66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8

Analysis

max time kernel
149s
max time network
92s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 22:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe
Size

90KB
MD5

42e2d6db2e515d89ee4c2b8eae045609
SHA1

5bec0ca1c773ce276b9bec3206559eb00e096cff
SHA256

66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8
SHA512

db55b24951e9cb9352482ed2d849a07ba9f6a9805e4dc74271427117341c049fe682c50f1f010a77e929930672f8a3f56470ec7ed76bdce9984b36b6fd69efe8
SSDEEP

768:5vw9816thKQLroL4/wQkNrfrunMxVFA3bA:lEG/0oLlbunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594E413C-0E39-4b2c-830B-DD07AE8829B9}	{BE18FA03-A307-4a64-8823-106278B27E87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}\stubpath = "C:\\Windows\\{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe"	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F828D3A-4385-4655-A083-E4CB31C6FBF6}\stubpath = "C:\\Windows\\{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe"	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B1F1518-50C6-4381-8F3C-7D10805F95C2}\stubpath = "C:\\Windows\\{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe"	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B084C92-B336-4d35-BDB7-779505564557}	{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4F3069B-34D2-435e-B95F-227C3D332963}\stubpath = "C:\\Windows\\{F4F3069B-34D2-435e-B95F-227C3D332963}.exe"	{2B084C92-B336-4d35-BDB7-779505564557}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFB57254-D280-40c1-AB06-248771D2354A}\stubpath = "C:\\Windows\\{EFB57254-D280-40c1-AB06-248771D2354A}.exe"	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4931F24D-2752-4097-96D9-2CAF50636E77}	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}\stubpath = "C:\\Windows\\{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe"	{EFB57254-D280-40c1-AB06-248771D2354A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FACDE89-C848-4edc-9891-390A2DE44AA2}	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE18FA03-A307-4a64-8823-106278B27E87}\stubpath = "C:\\Windows\\{BE18FA03-A307-4a64-8823-106278B27E87}.exe"	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EFB57254-D280-40c1-AB06-248771D2354A}	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}	{EFB57254-D280-40c1-AB06-248771D2354A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4F3069B-34D2-435e-B95F-227C3D332963}	{2B084C92-B336-4d35-BDB7-779505564557}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE18FA03-A307-4a64-8823-106278B27E87}	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{594E413C-0E39-4b2c-830B-DD07AE8829B9}\stubpath = "C:\\Windows\\{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe"	{BE18FA03-A307-4a64-8823-106278B27E87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F828D3A-4385-4655-A083-E4CB31C6FBF6}	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B1F1518-50C6-4381-8F3C-7D10805F95C2}	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7830C3C-4347-44ad-91AA-781158BD9BF7}	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4931F24D-2752-4097-96D9-2CAF50636E77}\stubpath = "C:\\Windows\\{4931F24D-2752-4097-96D9-2CAF50636E77}.exe"	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4FACDE89-C848-4edc-9891-390A2DE44AA2}\stubpath = "C:\\Windows\\{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe"	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7830C3C-4347-44ad-91AA-781158BD9BF7}\stubpath = "C:\\Windows\\{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe"	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B084C92-B336-4d35-BDB7-779505564557}\stubpath = "C:\\Windows\\{2B084C92-B336-4d35-BDB7-779505564557}.exe"	{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe

Executes dropped EXE 12 IoCs

pid	Process
4456	{EFB57254-D280-40c1-AB06-248771D2354A}.exe
2756	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe
2360	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe
2052	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe
1716	{BE18FA03-A307-4a64-8823-106278B27E87}.exe
1700	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe
3340	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe
1428	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe
4504	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe
1496	{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe
1640	{2B084C92-B336-4d35-BDB7-779505564557}.exe
4452	{F4F3069B-34D2-435e-B95F-227C3D332963}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EFB57254-D280-40c1-AB06-248771D2354A}.exe	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe
File created	C:\Windows\{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe	{EFB57254-D280-40c1-AB06-248771D2354A}.exe
File created	C:\Windows\{4931F24D-2752-4097-96D9-2CAF50636E77}.exe	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe
File created	C:\Windows\{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe	{BE18FA03-A307-4a64-8823-106278B27E87}.exe
File created	C:\Windows\{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe
File created	C:\Windows\{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe
File created	C:\Windows\{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe
File created	C:\Windows\{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe
File created	C:\Windows\{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe
File created	C:\Windows\{BE18FA03-A307-4a64-8823-106278B27E87}.exe	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe
File created	C:\Windows\{2B084C92-B336-4d35-BDB7-779505564557}.exe	{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe
File created	C:\Windows\{F4F3069B-34D2-435e-B95F-227C3D332963}.exe	{2B084C92-B336-4d35-BDB7-779505564557}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE18FA03-A307-4a64-8823-106278B27E87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EFB57254-D280-40c1-AB06-248771D2354A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4F3069B-34D2-435e-B95F-227C3D332963}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2B084C92-B336-4d35-BDB7-779505564557}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3192	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe
Token: SeIncBasePriorityPrivilege	4456	{EFB57254-D280-40c1-AB06-248771D2354A}.exe
Token: SeIncBasePriorityPrivilege	2756	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe
Token: SeIncBasePriorityPrivilege	2360	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe
Token: SeIncBasePriorityPrivilege	2052	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe
Token: SeIncBasePriorityPrivilege	1716	{BE18FA03-A307-4a64-8823-106278B27E87}.exe
Token: SeIncBasePriorityPrivilege	1700	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe
Token: SeIncBasePriorityPrivilege	3340	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe
Token: SeIncBasePriorityPrivilege	1428	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe
Token: SeIncBasePriorityPrivilege	4504	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe
Token: SeIncBasePriorityPrivilege	1496	{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe
Token: SeIncBasePriorityPrivilege	1640	{2B084C92-B336-4d35-BDB7-779505564557}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4456	3192	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe	88
PID 3192 wrote to memory of 4456	3192	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe	88
PID 3192 wrote to memory of 4456	3192	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe	88
PID 3192 wrote to memory of 1804	3192	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe	89
PID 3192 wrote to memory of 1804	3192	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe	89
PID 3192 wrote to memory of 1804	3192	66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe	89
PID 4456 wrote to memory of 2756	4456	{EFB57254-D280-40c1-AB06-248771D2354A}.exe	90
PID 4456 wrote to memory of 2756	4456	{EFB57254-D280-40c1-AB06-248771D2354A}.exe	90
PID 4456 wrote to memory of 2756	4456	{EFB57254-D280-40c1-AB06-248771D2354A}.exe	90
PID 4456 wrote to memory of 4088	4456	{EFB57254-D280-40c1-AB06-248771D2354A}.exe	91
PID 4456 wrote to memory of 4088	4456	{EFB57254-D280-40c1-AB06-248771D2354A}.exe	91
PID 4456 wrote to memory of 4088	4456	{EFB57254-D280-40c1-AB06-248771D2354A}.exe	91
PID 2756 wrote to memory of 2360	2756	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe	95
PID 2756 wrote to memory of 2360	2756	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe	95
PID 2756 wrote to memory of 2360	2756	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe	95
PID 2756 wrote to memory of 3240	2756	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe	96
PID 2756 wrote to memory of 3240	2756	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe	96
PID 2756 wrote to memory of 3240	2756	{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe	96
PID 2360 wrote to memory of 2052	2360	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe	97
PID 2360 wrote to memory of 2052	2360	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe	97
PID 2360 wrote to memory of 2052	2360	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe	97
PID 2360 wrote to memory of 4992	2360	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe	98
PID 2360 wrote to memory of 4992	2360	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe	98
PID 2360 wrote to memory of 4992	2360	{4931F24D-2752-4097-96D9-2CAF50636E77}.exe	98
PID 2052 wrote to memory of 1716	2052	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe	99
PID 2052 wrote to memory of 1716	2052	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe	99
PID 2052 wrote to memory of 1716	2052	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe	99
PID 2052 wrote to memory of 4048	2052	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe	100
PID 2052 wrote to memory of 4048	2052	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe	100
PID 2052 wrote to memory of 4048	2052	{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe	100
PID 1716 wrote to memory of 1700	1716	{BE18FA03-A307-4a64-8823-106278B27E87}.exe	101
PID 1716 wrote to memory of 1700	1716	{BE18FA03-A307-4a64-8823-106278B27E87}.exe	101
PID 1716 wrote to memory of 1700	1716	{BE18FA03-A307-4a64-8823-106278B27E87}.exe	101
PID 1716 wrote to memory of 2244	1716	{BE18FA03-A307-4a64-8823-106278B27E87}.exe	102
PID 1716 wrote to memory of 2244	1716	{BE18FA03-A307-4a64-8823-106278B27E87}.exe	102
PID 1716 wrote to memory of 2244	1716	{BE18FA03-A307-4a64-8823-106278B27E87}.exe	102
PID 1700 wrote to memory of 3340	1700	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe	103
PID 1700 wrote to memory of 3340	1700	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe	103
PID 1700 wrote to memory of 3340	1700	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe	103
PID 1700 wrote to memory of 1472	1700	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe	104
PID 1700 wrote to memory of 1472	1700	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe	104
PID 1700 wrote to memory of 1472	1700	{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe	104
PID 3340 wrote to memory of 1428	3340	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe	105
PID 3340 wrote to memory of 1428	3340	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe	105
PID 3340 wrote to memory of 1428	3340	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe	105
PID 3340 wrote to memory of 2648	3340	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe	106
PID 3340 wrote to memory of 2648	3340	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe	106
PID 3340 wrote to memory of 2648	3340	{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe	106
PID 1428 wrote to memory of 4504	1428	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe	107
PID 1428 wrote to memory of 4504	1428	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe	107
PID 1428 wrote to memory of 4504	1428	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe	107
PID 1428 wrote to memory of 4708	1428	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe	108
PID 1428 wrote to memory of 4708	1428	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe	108
PID 1428 wrote to memory of 4708	1428	{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe	108
PID 4504 wrote to memory of 1496	4504	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe	109
PID 4504 wrote to memory of 1496	4504	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe	109
PID 4504 wrote to memory of 1496	4504	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe	109
PID 4504 wrote to memory of 1204	4504	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe	110
PID 4504 wrote to memory of 1204	4504	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe	110
PID 4504 wrote to memory of 1204	4504	{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe	110
PID 1496 wrote to memory of 1640	1496	{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe	111
PID 1496 wrote to memory of 1640	1496	{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe	111
PID 1496 wrote to memory of 1640	1496	{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe	111
PID 1496 wrote to memory of 2364	1496	{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe	112

C:\Users\Admin\AppData\Local\Temp\66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe
"C:\Users\Admin\AppData\Local\Temp\66be1734daa3da969d53d0f05df760349328ec3f4d167bc86df31a4279b4f5e8.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\{EFB57254-D280-40c1-AB06-248771D2354A}.exe
  C:\Windows\{EFB57254-D280-40c1-AB06-248771D2354A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Windows\{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe
    C:\Windows\{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{4931F24D-2752-4097-96D9-2CAF50636E77}.exe
      C:\Windows\{4931F24D-2752-4097-96D9-2CAF50636E77}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe
        
        C:\Windows\{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
      - C:\Windows\{BE18FA03-A307-4a64-8823-106278B27E87}.exe
        
        C:\Windows\{BE18FA03-A307-4a64-8823-106278B27E87}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe
        
        C:\Windows\{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1700
        
        C:\Windows\{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe
        
        C:\Windows\{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3340
        
        C:\Windows\{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe
        
        C:\Windows\{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1428
        
        C:\Windows\{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe
        
        C:\Windows\{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe
        
        C:\Windows\{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1496
        
        C:\Windows\{2B084C92-B336-4d35-BDB7-779505564557}.exe
        
        C:\Windows\{2B084C92-B336-4d35-BDB7-779505564557}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
        
        C:\Windows\{F4F3069B-34D2-435e-B95F-227C3D332963}.exe
        
        C:\Windows\{F4F3069B-34D2-435e-B95F-227C3D332963}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B084~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7830~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B1F1~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F828~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F96C~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{594E4~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE18F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4FACD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4931F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{02AEC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EFB57~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4088
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\66BE17~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{02AECF48-14C6-4cb7-A034-B5FB4DAF6099}.exe

Filesize
90KB

MD5
55686c933a2503b0c90a1e9490a39a79

SHA1
69ba1ba41564744b5533ae169c430b6581b4f5fe

SHA256
7183cd0f6b4a94c5ff3f0d08a5af191a2184b1e00a8112724e267c6f8c4bd63a

SHA512
70687144fe01872527b8bc15a4bc2838eef840fdc8cddf950d6fb2ab53f50be4c9aea83c62132ca9674ca07c4cc8086d3d69fcdcf9b34d43c84b2abb88243a9a

Download Submit
C:\Windows\{0F828D3A-4385-4655-A083-E4CB31C6FBF6}.exe

Filesize
90KB

MD5
f74d19cd0d68ce12c5627698b67d5b1c

SHA1
83b7d5d21ff701b503a36bdd210c3fd9c1a9d11f

SHA256
c262b695d85899178fba9f11441ab88f2aa1edcdf290660ba9d4709904513be7

SHA512
5a0367a41bff5dabd26a9610e6158d17a1f45904e87a01b2fe7a58102e7ea508fdf6c5e1300292174fae9aa1bc2336f582e67c63d820ab6af353402ef892cdf0

Download Submit
C:\Windows\{2B084C92-B336-4d35-BDB7-779505564557}.exe

Filesize
90KB

MD5
01b01e9824e9c3d931345ae4cb1990e1

SHA1
b43e04c72af3bcdfa2d037d2f41d9ce6543d0a98

SHA256
ac431866ddffc39fe19ac00d9f751d4b8eeee6ab4902c76423fe8e9f00760919

SHA512
cff8d6647c32766877e89f720a744639ea7d7b774d8819279e8b6cb04c44f10cce0a93103be5a2b1584743c65d73d908c1989557a801fd29a037d90a3d0908f8

Download Submit
C:\Windows\{4931F24D-2752-4097-96D9-2CAF50636E77}.exe

Filesize
90KB

MD5
32add19be0ccef2a9c5cbe0a013703c8

SHA1
2f8fc478d618452892d54a20465558661a2e64cc

SHA256
305950ba971be46c74829c8cee8567d500211cabbf362f30770fc9075829c72e

SHA512
8f9a44338533362d781d72928e0e77142989e48733242376b97a7954d00241f440b28cd62d8df11af9d78717578a89ac21cf03e7627f1207426e5100e876c1b0

Download Submit
C:\Windows\{4FACDE89-C848-4edc-9891-390A2DE44AA2}.exe

Filesize
90KB

MD5
ced8f8fdc1605718ea3d6ba3c4354df1

SHA1
d41d1353f500b2d55affd49b06c841afe5598e97

SHA256
8ca61a1d43ed3b373c93c9ff86a293cf17c655882b8385e6a26d2f1a3bed8579

SHA512
0b23138c2d980c6fcaf32f0331b4f0d9c34222f3ed55ad8c87de63972406a463920094cc8c2053292405781a7602a16245c39260e27c672c60d433801dac48c5

Download Submit
C:\Windows\{594E413C-0E39-4b2c-830B-DD07AE8829B9}.exe

Filesize
90KB

MD5
2aff4d41e6dd28ecebd4388c0f557fb1

SHA1
706f67db8ed9266a4ea6d81d5c37ae8c5ca6d803

SHA256
eb2e3fa5c35a4016095d753b8c06155249f80eeb772953aa27e5a9edee6a6490

SHA512
b3e351250ba74750e1ffac88b9d96a99de6056b51b165821090fcaa9fcd05cae3a1ed9b6e1049b751e20aaa91a299cf2229700b96fb525624f7d4e305565aa1f

Download Submit
C:\Windows\{6F96CBC4-C2A4-45b1-9E14-1363DF9E1ED0}.exe

Filesize
90KB

MD5
ab66572dcee256315412568fedddbe07

SHA1
627ae4cf086f76b705cc19896340713d6a52080a

SHA256
c7438d88b3e99099f3a1f639eb24d9a3c0dba4dca13bc27f89a775a76ef43497

SHA512
9f971161a787a560ae46984b6c96d09fc59b1faa82e5680860cefea42c1b08ddc86870afe67cc32ed9241edcee1b92039f71ba5c94b5b2121b8278a994dcab51

Download Submit
C:\Windows\{8B1F1518-50C6-4381-8F3C-7D10805F95C2}.exe

Filesize
90KB

MD5
4e4b3b32bf0a43d398edb70886129d67

SHA1
f3bb467f2ca09f09ea84513bfbd95443a87614f5

SHA256
8e3a63e3ea24575b6831aaa75151a172d394f2a17ddd9f20dfbfa19c3ab73295

SHA512
a3864b07a8e6659190bd1cdba2fb088954b7b0485afc8fb85bd7faaf82e6b091ee88170b1a664a038303be3a8d3a67251274ca2f1e937dc663b2501b1b45f1b1

Download Submit
C:\Windows\{BE18FA03-A307-4a64-8823-106278B27E87}.exe

Filesize
90KB

MD5
7debbc48f74074e31e9e8bd41507285b

SHA1
09ac47ec53606c1a4e0551621c866843ff9c65c9

SHA256
655c22ee973ea623afd8d0db2c277569dba3e898bc7b740e48e9daf6788f33a5

SHA512
5d2310e0c40c0fff01d07025eaee801802cac5985783784b5d0a9d9625a3633c31550fa4b50f40c5a4bb1b446cf8dbe2bf4d2d57b28f74afd4499037533d5e3a

Download Submit
C:\Windows\{EFB57254-D280-40c1-AB06-248771D2354A}.exe

Filesize
90KB

MD5
f03c5635d3db2c7f44a0ec5c1f76629f

SHA1
a2e7efae53e99f9413ffa9914c193829c80813f0

SHA256
6aa71dff52e846feb1f0202d3b3b67609e76de81d32e55dea4a3c90aa5a14033

SHA512
0113088b53c18268c840e2f10f9725e7e9ac45da70a739714e1889e00a754b0c64181149d4ad24754a1f79c42e777ee087b3ae528f50efcc9e5adf8c6b355274

Download Submit
C:\Windows\{F4F3069B-34D2-435e-B95F-227C3D332963}.exe

Filesize
90KB

MD5
ff91b654eefbb7f32cd1ccfefb59ccf3

SHA1
3535d12d0dd3cb239ff9cfa0aadbe0274c5b9a7b

SHA256
c310991180bb0b811e531a80a68baef73d95da34abe53f1792cd6cc90b42c967

SHA512
b32e169a0023ffc547c419e90d83c1c46e29fb81fe0699850d8376ae069ae2ef1fbd6a51785516f037ff1a46d6026a39bebace70911cf99eaaac488f67c9b769

Download Submit
C:\Windows\{F7830C3C-4347-44ad-91AA-781158BD9BF7}.exe

Filesize
90KB

MD5
674566ac5bd297cd9ada0cc17378161c

SHA1
c25d169984899ecffc056704554e7918659202ca

SHA256
0be03cfd2964cf1e7a01e7666ea68ce0eb4980c5b2c9eb63f00b3830dab9a3ef

SHA512
eb2eb39b018850cd573eab30c871ab26392825e3962cbedac4aa53dafdc2d1ec568b167d6f0143a806d38552e55b42faf666f2bc3d4b65484953ff2efe350b4e

Download Submit
memory/1428-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1428-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1496-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1496-63-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1640-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1640-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1700-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1700-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1716-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2052-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2052-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2360-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2360-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2756-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2756-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3192-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3192-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3340-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4452-69-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4456-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4456-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4504-51-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4504-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads