8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 00:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
Size

90KB
MD5

93fa62e4a0d19fdbc2979a148e5b5d29
SHA1

363cdb4038c36e8bdc6988a392a002627cd5c972
SHA256

8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed
SHA512

661add87641e6ac3788bd95bbd48ae86355d5aae2bea7c2957353c5a03018f51e99225b7c1e993d6729533376087f66b6af5faac5b457bb0846185c2edff5667
SSDEEP

768:5vw9816thKQLroV4/wQkNrfrunMxVFA3bA:lEG/0oVlbunMxVS3c

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A0377B0-B163-44bb-BEEB-5EC040606D85}\stubpath = "C:\\Windows\\{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe"	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C819028-F305-417b-B598-A748C1200538}\stubpath = "C:\\Windows\\{0C819028-F305-417b-B598-A748C1200538}.exe"	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{283655AB-AAA7-4d37-AF90-55F06639DF1F}\stubpath = "C:\\Windows\\{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe"	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAEEE960-8190-4604-9565-D59133DAA132}\stubpath = "C:\\Windows\\{FAEEE960-8190-4604-9565-D59133DAA132}.exe"	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{141FB5C7-BBAE-48e0-9C93-C11F9294E094}\stubpath = "C:\\Windows\\{141FB5C7-BBAE-48e0-9C93-C11F9294E094}.exe"	{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{141FB5C7-BBAE-48e0-9C93-C11F9294E094}	{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC026A63-5AC5-4a59-9B63-516B71A8263C}\stubpath = "C:\\Windows\\{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe"	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F00B887C-937A-4abd-87F4-5C2708A10BA6}	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}	{FAEEE960-8190-4604-9565-D59133DAA132}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}	{0C819028-F305-417b-B598-A748C1200538}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FAEEE960-8190-4604-9565-D59133DAA132}	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AC026A63-5AC5-4a59-9B63-516B71A8263C}	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F893D831-5AC9-4906-A812-4825718D0E6B}	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F893D831-5AC9-4906-A812-4825718D0E6B}\stubpath = "C:\\Windows\\{F893D831-5AC9-4906-A812-4825718D0E6B}.exe"	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}\stubpath = "C:\\Windows\\{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe"	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0C819028-F305-417b-B598-A748C1200538}	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}\stubpath = "C:\\Windows\\{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe"	{FAEEE960-8190-4604-9565-D59133DAA132}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}\stubpath = "C:\\Windows\\{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe"	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A0377B0-B163-44bb-BEEB-5EC040606D85}	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F00B887C-937A-4abd-87F4-5C2708A10BA6}\stubpath = "C:\\Windows\\{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe"	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}\stubpath = "C:\\Windows\\{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe"	{0C819028-F305-417b-B598-A748C1200538}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{283655AB-AAA7-4d37-AF90-55F06639DF1F}	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe

Executes dropped EXE 12 IoCs

pid	Process
2944	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe
1536	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe
3964	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe
3688	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe
1148	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe
4288	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe
4136	{0C819028-F305-417b-B598-A748C1200538}.exe
1740	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe
3536	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe
4248	{FAEEE960-8190-4604-9565-D59133DAA132}.exe
2264	{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe
3028	{141FB5C7-BBAE-48e0-9C93-C11F9294E094}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
File created	C:\Windows\{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe
File created	C:\Windows\{F893D831-5AC9-4906-A812-4825718D0E6B}.exe	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe
File created	C:\Windows\{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe	{0C819028-F305-417b-B598-A748C1200538}.exe
File created	C:\Windows\{141FB5C7-BBAE-48e0-9C93-C11F9294E094}.exe	{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe
File created	C:\Windows\{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe
File created	C:\Windows\{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe
File created	C:\Windows\{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe
File created	C:\Windows\{0C819028-F305-417b-B598-A748C1200538}.exe	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe
File created	C:\Windows\{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe
File created	C:\Windows\{FAEEE960-8190-4604-9565-D59133DAA132}.exe	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe
File created	C:\Windows\{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe	{FAEEE960-8190-4604-9565-D59133DAA132}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FAEEE960-8190-4604-9565-D59133DAA132}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0C819028-F305-417b-B598-A748C1200538}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{141FB5C7-BBAE-48e0-9C93-C11F9294E094}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3568	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
Token: SeIncBasePriorityPrivilege	2944	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe
Token: SeIncBasePriorityPrivilege	1536	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe
Token: SeIncBasePriorityPrivilege	3964	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe
Token: SeIncBasePriorityPrivilege	3688	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe
Token: SeIncBasePriorityPrivilege	1148	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe
Token: SeIncBasePriorityPrivilege	4288	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe
Token: SeIncBasePriorityPrivilege	4136	{0C819028-F305-417b-B598-A748C1200538}.exe
Token: SeIncBasePriorityPrivilege	1740	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe
Token: SeIncBasePriorityPrivilege	3536	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe
Token: SeIncBasePriorityPrivilege	4248	{FAEEE960-8190-4604-9565-D59133DAA132}.exe
Token: SeIncBasePriorityPrivilege	2264	{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 2944	3568	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	94
PID 3568 wrote to memory of 2944	3568	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	94
PID 3568 wrote to memory of 2944	3568	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	94
PID 3568 wrote to memory of 5060	3568	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	95
PID 3568 wrote to memory of 5060	3568	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	95
PID 3568 wrote to memory of 5060	3568	8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe	95
PID 2944 wrote to memory of 1536	2944	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe	96
PID 2944 wrote to memory of 1536	2944	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe	96
PID 2944 wrote to memory of 1536	2944	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe	96
PID 2944 wrote to memory of 852	2944	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe	97
PID 2944 wrote to memory of 852	2944	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe	97
PID 2944 wrote to memory of 852	2944	{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe	97
PID 1536 wrote to memory of 3964	1536	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe	100
PID 1536 wrote to memory of 3964	1536	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe	100
PID 1536 wrote to memory of 3964	1536	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe	100
PID 1536 wrote to memory of 4864	1536	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe	101
PID 1536 wrote to memory of 4864	1536	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe	101
PID 1536 wrote to memory of 4864	1536	{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe	101
PID 3964 wrote to memory of 3688	3964	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe	102
PID 3964 wrote to memory of 3688	3964	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe	102
PID 3964 wrote to memory of 3688	3964	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe	102
PID 3964 wrote to memory of 1612	3964	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe	103
PID 3964 wrote to memory of 1612	3964	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe	103
PID 3964 wrote to memory of 1612	3964	{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe	103
PID 3688 wrote to memory of 1148	3688	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe	104
PID 3688 wrote to memory of 1148	3688	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe	104
PID 3688 wrote to memory of 1148	3688	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe	104
PID 3688 wrote to memory of 3488	3688	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe	105
PID 3688 wrote to memory of 3488	3688	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe	105
PID 3688 wrote to memory of 3488	3688	{F893D831-5AC9-4906-A812-4825718D0E6B}.exe	105
PID 1148 wrote to memory of 4288	1148	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe	106
PID 1148 wrote to memory of 4288	1148	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe	106
PID 1148 wrote to memory of 4288	1148	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe	106
PID 1148 wrote to memory of 1476	1148	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe	107
PID 1148 wrote to memory of 1476	1148	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe	107
PID 1148 wrote to memory of 1476	1148	{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe	107
PID 4288 wrote to memory of 4136	4288	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe	108
PID 4288 wrote to memory of 4136	4288	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe	108
PID 4288 wrote to memory of 4136	4288	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe	108
PID 4288 wrote to memory of 1596	4288	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe	109
PID 4288 wrote to memory of 1596	4288	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe	109
PID 4288 wrote to memory of 1596	4288	{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe	109
PID 4136 wrote to memory of 1740	4136	{0C819028-F305-417b-B598-A748C1200538}.exe	110
PID 4136 wrote to memory of 1740	4136	{0C819028-F305-417b-B598-A748C1200538}.exe	110
PID 4136 wrote to memory of 1740	4136	{0C819028-F305-417b-B598-A748C1200538}.exe	110
PID 4136 wrote to memory of 1128	4136	{0C819028-F305-417b-B598-A748C1200538}.exe	111
PID 4136 wrote to memory of 1128	4136	{0C819028-F305-417b-B598-A748C1200538}.exe	111
PID 4136 wrote to memory of 1128	4136	{0C819028-F305-417b-B598-A748C1200538}.exe	111
PID 1740 wrote to memory of 3536	1740	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe	112
PID 1740 wrote to memory of 3536	1740	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe	112
PID 1740 wrote to memory of 3536	1740	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe	112
PID 1740 wrote to memory of 884	1740	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe	113
PID 1740 wrote to memory of 884	1740	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe	113
PID 1740 wrote to memory of 884	1740	{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe	113
PID 3536 wrote to memory of 4248	3536	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe	114
PID 3536 wrote to memory of 4248	3536	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe	114
PID 3536 wrote to memory of 4248	3536	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe	114
PID 3536 wrote to memory of 1188	3536	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe	115
PID 3536 wrote to memory of 1188	3536	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe	115
PID 3536 wrote to memory of 1188	3536	{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe	115
PID 4248 wrote to memory of 2264	4248	{FAEEE960-8190-4604-9565-D59133DAA132}.exe	116
PID 4248 wrote to memory of 2264	4248	{FAEEE960-8190-4604-9565-D59133DAA132}.exe	116
PID 4248 wrote to memory of 2264	4248	{FAEEE960-8190-4604-9565-D59133DAA132}.exe	116
PID 4248 wrote to memory of 992	4248	{FAEEE960-8190-4604-9565-D59133DAA132}.exe	117

C:\Users\Admin\AppData\Local\Temp\8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe
"C:\Users\Admin\AppData\Local\Temp\8d9b3ec8e60ec9040f162ace652a6dc7ab6969b3c7a8a0517a81a32ae1f358ed.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe
  C:\Windows\{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe
    C:\Windows\{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe
      C:\Windows\{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Windows\{F893D831-5AC9-4906-A812-4825718D0E6B}.exe
        
        C:\Windows\{F893D831-5AC9-4906-A812-4825718D0E6B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3688
      - C:\Windows\{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe
        
        C:\Windows\{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe
        
        C:\Windows\{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Windows\{0C819028-F305-417b-B598-A748C1200538}.exe
        
        C:\Windows\{0C819028-F305-417b-B598-A748C1200538}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe
        
        C:\Windows\{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe
        
        C:\Windows\{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\{FAEEE960-8190-4604-9565-D59133DAA132}.exe
        
        C:\Windows\{FAEEE960-8190-4604-9565-D59133DAA132}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4248
        
        C:\Windows\{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe
        
        C:\Windows\{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\{141FB5C7-BBAE-48e0-9C93-C11F9294E094}.exe
        
        C:\Windows\{141FB5C7-BBAE-48e0-9C93-C11F9294E094}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9CFD~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FAEEE~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28365~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1188
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ED437~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:884
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0C819~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EE4D6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F00B8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1476
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F893D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3488
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AC026~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7A037~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4864
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{F79DE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8D9B3E~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C819028-F305-417b-B598-A748C1200538}.exe

Filesize
90KB

MD5
2c522e0ff366b6d505a24eb3a0d85fae

SHA1
61ae1875154873900c8d437ed44bc63a9d4136a4

SHA256
5f3d0bb9643ff731d04e0ee5dd0c6e0ae004504289ad61bb41009f35798fac7c

SHA512
bcf612ceec21f6518bb406efc579933a816afa52ccb377120a8af9ed02c62b8bda8d89b0af533960e3069a28d37f1e5dffe8077f96507ac5862d8a95f2e1605d

Download Submit
C:\Windows\{141FB5C7-BBAE-48e0-9C93-C11F9294E094}.exe

Filesize
90KB

MD5
6ef3c46fd2ad571c6a6d98afec1bdf42

SHA1
3f6c64a0cc08d7d37865a4d952fcf89de336aacf

SHA256
2f34a905f6996412dd9d2980a642a8c341fd6ee525d7bbe6110027f921797f81

SHA512
e97664406fccca766abc938a6062fdbc64f08c506605ed029a59288d2a0fde753984c44e5129a592e9ca968f40e196780cd72456fd1d937fa52c0edfbc5745cc

Download Submit
C:\Windows\{283655AB-AAA7-4d37-AF90-55F06639DF1F}.exe

Filesize
90KB

MD5
97dbb7aa37d98df32addced86b73f454

SHA1
2ed85976817dff1671244c781886ae4fc5bf2822

SHA256
e3f488cc353cecdc2906108d6a8a1f400f1255e0cebab60df23d3cbc66df809f

SHA512
6791a7fa04872bdc2993f14fa94224db0ec5fb96932c6d53849d2723479973fda070aac9a0ff71fd92ea1eb6cdb985a5d25dff8faee0571a8407a2aef7d4c65c

Download Submit
C:\Windows\{7A0377B0-B163-44bb-BEEB-5EC040606D85}.exe

Filesize
90KB

MD5
6b108ef9dae17bd85a4e62744457b07c

SHA1
d2e4d236b765f0922b0c116725ad573263a06306

SHA256
527acf3c4ff72a0a08ba2f6f033f11fa11c2ab929691b66a3e8796ef8472259e

SHA512
4dedff3924d3f1bab8cbbb1ce46e29c43573a41c43ebc7d3031a97791aa618439049e383a6fa0c3b650361a783e438b63a3cba80345d70399490c6f3039e0256

Download Submit
C:\Windows\{AC026A63-5AC5-4a59-9B63-516B71A8263C}.exe

Filesize
90KB

MD5
db0b51d0677e9a8087a7c26ebfe7f90e

SHA1
6a10eb349ea340cdc001d4e074b4d9e5a0aff71a

SHA256
60a1b638996660b9d2b7c25d5adec81432f3a383f33627a73e5c723bed81b058

SHA512
9338c0859d4532506d2ae6a90802d8aa576b9d1369656afc8332a0ec86f9d39bd7ed2b4f2b62029fbab8df0cec7c576a666be7962e4b11254602cc394bf9bd62

Download Submit
C:\Windows\{C9CFD463-7D00-4d9e-9B10-9D7D1B6A35DC}.exe

Filesize
90KB

MD5
739d9d1fb64f91882fd79ca6f4c482ee

SHA1
5634381858d243d254a9ed3b335fce359e245b08

SHA256
190abe5742f0a5677b5a1a059391812473d2a6d447d81a29cf84b5ad8aff3642

SHA512
f50c847af942ab91a6f2a3d4a9ee661dd97d92a013cd184f35b4097d05ac70c815b12a0c7b7b8d56c51f85432ab6add3a29622ceaf30f06caada9231a3196ed3

Download Submit
C:\Windows\{ED437FA1-6DAF-47b9-AC98-E4FB93463A10}.exe

Filesize
90KB

MD5
58d0113bfcf04c5ca085332ef11cb6d9

SHA1
ba54119197d16777c743f092613c0759f5645fdf

SHA256
42cc24292fc8617747de1892c93a986b864f4706076e955fe78577b955bf2578

SHA512
7d4c9977857bc927827367668fba7d2ad16417d021524400eba20be2c8db09a5fce1d476f0a196b2d78ae1f859bc36019febb27b77415e19dceda19435aa6cc8

Download Submit
C:\Windows\{EE4D647D-8EB1-4ae4-B53B-EB048DF730A3}.exe

Filesize
90KB

MD5
f4b1dd237c9f6392ae0bc93be4ee84ef

SHA1
4123fef5e82fe8a9c2e40e5ba504a8b9578bda85

SHA256
6c6fb686a9f33df79bf201531ea3926618d407e71e1f1e2d657846ce5d735b61

SHA512
3d813e9a1b01ce9199f579b8995c2d77ed0f76066d72fbe4d05bef22fc79063d7864a99be8233c75037b783b4b9a5bd5910f411f48c8ed58521ffddfd47605a7

Download Submit
C:\Windows\{F00B887C-937A-4abd-87F4-5C2708A10BA6}.exe

Filesize
90KB

MD5
cb2129f21f6fd758d3503eaa39fc8969

SHA1
377bc64ba3ee2b5e2e4d19bcc47d26f51df323e3

SHA256
b950816f60cd79f01065df54d0204d3c7803e6c35500e7754ec375d1ab5ba69b

SHA512
83e011f6b41dd185abb61449b473750ebf07164bef51fb3783f36879203e5f2d10121071004dc0300ac7388f60f2c11aa4e45dd44a831b593a5ff45a49fbd30d

Download Submit
C:\Windows\{F79DEE9C-F2FC-4cf7-91F8-59F2FDB55C45}.exe

Filesize
90KB

MD5
b5caa9e9d6fbcd2d50ef054f196a1577

SHA1
9fbb375905c7292b99ba65153a154827e4eefac0

SHA256
103b3519cd2e33b09974986e4da072c9d6cd7f9d19ed817268e1f50b4aa5b71b

SHA512
5553cd92bbf7d199f360351e6f540922eb3a803dfefd3203650e1326dbbe83fda489ca2c0a55cc42fbfdc2b41765fa45b151a29e8116cd67ef25db274c9f9bcd

Download Submit
C:\Windows\{F893D831-5AC9-4906-A812-4825718D0E6B}.exe

Filesize
90KB

MD5
ca8f3ab5de3317bb10d20e6a1ae4f5b2

SHA1
09d68e7bcda46a4c029de4a65b71e944306d90d2

SHA256
2d7c6bc96858625b46e4bffa9fd58954afb3535f15866cf10cfc65c6383f0c61

SHA512
dc415998cf02c04e081069c3322f6aecb5a2d779a8d07f6adc7302e09a5fa0688019e2bda8116c9c4ee66148433c04f5baf93c3db9bdcb1e3f8c8647f4629b0d

Download Submit
C:\Windows\{FAEEE960-8190-4604-9565-D59133DAA132}.exe

Filesize
90KB

MD5
a6a55ab1445286dcb85a913e825616a1

SHA1
3d9e4c9ec1766ee3105f90f4955dd59d89904cce

SHA256
218856ece3e1a9ff282f5112b9e159a9aa6cc36f519a1831abb256eb84c1917f

SHA512
9d557087b774d762defe23fd98c97a7c3b6d2368235978bda6430847f8de18cb9b6420680b75919c0a7e9d13b0cbbd694be338a85383a28c96f94f46aeca9ee5

Download Submit
memory/1148-35-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1148-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1536-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1536-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1536-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1740-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1740-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2264-67-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2264-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2944-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3028-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3536-61-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3536-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3568-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3568-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3568-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3688-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3688-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3964-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3964-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4136-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4136-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4248-62-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4248-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4288-41-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4288-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads