103943b36b4956314cd30bed05f1326eebbf0943a567a1a88fdb3866bcef5a9a

Analysis

max time kernel
118s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01-09-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9fbccbefff3b5ccf910d697a1e627a40N.exe
Size

89KB
MD5

9fbccbefff3b5ccf910d697a1e627a40
SHA1

ab28b2d25acc841d93a1b8ea88bf4c3da276e5ac
SHA256

103943b36b4956314cd30bed05f1326eebbf0943a567a1a88fdb3866bcef5a9a
SHA512

ac7f40bc378907294ead6a8f77bea29f84d338cb08680b0dba0f9b98c24e9d20b5b471449d42fdcc09707f4e96e30ed1d5dea998f0432f01f7654708b6873942
SSDEEP

768:Qvw9816vhKQLroU4/wQRNrfrunMxVFA3b7gl5:YEGh0oUl2unMxVS3HgX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90D63223-4850-4816-9814-6EEA3AD8A990}\stubpath = "C:\\Windows\\{90D63223-4850-4816-9814-6EEA3AD8A990}.exe"	9fbccbefff3b5ccf910d697a1e627a40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}\stubpath = "C:\\Windows\\{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe"	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62E7324-FF4B-4646-8358-C67FF09FE9A6}\stubpath = "C:\\Windows\\{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe"	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8073C9DD-1646-4066-866B-0F66AA049C78}\stubpath = "C:\\Windows\\{8073C9DD-1646-4066-866B-0F66AA049C78}.exe"	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67F1742B-72B7-441a-8C66-8D198670B115}	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{737F10F5-855B-4771-8DF6-B70B6A69856B}	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}\stubpath = "C:\\Windows\\{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe"	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8073C9DD-1646-4066-866B-0F66AA049C78}	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67F1742B-72B7-441a-8C66-8D198670B115}\stubpath = "C:\\Windows\\{67F1742B-72B7-441a-8C66-8D198670B115}.exe"	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90D63223-4850-4816-9814-6EEA3AD8A990}	9fbccbefff3b5ccf910d697a1e627a40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{737F10F5-855B-4771-8DF6-B70B6A69856B}\stubpath = "C:\\Windows\\{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe"	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B62E7324-FF4B-4646-8358-C67FF09FE9A6}	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6BD948F-85C2-4755-A454-B4A2E955E993}	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6BD948F-85C2-4755-A454-B4A2E955E993}\stubpath = "C:\\Windows\\{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe"	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB5DF0C3-6D37-4a55-A030-18EA33219408}	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CB5DF0C3-6D37-4a55-A030-18EA33219408}\stubpath = "C:\\Windows\\{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe"	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe

Executes dropped EXE 9 IoCs

pid	Process
2828	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe
876	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe
2524	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe
4972	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe
3516	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe
1904	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe
1512	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe
3696	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe
4384	{67F1742B-72B7-441a-8C66-8D198670B115}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe
File created	C:\Windows\{90D63223-4850-4816-9814-6EEA3AD8A990}.exe	9fbccbefff3b5ccf910d697a1e627a40N.exe
File created	C:\Windows\{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe
File created	C:\Windows\{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe
File created	C:\Windows\{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe
File created	C:\Windows\{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe
File created	C:\Windows\{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe
File created	C:\Windows\{8073C9DD-1646-4066-866B-0F66AA049C78}.exe	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe
File created	C:\Windows\{67F1742B-72B7-441a-8C66-8D198670B115}.exe	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9fbccbefff3b5ccf910d697a1e627a40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67F1742B-72B7-441a-8C66-8D198670B115}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	368	9fbccbefff3b5ccf910d697a1e627a40N.exe
Token: SeIncBasePriorityPrivilege	2828	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe
Token: SeIncBasePriorityPrivilege	876	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe
Token: SeIncBasePriorityPrivilege	2524	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe
Token: SeIncBasePriorityPrivilege	4972	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe
Token: SeIncBasePriorityPrivilege	3516	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe
Token: SeIncBasePriorityPrivilege	1904	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe
Token: SeIncBasePriorityPrivilege	1512	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe
Token: SeIncBasePriorityPrivilege	3696	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 368 wrote to memory of 2828	368	9fbccbefff3b5ccf910d697a1e627a40N.exe	95
PID 368 wrote to memory of 2828	368	9fbccbefff3b5ccf910d697a1e627a40N.exe	95
PID 368 wrote to memory of 2828	368	9fbccbefff3b5ccf910d697a1e627a40N.exe	95
PID 368 wrote to memory of 3508	368	9fbccbefff3b5ccf910d697a1e627a40N.exe	96
PID 368 wrote to memory of 3508	368	9fbccbefff3b5ccf910d697a1e627a40N.exe	96
PID 368 wrote to memory of 3508	368	9fbccbefff3b5ccf910d697a1e627a40N.exe	96
PID 2828 wrote to memory of 876	2828	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe	97
PID 2828 wrote to memory of 876	2828	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe	97
PID 2828 wrote to memory of 876	2828	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe	97
PID 2828 wrote to memory of 1528	2828	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe	98
PID 2828 wrote to memory of 1528	2828	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe	98
PID 2828 wrote to memory of 1528	2828	{90D63223-4850-4816-9814-6EEA3AD8A990}.exe	98
PID 876 wrote to memory of 2524	876	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe	102
PID 876 wrote to memory of 2524	876	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe	102
PID 876 wrote to memory of 2524	876	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe	102
PID 876 wrote to memory of 5020	876	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe	103
PID 876 wrote to memory of 5020	876	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe	103
PID 876 wrote to memory of 5020	876	{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe	103
PID 2524 wrote to memory of 4972	2524	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe	104
PID 2524 wrote to memory of 4972	2524	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe	104
PID 2524 wrote to memory of 4972	2524	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe	104
PID 2524 wrote to memory of 2256	2524	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe	105
PID 2524 wrote to memory of 2256	2524	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe	105
PID 2524 wrote to memory of 2256	2524	{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe	105
PID 4972 wrote to memory of 3516	4972	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe	106
PID 4972 wrote to memory of 3516	4972	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe	106
PID 4972 wrote to memory of 3516	4972	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe	106
PID 4972 wrote to memory of 840	4972	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe	107
PID 4972 wrote to memory of 840	4972	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe	107
PID 4972 wrote to memory of 840	4972	{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe	107
PID 3516 wrote to memory of 1904	3516	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe	109
PID 3516 wrote to memory of 1904	3516	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe	109
PID 3516 wrote to memory of 1904	3516	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe	109
PID 3516 wrote to memory of 2292	3516	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe	110
PID 3516 wrote to memory of 2292	3516	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe	110
PID 3516 wrote to memory of 2292	3516	{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe	110
PID 1904 wrote to memory of 1512	1904	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe	111
PID 1904 wrote to memory of 1512	1904	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe	111
PID 1904 wrote to memory of 1512	1904	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe	111
PID 1904 wrote to memory of 440	1904	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe	112
PID 1904 wrote to memory of 440	1904	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe	112
PID 1904 wrote to memory of 440	1904	{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe	112
PID 1512 wrote to memory of 3696	1512	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe	115
PID 1512 wrote to memory of 3696	1512	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe	115
PID 1512 wrote to memory of 3696	1512	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe	115
PID 1512 wrote to memory of 1660	1512	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe	116
PID 1512 wrote to memory of 1660	1512	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe	116
PID 1512 wrote to memory of 1660	1512	{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe	116
PID 3696 wrote to memory of 4384	3696	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe	123
PID 3696 wrote to memory of 4384	3696	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe	123
PID 3696 wrote to memory of 4384	3696	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe	123
PID 3696 wrote to memory of 4244	3696	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe	124
PID 3696 wrote to memory of 4244	3696	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe	124
PID 3696 wrote to memory of 4244	3696	{8073C9DD-1646-4066-866B-0F66AA049C78}.exe	124

C:\Users\Admin\AppData\Local\Temp\9fbccbefff3b5ccf910d697a1e627a40N.exe
"C:\Users\Admin\AppData\Local\Temp\9fbccbefff3b5ccf910d697a1e627a40N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:368
- C:\Windows\{90D63223-4850-4816-9814-6EEA3AD8A990}.exe
  C:\Windows\{90D63223-4850-4816-9814-6EEA3AD8A990}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe
    C:\Windows\{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe
      C:\Windows\{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2524
    - - C:\Windows\{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe
        
        C:\Windows\{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe
        
        C:\Windows\{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3516
        
        C:\Windows\{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe
        
        C:\Windows\{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe
        
        C:\Windows\{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\{8073C9DD-1646-4066-866B-0F66AA049C78}.exe
        
        C:\Windows\{8073C9DD-1646-4066-866B-0F66AA049C78}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3696
        
        C:\Windows\{67F1742B-72B7-441a-8C66-8D198670B115}.exe
        
        C:\Windows\{67F1742B-72B7-441a-8C66-8D198670B115}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8073C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB5DF~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D6BD9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B62E7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BE7DB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:840
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7CD4E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{737F1~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5020
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{90D63~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1528
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9FBCCB~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{67F1742B-72B7-441a-8C66-8D198670B115}.exe

Filesize
89KB

MD5
96b54c9742f10db37ad0868a53dac136

SHA1
dfb38de74f9efa8a4dcaad7616ac37002884fd77

SHA256
9c521214c28a68a0f5eb86b8b75113b373bfce30c25d7e410a29da7d4707bd3a

SHA512
e23f4b3b8925acac1b11fc6c4cae6d68da7fa4b9e99ef4a25644b5923bd891d46205ed8939e21410a15a28058cc9fd30cf17c8156eeb2916b552d94a4310b7df

Download Submit
C:\Windows\{737F10F5-855B-4771-8DF6-B70B6A69856B}.exe

Filesize
89KB

MD5
6d18c326d6dd0e4f77508f7c9ac80046

SHA1
a3d2dbe3347abd2db0d85b46ebb241c7e2ec7129

SHA256
3c7ae6cd3a5471b986d7610c9d3bcda5168ae81f638fce2c5963287cb203e058

SHA512
92f7f520500dadd837428835c8ed812db1347678c986516d80f7a9ce3811ac79c74a3068a2710714d0b1f1c9f6634ae54663338da483762f21ba76d1edcd48c0

Download Submit
C:\Windows\{7CD4E721-D53D-4165-AC2D-C3D97914AAEA}.exe

Filesize
89KB

MD5
d059e4fbea0fd7377742fe34049f45cb

SHA1
71dfbc2c0ab065f87dc9b6e1f876517415d86603

SHA256
8eebebff1fb4bcc2d7cd100f5d815ecbf00982bbb45830cad46b6651bce270db

SHA512
4b970ee2aad13daa39282479a988726e00e705af428b344be42a93854b3c78c1fc5f8c25d494842930f282efbeb5a10e28684638ad6dda055fa9f037b5599471

Download Submit
C:\Windows\{8073C9DD-1646-4066-866B-0F66AA049C78}.exe

Filesize
89KB

MD5
0b90b39724c05dc1abe3581129465662

SHA1
3f59d5985d6b16fc5d6920deb9082ca60ee55e42

SHA256
702c660e4f7122297816da757c87786234804fd73e6cb99f6f37b37847a735e3

SHA512
261253d636980ff813651a4bb01650d0bccfd70b9ac6a5c2d491f5d402a51d0a9c400ae8404df24cc7d5f6ab56d1179c6e2a2429eb8e3a3268baf53318ce0b81

Download Submit
C:\Windows\{90D63223-4850-4816-9814-6EEA3AD8A990}.exe

Filesize
89KB

MD5
2720a1f8c1b96ee28244ef2c02655715

SHA1
1d27c29cf5947c217ffdb54857762efbc6216dcb

SHA256
ae51b5155da4e8abce0df2e990c7e246f3bb25db1638fc07d76f482b25829619

SHA512
3052ea9c6e1e861be11ebae32bfbba761d62d7dee6338d57b3295e6ebbc0db28d22bc01e26334706af7e8362d507ee931f32a40f3b1c306711e8dd0156957607

Download Submit
C:\Windows\{B62E7324-FF4B-4646-8358-C67FF09FE9A6}.exe

Filesize
89KB

MD5
6f1deb71ada9f892ac6533a82e58d038

SHA1
f8114a9fbb93a9b683bb6e7ff50c10f43d49f6a4

SHA256
8b9cdeb7818a362e789d09c8bc2c0b14b493c987e3207f160715a457d27ecfc2

SHA512
220340b842432318cd59d06052ee38fe7d299cc3c1962e6f3e3cbb1bdfebb62ea5aef1035c2ee1fbe6f4a0c3b2f1be5b506378f1d87302941d9576a0e67a8113

Download Submit
C:\Windows\{BE7DBD70-A5A9-484b-B558-AE40E7AC03C4}.exe

Filesize
89KB

MD5
c0d1a92b7ad185ee1789ca2d833f5e0d

SHA1
6e7c789c058b6d709cc57bbd555134215431fef0

SHA256
048f731c8408bf709978f8c6faa3f5ad4910c97e315e2f42a698db16ec957372

SHA512
234d78a829c0ff25aa0e2a479d6e2ac979e29c71faabf6192537673feeac48d3d38ca92dd36da93abdd2672849eed11c83889513d3835d7fa1bb0a5a87a88909

Download Submit
C:\Windows\{CB5DF0C3-6D37-4a55-A030-18EA33219408}.exe

Filesize
89KB

MD5
8c271ce3868191a980cc77e85dab416a

SHA1
b61b361c96e01c4bbcee83e65e5f324ac96c77d3

SHA256
6f73dfc41810906415c4dd66618f6cc65b8cb091ecdee54fc38221b53084bb57

SHA512
d6d6bcbed725d0afced19a3f3a683d2f3660e157c7e9077d9cb138ef0a99182a71dbe1e5d649e8494c04a45f7aaa5c4d462f9c460333e5c59c2411302a04231a

Download Submit
C:\Windows\{D6BD948F-85C2-4755-A454-B4A2E955E993}.exe

Filesize
89KB

MD5
bad880e687f6f1efd4b17b126ab76df4

SHA1
7209b81c2699b5cb0753c06df0141102753c0126

SHA256
d6c08f6552920a38437f8ed5e797029c635342523aee3b1f23e82165e58731ef

SHA512
5ee0dc6b2b2939f8cb02dfb107040dc8649d9dce789fb383c2317044950725712972e5e8e03ec1485fd1f35bc295d4342fa83d7d6a38eeb3fbbd1cc026bce01c

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads