9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44b

Analysis

max time kernel
118s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
Size

380KB
MD5

04d89e338027b99222b32f45263f8ed0
SHA1

0b1923290ed255b70fa1f88ed4e7582948956638
SHA256

9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44b
SHA512

189869143e51e9ce19b9f731c416b1e874a689c3cd26bfa7c2f4bd577016cb4c3c35bd6474b59d33adabd5d18261007b22b28922f5197a2597bd67c03ae433e6
SSDEEP

3072:mEGh0ohlPOiDOe2MUVg3bHrH/HqOYGb+4QnZZIne+rcC4F0fJGRIS8Rfd7eQEcGw:mEG7l7Oe2MUVg3v2IneKcAEcARy

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6E1BEE3-21FE-4514-A550-9A5A8B650896}	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}\stubpath = "C:\\Windows\\{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe"	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}\stubpath = "C:\\Windows\\{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe"	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}\stubpath = "C:\\Windows\\{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe"	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6962A66-6DDC-4aae-A050-B77C319FD47B}	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BDAD369-E9C8-4b06-9570-3160635CD934}	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{1BDAD369-E9C8-4b06-9570-3160635CD934}\stubpath = "C:\\Windows\\{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe"	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2291FDE7-B1D2-4669-A05F-E49D2C535855}	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03D5DEB8-68FD-4500-804B-D19295434E83}\stubpath = "C:\\Windows\\{03D5DEB8-68FD-4500-804B-D19295434E83}.exe"	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC06D7C6-9E4F-4be5-B986-F98582B4982F}\stubpath = "C:\\Windows\\{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe"	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC06D7C6-9E4F-4be5-B986-F98582B4982F}	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2291FDE7-B1D2-4669-A05F-E49D2C535855}\stubpath = "C:\\Windows\\{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe"	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D6962A66-6DDC-4aae-A050-B77C319FD47B}\stubpath = "C:\\Windows\\{D6962A66-6DDC-4aae-A050-B77C319FD47B}.exe"	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E6E1BEE3-21FE-4514-A550-9A5A8B650896}\stubpath = "C:\\Windows\\{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe"	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{03D5DEB8-68FD-4500-804B-D19295434E83}	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe

Executes dropped EXE 9 IoCs

pid	Process
1444	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe
2336	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe
5092	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe
2112	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe
5004	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe
656	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe
3260	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe
3808	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe
4056	{D6962A66-6DDC-4aae-A050-B77C319FD47B}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe
File created	C:\Windows\{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe
File created	C:\Windows\{D6962A66-6DDC-4aae-A050-B77C319FD47B}.exe	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe
File created	C:\Windows\{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe
File created	C:\Windows\{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe
File created	C:\Windows\{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
File created	C:\Windows\{03D5DEB8-68FD-4500-804B-D19295434E83}.exe	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe
File created	C:\Windows\{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe
File created	C:\Windows\{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D6962A66-6DDC-4aae-A050-B77C319FD47B}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2252	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
Token: SeIncBasePriorityPrivilege	1444	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe
Token: SeIncBasePriorityPrivilege	2336	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe
Token: SeIncBasePriorityPrivilege	5092	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe
Token: SeIncBasePriorityPrivilege	2112	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe
Token: SeIncBasePriorityPrivilege	5004	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe
Token: SeIncBasePriorityPrivilege	656	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe
Token: SeIncBasePriorityPrivilege	3260	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe
Token: SeIncBasePriorityPrivilege	3808	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2252 wrote to memory of 1444	2252	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	86
PID 2252 wrote to memory of 1444	2252	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	86
PID 2252 wrote to memory of 1444	2252	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	86
PID 2252 wrote to memory of 4636	2252	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	87
PID 2252 wrote to memory of 4636	2252	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	87
PID 2252 wrote to memory of 4636	2252	9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe	87
PID 1444 wrote to memory of 2336	1444	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe	88
PID 1444 wrote to memory of 2336	1444	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe	88
PID 1444 wrote to memory of 2336	1444	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe	88
PID 1444 wrote to memory of 912	1444	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe	89
PID 1444 wrote to memory of 912	1444	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe	89
PID 1444 wrote to memory of 912	1444	{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe	89
PID 2336 wrote to memory of 5092	2336	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe	94
PID 2336 wrote to memory of 5092	2336	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe	94
PID 2336 wrote to memory of 5092	2336	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe	94
PID 2336 wrote to memory of 2504	2336	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe	95
PID 2336 wrote to memory of 2504	2336	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe	95
PID 2336 wrote to memory of 2504	2336	{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe	95
PID 5092 wrote to memory of 2112	5092	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe	96
PID 5092 wrote to memory of 2112	5092	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe	96
PID 5092 wrote to memory of 2112	5092	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe	96
PID 5092 wrote to memory of 1256	5092	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe	97
PID 5092 wrote to memory of 1256	5092	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe	97
PID 5092 wrote to memory of 1256	5092	{03D5DEB8-68FD-4500-804B-D19295434E83}.exe	97
PID 2112 wrote to memory of 5004	2112	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe	98
PID 2112 wrote to memory of 5004	2112	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe	98
PID 2112 wrote to memory of 5004	2112	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe	98
PID 2112 wrote to memory of 3504	2112	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe	99
PID 2112 wrote to memory of 3504	2112	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe	99
PID 2112 wrote to memory of 3504	2112	{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe	99
PID 5004 wrote to memory of 656	5004	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe	101
PID 5004 wrote to memory of 656	5004	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe	101
PID 5004 wrote to memory of 656	5004	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe	101
PID 5004 wrote to memory of 4964	5004	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe	102
PID 5004 wrote to memory of 4964	5004	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe	102
PID 5004 wrote to memory of 4964	5004	{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe	102
PID 656 wrote to memory of 3260	656	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe	103
PID 656 wrote to memory of 3260	656	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe	103
PID 656 wrote to memory of 3260	656	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe	103
PID 656 wrote to memory of 3960	656	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe	104
PID 656 wrote to memory of 3960	656	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe	104
PID 656 wrote to memory of 3960	656	{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe	104
PID 3260 wrote to memory of 3808	3260	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe	108
PID 3260 wrote to memory of 3808	3260	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe	108
PID 3260 wrote to memory of 3808	3260	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe	108
PID 3260 wrote to memory of 4416	3260	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe	109
PID 3260 wrote to memory of 4416	3260	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe	109
PID 3260 wrote to memory of 4416	3260	{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe	109
PID 3808 wrote to memory of 4056	3808	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe	114
PID 3808 wrote to memory of 4056	3808	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe	114
PID 3808 wrote to memory of 4056	3808	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe	114
PID 3808 wrote to memory of 1268	3808	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe	115
PID 3808 wrote to memory of 1268	3808	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe	115
PID 3808 wrote to memory of 1268	3808	{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe	115

C:\Users\Admin\AppData\Local\Temp\9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe
"C:\Users\Admin\AppData\Local\Temp\9217d12f976b923310c48bdec89d36b5a580d53803b4a13530f1d235474ce44bN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252
- C:\Windows\{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe
  C:\Windows\{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Windows\{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe
    C:\Windows\{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\{03D5DEB8-68FD-4500-804B-D19295434E83}.exe
      C:\Windows\{03D5DEB8-68FD-4500-804B-D19295434E83}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5092
    - - C:\Windows\{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe
        
        C:\Windows\{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe
        
        C:\Windows\{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe
        
        C:\Windows\{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:656
        
        C:\Windows\{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe
        
        C:\Windows\{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3260
        
        C:\Windows\{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe
        
        C:\Windows\{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3808
        
        C:\Windows\{D6962A66-6DDC-4aae-A050-B77C319FD47B}.exe
        
        C:\Windows\{D6962A66-6DDC-4aae-A050-B77C319FD47B}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E958E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2291F~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{ACADD~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3960
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D337E~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4964
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FC06D~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{03D5D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{E6E1B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{1BDAD~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:912
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9217D1~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{03D5DEB8-68FD-4500-804B-D19295434E83}.exe

Filesize
380KB

MD5
1d56d4f875def9cfd7f67e3cebee74cd

SHA1
95ce260e6b8894a48b47e3f836ab3a826ba0e562

SHA256
b0600f317002bccc655962d178c8f49a938ab18e4906a6d7fde1824b396873dc

SHA512
69801304f1ab6a297de19a64cdf614de76031f9b551af1df00ed9c8ffc908980276c0a40f829a9b24d7b5e8d84b5ba834cddd460a7abde67ca9946bbb77a054d

Download Submit
C:\Windows\{1BDAD369-E9C8-4b06-9570-3160635CD934}.exe

Filesize
380KB

MD5
6e22b1bcae5499fb04e079d18a37662e

SHA1
7673e9a3f9e651ab9af96fcdca5b9c1b6b07fa86

SHA256
d12245de683c79bbc2de220b840ac3ffeec1c678a3d50e0bad193ff1424e4135

SHA512
dbcf1e5cef54f7641220f37b01425c91369d7a924731a8d7a5a30821cc41d0fd71748c337ea34fb7b315085ca7162c5e71f32a0cdeff39b87a23ae0055515f35

Download Submit
C:\Windows\{2291FDE7-B1D2-4669-A05F-E49D2C535855}.exe

Filesize
380KB

MD5
77ff1aa5c32cc3bc5b759483334071ed

SHA1
81cd4f884fcc2eddbf89855cc868e4fca7ce689f

SHA256
a6ddfe442d6492e92d88f07ac007d47797a2fee2480d6bfb922e6c0b2997c429

SHA512
d086b95b1012b5a271a865c423ebb44096bf5270d6659febb806ae9e8c84dabab88784e671a3bac868dae1b1c6ac5f5899ca6f2446d5e4bd63a72f0be90685d9

Download Submit
C:\Windows\{ACADDF28-3A91-4447-9F0C-6D4DA2DA13EF}.exe

Filesize
380KB

MD5
d46c73d73a1ed5e16e5779798cb5d63d

SHA1
fadea649112460602b584f7c5a0556933329ab6f

SHA256
fa3dea380d96d30bc4767263286e6efe9b9d1922d19794c635cca45f08f04e4d

SHA512
44d4c192c8a7097c52c15b2df62e5c2b124ec92cd96801923d0fb905b9d36b84aeefb94596356e728c49f3486023e2ab7c553c4d176558c0ed739e80beb6f66e

Download Submit
C:\Windows\{D337E811-F4F8-4a46-BA0E-0FC4C9232AFE}.exe

Filesize
380KB

MD5
08dc0503ad5a2e600fa412e10d514c12

SHA1
5ebd0039b33b3c75aa3919ba8ba4040e3cb88a82

SHA256
883d632aca4c7aa29fb8c2030b14c274eb8efadeb9a119ecc21aa82a65de4835

SHA512
dfc9acbbaee25b08cd3fe38562f5c1ad8b53351e0441e4ac1ff23eca253dc0323c0aea108a248edb9293e52ceea389ecd6be3fd1862b096bdb366a0d8dc0f820

Download Submit
C:\Windows\{D6962A66-6DDC-4aae-A050-B77C319FD47B}.exe

Filesize
380KB

MD5
5b364bf7fc7b736b117083ca91dc2141

SHA1
bd2ff7f7fd4ad3c71c9a512c8745eec2b4f8a0b0

SHA256
0f6d1b02519c978bc4c976f66218b90301c2ae337fd32c7c15d583d0fde1d7b7

SHA512
14505e0ba3852eb5f9e863092ea62621e918896c7c81412805a44e40efe213b4dd8e65694b8974d6e8588d2008e8624c5c31fc95fd05ea85cb2ea9aa4948111a

Download Submit
C:\Windows\{E6E1BEE3-21FE-4514-A550-9A5A8B650896}.exe

Filesize
380KB

MD5
8a673395427c824bfc0b0214c55f3b7d

SHA1
dcfe1789d339d9a7c6fcb915b72f0c08bd49ecb6

SHA256
a3ccbf8ff5716e9cb0bb22b6823dbd490d02120d5a60ff983dd88f12dc3b6f82

SHA512
f92704066f7d978e52297d1d6915e9b151e0e06f682d8d5c2d57e27e311e2a197adf1d18e61243b8b67e30ecb4a3fd4c2287534eaa768219b022c943f26aa8a0

Download Submit
C:\Windows\{E958EA2B-5E8B-47c4-B1AC-E6CC2A450D08}.exe

Filesize
380KB

MD5
a8e0dcf350d8c4b7a6e0ae82647613be

SHA1
244358e90d6e34d978ab096e87822f25ad37fd51

SHA256
db943975c87b407884d670bac82e4e9f078d8b2f46a021d59bd6ac049ba9c63a

SHA512
2ab5529367d7464cd03c50df04c79018b354288a2c3fbc682c324fc741709a88c4544cc3f4c59959515b64edc6c9b145f6cd279bdc81c0ccd2dcf9bf83f82e1a

Download Submit
C:\Windows\{FC06D7C6-9E4F-4be5-B986-F98582B4982F}.exe

Filesize
380KB

MD5
fb0c36f22773550ba13f9f7470f849fc

SHA1
a3f66f71530444a889fd8e040a7320702586e25c

SHA256
9943e2763883759cc1b9aa1a6e4add91116906183bc0865b1dd45e0e21fde310

SHA512
fa6700ef4332fa1e4d53154e3a9ec4e453ff1988439233ac15fabde776793e30969e787ae70800283238ab2f75eafaf2cab4508ef52376d74ee6089c1d09c2b9

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads