b69905a308b81eb1507cad4bd030e9cf6b5351149cba92e2dfec54cd32adad62

Analysis

max time kernel
118s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 03:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f3c4e4b5a2767ab17016d6ea99fac10N.exe
Size

91KB
MD5

7f3c4e4b5a2767ab17016d6ea99fac10
SHA1

11792ae4e8923f06cedd54ec329f6761bf068bd6
SHA256

b69905a308b81eb1507cad4bd030e9cf6b5351149cba92e2dfec54cd32adad62
SHA512

74de4250f828f74ccd29cf5cc6d465d55488c9e94d2d0b1d40ead5ed29f167ebb9a259d392451e8e80cbbf5c133091f91ff3c3eecaa7397ba4b9d2b2d6b6d44c
SSDEEP

768:5vw9816uhKirosL4/wQNNrfrunMxVFA3b7t:lEGkmosLlCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{081C2B1B-27C6-400e-B276-26DBC6DB61D3}	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{081C2B1B-27C6-400e-B276-26DBC6DB61D3}\stubpath = "C:\\Windows\\{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe"	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37A84BD5-83A4-4a6b-A13A-1498259F892E}	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D742082-CE92-4a72-AE79-315535B88F85}	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}\stubpath = "C:\\Windows\\{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe"	{6D742082-CE92-4a72-AE79-315535B88F85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D281794-7B39-4d16-8F3C-A8059B944B84}	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37A84BD5-83A4-4a6b-A13A-1498259F892E}\stubpath = "C:\\Windows\\{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe"	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BE6D1BD-AD38-4520-B5BE-D15C7BB3F4C0}\stubpath = "C:\\Windows\\{6BE6D1BD-AD38-4520-B5BE-D15C7BB3F4C0}.exe"	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}	{6D742082-CE92-4a72-AE79-315535B88F85}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}\stubpath = "C:\\Windows\\{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe"	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14E4EB10-7905-48f0-8C72-343D5C4A8687}	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6BE6D1BD-AD38-4520-B5BE-D15C7BB3F4C0}	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}	7f3c4e4b5a2767ab17016d6ea99fac10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}\stubpath = "C:\\Windows\\{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe"	7f3c4e4b5a2767ab17016d6ea99fac10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6D742082-CE92-4a72-AE79-315535B88F85}\stubpath = "C:\\Windows\\{6D742082-CE92-4a72-AE79-315535B88F85}.exe"	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D281794-7B39-4d16-8F3C-A8059B944B84}\stubpath = "C:\\Windows\\{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe"	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{14E4EB10-7905-48f0-8C72-343D5C4A8687}\stubpath = "C:\\Windows\\{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe"	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe

Executes dropped EXE 9 IoCs

pid	Process
3400	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe
4944	{6D742082-CE92-4a72-AE79-315535B88F85}.exe
4340	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe
976	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe
2160	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe
2996	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe
1888	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe
2784	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe
2348	{6BE6D1BD-AD38-4520-B5BE-D15C7BB3F4C0}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe	7f3c4e4b5a2767ab17016d6ea99fac10N.exe
File created	C:\Windows\{6D742082-CE92-4a72-AE79-315535B88F85}.exe	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe
File created	C:\Windows\{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe
File created	C:\Windows\{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe
File created	C:\Windows\{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe
File created	C:\Windows\{6BE6D1BD-AD38-4520-B5BE-D15C7BB3F4C0}.exe	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe
File created	C:\Windows\{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe	{6D742082-CE92-4a72-AE79-315535B88F85}.exe
File created	C:\Windows\{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe
File created	C:\Windows\{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6D742082-CE92-4a72-AE79-315535B88F85}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6BE6D1BD-AD38-4520-B5BE-D15C7BB3F4C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f3c4e4b5a2767ab17016d6ea99fac10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3040	7f3c4e4b5a2767ab17016d6ea99fac10N.exe
Token: SeIncBasePriorityPrivilege	3400	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe
Token: SeIncBasePriorityPrivilege	4944	{6D742082-CE92-4a72-AE79-315535B88F85}.exe
Token: SeIncBasePriorityPrivilege	4340	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe
Token: SeIncBasePriorityPrivilege	976	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe
Token: SeIncBasePriorityPrivilege	2160	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe
Token: SeIncBasePriorityPrivilege	2996	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe
Token: SeIncBasePriorityPrivilege	1888	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe
Token: SeIncBasePriorityPrivilege	2784	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 3400	3040	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	95
PID 3040 wrote to memory of 3400	3040	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	95
PID 3040 wrote to memory of 3400	3040	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	95
PID 3040 wrote to memory of 2868	3040	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	96
PID 3040 wrote to memory of 2868	3040	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	96
PID 3040 wrote to memory of 2868	3040	7f3c4e4b5a2767ab17016d6ea99fac10N.exe	96
PID 3400 wrote to memory of 4944	3400	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe	97
PID 3400 wrote to memory of 4944	3400	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe	97
PID 3400 wrote to memory of 4944	3400	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe	97
PID 3400 wrote to memory of 1900	3400	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe	98
PID 3400 wrote to memory of 1900	3400	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe	98
PID 3400 wrote to memory of 1900	3400	{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe	98
PID 4944 wrote to memory of 4340	4944	{6D742082-CE92-4a72-AE79-315535B88F85}.exe	102
PID 4944 wrote to memory of 4340	4944	{6D742082-CE92-4a72-AE79-315535B88F85}.exe	102
PID 4944 wrote to memory of 4340	4944	{6D742082-CE92-4a72-AE79-315535B88F85}.exe	102
PID 4944 wrote to memory of 912	4944	{6D742082-CE92-4a72-AE79-315535B88F85}.exe	103
PID 4944 wrote to memory of 912	4944	{6D742082-CE92-4a72-AE79-315535B88F85}.exe	103
PID 4944 wrote to memory of 912	4944	{6D742082-CE92-4a72-AE79-315535B88F85}.exe	103
PID 4340 wrote to memory of 976	4340	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe	104
PID 4340 wrote to memory of 976	4340	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe	104
PID 4340 wrote to memory of 976	4340	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe	104
PID 4340 wrote to memory of 376	4340	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe	105
PID 4340 wrote to memory of 376	4340	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe	105
PID 4340 wrote to memory of 376	4340	{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe	105
PID 976 wrote to memory of 2160	976	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe	106
PID 976 wrote to memory of 2160	976	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe	106
PID 976 wrote to memory of 2160	976	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe	106
PID 976 wrote to memory of 3288	976	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe	107
PID 976 wrote to memory of 3288	976	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe	107
PID 976 wrote to memory of 3288	976	{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe	107
PID 2160 wrote to memory of 2996	2160	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe	109
PID 2160 wrote to memory of 2996	2160	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe	109
PID 2160 wrote to memory of 2996	2160	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe	109
PID 2160 wrote to memory of 2628	2160	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe	110
PID 2160 wrote to memory of 2628	2160	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe	110
PID 2160 wrote to memory of 2628	2160	{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe	110
PID 2996 wrote to memory of 1888	2996	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe	111
PID 2996 wrote to memory of 1888	2996	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe	111
PID 2996 wrote to memory of 1888	2996	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe	111
PID 2996 wrote to memory of 3648	2996	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe	112
PID 2996 wrote to memory of 3648	2996	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe	112
PID 2996 wrote to memory of 3648	2996	{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe	112
PID 1888 wrote to memory of 2784	1888	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe	117
PID 1888 wrote to memory of 2784	1888	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe	117
PID 1888 wrote to memory of 2784	1888	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe	117
PID 1888 wrote to memory of 3996	1888	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe	118
PID 1888 wrote to memory of 3996	1888	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe	118
PID 1888 wrote to memory of 3996	1888	{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe	118
PID 2784 wrote to memory of 2348	2784	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe	123
PID 2784 wrote to memory of 2348	2784	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe	123
PID 2784 wrote to memory of 2348	2784	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe	123
PID 2784 wrote to memory of 3556	2784	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe	124
PID 2784 wrote to memory of 3556	2784	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe	124
PID 2784 wrote to memory of 3556	2784	{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe	124

C:\Users\Admin\AppData\Local\Temp\7f3c4e4b5a2767ab17016d6ea99fac10N.exe
"C:\Users\Admin\AppData\Local\Temp\7f3c4e4b5a2767ab17016d6ea99fac10N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe
  C:\Windows\{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\{6D742082-CE92-4a72-AE79-315535B88F85}.exe
    C:\Windows\{6D742082-CE92-4a72-AE79-315535B88F85}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe
      C:\Windows\{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe
        
        C:\Windows\{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:976
      - C:\Windows\{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe
        
        C:\Windows\{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe
        
        C:\Windows\{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe
        
        C:\Windows\{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe
        
        C:\Windows\{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\{6BE6D1BD-AD38-4520-B5BE-D15C7BB3F4C0}.exe
        
        C:\Windows\{6BE6D1BD-AD38-4520-B5BE-D15C7BB3F4C0}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14E4E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{37A84~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{081C2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D281~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9CEB0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3BDF7~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6D742~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:912
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4DA8A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1900
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7F3C4E~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{081C2B1B-27C6-400e-B276-26DBC6DB61D3}.exe

Filesize
91KB

MD5
58d48b8a31cb198962d82729d6c64807

SHA1
6af38eacb59eff181b3c7ae0e72b1af5ef550e32

SHA256
e17999b7ee95debff3bb1c89bfbdf2344cc73534eed44d53596520c2e1a9bbc7

SHA512
33710153c5034ebee56188ed8feee5ef7ae050085cbfa3bdf13ad2348d508629f3744d9605fa6d80e4974e80f55c5dd6ded30784a8837046a8b8307cb33f6839

Download Submit
C:\Windows\{14E4EB10-7905-48f0-8C72-343D5C4A8687}.exe

Filesize
91KB

MD5
9e4a67b45f26087835eef57b100006ed

SHA1
558a9e13bc9a3d9823c5df3b95ff1eed3937d483

SHA256
f4754bf1096aaa90a73a737500b3010009cc051283e7196e2baf96b33edfe2ec

SHA512
7d9255159802a7d517144a3ef26d98b9a6d0401c04d96f0fba83c8f76a17b0ce1e2df15619b1e9e6654932482e5b1bc106aa0fe10fed98a54f4d117b3233e19c

Download Submit
C:\Windows\{37A84BD5-83A4-4a6b-A13A-1498259F892E}.exe

Filesize
91KB

MD5
44a42f783f815e7fe50b72eecc8c599a

SHA1
6eaf31f3f89694adb5775310dd1d61cb8d151412

SHA256
a3f3da62da70978a33840dd86bef8a66cd5667b8fdc86cf0e75d21fe0c28810a

SHA512
bef6a2a51236e6f276a814ad98cb29d144d67f8b4bf478aad2b3dd14fee5a80538a3d0f7de7c42825d6a6a14858b2290675cebb1ae1f9f621fe4a3a3f66cefa1

Download Submit
C:\Windows\{3BDF75EA-CA4B-41ea-8770-FFC2A3F16589}.exe

Filesize
91KB

MD5
11ca812e2d6de7dd5d99ca3de62c3566

SHA1
806d8ca2470b576832d1ae5bf2029eebf53cf852

SHA256
32b6dae94db94093850e01080e8e148c4ffb12260f2a74d2de93adff91f5d4a2

SHA512
34814038539f143931d34b5b4a294180ed5c96a8abbd7df5067b7bdafefdf695a63bdc05edb9ce644a84942eb494ae4a6d977a43f3d37e2049183a326b1b3433

Download Submit
C:\Windows\{4D281794-7B39-4d16-8F3C-A8059B944B84}.exe

Filesize
91KB

MD5
2501e925fe9eaaec271f408fd41fcd5d

SHA1
f16d1fc0636406ad89247d603332a196897e0118

SHA256
527764459b83be128947ad04433425d8d411bfdc4b70dff3cc1fa3008f853e61

SHA512
0dec0884ae5a44a747b0f4bed00ad239fc732c1efff71742580b6b1bf34f133c0202705e6f9fc998792e4b66e83cfc2c80189e23bab9efb2c05895ab81f3dfff

Download Submit
C:\Windows\{4DA8A4DC-AC49-4177-9C39-27C1BB66A209}.exe

Filesize
91KB

MD5
264178ac9f671d7efb87bfb5e7941b12

SHA1
63745c926d73ac3dece068eee8f32a434a4b9b6b

SHA256
1320dabdee405bf6d7ac28631e407e3258e4a200ce71e815a6a0786fe8b5474c

SHA512
c3cc04b4dd9a84f41aff528f2b4e4f515306f1191d7f90d91be5fa278ec9e99f602c1549765afdcb6e129cfa464ded25098880c2e64720180bac6bffda2f4fd7

Download Submit
C:\Windows\{6BE6D1BD-AD38-4520-B5BE-D15C7BB3F4C0}.exe

Filesize
91KB

MD5
6056642858231e4e52f0b2f7f445b937

SHA1
bcd555c338676fafb0304ff3c4df52c9a5f5d560

SHA256
4b24dfc3c0dc1e41e35733846edefb4e17f63d1be3e4baf7a6917634ddafb2fb

SHA512
00790e9c99109632645edb8d2b1ad387bbe2b81d1b2e1a7b46cf06bc089c7fd6566e7e08713daa3b7d823d6956d1dd88e34acabe6135728a05f747d2d68ac611

Download Submit
C:\Windows\{6D742082-CE92-4a72-AE79-315535B88F85}.exe

Filesize
91KB

MD5
95c20d5126d647d9b8bae7e7d9ab1df1

SHA1
281e702ea54cdb0efec0bfaa2444e46f338cd011

SHA256
54a3aeb5051b2dd21b576d44d479001938ba52abb5a54177b3fd0a07eefe5724

SHA512
b14190043e79f0d5aa3685027b4868bd0b4c705b26884cd73d314068cbbb926e2771768d5c7cf3156be5bcd29927a292a7c08f071da398831689f0eebf8fd5a2

Download Submit
C:\Windows\{9CEB0617-266E-436d-87CA-5A6D2FE2F3A0}.exe

Filesize
91KB

MD5
c80953ec0464655ac82ea744983f724e

SHA1
49056b71885cd68b66ced278b476feb878ac397b

SHA256
64f3553728b0308f1a1f31bb1bfed5bbcfc4a294377acf2af1d06ada832208cb

SHA512
63dd286bd88ed3bd031096c757576b5020a8300c7c951b4c792b1c81daeadfea90ddf7e078ad4e865c2cf0af559b8eacd1a42f376908eceafc7716245ad4073a

Download Submit
memory/976-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/976-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1888-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1888-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2160-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2160-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2348-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2784-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2784-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2996-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2996-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3040-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3400-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3400-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3400-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4340-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4340-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4944-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4944-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads