03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498

Analysis

max time kernel
149s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08-06-2024 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
Size

64KB
MD5

01fa4792e3df2f4e2452e6dd3fac8fb9
SHA1

571b92ac5c787394f2d3e458cb179b9677b06b60
SHA256

03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498
SHA512

2d3337a1db7813c8ac3e97a7dd0809d942b274041b6e924f29bef2038cb1f20b4c25c2bfdb954185bd3d9429a868ca244a818f5174c146d626f608854f132108
SSDEEP

384:ObLwOs8AHsc4sMfwhKQLrov4/CFsrdHWMZH:Ovw9816jhKQLrov4/wQpWMZH

Score

9^/10

persistence

Malware Config

Signatures

Detects Windows executables referencing non-Windows User-Agents 34 IoCs

resource	yara_rule
behavioral2/memory/1496-0-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0005000000022970-2.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1496-5-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2252-6-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00110000000233e3-9.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2252-11-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00080000000233e9-12.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1488-16-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/2008-14-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1488-20-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00120000000233e3-21.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00090000000233e9-25.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3396-27-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4504-28-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x00130000000233e3-34.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3288-33-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4504-31-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x000a0000000233e9-37.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/3288-38-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4408-40-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0003000000000735-44.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4408-43-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/404-45-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/404-49-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1360-51-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0003000000000737-50.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0004000000000735-57.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1832-58-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1360-56-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0004000000000737-61.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/1832-62-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/files/0x0005000000000735-69.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4256-68-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral2/memory/4028-67-0x0000000000400000-0x0000000000410000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Modifies Installed Components in the registry 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40690AB-D558-4166-9157-59778610B68D}	{3BA2820C-CE63-4491-A732-B3052971735E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D40690AB-D558-4166-9157-59778610B68D}\stubpath = "C:\\Windows\\{D40690AB-D558-4166-9157-59778610B68D}.exe"	{3BA2820C-CE63-4491-A732-B3052971735E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61FA9449-7C40-40f5-9FF5-BFAC814E2659}\stubpath = "C:\\Windows\\{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe"	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}	{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{834CDA16-C992-44c0-BAFA-85B3863F2E5E}	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F270767-DC9F-4b2d-84E5-6228D384AB2F}	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2F270767-DC9F-4b2d-84E5-6228D384AB2F}\stubpath = "C:\\Windows\\{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe"	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{126BF2EB-5E02-464e-8F4F-F9D699F231A5}\stubpath = "C:\\Windows\\{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe"	{D40690AB-D558-4166-9157-59778610B68D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}\stubpath = "C:\\Windows\\{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe"	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}\stubpath = "C:\\Windows\\{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe"	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CB5323E-4CE2-44bb-AC7E-D1A7FFFC8613}	{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B07434E5-6096-4765-9C66-7333E6CAB139}	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BA2820C-CE63-4491-A732-B3052971735E}\stubpath = "C:\\Windows\\{3BA2820C-CE63-4491-A732-B3052971735E}.exe"	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{126BF2EB-5E02-464e-8F4F-F9D699F231A5}	{D40690AB-D558-4166-9157-59778610B68D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CB5323E-4CE2-44bb-AC7E-D1A7FFFC8613}\stubpath = "C:\\Windows\\{3CB5323E-4CE2-44bb-AC7E-D1A7FFFC8613}.exe"	{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{834CDA16-C992-44c0-BAFA-85B3863F2E5E}\stubpath = "C:\\Windows\\{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe"	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BA2820C-CE63-4491-A732-B3052971735E}	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61FA9449-7C40-40f5-9FF5-BFAC814E2659}	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}\stubpath = "C:\\Windows\\{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}.exe"	{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B07434E5-6096-4765-9C66-7333E6CAB139}\stubpath = "C:\\Windows\\{B07434E5-6096-4765-9C66-7333E6CAB139}.exe"	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A2847F5-9916-4d5d-875A-87BED98041F3}	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8A2847F5-9916-4d5d-875A-87BED98041F3}\stubpath = "C:\\Windows\\{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe"	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe

Executes dropped EXE 12 IoCs

pid	Process
2252	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe
2008	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe
1488	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe
3396	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe
4504	{3BA2820C-CE63-4491-A732-B3052971735E}.exe
3288	{D40690AB-D558-4166-9157-59778610B68D}.exe
4408	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe
404	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe
1360	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe
1832	{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe
4028	{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}.exe
4256	{3CB5323E-4CE2-44bb-AC7E-D1A7FFFC8613}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe
File created	C:\Windows\{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe
File created	C:\Windows\{3BA2820C-CE63-4491-A732-B3052971735E}.exe	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe
File created	C:\Windows\{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe
File created	C:\Windows\{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}.exe	{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe
File created	C:\Windows\{B07434E5-6096-4765-9C66-7333E6CAB139}.exe	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
File created	C:\Windows\{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe
File created	C:\Windows\{D40690AB-D558-4166-9157-59778610B68D}.exe	{3BA2820C-CE63-4491-A732-B3052971735E}.exe
File created	C:\Windows\{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe	{D40690AB-D558-4166-9157-59778610B68D}.exe
File created	C:\Windows\{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe
File created	C:\Windows\{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe
File created	C:\Windows\{3CB5323E-4CE2-44bb-AC7E-D1A7FFFC8613}.exe	{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1496	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
Token: SeIncBasePriorityPrivilege	2252	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe
Token: SeIncBasePriorityPrivilege	2008	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe
Token: SeIncBasePriorityPrivilege	1488	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe
Token: SeIncBasePriorityPrivilege	3396	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe
Token: SeIncBasePriorityPrivilege	4504	{3BA2820C-CE63-4491-A732-B3052971735E}.exe
Token: SeIncBasePriorityPrivilege	3288	{D40690AB-D558-4166-9157-59778610B68D}.exe
Token: SeIncBasePriorityPrivilege	4408	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe
Token: SeIncBasePriorityPrivilege	404	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe
Token: SeIncBasePriorityPrivilege	1360	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe
Token: SeIncBasePriorityPrivilege	1832	{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe
Token: SeIncBasePriorityPrivilege	4028	{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2252	1496	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	90
PID 1496 wrote to memory of 2252	1496	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	90
PID 1496 wrote to memory of 2252	1496	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	90
PID 1496 wrote to memory of 988	1496	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	91
PID 1496 wrote to memory of 988	1496	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	91
PID 1496 wrote to memory of 988	1496	03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe	91
PID 2252 wrote to memory of 2008	2252	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe	94
PID 2252 wrote to memory of 2008	2252	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe	94
PID 2252 wrote to memory of 2008	2252	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe	94
PID 2252 wrote to memory of 3876	2252	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe	95
PID 2252 wrote to memory of 3876	2252	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe	95
PID 2252 wrote to memory of 3876	2252	{B07434E5-6096-4765-9C66-7333E6CAB139}.exe	95
PID 2008 wrote to memory of 1488	2008	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe	97
PID 2008 wrote to memory of 1488	2008	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe	97
PID 2008 wrote to memory of 1488	2008	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe	97
PID 2008 wrote to memory of 3320	2008	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe	98
PID 2008 wrote to memory of 3320	2008	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe	98
PID 2008 wrote to memory of 3320	2008	{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe	98
PID 1488 wrote to memory of 3396	1488	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe	99
PID 1488 wrote to memory of 3396	1488	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe	99
PID 1488 wrote to memory of 3396	1488	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe	99
PID 1488 wrote to memory of 1336	1488	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe	100
PID 1488 wrote to memory of 1336	1488	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe	100
PID 1488 wrote to memory of 1336	1488	{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe	100
PID 3396 wrote to memory of 4504	3396	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe	101
PID 3396 wrote to memory of 4504	3396	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe	101
PID 3396 wrote to memory of 4504	3396	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe	101
PID 3396 wrote to memory of 4996	3396	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe	102
PID 3396 wrote to memory of 4996	3396	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe	102
PID 3396 wrote to memory of 4996	3396	{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe	102
PID 4504 wrote to memory of 3288	4504	{3BA2820C-CE63-4491-A732-B3052971735E}.exe	103
PID 4504 wrote to memory of 3288	4504	{3BA2820C-CE63-4491-A732-B3052971735E}.exe	103
PID 4504 wrote to memory of 3288	4504	{3BA2820C-CE63-4491-A732-B3052971735E}.exe	103
PID 4504 wrote to memory of 4456	4504	{3BA2820C-CE63-4491-A732-B3052971735E}.exe	104
PID 4504 wrote to memory of 4456	4504	{3BA2820C-CE63-4491-A732-B3052971735E}.exe	104
PID 4504 wrote to memory of 4456	4504	{3BA2820C-CE63-4491-A732-B3052971735E}.exe	104
PID 3288 wrote to memory of 4408	3288	{D40690AB-D558-4166-9157-59778610B68D}.exe	105
PID 3288 wrote to memory of 4408	3288	{D40690AB-D558-4166-9157-59778610B68D}.exe	105
PID 3288 wrote to memory of 4408	3288	{D40690AB-D558-4166-9157-59778610B68D}.exe	105
PID 3288 wrote to memory of 4044	3288	{D40690AB-D558-4166-9157-59778610B68D}.exe	106
PID 3288 wrote to memory of 4044	3288	{D40690AB-D558-4166-9157-59778610B68D}.exe	106
PID 3288 wrote to memory of 4044	3288	{D40690AB-D558-4166-9157-59778610B68D}.exe	106
PID 4408 wrote to memory of 404	4408	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe	107
PID 4408 wrote to memory of 404	4408	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe	107
PID 4408 wrote to memory of 404	4408	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe	107
PID 4408 wrote to memory of 4956	4408	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe	108
PID 4408 wrote to memory of 4956	4408	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe	108
PID 4408 wrote to memory of 4956	4408	{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe	108
PID 404 wrote to memory of 1360	404	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe	109
PID 404 wrote to memory of 1360	404	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe	109
PID 404 wrote to memory of 1360	404	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe	109
PID 404 wrote to memory of 3684	404	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe	110
PID 404 wrote to memory of 3684	404	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe	110
PID 404 wrote to memory of 3684	404	{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe	110
PID 1360 wrote to memory of 1832	1360	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe	111
PID 1360 wrote to memory of 1832	1360	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe	111
PID 1360 wrote to memory of 1832	1360	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe	111
PID 1360 wrote to memory of 4688	1360	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe	112
PID 1360 wrote to memory of 4688	1360	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe	112
PID 1360 wrote to memory of 4688	1360	{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe	112
PID 1832 wrote to memory of 4028	1832	{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe	113
PID 1832 wrote to memory of 4028	1832	{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe	113
PID 1832 wrote to memory of 4028	1832	{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe	113
PID 1832 wrote to memory of 4592	1832	{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe	114

C:\Users\Admin\AppData\Local\Temp\03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe
"C:\Users\Admin\AppData\Local\Temp\03a2cf48ea751df6fd076c5a620b223a61cd050d44a932c25dfdb2fe1ef61498.exe"
1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\{B07434E5-6096-4765-9C66-7333E6CAB139}.exe
  C:\Windows\{B07434E5-6096-4765-9C66-7333E6CAB139}.exe
  2⤵
  - Modifies Installed Components in the registry
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe
    C:\Windows\{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe
    3⤵
    - Modifies Installed Components in the registry
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Windows\{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe
      C:\Windows\{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe
      4⤵
      Modifies Installed Components in the registry
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe
        
        C:\Windows\{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe
        5⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3396
      - C:\Windows\{3BA2820C-CE63-4491-A732-B3052971735E}.exe
        
        C:\Windows\{3BA2820C-CE63-4491-A732-B3052971735E}.exe
        6⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\{D40690AB-D558-4166-9157-59778610B68D}.exe
        
        C:\Windows\{D40690AB-D558-4166-9157-59778610B68D}.exe
        7⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3288
        
        C:\Windows\{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe
        
        C:\Windows\{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe
        8⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe
        
        C:\Windows\{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe
        9⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe
        
        C:\Windows\{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe
        10⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe
        
        C:\Windows\{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe
        11⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}.exe
        
        C:\Windows\{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}.exe
        12⤵
        Modifies Installed Components in the registry
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4028
        
        C:\Windows\{3CB5323E-4CE2-44bb-AC7E-D1A7FFFC8613}.exe
        
        C:\Windows\{3CB5323E-4CE2-44bb-AC7E-D1A7FFFC8613}.exe
        13⤵
        Executes dropped EXE
        
        PID:4256
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99EB5~1.EXE > nul
        13⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61FA9~1.EXE > nul
        12⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4070B~1.EXE > nul
        11⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{696DE~1.EXE > nul
        10⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{126BF~1.EXE > nul
        9⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D4069~1.EXE > nul
        8⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BA28~1.EXE > nul
        7⤵
        
        PID:4456
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8A284~1.EXE > nul
        6⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2F270~1.EXE > nul
        5⤵
        
        PID:1336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{834CD~1.EXE > nul
      4⤵
      PID:3320
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B0743~1.EXE > nul
    3⤵
    PID:3876
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\03A2CF~1.EXE > nul
  2⤵
  PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{126BF2EB-5E02-464e-8F4F-F9D699F231A5}.exe

Filesize
64KB

MD5
92766bf934dd301fbf9698d4d05e9148

SHA1
8ae93419e188c12726b6a3ae739d5af20b5e9eb4

SHA256
4fc2503e7f448aa6c96d9a2a40a4079d05dff47ab267c5573678f3b028a2dd74

SHA512
6dd7f59c81f33ddd83b64d745c87c2e68254df9b99019540f0889c325e0624cd33e1098c6daf9ca1f20bb32cb0db4c8702bfac0f13e11eef37ddeb47b99b1a34

Download Submit
C:\Windows\{2F270767-DC9F-4b2d-84E5-6228D384AB2F}.exe

Filesize
64KB

MD5
24c70ad2c5b1f895ced6676075845132

SHA1
5ed8c18ca0e88a67c8f6f3a6450df124500ef4c2

SHA256
290454cad443747f2cb08dd704bad6f9c4b99258cca054e655c2fc7f9b2ccb63

SHA512
b7a7d8b5e509a7eb0768fe3c4edf0d1c51578ff79e5786def2275ba09ff04081d01ef41f0cd82f646374704c6800314f2c21c3f2e8e12b4bb9d40724bbfd0d58

Download Submit
C:\Windows\{3BA2820C-CE63-4491-A732-B3052971735E}.exe

Filesize
64KB

MD5
4353e302ed93843e70650021caa40dea

SHA1
ae710094288690d7e8bb3f0fc8fb47a33d7a84ef

SHA256
63cdd79b74723281cf356086fcfe69d2aa95ae585131bb6ce07244aaa0057cf8

SHA512
4ba3504fe2db56d0faadf2d6509177235aeee9aa43d3e6e740e317c1c421e842f5e4b6301629fb62dbf50da9c65756541231f79e64bd84e1f8c26034b5346ecb

Download Submit
C:\Windows\{3CB5323E-4CE2-44bb-AC7E-D1A7FFFC8613}.exe

Filesize
64KB

MD5
a2cd0e213f44be25563670c6022d6b13

SHA1
f03ab63d1247f30ef1c4d5973949a7f4dc18c8e0

SHA256
fe35846afcf21d9bc4baba35e14d8351958d16ff1fe4ee41843650c2b9cc6b8f

SHA512
affbac3e10696dd16d7675bf88ca78d43389bb6b2ec6477149838d5e6db34c2d7461e9361f9dccaf476b15a6d0fdf7e27d510054215ef6b9f374ea8c902a5124

Download Submit
C:\Windows\{4070BFDF-65AD-47ad-A7CE-C23AA20685D1}.exe

Filesize
64KB

MD5
5cb1869abec5c0917841ded6059e0314

SHA1
c8a9263a395c9c46026198909bdc7568a59c0483

SHA256
feb7662901fab934ce1a4b67c7bf2d83746aeeaa3d2a35035c96490d27c269b8

SHA512
24c4aa55b6ecef34f96f1900a2e6ad1912c593cf05b8b0eb32373225eed0cbc793ebca54315618b880abcdfc37a30b14eabf4a23d0c29ac92f71ccd78cac6fde

Download Submit
C:\Windows\{61FA9449-7C40-40f5-9FF5-BFAC814E2659}.exe

Filesize
64KB

MD5
4da6e510943b0e9fda7d5d694430b63f

SHA1
640fff596de78d8ab57269644ea5f208515a821d

SHA256
8fe1ad63ca96d441d604262925c9cc216b83bade0217d9b9210b89def5964723

SHA512
0c77db0caf49ce260fee929beb06185c82fb6930a0c920338d49fa0d8d3c98754934a97f6a9747e3bc21f1daef0c666189406993cfc749eafa0dae28168005a2

Download Submit
C:\Windows\{696DEA22-90C6-465d-B7F4-1CAF56F8CD62}.exe

Filesize
64KB

MD5
52f7da7149b9740a80e5252d76bbcf7f

SHA1
4ddd48ae5fcfd02822f6c0b4b91cc1f3dd606237

SHA256
bdbcfd425626d670f76a16b6196eb18684758cd886e8cc4475ce3611058d9268

SHA512
78e6b4e5ed4b45f3f289d46858e4399af6f4e62d276f3f29590e6fe5c8ed266b16b6ed4e8ece4c9568dcdbca886862a836ee27a68e1e1c307abe0d7a11f358c9

Download Submit
C:\Windows\{834CDA16-C992-44c0-BAFA-85B3863F2E5E}.exe

Filesize
64KB

MD5
d1caecddc073042def284dcd23ec11e2

SHA1
34ba97d8d38a078e065ac7521e4f80edc6d76b6a

SHA256
aadd3956cf8e3aeca16dc6118fdde64b95ff8ec2515e27eb07dfad30c0bf585e

SHA512
94707b520e8a88911479e25962101c2eeb38f018a68b72f2650ae97561bb2ebd5dcd381cc19651b21e49dc9354dad744b26fbe257640c5f2fd0f90a9409c834f

Download Submit
C:\Windows\{8A2847F5-9916-4d5d-875A-87BED98041F3}.exe

Filesize
64KB

MD5
69548177c462de0eaa017ce0aab816c5

SHA1
916aba7882e47b78c756737cf9ba82f8f7884854

SHA256
aa20c8327bd2bace50352e843f391d04d34b3c8db8d7105da03f6d60a228f7c6

SHA512
4d529ec11eaf930af7d231d2c7577832cd083adda9c4bdeb0852c73c292c93772b0f6dcfd06575566f0edd6fa63c30a649261be67132bed46e299900148c9697

Download Submit
C:\Windows\{99EB5980-FC42-4d4f-A093-13CFD1BF74BB}.exe

Filesize
64KB

MD5
532776d3364435189cf66e3725b126eb

SHA1
e36ad6b4ee39cf7286d08508664c8792440282f5

SHA256
e45b565bdea6e2e91b76d66edd75ee0891e369007b159534e572edde923d3bb4

SHA512
ff2305d64573eeabb49dc70a13915233d2326d9bd2731e3e605d3948144212cbca7cba273ac22885ad07f4ff3206b7a3b25e6c551335beb859e47b02ccc6611b

Download Submit
C:\Windows\{B07434E5-6096-4765-9C66-7333E6CAB139}.exe

Filesize
64KB

MD5
7597ee4b23428d672a0649932966a519

SHA1
75db464ac7a10f0baffcb6c9b0d15ec2504c6b86

SHA256
b7fde3932c9cfdacccdfcacd4b3c28271f7ae101bd966c258a2d698527e2f2c1

SHA512
672438fc129fe4f1f7c4fc4b92f420fdfd30416d4cf7e197e1f9d8954e8e47f1ac5ae3daf719f4411a365f0d66b925a28fe045d0826f486e1ce4dc94f4f4fa8a

Download Submit
C:\Windows\{D40690AB-D558-4166-9157-59778610B68D}.exe

Filesize
64KB

MD5
1db71168ba2ae6d086009688ddd1c1ce

SHA1
4076ea3094564a5b1b09577707c4ff1950ddd145

SHA256
1d0d66777ee929daf333eb6a34090c20188ed23de33fee1ffc2fb9146c7c07b9

SHA512
b75b18a383617a4e19f78fe4528edfd528726c75e41468dd289e559fce002d74845b73ff3d5eb1d665aef3e48ddb3b2cc18866fa0d14507cd3dab0b688ce2d67

Download Submit
memory/404-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/404-49-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1360-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1360-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1488-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1488-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1496-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1496-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1832-62-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1832-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2008-14-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2252-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2252-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3288-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3288-33-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3396-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4028-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4256-68-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4408-43-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4408-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4504-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4504-28-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads