c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035

Analysis

max time kernel
149s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe
Size

90KB
MD5

a19f1807122963e2331337a66e55cd86
SHA1

bde12bcb403ed6d409efa6a62f6dd0e2415498f2
SHA256

c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035
SHA512

7807e3a0f50e0b6e81d9bf80d51fcb8866f399329c3d793749e17e16a608adeb6e232f661c12789dbc6b9eb6a01f71e8b8f5e70b4485fb8ceffdc48b1d4d7d02
SSDEEP

768:Qvw9816vhKQLro/Z4/wQRNrfrunMxVFA3b7glws:YEGh0o/Zl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55601EAD-9B03-45ed-825A-24E991482B8D}\stubpath = "C:\\Windows\\{55601EAD-9B03-45ed-825A-24E991482B8D}.exe"	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0972475-1AE3-4090-9450-9D7FD905B697}	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7096461-725D-499d-82D8-161BEE417A5C}\stubpath = "C:\\Windows\\{A7096461-725D-499d-82D8-161BEE417A5C}.exe"	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}	{A7096461-725D-499d-82D8-161BEE417A5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3B8ACE-743C-4efd-A379-543729F4F3C4}	{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04F48D4F-7AB6-4db9-9A38-E97B18D402E6}	{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}\stubpath = "C:\\Windows\\{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe"	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}\stubpath = "C:\\Windows\\{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe"	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}\stubpath = "C:\\Windows\\{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe"	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04F48D4F-7AB6-4db9-9A38-E97B18D402E6}\stubpath = "C:\\Windows\\{04F48D4F-7AB6-4db9-9A38-E97B18D402E6}.exe"	{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{55601EAD-9B03-45ed-825A-24E991482B8D}	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0972475-1AE3-4090-9450-9D7FD905B697}\stubpath = "C:\\Windows\\{E0972475-1AE3-4090-9450-9D7FD905B697}.exe"	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7096461-725D-499d-82D8-161BEE417A5C}	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}\stubpath = "C:\\Windows\\{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe"	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{800C5924-4437-4ae3-9F86-99AF8775D463}\stubpath = "C:\\Windows\\{800C5924-4437-4ae3-9F86-99AF8775D463}.exe"	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D055B67-16FD-4d80-8F17-20E3AC9D827E}	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D055B67-16FD-4d80-8F17-20E3AC9D827E}\stubpath = "C:\\Windows\\{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe"	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}\stubpath = "C:\\Windows\\{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe"	{A7096461-725D-499d-82D8-161BEE417A5C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{800C5924-4437-4ae3-9F86-99AF8775D463}	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B3B8ACE-743C-4efd-A379-543729F4F3C4}\stubpath = "C:\\Windows\\{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe"	{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe

Executes dropped EXE 12 IoCs

pid	Process
3944	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe
4832	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe
1168	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe
2696	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe
5044	{A7096461-725D-499d-82D8-161BEE417A5C}.exe
4320	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe
4512	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe
1532	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe
1172	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe
3180	{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe
3852	{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe
4876	{04F48D4F-7AB6-4db9-9A38-E97B18D402E6}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe
File created	C:\Windows\{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe
File created	C:\Windows\{04F48D4F-7AB6-4db9-9A38-E97B18D402E6}.exe	{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe
File created	C:\Windows\{55601EAD-9B03-45ed-825A-24E991482B8D}.exe	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe
File created	C:\Windows\{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe
File created	C:\Windows\{E0972475-1AE3-4090-9450-9D7FD905B697}.exe	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe
File created	C:\Windows\{800C5924-4437-4ae3-9F86-99AF8775D463}.exe	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe
File created	C:\Windows\{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe
File created	C:\Windows\{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe	{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe
File created	C:\Windows\{A7096461-725D-499d-82D8-161BEE417A5C}.exe	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe
File created	C:\Windows\{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe	{A7096461-725D-499d-82D8-161BEE417A5C}.exe
File created	C:\Windows\{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{04F48D4F-7AB6-4db9-9A38-E97B18D402E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A7096461-725D-499d-82D8-161BEE417A5C}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1548	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe
Token: SeIncBasePriorityPrivilege	3944	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe
Token: SeIncBasePriorityPrivilege	4832	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe
Token: SeIncBasePriorityPrivilege	1168	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe
Token: SeIncBasePriorityPrivilege	2696	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe
Token: SeIncBasePriorityPrivilege	5044	{A7096461-725D-499d-82D8-161BEE417A5C}.exe
Token: SeIncBasePriorityPrivilege	4320	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe
Token: SeIncBasePriorityPrivilege	4512	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe
Token: SeIncBasePriorityPrivilege	1532	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe
Token: SeIncBasePriorityPrivilege	1172	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe
Token: SeIncBasePriorityPrivilege	3180	{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe
Token: SeIncBasePriorityPrivilege	3852	{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 3944	1548	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe	95
PID 1548 wrote to memory of 3944	1548	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe	95
PID 1548 wrote to memory of 3944	1548	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe	95
PID 1548 wrote to memory of 3912	1548	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe	96
PID 1548 wrote to memory of 3912	1548	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe	96
PID 1548 wrote to memory of 3912	1548	c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe	96
PID 3944 wrote to memory of 4832	3944	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe	97
PID 3944 wrote to memory of 4832	3944	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe	97
PID 3944 wrote to memory of 4832	3944	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe	97
PID 3944 wrote to memory of 1620	3944	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe	98
PID 3944 wrote to memory of 1620	3944	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe	98
PID 3944 wrote to memory of 1620	3944	{55601EAD-9B03-45ed-825A-24E991482B8D}.exe	98
PID 4832 wrote to memory of 1168	4832	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe	101
PID 4832 wrote to memory of 1168	4832	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe	101
PID 4832 wrote to memory of 1168	4832	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe	101
PID 4832 wrote to memory of 744	4832	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe	102
PID 4832 wrote to memory of 744	4832	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe	102
PID 4832 wrote to memory of 744	4832	{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe	102
PID 1168 wrote to memory of 2696	1168	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe	103
PID 1168 wrote to memory of 2696	1168	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe	103
PID 1168 wrote to memory of 2696	1168	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe	103
PID 1168 wrote to memory of 2640	1168	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe	104
PID 1168 wrote to memory of 2640	1168	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe	104
PID 1168 wrote to memory of 2640	1168	{E0972475-1AE3-4090-9450-9D7FD905B697}.exe	104
PID 2696 wrote to memory of 5044	2696	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe	105
PID 2696 wrote to memory of 5044	2696	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe	105
PID 2696 wrote to memory of 5044	2696	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe	105
PID 2696 wrote to memory of 3752	2696	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe	106
PID 2696 wrote to memory of 3752	2696	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe	106
PID 2696 wrote to memory of 3752	2696	{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe	106
PID 5044 wrote to memory of 4320	5044	{A7096461-725D-499d-82D8-161BEE417A5C}.exe	107
PID 5044 wrote to memory of 4320	5044	{A7096461-725D-499d-82D8-161BEE417A5C}.exe	107
PID 5044 wrote to memory of 4320	5044	{A7096461-725D-499d-82D8-161BEE417A5C}.exe	107
PID 5044 wrote to memory of 4908	5044	{A7096461-725D-499d-82D8-161BEE417A5C}.exe	108
PID 5044 wrote to memory of 4908	5044	{A7096461-725D-499d-82D8-161BEE417A5C}.exe	108
PID 5044 wrote to memory of 4908	5044	{A7096461-725D-499d-82D8-161BEE417A5C}.exe	108
PID 4320 wrote to memory of 4512	4320	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe	109
PID 4320 wrote to memory of 4512	4320	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe	109
PID 4320 wrote to memory of 4512	4320	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe	109
PID 4320 wrote to memory of 4444	4320	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe	110
PID 4320 wrote to memory of 4444	4320	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe	110
PID 4320 wrote to memory of 4444	4320	{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe	110
PID 4512 wrote to memory of 1532	4512	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe	111
PID 4512 wrote to memory of 1532	4512	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe	111
PID 4512 wrote to memory of 1532	4512	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe	111
PID 4512 wrote to memory of 3468	4512	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe	112
PID 4512 wrote to memory of 3468	4512	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe	112
PID 4512 wrote to memory of 3468	4512	{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe	112
PID 1532 wrote to memory of 1172	1532	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe	113
PID 1532 wrote to memory of 1172	1532	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe	113
PID 1532 wrote to memory of 1172	1532	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe	113
PID 1532 wrote to memory of 1472	1532	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe	114
PID 1532 wrote to memory of 1472	1532	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe	114
PID 1532 wrote to memory of 1472	1532	{800C5924-4437-4ae3-9F86-99AF8775D463}.exe	114
PID 1172 wrote to memory of 3180	1172	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe	115
PID 1172 wrote to memory of 3180	1172	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe	115
PID 1172 wrote to memory of 3180	1172	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe	115
PID 1172 wrote to memory of 2152	1172	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe	116
PID 1172 wrote to memory of 2152	1172	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe	116
PID 1172 wrote to memory of 2152	1172	{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe	116
PID 3180 wrote to memory of 3852	3180	{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe	117
PID 3180 wrote to memory of 3852	3180	{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe	117
PID 3180 wrote to memory of 3852	3180	{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe	117
PID 3180 wrote to memory of 3368	3180	{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe	118

C:\Users\Admin\AppData\Local\Temp\c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe
"C:\Users\Admin\AppData\Local\Temp\c937044b5ca8ff27ffd0c7f2531df6bb4583416a21d81809e14219808b0e9035.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Windows\{55601EAD-9B03-45ed-825A-24E991482B8D}.exe
  C:\Windows\{55601EAD-9B03-45ed-825A-24E991482B8D}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe
    C:\Windows\{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4832
  - - C:\Windows\{E0972475-1AE3-4090-9450-9D7FD905B697}.exe
      C:\Windows\{E0972475-1AE3-4090-9450-9D7FD905B697}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1168
    - - C:\Windows\{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe
        
        C:\Windows\{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
      - C:\Windows\{A7096461-725D-499d-82D8-161BEE417A5C}.exe
        
        C:\Windows\{A7096461-725D-499d-82D8-161BEE417A5C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe
        
        C:\Windows\{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe
        
        C:\Windows\{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4512
        
        C:\Windows\{800C5924-4437-4ae3-9F86-99AF8775D463}.exe
        
        C:\Windows\{800C5924-4437-4ae3-9F86-99AF8775D463}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe
        
        C:\Windows\{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1172
        
        C:\Windows\{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe
        
        C:\Windows\{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3180
        
        C:\Windows\{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe
        
        C:\Windows\{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3852
        
        C:\Windows\{04F48D4F-7AB6-4db9-9A38-E97B18D402E6}.exe
        
        C:\Windows\{04F48D4F-7AB6-4db9-9A38-E97B18D402E6}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B3B8~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2584
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AAF5A~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{69BD4~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{800C5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1472
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA60B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{76AFA~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A7096~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4908
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2D055~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3752
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0972~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{1DA92~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{55601~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1620
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C93704~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04F48D4F-7AB6-4db9-9A38-E97B18D402E6}.exe

Filesize
90KB

MD5
7c0690aa2d23b5151536ff3da5f6b7e2

SHA1
eed32553556ebaa1afe07f1d0506df1414a0a923

SHA256
b73e80d81e625064a9124c3d9289b742faac84f0f42faba659bd308a2b432f29

SHA512
19484feb7cd793639f29988d3b8f8311d7e2e4349c9e5ac05668591f3dc8fdd10e3160561f864fa0748a1b0508e5d125ffa18d76db8740135778c2c438a08d78

Download Submit
C:\Windows\{1DA9261E-6C25-41bf-BB92-07ADEDA6BC1C}.exe

Filesize
90KB

MD5
71a100176d16c13a13d94cf5b51771ec

SHA1
775c468e913008fce6e41cdb072007eee97752bf

SHA256
5e315d3a6bdc9a413f450a2225fab9ddd0f9d937fac5c77b43811fb3bacf2b69

SHA512
8e6b4be8532bb7878a676524086843f01d06548dda0d162c885f6c1057857e38240d6acf9ecdfe9541fcb9e778e310c814edfc3f0fb518275b13e6844c226a9d

Download Submit
C:\Windows\{2D055B67-16FD-4d80-8F17-20E3AC9D827E}.exe

Filesize
90KB

MD5
09e13ae54970e1fc89ee76ff8c7f274b

SHA1
8bca9b12c81303af26f78cbf9656d54245cf891f

SHA256
41ebb23b74c883e18630ea888413cca84601f891961cadf67ac511e0eb4e844f

SHA512
0d0417c32c0828e9c2c62e707da0378d4618489da4d28418892ac423f8bb449474b434aa486268c9c63b6e9643af8aaced4657327e35c38ffa61bb137e8fc732

Download Submit
C:\Windows\{55601EAD-9B03-45ed-825A-24E991482B8D}.exe

Filesize
90KB

MD5
757967a28aefad65191d969678839584

SHA1
eccee8dddecc6b1bf3ae9506414d0cb424a03a35

SHA256
a937c2d27cf549d9dec62deed4ae61f6935c939d46919f3002e68adcf2dc7197

SHA512
791bc045ce5cc1bae414f6bf4debd94537f4ceb609845d8c5a609195d55e23a7cea39fa3ecf1403041558c0ac62dd1f7f16f16e0a8b7aa3479cc1ed50bc1baa1

Download Submit
C:\Windows\{69BD4F53-B14C-4ca1-8B68-49F5C9D41058}.exe

Filesize
90KB

MD5
f82be05ffec86a5563e6faf4c98b2ee3

SHA1
3a03a394fb96b81644028417782a785919e89455

SHA256
111a423d75cbaaf2fa26d1338daccdf4db9dabfb9803bb0d975e4ddea1a5388b

SHA512
3bad5f8b22e86448b49dc1cf659908041535015baaa1682285c69d18bd9fa1f511773f9406dddb59d940fd452caa33e0d9f5eb832c71187ecbcfa96d263fef0d

Download Submit
C:\Windows\{76AFA0DE-DFC9-4817-AC16-56C94CEDA113}.exe

Filesize
90KB

MD5
653ef2487553c4d0fc9bca16c6934569

SHA1
32b059b39439b5d6b8ff4e0b7d56429a82c21a8a

SHA256
de74d12657a942e2f9bf649ff96b522669a2dca928aa4923aab68a29fba89e4a

SHA512
16f65e587e2fad0347e740ba41c066e3de746cc487eaeffdea0545e54e7c4aa6c8f333fa2f3e8a8cc28d757abbabf8c57f3a75e7c982a2cd46815c6644fb85db

Download Submit
C:\Windows\{800C5924-4437-4ae3-9F86-99AF8775D463}.exe

Filesize
90KB

MD5
ae92b36bab2e76a82be3e083e8361bbf

SHA1
ae23258cb54ca2785bea14d658e0797afe5db90a

SHA256
919cfb77e288eecc0d47420221fadd6682d71749d6fefc821984728f1de92cc2

SHA512
55633e7e5ae4eafd595426dabecc42f57c9e360e3fa936f06e830ac4e0e25354a5b78b894a747bd64bf772ff33970cf454dfaba566f2fe9cac8f39d6faf0ddf0

Download Submit
C:\Windows\{8B3B8ACE-743C-4efd-A379-543729F4F3C4}.exe

Filesize
90KB

MD5
95247ccac2cd37890ca07962449ebba3

SHA1
eacc2c4a9925bc148109ca1f3f7ef4065f79183f

SHA256
6fc59d744dfda5a3c9ddc0971b392e35a80ca5f27e545320f43af77553c4ddc5

SHA512
93c4cc8d1efd3824897ba2d290aca9a487bd370d86a92b20c772a8d98f68b6ab780968e107af1db78ef721d0e6bb240b8cb5b8fa9bea87451a431d45a1f7c11f

Download Submit
C:\Windows\{A7096461-725D-499d-82D8-161BEE417A5C}.exe

Filesize
90KB

MD5
86eb38b63da558a55b192cf06cda126b

SHA1
c6cc7ec2091ad01585bc48500d881fcf9b787d96

SHA256
1cbf241bade9980122d15547dac32b98fda09b0f7ad32c096dec8e42648dfa83

SHA512
558548f40e62bcd1f19ac69d5b8d6f5106efe643b876a64d2a7a1dfe00139e9e49057eaf97742a97e0d7f7e37049f9da9b1619fe58a02b978e45196f6b2f8f39

Download Submit
C:\Windows\{AAF5AF5A-ED1D-4444-95D4-0E4470A8CE45}.exe

Filesize
90KB

MD5
f8d06846ceafc307619520bb6a90115e

SHA1
16e89fe638bf7e71a10354b9e00bf787ceeef79b

SHA256
303c29a5c3ede880d3b37a910e9dfb21159e6a4a4e2a9a5ee32e46b7df453b3c

SHA512
2cba7afb1db1ead5691d1fe107faa66a94cda0593f454bbd1e757ff28e423709a6d22730cf6d87d9e441190ebd43a6fc89bff0abbb94a6b0f07ad0711c4c2271

Download Submit
C:\Windows\{CA60BA99-C6EC-44a8-9457-31A0CFC994AB}.exe

Filesize
90KB

MD5
a3dbf61576b0963975142869d2374a27

SHA1
3598a7b2006cdf83af29893ea8f9f7399328721c

SHA256
298a011bd91fdf2dc40729df43b5733619807f006c441855d61e8fcaac1add41

SHA512
f9f1750e6b9b530a32f4c9ef3d802e00d278f8f002c2589f32060bff4a65a9c590db758f45f91fdd0c47b39dea915efb8b9ff1c8c7b18571ba9da79a28d6b206

Download Submit
C:\Windows\{E0972475-1AE3-4090-9450-9D7FD905B697}.exe

Filesize
90KB

MD5
c421848059437320366a7211617a193b

SHA1
e7e882bad434374dc64ff453b91d7025b19792e4

SHA256
dbd050cbdfb30ac429baf664620259401376b21948a6ab8c9a58401cbf5088e2

SHA512
83be0857fdc0ea3d160b398fd84bed497b3e986489eae6be845e3cfb8d48842cc4f9ff54763c9dc4ce5a106915a2ba00cf1a41e887f2f7e07409e64e544c5782

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads