e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02/09/2024, 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe
Size

168KB
MD5

98b3812735a48904638761327ff848b8
SHA1

f511727d79bedec88ac82c9ead318a97410a5ba4
SHA256

e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c
SHA512

97c3aa2d7695711a486d16104f56272f3e91549b2af7221a4d0300962387211c19f7e90c3f245eb6c974f3beb93d31085afb22eb16bbcfea1362d30337d4d81e
SSDEEP

1536:1EGh0oNlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0oNlqOPOe2MUVg3Ve+rX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{333F653B-DA46-4629-BEDA-585FF5DAC2DA}\stubpath = "C:\\Windows\\{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe"	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2EC4D50-19BF-4efb-82E9-292561D639AC}\stubpath = "C:\\Windows\\{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe"	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}\stubpath = "C:\\Windows\\{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe"	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{519FA0A7-D376-40a5-9037-3657089B140D}\stubpath = "C:\\Windows\\{519FA0A7-D376-40a5-9037-3657089B140D}.exe"	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EECDC62-6C3A-4f70-9E93-868F11634082}\stubpath = "C:\\Windows\\{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe"	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{005453C1-39C1-4690-8FE5-3EA29CBA89FD}	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{627504D8-B546-41f9-B0AA-E49F9EC1E72E}	{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB2AF0E-E9AE-4954-B1DE-ACDEFD9E2188}	{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DB2AF0E-E9AE-4954-B1DE-ACDEFD9E2188}\stubpath = "C:\\Windows\\{2DB2AF0E-E9AE-4954-B1DE-ACDEFD9E2188}.exe"	{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB49B29D-2999-4f23-B098-216936D0F72D}\stubpath = "C:\\Windows\\{BB49B29D-2999-4f23-B098-216936D0F72D}.exe"	{519FA0A7-D376-40a5-9037-3657089B140D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}\stubpath = "C:\\Windows\\{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe"	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6EECDC62-6C3A-4f70-9E93-868F11634082}	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{333F653B-DA46-4629-BEDA-585FF5DAC2DA}	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D2EC4D50-19BF-4efb-82E9-292561D639AC}	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ADC7624-C966-4427-8B08-89F27F4642C1}\stubpath = "C:\\Windows\\{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe"	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{519FA0A7-D376-40a5-9037-3657089B140D}	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB49B29D-2999-4f23-B098-216936D0F72D}	{519FA0A7-D376-40a5-9037-3657089B140D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21EBAEEA-EEED-4982-993B-690DCE6029E5}\stubpath = "C:\\Windows\\{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe"	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{005453C1-39C1-4690-8FE5-3EA29CBA89FD}\stubpath = "C:\\Windows\\{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe"	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{627504D8-B546-41f9-B0AA-E49F9EC1E72E}\stubpath = "C:\\Windows\\{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe"	{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3ADC7624-C966-4427-8B08-89F27F4642C1}	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{21EBAEEA-EEED-4982-993B-690DCE6029E5}	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe

Executes dropped EXE 12 IoCs

pid	Process
3972	{519FA0A7-D376-40a5-9037-3657089B140D}.exe
1344	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe
2896	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe
2328	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe
1564	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe
4844	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe
3164	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe
3804	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe
3608	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe
3044	{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe
1468	{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe
2900	{2DB2AF0E-E9AE-4954-B1DE-ACDEFD9E2188}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe
File created	C:\Windows\{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe
File created	C:\Windows\{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe	{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe
File created	C:\Windows\{2DB2AF0E-E9AE-4954-B1DE-ACDEFD9E2188}.exe	{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe
File created	C:\Windows\{519FA0A7-D376-40a5-9037-3657089B140D}.exe	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe
File created	C:\Windows\{BB49B29D-2999-4f23-B098-216936D0F72D}.exe	{519FA0A7-D376-40a5-9037-3657089B140D}.exe
File created	C:\Windows\{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe
File created	C:\Windows\{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe
File created	C:\Windows\{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe
File created	C:\Windows\{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe
File created	C:\Windows\{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe
File created	C:\Windows\{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DB2AF0E-E9AE-4954-B1DE-ACDEFD9E2188}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{519FA0A7-D376-40a5-9037-3657089B140D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2920	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe
Token: SeIncBasePriorityPrivilege	3972	{519FA0A7-D376-40a5-9037-3657089B140D}.exe
Token: SeIncBasePriorityPrivilege	1344	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe
Token: SeIncBasePriorityPrivilege	2896	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe
Token: SeIncBasePriorityPrivilege	2328	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe
Token: SeIncBasePriorityPrivilege	1564	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe
Token: SeIncBasePriorityPrivilege	4844	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe
Token: SeIncBasePriorityPrivilege	3164	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe
Token: SeIncBasePriorityPrivilege	3804	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe
Token: SeIncBasePriorityPrivilege	3608	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe
Token: SeIncBasePriorityPrivilege	3044	{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe
Token: SeIncBasePriorityPrivilege	1468	{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 3972	2920	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe	94
PID 2920 wrote to memory of 3972	2920	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe	94
PID 2920 wrote to memory of 3972	2920	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe	94
PID 2920 wrote to memory of 2492	2920	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe	95
PID 2920 wrote to memory of 2492	2920	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe	95
PID 2920 wrote to memory of 2492	2920	e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe	95
PID 3972 wrote to memory of 1344	3972	{519FA0A7-D376-40a5-9037-3657089B140D}.exe	96
PID 3972 wrote to memory of 1344	3972	{519FA0A7-D376-40a5-9037-3657089B140D}.exe	96
PID 3972 wrote to memory of 1344	3972	{519FA0A7-D376-40a5-9037-3657089B140D}.exe	96
PID 3972 wrote to memory of 796	3972	{519FA0A7-D376-40a5-9037-3657089B140D}.exe	97
PID 3972 wrote to memory of 796	3972	{519FA0A7-D376-40a5-9037-3657089B140D}.exe	97
PID 3972 wrote to memory of 796	3972	{519FA0A7-D376-40a5-9037-3657089B140D}.exe	97
PID 1344 wrote to memory of 2896	1344	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe	100
PID 1344 wrote to memory of 2896	1344	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe	100
PID 1344 wrote to memory of 2896	1344	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe	100
PID 1344 wrote to memory of 5044	1344	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe	101
PID 1344 wrote to memory of 5044	1344	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe	101
PID 1344 wrote to memory of 5044	1344	{BB49B29D-2999-4f23-B098-216936D0F72D}.exe	101
PID 2896 wrote to memory of 2328	2896	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe	102
PID 2896 wrote to memory of 2328	2896	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe	102
PID 2896 wrote to memory of 2328	2896	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe	102
PID 2896 wrote to memory of 2808	2896	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe	103
PID 2896 wrote to memory of 2808	2896	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe	103
PID 2896 wrote to memory of 2808	2896	{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe	103
PID 2328 wrote to memory of 1564	2328	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe	104
PID 2328 wrote to memory of 1564	2328	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe	104
PID 2328 wrote to memory of 1564	2328	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe	104
PID 2328 wrote to memory of 3088	2328	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe	105
PID 2328 wrote to memory of 3088	2328	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe	105
PID 2328 wrote to memory of 3088	2328	{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe	105
PID 1564 wrote to memory of 4844	1564	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe	106
PID 1564 wrote to memory of 4844	1564	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe	106
PID 1564 wrote to memory of 4844	1564	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe	106
PID 1564 wrote to memory of 912	1564	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe	107
PID 1564 wrote to memory of 912	1564	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe	107
PID 1564 wrote to memory of 912	1564	{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe	107
PID 4844 wrote to memory of 3164	4844	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe	108
PID 4844 wrote to memory of 3164	4844	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe	108
PID 4844 wrote to memory of 3164	4844	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe	108
PID 4844 wrote to memory of 864	4844	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe	109
PID 4844 wrote to memory of 864	4844	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe	109
PID 4844 wrote to memory of 864	4844	{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe	109
PID 3164 wrote to memory of 3804	3164	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe	110
PID 3164 wrote to memory of 3804	3164	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe	110
PID 3164 wrote to memory of 3804	3164	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe	110
PID 3164 wrote to memory of 2448	3164	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe	111
PID 3164 wrote to memory of 2448	3164	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe	111
PID 3164 wrote to memory of 2448	3164	{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe	111
PID 3804 wrote to memory of 3608	3804	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe	112
PID 3804 wrote to memory of 3608	3804	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe	112
PID 3804 wrote to memory of 3608	3804	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe	112
PID 3804 wrote to memory of 1500	3804	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe	113
PID 3804 wrote to memory of 1500	3804	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe	113
PID 3804 wrote to memory of 1500	3804	{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe	113
PID 3608 wrote to memory of 3044	3608	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe	114
PID 3608 wrote to memory of 3044	3608	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe	114
PID 3608 wrote to memory of 3044	3608	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe	114
PID 3608 wrote to memory of 2136	3608	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe	115
PID 3608 wrote to memory of 2136	3608	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe	115
PID 3608 wrote to memory of 2136	3608	{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe	115
PID 3044 wrote to memory of 1468	3044	{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe	116
PID 3044 wrote to memory of 1468	3044	{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe	116
PID 3044 wrote to memory of 1468	3044	{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe	116
PID 3044 wrote to memory of 1952	3044	{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe	117

C:\Users\Admin\AppData\Local\Temp\e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe
"C:\Users\Admin\AppData\Local\Temp\e764d0cfdcfff4f78d6c4ba072bd01f4901a2e61e1154c64943f13f24882d08c.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Windows\{519FA0A7-D376-40a5-9037-3657089B140D}.exe
  C:\Windows\{519FA0A7-D376-40a5-9037-3657089B140D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\{BB49B29D-2999-4f23-B098-216936D0F72D}.exe
    C:\Windows\{BB49B29D-2999-4f23-B098-216936D0F72D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1344
  - - C:\Windows\{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe
      C:\Windows\{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe
        
        C:\Windows\{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Windows\{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe
        
        C:\Windows\{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe
        
        C:\Windows\{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe
        
        C:\Windows\{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3164
        
        C:\Windows\{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe
        
        C:\Windows\{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe
        
        C:\Windows\{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3608
        
        C:\Windows\{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe
        
        C:\Windows\{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe
        
        C:\Windows\{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
        
        C:\Windows\{2DB2AF0E-E9AE-4954-B1DE-ACDEFD9E2188}.exe
        
        C:\Windows\{2DB2AF0E-E9AE-4954-B1DE-ACDEFD9E2188}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2900
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62750~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD9F2~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00545~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5266C~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{21EBA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3ADC7~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D2EC4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{333F6~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3088
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6EECD~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BB49B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5044
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{519FA~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E764D0~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{005453C1-39C1-4690-8FE5-3EA29CBA89FD}.exe

Filesize
168KB

MD5
851d50f75221867556a75f1e38c3246f

SHA1
5080f4c62c2b30b5a3bf5f6bf90101a00264c485

SHA256
36a7893dc983a111b8f02d0e47eba0710b5a62908344375275484c65efc9192d

SHA512
3224742217fc70b2a3f09b0bf0a95f86d43f94c994dea69bbf631a0f36c46fc8c461120ce1bea5a8f1c3758ede8fcef2d33977d8c2f4e7c29a5068eb134a95da

Download Submit
C:\Windows\{21EBAEEA-EEED-4982-993B-690DCE6029E5}.exe

Filesize
168KB

MD5
cce6271b413dd0528d81ad2683a11684

SHA1
5bb304a0d2cb3754d9cb4b28aa6ed57db8f4c1ea

SHA256
9511ac1c8fa32495f3bc9f9ec649e62d7a79319380a12120475093404587c45b

SHA512
9fb8943fb0a943e69ba0c231563f373effead8ead15cbb9b6a5f349762d10c490d94f92dd796f16235607e8120cbda4dfe02f1fb407073861ad6260d803e4563

Download Submit
C:\Windows\{2DB2AF0E-E9AE-4954-B1DE-ACDEFD9E2188}.exe

Filesize
168KB

MD5
87b1669b9285984e48e193f549ac4f82

SHA1
bc1e8f2c4b4d8db3e3fb03d716aeb37cf901eb13

SHA256
9ac00f8f174b5b615f5d6f6d1ac7f5dadb494e5a10bc4c32066fbd919802ed67

SHA512
4c872fb425518dc73b82c46dc3392ce23a5817a12c83bf0c8b0017704903e88804374b368f12347ecb5b0d1dfa62fedf93efa4fbb54ca9d75cbf966ec089e4d7

Download Submit
C:\Windows\{333F653B-DA46-4629-BEDA-585FF5DAC2DA}.exe

Filesize
168KB

MD5
56a21e3ee5f88acdbabba273ff8ff87e

SHA1
2a7f96f07027e8a70681f96bf18111ebfb03725b

SHA256
9ceae0f94cc2365a9d89af051de074046d4cb5fe404bb0f6fc463b33147c097b

SHA512
2afc59fb4f48294839ac287ededd9f08f69811f31cda68d5cdf33051f658b0c90054f4ac6683749e9ba24e8e5ea5d532802ef0099c7181a0f2171bec647907b9

Download Submit
C:\Windows\{3ADC7624-C966-4427-8B08-89F27F4642C1}.exe

Filesize
168KB

MD5
31cf0518d66b6ebab76bbd7acdc89432

SHA1
5e98fcd0d2dfcee809cd14edbad05e4463d402a0

SHA256
c42cf6056212ecc1d94e0509cbd0f0e5ecd3289a204c07f38ac04abfcc3b19be

SHA512
89854481637111c3a552e791ca417a65c12e30525f59affd1fa8d586da0e5e4bbdb8e5d44369db76bf37b885a9856d07a62d5a237b350ba40c0bfc02bf4401ca

Download Submit
C:\Windows\{519FA0A7-D376-40a5-9037-3657089B140D}.exe

Filesize
168KB

MD5
da60483c317e7081cff81ca76adf8318

SHA1
bc34fb6c26411056eeff1087472475132ee589f7

SHA256
d59162ddae57942849b605e5180e76fba1619a4c5d3da0002b2dec4cb135096c

SHA512
95eb421d29bf0b23c03eac487747b58a2d5ec46b39ee3d51b8bc212cba68c2989083ad891266ebd24641b7553a55ec71736801383fc2f838f5c2016f1b366dc8

Download Submit
C:\Windows\{5266CBAE-08AA-461b-8AAA-FAB0FC191A28}.exe

Filesize
168KB

MD5
94a4c94f5c1483a5505f249b53fc4973

SHA1
b744c7523765a0ecc83544c88b3bd7530096e0b9

SHA256
e61d7a98cd3472d70d17099d4d91d54eea93612782b7361f9520f5a93f7a98b4

SHA512
fbfb01872cf0d2b0d442d6923de0e4db570d687957453f1dc6e2e93bddb2cdc0c26b96a91a42045ccd653e20f1481265d6710d20857fd43f9aa8c3b879463ef0

Download Submit
C:\Windows\{627504D8-B546-41f9-B0AA-E49F9EC1E72E}.exe

Filesize
168KB

MD5
93d64cb56f624b2066f84b7a79126615

SHA1
5e3fb629ff3714dc65ba66d0844cdbeede939748

SHA256
eb9089d6b90dcdb74df6837d572e9d469344b9466cbc7a379efb917da379b5c3

SHA512
585bb11e8c09f440aa3f1b7d99415fba01154ed0ead7c1ba91894ac31d4e990efdd32aabfb9ddaedfd565f306a23a421961bbb387aaa553b1fa9377923ea9e8e

Download Submit
C:\Windows\{6EECDC62-6C3A-4f70-9E93-868F11634082}.exe

Filesize
168KB

MD5
8d953ed7a5589419fc0c179c4699daae

SHA1
224681120d527d635ad1ac0f585d9eece6df2193

SHA256
67160ef55fce0e32adf9cf92f5567c9f6ebf8f133c0dfa169acecebd227f709e

SHA512
04822a8365875591a86540b3984b554a118f1c58a6f5fcbd83bce3b9bfaf3f9e58619a2920b2f55233a85083914b9c5b6d4096c3ab0c3cddc72443a7bbe5fb97

Download Submit
C:\Windows\{BB49B29D-2999-4f23-B098-216936D0F72D}.exe

Filesize
168KB

MD5
d73e0aad6a38dbfd07e742c1f020d47c

SHA1
d78422eda7c783a34cd6594de9ef9d4a78d868ec

SHA256
1e0cfd0ebd5e42bb183256fd8ba6763f87712a8f72dbd7b9229c656f7991d476

SHA512
10e8c6dfa58c96570825469def5cc3a4687269b1e006a3348b9ea6ada15d23723f1d399378ad068cbc6a8997bb97e32ecf567ea5fef348f27c7191b69ac15293

Download Submit
C:\Windows\{CD9F2DC4-ADAC-4f53-A0F8-7148636BA8EC}.exe

Filesize
168KB

MD5
a60366a30282cba3968219be679634be

SHA1
f029888f75dfa06b161f9b92570ca40f9b062068

SHA256
dc9218a9eabdc53415110d93b866c482bb1b5a690e45dd0b072254925d5d3f84

SHA512
6b5b3599d62b5db953f765bc98fc4347e59954ca050a6a0e3eb1e61ce690b76f93bdbf55464f476803887972ca303a8ba7065cc5932d3f5e2314df7e49b13b34

Download Submit
C:\Windows\{D2EC4D50-19BF-4efb-82E9-292561D639AC}.exe

Filesize
168KB

MD5
f30d2e3f4d6c8601259447e9d410b7c9

SHA1
9c223d318245685399d029b99e930f19b6ed4098

SHA256
e80493f09ab9a04c39fd7aa7f80ec44b11267f1dda5bff437213d1d64a0bc54a

SHA512
4c5ce14e155ea769ab18c06458aa11e6f50e05c5ed789c437d4a7bf92215c9591d97ee209bf96af500611cf25c765d7dad4c0fdb0dc8c936223c8f01edcc8397

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads