Analysis
max time kernel: 118s
max time network: 105s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-10-2024 13:12
Static task: static1
Behavioral task: behavioral1
  Sample: f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
  Resource: win10v2004-20241007-en
General
Target: f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
Size: 90KB
MD5: 053c7dccc4f69f1a71b788276b118d10
SHA1: 2b074b5bb48804caa24ce96db33376b1cc94b999
SHA256: f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734
SHA512: 9c29bcc720965ddfd4f6a1a0f67fb864ed3f0bfa628739fd1cccc94ab8c200838e97e00123a4c4cb04f18db0463f6cf9bbe533bbadbb50088b2724b6df527f22
SSDEEP: 768:5vw9816thKQLro84/wQkNrfrunMxVFA3bA:lEG/0o8lbunMxVS3c
Malware Config
Signatures
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 18 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63447141-CC22-4078-9DFC-3D96EC92EA8E} | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{63447141-CC22-4078-9DFC-3D96EC92EA8E}\stubpath = "C:\\Windows\\{63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe" | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E50A89D-B4F4-4a24-B7A9-43CFE6815312}\stubpath = "C:\\Windows\\{1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe" | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16FA2F02-6E05-4f81-AAF1-C7595E5A471F}\stubpath = "C:\\Windows\\{16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe" | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA52DD1-502E-4ad0-94B3-36C31717DBB7} | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{237773CD-97F6-4dd9-A15E-A217189902B7} | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90F53314-2378-425c-B409-9047000F5EEB} | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EAC1BEC-58DD-48b1-8959-797F81087644}\stubpath = "C:\\Windows\\{1EAC1BEC-58DD-48b1-8959-797F81087644}.exe" | {90F53314-2378-425c-B409-9047000F5EEB}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}\stubpath = "C:\\Windows\\{852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe" | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F60DBC-3419-410c-BB56-D1E9D89BC821}\stubpath = "C:\\Windows\\{A7F60DBC-3419-410c-BB56-D1E9D89BC821}.exe" | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{852DECEC-8C3D-44f8-AC4C-AAA92A7D103E} | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2AA52DD1-502E-4ad0-94B3-36C31717DBB7}\stubpath = "C:\\Windows\\{2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe" | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A7F60DBC-3419-410c-BB56-D1E9D89BC821} | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{237773CD-97F6-4dd9-A15E-A217189902B7}\stubpath = "C:\\Windows\\{237773CD-97F6-4dd9-A15E-A217189902B7}.exe" | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1E50A89D-B4F4-4a24-B7A9-43CFE6815312} | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{90F53314-2378-425c-B409-9047000F5EEB}\stubpath = "C:\\Windows\\{90F53314-2378-425c-B409-9047000F5EEB}.exe" | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1EAC1BEC-58DD-48b1-8959-797F81087644} | {90F53314-2378-425c-B409-9047000F5EEB}.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{16FA2F02-6E05-4f81-AAF1-C7595E5A471F} | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe
Executes dropped EXE (9 IoCs)
pid | Process
3948 | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe
2124 | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe
5012 | {90F53314-2378-425c-B409-9047000F5EEB}.exe
2596 | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe
3908 | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe
4356 | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe
1964 | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe
976 | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe
4856 | {A7F60DBC-3419-410c-BB56-D1E9D89BC821}.exe
Drops file in Windows directory (9 IoCs)
description | ioc | Process
File created | C:\Windows\{237773CD-97F6-4dd9-A15E-A217189902B7}.exe | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
File created | C:\Windows\{16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe
File created | C:\Windows\{852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe
File created | C:\Windows\{63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe
File created | C:\Windows\{2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe
File created | C:\Windows\{1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe
File created | C:\Windows\{90F53314-2378-425c-B409-9047000F5EEB}.exe | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe
File created | C:\Windows\{1EAC1BEC-58DD-48b1-8959-797F81087644}.exe | {90F53314-2378-425c-B409-9047000F5EEB}.exe
File created | C:\Windows\{A7F60DBC-3419-410c-BB56-D1E9D89BC821}.exe | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe
System Location Discovery: System Language Discovery (1 TTPs, 19 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {90F53314-2378-425c-B409-9047000F5EEB}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {A7F60DBC-3419-410c-BB56-D1E9D89BC821}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe
Suspicious use of AdjustPrivilegeToken (9 IoCs)
description | pid | Process
Token: SeIncBasePriorityPrivilege | 3068 | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe
Token: SeIncBasePriorityPrivilege | 3948 | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe
Token: SeIncBasePriorityPrivilege | 2124 | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe
Token: SeIncBasePriorityPrivilege | 5012 | {90F53314-2378-425c-B409-9047000F5EEB}.exe
Token: SeIncBasePriorityPrivilege | 2596 | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe
Token: SeIncBasePriorityPrivilege | 3908 | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe
Token: SeIncBasePriorityPrivilege | 4356 | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe
Token: SeIncBasePriorityPrivilege | 1964 | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe
Token: SeIncBasePriorityPrivilege | 976 | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe
Suspicious use of WriteProcessMemory (54 IoCs)
description | pid | Process | procid_target
PID 3068 wrote to memory of 3948 | 3068 | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe | 86
PID 3068 wrote to memory of 3948 | 3068 | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe | 86
PID 3068 wrote to memory of 3948 | 3068 | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe | 86
PID 3068 wrote to memory of 4224 | 3068 | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe | 87
PID 3068 wrote to memory of 4224 | 3068 | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe | 87
PID 3068 wrote to memory of 4224 | 3068 | f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe | 87
PID 3948 wrote to memory of 2124 | 3948 | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe | 88
PID 3948 wrote to memory of 2124 | 3948 | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe | 88
PID 3948 wrote to memory of 2124 | 3948 | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe | 88
PID 3948 wrote to memory of 4972 | 3948 | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe | 89
PID 3948 wrote to memory of 4972 | 3948 | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe | 89
PID 3948 wrote to memory of 4972 | 3948 | {237773CD-97F6-4dd9-A15E-A217189902B7}.exe | 89
PID 2124 wrote to memory of 5012 | 2124 | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe | 93
PID 2124 wrote to memory of 5012 | 2124 | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe | 93
PID 2124 wrote to memory of 5012 | 2124 | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe | 93
PID 2124 wrote to memory of 388 | 2124 | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe | 94
PID 2124 wrote to memory of 388 | 2124 | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe | 94
PID 2124 wrote to memory of 388 | 2124 | {1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe | 94
PID 5012 wrote to memory of 2596 | 5012 | {90F53314-2378-425c-B409-9047000F5EEB}.exe | 95
PID 5012 wrote to memory of 2596 | 5012 | {90F53314-2378-425c-B409-9047000F5EEB}.exe | 95
PID 5012 wrote to memory of 2596 | 5012 | {90F53314-2378-425c-B409-9047000F5EEB}.exe | 95
PID 5012 wrote to memory of 1900 | 5012 | {90F53314-2378-425c-B409-9047000F5EEB}.exe | 96
PID 5012 wrote to memory of 1900 | 5012 | {90F53314-2378-425c-B409-9047000F5EEB}.exe | 96
PID 5012 wrote to memory of 1900 | 5012 | {90F53314-2378-425c-B409-9047000F5EEB}.exe | 96
PID 2596 wrote to memory of 3908 | 2596 | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe | 97
PID 2596 wrote to memory of 3908 | 2596 | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe | 97
PID 2596 wrote to memory of 3908 | 2596 | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe | 97
PID 2596 wrote to memory of 3944 | 2596 | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe | 98
PID 2596 wrote to memory of 3944 | 2596 | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe | 98
PID 2596 wrote to memory of 3944 | 2596 | {1EAC1BEC-58DD-48b1-8959-797F81087644}.exe | 98
PID 3908 wrote to memory of 4356 | 3908 | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe | 100
PID 3908 wrote to memory of 4356 | 3908 | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe | 100
PID 3908 wrote to memory of 4356 | 3908 | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe | 100
PID 3908 wrote to memory of 1264 | 3908 | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe | 101
PID 3908 wrote to memory of 1264 | 3908 | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe | 101
PID 3908 wrote to memory of 1264 | 3908 | {16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe | 101
PID 4356 wrote to memory of 1964 | 4356 | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe | 102
PID 4356 wrote to memory of 1964 | 4356 | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe | 102
PID 4356 wrote to memory of 1964 | 4356 | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe | 102
PID 4356 wrote to memory of 1272 | 4356 | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe | 103
PID 4356 wrote to memory of 1272 | 4356 | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe | 103
PID 4356 wrote to memory of 1272 | 4356 | {852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe | 103
PID 1964 wrote to memory of 976 | 1964 | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe | 104
PID 1964 wrote to memory of 976 | 1964 | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe | 104
PID 1964 wrote to memory of 976 | 1964 | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe | 104
PID 1964 wrote to memory of 3408 | 1964 | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe | 105
PID 1964 wrote to memory of 3408 | 1964 | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe | 105
PID 1964 wrote to memory of 3408 | 1964 | {63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe | 105
PID 976 wrote to memory of 4856 | 976 | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe | 113
PID 976 wrote to memory of 4856 | 976 | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe | 113
PID 976 wrote to memory of 4856 | 976 | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe | 113
PID 976 wrote to memory of 1692 | 976 | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe | 114
PID 976 wrote to memory of 1692 | 976 | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe | 114
PID 976 wrote to memory of 1692 | 976 | {2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe | 114
Processes
C:\Users\Admin\AppData\Local\Temp\f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe (depth 1, PID 3068)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f90c817a04c61f54ca196036c1f6bf8c667ea4d1d4e990304ae6267410457734N.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\{237773CD-97F6-4dd9-A15E-A217189902B7}.exe (depth 2, PID 3948)
  Command line: C:\Windows\{237773CD-97F6-4dd9-A15E-A217189902B7}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\{1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe (depth 3, PID 2124)
  Command line: C:\Windows\{1E50A89D-B4F4-4a24-B7A9-43CFE6815312}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\{90F53314-2378-425c-B409-9047000F5EEB}.exe (depth 4, PID 5012)
  Command line: C:\Windows\{90F53314-2378-425c-B409-9047000F5EEB}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\{1EAC1BEC-58DD-48b1-8959-797F81087644}.exe (depth 5, PID 2596)
  Command line: C:\Windows\{1EAC1BEC-58DD-48b1-8959-797F81087644}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\{16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe (depth 6, PID 3908)
  Command line: C:\Windows\{16FA2F02-6E05-4f81-AAF1-C7595E5A471F}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\{852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe (depth 7, PID 4356)
  Command line: C:\Windows\{852DECEC-8C3D-44f8-AC4C-AAA92A7D103E}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\{63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe (depth 8, PID 1964)
  Command line: C:\Windows\{63447141-CC22-4078-9DFC-3D96EC92EA8E}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\{2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe (depth 9, PID 976)
  Command line: C:\Windows\{2AA52DD1-502E-4ad0-94B3-36C31717DBB7}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
C:\Windows\{A7F60DBC-3419-410c-BB56-D1E9D89BC821}.exe (depth 10, PID 4856)
  Command line: C:\Windows\{A7F60DBC-3419-410c-BB56-D1E9D89BC821}.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cmd.exe (depth 10, PID 1692)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2AA52~1.EXE > nul
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cmd.exe (depth 9, PID 3408)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{63447~1.EXE > nul
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cmd.exe (depth 8, PID 1272)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{852DE~1.EXE > nul
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cmd.exe (depth 7, PID 1264)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{16FA2~1.EXE > nul
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cmd.exe (depth 6, PID 3944)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1EAC1~1.EXE > nul
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cmd.exe (depth 5, PID 1900)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{90F53~1.EXE > nul
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cmd.exe (depth 4, PID 388)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{1E50A~1.EXE > nul
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cmd.exe (depth 3, PID 4972)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{23777~1.EXE > nul
  - System Location Discovery: System Language Discovery
C:\Windows\SysWOW64\cmd.exe (depth 2, PID 4224)
  Command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\F90C81~1.EXE > nul
  - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads