95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1

Analysis

max time kernel
144s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 00:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
Size

408KB
MD5

6f750833147e8499ca4a8e61cf2a9516
SHA1

5475e5936df9783a78bc4043f936b696968be6f7
SHA256

95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1
SHA512

f9182d032a230be2109a4048f872c85b568b8d8eda3fc74c721ec9102b478b9fc99e8e8a7c0d320a90013a3b71a35648db2578d1734c686eceda31a1cf24021c
SSDEEP

3072:CEGh0oZl3OiNOe2MUVg3bHrH/HqOYGte+rcC4F0fJGRIS8Rfd7eQEcGcrTutTBf3:CEG7ldOe2MUVg3vTeKcAEciTBqr3jy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E52C294A-F80F-424a-8A87-1125CC2ACAEC}\stubpath = "C:\\Windows\\{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe"	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{352DB7C1-45B2-41d2-B250-459CCFCE0048}	{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97BE3272-98CD-4a81-B387-830C73D4E009}\stubpath = "C:\\Windows\\{97BE3272-98CD-4a81-B387-830C73D4E009}.exe"	{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6364B69-5155-4664-BD75-643126F0BC8F}	{97BE3272-98CD-4a81-B387-830C73D4E009}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D36934B-D3F9-407e-A649-7387A5D84EDC}	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}\stubpath = "C:\\Windows\\{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe"	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}\stubpath = "C:\\Windows\\{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe"	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DA92501-E2DB-4948-97A1-E2E9958498FF}	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4DA92501-E2DB-4948-97A1-E2E9958498FF}\stubpath = "C:\\Windows\\{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe"	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2D36934B-D3F9-407e-A649-7387A5D84EDC}\stubpath = "C:\\Windows\\{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe"	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}\stubpath = "C:\\Windows\\{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe"	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}\stubpath = "C:\\Windows\\{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe"	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{352DB7C1-45B2-41d2-B250-459CCFCE0048}\stubpath = "C:\\Windows\\{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe"	{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E52C294A-F80F-424a-8A87-1125CC2ACAEC}	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}\stubpath = "C:\\Windows\\{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe"	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{97BE3272-98CD-4a81-B387-830C73D4E009}	{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F6364B69-5155-4664-BD75-643126F0BC8F}\stubpath = "C:\\Windows\\{F6364B69-5155-4664-BD75-643126F0BC8F}.exe"	{97BE3272-98CD-4a81-B387-830C73D4E009}.exe

Deletes itself 1 IoCs

pid	Process
2112	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
2320	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
2780	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
3044	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
2636	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
1008	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe
1116	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe
2984	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
3064	{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
2276	{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
1920	{97BE3272-98CD-4a81-B387-830C73D4E009}.exe
2552	{F6364B69-5155-4664-BD75-643126F0BC8F}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
File created	C:\Windows\{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
File created	C:\Windows\{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe	{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
File created	C:\Windows\{F6364B69-5155-4664-BD75-643126F0BC8F}.exe	{97BE3272-98CD-4a81-B387-830C73D4E009}.exe
File created	C:\Windows\{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
File created	C:\Windows\{97BE3272-98CD-4a81-B387-830C73D4E009}.exe	{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
File created	C:\Windows\{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
File created	C:\Windows\{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
File created	C:\Windows\{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
File created	C:\Windows\{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe
File created	C:\Windows\{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{97BE3272-98CD-4a81-B387-830C73D4E009}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6364B69-5155-4664-BD75-643126F0BC8F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1972	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
Token: SeIncBasePriorityPrivilege	2320	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
Token: SeIncBasePriorityPrivilege	2780	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
Token: SeIncBasePriorityPrivilege	3044	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
Token: SeIncBasePriorityPrivilege	2636	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
Token: SeIncBasePriorityPrivilege	1008	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe
Token: SeIncBasePriorityPrivilege	1116	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe
Token: SeIncBasePriorityPrivilege	2984	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
Token: SeIncBasePriorityPrivilege	3064	{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
Token: SeIncBasePriorityPrivilege	2276	{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
Token: SeIncBasePriorityPrivilege	1920	{97BE3272-98CD-4a81-B387-830C73D4E009}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2320	1972	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe	31
PID 1972 wrote to memory of 2320	1972	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe	31
PID 1972 wrote to memory of 2320	1972	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe	31
PID 1972 wrote to memory of 2320	1972	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe	31
PID 1972 wrote to memory of 2112	1972	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe	32
PID 1972 wrote to memory of 2112	1972	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe	32
PID 1972 wrote to memory of 2112	1972	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe	32
PID 1972 wrote to memory of 2112	1972	95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe	32
PID 2320 wrote to memory of 2780	2320	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe	33
PID 2320 wrote to memory of 2780	2320	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe	33
PID 2320 wrote to memory of 2780	2320	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe	33
PID 2320 wrote to memory of 2780	2320	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe	33
PID 2320 wrote to memory of 2852	2320	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe	34
PID 2320 wrote to memory of 2852	2320	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe	34
PID 2320 wrote to memory of 2852	2320	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe	34
PID 2320 wrote to memory of 2852	2320	{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe	34
PID 2780 wrote to memory of 3044	2780	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe	35
PID 2780 wrote to memory of 3044	2780	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe	35
PID 2780 wrote to memory of 3044	2780	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe	35
PID 2780 wrote to memory of 3044	2780	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe	35
PID 2780 wrote to memory of 2664	2780	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe	36
PID 2780 wrote to memory of 2664	2780	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe	36
PID 2780 wrote to memory of 2664	2780	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe	36
PID 2780 wrote to memory of 2664	2780	{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe	36
PID 3044 wrote to memory of 2636	3044	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe	37
PID 3044 wrote to memory of 2636	3044	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe	37
PID 3044 wrote to memory of 2636	3044	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe	37
PID 3044 wrote to memory of 2636	3044	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe	37
PID 3044 wrote to memory of 2676	3044	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe	38
PID 3044 wrote to memory of 2676	3044	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe	38
PID 3044 wrote to memory of 2676	3044	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe	38
PID 3044 wrote to memory of 2676	3044	{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe	38
PID 2636 wrote to memory of 1008	2636	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe	39
PID 2636 wrote to memory of 1008	2636	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe	39
PID 2636 wrote to memory of 1008	2636	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe	39
PID 2636 wrote to memory of 1008	2636	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe	39
PID 2636 wrote to memory of 1804	2636	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe	40
PID 2636 wrote to memory of 1804	2636	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe	40
PID 2636 wrote to memory of 1804	2636	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe	40
PID 2636 wrote to memory of 1804	2636	{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe	40
PID 1008 wrote to memory of 1116	1008	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe	41
PID 1008 wrote to memory of 1116	1008	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe	41
PID 1008 wrote to memory of 1116	1008	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe	41
PID 1008 wrote to memory of 1116	1008	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe	41
PID 1008 wrote to memory of 2900	1008	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe	42
PID 1008 wrote to memory of 2900	1008	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe	42
PID 1008 wrote to memory of 2900	1008	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe	42
PID 1008 wrote to memory of 2900	1008	{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe	42
PID 1116 wrote to memory of 2984	1116	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe	43
PID 1116 wrote to memory of 2984	1116	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe	43
PID 1116 wrote to memory of 2984	1116	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe	43
PID 1116 wrote to memory of 2984	1116	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe	43
PID 1116 wrote to memory of 1056	1116	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe	44
PID 1116 wrote to memory of 1056	1116	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe	44
PID 1116 wrote to memory of 1056	1116	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe	44
PID 1116 wrote to memory of 1056	1116	{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe	44
PID 2984 wrote to memory of 3064	2984	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe	45
PID 2984 wrote to memory of 3064	2984	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe	45
PID 2984 wrote to memory of 3064	2984	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe	45
PID 2984 wrote to memory of 3064	2984	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe	45
PID 2984 wrote to memory of 1224	2984	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe	46
PID 2984 wrote to memory of 1224	2984	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe	46
PID 2984 wrote to memory of 1224	2984	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe	46
PID 2984 wrote to memory of 1224	2984	{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe	46

C:\Users\Admin\AppData\Local\Temp\95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe
"C:\Users\Admin\AppData\Local\Temp\95a0a193638eac7f8fefc0d4f416409bf18b507855e802d64b180563852837f1.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
  C:\Windows\{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
    C:\Windows\{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
      C:\Windows\{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
        
        C:\Windows\{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
      - C:\Windows\{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe
        
        C:\Windows\{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
        
        C:\Windows\{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe
        
        C:\Windows\{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1116
        
        C:\Windows\{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
        
        C:\Windows\{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
        
        C:\Windows\{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
        
        C:\Windows\{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\{97BE3272-98CD-4a81-B387-830C73D4E009}.exe
        
        C:\Windows\{97BE3272-98CD-4a81-B387-830C73D4E009}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\{F6364B69-5155-4664-BD75-643126F0BC8F}.exe
        
        C:\Windows\{F6364B69-5155-4664-BD75-643126F0BC8F}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2552
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{97BE3~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{352DB~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B142A~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03521~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1224
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E39B5~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A437~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2900
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7D4D5~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E52C2~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2D369~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{4DA92~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\95A0A1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03521DDD-FC53-49a2-9834-9DBA4E2A9A05}.exe

Filesize
408KB

MD5
92f99b62e591b007d0221eb69ce74575

SHA1
0f51816b5345d2064cc13667285878017173e663

SHA256
db0f642761de5140753bb8601e5af9b59b5913fbe67dd70bb46d5f2fc1668ac5

SHA512
7f8d73a5fb2058e4fc01d8b00393bba7fc475a4af630b2b61e621a7e99d156e6be72a4f7e9def93236c90184e259fda6a282ae9e8ab49b64597891458538728d

Download Submit
C:\Windows\{0A43791A-B20A-4f8f-A590-DBAAEA9EBC8B}.exe

Filesize
408KB

MD5
0c58e18cc8812a45a1505fd693563c8d

SHA1
4bdaadd619badd29daef240fd6ddef9cbc4874b4

SHA256
79ff898d85df51d50ec465a6a9e3dd46a704f82acf11705fd0b8366ea83e63a4

SHA512
603fff9e7b59471a9337bdc1b9aa875990760ea56b9df9d24aa40fe53b5b2d928cea902e9df73a715cefcad140dfe75319aa311a501ede5d0fceff17b036b71a

Download Submit
C:\Windows\{2D36934B-D3F9-407e-A649-7387A5D84EDC}.exe

Filesize
408KB

MD5
f7a1156d14f22a07f299a6f81141d223

SHA1
3d21e000d5979cc23807dc637372cf7bff17a7e6

SHA256
0d4a9b1f3f38abff8c9ff6abff9a6e4c7f33cb3d5bd8a1099e0f49c0200bb34c

SHA512
4d3b856d585390f09dba605495641cd7e797303a3b1923e74f25a0392f992913c65fe6c0d9c0e6748494c42f15452adfc9989e9403037495feadc5d9f9b70c77

Download Submit
C:\Windows\{352DB7C1-45B2-41d2-B250-459CCFCE0048}.exe

Filesize
408KB

MD5
cb8a6098c02934fe3a6181e6f9091335

SHA1
ccc31b859c63bd8bb57db3d0ad756c419c64529d

SHA256
fae355a13ff1b8729edf596b9281bcac23ae4e9665551416a07c078df7282d29

SHA512
4407aa83060eb0c5b9c28f490c526a7009a44ad114fcd1167e7be118aecffc79627b39c96d6434895e4216de5a5ed22a91b0d4cc0768c6f41f4a57e17ea5ca11

Download Submit
C:\Windows\{4DA92501-E2DB-4948-97A1-E2E9958498FF}.exe

Filesize
408KB

MD5
dc519a5c0e1a5eab35b58be24649de96

SHA1
534de4fa5125063098c694d534ce44d6554e4dec

SHA256
2cc3b2da51497b7eb87eb0349c0ab93b40c0e986064e8cddb5008e95e6169a7c

SHA512
53303386aea92a4cfa3e23a0957f4530ab0125d2072cf6e76c21a49258df2a4bddd0591fe96302a2fe0c024e1fb62140291e14a9a55d3b6ebeff153b3ef7e305

Download Submit
C:\Windows\{7D4D5B01-3A3C-4ccb-BCC5-6CEA33F1BE15}.exe

Filesize
408KB

MD5
11e7054d5606c52f19cdb3db1d5882d2

SHA1
8af27a4e4fd82fb84c17b336a11be547bfe8f0db

SHA256
ce10388f00a9bd921fc48423362919c1b6ebc6e606681d7a416174ceccc5a53a

SHA512
2b2f0188663264d645753f74d5def35b69d4894661b51ca9ea2ee1f4183b42fdd3730aa031e17bd13c49f76fb40ba4b189d9e64c3cc8b94720aab36df35493c0

Download Submit
C:\Windows\{97BE3272-98CD-4a81-B387-830C73D4E009}.exe

Filesize
408KB

MD5
14fb3ae00c337a0907bab923b60e7f2c

SHA1
a1c6a723a8c73dd28d653edd2fe90d19c9f1b1c2

SHA256
fde91a67157a348a915e35b781f1645486538415b84f9f23efb86027935326ae

SHA512
8fa98c13bf7c010a1e2a9e027f6d88ad5ae5842874d7a98c587d1f7ee6458703eb654a45079593da81eba7e61c501851462da56428a0a755b21038035282c612

Download Submit
C:\Windows\{B142AB84-36D3-45ca-9AF0-FF6316ACE81C}.exe

Filesize
408KB

MD5
ce99bf4482159fbb28c45d17b9f0d8c9

SHA1
3ad9722824b36550048001516b5beef4d8325783

SHA256
4a7da75eacd1a723b44e3c2841186e9af2e476292eb211b4d7548913ee5567e5

SHA512
ad9f248a73fbe7ca7145a40db62355fb4c06fd13a201764d6e37d772d004d634f1e0d3151947853bb85287cec5f4a7d280963a1c8873a65888f98b43e60b5a4e

Download Submit
C:\Windows\{E39B5CE4-E9E0-4e88-A8C4-B2706F6BDC56}.exe

Filesize
408KB

MD5
19eb327e45882293c0dbe13cb549c1ff

SHA1
ed472540bbed4f71e159d51381f3206c4639ae48

SHA256
c88dde16156909d9bf32d4d5520defecd8f0835e0b4df6f025742dda6cc64696

SHA512
6a32834afb3f014ec6e9b3b1a9e4411528ce3fd698c015948fc15c87cda379272fba2f58a647feb32018f551f8743276af3c2de95a59fd3ef258c32bee78f3f0

Download Submit
C:\Windows\{E52C294A-F80F-424a-8A87-1125CC2ACAEC}.exe

Filesize
408KB

MD5
978b9157efeea88bfefde85ad5d55fe3

SHA1
5413aa31a2e2e4a5340a7278529d30dca6f71417

SHA256
e3bdc29eb8f61a685ec96fcd040d246244b42c3d8aca866d5c03c92261932b14

SHA512
02c079eec2f50111d64d1f0394539f0a73603dc8ee8e801bcf8f71bd7e30b0d39dad933ec2dbf9484a2d623e66eb113d1dbe4a748b7a014b3b009a04e06a1c9d

Download Submit
C:\Windows\{F6364B69-5155-4664-BD75-643126F0BC8F}.exe

Filesize
408KB

MD5
eb6f271e01e7c948a00bf6fd804a3b42

SHA1
df1a126cdfea35b50951742497a708a285abb038

SHA256
1ebf99562fd90bdd18484bf129e20baa6d44eb1eae476b0a1853b6c78410752e

SHA512
b230143d31ab00ede380e8b4653e796839708b6ca00e892102ce7ab860ee94b4b03e04ba10fe93295843421f7288b532e87dd10118cab80643cc076fe679e506

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads