2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3

Analysis

max time kernel
149s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-09-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
Size

204KB
MD5

812845a38d0e46c33d6158022a93546e
SHA1

b94bd84bf01c5f2ace6f57e68e1ef4f02e122027
SHA256

2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3
SHA512

b039e4d5b6b8bd5e2dccf4ec79ec2ae5f75eb8a8e864c64705c1706f6fd47f9ee0ca4bdc370fec0527621bf1f8bb7d25df134571887abd94f22d3e7d3ae90d7a
SSDEEP

1536:1EGh0oBl15IRVhNJ5Qef7BudMeNzVg3Ve+rrS2GunMxVS3Hgdo:1EGh0oBl1OPOe2MUVg3Ve+rXfMUy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A21F9F18-F226-4e78-80A1-B1992B0A6327}	{78D410A3-6851-402b-B780-162C956E49BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5622CD-615C-4963-AC76-6C449B52AE6B}	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}\stubpath = "C:\\Windows\\{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe"	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78D410A3-6851-402b-B780-162C956E49BC}	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86B2C74F-060F-45f2-B263-801F4BC3F8BA}	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}\stubpath = "C:\\Windows\\{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe"	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED73ABDC-0756-4366-86A3-D2585E4C9E97}\stubpath = "C:\\Windows\\{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe"	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}\stubpath = "C:\\Windows\\{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe"	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85DD056A-5D7B-4d4d-857B-42229FE52508}	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85DD056A-5D7B-4d4d-857B-42229FE52508}\stubpath = "C:\\Windows\\{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe"	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{572D2B08-BF71-4e6a-BB09-9E3674841934}	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86B2C74F-060F-45f2-B263-801F4BC3F8BA}\stubpath = "C:\\Windows\\{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe"	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}\stubpath = "C:\\Windows\\{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe"	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED73ABDC-0756-4366-86A3-D2585E4C9E97}	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A4F43CC-F0C2-487c-863B-723E169EE9BD}\stubpath = "C:\\Windows\\{1A4F43CC-F0C2-487c-863B-723E169EE9BD}.exe"	{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{572D2B08-BF71-4e6a-BB09-9E3674841934}\stubpath = "C:\\Windows\\{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe"	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A21F9F18-F226-4e78-80A1-B1992B0A6327}\stubpath = "C:\\Windows\\{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe"	{78D410A3-6851-402b-B780-162C956E49BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A4F43CC-F0C2-487c-863B-723E169EE9BD}	{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{78D410A3-6851-402b-B780-162C956E49BC}\stubpath = "C:\\Windows\\{78D410A3-6851-402b-B780-162C956E49BC}.exe"	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC5622CD-615C-4963-AC76-6C449B52AE6B}\stubpath = "C:\\Windows\\{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe"	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe

Executes dropped EXE 12 IoCs

pid	Process
1204	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe
3640	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe
5068	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe
5104	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe
3768	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe
4796	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe
2184	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe
472	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe
4564	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe
3932	{78D410A3-6851-402b-B780-162C956E49BC}.exe
4524	{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe
1132	{1A4F43CC-F0C2-487c-863B-723E169EE9BD}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe
File created	C:\Windows\{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe
File created	C:\Windows\{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe
File created	C:\Windows\{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe
File created	C:\Windows\{1A4F43CC-F0C2-487c-863B-723E169EE9BD}.exe	{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe
File created	C:\Windows\{78D410A3-6851-402b-B780-162C956E49BC}.exe	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe
File created	C:\Windows\{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe	{78D410A3-6851-402b-B780-162C956E49BC}.exe
File created	C:\Windows\{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
File created	C:\Windows\{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe
File created	C:\Windows\{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe
File created	C:\Windows\{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe
File created	C:\Windows\{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A4F43CC-F0C2-487c-863B-723E169EE9BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{78D410A3-6851-402b-B780-162C956E49BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2372	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
Token: SeIncBasePriorityPrivilege	1204	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe
Token: SeIncBasePriorityPrivilege	3640	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe
Token: SeIncBasePriorityPrivilege	5068	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe
Token: SeIncBasePriorityPrivilege	5104	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe
Token: SeIncBasePriorityPrivilege	3768	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe
Token: SeIncBasePriorityPrivilege	4796	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe
Token: SeIncBasePriorityPrivilege	2184	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe
Token: SeIncBasePriorityPrivilege	472	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe
Token: SeIncBasePriorityPrivilege	4564	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe
Token: SeIncBasePriorityPrivilege	3932	{78D410A3-6851-402b-B780-162C956E49BC}.exe
Token: SeIncBasePriorityPrivilege	4524	{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1204	2372	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	94
PID 2372 wrote to memory of 1204	2372	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	94
PID 2372 wrote to memory of 1204	2372	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	94
PID 2372 wrote to memory of 3572	2372	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	95
PID 2372 wrote to memory of 3572	2372	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	95
PID 2372 wrote to memory of 3572	2372	2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe	95
PID 1204 wrote to memory of 3640	1204	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe	96
PID 1204 wrote to memory of 3640	1204	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe	96
PID 1204 wrote to memory of 3640	1204	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe	96
PID 1204 wrote to memory of 5060	1204	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe	97
PID 1204 wrote to memory of 5060	1204	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe	97
PID 1204 wrote to memory of 5060	1204	{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe	97
PID 3640 wrote to memory of 5068	3640	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe	100
PID 3640 wrote to memory of 5068	3640	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe	100
PID 3640 wrote to memory of 5068	3640	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe	100
PID 3640 wrote to memory of 4144	3640	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe	101
PID 3640 wrote to memory of 4144	3640	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe	101
PID 3640 wrote to memory of 4144	3640	{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe	101
PID 5068 wrote to memory of 5104	5068	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe	102
PID 5068 wrote to memory of 5104	5068	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe	102
PID 5068 wrote to memory of 5104	5068	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe	102
PID 5068 wrote to memory of 2040	5068	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe	103
PID 5068 wrote to memory of 2040	5068	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe	103
PID 5068 wrote to memory of 2040	5068	{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe	103
PID 5104 wrote to memory of 3768	5104	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe	104
PID 5104 wrote to memory of 3768	5104	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe	104
PID 5104 wrote to memory of 3768	5104	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe	104
PID 5104 wrote to memory of 4156	5104	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe	105
PID 5104 wrote to memory of 4156	5104	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe	105
PID 5104 wrote to memory of 4156	5104	{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe	105
PID 3768 wrote to memory of 4796	3768	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe	106
PID 3768 wrote to memory of 4796	3768	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe	106
PID 3768 wrote to memory of 4796	3768	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe	106
PID 3768 wrote to memory of 4384	3768	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe	107
PID 3768 wrote to memory of 4384	3768	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe	107
PID 3768 wrote to memory of 4384	3768	{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe	107
PID 4796 wrote to memory of 2184	4796	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe	108
PID 4796 wrote to memory of 2184	4796	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe	108
PID 4796 wrote to memory of 2184	4796	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe	108
PID 4796 wrote to memory of 3276	4796	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe	109
PID 4796 wrote to memory of 3276	4796	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe	109
PID 4796 wrote to memory of 3276	4796	{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe	109
PID 2184 wrote to memory of 472	2184	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe	110
PID 2184 wrote to memory of 472	2184	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe	110
PID 2184 wrote to memory of 472	2184	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe	110
PID 2184 wrote to memory of 3560	2184	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe	111
PID 2184 wrote to memory of 3560	2184	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe	111
PID 2184 wrote to memory of 3560	2184	{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe	111
PID 472 wrote to memory of 4564	472	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe	112
PID 472 wrote to memory of 4564	472	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe	112
PID 472 wrote to memory of 4564	472	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe	112
PID 472 wrote to memory of 3664	472	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe	113
PID 472 wrote to memory of 3664	472	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe	113
PID 472 wrote to memory of 3664	472	{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe	113
PID 4564 wrote to memory of 3932	4564	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe	114
PID 4564 wrote to memory of 3932	4564	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe	114
PID 4564 wrote to memory of 3932	4564	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe	114
PID 4564 wrote to memory of 456	4564	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe	115
PID 4564 wrote to memory of 456	4564	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe	115
PID 4564 wrote to memory of 456	4564	{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe	115
PID 3932 wrote to memory of 4524	3932	{78D410A3-6851-402b-B780-162C956E49BC}.exe	116
PID 3932 wrote to memory of 4524	3932	{78D410A3-6851-402b-B780-162C956E49BC}.exe	116
PID 3932 wrote to memory of 4524	3932	{78D410A3-6851-402b-B780-162C956E49BC}.exe	116
PID 3932 wrote to memory of 1116	3932	{78D410A3-6851-402b-B780-162C956E49BC}.exe	117

C:\Users\Admin\AppData\Local\Temp\2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe
"C:\Users\Admin\AppData\Local\Temp\2aea86819a6b684a5fbcad254441232d03ce9c9d7a7841939f9a19097dc70df3.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe
  C:\Windows\{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe
    C:\Windows\{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe
      C:\Windows\{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5068
    - - C:\Windows\{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe
        
        C:\Windows\{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5104
      - C:\Windows\{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe
        
        C:\Windows\{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Windows\{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe
        
        C:\Windows\{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe
        
        C:\Windows\{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\Windows\{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe
        
        C:\Windows\{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:472
        
        C:\Windows\{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe
        
        C:\Windows\{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\{78D410A3-6851-402b-B780-162C956E49BC}.exe
        
        C:\Windows\{78D410A3-6851-402b-B780-162C956E49BC}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3932
        
        C:\Windows\{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe
        
        C:\Windows\{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4524
        
        C:\Windows\{1A4F43CC-F0C2-487c-863B-723E169EE9BD}.exe
        
        C:\Windows\{1A4F43CC-F0C2-487c-863B-723E169EE9BD}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A21F9~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2656
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78D41~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5454F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{572D2~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85DD0~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3560
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DC2E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC562~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B639E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4156
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED73A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BDBAC~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4144
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86B2C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\2AEA86~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1A4F43CC-F0C2-487c-863B-723E169EE9BD}.exe

Filesize
204KB

MD5
412af69ea37d6a733bb9817aedb48c1b

SHA1
1cfb9ea3d8dd8785e427bb293aa402726959dd85

SHA256
f545e8a27b6bac03c79aaebec5102bb549b67bfa4220a52008f97aff95d07f14

SHA512
11c055ebd43d2789804944c394c28ac69b93dec88b3268bf724252fdf9b288cb034eeadca33d01688867f4708a1d9284651802c1d4d7ec61172afe3631ce26f9

Download Submit
C:\Windows\{5454F782-0ADE-44a2-AEE0-9856FCAF45F1}.exe

Filesize
204KB

MD5
8091bb340133d063e8b47b7c4319f816

SHA1
e45292a0751249a92c4bc9c84c0f71e726f3a8ec

SHA256
a88a7c1271ab4c6b3fb4c7d60fea8fbcf2e8ff0713ae2521e850663665165521

SHA512
137965371d8fa63635c24edf443c87197daf9b3cb4bdda760f22cdffe03bab2b19f8acba1146074e35c84a477e5893e376d14d8ad53a074e7830f66114959375

Download Submit
C:\Windows\{572D2B08-BF71-4e6a-BB09-9E3674841934}.exe

Filesize
204KB

MD5
f7faa62ca0d57562944e3ed412888748

SHA1
ea1baee40e7a6086ce1e192f76f511c4a5a06bf1

SHA256
b6329159c009e6d4600f5f8f8e63c69ef4f42242cb3e280ebc3a180d986fd026

SHA512
eaca0fa6305cab9b8c21de6f060b0ee191dd4360732eb743205d77de3bc0fc89f2a982b01106560bb07a269f87e4c19c232798034852be72295a1e66915ffd4e

Download Submit
C:\Windows\{78D410A3-6851-402b-B780-162C956E49BC}.exe

Filesize
204KB

MD5
edbec17d63741370e9f373a3e1687449

SHA1
2e8deffb5b5953fedd119148c0212a8466a3e837

SHA256
43194b0a865533c6901474c4a9e1484d42d2d89c781107aef6832b2d37e13ae3

SHA512
62bc734b99fcb015ef0df7c1c6c7f41d65b2bb44de9f4d873088499e5ab33ae376efa818c61dcf271b152c237a24242d06a95f4fd995a403e9aea20f65f69bb5

Download Submit
C:\Windows\{85DD056A-5D7B-4d4d-857B-42229FE52508}.exe

Filesize
204KB

MD5
261ea6160aaa5ac1b159cdb44d2a4232

SHA1
33503241546a77dbad0714e2da810568e8ede60d

SHA256
85c0759c654a5403c98597872d9602bc13b85218ccada40108c681a4b6590984

SHA512
af78a93bc934e3f6657ca70a1284b3341459ca67e19438f39316ec65e4d05642932179235afec3d90043a4c7c8465eb7371b083310a5b016cf03926da0972f07

Download Submit
C:\Windows\{86B2C74F-060F-45f2-B263-801F4BC3F8BA}.exe

Filesize
204KB

MD5
912f40734b8fbe49c47b5856651d223c

SHA1
56a6d8c843f50b15f9e5d48297b84f19eeaa0a7d

SHA256
22e5cb60708f123469cef5eb31f5d1329f5354dd7e9cb414c5e3d8461aab09a3

SHA512
33f3cca1be55a2d4a1c3f8cd7945a6e52a5d83a3876be0e59e4a4eb8abdab00055a763580a77420b1ae9114c2779c573fa7d58e1ed9d501d6b476d14fbb1a394

Download Submit
C:\Windows\{8DC2ECA9-41F3-41bb-B8AD-316E655431F2}.exe

Filesize
204KB

MD5
8f535e04b8be0e9eb22bc5a854fb1f06

SHA1
fe1941b552071e2901b3dc9dd6c2f36d92ab2dfc

SHA256
e2029ffca88827abf77d1d2b683d98f9e352193e585536e26980b32909b073d2

SHA512
f1388bcc774eecb44c2b3720b168e1dea31834d82f3663f55fa460b289d98479820381d6f685e0535d746abbc6062382baac568252b436bf59abc74066a0cc10

Download Submit
C:\Windows\{A21F9F18-F226-4e78-80A1-B1992B0A6327}.exe

Filesize
204KB

MD5
787582423ec037bd070b020641236bce

SHA1
c1ff85bf3f7639f60c1f3d467392d1a5e97656f6

SHA256
e903847f427c28bedc8b420f637bc369fbf5f113d666e27d23829737f8bbf2c5

SHA512
8e1fdd0b38b6a1313616ca920ecda04c96fbcef8295cf15d0f6ad9a46ac5a8afb399e48400c764952733250d29e5756a499404304700512ac2486ac051c300a6

Download Submit
C:\Windows\{AC5622CD-615C-4963-AC76-6C449B52AE6B}.exe

Filesize
204KB

MD5
55586b176adb66498489f76a7cc8c2bb

SHA1
f4391810e32e7af8aaebff75cb0e61ed4d7a384e

SHA256
1bf16be17b4afd8986841c9add88deffebeda2c239d9998e48e55e552939c8b7

SHA512
116f55f84dbb44858839a6eba44f15b81cc6d77b95fb41d86c4cf9f51c4c0147186f2a336509c0596f0412591254f8b8dbcc420c74032969447696a2208d1efe

Download Submit
C:\Windows\{B639ED2D-C1CC-4110-BE27-DE95E77B31D4}.exe

Filesize
204KB

MD5
38f1f5db1dd2ac35018e596e7afed23a

SHA1
9b9a3044630692a3ac4f0e33d077f6c10ac2aca0

SHA256
b38a38a1216200b1676623f800ef137ba4d234a37468db8b62e0cb453527fd98

SHA512
beb8db95cc481b596e7c4483a28cdea15425ccfc751df3634fd3366ef8561490ae85f1fbbe5f8da10bd28b3526b4ded685d56ea1700df10fdb1c10b5ca3c5859

Download Submit
C:\Windows\{BDBAC8E4-E316-47fa-9754-49DDAE1D8C69}.exe

Filesize
204KB

MD5
1c9350c02f63ca74ab7c774b2100d088

SHA1
0e586af8884275a8765ef7b1833b7e49c97e6485

SHA256
d7c317afb1f16a125cf4ef2e56c4891d06db55657db4c40b75ab0ed75fb2fb91

SHA512
5f0cfc15380174a38818632f73fa868a45052de866e1b43f44f1d52cda4eed6d81775c49305021ec8e9263ec4d12073966f2784b2448ffe3a4767d63e22c792b

Download Submit
C:\Windows\{ED73ABDC-0756-4366-86A3-D2585E4C9E97}.exe

Filesize
204KB

MD5
ca7a9f28cfee5169d893309c0c9318f7

SHA1
1cefc38ca6e97b50051fe552edf569afbefcfd6b

SHA256
02e917ccafe598df813f349c4555bf77d38d9af6c52b7ce64d631e1bc79e46bd

SHA512
6a9567396b7375695430b2989911eb40193a5446067b7b1d738cba3dbd68e39a390f34bcaf09ae2a9bd0ef7dc6da4dff8e86382f9cc659ce58a7f6aecd58b1d3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads