95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33f

Analysis

max time kernel
118s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2024, 21:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe
Size

60KB
MD5

f9dd43ea65983fd979a987bf8530bc80
SHA1

69886de23019c29c4ea0bfbe07d32667744c03ea
SHA256

95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33f
SHA512

2a5e39a132c3e91c6f1a3424a0c0e4baae0f4e3de455b799091db4a3f2ae1c4c10fea17aa239f53486478d68764319ef51d5ff3fb9a2db866a844816b9a2afcb
SSDEEP

192:vbOzawOs81elJHsc45CcRZOgtShcWaOT2QLrCqw4gY04/CFxyNhoy5t:vbLwOs8AHsc4sMfwhKQLro4u4/CFsrd

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99D0F687-DF5F-4e10-9027-315BAF82CEA5}\stubpath = "C:\\Windows\\{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe"	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}\stubpath = "C:\\Windows\\{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe"	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}\stubpath = "C:\\Windows\\{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe"	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6884257F-86BB-4031-835A-57F91BACF07A}	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{245FD93F-3F01-4072-92C6-43A70DF8FA95}	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{245FD93F-3F01-4072-92C6-43A70DF8FA95}\stubpath = "C:\\Windows\\{245FD93F-3F01-4072-92C6-43A70DF8FA95}.exe"	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6884257F-86BB-4031-835A-57F91BACF07A}\stubpath = "C:\\Windows\\{6884257F-86BB-4031-835A-57F91BACF07A}.exe"	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FE52B3B-C742-43d7-9E4F-027BD51B9323}\stubpath = "C:\\Windows\\{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe"	{6884257F-86BB-4031-835A-57F91BACF07A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}\stubpath = "C:\\Windows\\{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe"	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}\stubpath = "C:\\Windows\\{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe"	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41BE4A4B-CB72-40a0-B05F-0278B27A980E}	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{99D0F687-DF5F-4e10-9027-315BAF82CEA5}	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41BE4A4B-CB72-40a0-B05F-0278B27A980E}\stubpath = "C:\\Windows\\{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe"	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0FE52B3B-C742-43d7-9E4F-027BD51B9323}	{6884257F-86BB-4031-835A-57F91BACF07A}.exe

Executes dropped EXE 9 IoCs

pid	Process
2940	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe
2944	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe
2588	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe
3980	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe
2196	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe
884	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe
1564	{6884257F-86BB-4031-835A-57F91BACF07A}.exe
1856	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe
536	{245FD93F-3F01-4072-92C6-43A70DF8FA95}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe
File created	C:\Windows\{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe
File created	C:\Windows\{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe
File created	C:\Windows\{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe
File created	C:\Windows\{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe	{6884257F-86BB-4031-835A-57F91BACF07A}.exe
File created	C:\Windows\{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe
File created	C:\Windows\{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe
File created	C:\Windows\{6884257F-86BB-4031-835A-57F91BACF07A}.exe	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe
File created	C:\Windows\{245FD93F-3F01-4072-92C6-43A70DF8FA95}.exe	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6884257F-86BB-4031-835A-57F91BACF07A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{245FD93F-3F01-4072-92C6-43A70DF8FA95}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2424	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe
Token: SeIncBasePriorityPrivilege	2940	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe
Token: SeIncBasePriorityPrivilege	2944	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe
Token: SeIncBasePriorityPrivilege	2588	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe
Token: SeIncBasePriorityPrivilege	3980	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe
Token: SeIncBasePriorityPrivilege	2196	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe
Token: SeIncBasePriorityPrivilege	884	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe
Token: SeIncBasePriorityPrivilege	1564	{6884257F-86BB-4031-835A-57F91BACF07A}.exe
Token: SeIncBasePriorityPrivilege	1856	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2940	2424	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe	85
PID 2424 wrote to memory of 2940	2424	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe	85
PID 2424 wrote to memory of 2940	2424	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe	85
PID 2424 wrote to memory of 876	2424	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe	86
PID 2424 wrote to memory of 876	2424	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe	86
PID 2424 wrote to memory of 876	2424	95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe	86
PID 2940 wrote to memory of 2944	2940	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe	87
PID 2940 wrote to memory of 2944	2940	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe	87
PID 2940 wrote to memory of 2944	2940	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe	87
PID 2940 wrote to memory of 2372	2940	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe	88
PID 2940 wrote to memory of 2372	2940	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe	88
PID 2940 wrote to memory of 2372	2940	{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe	88
PID 2944 wrote to memory of 2588	2944	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe	94
PID 2944 wrote to memory of 2588	2944	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe	94
PID 2944 wrote to memory of 2588	2944	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe	94
PID 2944 wrote to memory of 4460	2944	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe	95
PID 2944 wrote to memory of 4460	2944	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe	95
PID 2944 wrote to memory of 4460	2944	{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe	95
PID 2588 wrote to memory of 3980	2588	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe	96
PID 2588 wrote to memory of 3980	2588	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe	96
PID 2588 wrote to memory of 3980	2588	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe	96
PID 2588 wrote to memory of 3732	2588	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe	97
PID 2588 wrote to memory of 3732	2588	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe	97
PID 2588 wrote to memory of 3732	2588	{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe	97
PID 3980 wrote to memory of 2196	3980	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe	98
PID 3980 wrote to memory of 2196	3980	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe	98
PID 3980 wrote to memory of 2196	3980	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe	98
PID 3980 wrote to memory of 780	3980	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe	99
PID 3980 wrote to memory of 780	3980	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe	99
PID 3980 wrote to memory of 780	3980	{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe	99
PID 2196 wrote to memory of 884	2196	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe	100
PID 2196 wrote to memory of 884	2196	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe	100
PID 2196 wrote to memory of 884	2196	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe	100
PID 2196 wrote to memory of 1636	2196	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe	101
PID 2196 wrote to memory of 1636	2196	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe	101
PID 2196 wrote to memory of 1636	2196	{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe	101
PID 884 wrote to memory of 1564	884	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe	102
PID 884 wrote to memory of 1564	884	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe	102
PID 884 wrote to memory of 1564	884	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe	102
PID 884 wrote to memory of 3408	884	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe	103
PID 884 wrote to memory of 3408	884	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe	103
PID 884 wrote to memory of 3408	884	{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe	103
PID 1564 wrote to memory of 1856	1564	{6884257F-86BB-4031-835A-57F91BACF07A}.exe	104
PID 1564 wrote to memory of 1856	1564	{6884257F-86BB-4031-835A-57F91BACF07A}.exe	104
PID 1564 wrote to memory of 1856	1564	{6884257F-86BB-4031-835A-57F91BACF07A}.exe	104
PID 1564 wrote to memory of 4420	1564	{6884257F-86BB-4031-835A-57F91BACF07A}.exe	105
PID 1564 wrote to memory of 4420	1564	{6884257F-86BB-4031-835A-57F91BACF07A}.exe	105
PID 1564 wrote to memory of 4420	1564	{6884257F-86BB-4031-835A-57F91BACF07A}.exe	105
PID 1856 wrote to memory of 536	1856	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe	106
PID 1856 wrote to memory of 536	1856	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe	106
PID 1856 wrote to memory of 536	1856	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe	106
PID 1856 wrote to memory of 3184	1856	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe	107
PID 1856 wrote to memory of 3184	1856	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe	107
PID 1856 wrote to memory of 3184	1856	{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe	107

C:\Users\Admin\AppData\Local\Temp\95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe
"C:\Users\Admin\AppData\Local\Temp\95f1e4169f8485e97b682bda42643e8c2652c0c130d284d9d8192d44587fd33fN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe
  C:\Windows\{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2940
- - C:\Windows\{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe
    C:\Windows\{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Windows\{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe
      C:\Windows\{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe
        
        C:\Windows\{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3980
      - C:\Windows\{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe
        
        C:\Windows\{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe
        
        C:\Windows\{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
        
        C:\Windows\{6884257F-86BB-4031-835A-57F91BACF07A}.exe
        
        C:\Windows\{6884257F-86BB-4031-835A-57F91BACF07A}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe
        
        C:\Windows\{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\{245FD93F-3F01-4072-92C6-43A70DF8FA95}.exe
        
        C:\Windows\{245FD93F-3F01-4072-92C6-43A70DF8FA95}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0FE52~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{68842~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E6A61~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8C441~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{41BE4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:780
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{99D0F~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3732
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{6AFA5~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4460
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{9C904~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2372
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\95F1E4~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0FE52B3B-C742-43d7-9E4F-027BD51B9323}.exe

Filesize
60KB

MD5
7ff0f284052d62cd535b10a229fe580a

SHA1
6548a681f7965ef9e1a7af28f2548a86295d1824

SHA256
7108ce27330718a60f6b3f100a39ed3f749641455ed463730282a893f0fdd982

SHA512
7a198739b18b16e24d941aaa1ae3201d41fe4c260b92d2fa53855109372078b3c409dc379aebde00f671f27a9ff61d257bdc1693215f6a909dbae5bc51f666e6

Download Submit
C:\Windows\{245FD93F-3F01-4072-92C6-43A70DF8FA95}.exe

Filesize
60KB

MD5
02ce907e21813993ffde811777aa7fb2

SHA1
d2517dc3d263ab80e5b31059a840765cf9efac56

SHA256
828e1d0a97982b74dba8a3582f84bda9e3240b8ecb21acc2397bc89dda3984a5

SHA512
458a2e669dfa78b53071a67fbaa2187bd1c449bdecc87b0e345180f4113ebd5190b192281638108af9a1c0ae027b9e51101c6e923e31815a3cd6e11d546e9bd4

Download Submit
C:\Windows\{41BE4A4B-CB72-40a0-B05F-0278B27A980E}.exe

Filesize
60KB

MD5
d3adc0b9f65ea7ecec39b84588845cc2

SHA1
e0999891d9f63e29a674a6bb3a4c79321919a895

SHA256
b6cfe85628ade44b2b9cafd04c82e2ad0a7ab1e074edb17c358fb7ae02d41099

SHA512
0f624127bd390f2dcb750e28f0c82fa55e800e46c5a97b498e346be554996fbc4f0bf236bcba13fe8c1e3bc0926b9e443206ff28046358f0fd21a26f6c9eda59

Download Submit
C:\Windows\{6884257F-86BB-4031-835A-57F91BACF07A}.exe

Filesize
60KB

MD5
10b860ffe550276a28884f8774eaa1f3

SHA1
7ece2040862de8dd09a3ee2606937fe573fe7c5f

SHA256
092a4524c5bfbb466fb61d86e67730ad50f6bdcd58a97cb5c021d563598677f7

SHA512
d074b3060664f26d584f721292f922f050b3778da3576f710bc498372576d0d4e9db63a67e80ac78aed55512d10f92107a6f73c3e9fd368d3da9fafcc4cd3e99

Download Submit
C:\Windows\{6AFA5A0C-5F4E-42ec-88D8-8B4F76328CBF}.exe

Filesize
60KB

MD5
da6e551516d108dc3e92ed801feed4b1

SHA1
48eecd533b6164cd36ae9495d8d59d57ed67b98c

SHA256
95f2eea13665bf6c6efe92f1a013b96e74d0fe7baaef73f912c0f844a0fab740

SHA512
8969d34e93bdaacc89f091c76a4770e47b19422d5c71516f80f4628ad6b29aab4f80b868d2145a354cff0f1da86cb6d3f7ae9e47d9f67976e44894e33648ae1c

Download Submit
C:\Windows\{8C441052-7C82-4fa4-B4DD-D1D20BB690F6}.exe

Filesize
60KB

MD5
7add4272d3e5a0cfd008036a2863ce6e

SHA1
0726d25915f10099be813ad96638a0ea77aff004

SHA256
be2c76fcc55612315c53215f17e1701f7526888604b6d8d9d142e3d3786d1f0b

SHA512
68f05b928802e0d1da5787cab7ed728e720b12966887a47e75e411428de8d2c73b73e776ba9db98ce0c5ad1c42446a5b5e475cff672f8f1a3494a150c8a7ed45

Download Submit
C:\Windows\{99D0F687-DF5F-4e10-9027-315BAF82CEA5}.exe

Filesize
60KB

MD5
250407d2f77b8d88a04f161bd978b4ba

SHA1
fdd6503486e5a8263d94144052019e7150380bdd

SHA256
4bd73a5ba3ee47f03ffd287589374b3ab2052209ab8258229f7ed518d9fb7d86

SHA512
9718d8eb522fcd866f101484a10404e5a0581c2de0630645e6b4a9333938caa4f7e47bab43f3d1478c4e8305e6a3c8d26f81bbb6843f991d51e38e7d889dc6e0

Download Submit
C:\Windows\{9C904C95-8F2B-4867-8DB4-EDADF4AC8110}.exe

Filesize
60KB

MD5
6652af544e7771643a7a9f1a6c43db6a

SHA1
5861096c372e253682545dd05e8e050c5c383d25

SHA256
58f6c763c57d6694f1f776a86c3a1305eda2c93c2f94d247f3f683f37a13345e

SHA512
5be548d51565980446b433be6a13f4ef61f7c0f47aef750172ff0276975c50c480883d784c5da378695363ad2794cffb8e911d6fcaa28fd94f60bcf1a2536e5f

Download Submit
C:\Windows\{E6A6142A-8F60-4e89-A1FF-987DC72C5B5E}.exe

Filesize
60KB

MD5
6e2005e6809b3aff2f9ba09812058727

SHA1
cb01cef6e262f0bc9816c6e74497e4e70453b03a

SHA256
bc34e6a558a818120c854479ce13fb01f66b99839b008304664d70986ebd4286

SHA512
e9d18367e9e87c29cb57bcd6bbc80ee56b83aac50e0a475e6244ae4fc7d27c3e7db08c7d82553aef3ba1986ab72737042dcb5756adef52932e98901de4fd1c87

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads