ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/09/2024, 02:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
Size

60KB
MD5

4113fade3d2e3a7cb4fd9ab8f3079c8b
SHA1

35d13be358add2dd6fbf1ae2d107888a1e643f4f
SHA256

ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640
SHA512

92d3f8e2a515446f763b12bce7d39ce6cd64bbc09d53b9852409493f3382f7743d2c6fad358a7a71966a7a547635cd3853f73e3498df0f793ddb2a59047d9e27
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqwpfY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLroz4/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{229B0334-FD93-44e3-93D4-DFE4588DF576}	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{375E180A-01DA-4728-BB46-3F08F991E226}	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28948893-ED34-46bf-872E-6B873DCAD77E}\stubpath = "C:\\Windows\\{28948893-ED34-46bf-872E-6B873DCAD77E}.exe"	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E92096D-2E89-412d-8CE6-BE8C81000553}	{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3FD6AAF-7634-4460-A58C-69397A363186}	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{229B0334-FD93-44e3-93D4-DFE4588DF576}\stubpath = "C:\\Windows\\{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe"	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{375E180A-01DA-4728-BB46-3F08F991E226}\stubpath = "C:\\Windows\\{375E180A-01DA-4728-BB46-3F08F991E226}.exe"	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62C2EC18-84AE-4721-957F-D6F5B0E3E554}	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D37F9010-BE66-437b-885F-969D9C2B430A}\stubpath = "C:\\Windows\\{D37F9010-BE66-437b-885F-969D9C2B430A}.exe"	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{28948893-ED34-46bf-872E-6B873DCAD77E}	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}\stubpath = "C:\\Windows\\{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe"	{28948893-ED34-46bf-872E-6B873DCAD77E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3FD6AAF-7634-4460-A58C-69397A363186}\stubpath = "C:\\Windows\\{C3FD6AAF-7634-4460-A58C-69397A363186}.exe"	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86152526-DFE8-4fbb-8AD0-B146B943C23A}\stubpath = "C:\\Windows\\{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe"	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}\stubpath = "C:\\Windows\\{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe"	{375E180A-01DA-4728-BB46-3F08F991E226}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{62C2EC18-84AE-4721-957F-D6F5B0E3E554}\stubpath = "C:\\Windows\\{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe"	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}\stubpath = "C:\\Windows\\{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe"	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B133F823-7F85-449c-99F3-36CB0D60F366}\stubpath = "C:\\Windows\\{B133F823-7F85-449c-99F3-36CB0D60F366}.exe"	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4E92096D-2E89-412d-8CE6-BE8C81000553}\stubpath = "C:\\Windows\\{4E92096D-2E89-412d-8CE6-BE8C81000553}.exe"	{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86152526-DFE8-4fbb-8AD0-B146B943C23A}	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}	{375E180A-01DA-4728-BB46-3F08F991E226}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D37F9010-BE66-437b-885F-969D9C2B430A}	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B133F823-7F85-449c-99F3-36CB0D60F366}	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}	{28948893-ED34-46bf-872E-6B873DCAD77E}.exe

Executes dropped EXE 12 IoCs

pid	Process
1580	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe
4440	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe
2800	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe
1712	{375E180A-01DA-4728-BB46-3F08F991E226}.exe
2352	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe
2312	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe
3828	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe
3764	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe
2720	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe
4712	{28948893-ED34-46bf-872E-6B873DCAD77E}.exe
2816	{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe
4556	{4E92096D-2E89-412d-8CE6-BE8C81000553}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{C3FD6AAF-7634-4460-A58C-69397A363186}.exe	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
File created	C:\Windows\{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe	{28948893-ED34-46bf-872E-6B873DCAD77E}.exe
File created	C:\Windows\{B133F823-7F85-449c-99F3-36CB0D60F366}.exe	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe
File created	C:\Windows\{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe
File created	C:\Windows\{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe
File created	C:\Windows\{375E180A-01DA-4728-BB46-3F08F991E226}.exe	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe
File created	C:\Windows\{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe	{375E180A-01DA-4728-BB46-3F08F991E226}.exe
File created	C:\Windows\{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe
File created	C:\Windows\{D37F9010-BE66-437b-885F-969D9C2B430A}.exe	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe
File created	C:\Windows\{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe
File created	C:\Windows\{28948893-ED34-46bf-872E-6B873DCAD77E}.exe	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe
File created	C:\Windows\{4E92096D-2E89-412d-8CE6-BE8C81000553}.exe	{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4E92096D-2E89-412d-8CE6-BE8C81000553}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{28948893-ED34-46bf-872E-6B873DCAD77E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{375E180A-01DA-4728-BB46-3F08F991E226}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4704	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
Token: SeIncBasePriorityPrivilege	1580	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe
Token: SeIncBasePriorityPrivilege	4440	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe
Token: SeIncBasePriorityPrivilege	2800	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe
Token: SeIncBasePriorityPrivilege	1712	{375E180A-01DA-4728-BB46-3F08F991E226}.exe
Token: SeIncBasePriorityPrivilege	2352	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe
Token: SeIncBasePriorityPrivilege	2312	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe
Token: SeIncBasePriorityPrivilege	3828	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe
Token: SeIncBasePriorityPrivilege	3764	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe
Token: SeIncBasePriorityPrivilege	2720	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe
Token: SeIncBasePriorityPrivilege	4712	{28948893-ED34-46bf-872E-6B873DCAD77E}.exe
Token: SeIncBasePriorityPrivilege	2816	{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 1580	4704	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	94
PID 4704 wrote to memory of 1580	4704	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	94
PID 4704 wrote to memory of 1580	4704	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	94
PID 4704 wrote to memory of 1452	4704	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	95
PID 4704 wrote to memory of 1452	4704	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	95
PID 4704 wrote to memory of 1452	4704	ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe	95
PID 1580 wrote to memory of 4440	1580	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe	96
PID 1580 wrote to memory of 4440	1580	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe	96
PID 1580 wrote to memory of 4440	1580	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe	96
PID 1580 wrote to memory of 1232	1580	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe	97
PID 1580 wrote to memory of 1232	1580	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe	97
PID 1580 wrote to memory of 1232	1580	{C3FD6AAF-7634-4460-A58C-69397A363186}.exe	97
PID 4440 wrote to memory of 2800	4440	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe	100
PID 4440 wrote to memory of 2800	4440	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe	100
PID 4440 wrote to memory of 2800	4440	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe	100
PID 4440 wrote to memory of 3136	4440	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe	101
PID 4440 wrote to memory of 3136	4440	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe	101
PID 4440 wrote to memory of 3136	4440	{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe	101
PID 2800 wrote to memory of 1712	2800	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe	102
PID 2800 wrote to memory of 1712	2800	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe	102
PID 2800 wrote to memory of 1712	2800	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe	102
PID 2800 wrote to memory of 4756	2800	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe	103
PID 2800 wrote to memory of 4756	2800	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe	103
PID 2800 wrote to memory of 4756	2800	{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe	103
PID 1712 wrote to memory of 2352	1712	{375E180A-01DA-4728-BB46-3F08F991E226}.exe	104
PID 1712 wrote to memory of 2352	1712	{375E180A-01DA-4728-BB46-3F08F991E226}.exe	104
PID 1712 wrote to memory of 2352	1712	{375E180A-01DA-4728-BB46-3F08F991E226}.exe	104
PID 1712 wrote to memory of 4028	1712	{375E180A-01DA-4728-BB46-3F08F991E226}.exe	105
PID 1712 wrote to memory of 4028	1712	{375E180A-01DA-4728-BB46-3F08F991E226}.exe	105
PID 1712 wrote to memory of 4028	1712	{375E180A-01DA-4728-BB46-3F08F991E226}.exe	105
PID 2352 wrote to memory of 2312	2352	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe	106
PID 2352 wrote to memory of 2312	2352	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe	106
PID 2352 wrote to memory of 2312	2352	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe	106
PID 2352 wrote to memory of 3924	2352	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe	107
PID 2352 wrote to memory of 3924	2352	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe	107
PID 2352 wrote to memory of 3924	2352	{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe	107
PID 2312 wrote to memory of 3828	2312	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe	108
PID 2312 wrote to memory of 3828	2312	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe	108
PID 2312 wrote to memory of 3828	2312	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe	108
PID 2312 wrote to memory of 3648	2312	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe	109
PID 2312 wrote to memory of 3648	2312	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe	109
PID 2312 wrote to memory of 3648	2312	{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe	109
PID 3828 wrote to memory of 3764	3828	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe	110
PID 3828 wrote to memory of 3764	3828	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe	110
PID 3828 wrote to memory of 3764	3828	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe	110
PID 3828 wrote to memory of 876	3828	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe	111
PID 3828 wrote to memory of 876	3828	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe	111
PID 3828 wrote to memory of 876	3828	{D37F9010-BE66-437b-885F-969D9C2B430A}.exe	111
PID 3764 wrote to memory of 2720	3764	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe	112
PID 3764 wrote to memory of 2720	3764	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe	112
PID 3764 wrote to memory of 2720	3764	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe	112
PID 3764 wrote to memory of 1336	3764	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe	113
PID 3764 wrote to memory of 1336	3764	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe	113
PID 3764 wrote to memory of 1336	3764	{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe	113
PID 2720 wrote to memory of 4712	2720	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe	114
PID 2720 wrote to memory of 4712	2720	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe	114
PID 2720 wrote to memory of 4712	2720	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe	114
PID 2720 wrote to memory of 5020	2720	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe	115
PID 2720 wrote to memory of 5020	2720	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe	115
PID 2720 wrote to memory of 5020	2720	{B133F823-7F85-449c-99F3-36CB0D60F366}.exe	115
PID 4712 wrote to memory of 2816	4712	{28948893-ED34-46bf-872E-6B873DCAD77E}.exe	116
PID 4712 wrote to memory of 2816	4712	{28948893-ED34-46bf-872E-6B873DCAD77E}.exe	116
PID 4712 wrote to memory of 2816	4712	{28948893-ED34-46bf-872E-6B873DCAD77E}.exe	116
PID 4712 wrote to memory of 388	4712	{28948893-ED34-46bf-872E-6B873DCAD77E}.exe	117

C:\Users\Admin\AppData\Local\Temp\ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe
"C:\Users\Admin\AppData\Local\Temp\ec879d5683c1ab7c3a382cdc2ded69718a293fb673674e18229358a31f970640.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\{C3FD6AAF-7634-4460-A58C-69397A363186}.exe
  C:\Windows\{C3FD6AAF-7634-4460-A58C-69397A363186}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe
    C:\Windows\{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe
      C:\Windows\{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\{375E180A-01DA-4728-BB46-3F08F991E226}.exe
        
        C:\Windows\{375E180A-01DA-4728-BB46-3F08F991E226}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
      - C:\Windows\{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe
        
        C:\Windows\{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe
        
        C:\Windows\{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\{D37F9010-BE66-437b-885F-969D9C2B430A}.exe
        
        C:\Windows\{D37F9010-BE66-437b-885F-969D9C2B430A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3828
        
        C:\Windows\{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe
        
        C:\Windows\{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3764
        
        C:\Windows\{B133F823-7F85-449c-99F3-36CB0D60F366}.exe
        
        C:\Windows\{B133F823-7F85-449c-99F3-36CB0D60F366}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\{28948893-ED34-46bf-872E-6B873DCAD77E}.exe
        
        C:\Windows\{28948893-ED34-46bf-872E-6B873DCAD77E}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4712
        
        C:\Windows\{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe
        
        C:\Windows\{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\{4E92096D-2E89-412d-8CE6-BE8C81000553}.exe
        
        C:\Windows\{4E92096D-2E89-412d-8CE6-BE8C81000553}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7883~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{28948~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B133F~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA25E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D37F9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{62C2E~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8195C~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{375E1~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{229B0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4756
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{86152~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3136
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C3FD6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1232
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EC879D~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{229B0334-FD93-44e3-93D4-DFE4588DF576}.exe

Filesize
60KB

MD5
ac162101f0fdd59fd98bf00d21a9f11a

SHA1
7408a91d7ffefe8c9fb253cdc8bfa6a3a7173e95

SHA256
295950c6e494d628d86a351f7e31f0a256d6a2cde38ec446ac2e0b4aeb47dc13

SHA512
8b55bcc6eded422f52033186b7bb847777f8844a2c3c1b13884ee62fcebf936fb2d57480ad66dfd2632a841d8eae0bfcac4097b157c70053dd4ecd7fb5664497

Download Submit
C:\Windows\{28948893-ED34-46bf-872E-6B873DCAD77E}.exe

Filesize
60KB

MD5
ef71e6828b28faa1b36a9992bb0b3d18

SHA1
772072726e57d047136d4768f6d4aad9770af4d7

SHA256
3b6d1a13271de023e6ef9400d314d7ec7f4e9f99943bcd16dec94a956d57bc03

SHA512
b355c555b38c70702a66b3941b385ca0925adab6151f3383a4f7ebf3dcd9f5a6efac264a66f60655ff6677bf5273ba58153103a56b212e0f8f4d1b834fae4ff8

Download Submit
C:\Windows\{375E180A-01DA-4728-BB46-3F08F991E226}.exe

Filesize
60KB

MD5
f7def15bfa03db66ca0959d18128a17d

SHA1
4f45df080d4a9805ad94b5ec84fc32594e6002ec

SHA256
2f1c13cb3ae9f6c242ca5c3ccfcd3da950d867a43be756dd48145d48b0180ed8

SHA512
8ef0e24c2c9bf6e0efaad8c7932d8d23198deaa0172eda57a0b18e4cd0c68478a355bfcfbea02f16bbeeb0aa1205099f2b311f6c1cdd50ced91061fab78aa380

Download Submit
C:\Windows\{4E92096D-2E89-412d-8CE6-BE8C81000553}.exe

Filesize
60KB

MD5
eca60df6812f26c768907a46ace1f242

SHA1
4992360d9dffcdde54787abe5f54829231d3559e

SHA256
08bcced966afd6ecd98acd2b58c2dca9e411f898c8cb9dcfb53afe917bd73c29

SHA512
448a25522e9f92bfaad4a67832af8190384d9767bd1fa8a7c8c9124cabe220919a6b2a6c8bfa73e027725119c7d3aea53c4bd3149fb555e6a86e353945efee26

Download Submit
C:\Windows\{62C2EC18-84AE-4721-957F-D6F5B0E3E554}.exe

Filesize
60KB

MD5
504b7904cc31bfb4119b45d3ff51ec49

SHA1
b5a048f773b21e999dde583f16ec186df1064bca

SHA256
087f9fdecc4314ec0e4e121d7f5e8315db9bfda443d1615722c96e3d6e9e1e90

SHA512
42b9d0911b9c219ed9b23d258b956d8a38817558d3e6b906fa741028a34a7993719d61c83d204f5dacef4c8e238d22efbf030d9d25db6eb76a607596a4160166

Download Submit
C:\Windows\{8195CEE2-FB88-4eb4-9F95-8E3BB4333C15}.exe

Filesize
60KB

MD5
96582e0b9c7c5eb831396ec7986e53db

SHA1
91bf28febd6e94d3f55f6d1f68074006e2acc707

SHA256
a6574c005d8e4b0f39b11425e8dc223d6d0b86bf0a3c9e7443e05517324f5e64

SHA512
8bcab37c9bcf30fe5f043b08ea2f0a5a31ddbb97c5ffe733eb8bd7935a8aee5d4f807fa6ff8c9e83142b52c7e956d0ac8ce7fa84f3568a65299051866eb11674

Download Submit
C:\Windows\{86152526-DFE8-4fbb-8AD0-B146B943C23A}.exe

Filesize
60KB

MD5
83047b1e89593e6167aae1ba5fa95fbf

SHA1
627233efb8a6b0b7e6dab958434e96d109070257

SHA256
4db6c4f4c36d7502ba63c6cd7334f8d14236252d0a905d053443920c37c507a7

SHA512
99c09ce200f500b20bac417295a21f9253b73b9a5de52e165b2a0e0b6416c50573e6362b8fc5dcfb7e9636d6c7ca1cc7d20681145f5c05cc67d2eca4ee2c8131

Download Submit
C:\Windows\{B133F823-7F85-449c-99F3-36CB0D60F366}.exe

Filesize
60KB

MD5
611b2ed6781ccd2c7addb7890de89c7b

SHA1
0473bd554be93455452e145f0471998e184dfda0

SHA256
b222430f0061255b7b599fe522a1fc2033c33de8b79088ecd42be10cf679fd56

SHA512
fd3e9ba2eb0c830aa2d58797ce6c544a46be01257e3b72321e2e9df53bc46871b43fb0be5005531ba3df73b292a809139671625013b5c0a631bcea24691e6f4f

Download Submit
C:\Windows\{C3FD6AAF-7634-4460-A58C-69397A363186}.exe

Filesize
60KB

MD5
8478064a8ff781cc0a258d2cdbed379f

SHA1
461a4832cc84c8e6959321c4c74ead60ed4bea0c

SHA256
4113aa31dac2a3f48d1fe10773daff502e79719c757e7cc0234faa7a52f59c66

SHA512
5c5921ad06d252808d5b1fcb895dbd6e7c0fae814353e4abcf4b776f293bb58aba51bd198e5eccb2e4a0bae0ce09b19025c971479c7ec571a368f1201f4a7541

Download Submit
C:\Windows\{CA25EA72-7A29-42ae-9925-ABF3FF0D96B1}.exe

Filesize
60KB

MD5
201074ef2d05d620dbd9613bf54fe0a2

SHA1
5213fb9cb857c08ce1ded300906b2cf562feeae9

SHA256
d5fab8b7165c5ce3ca0dc9bba7adc385ea0d0c75b6588c2ce276ab6cabd2eecd

SHA512
7c44d6e5978c37278309aad6dd79311cb4b2887f4d4fee78f9ee6e4c32bddfa697f244bb1a7ea344ddd371c0c805d423797d528f84f575d9efd4421ea21645ac

Download Submit
C:\Windows\{D37F9010-BE66-437b-885F-969D9C2B430A}.exe

Filesize
60KB

MD5
bbd9bfa825e2b85875c0be5a38c94eb4

SHA1
a524ac433b1d6c8ef94eea10cc0b779cc5928467

SHA256
a47e242bd86d21f54c98ab7dba3981b11ef78e6a9878d1821326814d74e867d2

SHA512
67b4a1184385902d5d06146898f435a8c9e5fd89aa47ddce08ab413eca152f98b6dae3c1bc30104d1684fa967824adf27a1b8b0f0a835d9b1e9a735c57d158ac

Download Submit
C:\Windows\{F788372F-1BDD-4df5-AFEF-FB3CA8F9E64A}.exe

Filesize
60KB

MD5
0846125f361467721efbea01259b1308

SHA1
a3058a91162ffa34ba291575a749f25e8ea575d3

SHA256
7eb878f773f0bfe4cdbf727e111223f1295e71f106a37e2ce3aad5d149d743bb

SHA512
b9b83540a0e460d013c0ec7ff3355cd35e303ea0654f934a6efcac296081369858865a4d1f507d0a22345eb7a948af0eb8fdc96cf2d6d107282b5fbc15d0a4d9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads