8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 21:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe
Size

89KB
MD5

0d4682de41cf510e58b094be2decd860
SHA1

5d77d8cc0a3ddfeb5835e6a37c2154666121730a
SHA256

8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7
SHA512

64f0b82658e5770e4324e283ea09a3d9fa900ec5c7358f981629b6b7ac987df252413ab5e69f577733053d1f789af9c9b617d089987babe3a1460861fde48e09
SSDEEP

768:Qvw9816vhKQLrot4/wQRNrfrunMxVFA3b7glL:YEGh0otl2unMxVS3Hg9

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934066ED-1057-4f5d-8E57-5438303206D2}\stubpath = "C:\\Windows\\{934066ED-1057-4f5d-8E57-5438303206D2}.exe"	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A331556A-F82E-4efc-A39F-1690837857DB}\stubpath = "C:\\Windows\\{A331556A-F82E-4efc-A39F-1690837857DB}.exe"	{934066ED-1057-4f5d-8E57-5438303206D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}\stubpath = "C:\\Windows\\{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe"	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}\stubpath = "C:\\Windows\\{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe"	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}\stubpath = "C:\\Windows\\{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe"	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{934066ED-1057-4f5d-8E57-5438303206D2}	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8582C39F-839E-4bc3-B12A-72A566E46AC1}	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8582C39F-839E-4bc3-B12A-72A566E46AC1}\stubpath = "C:\\Windows\\{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe"	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}\stubpath = "C:\\Windows\\{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe"	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}\stubpath = "C:\\Windows\\{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe"	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A331556A-F82E-4efc-A39F-1690837857DB}	{934066ED-1057-4f5d-8E57-5438303206D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}\stubpath = "C:\\Windows\\{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe"	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe

Executes dropped EXE 9 IoCs

pid	Process
3040	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe
2060	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe
2268	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe
2920	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe
3420	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe
1456	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe
1032	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe
4604	{934066ED-1057-4f5d-8E57-5438303206D2}.exe
916	{A331556A-F82E-4efc-A39F-1690837857DB}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe
File created	C:\Windows\{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe
File created	C:\Windows\{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe
File created	C:\Windows\{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe
File created	C:\Windows\{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe
File created	C:\Windows\{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe
File created	C:\Windows\{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe
File created	C:\Windows\{934066ED-1057-4f5d-8E57-5438303206D2}.exe	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe
File created	C:\Windows\{A331556A-F82E-4efc-A39F-1690837857DB}.exe	{934066ED-1057-4f5d-8E57-5438303206D2}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{934066ED-1057-4f5d-8E57-5438303206D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A331556A-F82E-4efc-A39F-1690837857DB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2952	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe
Token: SeIncBasePriorityPrivilege	3040	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe
Token: SeIncBasePriorityPrivilege	2060	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe
Token: SeIncBasePriorityPrivilege	2268	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe
Token: SeIncBasePriorityPrivilege	2920	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe
Token: SeIncBasePriorityPrivilege	3420	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe
Token: SeIncBasePriorityPrivilege	1456	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe
Token: SeIncBasePriorityPrivilege	1032	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe
Token: SeIncBasePriorityPrivilege	4604	{934066ED-1057-4f5d-8E57-5438303206D2}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 3040	2952	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe	82
PID 2952 wrote to memory of 3040	2952	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe	82
PID 2952 wrote to memory of 3040	2952	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe	82
PID 2952 wrote to memory of 988	2952	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe	83
PID 2952 wrote to memory of 988	2952	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe	83
PID 2952 wrote to memory of 988	2952	8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe	83
PID 3040 wrote to memory of 2060	3040	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe	88
PID 3040 wrote to memory of 2060	3040	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe	88
PID 3040 wrote to memory of 2060	3040	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe	88
PID 3040 wrote to memory of 4292	3040	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe	89
PID 3040 wrote to memory of 4292	3040	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe	89
PID 3040 wrote to memory of 4292	3040	{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe	89
PID 2060 wrote to memory of 2268	2060	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe	95
PID 2060 wrote to memory of 2268	2060	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe	95
PID 2060 wrote to memory of 2268	2060	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe	95
PID 2060 wrote to memory of 2232	2060	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe	96
PID 2060 wrote to memory of 2232	2060	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe	96
PID 2060 wrote to memory of 2232	2060	{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe	96
PID 2268 wrote to memory of 2920	2268	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe	97
PID 2268 wrote to memory of 2920	2268	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe	97
PID 2268 wrote to memory of 2920	2268	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe	97
PID 2268 wrote to memory of 2828	2268	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe	98
PID 2268 wrote to memory of 2828	2268	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe	98
PID 2268 wrote to memory of 2828	2268	{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe	98
PID 2920 wrote to memory of 3420	2920	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe	99
PID 2920 wrote to memory of 3420	2920	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe	99
PID 2920 wrote to memory of 3420	2920	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe	99
PID 2920 wrote to memory of 3324	2920	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe	100
PID 2920 wrote to memory of 3324	2920	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe	100
PID 2920 wrote to memory of 3324	2920	{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe	100
PID 3420 wrote to memory of 1456	3420	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe	101
PID 3420 wrote to memory of 1456	3420	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe	101
PID 3420 wrote to memory of 1456	3420	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe	101
PID 3420 wrote to memory of 2948	3420	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe	102
PID 3420 wrote to memory of 2948	3420	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe	102
PID 3420 wrote to memory of 2948	3420	{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe	102
PID 1456 wrote to memory of 1032	1456	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe	103
PID 1456 wrote to memory of 1032	1456	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe	103
PID 1456 wrote to memory of 1032	1456	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe	103
PID 1456 wrote to memory of 4628	1456	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe	104
PID 1456 wrote to memory of 4628	1456	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe	104
PID 1456 wrote to memory of 4628	1456	{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe	104
PID 1032 wrote to memory of 4604	1032	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe	105
PID 1032 wrote to memory of 4604	1032	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe	105
PID 1032 wrote to memory of 4604	1032	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe	105
PID 1032 wrote to memory of 608	1032	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe	106
PID 1032 wrote to memory of 608	1032	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe	106
PID 1032 wrote to memory of 608	1032	{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe	106
PID 4604 wrote to memory of 916	4604	{934066ED-1057-4f5d-8E57-5438303206D2}.exe	107
PID 4604 wrote to memory of 916	4604	{934066ED-1057-4f5d-8E57-5438303206D2}.exe	107
PID 4604 wrote to memory of 916	4604	{934066ED-1057-4f5d-8E57-5438303206D2}.exe	107
PID 4604 wrote to memory of 4436	4604	{934066ED-1057-4f5d-8E57-5438303206D2}.exe	108
PID 4604 wrote to memory of 4436	4604	{934066ED-1057-4f5d-8E57-5438303206D2}.exe	108
PID 4604 wrote to memory of 4436	4604	{934066ED-1057-4f5d-8E57-5438303206D2}.exe	108

C:\Users\Admin\AppData\Local\Temp\8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe
"C:\Users\Admin\AppData\Local\Temp\8c31df4aa571921a298c7021fa366d19a6603e3cacd692250ea552ce0050e7f7N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe
  C:\Windows\{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe
    C:\Windows\{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Windows\{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe
      C:\Windows\{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe
        
        C:\Windows\{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
      - C:\Windows\{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe
        
        C:\Windows\{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe
        
        C:\Windows\{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1456
        
        C:\Windows\{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe
        
        C:\Windows\{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Windows\{934066ED-1057-4f5d-8E57-5438303206D2}.exe
        
        C:\Windows\{934066ED-1057-4f5d-8E57-5438303206D2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\{A331556A-F82E-4efc-A39F-1690837857DB}.exe
        
        C:\Windows\{A331556A-F82E-4efc-A39F-1690837857DB}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{93406~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D5D4E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:608
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F28D5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4628
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44C27~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2948
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8582C~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3324
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D1B4~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A9BB4~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9A090~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4292
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8C31DF~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{44C27BFA-FA6E-4825-8095-2C6BFC7CD03E}.exe

Filesize
89KB

MD5
8780d37063d9e410aee00f6cad800182

SHA1
4a4f20044221906fd0938b2513a38e5bb3e7811a

SHA256
7fc2c95dbf91e1e884f79d2ce0c1f1bbb34a182dd068d998f8209d6d4f5bdf7e

SHA512
e76acc8e9a6da84a3a0daed394572e3e9f30f3018be3faa0d7173696f483aeb15b3562595cdee420629d6a68fa5361c0731231013edf9466cce537999af403d6

Download Submit
C:\Windows\{7D1B4F8B-4D88-4a9f-A926-9D0D4D582D3D}.exe

Filesize
89KB

MD5
e1ef1ef9dde90ed62c6f988595f49e84

SHA1
6b0e34f84a76df5c878678b84b1021205ceb33f2

SHA256
f2d6308a435b5ab21060d891d9f3492bf25ce9da2686d2bd20bbcc5ddaf3775f

SHA512
dc7b4ebae288ede37613d57a693d8b5067a34dc047ca26a80b67f6d8d3f8e88b3e3a4eb695aa071a059d0fa937caa50b090109573db4fbbeef0cc33ad91c4973

Download Submit
C:\Windows\{8582C39F-839E-4bc3-B12A-72A566E46AC1}.exe

Filesize
89KB

MD5
6a108ab56973339e628ac80c6f324304

SHA1
d389b047c3eddf0724512054e81f0a92cb754584

SHA256
906e82f6175e5505487401305552c63782c0f3b51ec44e890dfe1fa023f88c1b

SHA512
6d44fef924048e7434db639984b1b24bf8666792a14ea2730bd797e6fb574c765c4fdfe378c313760abcb9e21f3b6c2654502ea8ee361599e27d6d8dd55c0921

Download Submit
C:\Windows\{934066ED-1057-4f5d-8E57-5438303206D2}.exe

Filesize
89KB

MD5
6faefee96b187c9486e93b89cd015485

SHA1
eefb15d7bf0396edfff4ccdaa95534364f90d415

SHA256
08c4cb1a6d1824290971758352cfbb809c22c91c2a980d3c3853f12291ea86df

SHA512
61d6005d4d5fba14d8142a156ed1c91a82cf0a38e310baa09956e11309340513a712a5497b1a11e3cbc8fa8b992037b60eb6395bbfbf7cb0f81ccdce2e080d5a

Download Submit
C:\Windows\{9A090DFA-90E4-4433-9F7E-AEEAC5B13B80}.exe

Filesize
89KB

MD5
c25401d25f472a5a9973e46cf68305ae

SHA1
c8bf43e68564008efccbb8eb005829cb3b08ae17

SHA256
0375d4e2a57325d670719a015909404e9d474de099ecb16e157257bc808bbb95

SHA512
b16539f32107fc06e245e76e8462e6fddbe38be91fad1b61aabee7df7e77bd56037bd54ec9190404dc117129231e4c23f1107fccc576abc401ead1e077fe4c63

Download Submit
C:\Windows\{A331556A-F82E-4efc-A39F-1690837857DB}.exe

Filesize
89KB

MD5
16396f749f9fe9154ff907a123575c3d

SHA1
1cfd6fa258699cdb44b6bd771d28a6b8fd0b6d19

SHA256
d0d37057406fd38b07e45e851a1b563d51cd3f095e23e747c093ad23b04da0f1

SHA512
7f1b646c0aa2451d4765b4307de80e42a5d9838108a0869ab4184e21a1080b928d8aee31538092e434bbbf3813315ffb2f5d78ccce9dea75ca2ad52ed7325be4

Download Submit
C:\Windows\{A9BB4B45-6E46-4d66-9AA8-56C25D488AEA}.exe

Filesize
89KB

MD5
b3191cb16c74a4494e759b3ebe257a25

SHA1
c07f5a4ff1771b80e6d30b7a6aa71852f953c41f

SHA256
4b44c4d86a2cb75fc60527cc7c7343de404115548879b0a34ca28feb67c3909d

SHA512
3acc2b76462840545039e2ec2c4e773742fe9e485a41f440a9ea7be73978cae82268976703664bcf0c3e412ed1274f191bebaef85f0cb46d3b3f720e5e4b63d9

Download Submit
C:\Windows\{D5D4EDB4-B3F7-4852-BCC2-C3418AA35CFF}.exe

Filesize
89KB

MD5
02f00cbd043148ad220f85fbce72b1d1

SHA1
69689ae570ba20c2fcf56e731461d12041db42f0

SHA256
752c3a40d88bbd053258c88f768c8cf7d22dcd3440456d35f574ff4251fc2793

SHA512
9c1892ea7ffe1353b671c8b01b18447da17e0e3a1a5f38a297c6ea025b1791ff311c05fbcf79028834af677abfbe090c9408e781408aa5a046211201496b4bad

Download Submit
C:\Windows\{F28D5C11-8ECA-4325-826B-5EDBDBE28D40}.exe

Filesize
89KB

MD5
d4a05de240aea5fc32ff17dcf64d122f

SHA1
53a8332605033a744060f149f2333fa16cb0dc93

SHA256
6a601751d099e974ff3bd0ad05d7dc45ee61b2bd087ab9437e164abf7cbfcca4

SHA512
4b598f146e5f59005e0955b0dc3e8a93fcd2f07ae7fe1c595622e14f01a38c9a23d183094b7d4c51501481e51cb1aa219aefd7e6fbddd54899fe8d9829303f66

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads