c8543bbabaa0414c509e9b9ef5ae83fc049d7a6ca9da05a73817e38958da9519

Analysis

max time kernel
118s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

329bcf486218a0bef6fae74eef71ed10N.exe
Size

89KB
MD5

329bcf486218a0bef6fae74eef71ed10
SHA1

6fff49a4a5be6121aa6180a3645b166c16c5c843
SHA256

c8543bbabaa0414c509e9b9ef5ae83fc049d7a6ca9da05a73817e38958da9519
SHA512

58fb058e160b95112d3688a0f10cc8d99c38383067dd45e66655d326bd1fabde5fe6cae989915824997507af8e8e41ac82db97bcf379d336ccfbcd1a11f030bf
SSDEEP

768:Qvw9816vhKQLrob4/wQRNrfrunMxVFA3b7gl5:YEGh0obl2unMxVS3HgX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C96D8F5-777D-408a-9F14-12ECD983B3A3}\stubpath = "C:\\Windows\\{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe"	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FC32B8F-B0D2-4477-AEBD-5E6E5AD0330A}	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}	{385917D7-646E-4120-866D-3F471F935F64}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85E05698-534A-47ee-92AF-2B3A9ECBB69A}	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C06223B1-3A61-40dc-B254-3269FAC83D5E}	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1499314-FCA2-48c5-963F-72962068801D}	329bcf486218a0bef6fae74eef71ed10N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C06223B1-3A61-40dc-B254-3269FAC83D5E}\stubpath = "C:\\Windows\\{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe"	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FC32B8F-B0D2-4477-AEBD-5E6E5AD0330A}\stubpath = "C:\\Windows\\{8FC32B8F-B0D2-4477-AEBD-5E6E5AD0330A}.exe"	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}\stubpath = "C:\\Windows\\{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe"	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{85E05698-534A-47ee-92AF-2B3A9ECBB69A}\stubpath = "C:\\Windows\\{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe"	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{385917D7-646E-4120-866D-3F471F935F64}	{D1499314-FCA2-48c5-963F-72962068801D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{385917D7-646E-4120-866D-3F471F935F64}\stubpath = "C:\\Windows\\{385917D7-646E-4120-866D-3F471F935F64}.exe"	{D1499314-FCA2-48c5-963F-72962068801D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}\stubpath = "C:\\Windows\\{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe"	{385917D7-646E-4120-866D-3F471F935F64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}\stubpath = "C:\\Windows\\{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe"	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D1499314-FCA2-48c5-963F-72962068801D}\stubpath = "C:\\Windows\\{D1499314-FCA2-48c5-963F-72962068801D}.exe"	329bcf486218a0bef6fae74eef71ed10N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3C96D8F5-777D-408a-9F14-12ECD983B3A3}	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe

Executes dropped EXE 9 IoCs

pid	Process
1392	{D1499314-FCA2-48c5-963F-72962068801D}.exe
2516	{385917D7-646E-4120-866D-3F471F935F64}.exe
4696	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe
4404	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe
2212	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe
4676	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe
3096	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe
3400	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe
3412	{8FC32B8F-B0D2-4477-AEBD-5E6E5AD0330A}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe
File created	C:\Windows\{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe
File created	C:\Windows\{8FC32B8F-B0D2-4477-AEBD-5E6E5AD0330A}.exe	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe
File created	C:\Windows\{D1499314-FCA2-48c5-963F-72962068801D}.exe	329bcf486218a0bef6fae74eef71ed10N.exe
File created	C:\Windows\{385917D7-646E-4120-866D-3F471F935F64}.exe	{D1499314-FCA2-48c5-963F-72962068801D}.exe
File created	C:\Windows\{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe
File created	C:\Windows\{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe	{385917D7-646E-4120-866D-3F471F935F64}.exe
File created	C:\Windows\{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe
File created	C:\Windows\{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{385917D7-646E-4120-866D-3F471F935F64}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D1499314-FCA2-48c5-963F-72962068801D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8FC32B8F-B0D2-4477-AEBD-5E6E5AD0330A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	329bcf486218a0bef6fae74eef71ed10N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3276	329bcf486218a0bef6fae74eef71ed10N.exe
Token: SeIncBasePriorityPrivilege	1392	{D1499314-FCA2-48c5-963F-72962068801D}.exe
Token: SeIncBasePriorityPrivilege	2516	{385917D7-646E-4120-866D-3F471F935F64}.exe
Token: SeIncBasePriorityPrivilege	4696	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe
Token: SeIncBasePriorityPrivilege	4404	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe
Token: SeIncBasePriorityPrivilege	2212	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe
Token: SeIncBasePriorityPrivilege	4676	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe
Token: SeIncBasePriorityPrivilege	3096	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe
Token: SeIncBasePriorityPrivilege	3400	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 1392	3276	329bcf486218a0bef6fae74eef71ed10N.exe	96
PID 3276 wrote to memory of 1392	3276	329bcf486218a0bef6fae74eef71ed10N.exe	96
PID 3276 wrote to memory of 1392	3276	329bcf486218a0bef6fae74eef71ed10N.exe	96
PID 3276 wrote to memory of 2264	3276	329bcf486218a0bef6fae74eef71ed10N.exe	97
PID 3276 wrote to memory of 2264	3276	329bcf486218a0bef6fae74eef71ed10N.exe	97
PID 3276 wrote to memory of 2264	3276	329bcf486218a0bef6fae74eef71ed10N.exe	97
PID 1392 wrote to memory of 2516	1392	{D1499314-FCA2-48c5-963F-72962068801D}.exe	98
PID 1392 wrote to memory of 2516	1392	{D1499314-FCA2-48c5-963F-72962068801D}.exe	98
PID 1392 wrote to memory of 2516	1392	{D1499314-FCA2-48c5-963F-72962068801D}.exe	98
PID 1392 wrote to memory of 920	1392	{D1499314-FCA2-48c5-963F-72962068801D}.exe	99
PID 1392 wrote to memory of 920	1392	{D1499314-FCA2-48c5-963F-72962068801D}.exe	99
PID 1392 wrote to memory of 920	1392	{D1499314-FCA2-48c5-963F-72962068801D}.exe	99
PID 2516 wrote to memory of 4696	2516	{385917D7-646E-4120-866D-3F471F935F64}.exe	102
PID 2516 wrote to memory of 4696	2516	{385917D7-646E-4120-866D-3F471F935F64}.exe	102
PID 2516 wrote to memory of 4696	2516	{385917D7-646E-4120-866D-3F471F935F64}.exe	102
PID 2516 wrote to memory of 1468	2516	{385917D7-646E-4120-866D-3F471F935F64}.exe	103
PID 2516 wrote to memory of 1468	2516	{385917D7-646E-4120-866D-3F471F935F64}.exe	103
PID 2516 wrote to memory of 1468	2516	{385917D7-646E-4120-866D-3F471F935F64}.exe	103
PID 4696 wrote to memory of 4404	4696	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe	104
PID 4696 wrote to memory of 4404	4696	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe	104
PID 4696 wrote to memory of 4404	4696	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe	104
PID 4696 wrote to memory of 3900	4696	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe	105
PID 4696 wrote to memory of 3900	4696	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe	105
PID 4696 wrote to memory of 3900	4696	{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe	105
PID 4404 wrote to memory of 2212	4404	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe	106
PID 4404 wrote to memory of 2212	4404	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe	106
PID 4404 wrote to memory of 2212	4404	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe	106
PID 4404 wrote to memory of 4460	4404	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe	107
PID 4404 wrote to memory of 4460	4404	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe	107
PID 4404 wrote to memory of 4460	4404	{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe	107
PID 2212 wrote to memory of 4676	2212	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe	108
PID 2212 wrote to memory of 4676	2212	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe	108
PID 2212 wrote to memory of 4676	2212	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe	108
PID 2212 wrote to memory of 516	2212	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe	109
PID 2212 wrote to memory of 516	2212	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe	109
PID 2212 wrote to memory of 516	2212	{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe	109
PID 4676 wrote to memory of 3096	4676	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe	110
PID 4676 wrote to memory of 3096	4676	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe	110
PID 4676 wrote to memory of 3096	4676	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe	110
PID 4676 wrote to memory of 5004	4676	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe	111
PID 4676 wrote to memory of 5004	4676	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe	111
PID 4676 wrote to memory of 5004	4676	{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe	111
PID 3096 wrote to memory of 3400	3096	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe	112
PID 3096 wrote to memory of 3400	3096	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe	112
PID 3096 wrote to memory of 3400	3096	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe	112
PID 3096 wrote to memory of 2136	3096	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe	113
PID 3096 wrote to memory of 2136	3096	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe	113
PID 3096 wrote to memory of 2136	3096	{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe	113
PID 3400 wrote to memory of 3412	3400	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe	114
PID 3400 wrote to memory of 3412	3400	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe	114
PID 3400 wrote to memory of 3412	3400	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe	114
PID 3400 wrote to memory of 5008	3400	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe	115
PID 3400 wrote to memory of 5008	3400	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe	115
PID 3400 wrote to memory of 5008	3400	{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe	115

C:\Users\Admin\AppData\Local\Temp\329bcf486218a0bef6fae74eef71ed10N.exe
"C:\Users\Admin\AppData\Local\Temp\329bcf486218a0bef6fae74eef71ed10N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\{D1499314-FCA2-48c5-963F-72962068801D}.exe
  C:\Windows\{D1499314-FCA2-48c5-963F-72962068801D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Windows\{385917D7-646E-4120-866D-3F471F935F64}.exe
    C:\Windows\{385917D7-646E-4120-866D-3F471F935F64}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe
      C:\Windows\{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4696
    - - C:\Windows\{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe
        
        C:\Windows\{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4404
      - C:\Windows\{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe
        
        C:\Windows\{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2212
        
        C:\Windows\{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe
        
        C:\Windows\{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Windows\{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe
        
        C:\Windows\{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3096
        
        C:\Windows\{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe
        
        C:\Windows\{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3400
        
        C:\Windows\{8FC32B8F-B0D2-4477-AEBD-5E6E5AD0330A}.exe
        
        C:\Windows\{8FC32B8F-B0D2-4477-AEBD-5E6E5AD0330A}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16161~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{3C96D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0622~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85E05~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:516
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6462C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4460
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6DC02~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{38591~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D1499~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:920
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\329BCF~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1616151B-5A07-499e-8D5A-FA7DBB41B9C7}.exe

Filesize
89KB

MD5
3747615d44a96219d526acd6cb215113

SHA1
a8cfe5c3d90400f3407b3d471506a0debd14e0fd

SHA256
7d9fb93c9ed589fa24ef8a307e3734b5bd3f6feec218952f20ad64f2dd10b7aa

SHA512
477921eae3a1988556d4e241b6ca19a4b53459432bf48a08f063c7c696b49f15117f76d26e4c00ce39321f9fbe081cde535e83675578c86c09750d52e8dfeb7e

Download Submit
C:\Windows\{385917D7-646E-4120-866D-3F471F935F64}.exe

Filesize
89KB

MD5
523c0a9cd05698def1c31bc42221b103

SHA1
da242746f0feb5f49122c6f826c7ebfd6445cc0c

SHA256
97ee3fb240ea395b8df23918a4f3151094201fcd9c54c5b337bbf1571e08b86e

SHA512
774926f1f64853beac991b5718d1319e686a29e32d0e064e2e5cefad332f69574e106163d31cf9adb0bcacf1eb1b16e894d8a099990b47d478385b4d9cecade0

Download Submit
C:\Windows\{3C96D8F5-777D-408a-9F14-12ECD983B3A3}.exe

Filesize
89KB

MD5
d47f923ddab31fc138be6bd57c25ba02

SHA1
ec436bfe74a71e001df35e22ce94a6d9e335a57b

SHA256
0d49d1bbeb62ebf5e7fee633c2ab08b0015c8a13ca1777dc0bee27ba9f8e3404

SHA512
b2174089d3e6c8d51d7c269945e5aa4415d1f51732ea66f9c9706b6cb5d3a437ddc3130c74413e1adb8518d0ae6ba22fa5a9bdb5088bd447cc3fe288c41d0e0c

Download Submit
C:\Windows\{6462C610-AB67-4c5e-95FD-45D7D6EE70FA}.exe

Filesize
89KB

MD5
0823ff4042b4ff08e1ff8a4e11f53e5a

SHA1
a4b01e374893e53572f45e67376a544afcc99704

SHA256
c99ee91bbac3187a6d6ea5d3203e274b679a31cb58aef6b6a7d6a6389bb74022

SHA512
1ab7707a8aa0be61ef83b4570d22392a4b19dc886025fa24914b1b78ea736c44f0b2f1554f065147e109523b44c063eb16dcaf460b78c12ac1ab64c536439408

Download Submit
C:\Windows\{6DC02B3A-7FD4-4c66-98B9-25F45E3B7D98}.exe

Filesize
89KB

MD5
9a3db26e4b610294f701a3fcf4ae801b

SHA1
bfd2a6476a3b6297c3ad06d54d179250ba288808

SHA256
3d64c97a19f89877e3c32cd343eff530f1a115660614dc036d2825dc044795af

SHA512
f327269db884e43f057981ad58d2208937917a7c05ef4a637e4fc1ed3947116164a8168b63b20c3f05daa9365a6045ffaedc2024fb17980d93a08054811e201d

Download Submit
C:\Windows\{85E05698-534A-47ee-92AF-2B3A9ECBB69A}.exe

Filesize
89KB

MD5
bc985e17d108bd9510fc9f40b0394027

SHA1
5d2e3f9b782c7c33b90f2c3304d12c2d38fcefac

SHA256
8fe4ff311a4946796f506d5ce4a9a4f8ada8c600394ab9dda755e636a351c5f0

SHA512
3957294a50ebca2747d3ffe342e088adae7a50340d5afa861b4eb750e3c03861f7d926ab2513075856683703aea24ed337e50cc8094fb441bcc3feab65cfc549

Download Submit
C:\Windows\{8FC32B8F-B0D2-4477-AEBD-5E6E5AD0330A}.exe

Filesize
89KB

MD5
e4994c5d21c621860bcae0d977154d39

SHA1
7b96872bbc6f71dd305d203d06fde0a0b7adf1c5

SHA256
328673abea34c18131aa191dbccae58ada6533115eba426b0545e8f54a519653

SHA512
0208d8f721f48d98a01fe87961a8f3542894f5a44c8b230e2fb7b5511b0df205ef4c2d6fb46660f3f37162fbfda93a99e789f23966d2c91c7a34a46d8cb2c75e

Download Submit
C:\Windows\{C06223B1-3A61-40dc-B254-3269FAC83D5E}.exe

Filesize
89KB

MD5
b72918a61fc631782d43abdf007b9409

SHA1
b9f193e25be76e9e474ca3be677441284220f694

SHA256
935c0357280be339d8b21221d3d6a8d5912a8f5035428b409765c95aacba69df

SHA512
bd382061a1b16703746108a2785739786fde5295b0027415eaf31b8baba75f48a075843fc0dce84b812c39f4bb6b4aa80ab7c13e5c8a258caacff88ad9a7ab45

Download Submit
C:\Windows\{D1499314-FCA2-48c5-963F-72962068801D}.exe

Filesize
89KB

MD5
203d2f483ee7860278a3dba85899765a

SHA1
d831ade31ba007f9edde1cc6bcbfcb84d2c50fdd

SHA256
0df01297d6f8999a7f024ead346d186dd532ca39ee6025481f73a5b86de868eb

SHA512
c682e4fa11caa57f39606866e5b44b9d4823cf139f83b55227aefc50db360ed1d78a92038f7ebf7affa4e863e7b02ae597e1792af11521c9ed4de8fd1cf0f4e2

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads