b6395e0874fac3e85d9a0b5f1a78f9a8dd4550fb27583169f053b356990522f1

Analysis

max time kernel
118s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c679ce72a7db8ead783f1446b4843c0N.exe
Size

168KB
MD5

0c679ce72a7db8ead783f1446b4843c0
SHA1

c464df0d5506a3fec2ec300a42a99042e2bc4c69
SHA256

b6395e0874fac3e85d9a0b5f1a78f9a8dd4550fb27583169f053b356990522f1
SHA512

a0dc326cdfce98d3e58ae95b10a6f67d88f2b4d5fbeac50dc79d8b8c39d40e7e1c01997e327a42db90c84c846432eebf1e8baf0a7da9e0a33db9be70ec3a6bdb
SSDEEP

192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqw6Ur4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLronr4/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EA3E905-D729-488b-BB31-7FFB8293585E}\stubpath = "C:\\Windows\\{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe"	0c679ce72a7db8ead783f1446b4843c0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}\stubpath = "C:\\Windows\\{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe"	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A27A9C4-2ABE-405a-BEE6-809261085481}	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EA3E905-D729-488b-BB31-7FFB8293585E}	0c679ce72a7db8ead783f1446b4843c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C230CDFC-087A-4e77-804E-2B65FEDA7E41}	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C230CDFC-087A-4e77-804E-2B65FEDA7E41}\stubpath = "C:\\Windows\\{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe"	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}\stubpath = "C:\\Windows\\{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}.exe"	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA20F52-BDE1-4986-8332-8051CFFA100E}\stubpath = "C:\\Windows\\{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe"	{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3862676-182F-402b-98B9-EFF67F3675B0}\stubpath = "C:\\Windows\\{F3862676-182F-402b-98B9-EFF67F3675B0}.exe"	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A27A9C4-2ABE-405a-BEE6-809261085481}\stubpath = "C:\\Windows\\{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe"	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEA20F52-BDE1-4986-8332-8051CFFA100E}	{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3862676-182F-402b-98B9-EFF67F3675B0}	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFEA1916-2AE5-4022-90E8-6CAD69307B15}	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CFEA1916-2AE5-4022-90E8-6CAD69307B15}\stubpath = "C:\\Windows\\{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe"	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9282F07B-9086-48c3-8ACD-18CC3CC0A090}	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9282F07B-9086-48c3-8ACD-18CC3CC0A090}\stubpath = "C:\\Windows\\{9282F07B-9086-48c3-8ACD-18CC3CC0A090}.exe"	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe

Executes dropped EXE 8 IoCs

pid	Process
2856	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe
1592	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe
1740	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe
2388	{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}.exe
4312	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe
1624	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe
3808	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe
1844	{9282F07B-9086-48c3-8ACD-18CC3CC0A090}.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}.exe	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe
File created	C:\Windows\{F3862676-182F-402b-98B9-EFF67F3675B0}.exe	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe
File created	C:\Windows\{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe
File created	C:\Windows\{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe
File created	C:\Windows\{9282F07B-9086-48c3-8ACD-18CC3CC0A090}.exe	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe
File created	C:\Windows\{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe	0c679ce72a7db8ead783f1446b4843c0N.exe
File created	C:\Windows\{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe
File created	C:\Windows\{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c679ce72a7db8ead783f1446b4843c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9282F07B-9086-48c3-8ACD-18CC3CC0A090}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	5076	0c679ce72a7db8ead783f1446b4843c0N.exe
Token: SeIncBasePriorityPrivilege	2856	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe
Token: SeIncBasePriorityPrivilege	1592	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe
Token: SeIncBasePriorityPrivilege	1740	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe
Token: SeIncBasePriorityPrivilege	2032	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe
Token: SeIncBasePriorityPrivilege	4312	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe
Token: SeIncBasePriorityPrivilege	1624	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe
Token: SeIncBasePriorityPrivilege	3808	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2856	5076	0c679ce72a7db8ead783f1446b4843c0N.exe	94
PID 5076 wrote to memory of 2856	5076	0c679ce72a7db8ead783f1446b4843c0N.exe	94
PID 5076 wrote to memory of 2856	5076	0c679ce72a7db8ead783f1446b4843c0N.exe	94
PID 5076 wrote to memory of 4744	5076	0c679ce72a7db8ead783f1446b4843c0N.exe	95
PID 5076 wrote to memory of 4744	5076	0c679ce72a7db8ead783f1446b4843c0N.exe	95
PID 5076 wrote to memory of 4744	5076	0c679ce72a7db8ead783f1446b4843c0N.exe	95
PID 2856 wrote to memory of 1592	2856	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe	96
PID 2856 wrote to memory of 1592	2856	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe	96
PID 2856 wrote to memory of 1592	2856	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe	96
PID 2856 wrote to memory of 4328	2856	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe	97
PID 2856 wrote to memory of 4328	2856	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe	97
PID 2856 wrote to memory of 4328	2856	{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe	97
PID 1592 wrote to memory of 1740	1592	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe	101
PID 1592 wrote to memory of 1740	1592	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe	101
PID 1592 wrote to memory of 1740	1592	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe	101
PID 1592 wrote to memory of 2876	1592	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe	102
PID 1592 wrote to memory of 2876	1592	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe	102
PID 1592 wrote to memory of 2876	1592	{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe	102
PID 1740 wrote to memory of 2388	1740	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe	103
PID 1740 wrote to memory of 2388	1740	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe	103
PID 1740 wrote to memory of 2388	1740	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe	103
PID 1740 wrote to memory of 2368	1740	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe	104
PID 1740 wrote to memory of 2368	1740	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe	104
PID 1740 wrote to memory of 2368	1740	{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe	104
PID 2032 wrote to memory of 4312	2032	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe	108
PID 2032 wrote to memory of 4312	2032	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe	108
PID 2032 wrote to memory of 4312	2032	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe	108
PID 2032 wrote to memory of 2108	2032	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe	109
PID 2032 wrote to memory of 2108	2032	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe	109
PID 2032 wrote to memory of 2108	2032	{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe	109
PID 4312 wrote to memory of 1624	4312	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe	110
PID 4312 wrote to memory of 1624	4312	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe	110
PID 4312 wrote to memory of 1624	4312	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe	110
PID 4312 wrote to memory of 2192	4312	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe	111
PID 4312 wrote to memory of 2192	4312	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe	111
PID 4312 wrote to memory of 2192	4312	{F3862676-182F-402b-98B9-EFF67F3675B0}.exe	111
PID 1624 wrote to memory of 3808	1624	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe	112
PID 1624 wrote to memory of 3808	1624	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe	112
PID 1624 wrote to memory of 3808	1624	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe	112
PID 1624 wrote to memory of 4688	1624	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe	113
PID 1624 wrote to memory of 4688	1624	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe	113
PID 1624 wrote to memory of 4688	1624	{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe	113
PID 3808 wrote to memory of 1844	3808	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe	121
PID 3808 wrote to memory of 1844	3808	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe	121
PID 3808 wrote to memory of 1844	3808	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe	121
PID 3808 wrote to memory of 2144	3808	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe	122
PID 3808 wrote to memory of 2144	3808	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe	122
PID 3808 wrote to memory of 2144	3808	{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe	122

C:\Users\Admin\AppData\Local\Temp\0c679ce72a7db8ead783f1446b4843c0N.exe
"C:\Users\Admin\AppData\Local\Temp\0c679ce72a7db8ead783f1446b4843c0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe
  C:\Windows\{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Windows\{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe
    C:\Windows\{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Windows\{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe
      C:\Windows\{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Windows\{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}.exe
        
        C:\Windows\{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2388
      - C:\Windows\{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe
        
        C:\Windows\{AEA20F52-BDE1-4986-8332-8051CFFA100E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\{F3862676-182F-402b-98B9-EFF67F3675B0}.exe
        
        C:\Windows\{F3862676-182F-402b-98B9-EFF67F3675B0}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Windows\{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe
        
        C:\Windows\{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe
        
        C:\Windows\{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\{9282F07B-9086-48c3-8ACD-18CC3CC0A090}.exe
        
        C:\Windows\{9282F07B-9086-48c3-8ACD-18CC3CC0A090}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CFEA1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A27A~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F3862~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEA20~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{959D2~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F909E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C230C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{2EA3E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4328
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0C679C~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A27A9C4-2ABE-405a-BEE6-809261085481}.exe

Filesize
168KB

MD5
7673d74ad700ce2c51967bf2aed2f1c7

SHA1
996d299e9f16f8df909c1aba4da617da0aa1e836

SHA256
e26a066fa2553eff821328f2330204b2e6708ef20ae2ef0442b837076c612c32

SHA512
6f4f8cb231907b5f5aa7d5a489fc8500c47dc85cdd796f41747fa3c812df4e1e4462d1f0d6bf268010daaaf187018cd297a17683de3fa2533a39bf7341766f7f

Download Submit
C:\Windows\{2EA3E905-D729-488b-BB31-7FFB8293585E}.exe

Filesize
168KB

MD5
51bf58aea035d1ff8e23757b45df48e5

SHA1
74366277f0094b24b02dd2ee7b13f1b298244b23

SHA256
bf49183110292e5b3589d105daeb24086c9c27f498a6d0c0e2aecdb1fd925e01

SHA512
16231764b4bc976e3253337cb4894be8b2e9c30d60a0a63ee9ec3b0d16b4af713a63491f196352b6fbfda5b4afb0d6f4f70cd71d21798107ce75e06c09804a08

Download Submit
C:\Windows\{9282F07B-9086-48c3-8ACD-18CC3CC0A090}.exe

Filesize
168KB

MD5
1003552fabe4b872b94e835bedc19873

SHA1
8cc11275c51bf9efd49d89bcae99086423086069

SHA256
e47c737559162b0525689c119d6605eedd42eb8d5bf1f86dcc0cafe6866ef92d

SHA512
385b19a46b8cb36173809e1deb312e201010071ae2fc62612694b018e2339e9dce15b4475ccc0d4359632d55502ae713a1030a38de77e8f1747ed8a6a662b456

Download Submit
C:\Windows\{959D2E75-7FA4-4a9b-9E9B-AD4F457DD451}.exe

Filesize
168KB

MD5
fe0e3442b58a58302cb17c04da3b6452

SHA1
a8db44585b25c8dfb0f2465b8b3ee571ef92be93

SHA256
5f671c857cd1c8e5c1194d244a56a11d72ca02b6e0e07982f92a9f90081c2919

SHA512
a06396d3f2217701352cad8eaf8b8d8e6e7bc8abdab239fc3ced3c60eb9273aafad06618d342d60e4532c736f0bf73473fdd50b69c6b201422288cab55857d41

Download Submit
C:\Windows\{C230CDFC-087A-4e77-804E-2B65FEDA7E41}.exe

Filesize
168KB

MD5
06ae08e535c000b78d1b1b41ebc7ae44

SHA1
bb91aa62fdb880a6345b30ded05f2e6cc106a042

SHA256
83db73605d6c052fb47387a23fc7027bbb9216ca019cdfeb24adf59e7694eae8

SHA512
c52b6fb8dcd6c51aa9c42f5c7169946b6d5f9c8170d30eecc856bb3f14e7199b5ff8a50d59d669ead353b8dd9ab991446b5f70ac769c2ebf0a5117f5e5b76b64

Download Submit
C:\Windows\{CFEA1916-2AE5-4022-90E8-6CAD69307B15}.exe

Filesize
168KB

MD5
b84709778116783345404d991e787ea2

SHA1
ddb7d73672eb0a2e0f0ad186a04d10cf1e164fec

SHA256
04d5b1a3ba0b3807d179da0a42bebf2e270f376ad678954d0222d06637c57848

SHA512
edef2140dd390e88e7cd2c0f94d22adf7257d0d80678c373ad6c2b4ae997a616880c4503df9ee0818e1ebfb442590f6ec83be23a4091641a8672d1dd86b39db1

Download Submit
C:\Windows\{F3862676-182F-402b-98B9-EFF67F3675B0}.exe

Filesize
168KB

MD5
078b2a3e33a32800f3f59bd01eb59fac

SHA1
8e7b5ad42ee1e69f2a9b9a79e825e6ed3cefebae

SHA256
e31aae1db70227170f5165e349739fdbfbf1f43d821a5af4542ca32127770095

SHA512
3bdc57e0c2e4683d18870e5c055d3cd896f39184168c7d613b94d7f53999c347881d3b70de1ba344f5008ca5cec36e9e4fd7efffea6b4152bd516084955b02a1

Download Submit
C:\Windows\{F909E65C-F067-48c2-9AF1-3ACDACF1EE61}.exe

Filesize
168KB

MD5
cbade321cf44c6067ba2f20b88da6e90

SHA1
77c85ea01dc0fc84b06a156e777620d6236a74fa

SHA256
a8bb00cc7d50eaf2c94ee02e4804e19e0c01ffd5f0b121d5e3b091d77d89e5b7

SHA512
1e59015aff5e3a2048df61aa94a225cb1f0f9ba2f80aca0ded6301ea07090c8edd019af7371748daa22fce5f5cb859a2567094c4f0574e083e3ede4b6d6b1c56

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads