c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe
Size

88KB
MD5

a155db0d1259d157ba3cb4b720d7a5c4
SHA1

75833b5a448e96de9ba92cc777ff48d009993813
SHA256

c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205
SHA512

540d4639d273621e7eab36b49c463f8825eb68aa66bf14ac6fed34fd6b33e8abe974be5efb7827f7b4497c8b8e4443159a01120454451bc510215e974d925662
SSDEEP

768:5vw9816thKQLro14/wQkNrfrunMxVFA3V:lEG/0o1lbunMxVS3V

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}\stubpath = "C:\\Windows\\{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe"	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5152D67A-D2F3-494f-AC27-C4B5021CF285}\stubpath = "C:\\Windows\\{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe"	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}\stubpath = "C:\\Windows\\{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe"	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E906D421-54E5-4f0f-BE00-42564140EA7D}\stubpath = "C:\\Windows\\{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe"	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}\stubpath = "C:\\Windows\\{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe"	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}\stubpath = "C:\\Windows\\{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe"	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5152D67A-D2F3-494f-AC27-C4B5021CF285}	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B14523B2-1221-4a59-A096-CF81D39CE666}	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B14523B2-1221-4a59-A096-CF81D39CE666}\stubpath = "C:\\Windows\\{B14523B2-1221-4a59-A096-CF81D39CE666}.exe"	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}\stubpath = "C:\\Windows\\{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe"	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E906D421-54E5-4f0f-BE00-42564140EA7D}	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{277ABC15-CE27-4036-9D8E-2852A002CDAC}	{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{277ABC15-CE27-4036-9D8E-2852A002CDAC}\stubpath = "C:\\Windows\\{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe"	{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3217930C-8F0B-4d11-BABC-30219A4E24B8}	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3217930C-8F0B-4d11-BABC-30219A4E24B8}\stubpath = "C:\\Windows\\{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe"	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}\stubpath = "C:\\Windows\\{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe"	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A96D39E2-5665-42d5-931C-EE7A77537CD1}	{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A96D39E2-5665-42d5-931C-EE7A77537CD1}\stubpath = "C:\\Windows\\{A96D39E2-5665-42d5-931C-EE7A77537CD1}.exe"	{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe

Executes dropped EXE 12 IoCs

pid	Process
1508	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe
3908	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe
1488	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe
1652	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe
4824	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe
3260	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe
4500	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe
4612	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe
3816	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe
448	{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe
4048	{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe
4856	{A96D39E2-5665-42d5-931C-EE7A77537CD1}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe
File created	C:\Windows\{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe
File created	C:\Windows\{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe
File created	C:\Windows\{A96D39E2-5665-42d5-931C-EE7A77537CD1}.exe	{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe
File created	C:\Windows\{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe	{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe
File created	C:\Windows\{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe
File created	C:\Windows\{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe
File created	C:\Windows\{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe
File created	C:\Windows\{B14523B2-1221-4a59-A096-CF81D39CE666}.exe	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe
File created	C:\Windows\{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe
File created	C:\Windows\{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe
File created	C:\Windows\{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A96D39E2-5665-42d5-931C-EE7A77537CD1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3368	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe
Token: SeIncBasePriorityPrivilege	1508	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe
Token: SeIncBasePriorityPrivilege	3908	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe
Token: SeIncBasePriorityPrivilege	1488	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe
Token: SeIncBasePriorityPrivilege	1652	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe
Token: SeIncBasePriorityPrivilege	4824	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe
Token: SeIncBasePriorityPrivilege	3260	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe
Token: SeIncBasePriorityPrivilege	4500	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe
Token: SeIncBasePriorityPrivilege	4612	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe
Token: SeIncBasePriorityPrivilege	3816	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe
Token: SeIncBasePriorityPrivilege	448	{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe
Token: SeIncBasePriorityPrivilege	4048	{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3368 wrote to memory of 1508	3368	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe	84
PID 3368 wrote to memory of 1508	3368	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe	84
PID 3368 wrote to memory of 1508	3368	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe	84
PID 3368 wrote to memory of 4460	3368	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe	85
PID 3368 wrote to memory of 4460	3368	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe	85
PID 3368 wrote to memory of 4460	3368	c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe	85
PID 1508 wrote to memory of 3908	1508	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe	91
PID 1508 wrote to memory of 3908	1508	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe	91
PID 1508 wrote to memory of 3908	1508	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe	91
PID 1508 wrote to memory of 3256	1508	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe	92
PID 1508 wrote to memory of 3256	1508	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe	92
PID 1508 wrote to memory of 3256	1508	{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe	92
PID 3908 wrote to memory of 1488	3908	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe	97
PID 3908 wrote to memory of 1488	3908	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe	97
PID 3908 wrote to memory of 1488	3908	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe	97
PID 3908 wrote to memory of 1872	3908	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe	98
PID 3908 wrote to memory of 1872	3908	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe	98
PID 3908 wrote to memory of 1872	3908	{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe	98
PID 1488 wrote to memory of 1652	1488	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe	99
PID 1488 wrote to memory of 1652	1488	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe	99
PID 1488 wrote to memory of 1652	1488	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe	99
PID 1488 wrote to memory of 372	1488	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe	100
PID 1488 wrote to memory of 372	1488	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe	100
PID 1488 wrote to memory of 372	1488	{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe	100
PID 1652 wrote to memory of 4824	1652	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe	101
PID 1652 wrote to memory of 4824	1652	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe	101
PID 1652 wrote to memory of 4824	1652	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe	101
PID 1652 wrote to memory of 5052	1652	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe	102
PID 1652 wrote to memory of 5052	1652	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe	102
PID 1652 wrote to memory of 5052	1652	{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe	102
PID 4824 wrote to memory of 3260	4824	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe	103
PID 4824 wrote to memory of 3260	4824	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe	103
PID 4824 wrote to memory of 3260	4824	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe	103
PID 4824 wrote to memory of 1828	4824	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe	104
PID 4824 wrote to memory of 1828	4824	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe	104
PID 4824 wrote to memory of 1828	4824	{B14523B2-1221-4a59-A096-CF81D39CE666}.exe	104
PID 3260 wrote to memory of 4500	3260	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe	105
PID 3260 wrote to memory of 4500	3260	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe	105
PID 3260 wrote to memory of 4500	3260	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe	105
PID 3260 wrote to memory of 452	3260	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe	106
PID 3260 wrote to memory of 452	3260	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe	106
PID 3260 wrote to memory of 452	3260	{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe	106
PID 4500 wrote to memory of 4612	4500	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe	107
PID 4500 wrote to memory of 4612	4500	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe	107
PID 4500 wrote to memory of 4612	4500	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe	107
PID 4500 wrote to memory of 1356	4500	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe	108
PID 4500 wrote to memory of 1356	4500	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe	108
PID 4500 wrote to memory of 1356	4500	{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe	108
PID 4612 wrote to memory of 3816	4612	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe	109
PID 4612 wrote to memory of 3816	4612	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe	109
PID 4612 wrote to memory of 3816	4612	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe	109
PID 4612 wrote to memory of 1780	4612	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe	110
PID 4612 wrote to memory of 1780	4612	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe	110
PID 4612 wrote to memory of 1780	4612	{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe	110
PID 3816 wrote to memory of 448	3816	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe	111
PID 3816 wrote to memory of 448	3816	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe	111
PID 3816 wrote to memory of 448	3816	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe	111
PID 3816 wrote to memory of 4840	3816	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe	112
PID 3816 wrote to memory of 4840	3816	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe	112
PID 3816 wrote to memory of 4840	3816	{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe	112
PID 448 wrote to memory of 4048	448	{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe	113
PID 448 wrote to memory of 4048	448	{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe	113
PID 448 wrote to memory of 4048	448	{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe	113
PID 448 wrote to memory of 3356	448	{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe	114

C:\Users\Admin\AppData\Local\Temp\c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe
"C:\Users\Admin\AppData\Local\Temp\c56cb5a62835ae61cf85203818cb9fd82e60c69a6781922eab51dbb62398e205.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3368
- C:\Windows\{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe
  C:\Windows\{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe
    C:\Windows\{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe
      C:\Windows\{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe
        
        C:\Windows\{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1652
      - C:\Windows\{B14523B2-1221-4a59-A096-CF81D39CE666}.exe
        
        C:\Windows\{B14523B2-1221-4a59-A096-CF81D39CE666}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
        
        C:\Windows\{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe
        
        C:\Windows\{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe
        
        C:\Windows\{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Windows\{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe
        
        C:\Windows\{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe
        
        C:\Windows\{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3816
        
        C:\Windows\{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe
        
        C:\Windows\{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe
        
        C:\Windows\{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\{A96D39E2-5665-42d5-931C-EE7A77537CD1}.exe
        
        C:\Windows\{A96D39E2-5665-42d5-931C-EE7A77537CD1}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{277AB~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BFCCB~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E906D~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8F0CE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0709B~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8D4A9~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B1452~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{32179~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5152D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:372
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B6CEF~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1872
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{EF5EE~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C56CB5~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0709B31C-4D14-4d22-96A4-BCF5B8DC6C95}.exe

Filesize
88KB

MD5
1b9f1ebf6c629a83288c5c416e20de5c

SHA1
6f85d71f7f1b9fe7c620d3d1eecb472d8f31f5fe

SHA256
4a7f213bec8f63548ac11764517cf30fa5ff485c0d39ada64d451c859fac6ecd

SHA512
2bf29867a22cc532348ce0786fdea55d6a1ef6b312f2731568734ba68999d3c38e46c469608e3d6bfac1c48feeca6f8484d5fde3d0fa0ea3668db7acd6e08b20

Download Submit
C:\Windows\{277ABC15-CE27-4036-9D8E-2852A002CDAC}.exe

Filesize
88KB

MD5
12ac05cc760ab76e6ec962fa649bca76

SHA1
f16839f7fdaaf3189c815659a0dbce618247bf1b

SHA256
24e33a382e2f2bb5289432b2ca926233bd05cabcb53efd2b005f746787193b06

SHA512
edcac869cc5e8d1e4b6c5288d2b5ac9dc94f9d9dffd85fab6bd003d276a16fad1ee7587d985b6e7e11f26e82ac2075f13f7b218e89ef9d005f6d20919bbfe872

Download Submit
C:\Windows\{3217930C-8F0B-4d11-BABC-30219A4E24B8}.exe

Filesize
88KB

MD5
9213e12c70782c45e9abefea800ad8a6

SHA1
e239c5a08ffc826c00adf80c73e226110e2aa98f

SHA256
c7afd3ac1e69b68438c998bc30aa92dcabe270e184ab9d755cda2e0a635845c2

SHA512
d6437b70504a92152b9c8d573e4c34b09798d8719d4a072ef74df4bf3d709cc945dfe6ea15493fb3ffcd773747ad8c1f7811b00213d89a1b3b165d336a6baf72

Download Submit
C:\Windows\{5152D67A-D2F3-494f-AC27-C4B5021CF285}.exe

Filesize
88KB

MD5
590f4da1a3ddc8fb292de5b75febdf88

SHA1
c0783402d25b567d250417c3d03078ca34b0d6a8

SHA256
18be0a614f53b8e9d11ec9cd41de5806b322923ba997181d3de261f20fc41bdf

SHA512
4f6ceb56a2713513cdeab2c7ae58b41a1a09fa2a3ef8ef8a5b1b2edff1900e1c81802cd52e2c1fc4c400c48bb10bde5638bd6fe445b48aa62cb0ccd9b923c927

Download Submit
C:\Windows\{8D4A9B0C-A639-4605-8C0C-BBC8008B40F6}.exe

Filesize
88KB

MD5
98429219e69c16b69e5338b96d6794e7

SHA1
45057fc1199584b3292e8a3356b554a68aaaaf76

SHA256
1d8e74becc0838762d8225f5e374e57e7a58a6b884864a641ed5f2eb7e265c55

SHA512
17cc5f59f7b4e18ba69fcc032f2429e40e7bc2518108e53c6ea6eb7d781aeb7f1bb72cd876177d13916a09b840f7a7314ee741680f5ce800158e31d75cdd049e

Download Submit
C:\Windows\{8F0CEB0F-42C8-4df5-B1CF-C022AC5A27F4}.exe

Filesize
88KB

MD5
ac6f489519c14e9b6829c68cf3e2cad0

SHA1
39f156526ec172915457e40eb56d9e73d8eed266

SHA256
4520630212bfa3b48ff21a8ac8e33c4fd071edb424683d20cc1be94cdec4e3c7

SHA512
f1ec0dbc11b8bc2a3b1ec3af9782608c8d81afd9c198f85617fe9fef2056235c223d0d47e5d4c74dd7402c663e3c44682dc34f0620a7b28672a27e1c0d00847a

Download Submit
C:\Windows\{A96D39E2-5665-42d5-931C-EE7A77537CD1}.exe

Filesize
88KB

MD5
a851ce7d02c035245c59c7b309ab3d11

SHA1
c895bb6ad0fabe316f088a53601c6b975a00b4b5

SHA256
bcd4c59ad553806c3a63a9deccbd3de7047aca0760e556c7900c3de3e1770b45

SHA512
7a194dbf9ce73a2d6c32fffe5c9be8e93ee8bca087f54a3a4548cef2f293f6b0474d82879da857e5f0ef8fc2797ee9fbe03e0739323aeed6a8bb31a043531675

Download Submit
C:\Windows\{B14523B2-1221-4a59-A096-CF81D39CE666}.exe

Filesize
88KB

MD5
f7d83f72356ad840a2851ac4fdd53705

SHA1
e85b5e42792484662af403e1290ec12b92a3ae9e

SHA256
e7055d7aa7c085f1341900d30f2a8a4b1f182c9f349a9c736adc911e58b63401

SHA512
034922bb1bcff218ae97e370bb753def3e7bea52c3d62c00f87934d2ed7f596ac2fd86a2de65fd6768f4dfefd324388ad692d38f70b6ee5de0b787eb5c5d8d00

Download Submit
C:\Windows\{B6CEFA3D-8DE8-499d-8FFF-0FA3A0FE727E}.exe

Filesize
88KB

MD5
ebc48555dfd7a7f45c29c88bac14cd57

SHA1
00a9a19061c9bbaa2fa30df79ac1df8b6634ba7a

SHA256
6f5b0e5f1d3ecf254696a4a52f6a0555d5dc576b79407003f0765698f16417d2

SHA512
124018a4616b583794d55ad42d83d6c5e6e5e36e6294d31cec6ce33e78239de45c2708726a862b643b6a717433638ae0b0e516c9dcd6f97b70bcaecfc55710a1

Download Submit
C:\Windows\{BFCCB86E-3A8E-4fb0-885F-0252500F97B2}.exe

Filesize
88KB

MD5
f11f9dd525d6dcb88d4f67ee0453c901

SHA1
141fbd250a78a7eac4be80394fe97676331428cd

SHA256
2ed302d89f541931e4f69917e5a3fc8416d47170f4c0516ffff9d723e35bf663

SHA512
64410a8caebfe9fb1659a94209066024b0556de6b2bd3108407f11a809cbd17bd9e8061671bfa22a3f4a15043ed0a63550bffd8228caa1c5ff3f937182c4e6af

Download Submit
C:\Windows\{E906D421-54E5-4f0f-BE00-42564140EA7D}.exe

Filesize
88KB

MD5
f0d4f01f30345a227e71386c223159d4

SHA1
1b0fe4f7351c206430f77581036442344dcaf022

SHA256
c3dac1586e06e62bb119a68955a17400f570e856936e500360d71438635c5e0f

SHA512
b5af6605ff8ca6f64aeab39aa6ae543c3b078cb4c3274b6658b36b003ab2563a1d7e910e0138a79325db5eb73aee7a7c70b2cfbf63cef4f9ae427468c11e57fb

Download Submit
C:\Windows\{EF5EE31A-9A75-41a3-BCFE-EE4C7F790F17}.exe

Filesize
88KB

MD5
f541ca6cf668b2e043fc39a859fe114b

SHA1
2f64b10124dda05ff00ec568004c8911f650f5df

SHA256
d069a775dd1fba3f2238ee450f44843266dd3665b0edf74cfc50e57664874d16

SHA512
3f22be226285b77aed2001b120201ee656d1f125be4c378562047d39d8847527ef5fca2448ae07c4357e8b5cfb4c429944da8cbf5e221f84381ddc96687d0bf2

Download Submit
memory/448-64-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/448-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1488-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1488-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1508-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1508-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1652-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1652-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3260-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3260-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3368-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3368-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3368-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3816-58-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3816-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3908-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3908-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3908-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4048-66-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4048-71-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4500-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4612-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4612-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4824-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4824-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4856-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads