f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45a

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 03:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe
Size

88KB
MD5

4acf39369353677aee7f130b17984fe0
SHA1

8211dc0c965bf24466988ca3f0a868c45d9c825d
SHA256

f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45a
SHA512

3984eaddb53c12a305be765701573ee8798b49befa2a8b3d3cc910b5535fadd0149479ba48fed12df73397697a2073bd22eced7bd63909bc8eb209d09b9fab0f
SSDEEP

768:5vw9816thKQLrow4/wQUNrfrunMxVFA3d:lEG/0owlrunMxVS3d

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CB39E69-2982-4604-A2FE-D5591F2046B9}	{B20D3922-915D-402f-B535-301E66D7DA49}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5CB39E69-2982-4604-A2FE-D5591F2046B9}\stubpath = "C:\\Windows\\{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe"	{B20D3922-915D-402f-B535-301E66D7DA49}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75B79D73-85FC-4008-B1BA-03EBC735E06B}	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}\stubpath = "C:\\Windows\\{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe"	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF6939E6-BE90-439e-8D3D-810C85343C87}	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D750A9F3-E136-43f8-ACD1-F724B34149FF}	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F39ACBB0-F25E-4a81-B60B-551212D7E343}\stubpath = "C:\\Windows\\{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe"	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3D7E31E-8CF8-4e79-AD90-D7A46881FA23}\stubpath = "C:\\Windows\\{F3D7E31E-8CF8-4e79-AD90-D7A46881FA23}.exe"	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{CF6939E6-BE90-439e-8D3D-810C85343C87}\stubpath = "C:\\Windows\\{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe"	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F39ACBB0-F25E-4a81-B60B-551212D7E343}	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A534F764-14CA-43c7-B0A9-DB13F151C584}	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20D3922-915D-402f-B535-301E66D7DA49}	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{75B79D73-85FC-4008-B1BA-03EBC735E06B}\stubpath = "C:\\Windows\\{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe"	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F3D7E31E-8CF8-4e79-AD90-D7A46881FA23}	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A534F764-14CA-43c7-B0A9-DB13F151C584}\stubpath = "C:\\Windows\\{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe"	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D750A9F3-E136-43f8-ACD1-F724B34149FF}\stubpath = "C:\\Windows\\{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe"	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B20D3922-915D-402f-B535-301E66D7DA49}\stubpath = "C:\\Windows\\{B20D3922-915D-402f-B535-301E66D7DA49}.exe"	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe

Executes dropped EXE 9 IoCs

pid	Process
1300	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe
4040	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe
3896	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe
3768	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe
1812	{B20D3922-915D-402f-B535-301E66D7DA49}.exe
4352	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe
1184	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe
1984	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe
1144	{F3D7E31E-8CF8-4e79-AD90-D7A46881FA23}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe
File created	C:\Windows\{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe
File created	C:\Windows\{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe
File created	C:\Windows\{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe
File created	C:\Windows\{B20D3922-915D-402f-B535-301E66D7DA49}.exe	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe
File created	C:\Windows\{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe	{B20D3922-915D-402f-B535-301E66D7DA49}.exe
File created	C:\Windows\{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe
File created	C:\Windows\{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe
File created	C:\Windows\{F3D7E31E-8CF8-4e79-AD90-D7A46881FA23}.exe	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F3D7E31E-8CF8-4e79-AD90-D7A46881FA23}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B20D3922-915D-402f-B535-301E66D7DA49}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	524	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe
Token: SeIncBasePriorityPrivilege	1300	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe
Token: SeIncBasePriorityPrivilege	4040	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe
Token: SeIncBasePriorityPrivilege	3896	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe
Token: SeIncBasePriorityPrivilege	3768	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe
Token: SeIncBasePriorityPrivilege	1812	{B20D3922-915D-402f-B535-301E66D7DA49}.exe
Token: SeIncBasePriorityPrivilege	4352	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe
Token: SeIncBasePriorityPrivilege	1184	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe
Token: SeIncBasePriorityPrivilege	1984	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 524 wrote to memory of 1300	524	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe	82
PID 524 wrote to memory of 1300	524	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe	82
PID 524 wrote to memory of 1300	524	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe	82
PID 524 wrote to memory of 1692	524	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe	83
PID 524 wrote to memory of 1692	524	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe	83
PID 524 wrote to memory of 1692	524	f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe	83
PID 1300 wrote to memory of 4040	1300	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe	91
PID 1300 wrote to memory of 4040	1300	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe	91
PID 1300 wrote to memory of 4040	1300	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe	91
PID 1300 wrote to memory of 2224	1300	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe	92
PID 1300 wrote to memory of 2224	1300	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe	92
PID 1300 wrote to memory of 2224	1300	{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe	92
PID 4040 wrote to memory of 3896	4040	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe	95
PID 4040 wrote to memory of 3896	4040	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe	95
PID 4040 wrote to memory of 3896	4040	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe	95
PID 4040 wrote to memory of 5108	4040	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe	96
PID 4040 wrote to memory of 5108	4040	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe	96
PID 4040 wrote to memory of 5108	4040	{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe	96
PID 3896 wrote to memory of 3768	3896	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe	97
PID 3896 wrote to memory of 3768	3896	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe	97
PID 3896 wrote to memory of 3768	3896	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe	97
PID 3896 wrote to memory of 5056	3896	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe	98
PID 3896 wrote to memory of 5056	3896	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe	98
PID 3896 wrote to memory of 5056	3896	{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe	98
PID 3768 wrote to memory of 1812	3768	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe	99
PID 3768 wrote to memory of 1812	3768	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe	99
PID 3768 wrote to memory of 1812	3768	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe	99
PID 3768 wrote to memory of 404	3768	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe	100
PID 3768 wrote to memory of 404	3768	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe	100
PID 3768 wrote to memory of 404	3768	{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe	100
PID 1812 wrote to memory of 4352	1812	{B20D3922-915D-402f-B535-301E66D7DA49}.exe	101
PID 1812 wrote to memory of 4352	1812	{B20D3922-915D-402f-B535-301E66D7DA49}.exe	101
PID 1812 wrote to memory of 4352	1812	{B20D3922-915D-402f-B535-301E66D7DA49}.exe	101
PID 1812 wrote to memory of 4436	1812	{B20D3922-915D-402f-B535-301E66D7DA49}.exe	102
PID 1812 wrote to memory of 4436	1812	{B20D3922-915D-402f-B535-301E66D7DA49}.exe	102
PID 1812 wrote to memory of 4436	1812	{B20D3922-915D-402f-B535-301E66D7DA49}.exe	102
PID 4352 wrote to memory of 1184	4352	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe	103
PID 4352 wrote to memory of 1184	4352	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe	103
PID 4352 wrote to memory of 1184	4352	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe	103
PID 4352 wrote to memory of 4956	4352	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe	104
PID 4352 wrote to memory of 4956	4352	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe	104
PID 4352 wrote to memory of 4956	4352	{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe	104
PID 1184 wrote to memory of 1984	1184	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe	105
PID 1184 wrote to memory of 1984	1184	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe	105
PID 1184 wrote to memory of 1984	1184	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe	105
PID 1184 wrote to memory of 5116	1184	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe	106
PID 1184 wrote to memory of 5116	1184	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe	106
PID 1184 wrote to memory of 5116	1184	{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe	106
PID 1984 wrote to memory of 1144	1984	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe	107
PID 1984 wrote to memory of 1144	1984	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe	107
PID 1984 wrote to memory of 1144	1984	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe	107
PID 1984 wrote to memory of 2464	1984	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe	108
PID 1984 wrote to memory of 2464	1984	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe	108
PID 1984 wrote to memory of 2464	1984	{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe	108

C:\Users\Admin\AppData\Local\Temp\f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe
"C:\Users\Admin\AppData\Local\Temp\f428da8798c8c888b926355bbc8b22b944b0fbbedf8641ba0bc2f8fe118ac45aN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524
- C:\Windows\{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe
  C:\Windows\{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe
    C:\Windows\{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe
      C:\Windows\{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3896
    - - C:\Windows\{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe
        
        C:\Windows\{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3768
      - C:\Windows\{B20D3922-915D-402f-B535-301E66D7DA49}.exe
        
        C:\Windows\{B20D3922-915D-402f-B535-301E66D7DA49}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1812
        
        C:\Windows\{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe
        
        C:\Windows\{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe
        
        C:\Windows\{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1184
        
        C:\Windows\{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe
        
        C:\Windows\{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\{F3D7E31E-8CF8-4e79-AD90-D7A46881FA23}.exe
        
        C:\Windows\{F3D7E31E-8CF8-4e79-AD90-D7A46881FA23}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A43D3~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75B79~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CB39~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B20D3~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F39AC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D750A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A534F~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:5108
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CF693~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2224
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F428DA~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5CB39E69-2982-4604-A2FE-D5591F2046B9}.exe

Filesize
88KB

MD5
db8cd6273df78fb2301a1ae359792b56

SHA1
8485dd5f772e8cfcd239cc41d393ccef47f456be

SHA256
ed8cc6f5fd530b27a53f53f61e6e218520c16242a076bb44b7e700cb1ef4795c

SHA512
abfb433c2e88179cbc349bb015dd506e76ac7b5b020390e41b15ef29c7a968f107a8047cdb2bc770cda089f84e38b8423ab644291a55c05b867af818b5cd31c1

Download Submit
C:\Windows\{75B79D73-85FC-4008-B1BA-03EBC735E06B}.exe

Filesize
88KB

MD5
0c2912965c8535c569479291ef610b21

SHA1
cee9ccc90e52284ef2c84c5deae4e2f6cd82e2fd

SHA256
c3b455070d268aa63d6df036532e0b759af441d5005876f1ed9520a4a1d878ee

SHA512
850f82dec3f8dc28c728f5f28f00cf1eebbb2948a0b9b4c92e2d05535416d74139b3082f3832cd24474dec0203684d02024f0030b732a1a8e94e6d8eabca51ee

Download Submit
C:\Windows\{A43D3F83-1C48-4d9c-BA0F-6F17FD504434}.exe

Filesize
88KB

MD5
27673b0c1e230caf4589a6984c58eb19

SHA1
055d3ca2f47354475b86e4958b87fa72807e6afe

SHA256
9135ee491410f471579df100da003e1035961c7adbc9f909cfe22217278abde2

SHA512
c952b326c9242463a460c4f5fd76b98abd948412ccf0b38d6420525967769c97553a549b477480fec8206c79e4cce3a6f3eb2c908be7c788cf1680bb5ad381aa

Download Submit
C:\Windows\{A534F764-14CA-43c7-B0A9-DB13F151C584}.exe

Filesize
88KB

MD5
bdf701f5b2ed33b48cd66e327de72c36

SHA1
e966649bfe9dfe803f8720f21685d5c67bc73221

SHA256
7ddbf5524662d8201e73abd90a6c76fcbaf0b45b7638c4363f9f10c358a50165

SHA512
b04f723bd9d787af601d8d3d0536ad059fa892b804a36e0e6f1c513e76529082dc52696f6c20bda1992bdb592b71e0131707b200cdf2511e594b64074f86410a

Download Submit
C:\Windows\{B20D3922-915D-402f-B535-301E66D7DA49}.exe

Filesize
88KB

MD5
44b7252484054e37d40c2942477392b5

SHA1
1eb0e657a4ab72af882a1b2770cbe035bb93c943

SHA256
2c05e0ec9228934c4ecd68d2c78d0f9d6cb6ae8fd1854e39b32b007470c83881

SHA512
4fa91e863c5c1907ca6a707333bafe0e3632d78abe973dca4a12920920fc4aaf650a87ccafa805bac98fc4bc1505c24ec9ddf67e658a76d05209e4a162f9062d

Download Submit
C:\Windows\{CF6939E6-BE90-439e-8D3D-810C85343C87}.exe

Filesize
88KB

MD5
c2a7add24966a3c568820236718f5a92

SHA1
c05b0d745bd1815c8eb70e8334afd1623bedbc77

SHA256
e3573672bf8df8831d9228e1b81549dfb9d201d9bcda877444ea418a30933aeb

SHA512
fdc40e44f55a9b91f9100e97034a538e2b3eb4485c315725077706465cbfd8ef074f4c855a79972c457ea2f54e66a95b95c6de07d0481b1074ad37118575a0ae

Download Submit
C:\Windows\{D750A9F3-E136-43f8-ACD1-F724B34149FF}.exe

Filesize
88KB

MD5
988cdc138d7e932bb345404c408207c4

SHA1
bf143c890143d9cde94a2de2cbd2a6fcbfbcc0b8

SHA256
23b73c3a6af070a6cad5b4dda4d9fff34494478176176158164c09d43083a146

SHA512
afefe94052fe971de2974ad5f3a9474f78cb09322a6b7bff14f02864eb26d57d85e4685e6fd6ebda0714ae9a2f4477b49bb5adab259312c8c103d69e647fa42a

Download Submit
C:\Windows\{F39ACBB0-F25E-4a81-B60B-551212D7E343}.exe

Filesize
88KB

MD5
0574b9e304fec7b2e364e164a1cdd364

SHA1
a50797ed66d3c71a88ca180ac7539b421ea33d44

SHA256
23f56c441f79cc569d407bcf4bc5bde42a9db6286cf6f7dbe2e668969e3ba84a

SHA512
3b766d2e7e72de95fe6628eec8a4cb07972cd2d0aac68c71e25d13d1bfde1a30969e7c687dc2a12f55ae637004ec6e840d0aae123aed8e19ee48cd7c55e04e96

Download Submit
C:\Windows\{F3D7E31E-8CF8-4e79-AD90-D7A46881FA23}.exe

Filesize
88KB

MD5
30b12eef4fce673fdca390c099b67c96

SHA1
573614c9d7c5cc0b7da243fcd709a276b422133e

SHA256
2e1563d9f8a02e1a89e10f8bb6b7a99dec1563479bab34efb770fad6739fb9f8

SHA512
fbe1fd0544011f8b5a0371f302d98fbaabb4e8bb75ecb6a26e556aac7bd289ed52c1c4225758846d41726f6b9962eee7253f7cef7ed064dbcb88ccede604745d

Download Submit
memory/524-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/524-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/524-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1144-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1184-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1184-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1300-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1300-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1300-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1812-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1812-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1984-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1984-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3768-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3896-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3896-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4040-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4040-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4352-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4352-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads