71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a

Analysis

max time kernel
149s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
01/06/2024, 22:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
Size

64KB
MD5

3d60802b54394b4ee05a5b7a6ef4aace
SHA1

327bbdecd3e4e2a51643fe3e60bb016458a4c540
SHA256

71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a
SHA512

a7d4fb7db3d249f96e1f2aa90a40ac1fbeafe8d2dd2c62b930a01273c671899a8bb3e1f9e19ddb02d65b748779a8c9332facaa781753d6b56c51f315e0f61b23
SSDEEP

384:ObIwOs8AHsc4sMDwhKQLro/4/CFsrdHWMZp:OEw9816vhKQLro/4/wQpWMZp

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 36 IoCs

resource	yara_rule
behavioral2/memory/4116-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000700000002340c-3.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3320-5-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4116-6-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0008000000023405-11.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3320-10-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3140-12-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0008000000023412-13.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3140-15-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/824-17-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0009000000023405-21.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2464-24-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/824-23-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2464-28-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000d0000000217e3-27.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2856-30-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000b0000000217e7-33.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2856-34-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1660-35-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000e0000000217e3-39.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1660-40-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3584-45-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0003000000000705-44.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1476-46-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1476-51-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0003000000000707-50.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2268-52-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2268-56-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0004000000000705-58.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1000-59-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1000-64-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/748-65-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0004000000000707-63.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0005000000000705-69.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/748-68-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4536-70-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1D12C15-6D89-4a03-B93E-886914BF2DA6}	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28B0F3DE-8736-4f03-9546-B0748262C841}	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8C2071B-3A8F-43ca-AA31-A60632932D08}\stubpath = "C:\\Windows\\{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe"	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{041CD063-22DC-4cb2-9415-24E428D2DC97}	{E35791D9-FBD2-4406-896C-3DA0C93E33CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{041CD063-22DC-4cb2-9415-24E428D2DC97}\stubpath = "C:\\Windows\\{041CD063-22DC-4cb2-9415-24E428D2DC97}.exe"	{E35791D9-FBD2-4406-896C-3DA0C93E33CE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5752F1B3-7641-49ed-B356-2B850B7FA066}\stubpath = "C:\\Windows\\{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe"	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}\stubpath = "C:\\Windows\\{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe"	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4F9C073-1768-400a-85A0-E4117D9A2B2C}	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4F9C073-1768-400a-85A0-E4117D9A2B2C}\stubpath = "C:\\Windows\\{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe"	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E35791D9-FBD2-4406-896C-3DA0C93E33CE}	{96EFF816-63A9-4eec-847B-38547FA71A31}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D80327D-C359-4260-B61A-0F18592E1DB7}	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D80327D-C359-4260-B61A-0F18592E1DB7}\stubpath = "C:\\Windows\\{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe"	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F12D2ECB-F285-4c33-897A-430BD2E109DF}	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28B0F3DE-8736-4f03-9546-B0748262C841}\stubpath = "C:\\Windows\\{28B0F3DE-8736-4f03-9546-B0748262C841}.exe"	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEA93026-FFFC-4607-B6F6-A7F09FC94227}\stubpath = "C:\\Windows\\{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe"	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96EFF816-63A9-4eec-847B-38547FA71A31}	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{96EFF816-63A9-4eec-847B-38547FA71A31}\stubpath = "C:\\Windows\\{96EFF816-63A9-4eec-847B-38547FA71A31}.exe"	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1D12C15-6D89-4a03-B93E-886914BF2DA6}\stubpath = "C:\\Windows\\{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe"	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5752F1B3-7641-49ed-B356-2B850B7FA066}	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F12D2ECB-F285-4c33-897A-430BD2E109DF}\stubpath = "C:\\Windows\\{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe"	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EEA93026-FFFC-4607-B6F6-A7F09FC94227}	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E8C2071B-3A8F-43ca-AA31-A60632932D08}	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E35791D9-FBD2-4406-896C-3DA0C93E33CE}\stubpath = "C:\\Windows\\{E35791D9-FBD2-4406-896C-3DA0C93E33CE}.exe"	{96EFF816-63A9-4eec-847B-38547FA71A31}.exe

Executes dropped EXE 12 IoCs

pid	Process
3320	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe
3140	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe
824	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe
2464	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe
2856	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe
1660	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe
3584	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe
1476	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe
2268	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe
1000	{96EFF816-63A9-4eec-847B-38547FA71A31}.exe
748	{E35791D9-FBD2-4406-896C-3DA0C93E33CE}.exe
4536	{041CD063-22DC-4cb2-9415-24E428D2DC97}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
File created	C:\Windows\{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe
File created	C:\Windows\{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe
File created	C:\Windows\{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe
File created	C:\Windows\{28B0F3DE-8736-4f03-9546-B0748262C841}.exe	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe
File created	C:\Windows\{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe
File created	C:\Windows\{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe
File created	C:\Windows\{E35791D9-FBD2-4406-896C-3DA0C93E33CE}.exe	{96EFF816-63A9-4eec-847B-38547FA71A31}.exe
File created	C:\Windows\{041CD063-22DC-4cb2-9415-24E428D2DC97}.exe	{E35791D9-FBD2-4406-896C-3DA0C93E33CE}.exe
File created	C:\Windows\{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe
File created	C:\Windows\{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe
File created	C:\Windows\{96EFF816-63A9-4eec-847B-38547FA71A31}.exe	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4116	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
Token: SeIncBasePriorityPrivilege	3320	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe
Token: SeIncBasePriorityPrivilege	3140	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe
Token: SeIncBasePriorityPrivilege	824	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe
Token: SeIncBasePriorityPrivilege	2464	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe
Token: SeIncBasePriorityPrivilege	2856	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe
Token: SeIncBasePriorityPrivilege	1660	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe
Token: SeIncBasePriorityPrivilege	3584	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe
Token: SeIncBasePriorityPrivilege	1476	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe
Token: SeIncBasePriorityPrivilege	2268	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe
Token: SeIncBasePriorityPrivilege	1000	{96EFF816-63A9-4eec-847B-38547FA71A31}.exe
Token: SeIncBasePriorityPrivilege	748	{E35791D9-FBD2-4406-896C-3DA0C93E33CE}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4116 wrote to memory of 3320	4116	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	91
PID 4116 wrote to memory of 3320	4116	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	91
PID 4116 wrote to memory of 3320	4116	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	91
PID 4116 wrote to memory of 3888	4116	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	92
PID 4116 wrote to memory of 3888	4116	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	92
PID 4116 wrote to memory of 3888	4116	71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe	92
PID 3320 wrote to memory of 3140	3320	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe	93
PID 3320 wrote to memory of 3140	3320	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe	93
PID 3320 wrote to memory of 3140	3320	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe	93
PID 3320 wrote to memory of 772	3320	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe	94
PID 3320 wrote to memory of 772	3320	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe	94
PID 3320 wrote to memory of 772	3320	{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe	94
PID 3140 wrote to memory of 824	3140	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe	96
PID 3140 wrote to memory of 824	3140	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe	96
PID 3140 wrote to memory of 824	3140	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe	96
PID 3140 wrote to memory of 2372	3140	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe	97
PID 3140 wrote to memory of 2372	3140	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe	97
PID 3140 wrote to memory of 2372	3140	{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe	97
PID 824 wrote to memory of 2464	824	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe	98
PID 824 wrote to memory of 2464	824	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe	98
PID 824 wrote to memory of 2464	824	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe	98
PID 824 wrote to memory of 1808	824	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe	99
PID 824 wrote to memory of 1808	824	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe	99
PID 824 wrote to memory of 1808	824	{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe	99
PID 2464 wrote to memory of 2856	2464	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe	100
PID 2464 wrote to memory of 2856	2464	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe	100
PID 2464 wrote to memory of 2856	2464	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe	100
PID 2464 wrote to memory of 1392	2464	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe	101
PID 2464 wrote to memory of 1392	2464	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe	101
PID 2464 wrote to memory of 1392	2464	{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe	101
PID 2856 wrote to memory of 1660	2856	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe	102
PID 2856 wrote to memory of 1660	2856	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe	102
PID 2856 wrote to memory of 1660	2856	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe	102
PID 2856 wrote to memory of 3560	2856	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe	103
PID 2856 wrote to memory of 3560	2856	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe	103
PID 2856 wrote to memory of 3560	2856	{28B0F3DE-8736-4f03-9546-B0748262C841}.exe	103
PID 1660 wrote to memory of 3584	1660	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe	104
PID 1660 wrote to memory of 3584	1660	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe	104
PID 1660 wrote to memory of 3584	1660	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe	104
PID 1660 wrote to memory of 3012	1660	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe	105
PID 1660 wrote to memory of 3012	1660	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe	105
PID 1660 wrote to memory of 3012	1660	{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe	105
PID 3584 wrote to memory of 1476	3584	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe	106
PID 3584 wrote to memory of 1476	3584	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe	106
PID 3584 wrote to memory of 1476	3584	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe	106
PID 3584 wrote to memory of 828	3584	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe	107
PID 3584 wrote to memory of 828	3584	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe	107
PID 3584 wrote to memory of 828	3584	{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe	107
PID 1476 wrote to memory of 2268	1476	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe	108
PID 1476 wrote to memory of 2268	1476	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe	108
PID 1476 wrote to memory of 2268	1476	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe	108
PID 1476 wrote to memory of 4220	1476	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe	109
PID 1476 wrote to memory of 4220	1476	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe	109
PID 1476 wrote to memory of 4220	1476	{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe	109
PID 2268 wrote to memory of 1000	2268	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe	110
PID 2268 wrote to memory of 1000	2268	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe	110
PID 2268 wrote to memory of 1000	2268	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe	110
PID 2268 wrote to memory of 940	2268	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe	111
PID 2268 wrote to memory of 940	2268	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe	111
PID 2268 wrote to memory of 940	2268	{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe	111
PID 1000 wrote to memory of 748	1000	{96EFF816-63A9-4eec-847B-38547FA71A31}.exe	112
PID 1000 wrote to memory of 748	1000	{96EFF816-63A9-4eec-847B-38547FA71A31}.exe	112
PID 1000 wrote to memory of 748	1000	{96EFF816-63A9-4eec-847B-38547FA71A31}.exe	112
PID 1000 wrote to memory of 2072	1000	{96EFF816-63A9-4eec-847B-38547FA71A31}.exe	113

C:\Users\Admin\AppData\Local\Temp\71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe
"C:\Users\Admin\AppData\Local\Temp\71057d56ec7722b95cb71997fdd18139924e5fb3599efdd72545477cecdf149a.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Windows\{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe
  C:\Windows\{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe
    C:\Windows\{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe
      C:\Windows\{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:824
    - - C:\Windows\{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe
        
        C:\Windows\{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
      - C:\Windows\{28B0F3DE-8736-4f03-9546-B0748262C841}.exe
        
        C:\Windows\{28B0F3DE-8736-4f03-9546-B0748262C841}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2856
        
        C:\Windows\{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe
        
        C:\Windows\{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe
        
        C:\Windows\{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3584
        
        C:\Windows\{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe
        
        C:\Windows\{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe
        
        C:\Windows\{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\{96EFF816-63A9-4eec-847B-38547FA71A31}.exe
        
        C:\Windows\{96EFF816-63A9-4eec-847B-38547FA71A31}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
        
        C:\Windows\{E35791D9-FBD2-4406-896C-3DA0C93E33CE}.exe
        
        C:\Windows\{E35791D9-FBD2-4406-896C-3DA0C93E33CE}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
        
        C:\Windows\{041CD063-22DC-4cb2-9415-24E428D2DC97}.exe
        
        C:\Windows\{041CD063-22DC-4cb2-9415-24E428D2DC97}.exe
        13⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E3579~1.EXE > nul
        13⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{96EFF~1.EXE > nul
        12⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E8C20~1.EXE > nul
        11⤵
        
        PID:940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E4F9C~1.EXE > nul
        10⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE37F~1.EXE > nul
        9⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EEA93~1.EXE > nul
        8⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28B0F~1.EXE > nul
        7⤵
        
        PID:3560
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F12D2~1.EXE > nul
        6⤵
        
        PID:1392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5752F~1.EXE > nul
        5⤵
        
        PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8D803~1.EXE > nul
      4⤵
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F1D12~1.EXE > nul
    3⤵
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\71057D~1.EXE > nul
  2⤵
  PID:3888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{041CD063-22DC-4cb2-9415-24E428D2DC97}.exe

Filesize
64KB

MD5
79ec61f3ea06fd1580fb04f857505d0c

SHA1
136b79059fe5fe9cf8b33f5110c46850cfd04597

SHA256
10c61e4f9fa663806c252c2b483afc184e707f41551bc0e0bb3f2c97fae9fda3

SHA512
6849a1d62165f70a37d14a4e0e7e35f65d6fa0a67bb3d8a22689e996a63d79b913a4eb0b0facd503c83b810cb66b953509f062e7e446e04de9e0028ba5ea5c90

Download Submit
C:\Windows\{28B0F3DE-8736-4f03-9546-B0748262C841}.exe

Filesize
64KB

MD5
8785ad16acadeef1a4e1e0e22d0460b7

SHA1
4a17783b2a0ec06f433a7813954f3a5e2f462527

SHA256
d16be0c9834ac2b2ab525f056bb0ffb612349f86112c639ad3f80f2eb6ddfdf0

SHA512
95e60e7f8ccfc2e010e9e76ddada87f216ebddd0e0f3ba2dd5a86961adacf810dcb2a1c086c263fdb21619d82287806680b75f2e308a6e4481b98f312046f882

Download Submit
C:\Windows\{5752F1B3-7641-49ed-B356-2B850B7FA066}.exe

Filesize
64KB

MD5
605e7d71bcca15dfa7c73086e2cc4112

SHA1
858256d616b612fc1a8c682890e1db9c06084eb5

SHA256
53ef791f8ab30658596f8e16cf70d910a9ae07518e55008b063261c8e58bc2ed

SHA512
d5224941ed1f2f227a1c0697f6359427f24c26ed72b18197d21e5af46539d1b628799b78494e5686708266ecb64a0c12384fe07112e7e3b4d3a8dc26ed1f122a

Download Submit
C:\Windows\{8D80327D-C359-4260-B61A-0F18592E1DB7}.exe

Filesize
64KB

MD5
653a56ba844f164ce48837d59a9537fe

SHA1
a6974d49053afa8cac447916045418700c57564c

SHA256
b6351753e7632a392563c3397ecf8e1869f93e0a440d23375efccc0c62c5ad2c

SHA512
b1e8aa684e2a917abf359e5f82b592c3761dbd7a90bf160902d5f21b47ae5f305b4bb02a4b1b6b59feb83ce5639f51ddb4b5947f5df525d7ae5e1282a1d9c462

Download Submit
C:\Windows\{96EFF816-63A9-4eec-847B-38547FA71A31}.exe

Filesize
64KB

MD5
da69c5299c3b44c1adf56b276f87ca49

SHA1
3f5ea006d6c314054bfcb7856c7172b0fdfcadf5

SHA256
4b27845009f068a6ef707268f493fadffcaa7e8f9fecec84651e1bd0fd459092

SHA512
6d37aa06ff0a3f5af2237492df50f6b7a10d1b08deda43e9eaaf051f3c543a6e1a5ac756e94d1251413567f60ad01c676720c26ef593a74bfed7e132a4644e60

Download Submit
C:\Windows\{AE37F5D4-51A9-4c96-AB2B-9D9564ED3EBA}.exe

Filesize
64KB

MD5
622cb61345b30835542322887010d380

SHA1
07d028139a4dfafd373c60fb2100fbddf1f9420b

SHA256
2fa99006b65178d9ec88ab4abc95c6a8bcff48bb49eedb316e372095d70f5e35

SHA512
7ad9378ca974bdcd798b920d3ac178527f3bbfc35886dce7cfa871b4bdcd2c129c053673564c3396bb062ab838463ad0fadaaf083d08b419495635c804a824de

Download Submit
C:\Windows\{E35791D9-FBD2-4406-896C-3DA0C93E33CE}.exe

Filesize
64KB

MD5
9e287a12f9863a9d4685dba9c5522bcf

SHA1
1a3fc62d7059b2c957e18150e838faa03ec38e06

SHA256
e18d64bde7648e28e085c54fef35d031b607ce0eb5b174607019ddf6901a2605

SHA512
d13f7e3686bcab5dafdffd86925c9a35520e3377514e9dd9774940b2f64283838ebf43cb51de8a1ad3863f401b007bc6ad8e640b966f841d50a6c46d239f4988

Download Submit
C:\Windows\{E4F9C073-1768-400a-85A0-E4117D9A2B2C}.exe

Filesize
64KB

MD5
2947f5c90b74ae33fdc3a24ff6b7900d

SHA1
536d50cb61567ce87204376c5bf27356875d67d6

SHA256
d84122307da0ee1e0136a1747be256df6a055d00108604b8a2a8e22cf951b231

SHA512
467ae81e65f7f7907c8f51dd2c53aa7a500a07d105fcabe4ca22295741d82376cb7c68925ced3b99acc7608c8011d367f4964c3133bba13821e2ab150e214bc0

Download Submit
C:\Windows\{E8C2071B-3A8F-43ca-AA31-A60632932D08}.exe

Filesize
64KB

MD5
f37e73aa24814b0c41d3d25c4f2f3e62

SHA1
6ddda1453867e9d61f052bebfd34e1f8925fea7e

SHA256
68228bf971ddd716eb60782d04306957882cc7f9e661952aa7b6e7a8f36cbe40

SHA512
f0b02a1123495dbfcf663c398b3fdcec08e0c9d3dcd1a7c6255507382cd63a3dc37bd823da330b4dbdc43b52491925c597cddb974f0f1d3f5f6785114e3334f2

Download Submit
C:\Windows\{EEA93026-FFFC-4607-B6F6-A7F09FC94227}.exe

Filesize
64KB

MD5
e5a5750ea61d116ff23f752a7f6b3e18

SHA1
cba30ddae3894b2b6c0a098477eb2dbc754f4eb0

SHA256
43c1c5c2ecae55fe70489551f6d1edecd22e57c2d288aa2c5e3f347108bbb630

SHA512
5cff8efa00f2de05d0d8478c2854f529909a3ad2049b4c0b4cb5fcd89e0716ae4a9aa1cdbf6104f0671af939168ddbb11bd46736f1488a769509fc765bba1c20

Download Submit
C:\Windows\{F12D2ECB-F285-4c33-897A-430BD2E109DF}.exe

Filesize
64KB

MD5
2a34655803aafef18f946f92eb6b772c

SHA1
b0280e740019330e2872980d134d38a54877907d

SHA256
a9ae64968b3dd4e5e122775406007c68ec0bdd4ec6f8679f3aadbe701e141f14

SHA512
14bb39056bfe92e09930e7841d05d46f4f4f91451151fcf2a181e8cfb21041627da32495cabe3b7a34edbc1a29d8016433b53cd4be7a21abec5789cb563ace1f

Download Submit
C:\Windows\{F1D12C15-6D89-4a03-B93E-886914BF2DA6}.exe

Filesize
64KB

MD5
8e15556fb3cc07c2613c634d96efbb11

SHA1
7789c12bae6baa70a793ee34db1abe2bd8e98695

SHA256
1ab7d52de13940a8d6518a47cc67f601b787c006913edb8f192eb30ca9976199

SHA512
997a9183e02bb5b16170bd2cb8bcebf18912d0218c04a519349646e6857d3d0608f4bdc9c416d6f3b0ddad4f7f09c9a531d31b92036453dc77c50dbe6fb7d685

Download Submit
memory/748-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/748-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/824-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/824-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1000-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1000-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1476-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1476-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1660-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1660-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2268-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2268-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2464-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2464-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2856-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2856-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3140-15-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3140-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3320-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3320-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3584-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4116-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4116-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4536-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads