343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 06:54

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
Size

88KB
MD5

1952da201837e633a68990f307c98280
SHA1

05787a9a764a96e5af585460696f9ad8b60a0743
SHA256

343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3
SHA512

caf82b9b7bdf3dc2c923d0775897c0ada0f1ad3534440119664895f806d08e8b0f1e4650570b192e7920cb2a902c6648da90aa32b588689a227aca5c5131ff81
SSDEEP

768:5vw9816thKQLroQ4/wQUNrfrunMxVFA3d:lEG/0oQlrunMxVS3d

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AF1D08F-4467-4e43-BB3E-FD30387AB150}	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667CC21E-68E9-4b04-A17C-94C34ED3244F}\stubpath = "C:\\Windows\\{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe"	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B011D396-117A-478d-BF11-54959CEAAD4B}	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0AF1D08F-4467-4e43-BB3E-FD30387AB150}\stubpath = "C:\\Windows\\{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe"	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{890C2F47-9A9F-4e89-9547-26933336AECC}\stubpath = "C:\\Windows\\{890C2F47-9A9F-4e89-9547-26933336AECC}.exe"	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B011D396-117A-478d-BF11-54959CEAAD4B}\stubpath = "C:\\Windows\\{B011D396-117A-478d-BF11-54959CEAAD4B}.exe"	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}\stubpath = "C:\\Windows\\{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe"	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{667CC21E-68E9-4b04-A17C-94C34ED3244F}	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}\stubpath = "C:\\Windows\\{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe"	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}\stubpath = "C:\\Windows\\{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe"	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18EF646B-A4B0-4441-9290-022470E01B00}	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}\stubpath = "C:\\Windows\\{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe"	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{890C2F47-9A9F-4e89-9547-26933336AECC}	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18EF646B-A4B0-4441-9290-022470E01B00}\stubpath = "C:\\Windows\\{18EF646B-A4B0-4441-9290-022470E01B00}.exe"	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe

Executes dropped EXE 9 IoCs

pid	Process
4492	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe
5116	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe
3996	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe
4028	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe
1748	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe
3920	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe
3460	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe
1788	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe
4332	{18EF646B-A4B0-4441-9290-022470E01B00}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe
File created	C:\Windows\{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe
File created	C:\Windows\{890C2F47-9A9F-4e89-9547-26933336AECC}.exe	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe
File created	C:\Windows\{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe
File created	C:\Windows\{B011D396-117A-478d-BF11-54959CEAAD4B}.exe	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe
File created	C:\Windows\{18EF646B-A4B0-4441-9290-022470E01B00}.exe	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe
File created	C:\Windows\{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
File created	C:\Windows\{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe
File created	C:\Windows\{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18EF646B-A4B0-4441-9290-022470E01B00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2948	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
Token: SeIncBasePriorityPrivilege	4492	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe
Token: SeIncBasePriorityPrivilege	5116	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe
Token: SeIncBasePriorityPrivilege	3996	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe
Token: SeIncBasePriorityPrivilege	4028	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe
Token: SeIncBasePriorityPrivilege	1748	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe
Token: SeIncBasePriorityPrivilege	3920	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe
Token: SeIncBasePriorityPrivilege	3460	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe
Token: SeIncBasePriorityPrivilege	1788	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 4492	2948	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	89
PID 2948 wrote to memory of 4492	2948	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	89
PID 2948 wrote to memory of 4492	2948	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	89
PID 2948 wrote to memory of 2168	2948	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	90
PID 2948 wrote to memory of 2168	2948	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	90
PID 2948 wrote to memory of 2168	2948	343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe	90
PID 4492 wrote to memory of 5116	4492	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe	91
PID 4492 wrote to memory of 5116	4492	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe	91
PID 4492 wrote to memory of 5116	4492	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe	91
PID 4492 wrote to memory of 3144	4492	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe	92
PID 4492 wrote to memory of 3144	4492	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe	92
PID 4492 wrote to memory of 3144	4492	{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe	92
PID 5116 wrote to memory of 3996	5116	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe	95
PID 5116 wrote to memory of 3996	5116	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe	95
PID 5116 wrote to memory of 3996	5116	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe	95
PID 5116 wrote to memory of 724	5116	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe	96
PID 5116 wrote to memory of 724	5116	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe	96
PID 5116 wrote to memory of 724	5116	{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe	96
PID 3996 wrote to memory of 4028	3996	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe	97
PID 3996 wrote to memory of 4028	3996	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe	97
PID 3996 wrote to memory of 4028	3996	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe	97
PID 3996 wrote to memory of 2024	3996	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe	98
PID 3996 wrote to memory of 2024	3996	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe	98
PID 3996 wrote to memory of 2024	3996	{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe	98
PID 4028 wrote to memory of 1748	4028	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe	99
PID 4028 wrote to memory of 1748	4028	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe	99
PID 4028 wrote to memory of 1748	4028	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe	99
PID 4028 wrote to memory of 1948	4028	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe	100
PID 4028 wrote to memory of 1948	4028	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe	100
PID 4028 wrote to memory of 1948	4028	{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe	100
PID 1748 wrote to memory of 3920	1748	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe	101
PID 1748 wrote to memory of 3920	1748	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe	101
PID 1748 wrote to memory of 3920	1748	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe	101
PID 1748 wrote to memory of 3360	1748	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe	102
PID 1748 wrote to memory of 3360	1748	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe	102
PID 1748 wrote to memory of 3360	1748	{890C2F47-9A9F-4e89-9547-26933336AECC}.exe	102
PID 3920 wrote to memory of 3460	3920	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe	103
PID 3920 wrote to memory of 3460	3920	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe	103
PID 3920 wrote to memory of 3460	3920	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe	103
PID 3920 wrote to memory of 2760	3920	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe	104
PID 3920 wrote to memory of 2760	3920	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe	104
PID 3920 wrote to memory of 2760	3920	{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe	104
PID 3460 wrote to memory of 1788	3460	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe	105
PID 3460 wrote to memory of 1788	3460	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe	105
PID 3460 wrote to memory of 1788	3460	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe	105
PID 3460 wrote to memory of 1204	3460	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe	106
PID 3460 wrote to memory of 1204	3460	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe	106
PID 3460 wrote to memory of 1204	3460	{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe	106
PID 1788 wrote to memory of 4332	1788	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe	107
PID 1788 wrote to memory of 4332	1788	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe	107
PID 1788 wrote to memory of 4332	1788	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe	107
PID 1788 wrote to memory of 4716	1788	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe	108
PID 1788 wrote to memory of 4716	1788	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe	108
PID 1788 wrote to memory of 4716	1788	{B011D396-117A-478d-BF11-54959CEAAD4B}.exe	108

C:\Users\Admin\AppData\Local\Temp\343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe
"C:\Users\Admin\AppData\Local\Temp\343259afa016e470b5ad05d0fb6bbdb7259b95211425814179d18c1c6619dce3N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe
  C:\Windows\{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4492
- - C:\Windows\{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe
    C:\Windows\{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe
      C:\Windows\{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3996
    - - C:\Windows\{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe
        
        C:\Windows\{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4028
      - C:\Windows\{890C2F47-9A9F-4e89-9547-26933336AECC}.exe
        
        C:\Windows\{890C2F47-9A9F-4e89-9547-26933336AECC}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe
        
        C:\Windows\{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Windows\{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe
        
        C:\Windows\{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\{B011D396-117A-478d-BF11-54959CEAAD4B}.exe
        
        C:\Windows\{B011D396-117A-478d-BF11-54959CEAAD4B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\{18EF646B-A4B0-4441-9290-022470E01B00}.exe
        
        C:\Windows\{18EF646B-A4B0-4441-9290-022470E01B00}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B011D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2FEA~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FCB0A~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{890C2~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3360
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{667CC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1948
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C0A9E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0AF1D~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:724
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{65F01~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\343259~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0AF1D08F-4467-4e43-BB3E-FD30387AB150}.exe

Filesize
88KB

MD5
a8ce0b52de5bc0f7ecd8df3341e35de9

SHA1
a398fd4074cab42bd1b552832c4519fef3eab6a0

SHA256
b1446ad7a81c788f3ddb6f7c30fcb16ef35f052b34e4f84e2517944178a38108

SHA512
13ff4bd783b414dec0a72e884fb5d3b15d69cf5e6415395be4932adc8d8938e422e23b8eb22e7d4bd2735935f486f79ad6f5ec37c5a15488771bfa56bb4293c6

Download Submit
C:\Windows\{18EF646B-A4B0-4441-9290-022470E01B00}.exe

Filesize
88KB

MD5
6cf6238f5fd79d526f6a7bcee22e92ee

SHA1
7b4407d13fcf342903b71ffc6702425814dd60c2

SHA256
35bcec249ff58aab0dfd76f609f4be026854397aca894bec17dd05569e6cafc9

SHA512
8d4346fe52d960fc5c2c0e17019f7c00b110cb52f5036deca99cac058f05349f1afcf9eea99f049a03be0c813e510bfbcab437cfdb7c4eb2e663b14ae7656a1a

Download Submit
C:\Windows\{65F01BAD-3DE0-4e4b-9133-58A6B35EFFDC}.exe

Filesize
88KB

MD5
ad085844f3f2fc83e89dff96e098063e

SHA1
f9c546e06208f1c53b5f3511b9d90367f88effe4

SHA256
9aa2854fe2077a6ff2ea2a91a085b54c91b90b3d138c29b21bfe1765b7a09390

SHA512
856b15c91824935a0ce04cd63c895d01c4912d71f5bcd4f92deacac8d1bf8fff1187524879a9de511bff53f65fbdc04db656f5ecfa70b23e9ed014c3e4753724

Download Submit
C:\Windows\{667CC21E-68E9-4b04-A17C-94C34ED3244F}.exe

Filesize
88KB

MD5
d6e74c720a1a3d29751d2846a7b2de89

SHA1
9c97f05703f98e7692cd0f09a4af3e17feef2874

SHA256
766ac61ede6fbed4a836aeb3c6ade1ddf9b21bf50d86f037c003e7905378b147

SHA512
46143d8c4c3a0047adb40194a81c081e3f9168d5738a95867343d0488e31872c2c2779af33a39521c8c835b4b35afccd875455de8da5c2b96df531db4fc10c95

Download Submit
C:\Windows\{890C2F47-9A9F-4e89-9547-26933336AECC}.exe

Filesize
88KB

MD5
f7064db84c24d6bae7c2281be7e5c24d

SHA1
a5bf8f14d78e42922a73d01ac8311ef635482d1c

SHA256
742959380397758ba13cb543bce6d83ebc7efba55a797f612575a19a82ef4305

SHA512
cebd46b1848559a768467fd7be522f046e7e5551ff539cef0be0f6a8410df9a823e9c097929e1df51b6d8c40547ecd9140bbff23d3e02f5096f80ae11f4b6fde

Download Submit
C:\Windows\{B011D396-117A-478d-BF11-54959CEAAD4B}.exe

Filesize
88KB

MD5
a9c1b71d67a1350c5b5805b9df726e7e

SHA1
2a4e15cd3f3135bc14c2529dfdae490f3f212fd9

SHA256
7cbc0e1c32e0acd76d09a382c484d0bb416ec03f9718eb961e911c6d937c5339

SHA512
d856f18416f8cc4877fbb7b882cf44660174ac8f15b1c29f99407742007df956bc353247e87ad08c0b04ff3384e8ff659bb33ff08f73f3bf41ba6c20c83c74d1

Download Submit
C:\Windows\{C0A9E1D2-0537-4aa8-A9B1-A1528F39ED89}.exe

Filesize
88KB

MD5
139b1be4238e5230f243a2ac08590e2e

SHA1
4d894a1998608fa29c67fd4c7082c81629420c4f

SHA256
26f3b675ecf7ce0b6beeb84f7a5a6803a6333259fb0782d9ee5aa759705e2980

SHA512
592614925982461d3b9c3bcce5667e3bad1e425ffd97144ed69b99cc4e8430ce4638aeb7574075b6a448f55de5c06d237a8a506b134eba7870377d7569cbd319

Download Submit
C:\Windows\{E2FEAAEB-F3C3-4b80-95F4-AA25EFCA8E38}.exe

Filesize
88KB

MD5
523f99cd6b3b47444de895adf51128a3

SHA1
4e3de5b81ada4ae173ad9b0974f52e4cfe0f3e5b

SHA256
2f0c63b85aa7de5eef9704489d9c2132a19ced4867c7f592f007afe926088cce

SHA512
2ddc8cbcec92615d84574ad7941b319c684bf6c84326ef1e368ce6cad9a7daf52da367aca0ff3385c2a419e3eb27274de338dce59b2d639680dd9d7d2d1baa54

Download Submit
C:\Windows\{FCB0AB51-AFC1-4851-AF60-CA5F917748D8}.exe

Filesize
88KB

MD5
edf5f56cca09118804068fa11b417619

SHA1
159d09bf621e9ef154eb6a30e389d618cd61445e

SHA256
4f5dc929b4f1d594e41e2eb19d66005e1ebb4e5aee8918989e46e37974ea3449

SHA512
3376fade238871552b5a14919a77f5c94dfc6ba5cc7e70dca5e44d2eab276fc1917af805c557ffc7a665422dbb485d38596c47ec56f89c25afc58dbc7aa24f2c

Download Submit
memory/1748-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1748-32-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1788-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2948-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2948-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2948-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3460-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3920-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3920-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3996-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3996-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4028-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4028-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4492-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4492-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4492-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5116-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/5116-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads