fe641b76031eb92c11881f0228bd2cee6887ef8b4a9b705fec28d29e9cc2de84

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b3f7e5e0f3fe29377c1e03071bd60e0.exe
Size

89KB
MD5

0b3f7e5e0f3fe29377c1e03071bd60e0
SHA1

55943b671ea9cd6e6f4ab5518bc724ffec3b9935
SHA256

fe641b76031eb92c11881f0228bd2cee6887ef8b4a9b705fec28d29e9cc2de84
SHA512

50f362b74715ab8c59955b81c0458a3229feea9d9d608b8202a41d1e781622174b60ea2421fefdf74ca7d2659ba0771b904714a55c1a282e12b47aded601a7a3
SSDEEP

768:Qvw9816vhKQLroa4/wQRNrfrunMxVFA3b7glL:YEGh0oal2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D954F10C-6464-4471-A7A7-D6328FED77AE}	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35448CEB-6FB8-4068-9A4F-E844853FC5FA}\stubpath = "C:\\Windows\\{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe"	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF3CE628-4246-46b0-85E6-84F19AB86CF9}\stubpath = "C:\\Windows\\{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe"	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA613723-95C7-42e5-9509-C28ED684AAAB}	0b3f7e5e0f3fe29377c1e03071bd60e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EFC2051-2AF3-4232-A028-113258EBB0FB}\stubpath = "C:\\Windows\\{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe"	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AE6A92A-F654-404f-AA2E-5672F5E45C45}\stubpath = "C:\\Windows\\{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe"	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29184193-7BB8-438b-BBB0-0F636FFAE4A6}	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{29184193-7BB8-438b-BBB0-0F636FFAE4A6}\stubpath = "C:\\Windows\\{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe"	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA6AD967-81AE-49dd-9B69-FA5C933148EE}	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}\stubpath = "C:\\Windows\\{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe"	{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{473B5C99-6C9C-4bd1-9099-0312519EE37D}	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{473B5C99-6C9C-4bd1-9099-0312519EE37D}\stubpath = "C:\\Windows\\{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe"	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D954F10C-6464-4471-A7A7-D6328FED77AE}\stubpath = "C:\\Windows\\{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe"	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4FA302F-F42F-4060-933D-732AF3AF5F06}\stubpath = "C:\\Windows\\{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe"	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56EA9F4A-3FC6-4a12-A486-9C235FC4F4D4}	{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{56EA9F4A-3FC6-4a12-A486-9C235FC4F4D4}\stubpath = "C:\\Windows\\{56EA9F4A-3FC6-4a12-A486-9C235FC4F4D4}.exe"	{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA613723-95C7-42e5-9509-C28ED684AAAB}\stubpath = "C:\\Windows\\{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe"	0b3f7e5e0f3fe29377c1e03071bd60e0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA6AD967-81AE-49dd-9B69-FA5C933148EE}\stubpath = "C:\\Windows\\{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe"	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF3CE628-4246-46b0-85E6-84F19AB86CF9}	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4FA302F-F42F-4060-933D-732AF3AF5F06}	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}	{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EFC2051-2AF3-4232-A028-113258EBB0FB}	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9AE6A92A-F654-404f-AA2E-5672F5E45C45}	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35448CEB-6FB8-4068-9A4F-E844853FC5FA}	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe

Executes dropped EXE 12 IoCs

pid	Process
4900	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe
2668	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe
4676	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe
3812	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe
3816	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe
3708	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe
4932	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe
4612	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe
3896	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe
1148	{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe
224	{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe
2368	{56EA9F4A-3FC6-4a12-A486-9C235FC4F4D4}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe
File created	C:\Windows\{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe
File created	C:\Windows\{56EA9F4A-3FC6-4a12-A486-9C235FC4F4D4}.exe	{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe
File created	C:\Windows\{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe
File created	C:\Windows\{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe
File created	C:\Windows\{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe
File created	C:\Windows\{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe
File created	C:\Windows\{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe
File created	C:\Windows\{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe	{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe
File created	C:\Windows\{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe	0b3f7e5e0f3fe29377c1e03071bd60e0.exe
File created	C:\Windows\{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe
File created	C:\Windows\{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{56EA9F4A-3FC6-4a12-A486-9C235FC4F4D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b3f7e5e0f3fe29377c1e03071bd60e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1564	0b3f7e5e0f3fe29377c1e03071bd60e0.exe
Token: SeIncBasePriorityPrivilege	4900	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe
Token: SeIncBasePriorityPrivilege	2668	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe
Token: SeIncBasePriorityPrivilege	4676	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe
Token: SeIncBasePriorityPrivilege	3812	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe
Token: SeIncBasePriorityPrivilege	3816	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe
Token: SeIncBasePriorityPrivilege	3708	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe
Token: SeIncBasePriorityPrivilege	4932	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe
Token: SeIncBasePriorityPrivilege	4612	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe
Token: SeIncBasePriorityPrivilege	3896	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe
Token: SeIncBasePriorityPrivilege	1148	{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe
Token: SeIncBasePriorityPrivilege	224	{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 4900	1564	0b3f7e5e0f3fe29377c1e03071bd60e0.exe	88
PID 1564 wrote to memory of 4900	1564	0b3f7e5e0f3fe29377c1e03071bd60e0.exe	88
PID 1564 wrote to memory of 4900	1564	0b3f7e5e0f3fe29377c1e03071bd60e0.exe	88
PID 1564 wrote to memory of 5116	1564	0b3f7e5e0f3fe29377c1e03071bd60e0.exe	89
PID 1564 wrote to memory of 5116	1564	0b3f7e5e0f3fe29377c1e03071bd60e0.exe	89
PID 1564 wrote to memory of 5116	1564	0b3f7e5e0f3fe29377c1e03071bd60e0.exe	89
PID 4900 wrote to memory of 2668	4900	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe	90
PID 4900 wrote to memory of 2668	4900	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe	90
PID 4900 wrote to memory of 2668	4900	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe	90
PID 4900 wrote to memory of 1424	4900	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe	91
PID 4900 wrote to memory of 1424	4900	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe	91
PID 4900 wrote to memory of 1424	4900	{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe	91
PID 2668 wrote to memory of 4676	2668	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe	96
PID 2668 wrote to memory of 4676	2668	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe	96
PID 2668 wrote to memory of 4676	2668	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe	96
PID 2668 wrote to memory of 4564	2668	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe	97
PID 2668 wrote to memory of 4564	2668	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe	97
PID 2668 wrote to memory of 4564	2668	{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe	97
PID 4676 wrote to memory of 3812	4676	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe	98
PID 4676 wrote to memory of 3812	4676	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe	98
PID 4676 wrote to memory of 3812	4676	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe	98
PID 4676 wrote to memory of 2124	4676	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe	99
PID 4676 wrote to memory of 2124	4676	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe	99
PID 4676 wrote to memory of 2124	4676	{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe	99
PID 3812 wrote to memory of 3816	3812	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe	100
PID 3812 wrote to memory of 3816	3812	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe	100
PID 3812 wrote to memory of 3816	3812	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe	100
PID 3812 wrote to memory of 1088	3812	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe	101
PID 3812 wrote to memory of 1088	3812	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe	101
PID 3812 wrote to memory of 1088	3812	{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe	101
PID 3816 wrote to memory of 3708	3816	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe	102
PID 3816 wrote to memory of 3708	3816	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe	102
PID 3816 wrote to memory of 3708	3816	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe	102
PID 3816 wrote to memory of 400	3816	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe	103
PID 3816 wrote to memory of 400	3816	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe	103
PID 3816 wrote to memory of 400	3816	{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe	103
PID 3708 wrote to memory of 4932	3708	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe	104
PID 3708 wrote to memory of 4932	3708	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe	104
PID 3708 wrote to memory of 4932	3708	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe	104
PID 3708 wrote to memory of 4964	3708	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe	105
PID 3708 wrote to memory of 4964	3708	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe	105
PID 3708 wrote to memory of 4964	3708	{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe	105
PID 4932 wrote to memory of 4612	4932	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe	109
PID 4932 wrote to memory of 4612	4932	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe	109
PID 4932 wrote to memory of 4612	4932	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe	109
PID 4932 wrote to memory of 4700	4932	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe	110
PID 4932 wrote to memory of 4700	4932	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe	110
PID 4932 wrote to memory of 4700	4932	{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe	110
PID 4612 wrote to memory of 3896	4612	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe	111
PID 4612 wrote to memory of 3896	4612	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe	111
PID 4612 wrote to memory of 3896	4612	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe	111
PID 4612 wrote to memory of 2028	4612	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe	112
PID 4612 wrote to memory of 2028	4612	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe	112
PID 4612 wrote to memory of 2028	4612	{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe	112
PID 3896 wrote to memory of 1148	3896	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe	113
PID 3896 wrote to memory of 1148	3896	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe	113
PID 3896 wrote to memory of 1148	3896	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe	113
PID 3896 wrote to memory of 1688	3896	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe	114
PID 3896 wrote to memory of 1688	3896	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe	114
PID 3896 wrote to memory of 1688	3896	{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe	114
PID 1148 wrote to memory of 224	1148	{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe	115
PID 1148 wrote to memory of 224	1148	{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe	115
PID 1148 wrote to memory of 224	1148	{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe	115
PID 1148 wrote to memory of 2896	1148	{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe	116

C:\Users\Admin\AppData\Local\Temp\0b3f7e5e0f3fe29377c1e03071bd60e0.exe
"C:\Users\Admin\AppData\Local\Temp\0b3f7e5e0f3fe29377c1e03071bd60e0.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe
  C:\Windows\{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4900
- - C:\Windows\{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe
    C:\Windows\{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe
      C:\Windows\{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe
        
        C:\Windows\{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3812
      - C:\Windows\{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe
        
        C:\Windows\{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe
        
        C:\Windows\{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe
        
        C:\Windows\{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4932
        
        C:\Windows\{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe
        
        C:\Windows\{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe
        
        C:\Windows\{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3896
        
        C:\Windows\{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe
        
        C:\Windows\{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe
        
        C:\Windows\{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:224
        
        C:\Windows\{56EA9F4A-3FC6-4a12-A486-9C235FC4F4D4}.exe
        
        C:\Windows\{56EA9F4A-3FC6-4a12-A486-9C235FC4F4D4}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CACBC~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4FA3~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF3CE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EA6AD~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35448~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{29184~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D954F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:400
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9AE6A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{473B5~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2EFC2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{AA613~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1424
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\0B3F7E~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{29184193-7BB8-438b-BBB0-0F636FFAE4A6}.exe

Filesize
89KB

MD5
9a762233f36cb8b157f0394c11baa0e1

SHA1
4f86f724a30b8ddc029991dd64553307c327fbc6

SHA256
1beeee72ae957b044995829f0f35a2a51881bd7fddcb99bac07b868c4d18a26d

SHA512
152791309116bb8501381d670fe55f7f656646912f4a649b46b09a085acc5511552a173e5629d942343cf1b1c2b481a46804d09f02569204b6bdbc6e3598b77c

Download Submit
C:\Windows\{2EFC2051-2AF3-4232-A028-113258EBB0FB}.exe

Filesize
89KB

MD5
520e2cd88ff3010879cd909e52f8e5db

SHA1
8ca4cb4bc2ea3bfd8cbcf18cc66cf2226ce930e2

SHA256
c9161bab46074f4810639ae8ccb20a27c7b43252694daf4dd1a282100f3bfaa3

SHA512
f801dc29198103f49b47622833c79d1d5cd20208271dc0a1623872977fa275d442d0fc21cefcd4aa4f7aa06be2f5eee126acc3e106f2f976c698c81e106d2ec7

Download Submit
C:\Windows\{35448CEB-6FB8-4068-9A4F-E844853FC5FA}.exe

Filesize
89KB

MD5
6a8e3c93b4876e40756e2f5624d760ff

SHA1
baef03131c87e047ee2fc4192659292ac3c5554f

SHA256
21099ceafb319689eab054ac538f0f0f28b5692628d2b10758c826bfa6356615

SHA512
32a7672e900d6dde6979c0b82068f0773d2ee1155e8aba706b88ba8cdc03eaea5b8e24b3d9285c754e5d4dd96a86db058935b5231d4f495f0a8e1df9598ab06e

Download Submit
C:\Windows\{473B5C99-6C9C-4bd1-9099-0312519EE37D}.exe

Filesize
89KB

MD5
760903beaa9212be8b969fa89e64706f

SHA1
f861c956030b21c4e9d73b822a5033ac30ae5c4f

SHA256
9c6080bb6ab68be3c2545e2c198fe9609a0b3facc28b36dde420694947e5eb0a

SHA512
31b21446c5d2345bd9b01f0f14be0f62a9aee65e15df15ab7f2705d5071cf1000f23f9dc5298f56235120447dd5843c07601f7391e28b8597ebc99aa4a01b635

Download Submit
C:\Windows\{56EA9F4A-3FC6-4a12-A486-9C235FC4F4D4}.exe

Filesize
89KB

MD5
74e8919c9977458222a2d4124a96a395

SHA1
14b4a3de4974184d873f9cb54846c1de62ce65d6

SHA256
0f27440732ac9b1cc82ef9a77dab831fac92ba5d9aaec09249553cc591221430

SHA512
f121d6caa93522134a0b484832f370d387b45075db18b808873c43f1b5bad4b6c325d35821ef74a4e9eba41f2616b6c5666ffcc95c05e6e56a0d06512fbebbec

Download Submit
C:\Windows\{9AE6A92A-F654-404f-AA2E-5672F5E45C45}.exe

Filesize
89KB

MD5
8f7e61a1edfb470da1387a685dc709ac

SHA1
8d41293311e979a3f69ab9780901d980619d5701

SHA256
be401c918ae92d73d50a29a05032eb12d7e03589872e8767f24e8edffabe0ac5

SHA512
66812bec16c11c760034ce434c25f3f75ad31b9a3600e9437591e30f0db016201342a0dfa5290cc12e968d8edb4b4a2cfa5d47cd598f15c184d402056ade7c21

Download Submit
C:\Windows\{A4FA302F-F42F-4060-933D-732AF3AF5F06}.exe

Filesize
89KB

MD5
bfe3682a72ed70dbce57f51ad66f6e17

SHA1
749c281a2ba0c980e664d0719f3bbd3bd7ffea20

SHA256
e197d3b9726b4e0db9c0d3b0f22142aa1149d74b2468bf5e255fe48345d18143

SHA512
59cfd5194d943ba33b7539a23bd74969d2f1fef1073fd8de489a934d5e89d492016ea115a3b5693ecd1b6838d2cc44784b81773f1bf6f7a364477f08b1058605

Download Submit
C:\Windows\{AA613723-95C7-42e5-9509-C28ED684AAAB}.exe

Filesize
89KB

MD5
5891fdae544c1caf2e3f3160f4668e9f

SHA1
91b0a8e6f5d32c098b57a569be579bf204a03cf3

SHA256
ad43e6433d430de195223b47727220eea80f2f8838b5e603c4ce58ccdce75882

SHA512
b9a820199f0bec6450860d51311f2314e66efb99eb5ce8ceafa4e4edeffee056e42f5d013f4db9a2b6e85f387a740bd93dbb321d01f8089dad68f28ac4c3446f

Download Submit
C:\Windows\{AF3CE628-4246-46b0-85E6-84F19AB86CF9}.exe

Filesize
89KB

MD5
97323c55c1f3393a582f23b32c056659

SHA1
408d84947320e2c2099a6edbd7605a004ea79b1d

SHA256
416e323ee0cd7e406e31432f2ff0e4b107b9cc4148f1352bbd057977d7b8c442

SHA512
c7eb8d7c36b96e8a36719b0aab119b84c5afd1a6b39f389bb3b7169e9be6c29b253fb7b0ad26dc6d9c1e04ac1023bde2c8fe335af3face5a2d6685edbba7f557

Download Submit
C:\Windows\{CACBC2F4-D68A-45a2-907B-DC2D20FE1699}.exe

Filesize
89KB

MD5
708f09e8a6720c942b96b08b31903785

SHA1
f89c4ad03b2a89ca9760c082439432e1c1ac673b

SHA256
c5f63a9ae3e060f7eb4a31592a29e3db7bba4fc4042cb1455f4a3120dd5cc0d4

SHA512
8427e08be8c6a7eb719d3d4c95d25d498b08bec0b6082a47b3084ebe41972935951cae7c92f17359959b15b3b40350d92b4d320727fba9c181f2e9e4883cd2f4

Download Submit
C:\Windows\{D954F10C-6464-4471-A7A7-D6328FED77AE}.exe

Filesize
89KB

MD5
c49d28b8cbefad64279c74586e7e03bd

SHA1
1db28f0c20816e6d37323ff5399c9762b80fa9d8

SHA256
fab824b4d8d8002e51d902572d8153ba135cbff016b7fbe41e072f29a2322725

SHA512
50fce94c1a2e439fb10adc10c2d49d4a74bc08b7f2fdb2b6e5126f6e306821659cc3caf6be5baad6f15901f1124acc8d93fae6c43fe02736a1a1f7345fbdd195

Download Submit
C:\Windows\{EA6AD967-81AE-49dd-9B69-FA5C933148EE}.exe

Filesize
89KB

MD5
ee1cd29524b6eece6643cc788c14ad5d

SHA1
e6c6f5eff259f79687496f8cdb9f8f836bcd637d

SHA256
ebf1650b2af630656c6b4af7485e06e36f2744b8dfd94a78d06ce937868d8a59

SHA512
e23d4a2b21daa71414b7592d885308ad2d60f0a17b1a69ea10588a08e3a3ff272f56cce6c18841294c2dbdf6e204dbd865d4f8923449ab6e7b54916ea74b0a4e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads