1905303bdb969c13a598a12e170f1d599710c4986570424f.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe
  C:\Windows\{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Windows\{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe
    C:\Windows\{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3040
  - - C:\Windows\{E9980700-45D5-406d-8EF7-2808E4F82662}.exe
      C:\Windows\{E9980700-45D5-406d-8EF7-2808E4F82662}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1900
    - - C:\Windows\{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe
        
        C:\Windows\{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4556
      - C:\Windows\{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe
        
        C:\Windows\{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
        
        C:\Windows\{C000C014-15F3-4b50-A313-B6AB992C824F}.exe
        
        C:\Windows\{C000C014-15F3-4b50-A313-B6AB992C824F}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4900
        
        C:\Windows\{88F29C34-B933-4b86-858B-78E20B36145E}.exe
        
        C:\Windows\{88F29C34-B933-4b86-858B-78E20B36145E}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3796
        
        C:\Windows\{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe
        
        C:\Windows\{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1412
        
        C:\Windows\{D3C70458-CCED-4af6-8D55-181A60358D27}.exe
        
        C:\Windows\{D3C70458-CCED-4af6-8D55-181A60358D27}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe
        
        C:\Windows\{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}.exe
        
        C:\Windows\{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\{3A149086-84F5-461d-8640-9F65C9310A1F}.exe
        
        C:\Windows\{3A149086-84F5-461d-8640-9F65C9310A1F}.exe
        13⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41DE9~1.EXE > nul
        13⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D8F4~1.EXE > nul
        12⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3C70~1.EXE > nul
        11⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF67C~1.EXE > nul
        10⤵
        
        PID:3224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88F29~1.EXE > nul
        9⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C000C~1.EXE > nul
        8⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F905~1.EXE > nul
        7⤵
        
        PID:1640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F139C~1.EXE > nul
        6⤵
        
        PID:3940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9980~1.EXE > nul
        5⤵
        
        PID:4088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{33870~1.EXE > nul
      4⤵
      PID:3224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8505B~1.EXE > nul
    3⤵
    PID:4992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8302E6~1.EXE > nul
  2⤵
  PID:3416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2F905C07-DE1B-4d2d-B047-94D583420FC7}.exe

Filesize
64KB

MD5
02c2a6b0832e0787f2c65b0e5ee3912b

SHA1
c4381b7d5d5d880e846dc7b6b28246c860d789c3

SHA256
d45d7d24edbcf850ce28a95cb8482b76dd0796c9a1539e562c8481afa4bdd04b

SHA512
8bc0baa0cc212488a2a7265c7b481deb4216237bf7b24df7d391928cb38e7f8820fc9e175eb058969b21205b20ceb5cced9b25e0daafa5a3d7c1f8baf060b7f2

Download Submit
C:\Windows\{338700B5-28EF-42e3-8FA4-BCB04EEF695E}.exe

Filesize
64KB

MD5
a569d608c17980c202350b1c7b348973

SHA1
25deefb444b885189fcade134871b5da036b66cb

SHA256
119c34a235816b561d18d7c548a6f550a06d897c20847565d3162dc76d94f82b

SHA512
f9968dead42996ab186941f93ee46392a65a69fc0e03d9dd0299373be2741c6d37f43e5a87598973de342b4160b59a5f0f69ede9e5cee0e316b51d72ff522c7c

Download Submit
C:\Windows\{3A149086-84F5-461d-8640-9F65C9310A1F}.exe

Filesize
64KB

MD5
2ca416193fb0107159b37ec4dc07456b

SHA1
7320accd6856311713cc7da3bed116b4fed397ac

SHA256
dad2d3154da405e0178dc2e917041f12acec4ef2eb43d97e2cd35a191e0e4096

SHA512
db59ef01a734238c7d012f698fefedb0b8513257aef20b923207e7e41e25c791fadca9ffa41b84d61be51f228fb106617bacbe8d17f70b56fe3ad6b379258322

Download Submit
C:\Windows\{41DE9EB9-D8ED-44b8-8B9E-E90811104AF3}.exe

Filesize
64KB

MD5
920819978e4f58e00b59257f095eaa85

SHA1
242049a577f949e3c2e6bcce90bfd7f231ff9aa9

SHA256
0dd63072e0c26f6b39d476921ec52103afd24a30243ed7e4803ac63ad7c837ae

SHA512
7c4d2a259da26134da846ff62115cdd06b93a6f3b1c89534a478ebe56b7bd9bdc050711059ce2520872fbe6de1034af15511b5adb75abd9aeb19577eabd9c8db

Download Submit
C:\Windows\{4D8F48F4-701B-44b8-91FF-15394FB9B986}.exe

Filesize
64KB

MD5
0eef316204cf4572933156a56d8b65f1

SHA1
757ce67f95be6d25c66d9487a517bdae0a49aa42

SHA256
532cefab2058f5038f1a46c214ae68b2cc02602070f01a8ec4a4642a381f9634

SHA512
f32d13621d822a931edb32ad3496243032d53e0b6ccb0757d9377d30eadacf9328d90bf63563ac0ff3d89b530042c88c29a2f2c9ada2ab21ce9eb587a6c37e31

Download Submit
C:\Windows\{8505BD20-12B6-4110-B0E9-B394608BFB2D}.exe

Filesize
64KB

MD5
4b42de7544a41f29e1dfe3dd34b184e9

SHA1
7aae72cfc1a75006b3cdbd5aa778209b419ce141

SHA256
015b26f79b5d3ffc9dcd985fc94dab961fb1925b2a7e0f5f447a2bb550c2135c

SHA512
7fec3f5f1755597b9d8c1b28b14402105e7e9da0483d81af072057d836b828b8e61f61ef1026e65293abf9854d4a6fb35387628dd981db2b3733974976db6697

Download Submit
C:\Windows\{88F29C34-B933-4b86-858B-78E20B36145E}.exe

Filesize
64KB

MD5
33f254c8e8ef7a1daef7019104921e8d

SHA1
1daea9f0288e632726fe477f923f35094234cacb

SHA256
6d6a25bafafabbf592eeeb4e1d20cf7f482a59cb82173849e9c3c5194a1110fd

SHA512
979c0c47e974f2bbe6b80adb2b4d7636e34c306b07c3ac44837ad535f4312bfb6484c7f477bc43daa9bb058dfb765a9a7037cba0350bebdd725830ffe8b8f343

Download Submit
C:\Windows\{C000C014-15F3-4b50-A313-B6AB992C824F}.exe

Filesize
64KB

MD5
e6f920a73d610ebc56b09b583aad730a

SHA1
b453efa5eeab989f2a78a600367a38d98618daba

SHA256
dfa9e0649fb5b5a8a7a43bd2ba3578d2877d90a239395b3a94859679e9879c2e

SHA512
a7a65fe64e631a7c09a3ad2d101b8b4ea3b16056a995b263fdbae09f5f488963b0c59b98bdf19e0bcbd390321b2baf956f7b59f61f90a7aee7c420cad5cc1ae3

Download Submit
C:\Windows\{CF67C4BA-E298-4c96-988A-9505A0615DD2}.exe

Filesize
64KB

MD5
9e14d454a5428aa13238cb19c2f43853

SHA1
69c220f5840b83dbe7dcf31fab5b9318d22176b9

SHA256
64744d90b1942d0c82eeae405502f664a033b997410bce69d535641e68c615b7

SHA512
f4fbb030cd783637c5449fd6b4341af0bd0b81fd9162905b4523c4830dc7f0e8696d591d293459201d52f8c5c563100a3415ab21bf02c12c7277d6c23cb4bbfc

Download Submit
C:\Windows\{D3C70458-CCED-4af6-8D55-181A60358D27}.exe

Filesize
64KB

MD5
64fbe25aa44c87794c8f65fa840d2fbb

SHA1
1d1029bbea071f7ec2f847221111f04ea35d3901

SHA256
72ffb8e7e1dc2c75568443e1197a15bee72f0342796150030b462e4bcb5ea652

SHA512
e0f551f758499402113f02c2ab4074f2f71ebd3cf5f70feefc851c6dcc78a34191e6fd783b2624cce4f052dca74c5fa43e4cfd209f74fc6215260b50514f7a22

Download Submit
C:\Windows\{E9980700-45D5-406d-8EF7-2808E4F82662}.exe

Filesize
64KB

MD5
94246ddef2613be351bc39c593e0f8a1

SHA1
5e64b7fa1eda303cdd10d6c748609bfa90878f07

SHA256
26cff1e9e9f13c606949cf7010f280ed5161b361abf76b799948aa0f98f60be4

SHA512
f2e6abeb0741a13986a58f9efe7770210dd76d8ce8c0f2163e55e1410d1a00cfc824bab00cb196fe5092fa286246138a36c15b0214e140fde0c176893400f26f

Download Submit
C:\Windows\{F139C8B3-B683-4e07-AADF-1114F72897AE}.exe

Filesize
64KB

MD5
777f12e94ce8fff01aba50660495c675

SHA1
33e27cf430a5dc4a7c8b1dbc77729000f75553e4

SHA256
66302b42e050dde613913b570ad6b0b6d64ba16574b1876cb0d6fdac833818b7

SHA512
7235fc29bf738e274bfaedd7c65566e0135feae88fd9a45354b995ed4ba63eae35625ea03a92c73135ca12d439cf370e3f8b07cadd68b0117f3df52b7c982684

Download Submit
memory/1412-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1412-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1900-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1900-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2284-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2284-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3040-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3040-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3216-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3216-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3676-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3676-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3796-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3796-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4032-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4296-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4296-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4516-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4516-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4556-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4588-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4588-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4900-39-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4900-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads