3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/08/2024, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
Size

89KB
MD5

2aef6586334840096ed23ceb9fab1320
SHA1

48bc4b2663a531b88565fbf7edee55acf7ce99c0
SHA256

3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f
SHA512

5cde108e2b2f220cc9dafa11dfaa99b2ec4710b4d9aa864fc4a4da2b482290cea2b413d6a246bef73bfb800b18d8f5a44a29984b49468f965bfd8e562d7c4813
SSDEEP

768:Qvw9816vhKQLrov4/wQRNrfrunMxVFA3b7glL:YEGh0ovl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{918696D4-3A9A-4c67-B998-681325211ED9}	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3622DE45-6341-4bcd-885A-1A34C41AD1AC}	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77571060-D545-43b4-AE14-440063FFD266}	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7BA286E-8CF4-44b0-AEF6-692B15512382}\stubpath = "C:\\Windows\\{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe"	{77571060-D545-43b4-AE14-440063FFD266}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4F9CE39-D911-45de-BD50-094B7588AC4F}\stubpath = "C:\\Windows\\{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe"	{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2F719C9-249C-48cc-A742-FFDE8A68D76B}\stubpath = "C:\\Windows\\{F2F719C9-249C-48cc-A742-FFDE8A68D76B}.exe"	{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4F9CE39-D911-45de-BD50-094B7588AC4F}	{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{918696D4-3A9A-4c67-B998-681325211ED9}\stubpath = "C:\\Windows\\{918696D4-3A9A-4c67-B998-681325211ED9}.exe"	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}\stubpath = "C:\\Windows\\{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe"	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45C9E28-DF72-43af-BFFE-31214D39E260}	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3622DE45-6341-4bcd-885A-1A34C41AD1AC}\stubpath = "C:\\Windows\\{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe"	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D7BA286E-8CF4-44b0-AEF6-692B15512382}	{77571060-D545-43b4-AE14-440063FFD266}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD696837-8B06-4f6b-A53F-3C8805F5647C}	{67B85507-7CDF-4efc-869B-C45413846841}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FD696837-8B06-4f6b-A53F-3C8805F5647C}\stubpath = "C:\\Windows\\{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe"	{67B85507-7CDF-4efc-869B-C45413846841}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9809191-F55D-46f7-BBEA-54AFF7C54943}\stubpath = "C:\\Windows\\{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe"	{918696D4-3A9A-4c67-B998-681325211ED9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2F719C9-249C-48cc-A742-FFDE8A68D76B}	{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9809191-F55D-46f7-BBEA-54AFF7C54943}	{918696D4-3A9A-4c67-B998-681325211ED9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A45C9E28-DF72-43af-BFFE-31214D39E260}\stubpath = "C:\\Windows\\{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe"	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}\stubpath = "C:\\Windows\\{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe"	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77571060-D545-43b4-AE14-440063FFD266}\stubpath = "C:\\Windows\\{77571060-D545-43b4-AE14-440063FFD266}.exe"	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67B85507-7CDF-4efc-869B-C45413846841}	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67B85507-7CDF-4efc-869B-C45413846841}\stubpath = "C:\\Windows\\{67B85507-7CDF-4efc-869B-C45413846841}.exe"	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe

Executes dropped EXE 12 IoCs

pid	Process
3808	{918696D4-3A9A-4c67-B998-681325211ED9}.exe
2520	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe
4980	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe
3420	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe
876	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe
1848	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe
788	{77571060-D545-43b4-AE14-440063FFD266}.exe
3764	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe
3788	{67B85507-7CDF-4efc-869B-C45413846841}.exe
4724	{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe
3276	{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe
4812	{F2F719C9-249C-48cc-A742-FFDE8A68D76B}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe	{918696D4-3A9A-4c67-B998-681325211ED9}.exe
File created	C:\Windows\{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe
File created	C:\Windows\{77571060-D545-43b4-AE14-440063FFD266}.exe	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe
File created	C:\Windows\{67B85507-7CDF-4efc-869B-C45413846841}.exe	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe
File created	C:\Windows\{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe	{67B85507-7CDF-4efc-869B-C45413846841}.exe
File created	C:\Windows\{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe	{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe
File created	C:\Windows\{F2F719C9-249C-48cc-A742-FFDE8A68D76B}.exe	{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe
File created	C:\Windows\{918696D4-3A9A-4c67-B998-681325211ED9}.exe	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
File created	C:\Windows\{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe
File created	C:\Windows\{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe
File created	C:\Windows\{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe
File created	C:\Windows\{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe	{77571060-D545-43b4-AE14-440063FFD266}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{918696D4-3A9A-4c67-B998-681325211ED9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77571060-D545-43b4-AE14-440063FFD266}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67B85507-7CDF-4efc-869B-C45413846841}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F2F719C9-249C-48cc-A742-FFDE8A68D76B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3708	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
Token: SeIncBasePriorityPrivilege	3808	{918696D4-3A9A-4c67-B998-681325211ED9}.exe
Token: SeIncBasePriorityPrivilege	2520	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe
Token: SeIncBasePriorityPrivilege	4980	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe
Token: SeIncBasePriorityPrivilege	3420	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe
Token: SeIncBasePriorityPrivilege	876	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe
Token: SeIncBasePriorityPrivilege	1848	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe
Token: SeIncBasePriorityPrivilege	788	{77571060-D545-43b4-AE14-440063FFD266}.exe
Token: SeIncBasePriorityPrivilege	3764	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe
Token: SeIncBasePriorityPrivilege	3788	{67B85507-7CDF-4efc-869B-C45413846841}.exe
Token: SeIncBasePriorityPrivilege	4724	{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe
Token: SeIncBasePriorityPrivilege	3276	{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 3808	3708	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	86
PID 3708 wrote to memory of 3808	3708	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	86
PID 3708 wrote to memory of 3808	3708	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	86
PID 3708 wrote to memory of 1412	3708	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	87
PID 3708 wrote to memory of 1412	3708	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	87
PID 3708 wrote to memory of 1412	3708	3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe	87
PID 3808 wrote to memory of 2520	3808	{918696D4-3A9A-4c67-B998-681325211ED9}.exe	88
PID 3808 wrote to memory of 2520	3808	{918696D4-3A9A-4c67-B998-681325211ED9}.exe	88
PID 3808 wrote to memory of 2520	3808	{918696D4-3A9A-4c67-B998-681325211ED9}.exe	88
PID 3808 wrote to memory of 2168	3808	{918696D4-3A9A-4c67-B998-681325211ED9}.exe	89
PID 3808 wrote to memory of 2168	3808	{918696D4-3A9A-4c67-B998-681325211ED9}.exe	89
PID 3808 wrote to memory of 2168	3808	{918696D4-3A9A-4c67-B998-681325211ED9}.exe	89
PID 2520 wrote to memory of 4980	2520	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe	92
PID 2520 wrote to memory of 4980	2520	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe	92
PID 2520 wrote to memory of 4980	2520	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe	92
PID 2520 wrote to memory of 4784	2520	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe	93
PID 2520 wrote to memory of 4784	2520	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe	93
PID 2520 wrote to memory of 4784	2520	{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe	93
PID 4980 wrote to memory of 3420	4980	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe	95
PID 4980 wrote to memory of 3420	4980	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe	95
PID 4980 wrote to memory of 3420	4980	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe	95
PID 4980 wrote to memory of 3868	4980	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe	96
PID 4980 wrote to memory of 3868	4980	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe	96
PID 4980 wrote to memory of 3868	4980	{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe	96
PID 3420 wrote to memory of 876	3420	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe	97
PID 3420 wrote to memory of 876	3420	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe	97
PID 3420 wrote to memory of 876	3420	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe	97
PID 3420 wrote to memory of 1004	3420	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe	98
PID 3420 wrote to memory of 1004	3420	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe	98
PID 3420 wrote to memory of 1004	3420	{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe	98
PID 876 wrote to memory of 1848	876	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe	99
PID 876 wrote to memory of 1848	876	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe	99
PID 876 wrote to memory of 1848	876	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe	99
PID 876 wrote to memory of 3220	876	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe	100
PID 876 wrote to memory of 3220	876	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe	100
PID 876 wrote to memory of 3220	876	{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe	100
PID 1848 wrote to memory of 788	1848	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe	101
PID 1848 wrote to memory of 788	1848	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe	101
PID 1848 wrote to memory of 788	1848	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe	101
PID 1848 wrote to memory of 512	1848	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe	102
PID 1848 wrote to memory of 512	1848	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe	102
PID 1848 wrote to memory of 512	1848	{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe	102
PID 788 wrote to memory of 3764	788	{77571060-D545-43b4-AE14-440063FFD266}.exe	103
PID 788 wrote to memory of 3764	788	{77571060-D545-43b4-AE14-440063FFD266}.exe	103
PID 788 wrote to memory of 3764	788	{77571060-D545-43b4-AE14-440063FFD266}.exe	103
PID 788 wrote to memory of 728	788	{77571060-D545-43b4-AE14-440063FFD266}.exe	104
PID 788 wrote to memory of 728	788	{77571060-D545-43b4-AE14-440063FFD266}.exe	104
PID 788 wrote to memory of 728	788	{77571060-D545-43b4-AE14-440063FFD266}.exe	104
PID 3764 wrote to memory of 3788	3764	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe	105
PID 3764 wrote to memory of 3788	3764	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe	105
PID 3764 wrote to memory of 3788	3764	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe	105
PID 3764 wrote to memory of 3320	3764	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe	106
PID 3764 wrote to memory of 3320	3764	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe	106
PID 3764 wrote to memory of 3320	3764	{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe	106
PID 3788 wrote to memory of 4724	3788	{67B85507-7CDF-4efc-869B-C45413846841}.exe	107
PID 3788 wrote to memory of 4724	3788	{67B85507-7CDF-4efc-869B-C45413846841}.exe	107
PID 3788 wrote to memory of 4724	3788	{67B85507-7CDF-4efc-869B-C45413846841}.exe	107
PID 3788 wrote to memory of 516	3788	{67B85507-7CDF-4efc-869B-C45413846841}.exe	108
PID 3788 wrote to memory of 516	3788	{67B85507-7CDF-4efc-869B-C45413846841}.exe	108
PID 3788 wrote to memory of 516	3788	{67B85507-7CDF-4efc-869B-C45413846841}.exe	108
PID 4724 wrote to memory of 3276	4724	{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe	109
PID 4724 wrote to memory of 3276	4724	{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe	109
PID 4724 wrote to memory of 3276	4724	{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe	109
PID 4724 wrote to memory of 2908	4724	{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe	110

C:\Users\Admin\AppData\Local\Temp\3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe
"C:\Users\Admin\AppData\Local\Temp\3adaca9309ad20260b935223ca0720c0ee28b9068fc4482ecaffc267ffbe1c9f.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3708
- C:\Windows\{918696D4-3A9A-4c67-B998-681325211ED9}.exe
  C:\Windows\{918696D4-3A9A-4c67-B998-681325211ED9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3808
- - C:\Windows\{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe
    C:\Windows\{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe
      C:\Windows\{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Windows\{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe
        
        C:\Windows\{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3420
      - C:\Windows\{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe
        
        C:\Windows\{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:876
        
        C:\Windows\{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe
        
        C:\Windows\{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\{77571060-D545-43b4-AE14-440063FFD266}.exe
        
        C:\Windows\{77571060-D545-43b4-AE14-440063FFD266}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:788
        
        C:\Windows\{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe
        
        C:\Windows\{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\{67B85507-7CDF-4efc-869B-C45413846841}.exe
        
        C:\Windows\{67B85507-7CDF-4efc-869B-C45413846841}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe
        
        C:\Windows\{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe
        
        C:\Windows\{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3276
        
        C:\Windows\{F2F719C9-249C-48cc-A742-FFDE8A68D76B}.exe
        
        C:\Windows\{F2F719C9-249C-48cc-A742-FFDE8A68D76B}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4F9C~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FD696~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{67B85~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D7BA2~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{77571~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0D8C6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:512
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3622D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A45C9~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1004
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E92F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3868
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E9809~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{91869~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3ADACA~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0D8C6D01-28BE-4127-AA6C-1EE1BB0AB9AB}.exe

Filesize
89KB

MD5
c43ecd05d802de115b0f080006f4caa2

SHA1
2b1dd523990b4ed2b4e63a738949a50095d098b2

SHA256
4981132b9f547ca2d76e2c67605ebaa8cd50dac28cf62016fefa68f8fb2c5cb1

SHA512
c28318b3b25e4c68527a12bac955e43b81242a0da8b8a802c1fbf115d914831c79ee77a6b807c1f1521076071617e90a0906bfb621d2c4dbb7a165b5f8b7b2b4

Download Submit
C:\Windows\{3622DE45-6341-4bcd-885A-1A34C41AD1AC}.exe

Filesize
89KB

MD5
11b46be70fcea20618a0e975b4c97f9d

SHA1
9bca4c057ec5556dab470eb5e28e71807f31607a

SHA256
c3a2b5ac97258b8a4f1fe9ae7ed34a114201b027c7792809a2bffeacf27ece5c

SHA512
5d6a7457228a06ae45739c55c20b13c9447a3e32863afb4ce517dda4f6996f92fd9dca6e459cd240abf6bb8b055460d21bfc796b7607bf045188ed54e5caecf5

Download Submit
C:\Windows\{5E92F53B-9FB3-4b1d-8C94-9306E5A1BF15}.exe

Filesize
89KB

MD5
34ff16ffda71efc03f362e935a58c379

SHA1
2536cf81d7b464af0d9b016f051f138a297219d1

SHA256
515f850b14c307dfcc50c687c7c3921e7212dc5c68a2652354db6b38c5e97170

SHA512
bbc640c71302f08d2bd682be6873c6d42a514e4195bc6f5a849a866b51b8227ef28a4ea56ba00548dedf6d465ab262dbd47090ba0da7b887f60869d7c890ff78

Download Submit
C:\Windows\{67B85507-7CDF-4efc-869B-C45413846841}.exe

Filesize
89KB

MD5
e5926a170948b570b69b25864b2dbe4c

SHA1
ead26546764e838344bc530c6b468f9744bfe1b9

SHA256
61fc95e53c79feacde7c410516e77c46f3224fa435c77f28a4c33bf1a37eaa58

SHA512
c291a3053898f620f73596cd154279054ccd9de193e5ebd822072dd22626f877d9f3ab42ebf74bb2e4c747843df6389ee785e7bf59e9e1e50cebc0fba2a8572a

Download Submit
C:\Windows\{77571060-D545-43b4-AE14-440063FFD266}.exe

Filesize
89KB

MD5
fd2fd777c60316b4605c920f86b4cebf

SHA1
93cc2d46f153de54d0539095c794ca13c80cd97a

SHA256
4aed87c0d26ad858f65910c6b9d56eba91b31a323c8441fdc0b6b2835d8aa2a0

SHA512
56eb928a630ec449e0f747ef94882d1e2446d47d6a30504353024c709a02391f2921634cec97ea3c7e74df9380e479c544b310668d1648f06bf0e1d66ce49313

Download Submit
C:\Windows\{918696D4-3A9A-4c67-B998-681325211ED9}.exe

Filesize
89KB

MD5
537df42fe0b68bc8abe20e7f19ebf7ff

SHA1
9957d73f5f84efaf0601819180ff9ee4573f2604

SHA256
e5c58e9ed9cc6b5e4ac8222cc5293329d59fa7d7b5c40e007cfabe459cec7941

SHA512
c3babd2e4cebb4d4b0c9198f23e1dcbc196f3e6b35494d0ac326bfdb719c351c45acdec1abf5b72593e1dc9c0c87b490628578a493fd6bce39403635be4ed137

Download Submit
C:\Windows\{A45C9E28-DF72-43af-BFFE-31214D39E260}.exe

Filesize
89KB

MD5
072882f30b541f0ff115aba6d3e131b9

SHA1
0eef9317578c6c1ad7bc7336d765a993d1fbbf63

SHA256
9e4c4833d8c0145214fe3a9821530719d88fabf247e96c34382f2a0f709a20de

SHA512
ab30c5f4c5f9690ddac149701eb884bc28de3366b0639a315914bae9d9083697d4f53673a1880894aa594d43be486dc0f33647839fa173014414b4b85e96d028

Download Submit
C:\Windows\{A4F9CE39-D911-45de-BD50-094B7588AC4F}.exe

Filesize
89KB

MD5
7e87ee1a41b06eddb0f15f447f49d294

SHA1
9d48671dc22c427b140b019cd69aa21bf15640a7

SHA256
ddd8959f0dd1703bed3d0cec3703191b63dff91a7275564fdf55abad07d93bde

SHA512
69b5fe147f211e2428893a843ac528a9a871fddee45fe6dcfa492987c2c8ede33960fc4665f8af0ff458e65ea032308e5f2aba45b58f9a78612cbbee70ca953d

Download Submit
C:\Windows\{D7BA286E-8CF4-44b0-AEF6-692B15512382}.exe

Filesize
89KB

MD5
dd5ddf0a429d34fec40ca5c233b1784e

SHA1
1755eec8fac3cda230741f52bc2e23993db22520

SHA256
5d031e1ec59db3461808021d642bbdcbe60e77c53b107f4cbb5ca0affdff5ca4

SHA512
6f2e4c54a495f2addb21eacace68df58e50e96002b15c3e400fc14ff28d062adb59c65d72547bf121ca028e0a12b402f392a173896ae94fbb917a95803c6f96f

Download Submit
C:\Windows\{E9809191-F55D-46f7-BBEA-54AFF7C54943}.exe

Filesize
89KB

MD5
c0096197a9d77868702f90207a02fd70

SHA1
66dd6c12d8610a26cbd1f970bcc8c0b74f342e13

SHA256
94af6cc0609b808a141b89359f0b6daf69ad968348501753eb5567ea0df64d63

SHA512
141a6f5bab0997e3138892d0bea6cee179ae503846ed523fad4e639ecc0498902ed02f34b331d7f0e618625ea6298cafab69ecbbd4fffab70c7865b7f6b1283a

Download Submit
C:\Windows\{F2F719C9-249C-48cc-A742-FFDE8A68D76B}.exe

Filesize
89KB

MD5
661c486d22b2061889ca5a4594718b91

SHA1
049f60dbed37ce18c9f661812fd46a403ad4e7db

SHA256
74de42c5c0eaaf06c4ef552d9acddb2cfe68067de14e0cc3e2ee1e80efd479e3

SHA512
b03fdcbfa0c345f26d519e2465c5681ddd93eeab86de91031aada1be3cce47b6fae79e50fec51024aba55487e0638342677c838b42c5c6fac11b1b1a5c36675f

Download Submit
C:\Windows\{FD696837-8B06-4f6b-A53F-3C8805F5647C}.exe

Filesize
89KB

MD5
1979ae4a620d05571c6825aeadefa061

SHA1
cd2ea8eeb8b84bce4fad4804e47a3f14faeed915

SHA256
c5ee638749c665d7675e7af66e200bd765033286940fdaace72dd5c6870afdd0

SHA512
d4655447c3eb25e1a974d14aae93053595392e147703f63666c9d4ab2bb3fa305bae6aea21f577ae46fb6bc0b48144a7c625a0771aa1a0a3ab3331ea74747627

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads