eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-09-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
Size

88KB
MD5

10d976d8213afa0fc844f5f415bf2e38
SHA1

424a63ff49b73134c11f1ae2c9017bc9b251d2f8
SHA256

eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f
SHA512

d81cf205608da8d7dc50fd6d82fb1f11b8be70f61deada3d38c980f77f513042d316e7e8c9c45f81cfe4ee4418729cb34643eff85fcec65ce83ec4ce9ee67919
SSDEEP

768:5vw9816thKQLro2Z4/wQkNrfrunMxVFA3V:lEG/0o2ZlbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}\stubpath = "C:\\Windows\\{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe"	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}\stubpath = "C:\\Windows\\{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe"	{2310E373-FCD7-4389-A03E-450ED9101950}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F193C3A-152F-46d5-901C-66D7009A142D}	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7F193C3A-152F-46d5-901C-66D7009A142D}\stubpath = "C:\\Windows\\{7F193C3A-152F-46d5-901C-66D7009A142D}.exe"	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43DD6571-D208-492a-9A9B-54F498C3A8DE}	{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F10AE1C-40C9-4213-865F-F7D6D744485D}\stubpath = "C:\\Windows\\{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe"	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}\stubpath = "C:\\Windows\\{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe"	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}\stubpath = "C:\\Windows\\{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe"	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2310E373-FCD7-4389-A03E-450ED9101950}	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B9CB532-4FFB-48af-8250-35E9A59ED76E}	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDF911B3-B66C-4be0-8DEC-8CDED888493D}	{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BDF911B3-B66C-4be0-8DEC-8CDED888493D}\stubpath = "C:\\Windows\\{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe"	{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}\stubpath = "C:\\Windows\\{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe"	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2310E373-FCD7-4389-A03E-450ED9101950}\stubpath = "C:\\Windows\\{2310E373-FCD7-4389-A03E-450ED9101950}.exe"	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}	{2310E373-FCD7-4389-A03E-450ED9101950}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1B9CB532-4FFB-48af-8250-35E9A59ED76E}\stubpath = "C:\\Windows\\{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe"	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43DD6571-D208-492a-9A9B-54F498C3A8DE}\stubpath = "C:\\Windows\\{43DD6571-D208-492a-9A9B-54F498C3A8DE}.exe"	{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F10AE1C-40C9-4213-865F-F7D6D744485D}	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}\stubpath = "C:\\Windows\\{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe"	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe

Executes dropped EXE 12 IoCs

pid	Process
3936	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe
1000	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe
3088	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe
2520	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe
1744	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe
3380	{2310E373-FCD7-4389-A03E-450ED9101950}.exe
4480	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe
3128	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe
4924	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe
1300	{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe
4080	{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe
1928	{43DD6571-D208-492a-9A9B-54F498C3A8DE}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe
File created	C:\Windows\{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe
File created	C:\Windows\{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe	{2310E373-FCD7-4389-A03E-450ED9101950}.exe
File created	C:\Windows\{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe	{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe
File created	C:\Windows\{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe
File created	C:\Windows\{7F193C3A-152F-46d5-901C-66D7009A142D}.exe	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe
File created	C:\Windows\{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe
File created	C:\Windows\{43DD6571-D208-492a-9A9B-54F498C3A8DE}.exe	{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe
File created	C:\Windows\{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
File created	C:\Windows\{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe
File created	C:\Windows\{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe
File created	C:\Windows\{2310E373-FCD7-4389-A03E-450ED9101950}.exe	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43DD6571-D208-492a-9A9B-54F498C3A8DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2310E373-FCD7-4389-A03E-450ED9101950}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4600	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
Token: SeIncBasePriorityPrivilege	3936	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe
Token: SeIncBasePriorityPrivilege	1000	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe
Token: SeIncBasePriorityPrivilege	3088	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe
Token: SeIncBasePriorityPrivilege	2520	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe
Token: SeIncBasePriorityPrivilege	1744	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe
Token: SeIncBasePriorityPrivilege	3380	{2310E373-FCD7-4389-A03E-450ED9101950}.exe
Token: SeIncBasePriorityPrivilege	4480	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe
Token: SeIncBasePriorityPrivilege	3128	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe
Token: SeIncBasePriorityPrivilege	4924	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe
Token: SeIncBasePriorityPrivilege	1300	{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe
Token: SeIncBasePriorityPrivilege	4080	{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 3936	4600	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	93
PID 4600 wrote to memory of 3936	4600	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	93
PID 4600 wrote to memory of 3936	4600	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	93
PID 4600 wrote to memory of 2480	4600	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	94
PID 4600 wrote to memory of 2480	4600	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	94
PID 4600 wrote to memory of 2480	4600	eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe	94
PID 3936 wrote to memory of 1000	3936	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe	95
PID 3936 wrote to memory of 1000	3936	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe	95
PID 3936 wrote to memory of 1000	3936	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe	95
PID 3936 wrote to memory of 4260	3936	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe	96
PID 3936 wrote to memory of 4260	3936	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe	96
PID 3936 wrote to memory of 4260	3936	{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe	96
PID 1000 wrote to memory of 3088	1000	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe	99
PID 1000 wrote to memory of 3088	1000	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe	99
PID 1000 wrote to memory of 3088	1000	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe	99
PID 1000 wrote to memory of 3848	1000	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe	100
PID 1000 wrote to memory of 3848	1000	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe	100
PID 1000 wrote to memory of 3848	1000	{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe	100
PID 3088 wrote to memory of 2520	3088	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe	101
PID 3088 wrote to memory of 2520	3088	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe	101
PID 3088 wrote to memory of 2520	3088	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe	101
PID 3088 wrote to memory of 3296	3088	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe	102
PID 3088 wrote to memory of 3296	3088	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe	102
PID 3088 wrote to memory of 3296	3088	{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe	102
PID 2520 wrote to memory of 1744	2520	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe	103
PID 2520 wrote to memory of 1744	2520	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe	103
PID 2520 wrote to memory of 1744	2520	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe	103
PID 2520 wrote to memory of 5072	2520	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe	104
PID 2520 wrote to memory of 5072	2520	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe	104
PID 2520 wrote to memory of 5072	2520	{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe	104
PID 1744 wrote to memory of 3380	1744	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe	105
PID 1744 wrote to memory of 3380	1744	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe	105
PID 1744 wrote to memory of 3380	1744	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe	105
PID 1744 wrote to memory of 116	1744	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe	106
PID 1744 wrote to memory of 116	1744	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe	106
PID 1744 wrote to memory of 116	1744	{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe	106
PID 3380 wrote to memory of 4480	3380	{2310E373-FCD7-4389-A03E-450ED9101950}.exe	107
PID 3380 wrote to memory of 4480	3380	{2310E373-FCD7-4389-A03E-450ED9101950}.exe	107
PID 3380 wrote to memory of 4480	3380	{2310E373-FCD7-4389-A03E-450ED9101950}.exe	107
PID 3380 wrote to memory of 232	3380	{2310E373-FCD7-4389-A03E-450ED9101950}.exe	108
PID 3380 wrote to memory of 232	3380	{2310E373-FCD7-4389-A03E-450ED9101950}.exe	108
PID 3380 wrote to memory of 232	3380	{2310E373-FCD7-4389-A03E-450ED9101950}.exe	108
PID 4480 wrote to memory of 3128	4480	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe	109
PID 4480 wrote to memory of 3128	4480	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe	109
PID 4480 wrote to memory of 3128	4480	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe	109
PID 4480 wrote to memory of 1724	4480	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe	110
PID 4480 wrote to memory of 1724	4480	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe	110
PID 4480 wrote to memory of 1724	4480	{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe	110
PID 3128 wrote to memory of 4924	3128	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe	111
PID 3128 wrote to memory of 4924	3128	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe	111
PID 3128 wrote to memory of 4924	3128	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe	111
PID 3128 wrote to memory of 1996	3128	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe	112
PID 3128 wrote to memory of 1996	3128	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe	112
PID 3128 wrote to memory of 1996	3128	{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe	112
PID 4924 wrote to memory of 1300	4924	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe	113
PID 4924 wrote to memory of 1300	4924	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe	113
PID 4924 wrote to memory of 1300	4924	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe	113
PID 4924 wrote to memory of 2644	4924	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe	114
PID 4924 wrote to memory of 2644	4924	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe	114
PID 4924 wrote to memory of 2644	4924	{7F193C3A-152F-46d5-901C-66D7009A142D}.exe	114
PID 1300 wrote to memory of 4080	1300	{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe	115
PID 1300 wrote to memory of 4080	1300	{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe	115
PID 1300 wrote to memory of 4080	1300	{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe	115
PID 1300 wrote to memory of 4600	1300	{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe	116

C:\Users\Admin\AppData\Local\Temp\eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe
"C:\Users\Admin\AppData\Local\Temp\eee158e06d2852480bc71a3d6f393ac52077716bd882fb24d302c962e8cd054f.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe
  C:\Windows\{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe
    C:\Windows\{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe
      C:\Windows\{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3088
    - - C:\Windows\{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe
        
        C:\Windows\{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
      - C:\Windows\{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe
        
        C:\Windows\{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\{2310E373-FCD7-4389-A03E-450ED9101950}.exe
        
        C:\Windows\{2310E373-FCD7-4389-A03E-450ED9101950}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3380
        
        C:\Windows\{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe
        
        C:\Windows\{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe
        
        C:\Windows\{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3128
        
        C:\Windows\{7F193C3A-152F-46d5-901C-66D7009A142D}.exe
        
        C:\Windows\{7F193C3A-152F-46d5-901C-66D7009A142D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
        
        C:\Windows\{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe
        
        C:\Windows\{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe
        
        C:\Windows\{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4080
        
        C:\Windows\{43DD6571-D208-492a-9A9B-54F498C3A8DE}.exe
        
        C:\Windows\{43DD6571-D208-492a-9A9B-54F498C3A8DE}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BDF91~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F2CB7~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7F193~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1B9CB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C68F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2310E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{443CE~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{073BD~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{14447~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3296
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{5F10A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D3B65~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EEE158~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{073BD8AA-0537-4fbe-B5B8-7B2E6C1F53DF}.exe

Filesize
88KB

MD5
12ff6fa949af2539ee4b6e910321d2a6

SHA1
6b9a0fe8bbf58ae0e6cac075d5f8fa3c1bb1eb73

SHA256
09d92f7d678c482eeeb282f3898558741e8204677f783888f592a95520af4e69

SHA512
e604caa79ca25ce998de158c6425104b1d46a9da9a410d26c865e63b9441bc52b01ad81b3f960e461146cb2940aea81490849dae028a15ea7abc727de123a62b

Download Submit
C:\Windows\{144479C3-F04A-49e9-AB63-D4FBBB4EFAFB}.exe

Filesize
88KB

MD5
58c1029df7fc1f34ef376781c14c4d7a

SHA1
a5ef85e9bd19cddc678b487f0c80cc5ca34c8689

SHA256
cd94f288107a8a7f1d68aa435e4210bb46dfead4969b49fbb37749f8b0bdf40a

SHA512
f80c265afe949b181dd30ab65321c340b5ae0b9773b90e4974f580687dcd6800db6505ea13b71a0bbdce35efea4aa3d16cb8e291047b63036d54576ae4bc1c9b

Download Submit
C:\Windows\{1B9CB532-4FFB-48af-8250-35E9A59ED76E}.exe

Filesize
88KB

MD5
a2694333f922b619bf666453d5bfc44b

SHA1
b6900a9af1f24dcb6bd1b5dc4a101eff64829a49

SHA256
2d1418509fe1fdfb7131661fc3e4d64f6ad1a9ee93f34e2e473de2764e4561c8

SHA512
ff713ebec872091a3cc8cd96e5c46966707b6133ecad63d315b56acf738e6a7a86f1260eb7aa6510523b4f256c7f8c7e130f6dae3da5ca11e6cfa1d294eed4da

Download Submit
C:\Windows\{2310E373-FCD7-4389-A03E-450ED9101950}.exe

Filesize
88KB

MD5
47cce3e20d747873ba491cdc48cd4158

SHA1
768544763338884c9eecd9f836ed0dff981d3d65

SHA256
9adcf067d9c399b9cecddbfba5de57b35506d43678461726d1ce10555eac0654

SHA512
196b1fd9eb817d16167e5858039ebb74dbb9cf3c46759612af00e3f25d228169b76b5bc51ac0fbaffaa5a8968266e71f8ea4007e461c8a44a598b2e2a64a5e26

Download Submit
C:\Windows\{43DD6571-D208-492a-9A9B-54F498C3A8DE}.exe

Filesize
88KB

MD5
35b0bdb0b3b413b6cc1101ba26531163

SHA1
bc52556a7695d0aecf172777a019f7467328c286

SHA256
852a97cddcbc31e9ff31b6c9fde4cff419b896b5ec5e45dd19b2a90f9ed3cc57

SHA512
6c68d7b1815fc857509e3ca2b254fb02d2ff4fe32f73ee6595f9a0add57b83eda5adb410b3f98c5c2f69fd1f908c2b99dbec17a877c7202d960c8aaff137fc3e

Download Submit
C:\Windows\{443CE18D-280D-4bfb-9D3A-6E87FFD198BD}.exe

Filesize
88KB

MD5
d21a1f55136dfb9fabb26f23ffc2669d

SHA1
970460f5dde75dfd1a630894944eaeee44807564

SHA256
dadb27be74b0223c5a5cc4c0e5f58116bfd7093c17926ea3e03c776ed7b01a8d

SHA512
6dbfe0219b07ed48d73497e0a894e24c82bb5dee38a8ce2c29c0390ab4f878ea7bb20ca9814d90acc285cf608c2ee0d2066888c9139109b36edaef3df949d731

Download Submit
C:\Windows\{5F10AE1C-40C9-4213-865F-F7D6D744485D}.exe

Filesize
88KB

MD5
da40d0426a99cbfe79405d593de724b2

SHA1
4fae4f04f6ee43275eea09b83a1d2d9018f422f2

SHA256
6a5d7d22f252023a97453a11934eec279376cc29a9ac19ff3984be00992864b6

SHA512
0f04fbf3e43a5ae332a2d24f1aaa8f7f8d58fbbbc0e8cf9a9b66f3992919304ee7d4d159a8b1e9f25034e947b62037cbc7dcbe46509c6f147321f9a697a98221

Download Submit
C:\Windows\{7F193C3A-152F-46d5-901C-66D7009A142D}.exe

Filesize
88KB

MD5
125669305f6c14abfa3297de1bbe22b9

SHA1
499580f178052e13a4ac869d045da5a7be2a4870

SHA256
2a15de55066ba3672b08bde40e89f281a200bf1418018f07b39106428f171cc1

SHA512
b8ce585827d09f2db2a2c5f3bd8749ab8fb8fa9bb9a52b15a242445024a52d2903e73b9235e443e10cc97923532e5e44ab131284aa5b2f8731630dc4270726ac

Download Submit
C:\Windows\{8C68F6B2-5D0B-474a-9E93-3545B75D9B38}.exe

Filesize
88KB

MD5
584eda5cba11e7e788d443bbbd19ccc3

SHA1
b5f21dced1462e1b9670cdf211905ce7989db1eb

SHA256
2655d7289d5f3eb59e38d63ef3d9cb8e81755e652e720a7135102296c0947e08

SHA512
03de90908f05a3854d0e5d2962fb1309fed5ff4fe191fe7af367ad7f87452d026236eb0fca3f371c9a6950fa137b3f40a31552c023c5b343e70fb5e61220116a

Download Submit
C:\Windows\{BDF911B3-B66C-4be0-8DEC-8CDED888493D}.exe

Filesize
88KB

MD5
df3ba48d6e998919d2da6c3c64b3ab7f

SHA1
971caac5bf8567e21555d260e4390a1b282882cf

SHA256
45881ecaff79d6349e6eb1b0ae192cba05369de6fb4d2041159603560b36937b

SHA512
4e3d6f5ae12d7219c39291d24ed87c674995e4fa91aeec8db3e72bd10ced839e520206f29f791b5a907dd2847162551a9747b91ac33b8dc5981049fadf7d2712

Download Submit
C:\Windows\{D3B65BF6-E6AC-4a23-9D98-35DF01B9B5EA}.exe

Filesize
88KB

MD5
2c048857bb3fa2b7644e7207f8bc474b

SHA1
2cf49a56a1d007508a25caa222d4a9092add5dc7

SHA256
7acc3e853b22cace679dbe9e5388d500fe01ab49b69ace2b1bc5fd7f4fd19a0a

SHA512
d1ae6daf4ffbf0e78f997254b11556e70938cec8c1c2745a691b65696ec4a359d6e00165b2fa560dc84a9f238423d657af95c6d0c506521c3bfd3984d2cbcef1

Download Submit
C:\Windows\{F2CB7F94-E9A4-45a4-9D40-2925DAE28127}.exe

Filesize
88KB

MD5
1712590a15194e8e51d0550d2252685b

SHA1
10306a4729f9874a8b22a8548e9c34b0654c0887

SHA256
80a06636ed607df1267561ce96d7865149fd33f0172bd80ea47ff3666c5f6637

SHA512
54e5b83ad14dd5f5e3e9b1c10b10540198ca4986e8d767ce99434a8be93d8526ba0fdf49ddd92cc559f27bb23fee1e72c1757b76d8afd8d4dc3108aad23041c6

Download Submit
memory/1000-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1000-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1300-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1300-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1744-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1744-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1928-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2520-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3088-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3088-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3128-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3128-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3380-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3380-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3936-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3936-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3936-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4080-72-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4080-68-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4480-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4480-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4600-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4600-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4600-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4924-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4924-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads