f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7f

Analysis

max time kernel
118s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/10/2024, 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
Size

89KB
MD5

4f8a2d0d1f7241bc9c67b92bddac5f10
SHA1

28c18cdbc5aa0946c0b84d238cdb3065aca5eb28
SHA256

f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7f
SHA512

7e83e55e97225864eef37a727259f6f24456449af51828e2605a60365b7a71c7bc311d7849c66994bb644a4e10ce21ae910c2bc3ac55bafdc9f166f976132c6f
SSDEEP

768:5vw9816thKQLroZ4/wQkNrfrunMxVFA3k:lEG/0oZlbunMxVS3k

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}\stubpath = "C:\\Windows\\{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe"	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45B142BF-C078-4ba5-B214-D33097213773}	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA1C6581-3557-4673-BD04-A4ABC5AC6359}\stubpath = "C:\\Windows\\{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe"	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B20C65D-6824-46f1-9D42-9B9A87D3EA62}	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}\stubpath = "C:\\Windows\\{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe"	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DFF2923-675A-4df7-9E78-997A08879B95}	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{45B142BF-C078-4ba5-B214-D33097213773}\stubpath = "C:\\Windows\\{45B142BF-C078-4ba5-B214-D33097213773}.exe"	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4DFF2923-675A-4df7-9E78-997A08879B95}\stubpath = "C:\\Windows\\{4DFF2923-675A-4df7-9E78-997A08879B95}.exe"	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}\stubpath = "C:\\Windows\\{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe"	{45B142BF-C078-4ba5-B214-D33097213773}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}\stubpath = "C:\\Windows\\{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe"	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0B20C65D-6824-46f1-9D42-9B9A87D3EA62}\stubpath = "C:\\Windows\\{0B20C65D-6824-46f1-9D42-9B9A87D3EA62}.exe"	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{276DE89A-373E-4a2a-9799-EADFFA793A09}	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{276DE89A-373E-4a2a-9799-EADFFA793A09}\stubpath = "C:\\Windows\\{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe"	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}	{45B142BF-C078-4ba5-B214-D33097213773}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DA1C6581-3557-4673-BD04-A4ABC5AC6359}	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe

Executes dropped EXE 9 IoCs

pid	Process
4788	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe
4212	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe
3968	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe
1324	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe
1996	{45B142BF-C078-4ba5-B214-D33097213773}.exe
1488	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe
2016	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe
3832	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe
2536	{0B20C65D-6824-46f1-9D42-9B9A87D3EA62}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
File created	C:\Windows\{0B20C65D-6824-46f1-9D42-9B9A87D3EA62}.exe	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe
File created	C:\Windows\{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe
File created	C:\Windows\{4DFF2923-675A-4df7-9E78-997A08879B95}.exe	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe
File created	C:\Windows\{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe
File created	C:\Windows\{45B142BF-C078-4ba5-B214-D33097213773}.exe	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe
File created	C:\Windows\{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe	{45B142BF-C078-4ba5-B214-D33097213773}.exe
File created	C:\Windows\{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe
File created	C:\Windows\{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0B20C65D-6824-46f1-9D42-9B9A87D3EA62}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{45B142BF-C078-4ba5-B214-D33097213773}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1300	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
Token: SeIncBasePriorityPrivilege	4788	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe
Token: SeIncBasePriorityPrivilege	4212	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe
Token: SeIncBasePriorityPrivilege	3968	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe
Token: SeIncBasePriorityPrivilege	1324	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe
Token: SeIncBasePriorityPrivilege	1996	{45B142BF-C078-4ba5-B214-D33097213773}.exe
Token: SeIncBasePriorityPrivilege	1488	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe
Token: SeIncBasePriorityPrivilege	2016	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe
Token: SeIncBasePriorityPrivilege	3832	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1300 wrote to memory of 4788	1300	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	82
PID 1300 wrote to memory of 4788	1300	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	82
PID 1300 wrote to memory of 4788	1300	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	82
PID 1300 wrote to memory of 5060	1300	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	83
PID 1300 wrote to memory of 5060	1300	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	83
PID 1300 wrote to memory of 5060	1300	f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe	83
PID 4788 wrote to memory of 4212	4788	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe	91
PID 4788 wrote to memory of 4212	4788	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe	91
PID 4788 wrote to memory of 4212	4788	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe	91
PID 4788 wrote to memory of 4556	4788	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe	92
PID 4788 wrote to memory of 4556	4788	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe	92
PID 4788 wrote to memory of 4556	4788	{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe	92
PID 4212 wrote to memory of 3968	4212	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe	95
PID 4212 wrote to memory of 3968	4212	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe	95
PID 4212 wrote to memory of 3968	4212	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe	95
PID 4212 wrote to memory of 732	4212	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe	96
PID 4212 wrote to memory of 732	4212	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe	96
PID 4212 wrote to memory of 732	4212	{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe	96
PID 3968 wrote to memory of 1324	3968	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe	97
PID 3968 wrote to memory of 1324	3968	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe	97
PID 3968 wrote to memory of 1324	3968	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe	97
PID 3968 wrote to memory of 4680	3968	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe	98
PID 3968 wrote to memory of 4680	3968	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe	98
PID 3968 wrote to memory of 4680	3968	{4DFF2923-675A-4df7-9E78-997A08879B95}.exe	98
PID 1324 wrote to memory of 1996	1324	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe	99
PID 1324 wrote to memory of 1996	1324	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe	99
PID 1324 wrote to memory of 1996	1324	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe	99
PID 1324 wrote to memory of 4988	1324	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe	100
PID 1324 wrote to memory of 4988	1324	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe	100
PID 1324 wrote to memory of 4988	1324	{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe	100
PID 1996 wrote to memory of 1488	1996	{45B142BF-C078-4ba5-B214-D33097213773}.exe	101
PID 1996 wrote to memory of 1488	1996	{45B142BF-C078-4ba5-B214-D33097213773}.exe	101
PID 1996 wrote to memory of 1488	1996	{45B142BF-C078-4ba5-B214-D33097213773}.exe	101
PID 1996 wrote to memory of 4228	1996	{45B142BF-C078-4ba5-B214-D33097213773}.exe	102
PID 1996 wrote to memory of 4228	1996	{45B142BF-C078-4ba5-B214-D33097213773}.exe	102
PID 1996 wrote to memory of 4228	1996	{45B142BF-C078-4ba5-B214-D33097213773}.exe	102
PID 1488 wrote to memory of 2016	1488	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe	103
PID 1488 wrote to memory of 2016	1488	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe	103
PID 1488 wrote to memory of 2016	1488	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe	103
PID 1488 wrote to memory of 4552	1488	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe	104
PID 1488 wrote to memory of 4552	1488	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe	104
PID 1488 wrote to memory of 4552	1488	{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe	104
PID 2016 wrote to memory of 3832	2016	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe	105
PID 2016 wrote to memory of 3832	2016	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe	105
PID 2016 wrote to memory of 3832	2016	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe	105
PID 2016 wrote to memory of 3692	2016	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe	106
PID 2016 wrote to memory of 3692	2016	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe	106
PID 2016 wrote to memory of 3692	2016	{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe	106
PID 3832 wrote to memory of 2536	3832	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe	107
PID 3832 wrote to memory of 2536	3832	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe	107
PID 3832 wrote to memory of 2536	3832	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe	107
PID 3832 wrote to memory of 1216	3832	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe	108
PID 3832 wrote to memory of 1216	3832	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe	108
PID 3832 wrote to memory of 1216	3832	{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe	108

C:\Users\Admin\AppData\Local\Temp\f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe
"C:\Users\Admin\AppData\Local\Temp\f0bbf5b2b3dca0869cb8e726e44a122d868ab305b078ab10c0695b0cf14fff7fN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe
  C:\Windows\{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Windows\{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe
    C:\Windows\{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\{4DFF2923-675A-4df7-9E78-997A08879B95}.exe
      C:\Windows\{4DFF2923-675A-4df7-9E78-997A08879B95}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe
        
        C:\Windows\{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\{45B142BF-C078-4ba5-B214-D33097213773}.exe
        
        C:\Windows\{45B142BF-C078-4ba5-B214-D33097213773}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe
        
        C:\Windows\{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe
        
        C:\Windows\{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe
        
        C:\Windows\{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3832
        
        C:\Windows\{0B20C65D-6824-46f1-9D42-9B9A87D3EA62}.exe
        
        C:\Windows\{0B20C65D-6824-46f1-9D42-9B9A87D3EA62}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AE8F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1216
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DA1C6~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1AB62~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{45B14~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C39FE~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4988
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4DFF2~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{276DE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:732
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B2CA4~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F0BBF5~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0B20C65D-6824-46f1-9D42-9B9A87D3EA62}.exe

Filesize
89KB

MD5
1c0a875728851bd7b1b0b63e935271ce

SHA1
ba68cd4bf64faca99c09b60dbaf27b31a4a31df0

SHA256
1c874c9c601b2341a8f8d16f8c98a4c7b3021d7d4383bccb6acc3c6270ed8ac3

SHA512
4b8a19e03d8aadd9f515370ade4d0cb9899a625fbf0b7a2a101c960e71bbcdfee243b6b1c7fce5e12f663aac7c6c3bd6de1b73e4c8815ba31ac6906316eb6d00

Download Submit
C:\Windows\{1AB62F8F-9750-4c66-88D9-1481D4E04BB2}.exe

Filesize
89KB

MD5
47e2390ac00d6b004ca4d8a629ff06dc

SHA1
50bbfdcecd0de763e3d4e9f2b2b049bfcfd04f08

SHA256
68fbcabfb60c855e1bc53bc1cb98587180333ef3b45270281916ef39613dd9ff

SHA512
b6857178c812a889cf8185b84d0864d60b82fa035995bafa3ae066431b94976cdae6a6d69dc9199f6279165ff4c1d5c38595e5193dc333cfdb133bdf8eb1a44e

Download Submit
C:\Windows\{276DE89A-373E-4a2a-9799-EADFFA793A09}.exe

Filesize
89KB

MD5
2b6b0ffd9eca7268e0612263e210f05b

SHA1
929bfeab7d4f8d9ca2e7961752c2fcf9c9846ca6

SHA256
c944809a5fc10199a733f0d8ab8a04e313d80f95153dbbbcc40a70f2481f1b5a

SHA512
6c7401f5dfec62ad2ffa8462776feb85da32ca65f9c2384b123b54b2d697783e55f4d3b9def9be8168c4903ba8fe0333f4447c8a086eb6590a446c90c70e9394

Download Submit
C:\Windows\{45B142BF-C078-4ba5-B214-D33097213773}.exe

Filesize
89KB

MD5
e33eba97b85ba6daa68fe44d40604d13

SHA1
5d63853121e129de5c45618d0030497dc4b02722

SHA256
37a9d1cd116697dbf9a8bc1efddf3eb2fe8afa1438c9b53fb6dba01b92c97e6e

SHA512
46cc43926976408a7f1eebfe3d4feb871dd9371a086e30ec0d4bc7d0bd0a1485151b651ae3efc4a9fb8f10b380602142e9fb3e5b070575c028a352ebe57bb2c7

Download Submit
C:\Windows\{4AE8F518-7656-4bb3-9D68-827D3A8EBCF1}.exe

Filesize
89KB

MD5
e9fc588b61ad16fbbdfe83f8e934e376

SHA1
edcd7de52cc39fb7740c140ed437e7fdbb796a3e

SHA256
c435c039995480fc2efb8cd567a86c18c92c63df969ec7de1925a2c8d9a69fa5

SHA512
80221d9fb03b27ad21991ba9b2f0e7f654fbeabb58f731adc01dfa65dadd85dd6ff5add816d9b95aef3ec838e05e1a7317e72307c168db3ca065326671e00537

Download Submit
C:\Windows\{4DFF2923-675A-4df7-9E78-997A08879B95}.exe

Filesize
89KB

MD5
3d34abccfbbda754e4109d86660bafde

SHA1
6224370ad7c82113d59145ae76624f1fa36158e1

SHA256
e3f99d0de29dabf44632690b6f730d074f6dac6ca0e98f08c1ae4c2d978ea328

SHA512
d5735602583f523b906bbcb43e472de29b1fc2493a8586b815d5d423d407079206c88a5eaaac50d4cec6754a3ff7447e0c5af92d0a6c386eb077fbed285143f7

Download Submit
C:\Windows\{B2CA4F67-B49B-47a7-8A7D-6E5F1DA11743}.exe

Filesize
89KB

MD5
9b9f85139db1f0d1390f13836cbfda07

SHA1
8da07a708fe01b1dacbd95a74f8bec9bef64d71b

SHA256
8a48eefab60ca7b6a0d8c72ce5203d3dd59d012ffd1c530011202d2d1fb62ae6

SHA512
0fd501c75717ab400ec7d3d3c91bdf274154d8c33a47efd8865916c7eff77df3c3f7f0442723405c38e617b3b44ab9ba75cecbe02f1f5633d2acdc1b873a1b76

Download Submit
C:\Windows\{C39FEBC6-793C-4172-B6B0-EBF0C3A37D86}.exe

Filesize
89KB

MD5
cc0da466839273b60a68b55502c967bf

SHA1
049a80b28cee9b33f37cd55972f22a056bd16028

SHA256
63a4dd8a5061e90136ab7aafa0632e493b6a6be7e820c1386acfbc017a2cee17

SHA512
1ad0d7ca1b874eb9062d30d9b4a5da7d87985d4f8f06b16c697c5670a6dc609002f82d68306a51ababb6d03e44d6fd6aabb7f7b45c4cd51fac0516ce658e0552

Download Submit
C:\Windows\{DA1C6581-3557-4673-BD04-A4ABC5AC6359}.exe

Filesize
89KB

MD5
fcdae3066790262fa18b672d4fcac722

SHA1
958502eeb69d34b23538fe0b1209622cc572ec4c

SHA256
cc12925ab36d075bc3b552e8366e7fc2d4c1112e2a2961ec5b751677e383199b

SHA512
2b7522f23fb1c1dc8fd535e9a687db18e13529cc5495e9b2d3c3989945a4c8f2912e719f0bbdfa9285ad14f8d33c313e13a11a3216705e2dcaef86574d117800

Download Submit
memory/1300-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1300-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1300-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1324-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1324-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1488-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1488-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1996-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1996-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2016-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2016-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3832-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3832-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3968-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3968-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4212-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4212-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4788-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4788-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4788-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads