2eaf34cb92269f6b509f88b156a2ed547e01dfbe06c5e96c0a2f31b22e095c27

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 11:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab212332e34ee7fbea0dd19dcabc25d0N.exe
Size

79KB
MD5

ab212332e34ee7fbea0dd19dcabc25d0
SHA1

d951ceda1c2b6fe7c4bd11f1c20ba5ecca17de79
SHA256

2eaf34cb92269f6b509f88b156a2ed547e01dfbe06c5e96c0a2f31b22e095c27
SHA512

e9f4ee211bb5b10ace0d0edf79769197418d017971bbf2579c7e94ab8c27cf6af97d5957063c2d748d4845f6dcdb066119d0d665cfcc76495efc4e8c34297b6c
SSDEEP

768:4vw9816vhKQLroR4/wQpWMZ3XOQ69zbjlAAX5e9zz:wEGh0oRloWMZ3izbR9Xwzz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{882698E2-1943-4316-B04C-340D432C9DE8}\stubpath = "C:\\Windows\\{882698E2-1943-4316-B04C-340D432C9DE8}.exe"	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A97D9E4A-9502-494b-AD29-7DF0390FE411}	{882698E2-1943-4316-B04C-340D432C9DE8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEB545A2-8EE2-44b5-9A03-27E262F7D173}\stubpath = "C:\\Windows\\{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe"	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EE2170F-18DB-4a54-9739-B7F50125A26B}\stubpath = "C:\\Windows\\{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe"	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B799FE86-AE7C-4281-887E-1160D6AF1415}\stubpath = "C:\\Windows\\{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe"	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6200158F-B938-4841-B1A8-9EEA48EA4086}	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44DC89B4-2316-494b-95FE-5812BF8021B8}	{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B901051F-B359-438c-97C4-7DCE49B7F261}	ab212332e34ee7fbea0dd19dcabc25d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64F00603-E978-4584-B1EB-6EFCF2A18F6A}	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{64F00603-E978-4584-B1EB-6EFCF2A18F6A}\stubpath = "C:\\Windows\\{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe"	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2EE2170F-18DB-4a54-9739-B7F50125A26B}	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B799FE86-AE7C-4281-887E-1160D6AF1415}	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{882698E2-1943-4316-B04C-340D432C9DE8}	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B901051F-B359-438c-97C4-7DCE49B7F261}\stubpath = "C:\\Windows\\{B901051F-B359-438c-97C4-7DCE49B7F261}.exe"	ab212332e34ee7fbea0dd19dcabc25d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DABB453F-56B5-420b-B9CB-05F344A331AC}	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DABB453F-56B5-420b-B9CB-05F344A331AC}\stubpath = "C:\\Windows\\{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe"	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}\stubpath = "C:\\Windows\\{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe"	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44DC89B4-2316-494b-95FE-5812BF8021B8}\stubpath = "C:\\Windows\\{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe"	{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1638740-299F-421a-B3B4-D36BB22A31BE}	{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F1638740-299F-421a-B3B4-D36BB22A31BE}\stubpath = "C:\\Windows\\{F1638740-299F-421a-B3B4-D36BB22A31BE}.exe"	{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A97D9E4A-9502-494b-AD29-7DF0390FE411}\stubpath = "C:\\Windows\\{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe"	{882698E2-1943-4316-B04C-340D432C9DE8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AEB545A2-8EE2-44b5-9A03-27E262F7D173}	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6200158F-B938-4841-B1A8-9EEA48EA4086}\stubpath = "C:\\Windows\\{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe"	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe

Executes dropped EXE 12 IoCs

pid	Process
4772	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe
388	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe
3396	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe
1640	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe
3860	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe
3512	{882698E2-1943-4316-B04C-340D432C9DE8}.exe
4320	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe
1372	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe
3612	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe
4920	{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe
3856	{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe
2344	{F1638740-299F-421a-B3B4-D36BB22A31BE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe	{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe
File created	C:\Windows\{F1638740-299F-421a-B3B4-D36BB22A31BE}.exe	{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe
File created	C:\Windows\{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe
File created	C:\Windows\{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe
File created	C:\Windows\{882698E2-1943-4316-B04C-340D432C9DE8}.exe	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe
File created	C:\Windows\{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe	{882698E2-1943-4316-B04C-340D432C9DE8}.exe
File created	C:\Windows\{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe
File created	C:\Windows\{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe
File created	C:\Windows\{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe
File created	C:\Windows\{B901051F-B359-438c-97C4-7DCE49B7F261}.exe	ab212332e34ee7fbea0dd19dcabc25d0N.exe
File created	C:\Windows\{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe
File created	C:\Windows\{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab212332e34ee7fbea0dd19dcabc25d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F1638740-299F-421a-B3B4-D36BB22A31BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{882698E2-1943-4316-B04C-340D432C9DE8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4988	ab212332e34ee7fbea0dd19dcabc25d0N.exe
Token: SeIncBasePriorityPrivilege	4772	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe
Token: SeIncBasePriorityPrivilege	388	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe
Token: SeIncBasePriorityPrivilege	3396	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe
Token: SeIncBasePriorityPrivilege	1640	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe
Token: SeIncBasePriorityPrivilege	3860	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe
Token: SeIncBasePriorityPrivilege	3512	{882698E2-1943-4316-B04C-340D432C9DE8}.exe
Token: SeIncBasePriorityPrivilege	4320	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe
Token: SeIncBasePriorityPrivilege	1372	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe
Token: SeIncBasePriorityPrivilege	3612	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe
Token: SeIncBasePriorityPrivilege	4920	{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe
Token: SeIncBasePriorityPrivilege	3856	{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 4772	4988	ab212332e34ee7fbea0dd19dcabc25d0N.exe	94
PID 4988 wrote to memory of 4772	4988	ab212332e34ee7fbea0dd19dcabc25d0N.exe	94
PID 4988 wrote to memory of 4772	4988	ab212332e34ee7fbea0dd19dcabc25d0N.exe	94
PID 4988 wrote to memory of 2488	4988	ab212332e34ee7fbea0dd19dcabc25d0N.exe	95
PID 4988 wrote to memory of 2488	4988	ab212332e34ee7fbea0dd19dcabc25d0N.exe	95
PID 4988 wrote to memory of 2488	4988	ab212332e34ee7fbea0dd19dcabc25d0N.exe	95
PID 4772 wrote to memory of 388	4772	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe	96
PID 4772 wrote to memory of 388	4772	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe	96
PID 4772 wrote to memory of 388	4772	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe	96
PID 4772 wrote to memory of 4532	4772	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe	97
PID 4772 wrote to memory of 4532	4772	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe	97
PID 4772 wrote to memory of 4532	4772	{B901051F-B359-438c-97C4-7DCE49B7F261}.exe	97
PID 388 wrote to memory of 3396	388	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe	101
PID 388 wrote to memory of 3396	388	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe	101
PID 388 wrote to memory of 3396	388	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe	101
PID 388 wrote to memory of 3832	388	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe	102
PID 388 wrote to memory of 3832	388	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe	102
PID 388 wrote to memory of 3832	388	{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe	102
PID 3396 wrote to memory of 1640	3396	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe	103
PID 3396 wrote to memory of 1640	3396	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe	103
PID 3396 wrote to memory of 1640	3396	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe	103
PID 3396 wrote to memory of 1696	3396	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe	104
PID 3396 wrote to memory of 1696	3396	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe	104
PID 3396 wrote to memory of 1696	3396	{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe	104
PID 1640 wrote to memory of 3860	1640	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe	105
PID 1640 wrote to memory of 3860	1640	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe	105
PID 1640 wrote to memory of 3860	1640	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe	105
PID 1640 wrote to memory of 876	1640	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe	106
PID 1640 wrote to memory of 876	1640	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe	106
PID 1640 wrote to memory of 876	1640	{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe	106
PID 3860 wrote to memory of 3512	3860	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe	108
PID 3860 wrote to memory of 3512	3860	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe	108
PID 3860 wrote to memory of 3512	3860	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe	108
PID 3860 wrote to memory of 2080	3860	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe	109
PID 3860 wrote to memory of 2080	3860	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe	109
PID 3860 wrote to memory of 2080	3860	{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe	109
PID 3512 wrote to memory of 4320	3512	{882698E2-1943-4316-B04C-340D432C9DE8}.exe	110
PID 3512 wrote to memory of 4320	3512	{882698E2-1943-4316-B04C-340D432C9DE8}.exe	110
PID 3512 wrote to memory of 4320	3512	{882698E2-1943-4316-B04C-340D432C9DE8}.exe	110
PID 3512 wrote to memory of 1152	3512	{882698E2-1943-4316-B04C-340D432C9DE8}.exe	111
PID 3512 wrote to memory of 1152	3512	{882698E2-1943-4316-B04C-340D432C9DE8}.exe	111
PID 3512 wrote to memory of 1152	3512	{882698E2-1943-4316-B04C-340D432C9DE8}.exe	111
PID 4320 wrote to memory of 1372	4320	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe	114
PID 4320 wrote to memory of 1372	4320	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe	114
PID 4320 wrote to memory of 1372	4320	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe	114
PID 4320 wrote to memory of 3680	4320	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe	115
PID 4320 wrote to memory of 3680	4320	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe	115
PID 4320 wrote to memory of 3680	4320	{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe	115
PID 1372 wrote to memory of 3612	1372	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe	121
PID 1372 wrote to memory of 3612	1372	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe	121
PID 1372 wrote to memory of 3612	1372	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe	121
PID 1372 wrote to memory of 1896	1372	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe	122
PID 1372 wrote to memory of 1896	1372	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe	122
PID 1372 wrote to memory of 1896	1372	{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe	122
PID 3612 wrote to memory of 4920	3612	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe	123
PID 3612 wrote to memory of 4920	3612	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe	123
PID 3612 wrote to memory of 4920	3612	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe	123
PID 3612 wrote to memory of 1072	3612	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe	124
PID 3612 wrote to memory of 1072	3612	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe	124
PID 3612 wrote to memory of 1072	3612	{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe	124
PID 4920 wrote to memory of 3856	4920	{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe	125
PID 4920 wrote to memory of 3856	4920	{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe	125
PID 4920 wrote to memory of 3856	4920	{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe	125
PID 4920 wrote to memory of 2216	4920	{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe	126

C:\Users\Admin\AppData\Local\Temp\ab212332e34ee7fbea0dd19dcabc25d0N.exe
"C:\Users\Admin\AppData\Local\Temp\ab212332e34ee7fbea0dd19dcabc25d0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\{B901051F-B359-438c-97C4-7DCE49B7F261}.exe
  C:\Windows\{B901051F-B359-438c-97C4-7DCE49B7F261}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe
    C:\Windows\{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:388
  - - C:\Windows\{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe
      C:\Windows\{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3396
    - - C:\Windows\{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe
        
        C:\Windows\{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1640
      - C:\Windows\{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe
        
        C:\Windows\{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\{882698E2-1943-4316-B04C-340D432C9DE8}.exe
        
        C:\Windows\{882698E2-1943-4316-B04C-340D432C9DE8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3512
        
        C:\Windows\{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe
        
        C:\Windows\{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe
        
        C:\Windows\{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe
        
        C:\Windows\{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3612
        
        C:\Windows\{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe
        
        C:\Windows\{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4920
        
        C:\Windows\{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe
        
        C:\Windows\{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
        
        C:\Windows\{F1638740-299F-421a-B3B4-D36BB22A31BE}.exe
        
        C:\Windows\{F1638740-299F-421a-B3B4-D36BB22A31BE}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44DC8~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AFE6B~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62001~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AEB54~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A97D9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{88269~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B799F~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2EE21~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DABB4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{64F00~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3832
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B9010~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AB2123~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2EE2170F-18DB-4a54-9739-B7F50125A26B}.exe

Filesize
79KB

MD5
4b178692426658ea25446067355c29b0

SHA1
896946409fe74fa643aa6fb7656a8f3aaa5901c5

SHA256
49b6ea6fa06f77abb7c150f71f1965f4b5ab2f29c47e73783484dcd4ec5a26e4

SHA512
6d6b36b6fd481654e6ec9843b47c55b0a2f9778335e277e46c405fe7cb0f0c707ac2f1c7b937dbff24daec85c24b346b9baf588c5549122a4f5143048643ce6d

Download Submit
C:\Windows\{44DC89B4-2316-494b-95FE-5812BF8021B8}.exe

Filesize
79KB

MD5
11b667d5628e443cd086494da2515134

SHA1
cd87dee8c55dcf8aafccc54ed9b01cadff8cccc8

SHA256
e5485c7f4a34cd8c0f7dff11a54f56cf4a284777a30a2815098bbfd213cee05b

SHA512
c3dd9cdc18fe4f06f64ffe3657571173f0aa17ce2624de50c534ccce640c62afb5182a137ddfed0466863d5f0a47f85bbbf0e43b7d54ea900dfee6ff861c2312

Download Submit
C:\Windows\{6200158F-B938-4841-B1A8-9EEA48EA4086}.exe

Filesize
79KB

MD5
8e6afcba3015e7e492b247df9f68842e

SHA1
d62136e7a38c119fcba82460812d4793a9db6847

SHA256
43dffd96b38793ce8b31ab7122e42c9fde797149bf1a55d9f49d9a65b05ae30d

SHA512
1d102d356ed01175157e27378177cd436c54a9a5d73f6de864f287c660973721def5798bf97c5246b53f9ea4b21f0421b501a31bd3b8b950eb891bb2fca85188

Download Submit
C:\Windows\{64F00603-E978-4584-B1EB-6EFCF2A18F6A}.exe

Filesize
79KB

MD5
b1ec35fd0a7ccdffd0641ce41125cc07

SHA1
7c7a130c762ad1470ed4b3867bf1dd49294e2e01

SHA256
8197ea22f25892c21f706f23b2ddad62d9588580a8cba7018d010f3bef1a223e

SHA512
b2adb4b2756be18a1b48812fc2818b48dc2ac289d0f1e198e97cf5e3f30e932a7b5f0027b652672cd172ab3fb5578462c8016a9f84e88bdc47f7e3ae4434c27b

Download Submit
C:\Windows\{882698E2-1943-4316-B04C-340D432C9DE8}.exe

Filesize
79KB

MD5
c765bc169f948e39900fbf99ded8e802

SHA1
c8ad839e16c78b3bcb36715f429bfe9f8acdac6a

SHA256
8a554a3baedeb27f17be53eb7e9751247f761fc1f05b8eed1353edddc62bce1e

SHA512
e71dd5e72df1eee6ddc7f941f319d7c50c7f2b38642bd872405519ce34c426b5f271025fe8ff830163a7e43fd85530e1c7e953d7c74b563ebc01f48306c96b57

Download Submit
C:\Windows\{A97D9E4A-9502-494b-AD29-7DF0390FE411}.exe

Filesize
79KB

MD5
59783262442b897c8c488f6298ffd7b4

SHA1
d2c88024af109a4ac63cf871a5c9834de5672624

SHA256
782098a18237172b9b6644a5c1d1fa1dd1e9ca03586d158d38f58694332463e8

SHA512
53f3b00d5cd82ca761ee3a7d8e373385dd3bb5639b2946aa8be95b55a9daf2fe0a8a4b3e954d2bedce24966acd5d1ee6a57a4874704ecc9c915ad8b1ed1a65d9

Download Submit
C:\Windows\{AEB545A2-8EE2-44b5-9A03-27E262F7D173}.exe

Filesize
79KB

MD5
9580e56aaa36500ef4e0784a16606437

SHA1
a94049de1c81a8a8961b34d3777442bf6e5c1178

SHA256
70ba153a5ad3c50a3f512c943dab0440e57a836d4bcce2a80e521051c7891340

SHA512
38e44f1f8250c1c0da61488cc5bf0da20822cc92270064e8561360475d25b0dd43c02d79b5644f22d25b5c4e0d99795d6726ce54e0a9fe911bb7b0236b5cb50f

Download Submit
C:\Windows\{AFE6BBF5-39DB-49ca-B30B-B49816C7A045}.exe

Filesize
79KB

MD5
fbebb7bfa30e7d63a3acbf52fcd5a3a6

SHA1
06c64705d98d49c2bf21eba28804e1043a8b40e0

SHA256
ac4300582bedc1010730ffa68d86a9485e410b8946f2ce3aba7605bcb1511206

SHA512
6e834ff843abe10ad7ebac7a37165d2fd11910bea35e2c7c7554021fc76a4eabd5539b149d53fac164182742dced8c38523cf129bf610fdfabed7a9033ae5422

Download Submit
C:\Windows\{B799FE86-AE7C-4281-887E-1160D6AF1415}.exe

Filesize
79KB

MD5
1ce78d6992857c9544aa33ebc8e4d93e

SHA1
f3ec8f691f6ae2fb664afb5ac8335eff0d74611e

SHA256
8043361831ed839930dd230a563b0f4980523f2a1afeed83201d3a80e23d8311

SHA512
d081b8a7cd303e954c378a1e9d1cc3afa927f12f34f32e97047ca739f14c40ffad9e4839457701d63b7d732fb503b931d04750887038e792360e1958dbe9894d

Download Submit
C:\Windows\{B901051F-B359-438c-97C4-7DCE49B7F261}.exe

Filesize
79KB

MD5
59756931f8ac69984cc78ea22c713389

SHA1
ed979b871cbf8a066cb7cab7130aa688f182a2ba

SHA256
9503db07ea5c8494d905a8b764200c9ab07dff8510cabd64618ec4bae6bbdb20

SHA512
4339463369ce0749159d6263e2f5fba70d966d2cf734bf4d66f03fed70c85f4fadd9b2b189c748c746127cc0b2a5d4d471362421fa01859ace6ff30dfa4a2b59

Download Submit
C:\Windows\{DABB453F-56B5-420b-B9CB-05F344A331AC}.exe

Filesize
79KB

MD5
b6136dc6acfb52c57374b39ce0286638

SHA1
a807e08ad408c0fde1912d685b24ebfb816660dd

SHA256
4e9bb04bfa43d9219d001190451fee052507a7af1766722f12e4a6de4adebc18

SHA512
9e561bb3f064ac35f3d80724dd2fa4d6a9e73ac2ef929f68ca577d8380f144ddd730bc7837c9a7445dc65a79bbfacc342ca29dadc9efe322ba8ea58574726f18

Download Submit
C:\Windows\{F1638740-299F-421a-B3B4-D36BB22A31BE}.exe

Filesize
79KB

MD5
c088ed8413cc080d6e28a4256fdfc1c4

SHA1
6bf987a6eb6cc30bf258d7a2c0291aa4659be1fa

SHA256
6f9f4482e61753fe4c72fcaa2cb610390a5f339e6852ede70086f137f59cd8f7

SHA512
f04951be85eda3c4129b597de625a596fa461b6830541831aed011ee0b59cdeb0fd0ae285547924b4d319d360fe8c705b0ddbedfa20e7753a70a16c0c97a4362

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads