3ef0ac894f1cca93e4fc8eefeb75da6ad8b6af7f1204af96d921d51da865dcaa

Analysis

max time kernel
118s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 18:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

afefab2dea177f8e80adc26712526190N.exe
Size

91KB
MD5

afefab2dea177f8e80adc26712526190
SHA1

1bfdb93e1fa684db303e663416b1654a9117511f
SHA256

3ef0ac894f1cca93e4fc8eefeb75da6ad8b6af7f1204af96d921d51da865dcaa
SHA512

c1c0ebca8ad2d49ca47398d66d70729d7bdd46ec39aa2f139129efb9fc8bc70fda720b278512c9cc5e7dbe740ee1bd117bd0cd62cab36569a22ff4e9a60c83f5
SSDEEP

768:5vw9816uhKiroM4/wQNNrfrunMxVFA3b7t:lEGkmoMlCunMxVS3Ht

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F261124-3C43-4f84-8E84-B39EB508B70A}	afefab2dea177f8e80adc26712526190N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4F5A645-D0EC-494d-98F2-10DC52D41367}\stubpath = "C:\\Windows\\{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe"	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D4D7A27-DCA0-4b07-B51D-2488A571066C}	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A83E074-003C-4289-BAFE-BBC26E16211C}	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}\stubpath = "C:\\Windows\\{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe"	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1A83E074-003C-4289-BAFE-BBC26E16211C}\stubpath = "C:\\Windows\\{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe"	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}\stubpath = "C:\\Windows\\{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe"	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E14075A8-199B-49b5-92E1-DA9FC1E1AABC}\stubpath = "C:\\Windows\\{E14075A8-199B-49b5-92E1-DA9FC1E1AABC}.exe"	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0F261124-3C43-4f84-8E84-B39EB508B70A}\stubpath = "C:\\Windows\\{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe"	afefab2dea177f8e80adc26712526190N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E4F5A645-D0EC-494d-98F2-10DC52D41367}	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C659F029-85A9-4753-B26D-340F0FFBE727}\stubpath = "C:\\Windows\\{C659F029-85A9-4753-B26D-340F0FFBE727}.exe"	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}\stubpath = "C:\\Windows\\{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe"	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E14075A8-199B-49b5-92E1-DA9FC1E1AABC}	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C659F029-85A9-4753-B26D-340F0FFBE727}	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D4D7A27-DCA0-4b07-B51D-2488A571066C}\stubpath = "C:\\Windows\\{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe"	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe

Executes dropped EXE 9 IoCs

pid	Process
4520	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe
680	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe
5016	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe
4868	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe
1724	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe
2316	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe
868	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe
780	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe
4364	{E14075A8-199B-49b5-92E1-DA9FC1E1AABC}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe
File created	C:\Windows\{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe
File created	C:\Windows\{E14075A8-199B-49b5-92E1-DA9FC1E1AABC}.exe	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe
File created	C:\Windows\{C659F029-85A9-4753-B26D-340F0FFBE727}.exe	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe
File created	C:\Windows\{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe
File created	C:\Windows\{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe
File created	C:\Windows\{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe
File created	C:\Windows\{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe
File created	C:\Windows\{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe	afefab2dea177f8e80adc26712526190N.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afefab2dea177f8e80adc26712526190N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E14075A8-199B-49b5-92E1-DA9FC1E1AABC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4480	afefab2dea177f8e80adc26712526190N.exe
Token: SeIncBasePriorityPrivilege	4520	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe
Token: SeIncBasePriorityPrivilege	680	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe
Token: SeIncBasePriorityPrivilege	5016	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe
Token: SeIncBasePriorityPrivilege	4868	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe
Token: SeIncBasePriorityPrivilege	1724	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe
Token: SeIncBasePriorityPrivilege	2316	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe
Token: SeIncBasePriorityPrivilege	868	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe
Token: SeIncBasePriorityPrivilege	780	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4520	4480	afefab2dea177f8e80adc26712526190N.exe	92
PID 4480 wrote to memory of 4520	4480	afefab2dea177f8e80adc26712526190N.exe	92
PID 4480 wrote to memory of 4520	4480	afefab2dea177f8e80adc26712526190N.exe	92
PID 4480 wrote to memory of 4316	4480	afefab2dea177f8e80adc26712526190N.exe	93
PID 4480 wrote to memory of 4316	4480	afefab2dea177f8e80adc26712526190N.exe	93
PID 4480 wrote to memory of 4316	4480	afefab2dea177f8e80adc26712526190N.exe	93
PID 4520 wrote to memory of 680	4520	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe	96
PID 4520 wrote to memory of 680	4520	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe	96
PID 4520 wrote to memory of 680	4520	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe	96
PID 4520 wrote to memory of 1556	4520	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe	97
PID 4520 wrote to memory of 1556	4520	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe	97
PID 4520 wrote to memory of 1556	4520	{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe	97
PID 680 wrote to memory of 5016	680	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe	100
PID 680 wrote to memory of 5016	680	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe	100
PID 680 wrote to memory of 5016	680	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe	100
PID 680 wrote to memory of 2404	680	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe	101
PID 680 wrote to memory of 2404	680	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe	101
PID 680 wrote to memory of 2404	680	{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe	101
PID 5016 wrote to memory of 4868	5016	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe	102
PID 5016 wrote to memory of 4868	5016	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe	102
PID 5016 wrote to memory of 4868	5016	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe	102
PID 5016 wrote to memory of 1760	5016	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe	103
PID 5016 wrote to memory of 1760	5016	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe	103
PID 5016 wrote to memory of 1760	5016	{C659F029-85A9-4753-B26D-340F0FFBE727}.exe	103
PID 4868 wrote to memory of 1724	4868	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe	104
PID 4868 wrote to memory of 1724	4868	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe	104
PID 4868 wrote to memory of 1724	4868	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe	104
PID 4868 wrote to memory of 548	4868	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe	105
PID 4868 wrote to memory of 548	4868	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe	105
PID 4868 wrote to memory of 548	4868	{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe	105
PID 1724 wrote to memory of 2316	1724	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe	106
PID 1724 wrote to memory of 2316	1724	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe	106
PID 1724 wrote to memory of 2316	1724	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe	106
PID 1724 wrote to memory of 1740	1724	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe	107
PID 1724 wrote to memory of 1740	1724	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe	107
PID 1724 wrote to memory of 1740	1724	{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe	107
PID 2316 wrote to memory of 868	2316	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe	108
PID 2316 wrote to memory of 868	2316	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe	108
PID 2316 wrote to memory of 868	2316	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe	108
PID 2316 wrote to memory of 4676	2316	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe	109
PID 2316 wrote to memory of 4676	2316	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe	109
PID 2316 wrote to memory of 4676	2316	{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe	109
PID 868 wrote to memory of 780	868	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe	110
PID 868 wrote to memory of 780	868	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe	110
PID 868 wrote to memory of 780	868	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe	110
PID 868 wrote to memory of 3576	868	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe	111
PID 868 wrote to memory of 3576	868	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe	111
PID 868 wrote to memory of 3576	868	{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe	111
PID 780 wrote to memory of 4364	780	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe	112
PID 780 wrote to memory of 4364	780	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe	112
PID 780 wrote to memory of 4364	780	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe	112
PID 780 wrote to memory of 2628	780	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe	113
PID 780 wrote to memory of 2628	780	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe	113
PID 780 wrote to memory of 2628	780	{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe	113

C:\Users\Admin\AppData\Local\Temp\afefab2dea177f8e80adc26712526190N.exe
"C:\Users\Admin\AppData\Local\Temp\afefab2dea177f8e80adc26712526190N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe
  C:\Windows\{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe
    C:\Windows\{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows\{C659F029-85A9-4753-B26D-340F0FFBE727}.exe
      C:\Windows\{C659F029-85A9-4753-B26D-340F0FFBE727}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe
        
        C:\Windows\{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4868
      - C:\Windows\{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe
        
        C:\Windows\{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe
        
        C:\Windows\{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2316
        
        C:\Windows\{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe
        
        C:\Windows\{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe
        
        C:\Windows\{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:780
        
        C:\Windows\{E14075A8-199B-49b5-92E1-DA9FC1E1AABC}.exe
        
        C:\Windows\{E14075A8-199B-49b5-92E1-DA9FC1E1AABC}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{545CF~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA9E4~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3576
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A83E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4676
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1718B~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1740
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D4D7~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:548
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C659F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E4F5A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{0F261~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\AFEFAB~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0F261124-3C43-4f84-8E84-B39EB508B70A}.exe

Filesize
91KB

MD5
4ce6d60bf7db5b9805fa90f2655e3854

SHA1
c12bd1d3c933e657025690695cbc1caefa3e5035

SHA256
db6534b90d1cced4d2df68b24a296031966f622cf735c7468482e967a6bc5be2

SHA512
a53a0e7a7408e22ee0beb28e67330ee4061f2d561ef857a2f2c7454d6ae55eda189243e80233cca13047df98c840788681d7d73165524f00864057a1c750dd9b

Download Submit
C:\Windows\{1718BC5C-AD09-42f4-90BF-0ACB1E4C312D}.exe

Filesize
91KB

MD5
a20f641e4d28ca6489725aa1b66a4b6c

SHA1
b22f3b374193409e1407a55367ac93f67fb37fc3

SHA256
e7c8914ecf1eab436a5762f3239b974f6cb9f44d15402d3ac5dcbfc013497045

SHA512
118947b6e72f4152ef1e930be052ffe76def321e3e9e598dc3b1ba151f4f16283361fdd6f1e234d05b26612df8d9dd85d8f98bb5b4851939bca11c378f93fc6d

Download Submit
C:\Windows\{1A83E074-003C-4289-BAFE-BBC26E16211C}.exe

Filesize
91KB

MD5
2091a6622135c067cce209c9334b51f2

SHA1
68ad49810c7e226a13a171eed1ed1902d55a7ccc

SHA256
e30b773cb607ced70932858b3c072669502a97bdb683c7d87aec2e7f8fd2d59a

SHA512
e3d586590d4875f4d6f41597f7ca514164a322a7d613086b7d0e493e599ca0cdfa0af4229df0d919104532d28a208794aa8ae4873c5d3842cfd2780e5dc10b22

Download Submit
C:\Windows\{4D4D7A27-DCA0-4b07-B51D-2488A571066C}.exe

Filesize
91KB

MD5
1f2033ee3a0a5798ee401e48b6eb8e98

SHA1
933a241de77732ccbd82317e36bd462e4697adb1

SHA256
f75be7092a46c06d7f8a51b5b48a6cc111ea38c3820146259143675d15d680f3

SHA512
ff4c430081d0656e797df469f42cc61dd1899a18626d8523814a873b87dbf4fbc9fd271d2852c12ffda648467d90456af2a37e92df6615fab35d24ddc37029c0

Download Submit
C:\Windows\{545CFA2C-4E0A-4750-BBCC-D4A1627E11FF}.exe

Filesize
91KB

MD5
a703d21c9425fe5d9a811006fef84a7c

SHA1
9dcbf320a75cb7fdd6e1624c316958ecc6b414aa

SHA256
6ba15064a2b2d80ebc6c12f7ac2d6a3db1f86e5c716e2a68e62852c9eeb41437

SHA512
71845398c1f7fae467eb395dbd8fc3063c9435d12b9fedfd0e0d5746d8206edecb7ac5441e491a2e6a9f530891b9bb9f60096b945387535029b2f44c46b7ae1b

Download Submit
C:\Windows\{AA9E4BF8-C76A-40e1-8756-C6B3B7826595}.exe

Filesize
91KB

MD5
2ad4079c68df17fba1fef4837db69f51

SHA1
e86ff824502a977843a8d843b00823667eb1fdf2

SHA256
25b2783e998b0eb3f460e9bc2cb48dd514a677cde59f20c6813884c0a52a5e5b

SHA512
24b94a9bf501b8925308dd984a84ac158acfb946f76117aa5148f6c0ec9a988eaacc3745d607be23b2a6b1c99f9992c0e4831424d99cd4b79a564ae27054333e

Download Submit
C:\Windows\{C659F029-85A9-4753-B26D-340F0FFBE727}.exe

Filesize
91KB

MD5
dc17e46f3b5eeea9ee373d93502cc7b2

SHA1
d42b4870e473909e1ad14289d7b8c549df679c39

SHA256
81a2c9c9356acd01a1d9c673a696c54d4f4ba2e5ee6008e5e3bb4b484303d7e0

SHA512
662ec28dfd67b7e76d36531de48161ad42cb618aa6c7c86d4e9b8029f30413142ee11f54794636883e58153e675cd5ea4f1ec56c08ebb36e558e1e41242ec79a

Download Submit
C:\Windows\{E14075A8-199B-49b5-92E1-DA9FC1E1AABC}.exe

Filesize
91KB

MD5
2b898b46cad0cba5ae4f2dd039709f6d

SHA1
fbbbcf13e4f382eeb9e07c6210e3e378c9a86687

SHA256
fc8fb48d91be7b5ecd07407fae336a4c4f2914302544a8c694a0085a9fffe811

SHA512
f41f4a91738096acc26be05ae72d93daac43f5feaacc0408835f4ef275a0d8b28918924a97c0daef41dbc3d69b491a60d36255cd5ca4915b68a222a60bfb6e43

Download Submit
C:\Windows\{E4F5A645-D0EC-494d-98F2-10DC52D41367}.exe

Filesize
91KB

MD5
ecc64d5d2272cf33887c23d243168104

SHA1
c39f9a555cf91c66e7a514698fc4adf6aa03c051

SHA256
95cb81ad241757a2805cab838b9ea73a626ac81eaea3f2c8e087e6ad690113f1

SHA512
266a2b777b6bc3731ff1eb3854c731bfb45d637ea894fc28d8bf82413b0d67b68993e5cc3e7b455a233c777f79d077212396aa4b2a37837bb3d7bcde4c492f48

Download Submit
memory/680-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/680-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/680-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/780-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/780-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/868-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/868-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1724-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1724-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2316-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2316-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4364-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4480-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4480-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4480-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4520-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4520-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4868-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5016-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5016-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads