2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd

Analysis

max time kernel
149s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 19:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
Size

90KB
MD5

0a28f476335d4936951694495f12e0e9
SHA1

63da632a0cc81e3e9213a32a1d1f5f70a92fcdd9
SHA256

2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd
SHA512

38d848dd3fddbd63c865bf8353492f234526b216335c07495037341ee354442780517273a8856185435b75497e08b32a4023dfe48df007a3c387a91a921fb0a9
SSDEEP

768:Qvw9816vhKQLrom4/wQRNrfrunMxVFA3b7glws:YEGh0oml2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F53076-DA77-4b64-A827-61B643818F21}	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74347FC4-700C-44da-8988-DE49A2A68A00}\stubpath = "C:\\Windows\\{74347FC4-700C-44da-8988-DE49A2A68A00}.exe"	{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07D80DCA-ADCD-4802-BD85-1126205CE709}	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{74347FC4-700C-44da-8988-DE49A2A68A00}	{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04A6E531-7B67-49c2-A044-9D891B115A8A}	{1580A55A-131B-4a03-A514-23134F42675A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}\stubpath = "C:\\Windows\\{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe"	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{329E7025-B240-4f3c-BDCF-57FD5FE422CC}	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69F53076-DA77-4b64-A827-61B643818F21}\stubpath = "C:\\Windows\\{69F53076-DA77-4b64-A827-61B643818F21}.exe"	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC22EBB0-75BD-4bd5-8F0A-AB621C2E388A}	{74347FC4-700C-44da-8988-DE49A2A68A00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1580A55A-131B-4a03-A514-23134F42675A}	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}\stubpath = "C:\\Windows\\{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe"	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{07D80DCA-ADCD-4802-BD85-1126205CE709}\stubpath = "C:\\Windows\\{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe"	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}\stubpath = "C:\\Windows\\{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe"	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{329E7025-B240-4f3c-BDCF-57FD5FE422CC}\stubpath = "C:\\Windows\\{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe"	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}\stubpath = "C:\\Windows\\{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe"	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1580A55A-131B-4a03-A514-23134F42675A}\stubpath = "C:\\Windows\\{1580A55A-131B-4a03-A514-23134F42675A}.exe"	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04A6E531-7B67-49c2-A044-9D891B115A8A}\stubpath = "C:\\Windows\\{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe"	{1580A55A-131B-4a03-A514-23134F42675A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC22EBB0-75BD-4bd5-8F0A-AB621C2E388A}\stubpath = "C:\\Windows\\{CC22EBB0-75BD-4bd5-8F0A-AB621C2E388A}.exe"	{74347FC4-700C-44da-8988-DE49A2A68A00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5431F08B-1176-4eba-98FD-75A9F6904D5C}	{69F53076-DA77-4b64-A827-61B643818F21}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5431F08B-1176-4eba-98FD-75A9F6904D5C}\stubpath = "C:\\Windows\\{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe"	{69F53076-DA77-4b64-A827-61B643818F21}.exe

Executes dropped EXE 12 IoCs

pid	Process
5052	{1580A55A-131B-4a03-A514-23134F42675A}.exe
2208	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe
3920	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe
4352	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe
2168	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe
4728	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe
2452	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe
3672	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe
2752	{69F53076-DA77-4b64-A827-61B643818F21}.exe
4044	{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe
4536	{74347FC4-700C-44da-8988-DE49A2A68A00}.exe
4728	{CC22EBB0-75BD-4bd5-8F0A-AB621C2E388A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe	{69F53076-DA77-4b64-A827-61B643818F21}.exe
File created	C:\Windows\{CC22EBB0-75BD-4bd5-8F0A-AB621C2E388A}.exe	{74347FC4-700C-44da-8988-DE49A2A68A00}.exe
File created	C:\Windows\{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe	{1580A55A-131B-4a03-A514-23134F42675A}.exe
File created	C:\Windows\{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe
File created	C:\Windows\{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe
File created	C:\Windows\{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe
File created	C:\Windows\{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe
File created	C:\Windows\{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe
File created	C:\Windows\{1580A55A-131B-4a03-A514-23134F42675A}.exe	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
File created	C:\Windows\{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe
File created	C:\Windows\{69F53076-DA77-4b64-A827-61B643818F21}.exe	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe
File created	C:\Windows\{74347FC4-700C-44da-8988-DE49A2A68A00}.exe	{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69F53076-DA77-4b64-A827-61B643818F21}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{74347FC4-700C-44da-8988-DE49A2A68A00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC22EBB0-75BD-4bd5-8F0A-AB621C2E388A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1580A55A-131B-4a03-A514-23134F42675A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1576	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
Token: SeIncBasePriorityPrivilege	5052	{1580A55A-131B-4a03-A514-23134F42675A}.exe
Token: SeIncBasePriorityPrivilege	2208	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe
Token: SeIncBasePriorityPrivilege	3920	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe
Token: SeIncBasePriorityPrivilege	4352	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe
Token: SeIncBasePriorityPrivilege	2168	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe
Token: SeIncBasePriorityPrivilege	4728	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe
Token: SeIncBasePriorityPrivilege	2452	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe
Token: SeIncBasePriorityPrivilege	3672	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe
Token: SeIncBasePriorityPrivilege	2752	{69F53076-DA77-4b64-A827-61B643818F21}.exe
Token: SeIncBasePriorityPrivilege	4044	{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe
Token: SeIncBasePriorityPrivilege	4536	{74347FC4-700C-44da-8988-DE49A2A68A00}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 5052	1576	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	95
PID 1576 wrote to memory of 5052	1576	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	95
PID 1576 wrote to memory of 5052	1576	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	95
PID 1576 wrote to memory of 5076	1576	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	96
PID 1576 wrote to memory of 5076	1576	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	96
PID 1576 wrote to memory of 5076	1576	2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe	96
PID 5052 wrote to memory of 2208	5052	{1580A55A-131B-4a03-A514-23134F42675A}.exe	97
PID 5052 wrote to memory of 2208	5052	{1580A55A-131B-4a03-A514-23134F42675A}.exe	97
PID 5052 wrote to memory of 2208	5052	{1580A55A-131B-4a03-A514-23134F42675A}.exe	97
PID 5052 wrote to memory of 2436	5052	{1580A55A-131B-4a03-A514-23134F42675A}.exe	98
PID 5052 wrote to memory of 2436	5052	{1580A55A-131B-4a03-A514-23134F42675A}.exe	98
PID 5052 wrote to memory of 2436	5052	{1580A55A-131B-4a03-A514-23134F42675A}.exe	98
PID 2208 wrote to memory of 3920	2208	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe	102
PID 2208 wrote to memory of 3920	2208	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe	102
PID 2208 wrote to memory of 3920	2208	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe	102
PID 2208 wrote to memory of 4236	2208	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe	103
PID 2208 wrote to memory of 4236	2208	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe	103
PID 2208 wrote to memory of 4236	2208	{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe	103
PID 3920 wrote to memory of 4352	3920	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe	104
PID 3920 wrote to memory of 4352	3920	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe	104
PID 3920 wrote to memory of 4352	3920	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe	104
PID 3920 wrote to memory of 3280	3920	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe	105
PID 3920 wrote to memory of 3280	3920	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe	105
PID 3920 wrote to memory of 3280	3920	{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe	105
PID 4352 wrote to memory of 2168	4352	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe	106
PID 4352 wrote to memory of 2168	4352	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe	106
PID 4352 wrote to memory of 2168	4352	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe	106
PID 4352 wrote to memory of 2324	4352	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe	107
PID 4352 wrote to memory of 2324	4352	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe	107
PID 4352 wrote to memory of 2324	4352	{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe	107
PID 2168 wrote to memory of 4728	2168	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe	110
PID 2168 wrote to memory of 4728	2168	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe	110
PID 2168 wrote to memory of 4728	2168	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe	110
PID 2168 wrote to memory of 2204	2168	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe	111
PID 2168 wrote to memory of 2204	2168	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe	111
PID 2168 wrote to memory of 2204	2168	{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe	111
PID 4728 wrote to memory of 2452	4728	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe	112
PID 4728 wrote to memory of 2452	4728	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe	112
PID 4728 wrote to memory of 2452	4728	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe	112
PID 4728 wrote to memory of 2444	4728	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe	113
PID 4728 wrote to memory of 2444	4728	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe	113
PID 4728 wrote to memory of 2444	4728	{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe	113
PID 2452 wrote to memory of 3672	2452	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe	116
PID 2452 wrote to memory of 3672	2452	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe	116
PID 2452 wrote to memory of 3672	2452	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe	116
PID 2452 wrote to memory of 4456	2452	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe	117
PID 2452 wrote to memory of 4456	2452	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe	117
PID 2452 wrote to memory of 4456	2452	{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe	117
PID 3672 wrote to memory of 2752	3672	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe	124
PID 3672 wrote to memory of 2752	3672	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe	124
PID 3672 wrote to memory of 2752	3672	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe	124
PID 3672 wrote to memory of 3244	3672	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe	125
PID 3672 wrote to memory of 3244	3672	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe	125
PID 3672 wrote to memory of 3244	3672	{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe	125
PID 2752 wrote to memory of 4044	2752	{69F53076-DA77-4b64-A827-61B643818F21}.exe	126
PID 2752 wrote to memory of 4044	2752	{69F53076-DA77-4b64-A827-61B643818F21}.exe	126
PID 2752 wrote to memory of 4044	2752	{69F53076-DA77-4b64-A827-61B643818F21}.exe	126
PID 2752 wrote to memory of 2880	2752	{69F53076-DA77-4b64-A827-61B643818F21}.exe	127
PID 2752 wrote to memory of 2880	2752	{69F53076-DA77-4b64-A827-61B643818F21}.exe	127
PID 2752 wrote to memory of 2880	2752	{69F53076-DA77-4b64-A827-61B643818F21}.exe	127
PID 4044 wrote to memory of 4536	4044	{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe	131
PID 4044 wrote to memory of 4536	4044	{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe	131
PID 4044 wrote to memory of 4536	4044	{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe	131
PID 4044 wrote to memory of 2928	4044	{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe	132

C:\Users\Admin\AppData\Local\Temp\2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe
"C:\Users\Admin\AppData\Local\Temp\2650037c995170067985fdb2d53fc6da592e76201e0af08d1d44626b4824f2bd.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\{1580A55A-131B-4a03-A514-23134F42675A}.exe
  C:\Windows\{1580A55A-131B-4a03-A514-23134F42675A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5052
- - C:\Windows\{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe
    C:\Windows\{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe
      C:\Windows\{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3920
    - - C:\Windows\{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe
        
        C:\Windows\{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Windows\{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe
        
        C:\Windows\{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe
        
        C:\Windows\{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe
        
        C:\Windows\{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe
        
        C:\Windows\{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\{69F53076-DA77-4b64-A827-61B643818F21}.exe
        
        C:\Windows\{69F53076-DA77-4b64-A827-61B643818F21}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe
        
        C:\Windows\{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4044
        
        C:\Windows\{74347FC4-700C-44da-8988-DE49A2A68A00}.exe
        
        C:\Windows\{74347FC4-700C-44da-8988-DE49A2A68A00}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4536
        
        C:\Windows\{CC22EBB0-75BD-4bd5-8F0A-AB621C2E388A}.exe
        
        C:\Windows\{CC22EBB0-75BD-4bd5-8F0A-AB621C2E388A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74347~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5431F~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69F53~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A67CD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{33D3F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{329E7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F8D4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07D80~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE57~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{04A6E~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1580A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2436
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\265003~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04A6E531-7B67-49c2-A044-9D891B115A8A}.exe

Filesize
90KB

MD5
360bb8e5402e052ffcf7207a97490731

SHA1
55b6f1d2cafe4cf0e250edad00e4305f53bbb013

SHA256
0764dbd87012c15d2acce77f522625d9bb6a9bd23ead3e5fbbd9bfeb5db2b934

SHA512
ef9145ff9ef61e9916d40206a645372d196a3f71515ce720c00bf8be8d1e803cbd06886ba463710f4fae0073ac1ea2102bb3c788f8a9f29ee6497e9b217e1376

Download Submit
C:\Windows\{07D80DCA-ADCD-4802-BD85-1126205CE709}.exe

Filesize
90KB

MD5
07efb9606dc0d2b6b9ff34be39c0e59c

SHA1
484c441f2b9759f4477ff65a8d2708b57619c6c8

SHA256
2b70785773e7c88317fde6f64137726a62876289d8290dac6c1299d794acf4b8

SHA512
f34b770e98654f5cf6d3a091e22cd4cc6026606942f9d441149512a56f24cca023b87f7607b61b3e522c52e52105aee35262c9c191e12f52002f73e1dca8d32d

Download Submit
C:\Windows\{0F8D4636-9CE0-4517-AB7A-F44FAF297A47}.exe

Filesize
90KB

MD5
510f51d59d98b40c19dea8d0caabf55e

SHA1
47fe01fefaf2d9d115baa6e3dfa6a11adcec4497

SHA256
12dbe47197411035df156b00df5bdc82cae38bb490f4c30e77a0739800ceb567

SHA512
722fb86c07bc2630e0fd6991da26f792b6b575d2ff3c60bfdd4e77a1cc24783f6ff38d569db6303488fb2205af1a5cb320d3a3bd55cd3fbea55acceaf5782cf4

Download Submit
C:\Windows\{1580A55A-131B-4a03-A514-23134F42675A}.exe

Filesize
90KB

MD5
4c3a16119943bfb7986a7efa76bd1648

SHA1
2042b25948cd55862a64711e35e21ecd5efce993

SHA256
ac7d60dc098a4eaace2811ca6f3303e3833d32c6adde4f57d413ad090a504eaf

SHA512
a50a69510d54e3b03ccbd98802e3289f5d293bc0023adf7f2f7c5cd8f236e234d21447e6ec58c26990a02ff4e250f05b7f964cf7cc4cfa3886519fe8fd3263f0

Download Submit
C:\Windows\{329E7025-B240-4f3c-BDCF-57FD5FE422CC}.exe

Filesize
90KB

MD5
e131520ab68e604b84f1c26440899509

SHA1
2a5045ba248fdb7931f099bcf6d46d234edc8c95

SHA256
d640c5e36beb197f7f24f3974902e00bb32c817edad06d4b1d3f994e090188ac

SHA512
f2ff221adde1abee3dbfc100bcd78bee9a9f863ea376bc8e9e7f426e9fa683aa8150558d9b25b949d6b3b677b78e82d81e46839df9e53075589a2c318794da5e

Download Submit
C:\Windows\{33D3F41C-EB1F-4b13-B8BC-935127A9A3C8}.exe

Filesize
90KB

MD5
0de76cc374b406e936c9f776ff950585

SHA1
d009c1d6b94081167ddc12f42ba074d3a582c76e

SHA256
dbe7c249cb2189f765f306a7505a1165118d3aa23f7fbff22a9641bae859dbc0

SHA512
3c28a1a19736666bf3fc3a822fd9097fcd6669bf8493e2409a9642c3271e524d5479141b236cfa22df1da874a1a7e64f80c00c9a98469408271457e1df87145e

Download Submit
C:\Windows\{4AE57D35-FF4B-4ba7-8662-D67A67E424AA}.exe

Filesize
90KB

MD5
5e74c0b38385f4a42dca364f16e2a2b2

SHA1
d842eafd97fe4e60ff01a37b9055473d4c0881a4

SHA256
7ba6f7c0bb042d9549df98c603ccc5c1cf0a838f7b083d4ccbfbba0d6822ab68

SHA512
46e45b5333f482c55b52bbd8e22b8ec0618b1fed8f439e42442e02b6f1dedbbc4fe98a927ea243490de9b364f8d95ac113f2263f1b845437bd6e70b20e8200c8

Download Submit
C:\Windows\{5431F08B-1176-4eba-98FD-75A9F6904D5C}.exe

Filesize
90KB

MD5
bffc899fb010e74cea78cfbb2a02528b

SHA1
2ec2ebf2d03051ecad2be1a4c7078490d51122ee

SHA256
dced6cab48d67408e4758faaf195f933be194d583fa4d18bd92669b6c4009f4e

SHA512
44f8f790bcd561d6c6e87505adf58929ef816a10badbf6541f251fc3aaad7f8425a3c97acc23c202abbf45c03e566a69e1e35bec12c63c00ce7698e7b5abcd70

Download Submit
C:\Windows\{69F53076-DA77-4b64-A827-61B643818F21}.exe

Filesize
90KB

MD5
9c64f6dd959b790f6f5a1ed9f72afd68

SHA1
c96b890387884cb5733864a1c680427169409be6

SHA256
a45ed62ed72439d3dc4d0a49f32d4f9d4687ec9805f27a246041a34624448ff1

SHA512
e66c83a3b0cd85ecce1a578ae46d2b99cbeb5583a80708e292afb57100d4c516aca28d44ddbc0bf70dc22fe21e7cac3cb7bb1487a3653f329cca1ce53ff95c4b

Download Submit
C:\Windows\{74347FC4-700C-44da-8988-DE49A2A68A00}.exe

Filesize
90KB

MD5
8767aebcb1baad93fc8bb9bc65902c83

SHA1
704f440485432739df67d657213ee176ed59e5f8

SHA256
19685a4c40b28897736759428d62f938f843ff76f7bd7469acdbbdb2fcfa36f7

SHA512
1e9156c8d47a00697c63727d73efb7b20397c38b9a2f049f01a340f8a3e8591eb14cf81f034f7657ad10e3b8676cc29760f2badea06b05b0ee16fec1073ea9b4

Download Submit
C:\Windows\{A67CD667-DFDB-43b8-8D3B-3C81D4DFEE95}.exe

Filesize
90KB

MD5
7172461a2a82a41bcc57802d7700c619

SHA1
2a46329be304da26f88e769592c7e9ebc0be0746

SHA256
766432e70f81eca90a63d2f76fca19f0b355375f80251ab9079395161db087d9

SHA512
bbadd97ed061fae87be9f47fa0b904c973f2651f7a5bd553636c7be924c55ccd4465376bac35b06a6d36160aa42a6d0cddd6aa86bee39f5a44a259b4dc0befd6

Download Submit
C:\Windows\{CC22EBB0-75BD-4bd5-8F0A-AB621C2E388A}.exe

Filesize
90KB

MD5
84bcb3534613fe40dc48b3c246c70a76

SHA1
6b70d3e43c97b64d0e554ff8850c2f821820bd90

SHA256
3358020c45575524047ae7a8c3863af3dab807e7ab7f0ed154cf9c676722eec3

SHA512
4f662981fb9722828046503ac0604be82716246a2564a22c2849ed0a1cf711137b33a8fdda843704de495dc0803c659c87a8e5a65759b9aefad34034c862ed83

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads