204a8848fe4ac7372fcaf6d5991d3307b2a830cdb512a101bb98bdc76c4ae0f9

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61f6f1ce2c200de6548715b00bf883b0N.exe
Size

88KB
MD5

61f6f1ce2c200de6548715b00bf883b0
SHA1

d163e12718ca0f7e393bc2d90a1abec58e4b0f2c
SHA256

204a8848fe4ac7372fcaf6d5991d3307b2a830cdb512a101bb98bdc76c4ae0f9
SHA512

97fdf30958f1ac59e3dd8e7c7034ec11938bc489942c121b2c78a478d8b43093738ab512750ba2d9ff65d25573d032fb6352841c91291029554044f4abaeca50
SSDEEP

768:5vw9816thKQLron4/wQkNrfrunMxVFA3V:lEG/0onlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}\stubpath = "C:\\Windows\\{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe"	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{462F0F0D-221F-449b-89A7-76CAFF75333A}	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9374810A-9AB4-4ca7-A87A-743F5E01A50D}\stubpath = "C:\\Windows\\{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe"	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D63270-32D9-4806-BAC6-7457B64A4337}	61f6f1ce2c200de6548715b00bf883b0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}\stubpath = "C:\\Windows\\{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe"	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{17D63270-32D9-4806-BAC6-7457B64A4337}\stubpath = "C:\\Windows\\{17D63270-32D9-4806-BAC6-7457B64A4337}.exe"	61f6f1ce2c200de6548715b00bf883b0N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{462F0F0D-221F-449b-89A7-76CAFF75333A}\stubpath = "C:\\Windows\\{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe"	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}\stubpath = "C:\\Windows\\{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe"	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}\stubpath = "C:\\Windows\\{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe"	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9374810A-9AB4-4ca7-A87A-743F5E01A50D}	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}\stubpath = "C:\\Windows\\{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe"	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{450DF1EE-9959-4340-AA0C-A57E95749871}	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{450DF1EE-9959-4340-AA0C-A57E95749871}\stubpath = "C:\\Windows\\{450DF1EE-9959-4340-AA0C-A57E95749871}.exe"	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe

Executes dropped EXE 9 IoCs

pid	Process
1496	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe
4744	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe
3756	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe
1636	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe
3124	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe
4412	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe
4192	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe
1588	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe
3728	{450DF1EE-9959-4340-AA0C-A57E95749871}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe
File created	C:\Windows\{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe
File created	C:\Windows\{450DF1EE-9959-4340-AA0C-A57E95749871}.exe	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe
File created	C:\Windows\{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe
File created	C:\Windows\{17D63270-32D9-4806-BAC6-7457B64A4337}.exe	61f6f1ce2c200de6548715b00bf883b0N.exe
File created	C:\Windows\{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe
File created	C:\Windows\{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe
File created	C:\Windows\{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe
File created	C:\Windows\{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{450DF1EE-9959-4340-AA0C-A57E95749871}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	61f6f1ce2c200de6548715b00bf883b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1408	61f6f1ce2c200de6548715b00bf883b0N.exe
Token: SeIncBasePriorityPrivilege	1496	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe
Token: SeIncBasePriorityPrivilege	4744	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe
Token: SeIncBasePriorityPrivilege	3756	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe
Token: SeIncBasePriorityPrivilege	1636	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe
Token: SeIncBasePriorityPrivilege	3124	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe
Token: SeIncBasePriorityPrivilege	4412	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe
Token: SeIncBasePriorityPrivilege	4192	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe
Token: SeIncBasePriorityPrivilege	1588	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1408 wrote to memory of 1496	1408	61f6f1ce2c200de6548715b00bf883b0N.exe	94
PID 1408 wrote to memory of 1496	1408	61f6f1ce2c200de6548715b00bf883b0N.exe	94
PID 1408 wrote to memory of 1496	1408	61f6f1ce2c200de6548715b00bf883b0N.exe	94
PID 1408 wrote to memory of 964	1408	61f6f1ce2c200de6548715b00bf883b0N.exe	95
PID 1408 wrote to memory of 964	1408	61f6f1ce2c200de6548715b00bf883b0N.exe	95
PID 1408 wrote to memory of 964	1408	61f6f1ce2c200de6548715b00bf883b0N.exe	95
PID 1496 wrote to memory of 4744	1496	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe	96
PID 1496 wrote to memory of 4744	1496	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe	96
PID 1496 wrote to memory of 4744	1496	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe	96
PID 1496 wrote to memory of 3264	1496	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe	97
PID 1496 wrote to memory of 3264	1496	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe	97
PID 1496 wrote to memory of 3264	1496	{17D63270-32D9-4806-BAC6-7457B64A4337}.exe	97
PID 4744 wrote to memory of 3756	4744	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe	100
PID 4744 wrote to memory of 3756	4744	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe	100
PID 4744 wrote to memory of 3756	4744	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe	100
PID 4744 wrote to memory of 4492	4744	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe	101
PID 4744 wrote to memory of 4492	4744	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe	101
PID 4744 wrote to memory of 4492	4744	{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe	101
PID 3756 wrote to memory of 1636	3756	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe	102
PID 3756 wrote to memory of 1636	3756	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe	102
PID 3756 wrote to memory of 1636	3756	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe	102
PID 3756 wrote to memory of 3188	3756	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe	103
PID 3756 wrote to memory of 3188	3756	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe	103
PID 3756 wrote to memory of 3188	3756	{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe	103
PID 1636 wrote to memory of 3124	1636	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe	104
PID 1636 wrote to memory of 3124	1636	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe	104
PID 1636 wrote to memory of 3124	1636	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe	104
PID 1636 wrote to memory of 1316	1636	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe	105
PID 1636 wrote to memory of 1316	1636	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe	105
PID 1636 wrote to memory of 1316	1636	{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe	105
PID 3124 wrote to memory of 4412	3124	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe	106
PID 3124 wrote to memory of 4412	3124	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe	106
PID 3124 wrote to memory of 4412	3124	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe	106
PID 3124 wrote to memory of 1500	3124	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe	107
PID 3124 wrote to memory of 1500	3124	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe	107
PID 3124 wrote to memory of 1500	3124	{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe	107
PID 4412 wrote to memory of 4192	4412	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe	108
PID 4412 wrote to memory of 4192	4412	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe	108
PID 4412 wrote to memory of 4192	4412	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe	108
PID 4412 wrote to memory of 4724	4412	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe	109
PID 4412 wrote to memory of 4724	4412	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe	109
PID 4412 wrote to memory of 4724	4412	{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe	109
PID 4192 wrote to memory of 1588	4192	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe	110
PID 4192 wrote to memory of 1588	4192	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe	110
PID 4192 wrote to memory of 1588	4192	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe	110
PID 4192 wrote to memory of 2276	4192	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe	111
PID 4192 wrote to memory of 2276	4192	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe	111
PID 4192 wrote to memory of 2276	4192	{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe	111
PID 1588 wrote to memory of 3728	1588	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe	112
PID 1588 wrote to memory of 3728	1588	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe	112
PID 1588 wrote to memory of 3728	1588	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe	112
PID 1588 wrote to memory of 2612	1588	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe	113
PID 1588 wrote to memory of 2612	1588	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe	113
PID 1588 wrote to memory of 2612	1588	{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe	113

C:\Users\Admin\AppData\Local\Temp\61f6f1ce2c200de6548715b00bf883b0N.exe
"C:\Users\Admin\AppData\Local\Temp\61f6f1ce2c200de6548715b00bf883b0N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1408
- C:\Windows\{17D63270-32D9-4806-BAC6-7457B64A4337}.exe
  C:\Windows\{17D63270-32D9-4806-BAC6-7457B64A4337}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe
    C:\Windows\{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Windows\{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe
      C:\Windows\{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3756
    - - C:\Windows\{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe
        
        C:\Windows\{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe
        
        C:\Windows\{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3124
        
        C:\Windows\{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe
        
        C:\Windows\{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4412
        
        C:\Windows\{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe
        
        C:\Windows\{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4192
        
        C:\Windows\{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe
        
        C:\Windows\{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\{450DF1EE-9959-4340-AA0C-A57E95749871}.exe
        
        C:\Windows\{450DF1EE-9959-4340-AA0C-A57E95749871}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9D54~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93748~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CE49E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{381A7~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ADB56~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1316
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{462F0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3188
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B71F4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{17D63~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3264
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\61F6F1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{17D63270-32D9-4806-BAC6-7457B64A4337}.exe

Filesize
88KB

MD5
734941fef37b749030502d26b851d663

SHA1
ea3fe0dc55dd422840d5135b693ad52352be6622

SHA256
12e07cf7e3285aedbc4adcc87d6d0200c50cb9a427eb9de733531f2406f70bf6

SHA512
9d426840e24cadff5beb7bc5162e736489c941f1122691754cbf5fa7fcee8be5e8f40eb9a2f933a17a96d8b2224df35fca77fc9fbb0dbc8539aa90f98836359e

Download Submit
C:\Windows\{381A7A3E-D7E5-4dad-8C3B-C52F00AF31F1}.exe

Filesize
88KB

MD5
8760724929cac685eaae959fd1f13945

SHA1
5b2737c2783b2c5d1a2f9f5b6a670e67932db916

SHA256
010be9922b1c25e641f868fc69ee0e1ad154dbd44efb17c368f893a5b9d3db2f

SHA512
3acf25c02152e530a6c0fa1bf7762d648d02bd97eee2e0b7049bb6fa1ab130914fa51bb1a2087db4774220edce286e85dbb6ca8b85cff87cda8ab7f0fe8570bd

Download Submit
C:\Windows\{450DF1EE-9959-4340-AA0C-A57E95749871}.exe

Filesize
88KB

MD5
d217006e1de8381c400618ddb17fcc67

SHA1
f6ca469bdd83d095f9a6bf435fe22d409aaf6580

SHA256
d8bc3024b0ac4a93960aa4abdd4871d10f235720612c8e0733258bf7f71df70d

SHA512
ac502205701d5622ffd8853da9cbdf5887766a7dfdb51e132f4891bd21ffba87d54cf00d4cfc61487a0e0afc9ef2d98f8604e1112489ef4e256f77ba60a74147

Download Submit
C:\Windows\{462F0F0D-221F-449b-89A7-76CAFF75333A}.exe

Filesize
88KB

MD5
6a3634b88efe886fa17a1084dbe9c4c9

SHA1
0aae0ed113ae3900cac10c334d243f74f2652a86

SHA256
7bea4fc5eb75a4c045ebd8ef93be00ac329666eae507d42d2e9921ef5629e65d

SHA512
7bad88246d248058696ecec96bf7b37e215f9100231e7d56a2cadc3328efd8fa8532a1c38a848266526e2982ed1dc9911ee2104ff57dfd19244ff8c106f9f036

Download Submit
C:\Windows\{9374810A-9AB4-4ca7-A87A-743F5E01A50D}.exe

Filesize
88KB

MD5
55b9ddc0624e1409a9022a4cc520babe

SHA1
dca98985b559c7d028797abf8d0c0d9a23e251d9

SHA256
27c8b11f9c7957f5bfcd12f2014c6666a3c063e158549de454152e7fb56a5779

SHA512
eb59dbef7069ad6f8f5425cc5e53f62699f1cd175d4c5bf0c9d8cd2cc7bc4a63db3ac93dfece5ccfda3348d27f551828ee37e10f7b047508e00238e3f2e3aaf4

Download Submit
C:\Windows\{ADB5685E-45C3-41a7-9A39-15D14CE89EA6}.exe

Filesize
88KB

MD5
839de3f59c507db09c41faacf8900566

SHA1
dd7b1965038d7c8d268c2f0a5de4dd9f175c41ab

SHA256
a5758c1c71bb03b442fe782dcf49351a0f1a6b2c780acc15d564bc967127f027

SHA512
642f0143203794149c7298d457f87aaf5cec155046388ff6905dd756e4533128b71fec0a162f6cf8755f140479615a03643622ec99931f749562d790d782c902

Download Submit
C:\Windows\{B71F4C21-6BB9-4cf8-A11E-54BE597B9B2A}.exe

Filesize
88KB

MD5
d48e225b799d8848656c70388f89c30e

SHA1
6e798fae1933f12fe67dfc32059e76716d4455de

SHA256
e44068db1507be420ce18d97f8637539d4caf79e6f167150d740685860aa2102

SHA512
48d8bd2ad9b58cab6895c76db40a54d646e5f5dac83fa2088d0191ed22ad60f2c568dcec0621c054d2f2af40c26826fba6323e91251474ddb4e35cfad7667d17

Download Submit
C:\Windows\{B9D54AA1-4DDA-4522-ABD0-117AFF23F579}.exe

Filesize
88KB

MD5
df5d14d5cdb4810c1048ab6de58df0ba

SHA1
a45342f2cbd4ba4d067b5cdbdbbd7afb6067e18b

SHA256
a896fdaf1850747bb764a5a72a3b3650199738bb548acbad7532878c872a15a9

SHA512
3a0ad758bcbc1f29ed3900f78232f7597634b90d859d86e94050a807cd0887cdcb3cf5b8d731578beb481eaea23028be62f90c09dd6240af886e03aa112db836

Download Submit
C:\Windows\{CE49EF28-C424-4883-8A94-4D42ADF6EBA3}.exe

Filesize
88KB

MD5
f665c01841e0f870e8ab46ddb7a5991a

SHA1
83ef67d811a364f6d9ec490c4f6806ee4e52ce02

SHA256
b9b4b94e7313f4bc794447f40a19123d63c309af587bb2a96d7da5f1c3193f98

SHA512
5f6343b4deda6a03beaa5227ba5d4dd267df35da8d020cf494c7621ce138c60d92935a87d48713ac54953d77898012bf2bb881d8fb81646a9ee14a4751cac596

Download Submit
memory/1408-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1408-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1408-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1496-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1496-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1496-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1588-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1588-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1636-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1636-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3728-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3756-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4192-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4412-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4412-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4744-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4744-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads