03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498

Analysis

max time kernel
144s
max time network
119s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
08-06-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
Size

64KB
MD5

01fa4792e3df2f4e2452e6dd3fac8fb9
SHA1

571b92ac5c787394f2d3e458cb179b9677b06b60
SHA256

03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498
SHA512

2d3337a1db7813c8ac3e97a7dd0809d942b274041b6e924f29bef2038cb1f20b4c25c2bfdb954185bd3d9429a868ca244a818f5174c146d626f608854f132108
SSDEEP

384:ObLwOs8AHsc4sMfwhKQLrov4/CFsrdHWMZH:Ovw9816jhKQLrov4/wQpWMZH

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 31 IoCs

resource	yara_rule
behavioral1/memory/1720-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2604-8-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0008000000012034-6.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1720-9-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2604-17-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b00000001226e-16.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2680-27-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2756-26-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0009000000012034-25.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2756-24-0x0000000000380000-0x0000000000390000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2680-35-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x002e000000015b37-34.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2580-44-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0004000000004ed7-43.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/872-53-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1492-52-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000a000000012034-51.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1528-62-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/872-61-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0005000000004ed7-60.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1528-70-0x0000000000270000-0x0000000000280000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000b000000012034-71.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1528-72-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1772-81-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/3048-80-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0006000000004ed7-79.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1772-89-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x000c000000012034-88.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1044-96-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/files/0x0007000000004ed7-97.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1524-98-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 22 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1828D73E-13BA-4581-A291-9A2CC93D1DF4}	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}\stubpath = "C:\\Windows\\{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe"	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61AB9B03-367D-4d0d-835D-A06B677AA52D}	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}\stubpath = "C:\\Windows\\{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe"	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD412769-8700-4caf-91E4-29A37B985286}	{C0289F3B-D736-4d9c-827C-14F480E9A465}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0289F3B-D736-4d9c-827C-14F480E9A465}\stubpath = "C:\\Windows\\{C0289F3B-D736-4d9c-827C-14F480E9A465}.exe"	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}\stubpath = "C:\\Windows\\{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}.exe"	{FD412769-8700-4caf-91E4-29A37B985286}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C0289F3B-D736-4d9c-827C-14F480E9A465}	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4704F34-59E5-44c5-9F11-65EB622C8713}\stubpath = "C:\\Windows\\{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe"	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{61AB9B03-367D-4d0d-835D-A06B677AA52D}\stubpath = "C:\\Windows\\{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe"	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}\stubpath = "C:\\Windows\\{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe"	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E25948E-16BB-4002-86E2-5F65CDFA4497}	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3E25948E-16BB-4002-86E2-5F65CDFA4497}\stubpath = "C:\\Windows\\{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe"	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FD412769-8700-4caf-91E4-29A37B985286}\stubpath = "C:\\Windows\\{FD412769-8700-4caf-91E4-29A37B985286}.exe"	{C0289F3B-D736-4d9c-827C-14F480E9A465}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}	{FD412769-8700-4caf-91E4-29A37B985286}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AEEFA23-0D3D-4658-8788-717D9CA3735F}	{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3AEEFA23-0D3D-4658-8788-717D9CA3735F}\stubpath = "C:\\Windows\\{3AEEFA23-0D3D-4658-8788-717D9CA3735F}.exe"	{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1828D73E-13BA-4581-A291-9A2CC93D1DF4}\stubpath = "C:\\Windows\\{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe"	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B4704F34-59E5-44c5-9F11-65EB622C8713}	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe

Deletes itself 1 IoCs

pid	Process
2656	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2604	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe
2756	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe
2680	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe
2580	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe
1492	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe
872	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe
1528	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe
3048	{C0289F3B-D736-4d9c-827C-14F480E9A465}.exe
1772	{FD412769-8700-4caf-91E4-29A37B985286}.exe
1044	{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}.exe
1524	{3AEEFA23-0D3D-4658-8788-717D9CA3735F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
File created	C:\Windows\{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe
File created	C:\Windows\{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe
File created	C:\Windows\{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe
File created	C:\Windows\{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe
File created	C:\Windows\{C0289F3B-D736-4d9c-827C-14F480E9A465}.exe	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe
File created	C:\Windows\{FD412769-8700-4caf-91E4-29A37B985286}.exe	{C0289F3B-D736-4d9c-827C-14F480E9A465}.exe
File created	C:\Windows\{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe
File created	C:\Windows\{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe
File created	C:\Windows\{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}.exe	{FD412769-8700-4caf-91E4-29A37B985286}.exe
File created	C:\Windows\{3AEEFA23-0D3D-4658-8788-717D9CA3735F}.exe	{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1720	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
Token: SeIncBasePriorityPrivilege	2604	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe
Token: SeIncBasePriorityPrivilege	2756	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe
Token: SeIncBasePriorityPrivilege	2680	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe
Token: SeIncBasePriorityPrivilege	2580	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe
Token: SeIncBasePriorityPrivilege	1492	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe
Token: SeIncBasePriorityPrivilege	872	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe
Token: SeIncBasePriorityPrivilege	1528	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe
Token: SeIncBasePriorityPrivilege	3048	{C0289F3B-D736-4d9c-827C-14F480E9A465}.exe
Token: SeIncBasePriorityPrivilege	1772	{FD412769-8700-4caf-91E4-29A37B985286}.exe
Token: SeIncBasePriorityPrivilege	1044	{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2604	1720	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	28
PID 1720 wrote to memory of 2604	1720	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	28
PID 1720 wrote to memory of 2604	1720	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	28
PID 1720 wrote to memory of 2604	1720	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	28
PID 1720 wrote to memory of 2656	1720	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	29
PID 1720 wrote to memory of 2656	1720	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	29
PID 1720 wrote to memory of 2656	1720	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	29
PID 1720 wrote to memory of 2656	1720	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	29
PID 2604 wrote to memory of 2756	2604	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe	30
PID 2604 wrote to memory of 2756	2604	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe	30
PID 2604 wrote to memory of 2756	2604	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe	30
PID 2604 wrote to memory of 2756	2604	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe	30
PID 2604 wrote to memory of 2628	2604	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe	31
PID 2604 wrote to memory of 2628	2604	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe	31
PID 2604 wrote to memory of 2628	2604	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe	31
PID 2604 wrote to memory of 2628	2604	{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe	31
PID 2756 wrote to memory of 2680	2756	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe	32
PID 2756 wrote to memory of 2680	2756	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe	32
PID 2756 wrote to memory of 2680	2756	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe	32
PID 2756 wrote to memory of 2680	2756	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe	32
PID 2756 wrote to memory of 2624	2756	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe	33
PID 2756 wrote to memory of 2624	2756	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe	33
PID 2756 wrote to memory of 2624	2756	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe	33
PID 2756 wrote to memory of 2624	2756	{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe	33
PID 2680 wrote to memory of 2580	2680	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe	36
PID 2680 wrote to memory of 2580	2680	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe	36
PID 2680 wrote to memory of 2580	2680	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe	36
PID 2680 wrote to memory of 2580	2680	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe	36
PID 2680 wrote to memory of 2704	2680	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe	37
PID 2680 wrote to memory of 2704	2680	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe	37
PID 2680 wrote to memory of 2704	2680	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe	37
PID 2680 wrote to memory of 2704	2680	{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe	37
PID 2580 wrote to memory of 1492	2580	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe	38
PID 2580 wrote to memory of 1492	2580	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe	38
PID 2580 wrote to memory of 1492	2580	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe	38
PID 2580 wrote to memory of 1492	2580	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe	38
PID 2580 wrote to memory of 2876	2580	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe	39
PID 2580 wrote to memory of 2876	2580	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe	39
PID 2580 wrote to memory of 2876	2580	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe	39
PID 2580 wrote to memory of 2876	2580	{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe	39
PID 1492 wrote to memory of 872	1492	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe	40
PID 1492 wrote to memory of 872	1492	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe	40
PID 1492 wrote to memory of 872	1492	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe	40
PID 1492 wrote to memory of 872	1492	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe	40
PID 1492 wrote to memory of 1868	1492	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe	41
PID 1492 wrote to memory of 1868	1492	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe	41
PID 1492 wrote to memory of 1868	1492	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe	41
PID 1492 wrote to memory of 1868	1492	{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe	41
PID 872 wrote to memory of 1528	872	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe	42
PID 872 wrote to memory of 1528	872	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe	42
PID 872 wrote to memory of 1528	872	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe	42
PID 872 wrote to memory of 1528	872	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe	42
PID 872 wrote to memory of 792	872	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe	43
PID 872 wrote to memory of 792	872	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe	43
PID 872 wrote to memory of 792	872	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe	43
PID 872 wrote to memory of 792	872	{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe	43
PID 1528 wrote to memory of 3048	1528	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe	44
PID 1528 wrote to memory of 3048	1528	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe	44
PID 1528 wrote to memory of 3048	1528	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe	44
PID 1528 wrote to memory of 3048	1528	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe	44
PID 1528 wrote to memory of 2896	1528	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe	45
PID 1528 wrote to memory of 2896	1528	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe	45
PID 1528 wrote to memory of 2896	1528	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe	45
PID 1528 wrote to memory of 2896	1528	{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe	45

C:\Users\Admin\AppData\Local\Temp\03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
"C:\Users\Admin\AppData\Local\Temp\03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe
  C:\Windows\{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe
    C:\Windows\{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe
      C:\Windows\{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe
        
        C:\Windows\{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe
        
        C:\Windows\{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe
        
        C:\Windows\{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe
        
        C:\Windows\{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{C0289F3B-D736-4d9c-827C-14F480E9A465}.exe
        
        C:\Windows\{C0289F3B-D736-4d9c-827C-14F480E9A465}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\{FD412769-8700-4caf-91E4-29A37B985286}.exe
        
        C:\Windows\{FD412769-8700-4caf-91E4-29A37B985286}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}.exe
        
        C:\Windows\{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\{3AEEFA23-0D3D-4658-8788-717D9CA3735F}.exe
        
        C:\Windows\{3AEEFA23-0D3D-4658-8788-717D9CA3735F}.exe
        12⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43502~1.EXE > nul
        12⤵
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD412~1.EXE > nul
        11⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0289~1.EXE > nul
        10⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3E259~1.EXE > nul
        9⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7B16~1.EXE > nul
        8⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E50E~1.EXE > nul
        7⤵
        
        PID:1868
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61AB9~1.EXE > nul
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B4704~1.EXE > nul
        5⤵
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F283C~1.EXE > nul
      4⤵
      PID:2624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1828D~1.EXE > nul
    3⤵
    PID:2628
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\03A2CF~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1828D73E-13BA-4581-A291-9A2CC93D1DF4}.exe

Filesize
64KB

MD5
57408074eeea079dd698bb83e6a77eaa

SHA1
88b403b19c46ae106225c7b6d35242b6a7638389

SHA256
3208aca3ef49a3c24259f2e0e6486bf18cfb10fdb90d2dcd5c40e03c52bf3375

SHA512
7bbca48cb6ef3d5e384e63e0d71a98638263e4c26e385ab147d35053b42cd7507237536f1357d0e26dd8e835e257a9e9591557b243152bc54143703cb03751ab

Download Submit
C:\Windows\{3AEEFA23-0D3D-4658-8788-717D9CA3735F}.exe

Filesize
64KB

MD5
f83a7444c8807c568a9f6f0ff0ef2bf4

SHA1
663f24c4c42eb1f480f3dfbf50cd941e029a6c7a

SHA256
df26f4bec204c3a37ec180ab1637a93cb27ed055aca0b7f9d304248bb3e3706d

SHA512
0106100dad5d64b1a7e63cd0538e82226bba9cf1bfc132437e34e3a1e936594e8ea2134f5af2e279ffb0a2674c10ee412e2d4563a988895df8a22cdb7a7e9cd0

Download Submit
C:\Windows\{3E25948E-16BB-4002-86E2-5F65CDFA4497}.exe

Filesize
64KB

MD5
c80d487935467394bcb9543fbbac2b07

SHA1
62922a74bf3a8e226895fdf5f4fc5a3241b9f46c

SHA256
bce8e58859b18ca9329db307734ad87bc1bec9373b4288f306d758ea884f0a14

SHA512
789f2d7ce04d81019741a8edbf4817a9fbd574d91af7e34f7a9dce07a20c4db5c3a341cfb96337dd9e858a535e00ea19ba9c2629fe0a4b4ae04dbf3f377c763f

Download Submit
C:\Windows\{43502A35-F9AD-407b-B4C5-F8F615DFCF8D}.exe

Filesize
64KB

MD5
d7e9767f387ef0f6a0b2a5aab5129eba

SHA1
ca850d70c8d3f9350fed27d872221b1e8e55d6d5

SHA256
421301bced35e1cc685d4d8a451174d4d097290da9218d562f39a52320e7a11f

SHA512
1e201c4b88912f1d3906c7fd977802b371d75deac203d233783db5ce05bb874582c256966f08d84d89626189f4dc681053534ea7a020183e5abcc663312c2e34

Download Submit
C:\Windows\{61AB9B03-367D-4d0d-835D-A06B677AA52D}.exe

Filesize
64KB

MD5
3977212dfc8f934050c312907420fb5f

SHA1
3d21008643ea109c010ac4c9939b1fda495d5e8d

SHA256
92978cfcc78580150ebbc2080bda6adde4e49028e3ccc6112e7d4312136dd244

SHA512
4349322616b1362d35badeb706bf948e056d87deff436b8eb6528bbdd9f0adccd027cd78993ef5a5001e77fab0e1c381e357795b790cfc24e42fb5111968c464

Download Submit
C:\Windows\{9E50E98E-DEB4-4bef-94D3-1A339E3F90FC}.exe

Filesize
64KB

MD5
6ccc1046436e244420bd63d56236302d

SHA1
eb4691455b85fe73e7070142382e9c67e0906f4e

SHA256
459d0887ac40db0939b2b20075a2eda8062bde6f8f3ee7910b23165b51cc61bc

SHA512
b7d66fa7b330473edbe2ad7df240f3cad4647f0b2bc70ac932c5bd404a69962db4b11c67bcdf35032c94b47bb4fb2e9917021af8537415f05f1a646796e55f34

Download Submit
C:\Windows\{A7B169F8-2EF6-46d1-A07C-9CC2C5D3B04E}.exe

Filesize
64KB

MD5
e4543693df51f9db3ff5eb885ebd712b

SHA1
0019dec64d76bc1bcacc3159cfc0ff3972e76e24

SHA256
e0aa8993909fe7cb0afda29dea3bbfb965377130e79117a5c29f3fec5b90799a

SHA512
a2067e208e2a7e959cb88573fe108a6ab2c3c1f41f79cc75e5a6e717b353138760e6d47a88d4f0871ff8aa625e847a600823d0fe7475ff8f2ec71ce4a33328eb

Download Submit
C:\Windows\{B4704F34-59E5-44c5-9F11-65EB622C8713}.exe

Filesize
64KB

MD5
270f78ca9b8446ac80d2b998ff268282

SHA1
89d9ad5fbf64d9201e493f74caa3b65370a67731

SHA256
eec0b58edca89730ec3e5bdc5099ec9a959a75dc93990d0b989910e3576ad8a3

SHA512
c9e2e5ebffc676c92045d88fc48f440ae89fd8785992d8df47024b7971db02f75fe6946e8292030576e432bfbe8ca40d464f522cee05ce890c7c59f5899e5bd2

Download Submit
C:\Windows\{C0289F3B-D736-4d9c-827C-14F480E9A465}.exe

Filesize
64KB

MD5
9578387dff7d61d89d19960cab570ade

SHA1
09136c827417642f39ce042a66e53d27c90ff790

SHA256
4a646725bb65b28a550eb62717a4ce4f80c384b954ee2e6a23610f756691d462

SHA512
b4c55c2b4bdd4a95e63f032bfc11011e682104cb76721be4869c2c124c034364360dcdc664871245fde7335d506cf7cd28bcf17b57693b31296e81bdba0b42d4

Download Submit
C:\Windows\{F283C7B3-11C8-4035-8A9C-1CFFB6AB0F06}.exe

Filesize
64KB

MD5
9cebc0ea4fd194966933fadccf536605

SHA1
05805ba308f974588c56103036608c5c29bf0583

SHA256
6fd5605738aeac43508b0d83c7ee74f3819607a1b81c65b1f78e89af95d3ad6e

SHA512
cf38b36b86314d4ecd8ab1ff27da7fa01beaa81e364399087e997a4a51008a0541bc14fea5403551516dafdfbf5b9bcf25ebaf75f1721fce1091900fda10d6fd

Download Submit
C:\Windows\{FD412769-8700-4caf-91E4-29A37B985286}.exe

Filesize
64KB

MD5
82525d616e590eb602dfada93d215e1a

SHA1
a27ed2dbec158d14c49173b5b5e6b9e87b3eb97f

SHA256
ec2aaa394ded436b1d3fc6c8ce62a84c77ea47432e3510d445cf098490ea0f01

SHA512
537be8a147a9451cf7f4c73190a61e9a60054b0d7fda06a38952dc01ac707c6f03ab5035fc13c9e3ffd4ace57c1b95a90ef0d36dc31effe938924e7af3102cd0

Download Submit
memory/872-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/872-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1044-96-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1492-52-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-98-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1528-68-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1528-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1528-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1528-70-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1720-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1720-7-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1720-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1772-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1772-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2580-42-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2580-44-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2604-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2604-8-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2680-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2680-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2756-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2756-24-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/3048-80-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads