92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe
Size

80KB
MD5

f31ce28c80ba0a9c9e2134dc93b853d6
SHA1

e368fb95e9c0ee10d9dcebde39a86e47c94a50e8
SHA256

92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844
SHA512

f540cd3f52c2e1253585f9e625655d051fe78bca257abd946af9d273435d3c14163f37d6f8acd2677f0a2eb61b7bf9838b318874368f83edb183eb2c1b84af5e
SSDEEP

384:vbLwOs8AHsc4sMfwhKQLroT4/CFsrdOI1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOV:vvw9816vhKQLroT4/wQRNrfrunMxVFAi

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}	{94647E6E-B844-499c-8675-C8915F07E479}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4821739-2212-410a-942D-9017B39D5ABA}	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7270472C-621A-47b5-90AD-7D71181B529B}\stubpath = "C:\\Windows\\{7270472C-621A-47b5-90AD-7D71181B529B}.exe"	{F4821739-2212-410a-942D-9017B39D5ABA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DF4DEC1-672C-4e7b-8F08-6677D2957D58}	{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00022C7F-3CAE-425c-96C5-03DECC5190A7}	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9A2C454-E3EC-4083-9ED9-3A292B44520C}\stubpath = "C:\\Windows\\{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe"	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}	{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}\stubpath = "C:\\Windows\\{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe"	{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DF4DEC1-672C-4e7b-8F08-6677D2957D58}\stubpath = "C:\\Windows\\{1DF4DEC1-672C-4e7b-8F08-6677D2957D58}.exe"	{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9A2C454-E3EC-4083-9ED9-3A292B44520C}	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F4821739-2212-410a-942D-9017B39D5ABA}\stubpath = "C:\\Windows\\{F4821739-2212-410a-942D-9017B39D5ABA}.exe"	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7270472C-621A-47b5-90AD-7D71181B529B}	{F4821739-2212-410a-942D-9017B39D5ABA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}\stubpath = "C:\\Windows\\{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe"	{7270472C-621A-47b5-90AD-7D71181B529B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94647E6E-B844-499c-8675-C8915F07E479}\stubpath = "C:\\Windows\\{94647E6E-B844-499c-8675-C8915F07E479}.exe"	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}\stubpath = "C:\\Windows\\{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe"	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}\stubpath = "C:\\Windows\\{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe"	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{398AA43B-0E51-48e5-9CED-1CA57E63D730}	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{398AA43B-0E51-48e5-9CED-1CA57E63D730}\stubpath = "C:\\Windows\\{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe"	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94647E6E-B844-499c-8675-C8915F07E479}	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}\stubpath = "C:\\Windows\\{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe"	{94647E6E-B844-499c-8675-C8915F07E479}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}	{7270472C-621A-47b5-90AD-7D71181B529B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00022C7F-3CAE-425c-96C5-03DECC5190A7}\stubpath = "C:\\Windows\\{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe"	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe

Executes dropped EXE 12 IoCs

pid	Process
1248	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe
3684	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe
2460	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe
628	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe
3880	{94647E6E-B844-499c-8675-C8915F07E479}.exe
32	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe
1940	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe
3872	{F4821739-2212-410a-942D-9017B39D5ABA}.exe
4924	{7270472C-621A-47b5-90AD-7D71181B529B}.exe
2052	{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe
4740	{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe
3684	{1DF4DEC1-672C-4e7b-8F08-6677D2957D58}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe
File created	C:\Windows\{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe
File created	C:\Windows\{94647E6E-B844-499c-8675-C8915F07E479}.exe	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe
File created	C:\Windows\{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe
File created	C:\Windows\{1DF4DEC1-672C-4e7b-8F08-6677D2957D58}.exe	{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe
File created	C:\Windows\{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe	{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe
File created	C:\Windows\{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe
File created	C:\Windows\{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe
File created	C:\Windows\{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe	{94647E6E-B844-499c-8675-C8915F07E479}.exe
File created	C:\Windows\{F4821739-2212-410a-942D-9017B39D5ABA}.exe	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe
File created	C:\Windows\{7270472C-621A-47b5-90AD-7D71181B529B}.exe	{F4821739-2212-410a-942D-9017B39D5ABA}.exe
File created	C:\Windows\{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe	{7270472C-621A-47b5-90AD-7D71181B529B}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94647E6E-B844-499c-8675-C8915F07E479}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F4821739-2212-410a-942D-9017B39D5ABA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7270472C-621A-47b5-90AD-7D71181B529B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1DF4DEC1-672C-4e7b-8F08-6677D2957D58}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1100	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe
Token: SeIncBasePriorityPrivilege	1248	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe
Token: SeIncBasePriorityPrivilege	3684	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe
Token: SeIncBasePriorityPrivilege	2460	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe
Token: SeIncBasePriorityPrivilege	628	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe
Token: SeIncBasePriorityPrivilege	3880	{94647E6E-B844-499c-8675-C8915F07E479}.exe
Token: SeIncBasePriorityPrivilege	32	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe
Token: SeIncBasePriorityPrivilege	1940	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe
Token: SeIncBasePriorityPrivilege	3872	{F4821739-2212-410a-942D-9017B39D5ABA}.exe
Token: SeIncBasePriorityPrivilege	4924	{7270472C-621A-47b5-90AD-7D71181B529B}.exe
Token: SeIncBasePriorityPrivilege	2052	{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe
Token: SeIncBasePriorityPrivilege	4740	{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1248	1100	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe	94
PID 1100 wrote to memory of 1248	1100	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe	94
PID 1100 wrote to memory of 1248	1100	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe	94
PID 1100 wrote to memory of 2016	1100	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe	95
PID 1100 wrote to memory of 2016	1100	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe	95
PID 1100 wrote to memory of 2016	1100	92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe	95
PID 1248 wrote to memory of 3684	1248	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe	96
PID 1248 wrote to memory of 3684	1248	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe	96
PID 1248 wrote to memory of 3684	1248	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe	96
PID 1248 wrote to memory of 4144	1248	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe	97
PID 1248 wrote to memory of 4144	1248	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe	97
PID 1248 wrote to memory of 4144	1248	{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe	97
PID 3684 wrote to memory of 2460	3684	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe	102
PID 3684 wrote to memory of 2460	3684	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe	102
PID 3684 wrote to memory of 2460	3684	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe	102
PID 3684 wrote to memory of 4948	3684	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe	103
PID 3684 wrote to memory of 4948	3684	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe	103
PID 3684 wrote to memory of 4948	3684	{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe	103
PID 2460 wrote to memory of 628	2460	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe	104
PID 2460 wrote to memory of 628	2460	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe	104
PID 2460 wrote to memory of 628	2460	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe	104
PID 2460 wrote to memory of 2064	2460	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe	105
PID 2460 wrote to memory of 2064	2460	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe	105
PID 2460 wrote to memory of 2064	2460	{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe	105
PID 628 wrote to memory of 3880	628	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe	107
PID 628 wrote to memory of 3880	628	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe	107
PID 628 wrote to memory of 3880	628	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe	107
PID 628 wrote to memory of 4872	628	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe	108
PID 628 wrote to memory of 4872	628	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe	108
PID 628 wrote to memory of 4872	628	{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe	108
PID 3880 wrote to memory of 32	3880	{94647E6E-B844-499c-8675-C8915F07E479}.exe	109
PID 3880 wrote to memory of 32	3880	{94647E6E-B844-499c-8675-C8915F07E479}.exe	109
PID 3880 wrote to memory of 32	3880	{94647E6E-B844-499c-8675-C8915F07E479}.exe	109
PID 3880 wrote to memory of 4040	3880	{94647E6E-B844-499c-8675-C8915F07E479}.exe	110
PID 3880 wrote to memory of 4040	3880	{94647E6E-B844-499c-8675-C8915F07E479}.exe	110
PID 3880 wrote to memory of 4040	3880	{94647E6E-B844-499c-8675-C8915F07E479}.exe	110
PID 32 wrote to memory of 1940	32	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe	111
PID 32 wrote to memory of 1940	32	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe	111
PID 32 wrote to memory of 1940	32	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe	111
PID 32 wrote to memory of 3732	32	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe	112
PID 32 wrote to memory of 3732	32	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe	112
PID 32 wrote to memory of 3732	32	{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe	112
PID 1940 wrote to memory of 3872	1940	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe	113
PID 1940 wrote to memory of 3872	1940	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe	113
PID 1940 wrote to memory of 3872	1940	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe	113
PID 1940 wrote to memory of 3144	1940	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe	114
PID 1940 wrote to memory of 3144	1940	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe	114
PID 1940 wrote to memory of 3144	1940	{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe	114
PID 3872 wrote to memory of 4924	3872	{F4821739-2212-410a-942D-9017B39D5ABA}.exe	115
PID 3872 wrote to memory of 4924	3872	{F4821739-2212-410a-942D-9017B39D5ABA}.exe	115
PID 3872 wrote to memory of 4924	3872	{F4821739-2212-410a-942D-9017B39D5ABA}.exe	115
PID 3872 wrote to memory of 1260	3872	{F4821739-2212-410a-942D-9017B39D5ABA}.exe	116
PID 3872 wrote to memory of 1260	3872	{F4821739-2212-410a-942D-9017B39D5ABA}.exe	116
PID 3872 wrote to memory of 1260	3872	{F4821739-2212-410a-942D-9017B39D5ABA}.exe	116
PID 4924 wrote to memory of 2052	4924	{7270472C-621A-47b5-90AD-7D71181B529B}.exe	117
PID 4924 wrote to memory of 2052	4924	{7270472C-621A-47b5-90AD-7D71181B529B}.exe	117
PID 4924 wrote to memory of 2052	4924	{7270472C-621A-47b5-90AD-7D71181B529B}.exe	117
PID 4924 wrote to memory of 208	4924	{7270472C-621A-47b5-90AD-7D71181B529B}.exe	118
PID 4924 wrote to memory of 208	4924	{7270472C-621A-47b5-90AD-7D71181B529B}.exe	118
PID 4924 wrote to memory of 208	4924	{7270472C-621A-47b5-90AD-7D71181B529B}.exe	118
PID 2052 wrote to memory of 4740	2052	{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe	119
PID 2052 wrote to memory of 4740	2052	{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe	119
PID 2052 wrote to memory of 4740	2052	{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe	119
PID 2052 wrote to memory of 3568	2052	{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe	120

C:\Users\Admin\AppData\Local\Temp\92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe
"C:\Users\Admin\AppData\Local\Temp\92df5546dab16c11370bc26d62fffad8d1cac74e9be00ea4a853b0c00cf7f844.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Windows\{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe
  C:\Windows\{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe
    C:\Windows\{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3684
  - - C:\Windows\{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe
      C:\Windows\{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2460
    - - C:\Windows\{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe
        
        C:\Windows\{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Windows\{94647E6E-B844-499c-8675-C8915F07E479}.exe
        
        C:\Windows\{94647E6E-B844-499c-8675-C8915F07E479}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3880
        
        C:\Windows\{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe
        
        C:\Windows\{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:32
        
        C:\Windows\{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe
        
        C:\Windows\{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\{F4821739-2212-410a-942D-9017B39D5ABA}.exe
        
        C:\Windows\{F4821739-2212-410a-942D-9017B39D5ABA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3872
        
        C:\Windows\{7270472C-621A-47b5-90AD-7D71181B529B}.exe
        
        C:\Windows\{7270472C-621A-47b5-90AD-7D71181B529B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe
        
        C:\Windows\{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe
        
        C:\Windows\{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4740
        
        C:\Windows\{1DF4DEC1-672C-4e7b-8F08-6677D2957D58}.exe
        
        C:\Windows\{1DF4DEC1-672C-4e7b-8F08-6677D2957D58}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3CDF7~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{231CC~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72704~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:208
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F4821~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4ABDB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2A013~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{94647~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4040
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{398AA~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4872
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BF1C1~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9A2C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4948
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{00022~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\92DF55~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1284,i,11251706013556949551,5157034131170452377,262144 --variations-seed-version --mojo-platform-channel-handle=3032 /prefetch:8
1⤵
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00022C7F-3CAE-425c-96C5-03DECC5190A7}.exe

Filesize
80KB

MD5
d77b8cfb77436d2960b3665abb55fe13

SHA1
318255321db02c217cc46bbeea19d039ddcc14f5

SHA256
09b6f839204316aee9bbaa391509fd98c85f82e028d2c5f29911ee6fcc900f5a

SHA512
bf957d76ea08f9e06a3789ae583a9e4cbdd1a065a8e4e93c5b8ac74f644e18e12f2c37394e5c8bfde065c951d3288b5f45be28764701991ef43ab38a376103b0

Download Submit
C:\Windows\{1DF4DEC1-672C-4e7b-8F08-6677D2957D58}.exe

Filesize
80KB

MD5
4b608e733b7b93ff2e0898253a5ba950

SHA1
d90ce75c613d390a65917af96b4752170295637a

SHA256
1f2a825709782354bf1baad1cb367355edce6231f4501f8e9c1de580361cfcc1

SHA512
cbabf008af9c121eedd3a57bec5f644e51523a1d46d2303fda1b0842b9a98dc4fb33426aad328e07462f3d999d3ec21f820c927f005310bcadee72fe917d550e

Download Submit
C:\Windows\{231CCDED-6D62-435a-AA32-CF13D4DA2FDC}.exe

Filesize
80KB

MD5
58f43ec1404ab6207e76f9b958d1387f

SHA1
aaab2fb11d91b63f63037c278aeef624ce3574e2

SHA256
600a618fe397e11d363bb6192d72093508e927f5444bfcfd9e579940d4647e44

SHA512
2a5ceaf2da0c11163e1123f518ddafb1fdfb1181ca5aab685347c11199330e2b9c5fc3ad9a97ca408925b7b3ffff36b6fa8fc09ba3e2f2437fcde1d316accb47

Download Submit
C:\Windows\{2A0136DA-3CD9-4fd1-A522-6A88AF5DB26E}.exe

Filesize
80KB

MD5
a013f392566f479bfa24fc27dd996f6e

SHA1
dfb5fe2814ca849a60ffde73d6f35d7ab45a5d2c

SHA256
89c38c2841c460d84ab61021ee277f43af580bc1bba6ae5381d3a1c40214d2f9

SHA512
6c83d9aa06e9055ad26876185f929970dc251aa0924ab993edac41f3496537bc2c6e854ce7685b15ddacc729ce005e545bfc74e059b9af3fbb90f3242feb062a

Download Submit
C:\Windows\{398AA43B-0E51-48e5-9CED-1CA57E63D730}.exe

Filesize
80KB

MD5
cd5bde0093bc0d40efbcc20acab2196d

SHA1
8696adc5554344407ef31c157d740b2fbe6a832c

SHA256
aa86f8134a16dbceb4ef702280676d87040e8b1f4d78851c182cb9fdd07047b3

SHA512
464ef5a1a2c4cbda47f1f9760001d887f9c01a3e4048ac5c1976fd8006a0f6aa4daa910f0703e0bb37998d609e48841e2d1f06369de141e7cb44863b07729019

Download Submit
C:\Windows\{3CDF7F96-D2EA-4f05-9C7D-BA45D651D14F}.exe

Filesize
80KB

MD5
0613891d607b5bd4347dedf91fe619f5

SHA1
37d98dc4b27bd0891e277a0e3e6b7569ca187eb3

SHA256
52a1a914822b2eae4597efac9f0c8bdace6d51c280ce6031891c7421dd2cac37

SHA512
61c330a84c82da16320d77eaf70a60b427e096f291882141771b1d6315afd4061225eec3300dffcf3477ac63c12ba6cff7a51215213202fe14d9ffd7cef50e31

Download Submit
C:\Windows\{4ABDB8E7-AE38-4e63-B8C6-BF947C59BE88}.exe

Filesize
80KB

MD5
f8357ab3cf4213620a3747f111cbaf41

SHA1
dd852a5ff4f1119420e0484cc1f365f4e358aae2

SHA256
325d949d62d1d8ab84b38f7ec59b8175a859c47d67fd830d985fa449e0439ff6

SHA512
ae090da405b30f6c68ff7d7fab99b6f69c67156aadf8d5561b22eaf57e9f3c2aa56fac5c526780f6f1484114c5af893a8ba26eea8db69541fc075e72525b3aea

Download Submit
C:\Windows\{7270472C-621A-47b5-90AD-7D71181B529B}.exe

Filesize
80KB

MD5
036f1738cdd8377867ae3b9f82a279c6

SHA1
2806b65d3ad5bd227f6fd10d41b009fcb420a69a

SHA256
48b65712a0e22b3984105e5851c73a5d9622da539119e97ee927a0d8174b0c78

SHA512
7fad10167ecccb8e9d612d7fcc1e0bc1ad18a2543e8b8614c0e6d5b2966c790b518012164ebba9b56fcbf1883f69abb1fa68a677c4ac9bf1d5d3a021bcfef572

Download Submit
C:\Windows\{94647E6E-B844-499c-8675-C8915F07E479}.exe

Filesize
80KB

MD5
3386fdb3c0f5db2bc8a3f1969afcf4c9

SHA1
83b8a52ada44d9dacedd755786a6e07cd53a0631

SHA256
8c7c1b0956c6138c25e4e3e27fbe8ace32f94d0314f28052d0ebffbaf1398300

SHA512
13dbcbe34dc8d725d0e24f839ea330fd453d580abee36dd8dbc45ba87a3b7cdb78db57023d6045698a63ffa6674b3c9bca42df579ce17a434af00a700366da4a

Download Submit
C:\Windows\{A9A2C454-E3EC-4083-9ED9-3A292B44520C}.exe

Filesize
80KB

MD5
9b6994ecf26c4f43b34bc4668b517d41

SHA1
bff95c40969a4995cd0f48f26fbb03a67c9c9844

SHA256
65ed0f97b9e1ad7a507baaf5dfec8162e92c5e28ecd5ee6c1949c0ec4bed3041

SHA512
6fdfa392d56315dc3f04367e057e873f13a50fd029c8927321d1cfdceec09670e005f55e81957eaa74088a6fd094ebdc4cc2c4c0bf4ee3a2a4ae38ad7e0ea7ca

Download Submit
C:\Windows\{BF1C18E6-BAFF-43fa-957F-283CE6EDBE99}.exe

Filesize
80KB

MD5
78dc782e7a7f900dcb2286af151fda23

SHA1
2ac729ef0d8d9a0a26ccbfcbc38ee0e98a151935

SHA256
dd2f0073d3803f87f18ec28456fec8d814b6c84d9b34468763a83862efa65075

SHA512
7e83c7fd06857fbd98e63f4febcb7129db023e9523d9c672942a957f8ce78c8ce8b0eb595f2eec438632c1a525f2effd7e6d4f7953e2e093c5b7c34ceef59a56

Download Submit
C:\Windows\{F4821739-2212-410a-942D-9017B39D5ABA}.exe

Filesize
80KB

MD5
f4c9cad5708e6e6927ad90fa2ef2060e

SHA1
71e92f9ba394fe19510c3e63336b57744b2ec0cc

SHA256
a2a73a98ca9e583f76e08e0842d3f87fbadb375e12d8147ab8d91d4bb99bbe92

SHA512
b2b876395bc87b7c2317cdb98bc52886374f213c7aacf6a093f666117b7d7eb6979dd5c7ae0badec0395c20b9df4909bf986e0a91fdcf0e6b9ef85bcf9922ac3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads