b6426abedc38f91c789d592432db0dec5952565137662f84a2920d1986c2fe23

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

445e30045f080b95dc89bd25872be6d0N.exe
Size

89KB
MD5

445e30045f080b95dc89bd25872be6d0
SHA1

42a7b44c9921591719d7a8809724c252548c72c9
SHA256

b6426abedc38f91c789d592432db0dec5952565137662f84a2920d1986c2fe23
SHA512

3c6a3a4df4fa56ff045af504e530ba13b48b3ca104f0ea62042a071b79b7e1984fc0269b2b2cbc2ef8687c2951bbd1ffc4ea179e00253593830e940a997ab7f7
SSDEEP

768:5vw9816thKQLroD4/wQkNrfrunMxVFA3k:lEG/0oDlbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}\stubpath = "C:\\Windows\\{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe"	445e30045f080b95dc89bd25872be6d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E224DA73-4A39-4492-A855-A8F66CC5F31B}\stubpath = "C:\\Windows\\{E224DA73-4A39-4492-A855-A8F66CC5F31B}.exe"	{C4E23428-5FCE-4d7d-844E-020617162646}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38B84A3E-B19A-46ce-9EE9-E42C49144845}\stubpath = "C:\\Windows\\{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe"	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}\stubpath = "C:\\Windows\\{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe"	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6FD8296-FC61-4615-A4E1-5483CAB926B6}	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E23428-5FCE-4d7d-844E-020617162646}\stubpath = "C:\\Windows\\{C4E23428-5FCE-4d7d-844E-020617162646}.exe"	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}	445e30045f080b95dc89bd25872be6d0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{38B84A3E-B19A-46ce-9EE9-E42C49144845}	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}\stubpath = "C:\\Windows\\{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe"	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}\stubpath = "C:\\Windows\\{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe"	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6FD8296-FC61-4615-A4E1-5483CAB926B6}\stubpath = "C:\\Windows\\{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe"	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}\stubpath = "C:\\Windows\\{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe"	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4E23428-5FCE-4d7d-844E-020617162646}	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E224DA73-4A39-4492-A855-A8F66CC5F31B}	{C4E23428-5FCE-4d7d-844E-020617162646}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe

Executes dropped EXE 9 IoCs

pid	Process
2720	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe
2776	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe
3432	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe
4500	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe
4432	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe
1104	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe
4572	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe
2504	{C4E23428-5FCE-4d7d-844E-020617162646}.exe
4316	{E224DA73-4A39-4492-A855-A8F66CC5F31B}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe	445e30045f080b95dc89bd25872be6d0N.exe
File created	C:\Windows\{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe
File created	C:\Windows\{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe
File created	C:\Windows\{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe
File created	C:\Windows\{E224DA73-4A39-4492-A855-A8F66CC5F31B}.exe	{C4E23428-5FCE-4d7d-844E-020617162646}.exe
File created	C:\Windows\{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe
File created	C:\Windows\{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe
File created	C:\Windows\{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe
File created	C:\Windows\{C4E23428-5FCE-4d7d-844E-020617162646}.exe	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E224DA73-4A39-4492-A855-A8F66CC5F31B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C4E23428-5FCE-4d7d-844E-020617162646}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	445e30045f080b95dc89bd25872be6d0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1072	445e30045f080b95dc89bd25872be6d0N.exe
Token: SeIncBasePriorityPrivilege	2720	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe
Token: SeIncBasePriorityPrivilege	2776	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe
Token: SeIncBasePriorityPrivilege	3432	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe
Token: SeIncBasePriorityPrivilege	4500	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe
Token: SeIncBasePriorityPrivilege	4432	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe
Token: SeIncBasePriorityPrivilege	1104	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe
Token: SeIncBasePriorityPrivilege	4572	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe
Token: SeIncBasePriorityPrivilege	2504	{C4E23428-5FCE-4d7d-844E-020617162646}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2720	1072	445e30045f080b95dc89bd25872be6d0N.exe	92
PID 1072 wrote to memory of 2720	1072	445e30045f080b95dc89bd25872be6d0N.exe	92
PID 1072 wrote to memory of 2720	1072	445e30045f080b95dc89bd25872be6d0N.exe	92
PID 1072 wrote to memory of 1412	1072	445e30045f080b95dc89bd25872be6d0N.exe	93
PID 1072 wrote to memory of 1412	1072	445e30045f080b95dc89bd25872be6d0N.exe	93
PID 1072 wrote to memory of 1412	1072	445e30045f080b95dc89bd25872be6d0N.exe	93
PID 2720 wrote to memory of 2776	2720	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe	96
PID 2720 wrote to memory of 2776	2720	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe	96
PID 2720 wrote to memory of 2776	2720	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe	96
PID 2720 wrote to memory of 3112	2720	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe	97
PID 2720 wrote to memory of 3112	2720	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe	97
PID 2720 wrote to memory of 3112	2720	{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe	97
PID 2776 wrote to memory of 3432	2776	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe	100
PID 2776 wrote to memory of 3432	2776	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe	100
PID 2776 wrote to memory of 3432	2776	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe	100
PID 2776 wrote to memory of 4784	2776	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe	101
PID 2776 wrote to memory of 4784	2776	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe	101
PID 2776 wrote to memory of 4784	2776	{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe	101
PID 3432 wrote to memory of 4500	3432	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe	102
PID 3432 wrote to memory of 4500	3432	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe	102
PID 3432 wrote to memory of 4500	3432	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe	102
PID 3432 wrote to memory of 2960	3432	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe	103
PID 3432 wrote to memory of 2960	3432	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe	103
PID 3432 wrote to memory of 2960	3432	{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe	103
PID 4500 wrote to memory of 4432	4500	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe	104
PID 4500 wrote to memory of 4432	4500	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe	104
PID 4500 wrote to memory of 4432	4500	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe	104
PID 4500 wrote to memory of 2484	4500	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe	105
PID 4500 wrote to memory of 2484	4500	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe	105
PID 4500 wrote to memory of 2484	4500	{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe	105
PID 4432 wrote to memory of 1104	4432	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe	106
PID 4432 wrote to memory of 1104	4432	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe	106
PID 4432 wrote to memory of 1104	4432	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe	106
PID 4432 wrote to memory of 3228	4432	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe	107
PID 4432 wrote to memory of 3228	4432	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe	107
PID 4432 wrote to memory of 3228	4432	{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe	107
PID 1104 wrote to memory of 4572	1104	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe	108
PID 1104 wrote to memory of 4572	1104	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe	108
PID 1104 wrote to memory of 4572	1104	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe	108
PID 1104 wrote to memory of 4988	1104	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe	109
PID 1104 wrote to memory of 4988	1104	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe	109
PID 1104 wrote to memory of 4988	1104	{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe	109
PID 4572 wrote to memory of 2504	4572	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe	110
PID 4572 wrote to memory of 2504	4572	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe	110
PID 4572 wrote to memory of 2504	4572	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe	110
PID 4572 wrote to memory of 3520	4572	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe	111
PID 4572 wrote to memory of 3520	4572	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe	111
PID 4572 wrote to memory of 3520	4572	{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe	111
PID 2504 wrote to memory of 4316	2504	{C4E23428-5FCE-4d7d-844E-020617162646}.exe	112
PID 2504 wrote to memory of 4316	2504	{C4E23428-5FCE-4d7d-844E-020617162646}.exe	112
PID 2504 wrote to memory of 4316	2504	{C4E23428-5FCE-4d7d-844E-020617162646}.exe	112
PID 2504 wrote to memory of 1048	2504	{C4E23428-5FCE-4d7d-844E-020617162646}.exe	113
PID 2504 wrote to memory of 1048	2504	{C4E23428-5FCE-4d7d-844E-020617162646}.exe	113
PID 2504 wrote to memory of 1048	2504	{C4E23428-5FCE-4d7d-844E-020617162646}.exe	113

C:\Users\Admin\AppData\Local\Temp\445e30045f080b95dc89bd25872be6d0N.exe
"C:\Users\Admin\AppData\Local\Temp\445e30045f080b95dc89bd25872be6d0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe
  C:\Windows\{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe
    C:\Windows\{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2776
  - - C:\Windows\{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe
      C:\Windows\{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Windows\{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe
        
        C:\Windows\{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
      - C:\Windows\{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe
        
        C:\Windows\{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Windows\{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe
        
        C:\Windows\{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe
        
        C:\Windows\{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4572
        
        C:\Windows\{C4E23428-5FCE-4d7d-844E-020617162646}.exe
        
        C:\Windows\{C4E23428-5FCE-4d7d-844E-020617162646}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\{E224DA73-4A39-4492-A855-A8F66CC5F31B}.exe
        
        C:\Windows\{E224DA73-4A39-4492-A855-A8F66CC5F31B}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4E23~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4A54~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6FD8~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B14EA~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1C915~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2484
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93EFF~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{38B84~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4784
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{8B92A~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3112
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\445E30~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1C915F37-5D8A-4a2e-83BC-AC61295FAF4C}.exe

Filesize
89KB

MD5
29f84250ccaa496cc18116b03990156e

SHA1
26c1bc623d2003ff970f054935b4354ea5fbe30d

SHA256
c455133bc29aa3eb63a8a9e868278094b9d8c17d7164574ab1540d75f62abbdc

SHA512
081ebb14daec42160467e1f0f1afa135b28d402a8f74eb3d691b193876f6ce38c46d23ce41b82c5e6512ee913478658a44ee7db9d4501d5d93bab18334d3d993

Download Submit
C:\Windows\{38B84A3E-B19A-46ce-9EE9-E42C49144845}.exe

Filesize
89KB

MD5
6de9b1468b1a1b8fe0135fe64fc3a3e1

SHA1
8884a3d466e0ea02431b6117b9afad011fa3f0e0

SHA256
f1aae1891e5ad2f13157119485e9924a7093ba3124f45eafb29d9722ca69440c

SHA512
451905c7dcc132b961036c4730804063f1b737869b9ad99654bd3474f697fa2867f200bb211005887aeb0e566fc490910ac70972d37a0159a5a52f6a80a9e8b0

Download Submit
C:\Windows\{8B92AFBA-F675-4ce0-9CEF-95B657FAB619}.exe

Filesize
89KB

MD5
78260f58eb9f4a25971d729ba02c4971

SHA1
88a881cc315cdba0cfde5de8eda37adf4458d0e0

SHA256
b30e95f2589f34e8bb52502728f0ba4ca4aad0fbb913050fdfa7fb7dbb1225cd

SHA512
c77995f248a33b0a7506f6a54b2d83939da238e5659e763d7970ef47f1ee0fae45158d9571a7c37d679245b688d67cd89cd50eb72a26e4fcdf5a85d428fbbe0a

Download Submit
C:\Windows\{93EFF56A-EC2A-4ba1-8B20-A449E4E9A4CB}.exe

Filesize
89KB

MD5
67fe3ea645af68aaa6c304b297aedfb1

SHA1
66d1e633e4fb11f2ad8ee351e6577014c12cefa9

SHA256
3b4cd507733dbd1d2b32a61318c399da8e618ff7d7685b7ebb43c445974c67f6

SHA512
cc0b58833e50b580af534b0e80da64f7dd8eda41663c631d9162ab9c8c00017270f6d654fd88d345e9429da055c73a7f14909514882c6b60f908afde7b6f7f4f

Download Submit
C:\Windows\{B14EA0D0-02D3-4e25-9BEA-D2062AC01D9F}.exe

Filesize
89KB

MD5
5e4a7a54bb8820c3f114f9ef0d756478

SHA1
712458c9a53f91ac4dcec53225ad5841b2059632

SHA256
d08a889b4055128b3ea4d23426507e07cfbe17535598d03b01685fbe01c0eed7

SHA512
c58bbc6f67bae1d26fd49bd394d88857b67103c0a6ffc3bdf5f4e5e5d0de882ac7532a57f032f5e33cf8908772256eb50485830ae139b051851c0d919cdfd118

Download Submit
C:\Windows\{C4A54BA1-6280-4c88-BFD8-4D7F1AA52992}.exe

Filesize
89KB

MD5
834a0a69e944d07478e5b26209c514e4

SHA1
d74f284715be8660b76997a34c2de21b0e9b3f00

SHA256
e4e4526e2de59e25de0385bca05763e8c3372e4dbfea24c03d800a536ee59e1a

SHA512
f773b5dd2676e1661ce4601f04b1d0be32d561ca0ec110888b2469c5b2bc6a6348ecf2b944fb248885c47d5d86f50fea0e0a4d3bfff530e1df99bd5572358ce3

Download Submit
C:\Windows\{C4E23428-5FCE-4d7d-844E-020617162646}.exe

Filesize
89KB

MD5
e0f3f1a464e528e6c6ffcfa318203795

SHA1
5b451aebb81694e43583db4a6c75cba9c595353a

SHA256
511e3053b0e5f30d256a2dab4e48549de2d108f65bdae98419f00a8ca794976c

SHA512
ab680973fe528a50ae2b186c4465ef233cfae7f23df6fdcf3bb1e2a4d05264703d42cd1202f5dcc0895cd542c8438ec2656d8608a611163e6cc38ae468402589

Download Submit
C:\Windows\{E224DA73-4A39-4492-A855-A8F66CC5F31B}.exe

Filesize
89KB

MD5
c384439b56d80ef16f2beb43fe61b07e

SHA1
55028af0b08f5a2a7ce5a5a1842ef64dcc9bb6b5

SHA256
529638f875291532555561d2568277ff9ec06fe8d50e48caa72198ca7c4c9ad0

SHA512
129f8c37b8b3657d9e5d8e2a09520c97ba2f5a01ad2e9cbb5199ee65e7e3ea9013f42837221fe0ef1bf76e874cf934f69133f26e4a938264dc6a88da9357a715

Download Submit
C:\Windows\{E6FD8296-FC61-4615-A4E1-5483CAB926B6}.exe

Filesize
89KB

MD5
963721220bade0d8c57745f0295d19b4

SHA1
259e2c9027fa0f41c466ec6006d3b19f53f6373a

SHA256
459d07d5338c58122ae9067fd9288b91f9b8e2ab335493ef46504a8a0dc02c66

SHA512
9705ee2778b0b91dce907a1a1be8401117f37d752890e1679ab4dc6e978673f8258c1999996687eca1808ee8bedfe96ccd81b6449a9cdec31a98cbfb0feffb04

Download Submit
memory/1072-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1072-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1072-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1104-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1104-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2504-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2504-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2720-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2720-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2776-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2776-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2776-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3432-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3432-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4316-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4432-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4432-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4500-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4500-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4572-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4572-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads