a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 23:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe
Size

89KB
MD5

2c0071fa52c40ffebbd786f410d7be62
SHA1

b99f86b0dd53e8c26cc5ed80f0d6938ee33fc5cb
SHA256

a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63
SHA512

7643aebfcd620651da30a43d40f8811c5a5cac094327585b31c4cae6b3af9898a8e5cbdf463995746012d77d9e26399e59059cefc76f8903d420e904957472e5
SSDEEP

768:Qvw9816vhKQLror4/wQRNrfrunMxVFA3b7gl5:YEGh0orl2unMxVS3HgX

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E76E40DA-127E-4df5-9B5B-34E079DC6DBB}	{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}\stubpath = "C:\\Windows\\{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe"	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23DA0F65-FAEC-47d1-8207-7068341CBC08}	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{824BB0B3-6203-4274-A54C-0FE62DA06DAD}	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2222DA73-2B63-4f52-BD14-6AAD2B608929}	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2222DA73-2B63-4f52-BD14-6AAD2B608929}\stubpath = "C:\\Windows\\{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe"	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{028378F7-8BAD-47e8-BCD7-760E65B180CC}	{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E76E40DA-127E-4df5-9B5B-34E079DC6DBB}\stubpath = "C:\\Windows\\{E76E40DA-127E-4df5-9B5B-34E079DC6DBB}.exe"	{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}\stubpath = "C:\\Windows\\{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe"	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}\stubpath = "C:\\Windows\\{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe"	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}\stubpath = "C:\\Windows\\{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe"	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}\stubpath = "C:\\Windows\\{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe"	{603AB75B-524F-4706-A815-980BE52B1C99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{23DA0F65-FAEC-47d1-8207-7068341CBC08}\stubpath = "C:\\Windows\\{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe"	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{028378F7-8BAD-47e8-BCD7-760E65B180CC}\stubpath = "C:\\Windows\\{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe"	{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{603AB75B-524F-4706-A815-980BE52B1C99}	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{603AB75B-524F-4706-A815-980BE52B1C99}\stubpath = "C:\\Windows\\{603AB75B-524F-4706-A815-980BE52B1C99}.exe"	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}	{603AB75B-524F-4706-A815-980BE52B1C99}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}\stubpath = "C:\\Windows\\{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe"	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{824BB0B3-6203-4274-A54C-0FE62DA06DAD}\stubpath = "C:\\Windows\\{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe"	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe

Executes dropped EXE 12 IoCs

pid	Process
2072	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe
3708	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe
1716	{603AB75B-524F-4706-A815-980BE52B1C99}.exe
448	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe
1920	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe
456	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe
1096	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe
4696	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe
1148	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe
2912	{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe
3116	{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe
2940	{E76E40DA-127E-4df5-9B5B-34E079DC6DBB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe
File created	C:\Windows\{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe
File created	C:\Windows\{603AB75B-524F-4706-A815-980BE52B1C99}.exe	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe
File created	C:\Windows\{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe	{603AB75B-524F-4706-A815-980BE52B1C99}.exe
File created	C:\Windows\{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe
File created	C:\Windows\{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe
File created	C:\Windows\{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe
File created	C:\Windows\{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe
File created	C:\Windows\{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe	{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe
File created	C:\Windows\{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe
File created	C:\Windows\{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe
File created	C:\Windows\{E76E40DA-127E-4df5-9B5B-34E079DC6DBB}.exe	{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{603AB75B-524F-4706-A815-980BE52B1C99}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E76E40DA-127E-4df5-9B5B-34E079DC6DBB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2484	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe
Token: SeIncBasePriorityPrivilege	2072	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe
Token: SeIncBasePriorityPrivilege	3708	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe
Token: SeIncBasePriorityPrivilege	1716	{603AB75B-524F-4706-A815-980BE52B1C99}.exe
Token: SeIncBasePriorityPrivilege	448	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe
Token: SeIncBasePriorityPrivilege	1920	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe
Token: SeIncBasePriorityPrivilege	456	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe
Token: SeIncBasePriorityPrivilege	1096	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe
Token: SeIncBasePriorityPrivilege	4696	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe
Token: SeIncBasePriorityPrivilege	1148	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe
Token: SeIncBasePriorityPrivilege	2912	{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe
Token: SeIncBasePriorityPrivilege	3116	{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2072	2484	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe	89
PID 2484 wrote to memory of 2072	2484	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe	89
PID 2484 wrote to memory of 2072	2484	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe	89
PID 2484 wrote to memory of 3964	2484	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe	90
PID 2484 wrote to memory of 3964	2484	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe	90
PID 2484 wrote to memory of 3964	2484	a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe	90
PID 2072 wrote to memory of 3708	2072	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe	91
PID 2072 wrote to memory of 3708	2072	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe	91
PID 2072 wrote to memory of 3708	2072	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe	91
PID 2072 wrote to memory of 856	2072	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe	92
PID 2072 wrote to memory of 856	2072	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe	92
PID 2072 wrote to memory of 856	2072	{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe	92
PID 3708 wrote to memory of 1716	3708	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe	95
PID 3708 wrote to memory of 1716	3708	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe	95
PID 3708 wrote to memory of 1716	3708	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe	95
PID 3708 wrote to memory of 2700	3708	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe	96
PID 3708 wrote to memory of 2700	3708	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe	96
PID 3708 wrote to memory of 2700	3708	{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe	96
PID 1716 wrote to memory of 448	1716	{603AB75B-524F-4706-A815-980BE52B1C99}.exe	97
PID 1716 wrote to memory of 448	1716	{603AB75B-524F-4706-A815-980BE52B1C99}.exe	97
PID 1716 wrote to memory of 448	1716	{603AB75B-524F-4706-A815-980BE52B1C99}.exe	97
PID 1716 wrote to memory of 2020	1716	{603AB75B-524F-4706-A815-980BE52B1C99}.exe	98
PID 1716 wrote to memory of 2020	1716	{603AB75B-524F-4706-A815-980BE52B1C99}.exe	98
PID 1716 wrote to memory of 2020	1716	{603AB75B-524F-4706-A815-980BE52B1C99}.exe	98
PID 448 wrote to memory of 1920	448	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe	99
PID 448 wrote to memory of 1920	448	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe	99
PID 448 wrote to memory of 1920	448	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe	99
PID 448 wrote to memory of 3104	448	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe	100
PID 448 wrote to memory of 3104	448	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe	100
PID 448 wrote to memory of 3104	448	{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe	100
PID 1920 wrote to memory of 456	1920	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe	101
PID 1920 wrote to memory of 456	1920	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe	101
PID 1920 wrote to memory of 456	1920	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe	101
PID 1920 wrote to memory of 1800	1920	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe	102
PID 1920 wrote to memory of 1800	1920	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe	102
PID 1920 wrote to memory of 1800	1920	{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe	102
PID 456 wrote to memory of 1096	456	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe	103
PID 456 wrote to memory of 1096	456	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe	103
PID 456 wrote to memory of 1096	456	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe	103
PID 456 wrote to memory of 2252	456	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe	104
PID 456 wrote to memory of 2252	456	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe	104
PID 456 wrote to memory of 2252	456	{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe	104
PID 1096 wrote to memory of 4696	1096	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe	105
PID 1096 wrote to memory of 4696	1096	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe	105
PID 1096 wrote to memory of 4696	1096	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe	105
PID 1096 wrote to memory of 2684	1096	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe	106
PID 1096 wrote to memory of 2684	1096	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe	106
PID 1096 wrote to memory of 2684	1096	{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe	106
PID 4696 wrote to memory of 1148	4696	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe	107
PID 4696 wrote to memory of 1148	4696	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe	107
PID 4696 wrote to memory of 1148	4696	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe	107
PID 4696 wrote to memory of 1564	4696	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe	108
PID 4696 wrote to memory of 1564	4696	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe	108
PID 4696 wrote to memory of 1564	4696	{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe	108
PID 1148 wrote to memory of 2912	1148	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe	109
PID 1148 wrote to memory of 2912	1148	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe	109
PID 1148 wrote to memory of 2912	1148	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe	109
PID 1148 wrote to memory of 3204	1148	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe	110
PID 1148 wrote to memory of 3204	1148	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe	110
PID 1148 wrote to memory of 3204	1148	{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe	110
PID 2912 wrote to memory of 3116	2912	{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe	111
PID 2912 wrote to memory of 3116	2912	{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe	111
PID 2912 wrote to memory of 3116	2912	{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe	111
PID 2912 wrote to memory of 436	2912	{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe	112

C:\Users\Admin\AppData\Local\Temp\a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe
"C:\Users\Admin\AppData\Local\Temp\a1c750ff276f725b657460cbf0b22c8bedd1984eb1a664abc0ab90b4f710cf63.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe
  C:\Windows\{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe
    C:\Windows\{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\{603AB75B-524F-4706-A815-980BE52B1C99}.exe
      C:\Windows\{603AB75B-524F-4706-A815-980BE52B1C99}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe
        
        C:\Windows\{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
      - C:\Windows\{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe
        
        C:\Windows\{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe
        
        C:\Windows\{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe
        
        C:\Windows\{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe
        
        C:\Windows\{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe
        
        C:\Windows\{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe
        
        C:\Windows\{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe
        
        C:\Windows\{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3116
        
        C:\Windows\{E76E40DA-127E-4df5-9B5B-34E079DC6DBB}.exe
        
        C:\Windows\{E76E40DA-127E-4df5-9B5B-34E079DC6DBB}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{02837~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6F8A3~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CC1F0~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3204
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2222D~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{824BB~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E35C5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{23DA0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1800
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B9E5E~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{603AB~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2020
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C1FD3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{975EF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:856
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A1C750~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{028378F7-8BAD-47e8-BCD7-760E65B180CC}.exe

Filesize
89KB

MD5
06f8800cf35ffc13ccbcf5c343a64326

SHA1
9d610da4949ae2368d4f6dbc5e74d33fc16b7117

SHA256
1a263d0394df39a14a374c46589e6fde8134a3de7b3674ea2068552d43292377

SHA512
c5909e742cfebe73988a9cfd5548b2eeaf6084cbb5b54058bd6c114906066343a5e3c2bd2fd04187fbd3bdedca2545eea4993edabd1e2eb74558e0cf599bab18

Download Submit
C:\Windows\{2222DA73-2B63-4f52-BD14-6AAD2B608929}.exe

Filesize
89KB

MD5
e3832d5324913a857906e03ce52feee2

SHA1
069730e0487fbd50c7b884669366fe1358c2a7aa

SHA256
4185e300d913aeac927d8a832f4c1bb43b91c3685b9ed8de99b4f3cc7284de47

SHA512
2cdc74c41a48d962443524e7d3ed5e21e41c6572dd479b1ffd8224f1abb354bf5d5172312b88a644d919fdccaadebc05457fd49363291762eaf0f17bc559ba43

Download Submit
C:\Windows\{23DA0F65-FAEC-47d1-8207-7068341CBC08}.exe

Filesize
89KB

MD5
292ff5ae99e8c7a8bb13bc57f9b57ad6

SHA1
31909ec69aec9d6d3e233564922fa70a2c602a81

SHA256
2fd9e717ae0195222c3a8cc2382f27d8ef258e01c6bf1b16ceb92efc74f5fdb5

SHA512
6d0d835fa938a0149d3723cab97e07d8c81dad23f61c4493ec25f7c2385892ec0107c094312b7ab8f3f132e0bb38d4718c594e412d081d4bc2ec2055b1108aa3

Download Submit
C:\Windows\{603AB75B-524F-4706-A815-980BE52B1C99}.exe

Filesize
89KB

MD5
a061fbd8c7e7e38e77eef8a3735f293e

SHA1
59082fadf97dddbd517c47723a8ed3cf78e38ff9

SHA256
52688e3d7073bc86b7e1d647253d2ddd4843eb435e1d38f7d4ef910fe9c23b0f

SHA512
20bbff203dd9266e64e8711f35c6e7435db685f4d54a7b8951be599e42a3564dc3d6edce5ddfba7f079f4b9d04281d5e16278daca289bd4631c72c0d5fd4f58b

Download Submit
C:\Windows\{6F8A3F46-6CAA-434e-B4B2-B052FB16C4A6}.exe

Filesize
89KB

MD5
f98b92cdc5f685e2e1529d4df2fdf954

SHA1
69d1ca32a2a266ffc91867176d2bfbe4f16fc80c

SHA256
178f7d1222032a6ec96c0bce8bb97f84ef7d4aee406f29a8952e4889cf300e14

SHA512
604d549cf2e7dde3e83fcac5e3e017b24e56bd7d7f7c238ba6ef1227c505957ada419139e2e30bea97e6c89a3a3f321978280058e71afb3535e4c02c75891449

Download Submit
C:\Windows\{824BB0B3-6203-4274-A54C-0FE62DA06DAD}.exe

Filesize
89KB

MD5
1fcb8f8985a635cffac326bd727c2ef8

SHA1
b2e2f7be67dd3158b3a06c53771dc4ce01242978

SHA256
c2b11f997e632ab41792491eb018a0cb28a33bc8ca28f2877813ba9de1ea70d2

SHA512
51f795317136de9f8d56e07da54d89dfec9834624764e88d8657719920c31e746c23e5fce9a1127dcc529812c1973a2f165bf6abf3028d6ca4df56ee0ce60c2b

Download Submit
C:\Windows\{975EF8AD-1E5F-4a7b-AA8B-1FD5C644EC00}.exe

Filesize
89KB

MD5
4105f7c543819f78fc63b0089450d7a5

SHA1
8489f67c3fb927f7517501527378254d42f8f489

SHA256
343b11908e207debccf4193605b33e881e0a288c5080c294329f7d3a9b42f210

SHA512
a2213a8d3f2e77c35b65aaf13c23928b63c9be2b04c03f1345680fd7cebc75b56030bba68754f8cc83919a1d9917b5d2df5fac7e6caad4e9129b3ab4cc70da17

Download Submit
C:\Windows\{B9E5ED75-54A8-4e39-99CE-F5EBE11E8DE5}.exe

Filesize
89KB

MD5
8cfbaf3f45383d4077a96d830a225010

SHA1
c3a1e03a2d020cd7b2d26700199bcf20a5613d55

SHA256
20defa1f4ce53dbc8cc588b893904878fd3a27a81bec8e9a314fcdc7266eb9e6

SHA512
9625d00ca48a1785f8858b93c99e254c12e4e27c02a817277128a2da3614d05e3e1a0fb07a0d0f2c5142647fae1589d19ca9c14bc4f556ffc7038a60bee07aa0

Download Submit
C:\Windows\{C1FD31BA-DB10-464e-ABF9-F03AEFE3E485}.exe

Filesize
89KB

MD5
b0a22a0554bf8fba1ceb3886e3a40112

SHA1
abf8235ceae07b58395f07a6c2856fd1928ab7af

SHA256
e6943ab07687b2ca396116a355c742fe84b3306ae303f4bfbb5f9747bf3c9b9f

SHA512
765e778b48e79601d2ab7bb6358f1aafc6d829433a87a3c8f9919827ef473e1b1df5c1c584d73180bcea424f5df3b43b6540a17daccf0e571500a89ab82fb7aa

Download Submit
C:\Windows\{CC1F0943-3EE7-49ec-9DE7-7A4D25C620C0}.exe

Filesize
89KB

MD5
a1f15e096eb6d5d2056179adbd1c1858

SHA1
ffda8f1532c9ad731ad72dae8d88eff70ceac077

SHA256
503c87e7423870ce9da4a9a6c5c8b1adce09ed83c797c8a680b34ac372f4b42f

SHA512
e29b23e9b44cde0f6f0f78588cb6059217b6b32b054e60ca2b049c9b729bdbaca8be2e959c7d54407b11cfd44f1ce5c60060c30953cf2cce3fc7bb2b7cc8ad97

Download Submit
C:\Windows\{E35C5107-3F92-4c5e-BFA5-BF8F931EC776}.exe

Filesize
89KB

MD5
a635d0d65d95dc117da586c389cd4954

SHA1
ce6806591fab1d2836682e348c9f331aee66e410

SHA256
5dd9386ad3391678ee3c0309f413f700c6d93e3ff14174b516f6bac874fd886c

SHA512
807e75ca12e25b5271325895870824904b83fcd59b21507061c07eac68848b52a6fdd754aa956eb997589a0980732e8b6a99dd650ddd9f4354e3bb1e7c1104bd

Download Submit
C:\Windows\{E76E40DA-127E-4df5-9B5B-34E079DC6DBB}.exe

Filesize
89KB

MD5
e986db6e561fa8e7ba68fcc49a86eaf8

SHA1
1bdea75ef6e348677ccadcd8bdce4f00c41a9457

SHA256
8d4aad20fe4dd7dc355880df2c231c8117f2bdacec6e2ac5ac42c86dd198d5ef

SHA512
7dfee8e1b5e171fa8c997f5c560cf367a8fed734e34b3eccc055f463a08c8beafaa2d7534ce61bf09e09fb64ecc40e04c57fad2459755c92f0e04bb918a38b38

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads