16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe
Size

90KB
MD5

bc08dbd347cb80d2a8a64f7a0882664e
SHA1

4168c56fa574e48e81fa3e1f5b964e2f9ea7c6c7
SHA256

16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805
SHA512

9acdb07d6b1292ec362e91136665fef83747d2fdb3aa89979c036ed84b0a1c1ec8bd16ff414112a7e83f47910606cc7b14bf16e8480a606874e15d16b2fda06d
SSDEEP

768:Qvw9816vhKQLron4/wQRNrfrunMxVFA3b7glw:YEGh0onl2unMxVS3Hg

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AB765E9-08D4-4f39-A3C7-A5E603770BF1}	{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}\stubpath = "C:\\Windows\\{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe"	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}\stubpath = "C:\\Windows\\{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe"	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}\stubpath = "C:\\Windows\\{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe"	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3AB765E9-08D4-4f39-A3C7-A5E603770BF1}\stubpath = "C:\\Windows\\{3AB765E9-08D4-4f39-A3C7-A5E603770BF1}.exe"	{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3902081-1B01-4782-B734-CE401DF32F13}\stubpath = "C:\\Windows\\{B3902081-1B01-4782-B734-CE401DF32F13}.exe"	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}\stubpath = "C:\\Windows\\{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}.exe"	{B3902081-1B01-4782-B734-CE401DF32F13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7426F27D-4015-440f-B179-7770A5925043}\stubpath = "C:\\Windows\\{7426F27D-4015-440f-B179-7770A5925043}.exe"	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F20E9EC3-888B-43e4-B046-6807F42B668F}	{7426F27D-4015-440f-B179-7770A5925043}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}	{B3902081-1B01-4782-B734-CE401DF32F13}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1907007-BF44-438f-AAB0-17ED5D0316F1}\stubpath = "C:\\Windows\\{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe"	{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7426F27D-4015-440f-B179-7770A5925043}	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F20E9EC3-888B-43e4-B046-6807F42B668F}\stubpath = "C:\\Windows\\{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe"	{7426F27D-4015-440f-B179-7770A5925043}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}\stubpath = "C:\\Windows\\{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe"	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}\stubpath = "C:\\Windows\\{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe"	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C118703-D05F-47cd-894E-61AFA39E14FB}	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5C118703-D05F-47cd-894E-61AFA39E14FB}\stubpath = "C:\\Windows\\{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe"	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B3902081-1B01-4782-B734-CE401DF32F13}	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1907007-BF44-438f-AAB0-17ED5D0316F1}	{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}.exe

Executes dropped EXE 11 IoCs

pid	Process
1868	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe
3096	{B3902081-1B01-4782-B734-CE401DF32F13}.exe
4532	{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}.exe
1152	{7426F27D-4015-440f-B179-7770A5925043}.exe
4796	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe
2412	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe
4772	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe
876	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe
3632	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe
4172	{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe
4124	{3AB765E9-08D4-4f39-A3C7-A5E603770BF1}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}.exe	{B3902081-1B01-4782-B734-CE401DF32F13}.exe
File created	C:\Windows\{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe
File created	C:\Windows\{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe
File created	C:\Windows\{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe
File created	C:\Windows\{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe
File created	C:\Windows\{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe
File created	C:\Windows\{B3902081-1B01-4782-B734-CE401DF32F13}.exe	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe
File created	C:\Windows\{7426F27D-4015-440f-B179-7770A5925043}.exe	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe
File created	C:\Windows\{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe	{7426F27D-4015-440f-B179-7770A5925043}.exe
File created	C:\Windows\{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe
File created	C:\Windows\{3AB765E9-08D4-4f39-A3C7-A5E603770BF1}.exe	{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B3902081-1B01-4782-B734-CE401DF32F13}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3AB765E9-08D4-4f39-A3C7-A5E603770BF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7426F27D-4015-440f-B179-7770A5925043}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	740	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe
Token: SeIncBasePriorityPrivilege	1868	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe
Token: SeIncBasePriorityPrivilege	3096	{B3902081-1B01-4782-B734-CE401DF32F13}.exe
Token: SeIncBasePriorityPrivilege	4324	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe
Token: SeIncBasePriorityPrivilege	1152	{7426F27D-4015-440f-B179-7770A5925043}.exe
Token: SeIncBasePriorityPrivilege	4796	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe
Token: SeIncBasePriorityPrivilege	2412	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe
Token: SeIncBasePriorityPrivilege	4772	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe
Token: SeIncBasePriorityPrivilege	876	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe
Token: SeIncBasePriorityPrivilege	3632	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe
Token: SeIncBasePriorityPrivilege	4172	{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 740 wrote to memory of 1868	740	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe	95
PID 740 wrote to memory of 1868	740	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe	95
PID 740 wrote to memory of 1868	740	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe	95
PID 740 wrote to memory of 1084	740	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe	96
PID 740 wrote to memory of 1084	740	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe	96
PID 740 wrote to memory of 1084	740	16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe	96
PID 1868 wrote to memory of 3096	1868	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe	97
PID 1868 wrote to memory of 3096	1868	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe	97
PID 1868 wrote to memory of 3096	1868	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe	97
PID 1868 wrote to memory of 3372	1868	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe	98
PID 1868 wrote to memory of 3372	1868	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe	98
PID 1868 wrote to memory of 3372	1868	{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe	98
PID 3096 wrote to memory of 4532	3096	{B3902081-1B01-4782-B734-CE401DF32F13}.exe	102
PID 3096 wrote to memory of 4532	3096	{B3902081-1B01-4782-B734-CE401DF32F13}.exe	102
PID 3096 wrote to memory of 4532	3096	{B3902081-1B01-4782-B734-CE401DF32F13}.exe	102
PID 3096 wrote to memory of 4300	3096	{B3902081-1B01-4782-B734-CE401DF32F13}.exe	103
PID 3096 wrote to memory of 4300	3096	{B3902081-1B01-4782-B734-CE401DF32F13}.exe	103
PID 3096 wrote to memory of 4300	3096	{B3902081-1B01-4782-B734-CE401DF32F13}.exe	103
PID 4324 wrote to memory of 1152	4324	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe	106
PID 4324 wrote to memory of 1152	4324	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe	106
PID 4324 wrote to memory of 1152	4324	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe	106
PID 4324 wrote to memory of 3620	4324	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe	107
PID 4324 wrote to memory of 3620	4324	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe	107
PID 4324 wrote to memory of 3620	4324	{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe	107
PID 1152 wrote to memory of 4796	1152	{7426F27D-4015-440f-B179-7770A5925043}.exe	109
PID 1152 wrote to memory of 4796	1152	{7426F27D-4015-440f-B179-7770A5925043}.exe	109
PID 1152 wrote to memory of 4796	1152	{7426F27D-4015-440f-B179-7770A5925043}.exe	109
PID 1152 wrote to memory of 2016	1152	{7426F27D-4015-440f-B179-7770A5925043}.exe	110
PID 1152 wrote to memory of 2016	1152	{7426F27D-4015-440f-B179-7770A5925043}.exe	110
PID 1152 wrote to memory of 2016	1152	{7426F27D-4015-440f-B179-7770A5925043}.exe	110
PID 4796 wrote to memory of 2412	4796	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe	111
PID 4796 wrote to memory of 2412	4796	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe	111
PID 4796 wrote to memory of 2412	4796	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe	111
PID 4796 wrote to memory of 2628	4796	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe	112
PID 4796 wrote to memory of 2628	4796	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe	112
PID 4796 wrote to memory of 2628	4796	{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe	112
PID 2412 wrote to memory of 4772	2412	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe	117
PID 2412 wrote to memory of 4772	2412	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe	117
PID 2412 wrote to memory of 4772	2412	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe	117
PID 2412 wrote to memory of 456	2412	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe	118
PID 2412 wrote to memory of 456	2412	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe	118
PID 2412 wrote to memory of 456	2412	{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe	118
PID 4772 wrote to memory of 876	4772	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe	123
PID 4772 wrote to memory of 876	4772	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe	123
PID 4772 wrote to memory of 876	4772	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe	123
PID 4772 wrote to memory of 3008	4772	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe	124
PID 4772 wrote to memory of 3008	4772	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe	124
PID 4772 wrote to memory of 3008	4772	{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe	124
PID 876 wrote to memory of 3632	876	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe	125
PID 876 wrote to memory of 3632	876	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe	125
PID 876 wrote to memory of 3632	876	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe	125
PID 876 wrote to memory of 1744	876	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe	126
PID 876 wrote to memory of 1744	876	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe	126
PID 876 wrote to memory of 1744	876	{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe	126
PID 3632 wrote to memory of 4172	3632	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe	130
PID 3632 wrote to memory of 4172	3632	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe	130
PID 3632 wrote to memory of 4172	3632	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe	130
PID 3632 wrote to memory of 2040	3632	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe	131
PID 3632 wrote to memory of 2040	3632	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe	131
PID 3632 wrote to memory of 2040	3632	{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe	131
PID 4172 wrote to memory of 4124	4172	{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe	132
PID 4172 wrote to memory of 4124	4172	{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe	132
PID 4172 wrote to memory of 4124	4172	{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe	132
PID 4172 wrote to memory of 1768	4172	{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe	133

C:\Users\Admin\AppData\Local\Temp\16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe
"C:\Users\Admin\AppData\Local\Temp\16da9cc5368423e7ad3f5e65b02453a668f2fc6fb5c7df2cd70346162eb4f805.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740
- C:\Windows\{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe
  C:\Windows\{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\{B3902081-1B01-4782-B734-CE401DF32F13}.exe
    C:\Windows\{B3902081-1B01-4782-B734-CE401DF32F13}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}.exe
      C:\Windows\{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4532
    - - C:\Windows\{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe
        
        C:\Windows\{F1907007-BF44-438f-AAB0-17ED5D0316F1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4324
      - C:\Windows\{7426F27D-4015-440f-B179-7770A5925043}.exe
        
        C:\Windows\{7426F27D-4015-440f-B179-7770A5925043}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1152
        
        C:\Windows\{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe
        
        C:\Windows\{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe
        
        C:\Windows\{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe
        
        C:\Windows\{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe
        
        C:\Windows\{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe
        
        C:\Windows\{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe
        
        C:\Windows\{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4172
        
        C:\Windows\{3AB765E9-08D4-4f39-A3C7-A5E603770BF1}.exe
        
        C:\Windows\{3AB765E9-08D4-4f39-A3C7-A5E603770BF1}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D5F~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C0D7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CF60A~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70A37~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D05F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F20E9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7426F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F1907~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3620
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB344~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4272
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B3902~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{5C118~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\16DA9C~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{3AB765E9-08D4-4f39-A3C7-A5E603770BF1}.exe

Filesize
90KB

MD5
1fb1abd20463a102cb7b726af4f1f558

SHA1
c485a81df5af42312a811928930f175df3fb7e56

SHA256
3d5e8aaaaad084a7ffc0cdd3955a575b5cbcd8227db5e25565dcf15819d8383e

SHA512
06826cc58309162336d9163cc5112083611750f47f5611aed054f2fb3efa22cd9dfbb611c744108832cf067f428c1498d102dbdf8f183024315b8b6f15cd919a

Download Submit
C:\Windows\{5C118703-D05F-47cd-894E-61AFA39E14FB}.exe

Filesize
90KB

MD5
ab6d2f0ec92b6298b525b2bca569dfad

SHA1
2aa1c41e771a2a842083279af77c7f8427899352

SHA256
ca186029d93820247e0642d985bac3d2c35aabd657f2b43ba175270d06737d73

SHA512
94b81bef7c69f34170890126023d9cf8d3b628ad9804975c4d0cac3dadcaceddba4a59e6ccafecd981441eaca986e4b00b435a6a6710534b32d782f60d18d566

Download Submit
C:\Windows\{70A37C09-1F2D-4be8-AA46-E76F1D8CD0BA}.exe

Filesize
90KB

MD5
e8ad018f4a5ada07bc47e0a31a8a771c

SHA1
24ab1fe47d031b10f054d78c0a8e4c3859dd8c02

SHA256
8cb7b1f4d4f4a47b8584a0fe21be4564e1e8bae2e187288f7a155c19cabae711

SHA512
07dff867486b3586bf358e8172910251718db366516785f661c30782ce36c3f4fadd923395c40deb49de7a7afd149707101f1552e5c27b455854427989090044

Download Submit
C:\Windows\{7426F27D-4015-440f-B179-7770A5925043}.exe

Filesize
90KB

MD5
3122860870499843e204b08b3ed7c74d

SHA1
39a6f1baa1fb4c5e3b8534e94abf6b095ad4bcc6

SHA256
2055bb22501033303a1e7d8b66aab541526884bbd5aed4dc244f8b4c9e9e4adb

SHA512
28c962b83fe085f1ebf1337d08111840bca0a5480c77358977175c7d85136bfdd6363e8af96907181fc14743337e848746cef195d73bd943d64d3d0d11625e95

Download Submit
C:\Windows\{8D05F33C-EF00-4f81-9ECC-8DCC179EF775}.exe

Filesize
90KB

MD5
4aa809e2d49dc4ce262a270c48aebadd

SHA1
39fd19ee7599c89e7aeeffc54c645d40314bf459

SHA256
44564038e0c5a04f1eabdaf7de6e499e64a9527835a01434e8749724761ec924

SHA512
c2a21bda8240915465f6756b885cbab3b79720ee9ad95b68c621269d73614a2c803e49ad06ce3917c27ee58a9868f9faaed8c8c50040934832758b24ca0c6004

Download Submit
C:\Windows\{9C0D733D-B11D-455c-BA17-8CF3AC7C17ED}.exe

Filesize
90KB

MD5
1b11dbcfd5b296754a74cf20b070b402

SHA1
856de01b8f27a2522c7e44972f98e571647c2649

SHA256
6feb46e13456b874ad092987c64d473f08a767a76179246dd1a36623e89b0028

SHA512
bb350f31cde508c914a22876b26da9d755d230b9b5218b4acbd4db0e2e54a01b62b86b6386fdc69fe575213c2ff7678b166e4491e2aa62c58c61ee75212c6350

Download Submit
C:\Windows\{B3902081-1B01-4782-B734-CE401DF32F13}.exe

Filesize
90KB

MD5
4ae3d5ee37b1f50d248975257c25f68a

SHA1
f1faf2027618ff98c6a859e5800d88a26a2c746d

SHA256
d9a4721e2287441157513bebfb4959de0e3c2d88d55599780b8eba5ff3885467

SHA512
3bb5083075f054dfd0030eab53fed7fe32cbfa19a0bbd6ebb417d0463ce1f3d6abb76119bba982d0cdf7263d7a4c409f8b32a0d2efb7fc5b19b8e916b7952e58

Download Submit
C:\Windows\{B9D5F03E-84F2-4e3b-901B-DA1FAC4B1849}.exe

Filesize
90KB

MD5
3f2cf104f38d3748e7394361819f922b

SHA1
1fefeaee9df3408bf3ac777969f88c7986a62a48

SHA256
d85a115720668fad129685945f1b80cf29546a297a173d53f64dc4f5adbb4db6

SHA512
7a15970683b626ec48fd23d0e5b7ae60124c8cfd5de93880bad8e07f51c8488db7730e64e74328fb521d0f4edf43978aaf112cf6435867f7b7eb263fd42c9eae

Download Submit
C:\Windows\{CF60A275-2939-44e7-BFA1-2A9080ADA3C4}.exe

Filesize
90KB

MD5
3f604a39cb4b3dcb90fc3538ccddbe66

SHA1
53545f63c6ee6dac09ea9d6a2eef6b4697ce30bd

SHA256
3d085b6adc88f53c5bdf7320efde8bc7dd4c601001716ed93dc3568f1620b80e

SHA512
17169fe39e3f370aad93a798ff9b249dde7a84c052614f88976ac36e773f8cf9916777a9b3838352e420cac65a3346f2a90228d409abe1b5a4e73d232d542bd7

Download Submit
C:\Windows\{DB344C4F-4D1A-4b07-A1E2-65B960B8164C}.exe

Filesize
90KB

MD5
70770dda30da42bd54dd9c4aeb9719a4

SHA1
4257ef2921766e76463e0c8c43bade2be524f4a9

SHA256
3dec949350d78b610fbc3b5f0bc4d39ad90ed08611ab2dcf61b1e74a8a2bff2b

SHA512
1d6e81a08d8f12d0d3cffa4892b34e1ead151cc4524d0021a0dd523b7c5c6db776b270dc8d60b028acc4631160f7dc036b5d9ce05458f557f62a02010acc0763

Download Submit
C:\Windows\{F20E9EC3-888B-43e4-B046-6807F42B668F}.exe

Filesize
90KB

MD5
b67e10a82b7ce76441912261848d6a7b

SHA1
f72616cf2b738bd7a4171798a90105f0d6c6efa7

SHA256
cbebd326a01f043161f0f78a0907ab0d36d5f603f77b5caf8c6ae78a5035c26e

SHA512
c5304b3b11ab6f9b14f3cb694f0a765d5ae067af484e09dada066e82ad90567bc838bda539353511a187ef03a039ef1b4a21a42582b1c33937e205260e3996c5

Download Submit
memory/4532-11-0x00000000038F0000-0x00000000039CB000-memory.dmp

Filesize
876KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads