62658f5d962eddf14d948b431d182db04eed10768f573eda239dbbeaff9c75af

Analysis

max time kernel
118s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17/08/2024, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc2813934e8ac0e1c668f59471123b90N.exe
Size

213KB
MD5

fc2813934e8ac0e1c668f59471123b90
SHA1

2d04662dccafc7a766edbefc4932337fe1275360
SHA256

62658f5d962eddf14d948b431d182db04eed10768f573eda239dbbeaff9c75af
SHA512

1420233ae06b5e727b1cfb60495907fbab3c0d1ff32bfbc3e70c9011052c4a8efc158a0b0c234636dd78591a59bbe5607bb64ff36428e0b143365943dc21fd90
SSDEEP

1536:YEGh0oll2unMxVS3HgdoKjhLJhzrryLPAneS3DquFSS4efk6kF/y+Ic7e/FtPt+A:YEGh0ollvMUyNjhLJhXrhnJ3D4IF

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3499A4B1-419D-43e1-9488-A4DBF4333F0A}\stubpath = "C:\\Windows\\{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe"	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC6E7983-E8DB-4364-A722-010C4A3162C4}	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{960F4EB4-89A1-4567-B638-A3B7A82FB62E}	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}\stubpath = "C:\\Windows\\{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe"	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C50232F-A863-4b39-B36C-FDD3EF08C47D}	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{960F4EB4-89A1-4567-B638-A3B7A82FB62E}\stubpath = "C:\\Windows\\{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe"	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1395D9BB-D809-445c-8F5C-5C132157D02E}\stubpath = "C:\\Windows\\{1395D9BB-D809-445c-8F5C-5C132157D02E}.exe"	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3499A4B1-419D-43e1-9488-A4DBF4333F0A}	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C50232F-A863-4b39-B36C-FDD3EF08C47D}\stubpath = "C:\\Windows\\{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe"	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1395D9BB-D809-445c-8F5C-5C132157D02E}	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}\stubpath = "C:\\Windows\\{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe"	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D9FC08A-0DC1-40b4-B20E-D987427CF495}	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9D9FC08A-0DC1-40b4-B20E-D987427CF495}\stubpath = "C:\\Windows\\{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe"	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B58BE84B-70B3-468a-9838-AEB22A12A3D9}	fc2813934e8ac0e1c668f59471123b90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B58BE84B-70B3-468a-9838-AEB22A12A3D9}\stubpath = "C:\\Windows\\{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe"	fc2813934e8ac0e1c668f59471123b90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DC6E7983-E8DB-4364-A722-010C4A3162C4}\stubpath = "C:\\Windows\\{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe"	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe

Executes dropped EXE 9 IoCs

pid	Process
3036	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe
5080	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe
2008	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe
1236	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe
764	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe
1620	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe
3504	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe
3320	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe
1056	{1395D9BB-D809-445c-8F5C-5C132157D02E}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe
File created	C:\Windows\{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe	fc2813934e8ac0e1c668f59471123b90N.exe
File created	C:\Windows\{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe
File created	C:\Windows\{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe
File created	C:\Windows\{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe
File created	C:\Windows\{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe
File created	C:\Windows\{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe
File created	C:\Windows\{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe
File created	C:\Windows\{1395D9BB-D809-445c-8F5C-5C132157D02E}.exe	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fc2813934e8ac0e1c668f59471123b90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1395D9BB-D809-445c-8F5C-5C132157D02E}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4792	fc2813934e8ac0e1c668f59471123b90N.exe
Token: SeIncBasePriorityPrivilege	3036	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe
Token: SeIncBasePriorityPrivilege	5080	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe
Token: SeIncBasePriorityPrivilege	2008	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe
Token: SeIncBasePriorityPrivilege	1236	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe
Token: SeIncBasePriorityPrivilege	764	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe
Token: SeIncBasePriorityPrivilege	1620	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe
Token: SeIncBasePriorityPrivilege	3504	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe
Token: SeIncBasePriorityPrivilege	3320	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4792 wrote to memory of 3036	4792	fc2813934e8ac0e1c668f59471123b90N.exe	94
PID 4792 wrote to memory of 3036	4792	fc2813934e8ac0e1c668f59471123b90N.exe	94
PID 4792 wrote to memory of 3036	4792	fc2813934e8ac0e1c668f59471123b90N.exe	94
PID 4792 wrote to memory of 3200	4792	fc2813934e8ac0e1c668f59471123b90N.exe	95
PID 4792 wrote to memory of 3200	4792	fc2813934e8ac0e1c668f59471123b90N.exe	95
PID 4792 wrote to memory of 3200	4792	fc2813934e8ac0e1c668f59471123b90N.exe	95
PID 3036 wrote to memory of 5080	3036	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe	96
PID 3036 wrote to memory of 5080	3036	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe	96
PID 3036 wrote to memory of 5080	3036	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe	96
PID 3036 wrote to memory of 4784	3036	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe	97
PID 3036 wrote to memory of 4784	3036	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe	97
PID 3036 wrote to memory of 4784	3036	{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe	97
PID 5080 wrote to memory of 2008	5080	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe	101
PID 5080 wrote to memory of 2008	5080	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe	101
PID 5080 wrote to memory of 2008	5080	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe	101
PID 5080 wrote to memory of 3080	5080	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe	102
PID 5080 wrote to memory of 3080	5080	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe	102
PID 5080 wrote to memory of 3080	5080	{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe	102
PID 2008 wrote to memory of 1236	2008	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe	103
PID 2008 wrote to memory of 1236	2008	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe	103
PID 2008 wrote to memory of 1236	2008	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe	103
PID 2008 wrote to memory of 3492	2008	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe	104
PID 2008 wrote to memory of 3492	2008	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe	104
PID 2008 wrote to memory of 3492	2008	{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe	104
PID 1236 wrote to memory of 764	1236	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe	105
PID 1236 wrote to memory of 764	1236	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe	105
PID 1236 wrote to memory of 764	1236	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe	105
PID 1236 wrote to memory of 3828	1236	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe	106
PID 1236 wrote to memory of 3828	1236	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe	106
PID 1236 wrote to memory of 3828	1236	{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe	106
PID 764 wrote to memory of 1620	764	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe	108
PID 764 wrote to memory of 1620	764	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe	108
PID 764 wrote to memory of 1620	764	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe	108
PID 764 wrote to memory of 3140	764	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe	109
PID 764 wrote to memory of 3140	764	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe	109
PID 764 wrote to memory of 3140	764	{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe	109
PID 1620 wrote to memory of 3504	1620	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe	110
PID 1620 wrote to memory of 3504	1620	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe	110
PID 1620 wrote to memory of 3504	1620	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe	110
PID 1620 wrote to memory of 3892	1620	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe	111
PID 1620 wrote to memory of 3892	1620	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe	111
PID 1620 wrote to memory of 3892	1620	{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe	111
PID 3504 wrote to memory of 3320	3504	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe	114
PID 3504 wrote to memory of 3320	3504	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe	114
PID 3504 wrote to memory of 3320	3504	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe	114
PID 3504 wrote to memory of 860	3504	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe	115
PID 3504 wrote to memory of 860	3504	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe	115
PID 3504 wrote to memory of 860	3504	{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe	115
PID 3320 wrote to memory of 1056	3320	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe	118
PID 3320 wrote to memory of 1056	3320	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe	118
PID 3320 wrote to memory of 1056	3320	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe	118
PID 3320 wrote to memory of 4172	3320	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe	119
PID 3320 wrote to memory of 4172	3320	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe	119
PID 3320 wrote to memory of 4172	3320	{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe	119

C:\Users\Admin\AppData\Local\Temp\fc2813934e8ac0e1c668f59471123b90N.exe
"C:\Users\Admin\AppData\Local\Temp\fc2813934e8ac0e1c668f59471123b90N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe
  C:\Windows\{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe
    C:\Windows\{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe
      C:\Windows\{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe
        
        C:\Windows\{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe
        
        C:\Windows\{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
        
        C:\Windows\{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe
        
        C:\Windows\{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1620
        
        C:\Windows\{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe
        
        C:\Windows\{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe
        
        C:\Windows\{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\{1395D9BB-D809-445c-8F5C-5C132157D02E}.exe
        
        C:\Windows\{1395D9BB-D809-445c-8F5C-5C132157D02E}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{960F4~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9D9FC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D5DE~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C502~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DC6E7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3828
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DBC6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3499A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B58BE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\FC2813~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1395D9BB-D809-445c-8F5C-5C132157D02E}.exe

Filesize
213KB

MD5
5e0761a398e8b5144a6a7f8f4feaca9a

SHA1
640cb6fdc4b32f3715409db554a5a01ea298d6f3

SHA256
e7cdcd3fe05284cdf4f943dbe412e3758cb5a9229f4bb9733453f4c8e0760726

SHA512
2459d64f67ffbdc4b961692ac56904afee576cdc32c5b0a1f01ea31039d135c778c2fb99f4efc421f43874bf9e1e492b4594079a73ca276103893b279384c56d

Download Submit
C:\Windows\{3499A4B1-419D-43e1-9488-A4DBF4333F0A}.exe

Filesize
213KB

MD5
c6bccb921a47b927b121727531cc1818

SHA1
05f4411619d60bb11d9b94843dc41f1a0bcf71e7

SHA256
b535782e197205fdc40ac32169d8bae9590ff356b4190413bc76282748c14866

SHA512
7daa2c049a6b64dc1a45f020917f6c2d6dc7dd24cb144f1f5df616b90572314c355f421efc2db5fea62893a62b65909d4eccf2aa3057c0c7952ddd7b76e46cfe

Download Submit
C:\Windows\{7C50232F-A863-4b39-B36C-FDD3EF08C47D}.exe

Filesize
213KB

MD5
0bce5b190c6e0368bbab75fc7b19e601

SHA1
0c87b9fc7942e474b1c3eb07f7cd337cbe96c109

SHA256
79d54504c360ba2e85e1d21906ba83da8bd9abae482441bc4ef3b866886bcac2

SHA512
cb66463a3f6945a9c12d107b4978ecd33898eecb6cabfd86e65778babe8938d500209bdea6a0fcfe4400eea68d8094569bba422e5a76bf737a17594740082a51

Download Submit
C:\Windows\{7DBC60B8-9117-4f20-B23D-2F484BC8BF54}.exe

Filesize
213KB

MD5
1ed8ab6fbf3608b4f610f234b69011be

SHA1
245c672d27c122e04de52a993e21a9068fa6968c

SHA256
a9408cf201998b7b789e7e002a6d5f2ad250faa0706979ee11f1942fe49e0ba4

SHA512
a08215913a3917cbf172ac6d844fc75988f409ccb5f29ea43ca883e28885ce351f5c40c2bbf5e6d733d739e63df4cb0ad9d9a3360afb35e7c1d875a2d03ec242

Download Submit
C:\Windows\{8D5DEBA5-0E46-44d0-B71A-522FCBFDEFB1}.exe

Filesize
213KB

MD5
129e612a89e5843402229a0add8a2ad1

SHA1
eac9029baf2fc86c8aa218487de2fd1487a87619

SHA256
49210a735cbac09c962d518fc166d19d1a2f1988e0d4f06ac1b48883bb0b1bed

SHA512
eee5f88689c51550d9af6b3fc80a0a2b63b0fcb2d40665084a591451262f6e7c4af466c31807443ffd1e8da6c3b4c0a0400fa89fa0fdf6e4fd06201600f95dd5

Download Submit
C:\Windows\{960F4EB4-89A1-4567-B638-A3B7A82FB62E}.exe

Filesize
213KB

MD5
ab4ff6f2d2df9e2aea3b5300daaac764

SHA1
cb0c6d7d235bc36f30c86e4b2452abe380b1c4b6

SHA256
21a211e6354ed7ecc91031f57aed7a792065704a71ce9afb17d47ae23c2f1571

SHA512
1775cc239e0b06aff77fbab3973655c67ba3faf9cd67e3e4988dd63e68c58a37c594889f2dd9b4bfaadfd856511fed270cbdf131295312dfe7500e195cb06d2d

Download Submit
C:\Windows\{9D9FC08A-0DC1-40b4-B20E-D987427CF495}.exe

Filesize
213KB

MD5
c6c51618af1aa6a30056efdb0c70bed6

SHA1
be3e15df12baa8b66b8b652a20c2335aef27bc32

SHA256
a68f41e27e6cd4b0ce2ed2af097b67b9fa2f3326620a91bbae1696e1b2b7ce3b

SHA512
b74b823295cfb9b7e1b98feccb3145ed650e9c2ef9a6f2ec06a2f5154c02de44515f6dbb4cdf1604f6318e94fdd690e341ec41b44b61169a0426b70ba94e2da2

Download Submit
C:\Windows\{B58BE84B-70B3-468a-9838-AEB22A12A3D9}.exe

Filesize
213KB

MD5
d2e65df65800620ddc84ddd973984d99

SHA1
b2cb7e86c76beab59ccb856f5a4e432cfda2d1b9

SHA256
2f864360f96ab234655941e42c539efd8083435c0722d05e11f7fba6ade3ff74

SHA512
4892dbfb4776b24dbe1644b4c1752934a17a6971ffdda3e237d8af58b5fceeb2a53b89d5da161b9b9b5c76841154883acb35f8c84bc91a09eb93288a1916abf6

Download Submit
C:\Windows\{DC6E7983-E8DB-4364-A722-010C4A3162C4}.exe

Filesize
213KB

MD5
dcff44a341f01095b375327242ae6782

SHA1
e9f97a539e74a2fe04909eea8ddcdc71745132c8

SHA256
b755f449db7617b9d5edfbbe8642e12d8fc393498773cc788f25c0ac8afdd102

SHA512
ef776445684f2fbacf329a653d2a49d61b582d7f54dbc23303862106adef5211c5fff0b794e4c84cfbfe04161318202d4e82f172c16fd1e13253ef7997777750

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads