b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5

Analysis

max time kernel
149s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 02:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
Size

90KB
MD5

679da92d799ea9a74f171fe40d783dcb
SHA1

b0687033cf4c64b98aaf4fad60d2331faa87d3f8
SHA256

b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5
SHA512

bc63ebe4981fac675d9145a9c646abf548bcc1b0ccafa1c2313c294031b0f81a7abab81eb6c8685a3f806a6fa75a0ac2561428c0076a96e4fac2cae894981761
SSDEEP

768:Qvw9816vhKQLrop4/wQRNrfrunMxVFA3b7glws:YEGh0opl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}	{80989334-5028-4435-9283-6487F423EF25}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F60D5A2-E475-4997-9D27-BF8273433B06}	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}\stubpath = "C:\\Windows\\{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe"	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{331B18B3-BB2C-42fd-B412-C807915E83C1}	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19893CE5-E565-4622-B172-06D2DB70EB12}\stubpath = "C:\\Windows\\{19893CE5-E565-4622-B172-06D2DB70EB12}.exe"	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C4D582B-9C9B-494a-83D9-64516F070006}	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}\stubpath = "C:\\Windows\\{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe"	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80989334-5028-4435-9283-6487F423EF25}\stubpath = "C:\\Windows\\{80989334-5028-4435-9283-6487F423EF25}.exe"	{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C4D582B-9C9B-494a-83D9-64516F070006}\stubpath = "C:\\Windows\\{3C4D582B-9C9B-494a-83D9-64516F070006}.exe"	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F521D35-B1E7-4430-9DC2-9F7272E1B646}	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}\stubpath = "C:\\Windows\\{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe"	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F60D5A2-E475-4997-9D27-BF8273433B06}\stubpath = "C:\\Windows\\{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe"	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{331B18B3-BB2C-42fd-B412-C807915E83C1}\stubpath = "C:\\Windows\\{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe"	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}\stubpath = "C:\\Windows\\{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe"	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{80989334-5028-4435-9283-6487F423EF25}	{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{19893CE5-E565-4622-B172-06D2DB70EB12}	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}\stubpath = "C:\\Windows\\{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe"	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F521D35-B1E7-4430-9DC2-9F7272E1B646}\stubpath = "C:\\Windows\\{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe"	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}\stubpath = "C:\\Windows\\{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}.exe"	{80989334-5028-4435-9283-6487F423EF25}.exe

Executes dropped EXE 12 IoCs

pid	Process
4928	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe
2196	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe
2416	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe
4824	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe
448	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe
3960	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe
452	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe
4272	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe
3804	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe
3444	{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe
1184	{80989334-5028-4435-9283-6487F423EF25}.exe
4356	{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{19893CE5-E565-4622-B172-06D2DB70EB12}.exe	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
File created	C:\Windows\{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe
File created	C:\Windows\{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe
File created	C:\Windows\{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}.exe	{80989334-5028-4435-9283-6487F423EF25}.exe
File created	C:\Windows\{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe
File created	C:\Windows\{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe
File created	C:\Windows\{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe
File created	C:\Windows\{80989334-5028-4435-9283-6487F423EF25}.exe	{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe
File created	C:\Windows\{3C4D582B-9C9B-494a-83D9-64516F070006}.exe	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe
File created	C:\Windows\{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe
File created	C:\Windows\{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe
File created	C:\Windows\{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{80989334-5028-4435-9283-6487F423EF25}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4620	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
Token: SeIncBasePriorityPrivilege	4928	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe
Token: SeIncBasePriorityPrivilege	2196	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe
Token: SeIncBasePriorityPrivilege	2416	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe
Token: SeIncBasePriorityPrivilege	4824	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe
Token: SeIncBasePriorityPrivilege	448	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe
Token: SeIncBasePriorityPrivilege	3960	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe
Token: SeIncBasePriorityPrivilege	452	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe
Token: SeIncBasePriorityPrivilege	4272	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe
Token: SeIncBasePriorityPrivilege	3804	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe
Token: SeIncBasePriorityPrivilege	3444	{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe
Token: SeIncBasePriorityPrivilege	1184	{80989334-5028-4435-9283-6487F423EF25}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4620 wrote to memory of 4928	4620	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	94
PID 4620 wrote to memory of 4928	4620	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	94
PID 4620 wrote to memory of 4928	4620	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	94
PID 4620 wrote to memory of 2320	4620	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	95
PID 4620 wrote to memory of 2320	4620	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	95
PID 4620 wrote to memory of 2320	4620	b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe	95
PID 4928 wrote to memory of 2196	4928	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe	96
PID 4928 wrote to memory of 2196	4928	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe	96
PID 4928 wrote to memory of 2196	4928	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe	96
PID 4928 wrote to memory of 4984	4928	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe	97
PID 4928 wrote to memory of 4984	4928	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe	97
PID 4928 wrote to memory of 4984	4928	{19893CE5-E565-4622-B172-06D2DB70EB12}.exe	97
PID 2196 wrote to memory of 2416	2196	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe	100
PID 2196 wrote to memory of 2416	2196	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe	100
PID 2196 wrote to memory of 2416	2196	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe	100
PID 2196 wrote to memory of 4888	2196	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe	101
PID 2196 wrote to memory of 4888	2196	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe	101
PID 2196 wrote to memory of 4888	2196	{3C4D582B-9C9B-494a-83D9-64516F070006}.exe	101
PID 2416 wrote to memory of 4824	2416	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe	102
PID 2416 wrote to memory of 4824	2416	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe	102
PID 2416 wrote to memory of 4824	2416	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe	102
PID 2416 wrote to memory of 2160	2416	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe	103
PID 2416 wrote to memory of 2160	2416	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe	103
PID 2416 wrote to memory of 2160	2416	{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe	103
PID 4824 wrote to memory of 448	4824	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe	104
PID 4824 wrote to memory of 448	4824	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe	104
PID 4824 wrote to memory of 448	4824	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe	104
PID 4824 wrote to memory of 764	4824	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe	105
PID 4824 wrote to memory of 764	4824	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe	105
PID 4824 wrote to memory of 764	4824	{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe	105
PID 448 wrote to memory of 3960	448	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe	106
PID 448 wrote to memory of 3960	448	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe	106
PID 448 wrote to memory of 3960	448	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe	106
PID 448 wrote to memory of 4148	448	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe	107
PID 448 wrote to memory of 4148	448	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe	107
PID 448 wrote to memory of 4148	448	{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe	107
PID 3960 wrote to memory of 452	3960	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe	108
PID 3960 wrote to memory of 452	3960	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe	108
PID 3960 wrote to memory of 452	3960	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe	108
PID 3960 wrote to memory of 3648	3960	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe	109
PID 3960 wrote to memory of 3648	3960	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe	109
PID 3960 wrote to memory of 3648	3960	{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe	109
PID 452 wrote to memory of 4272	452	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe	110
PID 452 wrote to memory of 4272	452	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe	110
PID 452 wrote to memory of 4272	452	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe	110
PID 452 wrote to memory of 2576	452	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe	111
PID 452 wrote to memory of 2576	452	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe	111
PID 452 wrote to memory of 2576	452	{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe	111
PID 4272 wrote to memory of 3804	4272	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe	112
PID 4272 wrote to memory of 3804	4272	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe	112
PID 4272 wrote to memory of 3804	4272	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe	112
PID 4272 wrote to memory of 4320	4272	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe	113
PID 4272 wrote to memory of 4320	4272	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe	113
PID 4272 wrote to memory of 4320	4272	{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe	113
PID 3804 wrote to memory of 3444	3804	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe	114
PID 3804 wrote to memory of 3444	3804	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe	114
PID 3804 wrote to memory of 3444	3804	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe	114
PID 3804 wrote to memory of 2000	3804	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe	115
PID 3804 wrote to memory of 2000	3804	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe	115
PID 3804 wrote to memory of 2000	3804	{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe	115
PID 3444 wrote to memory of 1184	3444	{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe	116
PID 3444 wrote to memory of 1184	3444	{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe	116
PID 3444 wrote to memory of 1184	3444	{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe	116
PID 3444 wrote to memory of 4832	3444	{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe	117

C:\Users\Admin\AppData\Local\Temp\b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe
"C:\Users\Admin\AppData\Local\Temp\b50360e60fb3442bdb73986c72ffa8416aaf708f66217ead69df8249390e79a5.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4620
- C:\Windows\{19893CE5-E565-4622-B172-06D2DB70EB12}.exe
  C:\Windows\{19893CE5-E565-4622-B172-06D2DB70EB12}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4928
- - C:\Windows\{3C4D582B-9C9B-494a-83D9-64516F070006}.exe
    C:\Windows\{3C4D582B-9C9B-494a-83D9-64516F070006}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe
      C:\Windows\{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2416
    - - C:\Windows\{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe
        
        C:\Windows\{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe
        
        C:\Windows\{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe
        
        C:\Windows\{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3960
        
        C:\Windows\{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe
        
        C:\Windows\{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe
        
        C:\Windows\{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe
        
        C:\Windows\{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3804
        
        C:\Windows\{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe
        
        C:\Windows\{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3444
        
        C:\Windows\{80989334-5028-4435-9283-6487F423EF25}.exe
        
        C:\Windows\{80989334-5028-4435-9283-6487F423EF25}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
        
        C:\Windows\{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}.exe
        
        C:\Windows\{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{80989~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DFDE7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AF9BE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{331B1~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0F60D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6DC8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4ADD~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F521~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:764
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9C94~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{3C4D5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4888
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{19893~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\B50360~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F60D5A2-E475-4997-9D27-BF8273433B06}.exe

Filesize
90KB

MD5
d6fe1087b420002d55013c641f0aad6b

SHA1
4aba7728c613525f77eb9589c0cdaa998bce738e

SHA256
30a65857d89775552bd5c382078f3e0e4c929f9466dd3c6f88c6bc2180686f28

SHA512
dc5ba379be39c2d5c1b4c1ab7a3d2d775d06def7182a5c142917064c9eda3605398c0af643b6c0cc8fa60365252bcb6ecd957b19bfcc18c309f6de3a06ecf925

Download Submit
C:\Windows\{19893CE5-E565-4622-B172-06D2DB70EB12}.exe

Filesize
90KB

MD5
a050bc114c2fb89f550ef28d5acbbf78

SHA1
d529cb046c7ee15f31aed809910dd30df1387eec

SHA256
6eb293c5756924754a2a878488505717721f793bbedaa48428c69a4c51c8225a

SHA512
f482297085a1c056f113ce842190423192d7ee655da39687c58a6de64f64d8e7d1216e0be500faf6ea1c144c2ab3e164059efe177f951d7c65117f3d2807305c

Download Submit
C:\Windows\{331B18B3-BB2C-42fd-B412-C807915E83C1}.exe

Filesize
90KB

MD5
ce0cd89f76024028f0194aba6e43fb03

SHA1
fdf575dc4f5f0fe94e899ccfed248700c5791a6f

SHA256
54e6b8efc3e6a4ed74717b3bcd68055addbdf12b1dbd73cdfe7e1e4eefee5daf

SHA512
7fcb5d4ded46d475b6a3640e1b7e469547ea7a16d5f2dad45bf02f48006ce68379e6493caa8f3b97c0579c1e5d98d8fde23ffecf7e710eb54b3467ead583117e

Download Submit
C:\Windows\{3C4D582B-9C9B-494a-83D9-64516F070006}.exe

Filesize
90KB

MD5
cd2ec43ae14f56e836ec9a9782393c3f

SHA1
e805b1189fb5e31da2294eb94ce9d212fa9af479

SHA256
490f1cddf5f401b356f8e11ac6690da21d1b7134072c0a4f9bb7ef8402715b07

SHA512
76a36bc12f63fc0ca615e424973c1af9ae1bafa98d066ec18c4ad032b05fd500e31be3c2638bf2a7e3fe8d4aa9d376186b2c3096a536f1a947b7ea41f445c65f

Download Submit
C:\Windows\{80989334-5028-4435-9283-6487F423EF25}.exe

Filesize
90KB

MD5
1f62e27c705e4fe1d23f76d2acd56deb

SHA1
0b496194ed41737116dda652bc0ae16db9497384

SHA256
c0f83ea71eb23afdaef1335303423ffc1f0433e43975baf3cc040b0e43c88746

SHA512
839a2799c4bc92fd6c1977c8e774c498b35f2df516726ef85575032d9493134e2f45d63e691108242e0ddb04422a09930d29bba759222922f991d508ae54bcaa

Download Submit
C:\Windows\{8F521D35-B1E7-4430-9DC2-9F7272E1B646}.exe

Filesize
90KB

MD5
73bd51f38c572d11058fa9b0595f9b82

SHA1
ed9bfb2a19acd45c334269cd1ec88866d99e2c7e

SHA256
240c21f50778078f88cc6f4896ee248d6143003ccbfd16084c27ee3acb438c7f

SHA512
955f2fb1904872e27fca48cc881c1e58eeb81d42c6709c599bdc2a4d1067db32412d021fb9d3be220ad681e222875db1fd535d86baebcf25025941ccf87536e2

Download Submit
C:\Windows\{A1B2D287-AA33-4047-ACF6-512ECCDB0B7A}.exe

Filesize
90KB

MD5
bc6b273472b1ee8a5ef48e154f950b06

SHA1
11c8df100637d3a9283782ea485e40e4d329978f

SHA256
f00b82e431c83734e534cff37cafcbb8e8140823a7e8eb9e3d9e87c1e8f67029

SHA512
d3e0a33e15cc84b058a2ac97322dd1bfec10f0abe322012e104bb1f0607c99f1496aa707316f54307f3ed10be45c363bdce2c716d73ebe2060330763319f58b3

Download Submit
C:\Windows\{A4ADD88E-CDC9-47d5-B996-9A402808B7C4}.exe

Filesize
90KB

MD5
239bef730b8425ba0b09769cdeed51e7

SHA1
ec03e544c216c912f956a2f03f4f56fd21a731fe

SHA256
d2e65fdff393252c4beb792b24beabfd43a2b95c92ea23f0785e1b6bf2f84ec4

SHA512
794f7fb855f33733f1c317e4eca9800d1404c07c2d0b08d4fe2f9e6e831f74cf5c9a063842e1fb9a963465bbab2078295c621cd213576dd1767c10920832d1ce

Download Submit
C:\Windows\{AF9BEFFA-25A9-490b-8B5E-076E3CF6AF16}.exe

Filesize
90KB

MD5
598c9c36dbf5cb66b16b27a4cc913583

SHA1
2d28b306d9f1b0620e1fc13ec9af65fd0e2065db

SHA256
105bff3254618b77301a32d7592e829d8cc1144c8673635a3b07442588546744

SHA512
00445d81540bee6e12f340633a7a1c286a3e362b18425ff494ff96543dae7d48893e4241d0012c88e23f81c886ec03f4b5d60f29841379c65dfde1fcaf2f15a6

Download Submit
C:\Windows\{DFDE7176-EFFB-47a9-AFB1-F76A717E8EE5}.exe

Filesize
90KB

MD5
1fcdb9b594635bb258209b5eab86f567

SHA1
2bfbea98f1dea25934a788e61913c3510a0783af

SHA256
bf847c011917e672c6cd68d2a2faee02e1791bd3b88b58c8289a001079eacef6

SHA512
54be595322bdc66f12e20d1957fedfe8f23c3a1f897e28e70106f5fa6af29969fd2bfc306d8f4e34ec544cbc8a5bba962b234769bf353fb635d8520c2ac717fe

Download Submit
C:\Windows\{F6DC8877-1A6E-458e-8416-196F6AAD7FF6}.exe

Filesize
90KB

MD5
8f92a9df3422edf61fb85a8c5459112f

SHA1
b923d2fc702ebfd8c887db16e26104538f8c89db

SHA256
ff369a64707af3f1a8385795cb3b4fbb5b061331938b089840d6b809e0e1aab8

SHA512
997eb201a6649d8bce824bf0fecef0ec06941b3cd4f8ba9d511bdcbc510669b26f9578d01b274489604c1364fb5b1616c5fbe09fd7af07db6f4ea373ad4bc766

Download Submit
C:\Windows\{F9C94464-130F-4d8e-9D3C-A44CBCF3033D}.exe

Filesize
90KB

MD5
3276ea68796433552b11d874908dfc6c

SHA1
f4fdf28820cb3739ae18be675e40b8add8f56826

SHA256
693b21512d619344dcc6388bac6a8f251f46aa7e3be92fd5787fc29e80a6e5fc

SHA512
22884ff6eb89fa8d185c7994b9ad4d066da4ddadcac62efe9b685ba84d98ee244286397740968de21ed7b818f2918083476b51c05167c72c2f19d30f08302e04

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads