1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 19:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe
Size

64KB
MD5

abc4b320b4ace8a47abf1203df136f72
SHA1

be6b4e48f93102fc7f6d3f5d36e3737b0d5a59ec
SHA256

1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa
SHA512

c65a9a1a15c6587fbe3c66a7b2ce108f7bc885fdd969812675dc13700efdaa2e41fa00bd854775b07dae8a65e7bf587e10cd23ba7b737122fa31d4680ab5585d
SSDEEP

384:ObLwOs8AHsc42MfwhKQLroD4/CFsrdHWMZE:Ovw981EvhKQLroD4/wQpWMZE

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C065C9-C272-4570-A590-2E55C5FCF901}\stubpath = "C:\\Windows\\{02C065C9-C272-4570-A590-2E55C5FCF901}.exe"	{D468D073-D904-45af-9118-459965171FE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}	{02C065C9-C272-4570-A590-2E55C5FCF901}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A48109DE-4ECB-40fa-A7FE-4435E5DA250A}	{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}\stubpath = "C:\\Windows\\{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe"	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}\stubpath = "C:\\Windows\\{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe"	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF77896A-D884-4959-8F7E-6DF490302613}	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF77896A-D884-4959-8F7E-6DF490302613}\stubpath = "C:\\Windows\\{AF77896A-D884-4959-8F7E-6DF490302613}.exe"	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9198D350-E99A-4c08-B51B-86472242120A}	{AF77896A-D884-4959-8F7E-6DF490302613}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D468D073-D904-45af-9118-459965171FE2}\stubpath = "C:\\Windows\\{D468D073-D904-45af-9118-459965171FE2}.exe"	{9198D350-E99A-4c08-B51B-86472242120A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02C065C9-C272-4570-A590-2E55C5FCF901}	{D468D073-D904-45af-9118-459965171FE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}\stubpath = "C:\\Windows\\{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe"	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A8357EC-B43B-4395-BA3B-DE13517EAD37}\stubpath = "C:\\Windows\\{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe"	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A48109DE-4ECB-40fa-A7FE-4435E5DA250A}\stubpath = "C:\\Windows\\{A48109DE-4ECB-40fa-A7FE-4435E5DA250A}.exe"	{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}\stubpath = "C:\\Windows\\{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe"	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D468D073-D904-45af-9118-459965171FE2}	{9198D350-E99A-4c08-B51B-86472242120A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}\stubpath = "C:\\Windows\\{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe"	{02C065C9-C272-4570-A590-2E55C5FCF901}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}\stubpath = "C:\\Windows\\{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe"	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A8357EC-B43B-4395-BA3B-DE13517EAD37}	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9198D350-E99A-4c08-B51B-86472242120A}\stubpath = "C:\\Windows\\{9198D350-E99A-4c08-B51B-86472242120A}.exe"	{AF77896A-D884-4959-8F7E-6DF490302613}.exe

Executes dropped EXE 12 IoCs

pid	Process
1284	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe
3092	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe
1540	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe
4248	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe
1380	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe
1776	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe
4524	{AF77896A-D884-4959-8F7E-6DF490302613}.exe
3404	{9198D350-E99A-4c08-B51B-86472242120A}.exe
3244	{D468D073-D904-45af-9118-459965171FE2}.exe
2004	{02C065C9-C272-4570-A590-2E55C5FCF901}.exe
3572	{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe
4340	{A48109DE-4ECB-40fa-A7FE-4435E5DA250A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe	{02C065C9-C272-4570-A590-2E55C5FCF901}.exe
File created	C:\Windows\{A48109DE-4ECB-40fa-A7FE-4435E5DA250A}.exe	{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe
File created	C:\Windows\{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe
File created	C:\Windows\{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe
File created	C:\Windows\{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe
File created	C:\Windows\{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe
File created	C:\Windows\{02C065C9-C272-4570-A590-2E55C5FCF901}.exe	{D468D073-D904-45af-9118-459965171FE2}.exe
File created	C:\Windows\{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe
File created	C:\Windows\{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe
File created	C:\Windows\{AF77896A-D884-4959-8F7E-6DF490302613}.exe	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe
File created	C:\Windows\{9198D350-E99A-4c08-B51B-86472242120A}.exe	{AF77896A-D884-4959-8F7E-6DF490302613}.exe
File created	C:\Windows\{D468D073-D904-45af-9118-459965171FE2}.exe	{9198D350-E99A-4c08-B51B-86472242120A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D468D073-D904-45af-9118-459965171FE2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{02C065C9-C272-4570-A590-2E55C5FCF901}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A48109DE-4ECB-40fa-A7FE-4435E5DA250A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF77896A-D884-4959-8F7E-6DF490302613}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9198D350-E99A-4c08-B51B-86472242120A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4740	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe
Token: SeIncBasePriorityPrivilege	1284	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe
Token: SeIncBasePriorityPrivilege	3092	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe
Token: SeIncBasePriorityPrivilege	1540	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe
Token: SeIncBasePriorityPrivilege	4248	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe
Token: SeIncBasePriorityPrivilege	1380	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe
Token: SeIncBasePriorityPrivilege	1776	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe
Token: SeIncBasePriorityPrivilege	4524	{AF77896A-D884-4959-8F7E-6DF490302613}.exe
Token: SeIncBasePriorityPrivilege	3404	{9198D350-E99A-4c08-B51B-86472242120A}.exe
Token: SeIncBasePriorityPrivilege	3244	{D468D073-D904-45af-9118-459965171FE2}.exe
Token: SeIncBasePriorityPrivilege	2004	{02C065C9-C272-4570-A590-2E55C5FCF901}.exe
Token: SeIncBasePriorityPrivilege	3572	{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4740 wrote to memory of 1284	4740	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe	92
PID 4740 wrote to memory of 1284	4740	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe	92
PID 4740 wrote to memory of 1284	4740	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe	92
PID 4740 wrote to memory of 4196	4740	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe	93
PID 4740 wrote to memory of 4196	4740	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe	93
PID 4740 wrote to memory of 4196	4740	1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe	93
PID 1284 wrote to memory of 3092	1284	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe	96
PID 1284 wrote to memory of 3092	1284	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe	96
PID 1284 wrote to memory of 3092	1284	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe	96
PID 1284 wrote to memory of 4240	1284	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe	97
PID 1284 wrote to memory of 4240	1284	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe	97
PID 1284 wrote to memory of 4240	1284	{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe	97
PID 3092 wrote to memory of 1540	3092	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe	100
PID 3092 wrote to memory of 1540	3092	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe	100
PID 3092 wrote to memory of 1540	3092	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe	100
PID 3092 wrote to memory of 4852	3092	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe	101
PID 3092 wrote to memory of 4852	3092	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe	101
PID 3092 wrote to memory of 4852	3092	{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe	101
PID 1540 wrote to memory of 4248	1540	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe	109
PID 1540 wrote to memory of 4248	1540	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe	109
PID 1540 wrote to memory of 4248	1540	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe	109
PID 1540 wrote to memory of 1560	1540	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe	110
PID 1540 wrote to memory of 1560	1540	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe	110
PID 1540 wrote to memory of 1560	1540	{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe	110
PID 4248 wrote to memory of 1380	4248	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe	111
PID 4248 wrote to memory of 1380	4248	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe	111
PID 4248 wrote to memory of 1380	4248	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe	111
PID 4248 wrote to memory of 1936	4248	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe	112
PID 4248 wrote to memory of 1936	4248	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe	112
PID 4248 wrote to memory of 1936	4248	{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe	112
PID 1380 wrote to memory of 1776	1380	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe	113
PID 1380 wrote to memory of 1776	1380	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe	113
PID 1380 wrote to memory of 1776	1380	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe	113
PID 1380 wrote to memory of 2840	1380	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe	114
PID 1380 wrote to memory of 2840	1380	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe	114
PID 1380 wrote to memory of 2840	1380	{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe	114
PID 1776 wrote to memory of 4524	1776	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe	116
PID 1776 wrote to memory of 4524	1776	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe	116
PID 1776 wrote to memory of 4524	1776	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe	116
PID 1776 wrote to memory of 1784	1776	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe	117
PID 1776 wrote to memory of 1784	1776	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe	117
PID 1776 wrote to memory of 1784	1776	{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe	117
PID 4524 wrote to memory of 3404	4524	{AF77896A-D884-4959-8F7E-6DF490302613}.exe	118
PID 4524 wrote to memory of 3404	4524	{AF77896A-D884-4959-8F7E-6DF490302613}.exe	118
PID 4524 wrote to memory of 3404	4524	{AF77896A-D884-4959-8F7E-6DF490302613}.exe	118
PID 4524 wrote to memory of 2092	4524	{AF77896A-D884-4959-8F7E-6DF490302613}.exe	119
PID 4524 wrote to memory of 2092	4524	{AF77896A-D884-4959-8F7E-6DF490302613}.exe	119
PID 4524 wrote to memory of 2092	4524	{AF77896A-D884-4959-8F7E-6DF490302613}.exe	119
PID 3404 wrote to memory of 3244	3404	{9198D350-E99A-4c08-B51B-86472242120A}.exe	120
PID 3404 wrote to memory of 3244	3404	{9198D350-E99A-4c08-B51B-86472242120A}.exe	120
PID 3404 wrote to memory of 3244	3404	{9198D350-E99A-4c08-B51B-86472242120A}.exe	120
PID 3404 wrote to memory of 4352	3404	{9198D350-E99A-4c08-B51B-86472242120A}.exe	121
PID 3404 wrote to memory of 4352	3404	{9198D350-E99A-4c08-B51B-86472242120A}.exe	121
PID 3404 wrote to memory of 4352	3404	{9198D350-E99A-4c08-B51B-86472242120A}.exe	121
PID 3244 wrote to memory of 2004	3244	{D468D073-D904-45af-9118-459965171FE2}.exe	122
PID 3244 wrote to memory of 2004	3244	{D468D073-D904-45af-9118-459965171FE2}.exe	122
PID 3244 wrote to memory of 2004	3244	{D468D073-D904-45af-9118-459965171FE2}.exe	122
PID 3244 wrote to memory of 4196	3244	{D468D073-D904-45af-9118-459965171FE2}.exe	123
PID 3244 wrote to memory of 4196	3244	{D468D073-D904-45af-9118-459965171FE2}.exe	123
PID 3244 wrote to memory of 4196	3244	{D468D073-D904-45af-9118-459965171FE2}.exe	123
PID 2004 wrote to memory of 3572	2004	{02C065C9-C272-4570-A590-2E55C5FCF901}.exe	124
PID 2004 wrote to memory of 3572	2004	{02C065C9-C272-4570-A590-2E55C5FCF901}.exe	124
PID 2004 wrote to memory of 3572	2004	{02C065C9-C272-4570-A590-2E55C5FCF901}.exe	124
PID 2004 wrote to memory of 112	2004	{02C065C9-C272-4570-A590-2E55C5FCF901}.exe	125

C:\Users\Admin\AppData\Local\Temp\1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe
"C:\Users\Admin\AppData\Local\Temp\1d8da639ba395d5d46272b38bb70ea12482a47bdaf563e7d59642395eb1944aa.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4740
- C:\Windows\{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe
  C:\Windows\{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe
    C:\Windows\{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3092
  - - C:\Windows\{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe
      C:\Windows\{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Windows\{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe
        
        C:\Windows\{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
      - C:\Windows\{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe
        
        C:\Windows\{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe
        
        C:\Windows\{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1776
        
        C:\Windows\{AF77896A-D884-4959-8F7E-6DF490302613}.exe
        
        C:\Windows\{AF77896A-D884-4959-8F7E-6DF490302613}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\{9198D350-E99A-4c08-B51B-86472242120A}.exe
        
        C:\Windows\{9198D350-E99A-4c08-B51B-86472242120A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\{D468D073-D904-45af-9118-459965171FE2}.exe
        
        C:\Windows\{D468D073-D904-45af-9118-459965171FE2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\{02C065C9-C272-4570-A590-2E55C5FCF901}.exe
        
        C:\Windows\{02C065C9-C272-4570-A590-2E55C5FCF901}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2004
        
        C:\Windows\{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe
        
        C:\Windows\{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3572
        
        C:\Windows\{A48109DE-4ECB-40fa-A7FE-4435E5DA250A}.exe
        
        C:\Windows\{A48109DE-4ECB-40fa-A7FE-4435E5DA250A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4340
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B7CB~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02C06~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D468D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9198D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF778~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF68A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B1D6~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2840
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DA0D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A835~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FBE8A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4852
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{7A00E~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1D8DA6~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02C065C9-C272-4570-A590-2E55C5FCF901}.exe

Filesize
64KB

MD5
3317f05b7e6e07c268d48bfa47d6bd68

SHA1
2d702b7f6fa67d6c1c311d42560eea66421c334f

SHA256
b79396b32e77b3c7de5e25dc394a4770d3aca13e1f342725509a8087f6c8ba38

SHA512
ac39edb25a2b34b40bbe5e0f90fb170eb0f8dbf70eccd1061aaa3b410deb4b993008c91cc42f21b99e6df371f63ee7da23084cdab9f55e45ee6c211ea95ba46f

Download Submit
C:\Windows\{1B7CBC0F-3E57-40bc-9E2E-A497B1D5E7DF}.exe

Filesize
64KB

MD5
99c39aa5a36614d86585259a986d8c53

SHA1
126ccc8b70e15fa1a2a2e3635ed08d88ae1e6951

SHA256
9040a02f100510cb5c624c226b3ea26d3f182119aaa96bd3b50af6667e6c762b

SHA512
25e070c0a9147b6826325092de89eb45f5555ec50d3f72ddaf19808ebee8a7233f17ae0798456d94e2a479f2b78325f8552e430a21e1ea38d394cc62ec68dfed

Download Submit
C:\Windows\{4A8357EC-B43B-4395-BA3B-DE13517EAD37}.exe

Filesize
64KB

MD5
7ba750feea041659e5a5f6221e737e93

SHA1
c97bbc020f00afe2a61f7c2e8561fbcf16b906b4

SHA256
722ee809ac7ea8e9941faf05d7c303d6cbccd03f6ae12da99018e3f0120ff849

SHA512
cfdf84289d1479ca8618ab2d29746462cb00710d889da0daa809608f04a2507e4331446510f9f43f0ec75c5415e1eb094dbd5a8d4905c1db84e1f15ff5f2b43a

Download Submit
C:\Windows\{5B1D63BF-5AAA-4e41-AD6F-4B4BCC9BA4B9}.exe

Filesize
64KB

MD5
29c93bb57625b65f8a919544a609eb7d

SHA1
43974713cea1ad31f2d61c7eae56b6860fe1e439

SHA256
cf8b4459fb98d83ca49862c6a947b637469f56cbe8c7dcfa1123b256729fe4b2

SHA512
34a3fa5eb7f5b852c68d4fe66bf4640c5fe633427754ebda765ccd1b679ac19bac447807490b1d8dd6dbb87d377fd56bbe3b03143a6708be3f6028a84fafdbdb

Download Submit
C:\Windows\{7A00E6AB-50C1-4fbc-8E15-978B74B0028D}.exe

Filesize
64KB

MD5
2a6b9cc1c291301c2cb9a6431ca3ee35

SHA1
b295db1dd79632e4d4c0145f5966e97f585943b4

SHA256
43410eb5610cd4f6432d0b5a5ed637464cea8e6e8586f9f269242482036507f5

SHA512
66fd1ace5b722ea44172600481ae6c411c3c02165c9e5b2a2a98c074759f4361cf8073bd91333000815b4269a9a331ea6a272aac300621724a25a58cae71d5ec

Download Submit
C:\Windows\{8DA0DF7E-C30E-4ca1-8C40-9E4B20CD4C77}.exe

Filesize
64KB

MD5
e8007e652ddb929bf38385452fbb0459

SHA1
009538d8795ea19cb36a9ae37fd4424a9df19339

SHA256
8992089ace2ec73c9eb4c7f6479d19424d243fb5bc18aa19da76be15cb40a055

SHA512
41d3152ceba69f3ea2efaa5d7ea86062cd53ab1eef690991230591d6818e6b20c1262023c3b82db9b2f1a3bba2f77c9264d102c19cace9a37e62393d38c2dded

Download Submit
C:\Windows\{9198D350-E99A-4c08-B51B-86472242120A}.exe

Filesize
64KB

MD5
5dbe071daf627a063c906387ad2db373

SHA1
582e29ad0e5e4ec64a610e2d07a07330d211160d

SHA256
da32904eaaabfcbbd7f20644c3adb5ff2ff1827378bb8c620a1d0546d3d3d08d

SHA512
a891b98ae68ebec835d41651905e45f98b1888ff5fd974cfd5b5cdfa1b6fb8ad03f859c2d1e736c88d18669ec671fde1cc1903fe3b11becd81a53ab13be80550

Download Submit
C:\Windows\{A48109DE-4ECB-40fa-A7FE-4435E5DA250A}.exe

Filesize
64KB

MD5
4a9e93449ed9d27282ecadff7f78a78d

SHA1
a8eaa6a62338ade9051657f86aff5b6e663df392

SHA256
cfffffbd5f7b1188e28aca7fa327c6be97bc428523dcae9d79da2bb6c72a3a71

SHA512
62c8c43f9ff212e6c5aa574cbb7b572208473a90931e591fd3faf05a88bbdc1cf7b734116a2a9dc9fa0afad52fd0e3463fb098244d35eee2e89d01539217937b

Download Submit
C:\Windows\{AF68A448-0D59-4a4b-B3D1-E188BBC9B99E}.exe

Filesize
64KB

MD5
c9ecf101c837799d6df8db20dbbdbe68

SHA1
d899755856b94c1dab80e942590ca5d2e1773e0a

SHA256
f421e04dd45cace9d522632b85afe1d84c788d343243260a23382b1b70479d19

SHA512
af5fa2e30c61887196b4ec37b84f8ac93852ee9be56a225c0b873fb08ae95cca63e7e10a16993a7058a0aadb3f896fc6551e77feae36c836df750e2db1f5c903

Download Submit
C:\Windows\{AF77896A-D884-4959-8F7E-6DF490302613}.exe

Filesize
64KB

MD5
3d520306db648ba3b6bcbfc7bf581252

SHA1
405a576bf0d822ce53a7555a1c652e18329b002f

SHA256
724bfa04edc3f2ef305cf37d53ea3afefa60565b5129c9c0913ff6b32c61bb5e

SHA512
c4d898cda975f8326e62acb3e4b8b5917f230f8a9ec2ab3e7e78501dc02ee95ab15b6f90cdf84cc833f6d866f506ec3f565621dda310f5c120f5e7a78fefe4fa

Download Submit
C:\Windows\{D468D073-D904-45af-9118-459965171FE2}.exe

Filesize
64KB

MD5
c2bcdaf4398c78aff4d596bd3f787fc2

SHA1
f5ba245faea99005d03280283e1e2fc00a4093cd

SHA256
d9250f111e12e2524c018583eea0e2732fadc052f9dcba174b73e00783e911d2

SHA512
753148ce787092720ba5c104295f90806540e2eb146d46d81082b798564f0e754f312e072055f2b7013e3ee15da1803e575c7ac98a80efb22e6a3be8f8cddefc

Download Submit
C:\Windows\{FBE8A7F7-0D62-4d55-9A73-9DFF692D872C}.exe

Filesize
64KB

MD5
8f574c63c7c8059f6ff12b729831a06e

SHA1
609f959c0230d79c23c17e452e24f4528b94d0e3

SHA256
9daca96d0c36d5301c34407f6dc75e9743cfd0da06711c79e9d89b60dbe282bb

SHA512
f541b503a1664896386f3119999d25636f2e717ef438dfc0037644b207d858ef4c795adef6e9bde8ab421d738c10e1911fd43c379279e06b5a2fd58eddda7d12

Download Submit
memory/1284-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1284-4-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1380-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1380-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1540-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1540-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1776-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1776-35-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2004-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2004-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3092-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3092-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3244-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3244-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3404-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3572-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3572-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4248-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4248-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4340-69-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4524-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4524-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4740-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4740-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads