Analysis
-
max time kernel
118s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09/11/2024, 19:48
Static task
static1
Behavioral task
behavioral1
Sample
713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
Resource
win10v2004-20241007-en
General
-
Target
713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
-
Size
87KB
-
MD5
b0bf294b4fd731b84360e1bbcf4d8be0
-
SHA1
5e39a181470843c1714399e78af18103394629d2
-
SHA256
713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557
-
SHA512
07a99fece68a18e0f48dac4397638bf786352e40a02e154c6ed3ae6d35a01e57eb45980b55e7a44d0c7aa3f0641630e70302a218fb6a392a7a7509ae5e51d36e
-
SSDEEP
384:5bLwOs8AHsc4sM6whKiroZ4/CFsrdk5I1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUO3:5vw9816uhKiroZ4/wQNNrfrunMxVFj
Malware Config
Signatures
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
All keys below sit under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\ (the 32-bit view of HKLM\SOFTWARE, which is where a 32-bit process's writes land on x64; the cmd.exe children running from SysWOW64 confirm the chain is 32-bit). Rows are in execution order. Each stage registers the stub for the executable it drops, not for itself, so the persistence entry always points at the next stage.
description | ioc | Process
Key created | {2A83E85A-C878-44cd-95DE-102A0527132D} | 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
Set value (str) | {2A83E85A-C878-44cd-95DE-102A0527132D}\stubpath = "C:\\Windows\\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe" | 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
Key created | {EF3D00DF-2620-4e6c-876D-CD0EF1F8641F} | {2A83E85A-C878-44cd-95DE-102A0527132D}.exe
Set value (str) | {EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}\stubpath = "C:\\Windows\\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe" | {2A83E85A-C878-44cd-95DE-102A0527132D}.exe
Key created | {67AFF633-862C-4993-BA10-FDFEC2CF5D3D} | {EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
Set value (str) | {67AFF633-862C-4993-BA10-FDFEC2CF5D3D}\stubpath = "C:\\Windows\\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe" | {EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
Key created | {250A4FD9-7980-40f5-BF2A-52E26658F7C8} | {67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
Set value (str) | {250A4FD9-7980-40f5-BF2A-52E26658F7C8}\stubpath = "C:\\Windows\\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe" | {67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
Key created | {15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108} | {250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
Set value (str) | {15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}\stubpath = "C:\\Windows\\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe" | {250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
Key created | {F2917989-30B5-43c3-AD84-ECADD8E14EB3} | {15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
Set value (str) | {F2917989-30B5-43c3-AD84-ECADD8E14EB3}\stubpath = "C:\\Windows\\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe" | {15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
Key created | {E6ED2796-A7A8-4416-9CD7-094F8942CEEE} | {F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
Set value (str) | {E6ED2796-A7A8-4416-9CD7-094F8942CEEE}\stubpath = "C:\\Windows\\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe" | {F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
Key created | {3D6125C3-ACED-4f29-A858-66C03F1AD4D5} | {E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
Set value (str) | {3D6125C3-ACED-4f29-A858-66C03F1AD4D5}\stubpath = "C:\\Windows\\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe" | {E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
Key created | {502EDC23-3BDF-485c-82A9-C7C516523D6C} | {3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
Set value (str) | {502EDC23-3BDF-485c-82A9-C7C516523D6C}\stubpath = "C:\\Windows\\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe" | {3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
Executes dropped EXE 9 IoCs
pid | Process
2452 | {2A83E85A-C878-44cd-95DE-102A0527132D}.exe
3076 | {EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
4876 | {67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
4740 | {250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
4560 | {15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
5104 | {F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
4036 | {E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
4556 | {3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
3528 | {502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe
Drops file in Windows directory 9 IoCs
description | ioc | Process
File created | C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe | 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
File created | C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | {2A83E85A-C878-44cd-95DE-102A0527132D}.exe
File created | C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | {EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
File created | C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | {67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
File created | C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | {250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
File created | C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | {15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
File created | C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | {F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
File created | C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | {E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
File created | C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe | {3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
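The two signatures above (Active Setup stub registration and GUID-named executables dropped straight into C:\Windows) share one host-side check. The script below is an added hunt example, not part of the sandbox report and not code from the sample: it enumerates Active Setup Installed Components in both the 64-bit and WOW6432Node views, flags any StubPath that resolves to a GUID-named .exe directly under the Windows directory, and lists such files on disk with their SHA256. The registry and file locations are the real ones; the regex, the function names Get-SuspiciousActiveSetup and Get-GuidNamedExeInWindowsRoot and the output layout are my own choices.

```powershell
# Added hunt script (not from the report or the sample). Run from an elevated
# PowerShell session on the host under examination.

$installedComponents = @(
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components'
)

# GUID-named executable directly under the Windows directory, optionally quoted,
# e.g. "C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe". Legitimate stubs
# normally live under system32 (regsvr32.exe, rundll32.exe), which this does not match.
$guidExe         = '\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}\.exe'
$guidStubPattern = '^"?(?<path>[A-Za-z]:\\Windows\\' + $guidExe + ')"?'

function Get-SuspiciousActiveSetup {
    foreach ($root in $installedComponents) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            # Value name is case-insensitive; the sample writes it as "stubpath".
            $stub = (Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue).StubPath
            if ($stub -and $stub -match $guidStubPattern) {
                $file   = $Matches['path']
                $onDisk = Test-Path -LiteralPath $file
                [pscustomobject]@{
                    View       = if ($root -like '*WOW6432Node*') { '32-bit (WOW6432Node)' } else { '64-bit' }
                    Component  = $key.PSChildName
                    StubPath   = $stub
                    FileOnDisk = $onDisk
                    SHA256     = if ($onDisk) { (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash } else { $null }
                }
            }
        }
    }
}

function Get-GuidNamedExeInWindowsRoot {
    # The dropped stages in the report are written directly into C:\Windows, not a subfolder.
    Get-ChildItem -LiteralPath $env:SystemRoot -Filter '{*}.exe' -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match ('^' + $guidExe + '$') } |
        Select-Object FullName, Length, CreationTime, LastWriteTime,
            @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } }
}

$registryHits = @(Get-SuspiciousActiveSetup)
$fileHits     = @(Get-GuidNamedExeInWindowsRoot)

"Active Setup entries whose stub is a GUID-named exe in the Windows root: $($registryHits.Count)"
$registryHits | Format-Table -AutoSize
"GUID-named executables directly under ${env:SystemRoot}: $($fileHits.Count)"
$fileHits | Format-Table -AutoSize
```

Active Setup runs a component's StubPath at a user's next interactive logon when HKCU\Software\Microsoft\Active Setup\Installed Components\{GUID} is missing or carries an older Version, so a machine-level hit whose per-user counterpart already exists has most likely fired at least once for that user. Treat each hit as something to verify by hash and signer rather than as automatically malicious, and note that the stage files are deleted by the chain itself (see the cmd.exe children below), so FileOnDisk can be false for an entry that still points at a path.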
System Location Discovery: System Language Discovery 1 TTPs 19 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {2A83E85A-C878-44cd-95DE-102A0527132D}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | {502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (9 instances, one per deletion helper)
Suspicious use of AdjustPrivilegeToken 9 IoCs
description | pid | Process
Token: SeIncBasePriorityPrivilege | 1092 | 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe
Token: SeIncBasePriorityPrivilege | 2452 | {2A83E85A-C878-44cd-95DE-102A0527132D}.exe
Token: SeIncBasePriorityPrivilege | 3076 | {EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
Token: SeIncBasePriorityPrivilege | 4876 | {67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
Token: SeIncBasePriorityPrivilege | 4740 | {250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
Token: SeIncBasePriorityPrivilege | 4560 | {15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
Token: SeIncBasePriorityPrivilege | 5104 | {F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
Token: SeIncBasePriorityPrivilege | 4036 | {E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
Token: SeIncBasePriorityPrivilege | 4556 | {3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
Suspicious use of WriteProcessMemory 54 IoCs
The 54 raw records are 18 distinct parent/child pairs, each logged three times; one row per pair below, in chain order. Every stage writes into exactly two children: the next stage's executable and a cmd.exe.
description | pid | Process | target pid | procid_target
wrote to memory of | 1092 | 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | 2452 | 97
wrote to memory of | 1092 | 713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe | 4928 | 98
wrote to memory of | 2452 | {2A83E85A-C878-44cd-95DE-102A0527132D}.exe | 3076 | 102
wrote to memory of | 2452 | {2A83E85A-C878-44cd-95DE-102A0527132D}.exe | 3272 | 103
wrote to memory of | 3076 | {EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | 4876 | 107
wrote to memory of | 3076 | {EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe | 4516 | 108
wrote to memory of | 4876 | {67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | 4740 | 109
wrote to memory of | 4876 | {67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe | 644 | 110
wrote to memory of | 4740 | {250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | 4560 | 111
wrote to memory of | 4740 | {250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe | 3712 | 112
wrote to memory of | 4560 | {15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | 5104 | 113
wrote to memory of | 4560 | {15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe | 2604 | 114
wrote to memory of | 5104 | {F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | 4036 | 115
wrote to memory of | 5104 | {F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe | 4672 | 116
wrote to memory of | 4036 | {E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | 4556 | 117
wrote to memory of | 4036 | {E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe | 4764 | 118
wrote to memory of | 4556 | {3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | 3528 | 119
wrote to memory of | 4556 | {3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe | 2412 | 120
Processes
The nested process tree is flattened to one entry per process, ordered by chain position. Each stage launches the next stage from C:\Windows and a cmd.exe that deletes the stage's own image (referenced by its 8.3 short name). The cmd.exe image path is C:\Windows\SysWOW64\cmd.exe even though the command line names system32: WOW64 file system redirection for a 32-bit parent, consistent with the WOW6432Node registry writes above.

Level 1: C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe (PID 1092)
  command line: "C:\Users\Admin\AppData\Local\Temp\713ee2911fa4306c84b0966e1bf0a2f6031846d9707320399291cefb85db5557N.exe"
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 2 child: C:\Windows\SysWOW64\cmd.exe (PID 4928)
    command line: C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\713EE2~1.EXE > nul
    - System Location Discovery: System Language Discovery

Level 2: C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe (PID 2452, parent PID 1092)
  command line: C:\Windows\{2A83E85A-C878-44cd-95DE-102A0527132D}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 3 child: C:\Windows\SysWOW64\cmd.exe (PID 3272)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{2A83E~1.EXE > nul
    - System Location Discovery: System Language Discovery

Level 3: C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe (PID 3076, parent PID 2452)
  command line: C:\Windows\{EF3D00DF-2620-4e6c-876D-CD0EF1F8641F}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 4 child: C:\Windows\SysWOW64\cmd.exe (PID 4516)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{EF3D0~1.EXE > nul
    - System Location Discovery: System Language Discovery

Level 4: C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe (PID 4876, parent PID 3076)
  command line: C:\Windows\{67AFF633-862C-4993-BA10-FDFEC2CF5D3D}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 5 child: C:\Windows\SysWOW64\cmd.exe (PID 644)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{67AFF~1.EXE > nul
    - System Location Discovery: System Language Discovery

Level 5: C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe (PID 4740, parent PID 4876)
  command line: C:\Windows\{250A4FD9-7980-40f5-BF2A-52E26658F7C8}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 6 child: C:\Windows\SysWOW64\cmd.exe (PID 3712)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{250A4~1.EXE > nul
    - System Location Discovery: System Language Discovery

Level 6: C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe (PID 4560, parent PID 4740)
  command line: C:\Windows\{15B8B0A1-39E0-4e9b-9FD1-CFC6776BA108}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 7 child: C:\Windows\SysWOW64\cmd.exe (PID 2604)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{15B8B~1.EXE > nul
    - System Location Discovery: System Language Discovery

Level 7: C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe (PID 5104, parent PID 4560)
  command line: C:\Windows\{F2917989-30B5-43c3-AD84-ECADD8E14EB3}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 8 child: C:\Windows\SysWOW64\cmd.exe (PID 4672)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{F2917~1.EXE > nul
    - System Location Discovery: System Language Discovery

Level 8: C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe (PID 4036, parent PID 5104)
  command line: C:\Windows\{E6ED2796-A7A8-4416-9CD7-094F8942CEEE}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 9 child: C:\Windows\SysWOW64\cmd.exe (PID 4764)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{E6ED2~1.EXE > nul
    - System Location Discovery: System Language Discovery

Level 9: C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe (PID 4556, parent PID 4036)
  command line: C:\Windows\{3D6125C3-ACED-4f29-A858-66C03F1AD4D5}.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Level 10 child: C:\Windows\SysWOW64\cmd.exe (PID 2412)
    command line: C:\Windows\system32\cmd.exe /c del C:\Windows\{3D612~1.EXE > nul
    - System Location Discovery: System Language Discovery

Level 10: C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe (PID 3528, parent PID 4556)
  command line: C:\Windows\{502EDC23-3BDF-485c-82A9-C7C516523D6C}.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  No further stage, Active Setup write or deletion helper was recorded for this process within the analysis window.
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Nine 87KB artifacts, the same size as the submitted sample, each with a distinct hash. Hash-based matching on the submitted sample alone will therefore not catch the dropped stages; the C:\Windows\{GUID}.exe path pattern and the Active Setup entries are the more durable indicators.

1.
Filesize 87KB
MD5 2a2c04ac39201c8d046778757215f454
SHA1 78432332070cecae05d0d5594c682d84a54c30aa
SHA256 c85b0eec5600d942b8bfe485822a056667f550167faf89b556fefd9d49f1c747
SHA512 d11e58d672621a70ed9677d960030cab8327630418c2fe5d201a7722e57a74154f0c8330c8852635fd765b75e986dece616a1d464081d006ba19e37c5a7e0e93

2.
Filesize 87KB
MD5 0acb9e3a90c35532f9de3f3a37208c52
SHA1 4c33e5d1c6dcc5845c816e42880d64ad3958d24d
SHA256 30ab586b3759f869b348169a646264e0210b53d227db7c4093ecd4ff54b8804c
SHA512 a107fa6c0e86b600b5bfef7cee95673f1268b60377da84c32a264d9081fa7ace0931092bd0a8dbcc2aeac597256a07b894a6b9ac8afc1922a0e5d8de5c260c98

3.
Filesize 87KB
MD5 73c016645f066042e21ce34b2f5731e3
SHA1 e87aec85b28063342654bc7e2286fb10598d7552
SHA256 2561708509b6fb1c7a4eceb1c2148957f45b3dc3c780e0c0bef6667c25e8e639
SHA512 79711bf16828973a5f9433560152c5d1e23268dea585593597c835ac919196fbe150cca65d56b34dcfd450a6751da81609c66939c00d908f40effd1b91d8894e

4.
Filesize 87KB
MD5 9e90b1e21e136380008bce9beba943bb
SHA1 39be035e807330b6732a01bb5a8d3c724cfaeb82
SHA256 535105885bfc3c1d3a3e8e5a7336802b0bfb31c24bd3ed9039d876ab48a898e2
SHA512 9efa9e71741fd5cfec03421a4201b620398e5a029854e9a381f272eab94e6474c93ced078f9880885e147118f3eea3ccfe157bf5a604f44cbf7f5bfd030c7729

5.
Filesize 87KB
MD5 3ea8eb488d2c03a1b2aafc479bdad308
SHA1 7e0ebe05040e56e96c6e8d51e8d482c2be80f9f9
SHA256 a88c03e74d09f696d990d48a0590637966fa8ccc7d4f01e93e3f7c70be547e10
SHA512 8f9f2a2a6c76b00ca1350e371822d03f019dbf4a45f324227ea1054124fa347316999aa0e58f030a17191167915a42fe3d1322bb752151e0a6751e03832c15e8

6.
Filesize 87KB
MD5 44e87882e71544fdd1a39f9f0908e11f
SHA1 c1fc0e9bc84766474dda3ff15c7e31099f26bf4d
SHA256 e4ef5471c81d2045a471fab212d3844cda164b8fea18b90c78bb3f3586c5110a
SHA512 8889b9d19fe46a9be3e6a249dbda95e16c0e73af8b55506133617a8f706e120b863196d646b77759c3547fc72c35c1db3d2a086398aa0704bf06a786c414b4ef

7.
Filesize 87KB
MD5 5c89603187dd11d676859cd80d268cfb
SHA1 0c78dc4dbfc72d4bc94776b6011136a5877b965e
SHA256 99921341c32464844a3a5e258c505f4524ab4cff210be16d1fccf78e096b9e44
SHA512 28b2a2fdaceddeeef0df6f7516c117812512e4ad55e259e39b9299799f177a1acd2721efcdaa9e83a37429720e5cb97178db151a9cec38ce3befb3dd7362ed03

8.
Filesize 87KB
MD5 4d2c5e8ba4c00bcf43e75dcfd95cc460
SHA1 48ea815a62b0d818cb72a6c142cdd1e2afcb285e
SHA256 93227d22e9720e5ab8fef4d5b6c877ccfdab318eef3aeabba6aff3c9a5dfc3d5
SHA512 323ef6e7a2c1e9d36f7350378872738159f929927ea2b4b121547bc79f909e361796ee376d2e6a6c93c2e1656111548f82d2448661ed722a97a1dbcfbc2605c4

9.
Filesize 87KB
MD5 b0625623b1a0b5a4ee1b2c9c6cea6941
SHA1 a9b975b5cc8e718c6b906578d2bef5a4c7ac3fd7
SHA256 1063f7c06aa1aae9ef612bc6a765a05c4d526e6abfd92e6a098e33328abdfc00
SHA512 4c1d223b657df493721a18a896cb94833d04853c85af291be52d14926135c1288832406115a7160f175833b657a4e52f82d4414df90b070b9f0cbf7416e3159d