185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
Size

60KB
MD5

7ae9dc3fdf7f2d09a7a475d049b16b6b
SHA1

081a1f616d62048116d58e0648b490351a37e857
SHA256

185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8
SHA512

950fca39bad00c6df6af6a358d434e3abbb66281674f4f94f05ef434d6d8e6ab6f20c221a5b505f266005fe7e406b4040d6af2df65714dd593db466c44e23135
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroP4/CFsrdHWMZ:vvw9816vhKQLroP4/wQpWMZ

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}\stubpath = "C:\\Windows\\{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe"	{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A486D962-E00B-4c9a-97B9-B832B426D892}	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6478D120-6DA2-43ad-B744-FEAE8993CD5A}\stubpath = "C:\\Windows\\{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe"	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90D7E54F-9BB5-42db-BA96-804BDCA649FF}\stubpath = "C:\\Windows\\{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe"	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98E2330C-A361-44c5-8744-FB1718DA97F2}\stubpath = "C:\\Windows\\{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe"	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}	{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04AEDFCD-680C-4b36-9797-07FA8AA3662F}\stubpath = "C:\\Windows\\{04AEDFCD-680C-4b36-9797-07FA8AA3662F}.exe"	{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6478D120-6DA2-43ad-B744-FEAE8993CD5A}	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}\stubpath = "C:\\Windows\\{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe"	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98E2330C-A361-44c5-8744-FB1718DA97F2}	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35723A75-2D86-4700-B057-FD3DB32D186A}	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}\stubpath = "C:\\Windows\\{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe"	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BE46E1-8619-497d-8CB7-387B1FFE86DF}\stubpath = "C:\\Windows\\{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe"	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90D7E54F-9BB5-42db-BA96-804BDCA649FF}	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04AEDFCD-680C-4b36-9797-07FA8AA3662F}	{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}\stubpath = "C:\\Windows\\{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe"	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35723A75-2D86-4700-B057-FD3DB32D186A}\stubpath = "C:\\Windows\\{35723A75-2D86-4700-B057-FD3DB32D186A}.exe"	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A486D962-E00B-4c9a-97B9-B832B426D892}\stubpath = "C:\\Windows\\{A486D962-E00B-4c9a-97B9-B832B426D892}.exe"	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56BE46E1-8619-497d-8CB7-387B1FFE86DF}	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}\stubpath = "C:\\Windows\\{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe"	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe

Executes dropped EXE 12 IoCs

pid	Process
4576	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe
1988	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe
3124	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe
832	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe
1228	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe
2080	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe
1476	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe
1552	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe
1172	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe
1980	{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe
3308	{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe
892	{04AEDFCD-680C-4b36-9797-07FA8AA3662F}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe
File created	C:\Windows\{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe
File created	C:\Windows\{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe
File created	C:\Windows\{35723A75-2D86-4700-B057-FD3DB32D186A}.exe	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe
File created	C:\Windows\{A486D962-E00B-4c9a-97B9-B832B426D892}.exe	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
File created	C:\Windows\{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe
File created	C:\Windows\{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe
File created	C:\Windows\{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe
File created	C:\Windows\{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe	{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe
File created	C:\Windows\{04AEDFCD-680C-4b36-9797-07FA8AA3662F}.exe	{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe
File created	C:\Windows\{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe
File created	C:\Windows\{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{04AEDFCD-680C-4b36-9797-07FA8AA3662F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1340	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
Token: SeIncBasePriorityPrivilege	4576	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe
Token: SeIncBasePriorityPrivilege	1988	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe
Token: SeIncBasePriorityPrivilege	3124	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe
Token: SeIncBasePriorityPrivilege	832	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe
Token: SeIncBasePriorityPrivilege	1228	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe
Token: SeIncBasePriorityPrivilege	2080	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe
Token: SeIncBasePriorityPrivilege	1476	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe
Token: SeIncBasePriorityPrivilege	1552	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe
Token: SeIncBasePriorityPrivilege	1172	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe
Token: SeIncBasePriorityPrivilege	1980	{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe
Token: SeIncBasePriorityPrivilege	3308	{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 4576	1340	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	94
PID 1340 wrote to memory of 4576	1340	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	94
PID 1340 wrote to memory of 4576	1340	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	94
PID 1340 wrote to memory of 1552	1340	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	95
PID 1340 wrote to memory of 1552	1340	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	95
PID 1340 wrote to memory of 1552	1340	185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe	95
PID 4576 wrote to memory of 1988	4576	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe	96
PID 4576 wrote to memory of 1988	4576	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe	96
PID 4576 wrote to memory of 1988	4576	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe	96
PID 4576 wrote to memory of 3444	4576	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe	97
PID 4576 wrote to memory of 3444	4576	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe	97
PID 4576 wrote to memory of 3444	4576	{A486D962-E00B-4c9a-97B9-B832B426D892}.exe	97
PID 1988 wrote to memory of 3124	1988	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe	101
PID 1988 wrote to memory of 3124	1988	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe	101
PID 1988 wrote to memory of 3124	1988	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe	101
PID 1988 wrote to memory of 1928	1988	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe	102
PID 1988 wrote to memory of 1928	1988	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe	102
PID 1988 wrote to memory of 1928	1988	{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe	102
PID 3124 wrote to memory of 832	3124	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe	103
PID 3124 wrote to memory of 832	3124	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe	103
PID 3124 wrote to memory of 832	3124	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe	103
PID 3124 wrote to memory of 2896	3124	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe	104
PID 3124 wrote to memory of 2896	3124	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe	104
PID 3124 wrote to memory of 2896	3124	{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe	104
PID 832 wrote to memory of 1228	832	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe	105
PID 832 wrote to memory of 1228	832	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe	105
PID 832 wrote to memory of 1228	832	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe	105
PID 832 wrote to memory of 1940	832	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe	106
PID 832 wrote to memory of 1940	832	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe	106
PID 832 wrote to memory of 1940	832	{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe	106
PID 1228 wrote to memory of 2080	1228	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe	107
PID 1228 wrote to memory of 2080	1228	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe	107
PID 1228 wrote to memory of 2080	1228	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe	107
PID 1228 wrote to memory of 2728	1228	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe	108
PID 1228 wrote to memory of 2728	1228	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe	108
PID 1228 wrote to memory of 2728	1228	{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe	108
PID 2080 wrote to memory of 1476	2080	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe	109
PID 2080 wrote to memory of 1476	2080	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe	109
PID 2080 wrote to memory of 1476	2080	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe	109
PID 2080 wrote to memory of 348	2080	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe	110
PID 2080 wrote to memory of 348	2080	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe	110
PID 2080 wrote to memory of 348	2080	{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe	110
PID 1476 wrote to memory of 1552	1476	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe	111
PID 1476 wrote to memory of 1552	1476	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe	111
PID 1476 wrote to memory of 1552	1476	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe	111
PID 1476 wrote to memory of 1700	1476	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe	112
PID 1476 wrote to memory of 1700	1476	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe	112
PID 1476 wrote to memory of 1700	1476	{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe	112
PID 1552 wrote to memory of 1172	1552	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe	113
PID 1552 wrote to memory of 1172	1552	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe	113
PID 1552 wrote to memory of 1172	1552	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe	113
PID 1552 wrote to memory of 820	1552	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe	114
PID 1552 wrote to memory of 820	1552	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe	114
PID 1552 wrote to memory of 820	1552	{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe	114
PID 1172 wrote to memory of 1980	1172	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe	115
PID 1172 wrote to memory of 1980	1172	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe	115
PID 1172 wrote to memory of 1980	1172	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe	115
PID 1172 wrote to memory of 1648	1172	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe	116
PID 1172 wrote to memory of 1648	1172	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe	116
PID 1172 wrote to memory of 1648	1172	{35723A75-2D86-4700-B057-FD3DB32D186A}.exe	116
PID 1980 wrote to memory of 3308	1980	{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe	117
PID 1980 wrote to memory of 3308	1980	{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe	117
PID 1980 wrote to memory of 3308	1980	{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe	117
PID 1980 wrote to memory of 2136	1980	{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe	118

C:\Users\Admin\AppData\Local\Temp\185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe
"C:\Users\Admin\AppData\Local\Temp\185c560fd281f9c88ac946bca5aae0752897fb852f9d9340a0d3215866eeb3c8.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\{A486D962-E00B-4c9a-97B9-B832B426D892}.exe
  C:\Windows\{A486D962-E00B-4c9a-97B9-B832B426D892}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4576
- - C:\Windows\{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe
    C:\Windows\{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe
      C:\Windows\{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3124
    - - C:\Windows\{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe
        
        C:\Windows\{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:832
      - C:\Windows\{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe
        
        C:\Windows\{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe
        
        C:\Windows\{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe
        
        C:\Windows\{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe
        
        C:\Windows\{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1552
        
        C:\Windows\{35723A75-2D86-4700-B057-FD3DB32D186A}.exe
        
        C:\Windows\{35723A75-2D86-4700-B057-FD3DB32D186A}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe
        
        C:\Windows\{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe
        
        C:\Windows\{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3308
        
        C:\Windows\{04AEDFCD-680C-4b36-9797-07FA8AA3662F}.exe
        
        C:\Windows\{04AEDFCD-680C-4b36-9797-07FA8AA3662F}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2FD45~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F8C3~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35723~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E05E4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98E23~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{072CA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{90D7E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB41E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6478D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{56BE4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A486D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\185C56~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1048,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
1⤵
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04AEDFCD-680C-4b36-9797-07FA8AA3662F}.exe

Filesize
60KB

MD5
a976cbb91ed6127ee06f18ebfaee193e

SHA1
be4fbf040cbe354097186761eb3d2f5d05eff905

SHA256
6af16c86cb122f59accc46bc340260b683b5847a4c44a2a5af473b38ac22c44f

SHA512
06f97c7b8e4cd5d02c5027eebe72e991b9a856e543e163df408c0fe18130adf32fa8f233f3db35d2a6d3b153009198df07d00ab5458c6b6ca93dc5425ba9facf

Download Submit
C:\Windows\{072CA3FB-82E1-4b7f-B904-9E27D2C6DAF5}.exe

Filesize
60KB

MD5
afcfa72e3d6e6bbeab32d617e978e6a9

SHA1
3fe0d02103c10312712274fbd44f8a542e6d3acd

SHA256
8be1e5a2077295803d0ef51d0b9089abdaa192ab396460b14cf106c5ec4fb194

SHA512
980353dbcbae118be39b4e20b4bece21a68dce625ccafbc5d2eed03583015431bbf30733deac86e3905a6f4dd8398f3cf2369b9d040122f605b6d0fe8bfd491a

Download Submit
C:\Windows\{2FD45D09-AA73-470a-92F9-C4BA68AF9B63}.exe

Filesize
60KB

MD5
e01afd1c788700905fc7e2c96bf5a1d4

SHA1
fb53b0c247ca0e4d58484f661b63feb27c374f35

SHA256
5bff3a33b9d596d06b0c91a17bb35fa5d9f972116a285f7d42ce378fa07175d0

SHA512
9f4ec8b0a075b7daa980c845fec1ada2c9a0894bfa7e990d6dbc27208887cc719f4584e270c44f1c0e6d8a749099295a1bd09e39f315bbf07e95325bf7f51014

Download Submit
C:\Windows\{35723A75-2D86-4700-B057-FD3DB32D186A}.exe

Filesize
60KB

MD5
f0a4d52471566dc6ad575801c3f825ce

SHA1
5cbf2b3b30869fc4970132959d56a009979b5f41

SHA256
9fcdd2554de9d691417a01582579273a1ffd38db14ed1bc2c836dbe03a431d93

SHA512
6b734a0b62a90fc6fa856727bf16ff204f728716c063edc3066e5a0e7fa1e27d60f7c5b6c011ad29106cf714b8df0b499f8d15e83f570d2fb74363fb7035d69c

Download Submit
C:\Windows\{56BE46E1-8619-497d-8CB7-387B1FFE86DF}.exe

Filesize
60KB

MD5
066c54a438484be9aafa62f1ded3d703

SHA1
22b861b43d932783ef7412d38048fcfd3bbe24ef

SHA256
d0a1a6e785a1f02446c61609c66d5c86ac40f6e1182c2fb688dcb10e80900069

SHA512
d21bd09d4edeffe9e49b0da942adda36954b180d24ceb9003f01c7de3b2973a8d03d4a424efed7d38b8d11cd804b981e9120a18a0203b80de01528ea6cb9c15c

Download Submit
C:\Windows\{5F8C38CD-F641-4c44-8E6D-5CB1FDB01B03}.exe

Filesize
60KB

MD5
8657d9461eff5eab7e161fc114e2921f

SHA1
84a35c2b3099fa6e1fa1f72d17d90ee44b17589a

SHA256
33476f25f01acc1d0bf7de156e8c3e7230a162002d271606faaed15d41fc7b15

SHA512
2e6063fc063b34995b0c83295ed37a96e52a7d147f50624a4f73b3dc24ea7c3513ff159f8e6d0dc8a59584812cf0d98e0fad20d9bc2adf94303844250e5f32b2

Download Submit
C:\Windows\{6478D120-6DA2-43ad-B744-FEAE8993CD5A}.exe

Filesize
60KB

MD5
0a26ad1f6479212bf3f8a027b4c00a7c

SHA1
51166e8cd62c6c181898632d266faf4a91a25ad3

SHA256
06c0c60f03b13114ce380cb8c2d5c0ffe8372964ffe9c2bfe938f918245aeac9

SHA512
3b0b658f6d53ef9333c6a40c4b9789167af379ba59ae7956246dce44520f8c85d6fced520ad850e7111013159e3194b525f971c7eae2f321607dbeaf4cd69cee

Download Submit
C:\Windows\{90D7E54F-9BB5-42db-BA96-804BDCA649FF}.exe

Filesize
60KB

MD5
c584451a85d4d547fffd00cab3a0d725

SHA1
46090a8af279c68d5233f45acbaf3dd315a0e161

SHA256
d1c1a8d3edcac73cbb06253fc9d813a03d50a5d6f716e4d9c84e4ae317294908

SHA512
424e74f174c345ddc7c02a16a64c635578e5397dd142e5183e4add62a62ca96da9cef0f79b62840a9c9746f9206e1a84e3054b5fffe31b3bb7cec02cff46002d

Download Submit
C:\Windows\{98E2330C-A361-44c5-8744-FB1718DA97F2}.exe

Filesize
60KB

MD5
3bd5a27dcb78230029de2242671c936e

SHA1
5d0f6ce95429191eb2782570445284118e7d3194

SHA256
9833df4f135851f1045d7a0de73f97cf78b9c464e6ffefe375dc1234584cfbd0

SHA512
cf8e7b638aae26d6742c0543962dbb288bc36365a947c1db929c563a722208a7689ba42ffee341e04e7b22e898a0d502ee3c73799a1134580f7238261a83562e

Download Submit
C:\Windows\{A486D962-E00B-4c9a-97B9-B832B426D892}.exe

Filesize
60KB

MD5
c02bd4fa02f608c28d0e847a998734d5

SHA1
1996c6e923b97e57f8f8590a6a6b5837445ebd52

SHA256
709616ecd29adb0eaf70f40f1002ce36a5377dab47ebad26ce1745e715c34cfd

SHA512
93f5742404696d21363689a9d0328938ef9cfcd5628e5a2f2922c4c32018e35db4d8ae7cbe70fac2fbcbf4c84e25ef4b62d0c8e3a0cab0ff1a7f51c59857695a

Download Submit
C:\Windows\{CB41EBD2-3E7E-4385-AA4B-2BA9B0AC201B}.exe

Filesize
60KB

MD5
f6bf7c81bb1a41166ddc12882a3fb5bf

SHA1
ad94783ae7532f715245bb0d549dbda666e58fb4

SHA256
6c9439f95b524974a9aa5d5966a8301432503c12a16d1c8faf33426e1e2f7e49

SHA512
9b5755e0f719ce3767faab63574dd9de458cafefe84ae7f24cf8cb7810202051b8ce7f6ca32a621caf9f26a39e17cfac9820eb782cdded51cf6d5b5f63b9266d

Download Submit
C:\Windows\{E05E4EED-5370-48bb-BBC3-97E4C073FCE0}.exe

Filesize
60KB

MD5
e64f33dbbebf9df2d795e9769bdf3e66

SHA1
2a77bfbe80e7d957eee50dc3b371cb26d6e86b08

SHA256
317f9202749a946d5af1da49195344595c7485c010311322059ac95fa59c4ff9

SHA512
38fca9387bdb570c9f647a448c8c2799277dae8c260b88fb476f5ca2bef8fb063ed02b1e2f0c5be1190b62b959369cf3dad2104502b91f743c983fe4a549ea45

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads