42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/08/2024, 21:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe
Size

168KB
MD5

91a1c84ea25b6c01ee61a56f98d8ecd5
SHA1

5b77dfd2b06c523b783d6d335951ff6efa4d8309
SHA256

42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce
SHA512

281cf1f843532a5da4c2d84e3772b2ad386da467d0933b5b4f89428a5db13e59e08131215c0c70aac2ed406aea041121202908b08553717e29f30ad46f132406
SSDEEP

192:pbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwiUr4/CFxyNhoy5t:pbLwOs8AHsc4sMfwhKQLrofr4/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1560E014-CC56-4a82-9B8E-F48C275FADB1}\stubpath = "C:\\Windows\\{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe"	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5213628B-E1A6-41a8-90C4-ACB99C38E42E}	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5213628B-E1A6-41a8-90C4-ACB99C38E42E}\stubpath = "C:\\Windows\\{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe"	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5AB878B-AC0B-4308-8F95-568A9857F073}	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3967BCC-B956-45a9-A0FC-89694E02673B}	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA6F6D98-B821-48bf-933B-DD87E16906E0}	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1560E014-CC56-4a82-9B8E-F48C275FADB1}	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}\stubpath = "C:\\Windows\\{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe"	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69553452-CEB3-4ada-95F8-A739A17190A5}	{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59AB9BD9-0CF9-472e-8DC7-93AFA703C741}\stubpath = "C:\\Windows\\{59AB9BD9-0CF9-472e-8DC7-93AFA703C741}.exe"	{69553452-CEB3-4ada-95F8-A739A17190A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}\stubpath = "C:\\Windows\\{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe"	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69553452-CEB3-4ada-95F8-A739A17190A5}\stubpath = "C:\\Windows\\{69553452-CEB3-4ada-95F8-A739A17190A5}.exe"	{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{59AB9BD9-0CF9-472e-8DC7-93AFA703C741}	{69553452-CEB3-4ada-95F8-A739A17190A5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B8FE425-A293-4bc3-80B7-26C2FA031862}	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9B8FE425-A293-4bc3-80B7-26C2FA031862}\stubpath = "C:\\Windows\\{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe"	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E84AD622-33DE-4b22-A236-C86FADE18EA5}\stubpath = "C:\\Windows\\{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe"	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5AB878B-AC0B-4308-8F95-568A9857F073}\stubpath = "C:\\Windows\\{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe"	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3967BCC-B956-45a9-A0FC-89694E02673B}\stubpath = "C:\\Windows\\{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe"	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}\stubpath = "C:\\Windows\\{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe"	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA6F6D98-B821-48bf-933B-DD87E16906E0}\stubpath = "C:\\Windows\\{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe"	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E84AD622-33DE-4b22-A236-C86FADE18EA5}	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe

Executes dropped EXE 12 IoCs

pid	Process
2816	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe
3672	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe
4640	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe
1108	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe
2568	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe
3440	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe
5000	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe
4536	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe
920	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe
1068	{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe
3412	{69553452-CEB3-4ada-95F8-A739A17190A5}.exe
1424	{59AB9BD9-0CF9-472e-8DC7-93AFA703C741}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe
File created	C:\Windows\{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe
File created	C:\Windows\{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe
File created	C:\Windows\{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe
File created	C:\Windows\{59AB9BD9-0CF9-472e-8DC7-93AFA703C741}.exe	{69553452-CEB3-4ada-95F8-A739A17190A5}.exe
File created	C:\Windows\{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe
File created	C:\Windows\{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe
File created	C:\Windows\{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe
File created	C:\Windows\{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe
File created	C:\Windows\{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe
File created	C:\Windows\{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe
File created	C:\Windows\{69553452-CEB3-4ada-95F8-A739A17190A5}.exe	{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{59AB9BD9-0CF9-472e-8DC7-93AFA703C741}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69553452-CEB3-4ada-95F8-A739A17190A5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1572	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe
Token: SeIncBasePriorityPrivilege	2816	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe
Token: SeIncBasePriorityPrivilege	3672	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe
Token: SeIncBasePriorityPrivilege	4640	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe
Token: SeIncBasePriorityPrivilege	1108	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe
Token: SeIncBasePriorityPrivilege	2568	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe
Token: SeIncBasePriorityPrivilege	3440	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe
Token: SeIncBasePriorityPrivilege	5000	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe
Token: SeIncBasePriorityPrivilege	4536	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe
Token: SeIncBasePriorityPrivilege	920	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe
Token: SeIncBasePriorityPrivilege	1068	{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe
Token: SeIncBasePriorityPrivilege	3412	{69553452-CEB3-4ada-95F8-A739A17190A5}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2816	1572	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe	97
PID 1572 wrote to memory of 2816	1572	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe	97
PID 1572 wrote to memory of 2816	1572	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe	97
PID 1572 wrote to memory of 1004	1572	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe	98
PID 1572 wrote to memory of 1004	1572	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe	98
PID 1572 wrote to memory of 1004	1572	42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe	98
PID 2816 wrote to memory of 3672	2816	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe	99
PID 2816 wrote to memory of 3672	2816	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe	99
PID 2816 wrote to memory of 3672	2816	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe	99
PID 2816 wrote to memory of 1624	2816	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe	100
PID 2816 wrote to memory of 1624	2816	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe	100
PID 2816 wrote to memory of 1624	2816	{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe	100
PID 3672 wrote to memory of 4640	3672	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe	104
PID 3672 wrote to memory of 4640	3672	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe	104
PID 3672 wrote to memory of 4640	3672	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe	104
PID 3672 wrote to memory of 2376	3672	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe	105
PID 3672 wrote to memory of 2376	3672	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe	105
PID 3672 wrote to memory of 2376	3672	{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe	105
PID 4640 wrote to memory of 1108	4640	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe	106
PID 4640 wrote to memory of 1108	4640	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe	106
PID 4640 wrote to memory of 1108	4640	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe	106
PID 4640 wrote to memory of 4976	4640	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe	107
PID 4640 wrote to memory of 4976	4640	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe	107
PID 4640 wrote to memory of 4976	4640	{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe	107
PID 1108 wrote to memory of 2568	1108	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe	108
PID 1108 wrote to memory of 2568	1108	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe	108
PID 1108 wrote to memory of 2568	1108	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe	108
PID 1108 wrote to memory of 4852	1108	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe	109
PID 1108 wrote to memory of 4852	1108	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe	109
PID 1108 wrote to memory of 4852	1108	{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe	109
PID 2568 wrote to memory of 3440	2568	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe	111
PID 2568 wrote to memory of 3440	2568	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe	111
PID 2568 wrote to memory of 3440	2568	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe	111
PID 2568 wrote to memory of 3948	2568	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe	112
PID 2568 wrote to memory of 3948	2568	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe	112
PID 2568 wrote to memory of 3948	2568	{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe	112
PID 3440 wrote to memory of 5000	3440	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe	113
PID 3440 wrote to memory of 5000	3440	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe	113
PID 3440 wrote to memory of 5000	3440	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe	113
PID 3440 wrote to memory of 4140	3440	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe	114
PID 3440 wrote to memory of 4140	3440	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe	114
PID 3440 wrote to memory of 4140	3440	{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe	114
PID 5000 wrote to memory of 4536	5000	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe	115
PID 5000 wrote to memory of 4536	5000	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe	115
PID 5000 wrote to memory of 4536	5000	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe	115
PID 5000 wrote to memory of 4084	5000	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe	116
PID 5000 wrote to memory of 4084	5000	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe	116
PID 5000 wrote to memory of 4084	5000	{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe	116
PID 4536 wrote to memory of 920	4536	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe	125
PID 4536 wrote to memory of 920	4536	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe	125
PID 4536 wrote to memory of 920	4536	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe	125
PID 4536 wrote to memory of 892	4536	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe	126
PID 4536 wrote to memory of 892	4536	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe	126
PID 4536 wrote to memory of 892	4536	{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe	126
PID 920 wrote to memory of 1068	920	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe	127
PID 920 wrote to memory of 1068	920	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe	127
PID 920 wrote to memory of 1068	920	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe	127
PID 920 wrote to memory of 984	920	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe	128
PID 920 wrote to memory of 984	920	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe	128
PID 920 wrote to memory of 984	920	{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe	128
PID 1068 wrote to memory of 3412	1068	{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe	132
PID 1068 wrote to memory of 3412	1068	{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe	132
PID 1068 wrote to memory of 3412	1068	{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe	132
PID 1068 wrote to memory of 408	1068	{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe	133

C:\Users\Admin\AppData\Local\Temp\42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe
"C:\Users\Admin\AppData\Local\Temp\42d6f5bfbe875136ccab4c70e1dfcd094679e3b017096da516f376bbd0589bce.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Windows\{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe
  C:\Windows\{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe
    C:\Windows\{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe
      C:\Windows\{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4640
    - - C:\Windows\{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe
        
        C:\Windows\{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
      - C:\Windows\{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe
        
        C:\Windows\{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Windows\{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe
        
        C:\Windows\{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe
        
        C:\Windows\{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5000
        
        C:\Windows\{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe
        
        C:\Windows\{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4536
        
        C:\Windows\{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe
        
        C:\Windows\{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe
        
        C:\Windows\{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\{69553452-CEB3-4ada-95F8-A739A17190A5}.exe
        
        C:\Windows\{69553452-CEB3-4ada-95F8-A739A17190A5}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3412
        
        C:\Windows\{59AB9BD9-0CF9-472e-8DC7-93AFA703C741}.exe
        
        C:\Windows\{59AB9BD9-0CF9-472e-8DC7-93AFA703C741}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69553~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3662D~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{52136~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:984
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F599A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1560E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D3967~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4140
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B5AB8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E84AD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA6F6~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4976
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{9B8FE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2376
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{BD70D~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\42D6F5~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1560E014-CC56-4a82-9B8E-F48C275FADB1}.exe

Filesize
168KB

MD5
f248fb79d882897ab48ab5fd750c1f8e

SHA1
b463e1ab111eb43b04ef0d6d0a05923bd7559d62

SHA256
873ce35d77280277a2ac7d07dbec85f3255622dad0da6cfbba2cb30012f8565a

SHA512
26db2f070ed3cefba28d681b7c27e1a4b2b79aba71dfb77251e6bc510f1304983c17183abfa70e48879d45d07de22ae7947a41379684aed392bc81c7ccdc45c9

Download Submit
C:\Windows\{3662D7ED-0D1D-422d-8BA1-D160C75B34FF}.exe

Filesize
168KB

MD5
8fd7c82141141356c19b7fbb85c9d6ec

SHA1
9442b3cf807a25fd9a9b86c1911683c1c597caa9

SHA256
a61b0760db8b0b0a7d4e03047deef69bf138c751fc2972fcb26c464a1d42e208

SHA512
46b426187471c76e205278faad720a3e6ab59c4bd138dce22ff280fc8163ea695a8f227c20a99783b24662cc02d74da0b4d414849323af9738a863f8746fb124

Download Submit
C:\Windows\{5213628B-E1A6-41a8-90C4-ACB99C38E42E}.exe

Filesize
168KB

MD5
849fbdf0113315bbf27708b4577c8a66

SHA1
7b377265ca005adedbe4356655436cfac5755729

SHA256
fa69ed43e993d39165b35e4217394fc00c935d42a7ed5390cdf5b8b32e215ca9

SHA512
84157c51dd9bef0e594229fdeb1fa2b207cbd91084ba2ecb3abc1cf21daa29089662cde67f4e224a2a44643aca37506dfd854c1ed2177c31fe791b630b664046

Download Submit
C:\Windows\{59AB9BD9-0CF9-472e-8DC7-93AFA703C741}.exe

Filesize
168KB

MD5
f8f9f954de96400be7282a04813768bd

SHA1
11116c99209408ebd951e25d68ce9f9af0095065

SHA256
c1ec3e0f447e15cacfa3f0ec482b3c87a62211a9ccaa9774eef525dd19237650

SHA512
2b4f349c335a6af53e266ad2999e0c49b919a81d1c140132c85530493c859637fa17c6fa7b6c3a73e0076406e21024f6bd33ec19beb1c27d17197de1d62c0345

Download Submit
C:\Windows\{69553452-CEB3-4ada-95F8-A739A17190A5}.exe

Filesize
168KB

MD5
d542e5cc5f91ba9edaf7b91957ff229d

SHA1
2047eeec4457c184d54f6651256fe063b4f48e87

SHA256
d6b2eae0929e7136d1eec8fadc07870c5f8a9da4be30afee0b05cbb640661e3f

SHA512
077ecacc30251cec9826cb5a078051a0eadf7f322f08c53c559bfdc34d944063d906fbdf411c6bf73304161011518610f07e802dfba75e945cb0932b78467cb2

Download Submit
C:\Windows\{9B8FE425-A293-4bc3-80B7-26C2FA031862}.exe

Filesize
168KB

MD5
4c2d9287d242776c74b9a7904505e848

SHA1
164f2fcd0ff70d7fc0955c718158a64b1ad6b896

SHA256
55cdf1528e4f621d0b4974447b7b0c77075f055e02afb129e8af93ec667899e2

SHA512
94817a642347f874842b5d05a4435eaf39bea234689831dd0edaefeecb29c437aadbbf9b2de53f8a00951d0ad7347c902a44f506962149f4245d7e76a3bc13d3

Download Submit
C:\Windows\{B5AB878B-AC0B-4308-8F95-568A9857F073}.exe

Filesize
168KB

MD5
b56740bde8506feb7b3fefa4ecaad70e

SHA1
ba1b6d0f1ec7beb52176ee489fb7544d53ee4008

SHA256
396bab71437e41daa821ce5b0784d2b335644e5e26ff6389c4d20de1d9578fa8

SHA512
8190eae4af7232d5c6388513d229e373f4b56f36b045895179892cd3e11ee5aa999ab551a7fc068022105ac40b5432b064e908d227636f4e62c974619021dd68

Download Submit
C:\Windows\{BD70DCB4-75A0-4378-A22F-98B92B71D3FF}.exe

Filesize
168KB

MD5
68fda165bb96b1b43e70267447201de8

SHA1
a6e957d669889303d042c52a1e35fec3eeb5cf90

SHA256
2024dd01d435a7a0662271061211dd4ebc1cb17e5db2fcb31209ca781566e789

SHA512
8b68d47c8445e309fdff9cbb92cd2be42c8b6ae1324dd5d01b3b5fd79e8099009e054460f84d0f85e39f8fcf69080060d4816b8e19a547af9020f6576a73efb0

Download Submit
C:\Windows\{D3967BCC-B956-45a9-A0FC-89694E02673B}.exe

Filesize
168KB

MD5
9b0edd21c519420b6eb57b29528f8294

SHA1
ed7eec37ff2fc782fac293e47db85df794af9048

SHA256
b6e6e856ae558bb87931420fd54f570f5a6cbfd1ce879938bdc1aab72f659cd3

SHA512
e23a6df61f8a7f30ab1147339dc5116f62ed3a0a0e4a1035957528c2ee223db6f30bb0dd4783db2f41ff2bc85f16451adda8ef60a7674b5d4a47c46cb1533e97

Download Submit
C:\Windows\{DA6F6D98-B821-48bf-933B-DD87E16906E0}.exe

Filesize
168KB

MD5
aa70f09106193a7e1da987a3c38bc94e

SHA1
997841abbba229b348c7ac27a00a2cd69d7dbe24

SHA256
9e2232506a7f66476dde0d914854cda9729b0a89ea78f0d09e3112450968a6c9

SHA512
ce12cf37773c4a6299b5aa277c9b9eddd61ea1d8435c84835133ec5ca9b47cb17b5de4a3f123ddd7ddb610615ffffef93587da49386f3e73bc2658890f2255fd

Download Submit
C:\Windows\{E84AD622-33DE-4b22-A236-C86FADE18EA5}.exe

Filesize
168KB

MD5
fdc3b75566df26f7c723dd3960c03040

SHA1
b4db0e7a0d37167dfe1556e1598f6c3805b16415

SHA256
39ff9df48276ce2ddb90c48540530e792604cdea0b6d8adc3319dfb3fad00bb6

SHA512
8729d8f6592100304e86864ebab18b887661f416dc14de1b09030ed4599b2110b7cbc3c621a7f354a8348bc4cb5205afadb1d0bd6c62ee152084f4cfaa2fe12f

Download Submit
C:\Windows\{F599AB7B-745D-4a47-B6D9-F9A1C2B64D98}.exe

Filesize
168KB

MD5
6c4c83b856c8a6d51b20df89ef4c88fd

SHA1
98cf01c073386c92636d56b9c7108ccac4685b9c

SHA256
903e0597340ef204ae90eaef04d1c898efd5bc22d66a0ed7baf80999c58f245f

SHA512
acc5771b33caa179b59c4af8e006e324e6d6568719d5d2296d9481ce1349889dedcc24f1f6ca1bcf84d071faf09c721c67cf6e2a33d8e394a06d999e286424aa

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads