70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 23:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe
Size

90KB
MD5

99cf1c2b45399f13d9887685cc5135d1
SHA1

e1d8bed90aaafaa9ff9024b02041b2d85b982adc
SHA256

70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b
SHA512

8cfb2ced2be002cf18d67070340b7a94dd295d17e12c8aab65cd7486620ae1aeb428d5626da015638187372dccdb351fdd3efc40d8af8db5490077799a78bf9d
SSDEEP

768:Qvw9816vhKQLrov4/wQRNrfrunMxVFA3b7glws:YEGh0ovl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F4872E7-1006-4d35-A292-FCE0B09F82D1}	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D36A350-2702-49f6-8637-D96EEF53C385}\stubpath = "C:\\Windows\\{8D36A350-2702-49f6-8637-D96EEF53C385}.exe"	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}\stubpath = "C:\\Windows\\{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe"	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19AE8156-A30C-41dd-BEA2-BED12226E3CC}	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}	{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAE627DB-6BFB-43b8-93C1-F8F07EBBC732}	{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F4872E7-1006-4d35-A292-FCE0B09F82D1}\stubpath = "C:\\Windows\\{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe"	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}\stubpath = "C:\\Windows\\{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe"	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B28D276F-54F6-4ae0-8C54-69C77BD3367C}\stubpath = "C:\\Windows\\{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe"	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}\stubpath = "C:\\Windows\\{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe"	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19AE8156-A30C-41dd-BEA2-BED12226E3CC}\stubpath = "C:\\Windows\\{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe"	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}\stubpath = "C:\\Windows\\{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe"	{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D36A350-2702-49f6-8637-D96EEF53C385}	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B28D276F-54F6-4ae0-8C54-69C77BD3367C}	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}\stubpath = "C:\\Windows\\{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe"	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}\stubpath = "C:\\Windows\\{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe"	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}\stubpath = "C:\\Windows\\{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe"	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CAE627DB-6BFB-43b8-93C1-F8F07EBBC732}\stubpath = "C:\\Windows\\{CAE627DB-6BFB-43b8-93C1-F8F07EBBC732}.exe"	{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe

Executes dropped EXE 12 IoCs

pid	Process
744	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe
3520	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe
5064	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe
2984	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe
1908	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe
4660	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe
3084	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe
4408	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe
2044	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe
4316	{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe
1976	{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe
3252	{CAE627DB-6BFB-43b8-93C1-F8F07EBBC732}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe
File created	C:\Windows\{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe
File created	C:\Windows\{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe
File created	C:\Windows\{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe
File created	C:\Windows\{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe	{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe
File created	C:\Windows\{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe
File created	C:\Windows\{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe
File created	C:\Windows\{8D36A350-2702-49f6-8637-D96EEF53C385}.exe	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe
File created	C:\Windows\{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe
File created	C:\Windows\{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe
File created	C:\Windows\{CAE627DB-6BFB-43b8-93C1-F8F07EBBC732}.exe	{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe
File created	C:\Windows\{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CAE627DB-6BFB-43b8-93C1-F8F07EBBC732}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4408	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe
Token: SeIncBasePriorityPrivilege	744	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe
Token: SeIncBasePriorityPrivilege	3520	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe
Token: SeIncBasePriorityPrivilege	5064	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe
Token: SeIncBasePriorityPrivilege	2984	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe
Token: SeIncBasePriorityPrivilege	1908	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe
Token: SeIncBasePriorityPrivilege	4660	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe
Token: SeIncBasePriorityPrivilege	3084	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe
Token: SeIncBasePriorityPrivilege	4408	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe
Token: SeIncBasePriorityPrivilege	2044	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe
Token: SeIncBasePriorityPrivilege	4316	{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe
Token: SeIncBasePriorityPrivilege	1976	{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 744	4408	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe	93
PID 4408 wrote to memory of 744	4408	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe	93
PID 4408 wrote to memory of 744	4408	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe	93
PID 4408 wrote to memory of 1624	4408	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe	94
PID 4408 wrote to memory of 1624	4408	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe	94
PID 4408 wrote to memory of 1624	4408	70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe	94
PID 744 wrote to memory of 3520	744	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe	97
PID 744 wrote to memory of 3520	744	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe	97
PID 744 wrote to memory of 3520	744	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe	97
PID 744 wrote to memory of 2140	744	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe	98
PID 744 wrote to memory of 2140	744	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe	98
PID 744 wrote to memory of 2140	744	{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe	98
PID 3520 wrote to memory of 5064	3520	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe	101
PID 3520 wrote to memory of 5064	3520	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe	101
PID 3520 wrote to memory of 5064	3520	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe	101
PID 3520 wrote to memory of 624	3520	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe	102
PID 3520 wrote to memory of 624	3520	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe	102
PID 3520 wrote to memory of 624	3520	{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe	102
PID 5064 wrote to memory of 2984	5064	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe	104
PID 5064 wrote to memory of 2984	5064	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe	104
PID 5064 wrote to memory of 2984	5064	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe	104
PID 5064 wrote to memory of 3772	5064	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe	105
PID 5064 wrote to memory of 3772	5064	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe	105
PID 5064 wrote to memory of 3772	5064	{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe	105
PID 2984 wrote to memory of 1908	2984	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe	106
PID 2984 wrote to memory of 1908	2984	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe	106
PID 2984 wrote to memory of 1908	2984	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe	106
PID 2984 wrote to memory of 3460	2984	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe	107
PID 2984 wrote to memory of 3460	2984	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe	107
PID 2984 wrote to memory of 3460	2984	{8D36A350-2702-49f6-8637-D96EEF53C385}.exe	107
PID 1908 wrote to memory of 4660	1908	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe	109
PID 1908 wrote to memory of 4660	1908	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe	109
PID 1908 wrote to memory of 4660	1908	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe	109
PID 1908 wrote to memory of 112	1908	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe	110
PID 1908 wrote to memory of 112	1908	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe	110
PID 1908 wrote to memory of 112	1908	{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe	110
PID 4660 wrote to memory of 3084	4660	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe	111
PID 4660 wrote to memory of 3084	4660	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe	111
PID 4660 wrote to memory of 3084	4660	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe	111
PID 4660 wrote to memory of 2908	4660	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe	112
PID 4660 wrote to memory of 2908	4660	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe	112
PID 4660 wrote to memory of 2908	4660	{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe	112
PID 3084 wrote to memory of 4408	3084	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe	113
PID 3084 wrote to memory of 4408	3084	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe	113
PID 3084 wrote to memory of 4408	3084	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe	113
PID 3084 wrote to memory of 5036	3084	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe	114
PID 3084 wrote to memory of 5036	3084	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe	114
PID 3084 wrote to memory of 5036	3084	{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe	114
PID 4408 wrote to memory of 2044	4408	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe	119
PID 4408 wrote to memory of 2044	4408	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe	119
PID 4408 wrote to memory of 2044	4408	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe	119
PID 4408 wrote to memory of 3144	4408	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe	120
PID 4408 wrote to memory of 3144	4408	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe	120
PID 4408 wrote to memory of 3144	4408	{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe	120
PID 2044 wrote to memory of 4316	2044	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe	121
PID 2044 wrote to memory of 4316	2044	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe	121
PID 2044 wrote to memory of 4316	2044	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe	121
PID 2044 wrote to memory of 4364	2044	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe	122
PID 2044 wrote to memory of 4364	2044	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe	122
PID 2044 wrote to memory of 4364	2044	{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe	122
PID 4316 wrote to memory of 1976	4316	{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe	128
PID 4316 wrote to memory of 1976	4316	{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe	128
PID 4316 wrote to memory of 1976	4316	{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe	128
PID 4316 wrote to memory of 3344	4316	{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe	129

C:\Users\Admin\AppData\Local\Temp\70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe
"C:\Users\Admin\AppData\Local\Temp\70b0a2e8c19e573ee6baac4cd49de62798ac7195179b3b3ee38d87949ec7912b.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Windows\{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe
  C:\Windows\{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Windows\{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe
    C:\Windows\{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3520
  - - C:\Windows\{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe
      C:\Windows\{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\{8D36A350-2702-49f6-8637-D96EEF53C385}.exe
        
        C:\Windows\{8D36A350-2702-49f6-8637-D96EEF53C385}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe
        
        C:\Windows\{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1908
        
        C:\Windows\{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe
        
        C:\Windows\{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe
        
        C:\Windows\{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3084
        
        C:\Windows\{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe
        
        C:\Windows\{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4408
        
        C:\Windows\{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe
        
        C:\Windows\{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe
        
        C:\Windows\{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4316
        
        C:\Windows\{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe
        
        C:\Windows\{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\{CAE627DB-6BFB-43b8-93C1-F8F07EBBC732}.exe
        
        C:\Windows\{CAE627DB-6BFB-43b8-93C1-F8F07EBBC732}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{35FC2~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19AE8~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3344
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EB745~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6522D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B28D2~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{58EFC~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A63D0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D36A~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{86CD0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3772
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7F487~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:624
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9BF21~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\70B0A2~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{19AE8156-A30C-41dd-BEA2-BED12226E3CC}.exe

Filesize
90KB

MD5
95a0a172cc87bb2510015131e039a5ba

SHA1
002f1d5ee7e33f67c955eef6d78b140e028d1d9c

SHA256
2056da3d001e806ff035b8ef4e004c09f095ed92ff8d940836f89beacfc3462b

SHA512
5e76178848bb77ebac23f756a185a7a363a536be14db9899b77790c7d8eaabc0eea2bbb486293f0d82e8f119a5cb73205464a83a5a7c7c291031d78783cd55ae

Download Submit
C:\Windows\{35FC2BD1-5FEB-4194-8DDB-C064D7F038E6}.exe

Filesize
90KB

MD5
14f76f0b784f96b689053e8d8cf42e03

SHA1
cf6a8a7ad036dfb91dc9187ef1a3a974b80b1c3c

SHA256
e48df43b978397555ebc1009dee4f0a380386678ad28e92729323d6ae12d7480

SHA512
a89778359f8ddedd113e16f1d1afba198918745db48cb11ba3944af6dc1a385244d044e35377312086d1a38cdd6a3fe64fa25914aed579f9169893a54d663471

Download Submit
C:\Windows\{58EFC5F8-4453-48a4-BFCC-2FD9BAC706C6}.exe

Filesize
90KB

MD5
4212baefd621ba6d42a0b93d2bcc85d6

SHA1
e27bf1706ed3494f54cc560a5a984987b82ab5b8

SHA256
47dd87623c3ff3a68babf8f40aee1e79252197e8d6f433a780912a2018cf91d1

SHA512
2fb927c1ca728a736e1fd92447999e580669e183373279e6fbc0e448ea3a8543d64be2f311867abc8ab6ed1f8f16e08ea8eba2790f99ed52add564b668c04f60

Download Submit
C:\Windows\{6522D8BA-5547-4d7f-9E9E-E62B43BDEC8A}.exe

Filesize
90KB

MD5
96d8d79233479aa028cfcc6ab3d0dc2f

SHA1
31a61f86f4a3b9c70362007f915c6daa6b083b12

SHA256
45a3af70c5c65e3978dd3ae6778de9118059c69b95529d3fa5d166a0077a25e6

SHA512
fec1b47524e1da0823cebb59ac54202056d5111b9ec1d29dfe2e19109fb4a5a75d2a928687eb2b4ae7d6f0d935a3316ff01f3caf82f3845c640e7eb7bd6644fd

Download Submit
C:\Windows\{7F4872E7-1006-4d35-A292-FCE0B09F82D1}.exe

Filesize
90KB

MD5
7be8cc617a00a2acd02b1b82e5b98be2

SHA1
cdbad1291e8ea37d849289aafb6e37f68469e8e8

SHA256
5aa5016df49a861049408d041b08cb63943c262ccfdcc8b70d61ca727256d6fb

SHA512
d36b9812d6a25dc950ae4b005fbd7815fa6a4ac92639ef7caae6d02fa8a05a5670d56bca2144e335c3821081944a0ef394b3d3b3ab3fdf42d12dacb111b3a6a1

Download Submit
C:\Windows\{86CD02FD-98E1-4697-B0B7-256CEF9FB4E6}.exe

Filesize
90KB

MD5
795008d294ab33d1df857c2543a470db

SHA1
6041332ef35bfd62b2cc8d09df1bf49467b4c122

SHA256
adafc8c8c07d307ab8a39f724c3ee395ed7397cea96f1f99e903c8c8c92e13f7

SHA512
1c225a89d65e9c9c4033084eac57a033c020a0d8852a382a88c773411cdf8bad71dfacf7e8a608a882f97586dccdf030f7e8aad75725687b4bd6f65ccfddd440

Download Submit
C:\Windows\{8D36A350-2702-49f6-8637-D96EEF53C385}.exe

Filesize
90KB

MD5
2d7a028c21e81538d1fc429bfd5f3605

SHA1
22406b4ba8d9df6436fdba34d05afd5ee183c422

SHA256
ab62ec94040fdadeec7b344d56556e9544a529995a54b7643d6d3f6a02ef4d64

SHA512
e4791d8fcb4e919e62628b31849878b598c0073af95a0fb7b0a82905b9e97b270cb1bd52117030a35335f252e9719edfd302e6aa4c3ef940dd40a53381511157

Download Submit
C:\Windows\{9BF2160C-F8D0-495e-9D08-10E663CC6F9F}.exe

Filesize
90KB

MD5
13e9087b3bf8c20af5ad872e9e53444d

SHA1
0d9f996fa782e308904330c63f4f935b7a6b2be2

SHA256
4cc0b27eaab7a17a1e65278b7ba19714975c01ae70be289ac035a9e29764ee5f

SHA512
1302af7697cdd2828606c50ab5a99025f71cc705d3a7b78cd0d6b61db7958f59e3f5bd5e7f175aea3e7296eb472a292fb7617808ba372cd60091ca4058b76f48

Download Submit
C:\Windows\{A63D0ED7-3625-4b73-8A1C-A6F711449DC4}.exe

Filesize
90KB

MD5
b2d990b6f91dd310fc21e48add283ce2

SHA1
3cb22382d24512b9315000b6e3bbecf3eb8a71e8

SHA256
d53292326d58adfc446f92d6dd26ec4ade5e1f08bf7b0dbcd4f25cf4283b907d

SHA512
17e2dd38f2036cc8ddd8e151724c9faaf80d523fcd306df354507803d94f04a1320c3b07457352963c1d48d2614364d77ca96fd1b9d132c63aec8670731e5a00

Download Submit
C:\Windows\{B28D276F-54F6-4ae0-8C54-69C77BD3367C}.exe

Filesize
90KB

MD5
d7c56a0d135e29772ad1ced8628cf591

SHA1
b9e3d80b28d8d15b854679255ff7094cc42effff

SHA256
37e8e3edbb3d918c49c2f810d04303f79e7a9895147fbb0625320d02582f2246

SHA512
d1ad797fffa6eb21fd2991d563e4f87cc0fcfc2f149112fb0923d3466b0eb2a8feda544250266906a5c44d72e2db1b31f57b677a20935643fdcad241e04ccfa9

Download Submit
C:\Windows\{CAE627DB-6BFB-43b8-93C1-F8F07EBBC732}.exe

Filesize
90KB

MD5
9f13140cf5e59ffe0411980d9c082713

SHA1
09b07e5ba893ccb1e8a7853edb6a23ee160d0422

SHA256
15d0a89bd67c92307b43235c0531be50285562b253ff11b9f00b2ba342b39291

SHA512
9f11f430e4dbca7f997d1804886611332782ee04cca042aab515e6ab0f6430550f90b11420856c6d53277280ef839b1021c30adaab1b64a6d381f5f25d7ba812

Download Submit
C:\Windows\{EB745FAC-FA87-4a53-B7BD-D9F28BECBB7E}.exe

Filesize
90KB

MD5
015609b19d20b1f17c39c866a9590ae0

SHA1
0746d9e8c85f757a5809e1b75a5438cafd3824ba

SHA256
ea8ef4e830edbfd69f194fd53ff8b4a4765b0fce46aa80abe01b4331ff531c2d

SHA512
516063c914ac1ece956f12a43ae57cdf36e3f9f76ee150820057a2abf89ead8dafcc2b60cc8ba9e40b0e16271afcc328143ef32822187769c361fb38ed4042d8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads