9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2024, 01:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
Size

91KB
MD5

6aaa82a1a35c888202a679ac95600143
SHA1

eedffc86062dbea12402bc12f7a421c3e0eeb688
SHA256

9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973
SHA512

f2e354120f5737297c6a2bb592b31bc5a851cedfc23e61bf4208b8c9dd3e68d7cf3c69647a25ffdf222d29aa83c7d01ae75c64ea4350fc402711ce0f31466d13
SSDEEP

768:5vw9816uhKiroZ4/wQNNrfrunMxVFA3b7t:lEGkmoZlCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84E3B941-3370-45ce-82F7-DAEB6891333A}\stubpath = "C:\\Windows\\{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe"	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E09CCF96-666E-4a8f-8DE0-95B81C632C39}\stubpath = "C:\\Windows\\{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe"	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEC1A464-4222-4c62-9F0A-1A80052BC306}	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A01626C-4AED-477f-B7AE-3B28375E17B6}\stubpath = "C:\\Windows\\{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe"	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04BD50CB-D648-4068-AB57-59FF3F6D5F14}\stubpath = "C:\\Windows\\{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe"	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}\stubpath = "C:\\Windows\\{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe"	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E09CCF96-666E-4a8f-8DE0-95B81C632C39}	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A01626C-4AED-477f-B7AE-3B28375E17B6}	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7976CD4-1994-41f8-9599-33503C486A7B}	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}\stubpath = "C:\\Windows\\{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe"	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}	{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84E3B941-3370-45ce-82F7-DAEB6891333A}	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}\stubpath = "C:\\Windows\\{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe"	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04BD50CB-D648-4068-AB57-59FF3F6D5F14}	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA498AF-8683-4af7-92CD-42E4BAC00341}	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BCA498AF-8683-4af7-92CD-42E4BAC00341}\stubpath = "C:\\Windows\\{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe"	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}\stubpath = "C:\\Windows\\{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe"	{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FEC1A464-4222-4c62-9F0A-1A80052BC306}\stubpath = "C:\\Windows\\{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe"	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7976CD4-1994-41f8-9599-33503C486A7B}\stubpath = "C:\\Windows\\{A7976CD4-1994-41f8-9599-33503C486A7B}.exe"	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF3FCF63-1BF2-4965-A491-7B7D86D989A2}	{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF3FCF63-1BF2-4965-A491-7B7D86D989A2}\stubpath = "C:\\Windows\\{FF3FCF63-1BF2-4965-A491-7B7D86D989A2}.exe"	{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe

Executes dropped EXE 12 IoCs

pid	Process
3608	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe
2436	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe
1188	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe
1464	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe
4576	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe
4264	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe
4660	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe
2664	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe
224	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe
4772	{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe
4200	{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe
5112	{FF3FCF63-1BF2-4965-A491-7B7D86D989A2}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe
File created	C:\Windows\{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe
File created	C:\Windows\{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe
File created	C:\Windows\{A7976CD4-1994-41f8-9599-33503C486A7B}.exe	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe
File created	C:\Windows\{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe
File created	C:\Windows\{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe	{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe
File created	C:\Windows\{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
File created	C:\Windows\{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe
File created	C:\Windows\{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe
File created	C:\Windows\{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe
File created	C:\Windows\{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe
File created	C:\Windows\{FF3FCF63-1BF2-4965-A491-7B7D86D989A2}.exe	{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF3FCF63-1BF2-4965-A491-7B7D86D989A2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1772	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
Token: SeIncBasePriorityPrivilege	3608	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe
Token: SeIncBasePriorityPrivilege	2436	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe
Token: SeIncBasePriorityPrivilege	1188	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe
Token: SeIncBasePriorityPrivilege	1464	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe
Token: SeIncBasePriorityPrivilege	4576	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe
Token: SeIncBasePriorityPrivilege	4264	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe
Token: SeIncBasePriorityPrivilege	4660	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe
Token: SeIncBasePriorityPrivilege	2664	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe
Token: SeIncBasePriorityPrivilege	224	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe
Token: SeIncBasePriorityPrivilege	4772	{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe
Token: SeIncBasePriorityPrivilege	4200	{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1772 wrote to memory of 3608	1772	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	95
PID 1772 wrote to memory of 3608	1772	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	95
PID 1772 wrote to memory of 3608	1772	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	95
PID 1772 wrote to memory of 2544	1772	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	96
PID 1772 wrote to memory of 2544	1772	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	96
PID 1772 wrote to memory of 2544	1772	9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe	96
PID 3608 wrote to memory of 2436	3608	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe	97
PID 3608 wrote to memory of 2436	3608	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe	97
PID 3608 wrote to memory of 2436	3608	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe	97
PID 3608 wrote to memory of 1904	3608	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe	98
PID 3608 wrote to memory of 1904	3608	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe	98
PID 3608 wrote to memory of 1904	3608	{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe	98
PID 2436 wrote to memory of 1188	2436	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe	101
PID 2436 wrote to memory of 1188	2436	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe	101
PID 2436 wrote to memory of 1188	2436	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe	101
PID 2436 wrote to memory of 1240	2436	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe	102
PID 2436 wrote to memory of 1240	2436	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe	102
PID 2436 wrote to memory of 1240	2436	{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe	102
PID 1188 wrote to memory of 1464	1188	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe	103
PID 1188 wrote to memory of 1464	1188	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe	103
PID 1188 wrote to memory of 1464	1188	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe	103
PID 1188 wrote to memory of 2356	1188	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe	104
PID 1188 wrote to memory of 2356	1188	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe	104
PID 1188 wrote to memory of 2356	1188	{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe	104
PID 1464 wrote to memory of 4576	1464	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe	106
PID 1464 wrote to memory of 4576	1464	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe	106
PID 1464 wrote to memory of 4576	1464	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe	106
PID 1464 wrote to memory of 2124	1464	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe	107
PID 1464 wrote to memory of 2124	1464	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe	107
PID 1464 wrote to memory of 2124	1464	{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe	107
PID 4576 wrote to memory of 4264	4576	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe	109
PID 4576 wrote to memory of 4264	4576	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe	109
PID 4576 wrote to memory of 4264	4576	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe	109
PID 4576 wrote to memory of 3172	4576	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe	110
PID 4576 wrote to memory of 3172	4576	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe	110
PID 4576 wrote to memory of 3172	4576	{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe	110
PID 4264 wrote to memory of 4660	4264	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe	111
PID 4264 wrote to memory of 4660	4264	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe	111
PID 4264 wrote to memory of 4660	4264	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe	111
PID 4264 wrote to memory of 2948	4264	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe	112
PID 4264 wrote to memory of 2948	4264	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe	112
PID 4264 wrote to memory of 2948	4264	{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe	112
PID 4660 wrote to memory of 2664	4660	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe	115
PID 4660 wrote to memory of 2664	4660	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe	115
PID 4660 wrote to memory of 2664	4660	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe	115
PID 4660 wrote to memory of 464	4660	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe	116
PID 4660 wrote to memory of 464	4660	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe	116
PID 4660 wrote to memory of 464	4660	{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe	116
PID 2664 wrote to memory of 224	2664	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe	119
PID 2664 wrote to memory of 224	2664	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe	119
PID 2664 wrote to memory of 224	2664	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe	119
PID 2664 wrote to memory of 3768	2664	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe	120
PID 2664 wrote to memory of 3768	2664	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe	120
PID 2664 wrote to memory of 3768	2664	{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe	120
PID 224 wrote to memory of 4772	224	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe	121
PID 224 wrote to memory of 4772	224	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe	121
PID 224 wrote to memory of 4772	224	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe	121
PID 224 wrote to memory of 2960	224	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe	122
PID 224 wrote to memory of 2960	224	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe	122
PID 224 wrote to memory of 2960	224	{A7976CD4-1994-41f8-9599-33503C486A7B}.exe	122
PID 4772 wrote to memory of 4200	4772	{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe	123
PID 4772 wrote to memory of 4200	4772	{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe	123
PID 4772 wrote to memory of 4200	4772	{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe	123
PID 4772 wrote to memory of 3892	4772	{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe	124

C:\Users\Admin\AppData\Local\Temp\9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe
"C:\Users\Admin\AppData\Local\Temp\9e5d336a755c0f271a610e42f9b9bc0f828b1a700d187cd119c3560e57d13973.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1772
- C:\Windows\{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe
  C:\Windows\{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3608
- - C:\Windows\{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe
    C:\Windows\{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2436
  - - C:\Windows\{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe
      C:\Windows\{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe
        
        C:\Windows\{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe
        
        C:\Windows\{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe
        
        C:\Windows\{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Windows\{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe
        
        C:\Windows\{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe
        
        C:\Windows\{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\{A7976CD4-1994-41f8-9599-33503C486A7B}.exe
        
        C:\Windows\{A7976CD4-1994-41f8-9599-33503C486A7B}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Windows\{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe
        
        C:\Windows\{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4772
        
        C:\Windows\{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe
        
        C:\Windows\{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4200
        
        C:\Windows\{FF3FCF63-1BF2-4965-A491-7B7D86D989A2}.exe
        
        C:\Windows\{FF3FCF63-1BF2-4965-A491-7B7D86D989A2}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9ECCA~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB7A7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7976~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BCA49~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3768
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{04BD5~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37722~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9A016~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FEC1A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2124
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E09CC~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{84E3B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1240
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EA381~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1904
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9E5D33~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04BD50CB-D648-4068-AB57-59FF3F6D5F14}.exe

Filesize
91KB

MD5
9e060fe857aaa3babe3eaaebaf6ab0bc

SHA1
0b80c8e2bf8300014af745c78e1be5ea5a27a42c

SHA256
6305338e241227754a69cd3630e23f9d975c867a06a6c5247aeb33da30eeeab5

SHA512
6bcaa2126634f0fec89497bb1573720e96630f5be163f4d7e53d799d0895fb6f872bf852f6b6d3b976de38a0eabf6334f64abff5be91678db5b615ca57ccb227

Download Submit
C:\Windows\{37722EFD-DA1F-4614-83E0-8B4F2CD36FC2}.exe

Filesize
91KB

MD5
709dd2cb7af4f929aa9f9319b16a78c5

SHA1
93aa22581a3317a990181a9b405484bd16888357

SHA256
fd2ca72ae7211e9e7d91f2bc14bdb5c849f33f6bf6dba0f1fec078714af632d6

SHA512
9016fa07b273f8f5c6d3fb27f71bc34f714b947d806b4b6321c42e66418bc9bfbd3dd2b05f502831fe784055b18197dd0f651a80a1df74145474ebc003794c91

Download Submit
C:\Windows\{84E3B941-3370-45ce-82F7-DAEB6891333A}.exe

Filesize
91KB

MD5
7f53a229f1b4b1b6355215f9f6fa1c37

SHA1
1e01830a48b1b0d7c507e21a742c7cc377513e7e

SHA256
7b0027939d39ba619b652b4d78d2c502639db8e6bbaad63733cd62308ec3636e

SHA512
12b4faf6256191c59106a90f1468a4ac4f47be02916e42e290453b1994eca854fef62c8fc7e8cc619bd8478f5ea9fe9988af089ffe75eb80d56cb649cff7181d

Download Submit
C:\Windows\{9A01626C-4AED-477f-B7AE-3B28375E17B6}.exe

Filesize
91KB

MD5
0f49354961199c71b4f72d33e8d972fe

SHA1
6e28e27d3db0bef1db024ec6d3bb47fe7ec062cf

SHA256
10f79db2a9d88455b92e29f0dceb97fb2ab4081f5a4942df4fa18fb6fbfbd6f5

SHA512
4e4a1b751b1589b738582ee7375d3f6c70d92a41a67073970b9a7a2537a4a78f63071652ab4cdc93c6ea025095446484a1d7af2d31322093be54996fa0ac5c39

Download Submit
C:\Windows\{9ECCABEC-AFA7-4fcb-A3B7-339193E4C771}.exe

Filesize
91KB

MD5
a783ce1f904e520425e6f71f977983d2

SHA1
e3798b3df7c6af0112e0e828fd314f8d455e8c1b

SHA256
4c8d07a0202e5eac43fd213e47f25978e6aa43edfa6d963df6f64d975d80647e

SHA512
f36687eb199430d3307c5e0912cf60c02dc6f109c19e8472cb4c6d1bce7de9a03ad1b102cc4006d076bde3a3f744c39cfa43f3e8bcadde5494c6a3b2fcb2cd94

Download Submit
C:\Windows\{A7976CD4-1994-41f8-9599-33503C486A7B}.exe

Filesize
91KB

MD5
37635122643f6ccb41f316e135da0a32

SHA1
a3e5febcd916f02901e6135110128571079a21e0

SHA256
3ba6a4ecedb90eb9629cb84687d762e6387052e0e4e9526774743283d30f28ac

SHA512
3acfc7650294438dd8c365dba41c9aaecdc2c19ca2842af48c3e2d4cad6a2ee849b871a5e71491df0fddf87630f10403cdd598aea5519aa8b05d471f17914578

Download Submit
C:\Windows\{BB7A7E54-FD4B-4fb1-A841-7B9C10E04B7E}.exe

Filesize
91KB

MD5
3259e3acc58c62d968124842d766f0dc

SHA1
2cb7d3aebbfdeba444331c692c775e8efaa1b0a7

SHA256
aa18540df0bf356ceadf33ce32f2e4a83731d8080ce86ef154605aed8d7c9dba

SHA512
66e857483a0716091b9f96969c3ae95d15311f26261703d9e373d3f185d79544859ba88636b196a19da344f4733536204f4f9870063ed3fca223ec4ceffc6b9a

Download Submit
C:\Windows\{BCA498AF-8683-4af7-92CD-42E4BAC00341}.exe

Filesize
91KB

MD5
bb1403a881a199a76c49b4071b969959

SHA1
72952a5af061075eb8a1f3d3ba618a95a83e469c

SHA256
bf562b94357e62cf2e8577d50190a4087e630ed3f7421f1b26ad94fb123c0de3

SHA512
4a22652c0d30efe0e8ffaed8721a6ba59a1f851eab7ebb24e1397727c236dde9c7df281db7ab14dffd0c65d6d33c90fc456169f7b857c3e438a587028be9754f

Download Submit
C:\Windows\{E09CCF96-666E-4a8f-8DE0-95B81C632C39}.exe

Filesize
91KB

MD5
37d6491ae473f29822448d5398fe9bd4

SHA1
4c3fba7fd1d6491aadd9350609aa045aac5eeefa

SHA256
a62037b4c24b42554de3eb9787e13f717a2b6b5818421ebde44b70804cd480ea

SHA512
d7e3a77330c31016ba934b4c1d092ac777831db60e55587e82a79274875b2a38e5a4d72113842b0ed77a5500bede3db6f88175b6ee25b9d42880c8050bba2c5c

Download Submit
C:\Windows\{EA3815D8-AF68-4ea7-8DAF-5662B991D5B4}.exe

Filesize
91KB

MD5
7845a47128b4a3bd86623d13d5080c46

SHA1
82d249da39a8e2b5198471a37340b91bfa0dfaab

SHA256
a857444f730fc5b603c530f3bf1e3a3ccfa064f9e4892e839db37c3aad777537

SHA512
010d65368a91e88239dce8633922ba666fa2a58af21dbd6b8862246afbcf287720ba741d213a6a128c0a88948d33e9829586e7e966374bb5323148da279043b3

Download Submit
C:\Windows\{FEC1A464-4222-4c62-9F0A-1A80052BC306}.exe

Filesize
91KB

MD5
4fc0dd551f05716b755f3fd20d4103b1

SHA1
3344dff769d3773be388601d7f7707a8ceae3583

SHA256
0ec8018a54d3eeb19eba64738ab339f642d0d437abce281e9c108cf55448755d

SHA512
9576846a43bbd5ebcb1f9fe55ec2b28e3520a8bcfb96731eef1ade63b34c5e302ef90f39855da500369f85b7c93b9304ebb18e6681e7dad3827e84d264fc3b1a

Download Submit
C:\Windows\{FF3FCF63-1BF2-4965-A491-7B7D86D989A2}.exe

Filesize
91KB

MD5
2b4ffa19b7aa5553451f4a1b234ec3c9

SHA1
40237e03711ccf07916a1f5d214b1a26328c7c64

SHA256
4f1b39325bea2efecb2cf9984fdeabc65b715f88d504d3bd8c0998083d217ad0

SHA512
fc0a0f1c33484045f2875ee118e8bccbdee6baa14689832fcf35cd0380eed1e384a9b6668140146289816542c10347687bd498b571a14acaaf07b4109234d111

Download Submit
memory/224-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/224-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1188-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1188-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1464-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1464-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1772-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1772-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1772-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2436-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2436-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2664-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2664-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3608-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3608-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3608-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4200-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4200-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4264-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4264-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4576-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4576-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4660-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4660-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4772-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5112-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads