1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 22:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe
Size

90KB
MD5

1df7ffe2ae542144baeac76d85e0fa90
SHA1

d6c14814ae66f780b8990d1848f4716601553a45
SHA256

1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366
SHA512

160ee69201a43f850e51c96b61f614f4229fc8b50c9bcd7327000f324408c614ba31fe43c962af69ba4a319f2de0dd30f25e197f72b34081f0c8f5007c8fe40d
SSDEEP

768:Qvw9816vhKQLro84/wQRNrfrunMxVFA3b7glws:YEGh0o8l2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{018FA083-47DC-4f5e-82E0-BACB853DAB84}	{9980019D-16FF-47bd-82BE-9174388766EA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE31F4D-2ED8-4120-9DE9-72CED85B6278}\stubpath = "C:\\Windows\\{3EE31F4D-2ED8-4120-9DE9-72CED85B6278}.exe"	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9980019D-16FF-47bd-82BE-9174388766EA}	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9980019D-16FF-47bd-82BE-9174388766EA}\stubpath = "C:\\Windows\\{9980019D-16FF-47bd-82BE-9174388766EA}.exe"	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{018FA083-47DC-4f5e-82E0-BACB853DAB84}\stubpath = "C:\\Windows\\{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe"	{9980019D-16FF-47bd-82BE-9174388766EA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE124D37-8938-4b65-98EA-74500838E601}	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AE124D37-8938-4b65-98EA-74500838E601}\stubpath = "C:\\Windows\\{AE124D37-8938-4b65-98EA-74500838E601}.exe"	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E57684C-672E-4311-BA30-C3E68E208DF4}	{AE124D37-8938-4b65-98EA-74500838E601}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}\stubpath = "C:\\Windows\\{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe"	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D16AE637-B23B-46bf-9C65-BB5991FB2758}	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D16AE637-B23B-46bf-9C65-BB5991FB2758}\stubpath = "C:\\Windows\\{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe"	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}\stubpath = "C:\\Windows\\{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe"	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E57684C-672E-4311-BA30-C3E68E208DF4}\stubpath = "C:\\Windows\\{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe"	{AE124D37-8938-4b65-98EA-74500838E601}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}\stubpath = "C:\\Windows\\{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe"	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3EE31F4D-2ED8-4120-9DE9-72CED85B6278}	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe

Executes dropped EXE 9 IoCs

pid	Process
1376	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe
5024	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe
2760	{9980019D-16FF-47bd-82BE-9174388766EA}.exe
4652	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe
448	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe
3384	{AE124D37-8938-4b65-98EA-74500838E601}.exe
2896	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe
3364	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe
3356	{3EE31F4D-2ED8-4120-9DE9-72CED85B6278}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe
File created	C:\Windows\{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe
File created	C:\Windows\{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe
File created	C:\Windows\{AE124D37-8938-4b65-98EA-74500838E601}.exe	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe
File created	C:\Windows\{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe	{AE124D37-8938-4b65-98EA-74500838E601}.exe
File created	C:\Windows\{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe
File created	C:\Windows\{3EE31F4D-2ED8-4120-9DE9-72CED85B6278}.exe	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe
File created	C:\Windows\{9980019D-16FF-47bd-82BE-9174388766EA}.exe	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe
File created	C:\Windows\{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe	{9980019D-16FF-47bd-82BE-9174388766EA}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3EE31F4D-2ED8-4120-9DE9-72CED85B6278}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9980019D-16FF-47bd-82BE-9174388766EA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AE124D37-8938-4b65-98EA-74500838E601}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4012	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe
Token: SeIncBasePriorityPrivilege	1376	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe
Token: SeIncBasePriorityPrivilege	5024	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe
Token: SeIncBasePriorityPrivilege	2760	{9980019D-16FF-47bd-82BE-9174388766EA}.exe
Token: SeIncBasePriorityPrivilege	4652	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe
Token: SeIncBasePriorityPrivilege	448	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe
Token: SeIncBasePriorityPrivilege	3384	{AE124D37-8938-4b65-98EA-74500838E601}.exe
Token: SeIncBasePriorityPrivilege	2896	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe
Token: SeIncBasePriorityPrivilege	3364	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 4012 wrote to memory of 1376	4012	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe	86
PID 4012 wrote to memory of 1376	4012	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe	86
PID 4012 wrote to memory of 1376	4012	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe	86
PID 4012 wrote to memory of 64	4012	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe	87
PID 4012 wrote to memory of 64	4012	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe	87
PID 4012 wrote to memory of 64	4012	1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe	87
PID 1376 wrote to memory of 5024	1376	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe	91
PID 1376 wrote to memory of 5024	1376	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe	91
PID 1376 wrote to memory of 5024	1376	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe	91
PID 1376 wrote to memory of 1788	1376	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe	92
PID 1376 wrote to memory of 1788	1376	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe	92
PID 1376 wrote to memory of 1788	1376	{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe	92
PID 5024 wrote to memory of 2760	5024	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe	95
PID 5024 wrote to memory of 2760	5024	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe	95
PID 5024 wrote to memory of 2760	5024	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe	95
PID 5024 wrote to memory of 2520	5024	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe	96
PID 5024 wrote to memory of 2520	5024	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe	96
PID 5024 wrote to memory of 2520	5024	{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe	96
PID 2760 wrote to memory of 4652	2760	{9980019D-16FF-47bd-82BE-9174388766EA}.exe	97
PID 2760 wrote to memory of 4652	2760	{9980019D-16FF-47bd-82BE-9174388766EA}.exe	97
PID 2760 wrote to memory of 4652	2760	{9980019D-16FF-47bd-82BE-9174388766EA}.exe	97
PID 2760 wrote to memory of 1360	2760	{9980019D-16FF-47bd-82BE-9174388766EA}.exe	98
PID 2760 wrote to memory of 1360	2760	{9980019D-16FF-47bd-82BE-9174388766EA}.exe	98
PID 2760 wrote to memory of 1360	2760	{9980019D-16FF-47bd-82BE-9174388766EA}.exe	98
PID 4652 wrote to memory of 448	4652	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe	99
PID 4652 wrote to memory of 448	4652	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe	99
PID 4652 wrote to memory of 448	4652	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe	99
PID 4652 wrote to memory of 2140	4652	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe	100
PID 4652 wrote to memory of 2140	4652	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe	100
PID 4652 wrote to memory of 2140	4652	{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe	100
PID 448 wrote to memory of 3384	448	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe	101
PID 448 wrote to memory of 3384	448	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe	101
PID 448 wrote to memory of 3384	448	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe	101
PID 448 wrote to memory of 3104	448	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe	102
PID 448 wrote to memory of 3104	448	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe	102
PID 448 wrote to memory of 3104	448	{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe	102
PID 3384 wrote to memory of 2896	3384	{AE124D37-8938-4b65-98EA-74500838E601}.exe	103
PID 3384 wrote to memory of 2896	3384	{AE124D37-8938-4b65-98EA-74500838E601}.exe	103
PID 3384 wrote to memory of 2896	3384	{AE124D37-8938-4b65-98EA-74500838E601}.exe	103
PID 3384 wrote to memory of 1772	3384	{AE124D37-8938-4b65-98EA-74500838E601}.exe	104
PID 3384 wrote to memory of 1772	3384	{AE124D37-8938-4b65-98EA-74500838E601}.exe	104
PID 3384 wrote to memory of 1772	3384	{AE124D37-8938-4b65-98EA-74500838E601}.exe	104
PID 2896 wrote to memory of 3364	2896	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe	105
PID 2896 wrote to memory of 3364	2896	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe	105
PID 2896 wrote to memory of 3364	2896	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe	105
PID 2896 wrote to memory of 1896	2896	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe	106
PID 2896 wrote to memory of 1896	2896	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe	106
PID 2896 wrote to memory of 1896	2896	{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe	106
PID 3364 wrote to memory of 3356	3364	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe	107
PID 3364 wrote to memory of 3356	3364	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe	107
PID 3364 wrote to memory of 3356	3364	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe	107
PID 3364 wrote to memory of 60	3364	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe	108
PID 3364 wrote to memory of 60	3364	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe	108
PID 3364 wrote to memory of 60	3364	{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe	108

C:\Users\Admin\AppData\Local\Temp\1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe
"C:\Users\Admin\AppData\Local\Temp\1fa3ee19ae94ae6af5e16147c257e5e2e6cdc578d342b349043f99bffa284366N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4012
- C:\Windows\{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe
  C:\Windows\{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe
    C:\Windows\{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\{9980019D-16FF-47bd-82BE-9174388766EA}.exe
      C:\Windows\{9980019D-16FF-47bd-82BE-9174388766EA}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe
        
        C:\Windows\{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
      - C:\Windows\{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe
        
        C:\Windows\{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\{AE124D37-8938-4b65-98EA-74500838E601}.exe
        
        C:\Windows\{AE124D37-8938-4b65-98EA-74500838E601}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe
        
        C:\Windows\{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe
        
        C:\Windows\{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\{3EE31F4D-2ED8-4120-9DE9-72CED85B6278}.exe
        
        C:\Windows\{3EE31F4D-2ED8-4120-9DE9-72CED85B6278}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CA6B~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8E576~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AE124~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3F53~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3104
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{018FA~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2140
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99800~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{D16AE~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DB35B~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1788
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\1FA3EE~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{018FA083-47DC-4f5e-82E0-BACB853DAB84}.exe

Filesize
90KB

MD5
56ba501a2d1a5f165099434a82b9bc7a

SHA1
d3c5dcebd1470b28d8fb889b01803c236d329880

SHA256
c306597f82fbeead15ba3bd7749625880ac799e719e2086cdddc98adb5354497

SHA512
3f6f6acda2e433acf5f214d274cc1c245a8b92d3f85870db8966e637342dc94d8dd9bf85fba8e6d0004f5e0eeab1a4387eb30905d61f274a3a45126625630942

Download Submit
C:\Windows\{3EE31F4D-2ED8-4120-9DE9-72CED85B6278}.exe

Filesize
90KB

MD5
24aa1dcb0ada3b86da08ac449c5048cd

SHA1
44be02b6117c6e688a4dc5d9c4124d13ab6aac7e

SHA256
e59557e25afa95831d3cd7e3eace506939b4c99fd5735b2915d586b0db173851

SHA512
97059d8da9fa17e049a5b856cb9c723d59426929eb6048ab98cdd8b2b4a40d8d3c8e8c1ae51eb4549057fd4b7b34f949851770681ab48aa76f430dd6a319758b

Download Submit
C:\Windows\{5CA6BAD5-E3C3-4865-B8AB-C6DE9EADEB34}.exe

Filesize
90KB

MD5
9e8d00c6a644ab93434029299f6e6dd6

SHA1
e89b9da49fe36275b77e9e941e5614616835b0ff

SHA256
0bf28e861c1b277e674f1b708ef96f1ab2b338f25985e735f4a6a1abd7aec591

SHA512
414bc70e7cbf035596660213c49e3f46e8fe3645865a1d45270ccfb71e7928f5ba1a04652c72e1d549d1ccb9c6cfc86858868f22d58c06f5c1cd64ad21d2bd71

Download Submit
C:\Windows\{8E57684C-672E-4311-BA30-C3E68E208DF4}.exe

Filesize
90KB

MD5
2f4fd86ca327d1597e2168ed33e212fb

SHA1
4ef9666b30a9bf6e2d0866af4709a733600312cc

SHA256
11a6d08d1c23074b905a796d80b17095b0edf35dda3c08fd0f68cbe463d9bb4b

SHA512
a4695571a31a2dc3dc6a1b7dec6956474d0d60b77fe9dd327602c1b7a7e2a09f32ba43b599c6a4594fdb7c7bededf60392ac23eef52e747f0fba6162870f63e9

Download Submit
C:\Windows\{9980019D-16FF-47bd-82BE-9174388766EA}.exe

Filesize
90KB

MD5
ddd449b9b5c581a8cdad9959e8db8cd2

SHA1
27a82928e17d0cbc6f4201e1e09e2c605686f573

SHA256
4e8087dc9a649dd7e8c2394a0236e9bce61700cce7d3744040f14e7b5479afe3

SHA512
08e84454d0926e8123d544bfcfaa35c955e3feec2969381ca8d9a09df88063c268f5e3f4710db92e72d39d8cad40832a6f8101a111aebc1dfd00ec9a6e2ab439

Download Submit
C:\Windows\{AE124D37-8938-4b65-98EA-74500838E601}.exe

Filesize
90KB

MD5
1861278f4be62beaa25fc7bedb758f86

SHA1
96a3e005ebee3dfdfc5f62d688edc2ab894f8e50

SHA256
f47271253584c1bda1caa1a45acadf6b137e07b7ddb24540e23d1a32f3f5fa92

SHA512
5d6b87585030753ae1064c00fda6b957b243ea75732fa5b33b5f1164cc9cbf4f5daec7f9b2d074d24ee59697790cc575cf05ef839930e94949ab22a1c0ebe9e9

Download Submit
C:\Windows\{C3F5334E-21BD-4e4c-B050-2A62D7B5F244}.exe

Filesize
90KB

MD5
ccf0f9a3f7db9d7947ee92e882462f86

SHA1
432e75aca307d17e12d0bd470b2e886360e13ffd

SHA256
d1b4b6238460e5b3c1d78d436e89f9c411a9871e58c7570e1a540257f418d6a6

SHA512
ea9496f3f2e3993a440398e355b070538d95ab2fff6c0abc9c07ffe338248bd304db915448a0682e2b4fc2481d4c2e90d7f8778aba21898cc1bb420f9eaea617

Download Submit
C:\Windows\{D16AE637-B23B-46bf-9C65-BB5991FB2758}.exe

Filesize
90KB

MD5
a59b4c255a2e4c913f2c256d0b6566fc

SHA1
663e418bd20bf0343d0166bd2a0e64ae7398e9fc

SHA256
0b3885fb260aa589ba7201474889c44b36343798ee0b81599ec1d45e84fc6227

SHA512
7b9b09b0698bbefe5d7f9954c518e727bd9fece3a4475dfd6795d7260cea3fd9f4e4331ab5ff5c63ecb3811da0793ee41ebfcd170eb1889afc2a29afde4e1b26

Download Submit
C:\Windows\{DB35B522-796F-4ad7-BCEC-7E65DBF5CEFB}.exe

Filesize
90KB

MD5
01c9308668e2d3a8cc00098d2ef62454

SHA1
7c1c4d9134e5f568f078664dac331ae3f807ef1f

SHA256
c08fba59776afa7a069153b52249cf074ff166446d79c9fe73246f4f7201b223

SHA512
48273aa9ed562e47ca19dade29a0dc8d89fc3ac7e2b80057dab6389cd0b36421c851ba2e3ad854651cfcee984420d2d294642fb773cf9169b25b348703d00999

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads