ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
Size

79KB
MD5

73ae5a63a08725057c33ff0b8f461051
SHA1

fe08e7d1ba9e540b43609dc160eed8f74e9c8d1f
SHA256

ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0
SHA512

28aea43b167cb2e5c598daf6ff27872ea08bca7a8c72aced92fdf2e66797d0067280030b0b9a8ed1a508477cb575baa131637cbbda240fdcd9288d077b055637
SSDEEP

768:4vw9816vhKQLroUN4/wQzXOQ69zbjlAAX5e9zp:wEGh0oYlGizbR9Xwzp

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8232E8FD-91E5-42ec-8337-828EFEB3E9FF}	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8232E8FD-91E5-42ec-8337-828EFEB3E9FF}\stubpath = "C:\\Windows\\{8232E8FD-91E5-42ec-8337-828EFEB3E9FF}.exe"	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67940CC7-08D9-42de-B760-982B6D559B89}	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{105E309A-2D6B-4e1b-8E26-28DE3612358A}\stubpath = "C:\\Windows\\{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe"	{67940CC7-08D9-42de-B760-982B6D559B89}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF8E7A6-7841-40f2-A339-BB01566BE17B}	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84190473-6930-4ba5-B594-48D71A8DBC2C}	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{67940CC7-08D9-42de-B760-982B6D559B89}\stubpath = "C:\\Windows\\{67940CC7-08D9-42de-B760-982B6D559B89}.exe"	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{105E309A-2D6B-4e1b-8E26-28DE3612358A}	{67940CC7-08D9-42de-B760-982B6D559B89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}\stubpath = "C:\\Windows\\{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe"	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{84190473-6930-4ba5-B594-48D71A8DBC2C}\stubpath = "C:\\Windows\\{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe"	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DBF8E7A6-7841-40f2-A339-BB01566BE17B}\stubpath = "C:\\Windows\\{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe"	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}\stubpath = "C:\\Windows\\{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe"	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}\stubpath = "C:\\Windows\\{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe"	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}\stubpath = "C:\\Windows\\{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe"	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe

Executes dropped EXE 9 IoCs

pid	Process
2544	{67940CC7-08D9-42de-B760-982B6D559B89}.exe
3976	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe
4296	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe
4824	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe
2696	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe
3540	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe
4696	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe
4016	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe
4436	{8232E8FD-91E5-42ec-8337-828EFEB3E9FF}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{8232E8FD-91E5-42ec-8337-828EFEB3E9FF}.exe	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe
File created	C:\Windows\{67940CC7-08D9-42de-B760-982B6D559B89}.exe	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
File created	C:\Windows\{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe
File created	C:\Windows\{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe
File created	C:\Windows\{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe
File created	C:\Windows\{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe
File created	C:\Windows\{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe
File created	C:\Windows\{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe	{67940CC7-08D9-42de-B760-982B6D559B89}.exe
File created	C:\Windows\{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{67940CC7-08D9-42de-B760-982B6D559B89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8232E8FD-91E5-42ec-8337-828EFEB3E9FF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	116	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
Token: SeIncBasePriorityPrivilege	2544	{67940CC7-08D9-42de-B760-982B6D559B89}.exe
Token: SeIncBasePriorityPrivilege	3976	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe
Token: SeIncBasePriorityPrivilege	4296	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe
Token: SeIncBasePriorityPrivilege	4824	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe
Token: SeIncBasePriorityPrivilege	2696	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe
Token: SeIncBasePriorityPrivilege	3540	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe
Token: SeIncBasePriorityPrivilege	4696	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe
Token: SeIncBasePriorityPrivilege	4016	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 2544	116	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	99
PID 116 wrote to memory of 2544	116	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	99
PID 116 wrote to memory of 2544	116	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	99
PID 116 wrote to memory of 1660	116	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	100
PID 116 wrote to memory of 1660	116	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	100
PID 116 wrote to memory of 1660	116	ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe	100
PID 2544 wrote to memory of 3976	2544	{67940CC7-08D9-42de-B760-982B6D559B89}.exe	101
PID 2544 wrote to memory of 3976	2544	{67940CC7-08D9-42de-B760-982B6D559B89}.exe	101
PID 2544 wrote to memory of 3976	2544	{67940CC7-08D9-42de-B760-982B6D559B89}.exe	101
PID 2544 wrote to memory of 3464	2544	{67940CC7-08D9-42de-B760-982B6D559B89}.exe	102
PID 2544 wrote to memory of 3464	2544	{67940CC7-08D9-42de-B760-982B6D559B89}.exe	102
PID 2544 wrote to memory of 3464	2544	{67940CC7-08D9-42de-B760-982B6D559B89}.exe	102
PID 3976 wrote to memory of 4296	3976	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe	106
PID 3976 wrote to memory of 4296	3976	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe	106
PID 3976 wrote to memory of 4296	3976	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe	106
PID 3976 wrote to memory of 4964	3976	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe	107
PID 3976 wrote to memory of 4964	3976	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe	107
PID 3976 wrote to memory of 4964	3976	{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe	107
PID 4296 wrote to memory of 4824	4296	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe	108
PID 4296 wrote to memory of 4824	4296	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe	108
PID 4296 wrote to memory of 4824	4296	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe	108
PID 4296 wrote to memory of 3920	4296	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe	109
PID 4296 wrote to memory of 3920	4296	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe	109
PID 4296 wrote to memory of 3920	4296	{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe	109
PID 4824 wrote to memory of 2696	4824	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe	111
PID 4824 wrote to memory of 2696	4824	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe	111
PID 4824 wrote to memory of 2696	4824	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe	111
PID 4824 wrote to memory of 2428	4824	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe	112
PID 4824 wrote to memory of 2428	4824	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe	112
PID 4824 wrote to memory of 2428	4824	{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe	112
PID 2696 wrote to memory of 3540	2696	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe	113
PID 2696 wrote to memory of 3540	2696	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe	113
PID 2696 wrote to memory of 3540	2696	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe	113
PID 2696 wrote to memory of 4568	2696	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe	114
PID 2696 wrote to memory of 4568	2696	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe	114
PID 2696 wrote to memory of 4568	2696	{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe	114
PID 3540 wrote to memory of 4696	3540	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe	115
PID 3540 wrote to memory of 4696	3540	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe	115
PID 3540 wrote to memory of 4696	3540	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe	115
PID 3540 wrote to memory of 3716	3540	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe	116
PID 3540 wrote to memory of 3716	3540	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe	116
PID 3540 wrote to memory of 3716	3540	{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe	116
PID 4696 wrote to memory of 4016	4696	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe	117
PID 4696 wrote to memory of 4016	4696	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe	117
PID 4696 wrote to memory of 4016	4696	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe	117
PID 4696 wrote to memory of 4420	4696	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe	118
PID 4696 wrote to memory of 4420	4696	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe	118
PID 4696 wrote to memory of 4420	4696	{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe	118
PID 4016 wrote to memory of 4436	4016	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe	119
PID 4016 wrote to memory of 4436	4016	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe	119
PID 4016 wrote to memory of 4436	4016	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe	119
PID 4016 wrote to memory of 3000	4016	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe	120
PID 4016 wrote to memory of 3000	4016	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe	120
PID 4016 wrote to memory of 3000	4016	{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe	120

C:\Users\Admin\AppData\Local\Temp\ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe
"C:\Users\Admin\AppData\Local\Temp\ec3a0f3dc0ce49d09dfc77ebf9d80bf68279a0a7d16dafa41b2f4144072fd5a0.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\{67940CC7-08D9-42de-B760-982B6D559B89}.exe
  C:\Windows\{67940CC7-08D9-42de-B760-982B6D559B89}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe
    C:\Windows\{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe
      C:\Windows\{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4296
    - - C:\Windows\{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe
        
        C:\Windows\{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4824
      - C:\Windows\{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe
        
        C:\Windows\{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe
        
        C:\Windows\{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3540
        
        C:\Windows\{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe
        
        C:\Windows\{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4696
        
        C:\Windows\{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe
        
        C:\Windows\{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4016
        
        C:\Windows\{8232E8FD-91E5-42ec-8337-828EFEB3E9FF}.exe
        
        C:\Windows\{8232E8FD-91E5-42ec-8337-828EFEB3E9FF}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47A9E~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{40BC9~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{84190~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4D034~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4568
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4AF19~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2428
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DBF8E~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3920
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{105E3~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{67940~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\EC3A0F~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{105E309A-2D6B-4e1b-8E26-28DE3612358A}.exe

Filesize
79KB

MD5
09bdefd5eadac7a5e18ae45343d3d6b0

SHA1
0aaa3a84a02902074b7f24f6216d9b42a05311ad

SHA256
cd8a1c6392eec406822f61ec39de1c15508e3ca303718c145ed9da811eabca97

SHA512
2618ab392435cb688cd28f388057f3f2f648be95765b54dad335643156f6b5e3e9707ff8130c907df9199f70c43efb1c8aaa2a2038340749b229387d3c2f31fa

Download Submit
C:\Windows\{40BC9C5A-26BB-4919-8F8C-6B8A887C9140}.exe

Filesize
79KB

MD5
289215c4740b03d7f8df21327cf3cc17

SHA1
8ace3b85455dc8e64d09b416f735245116bd8a06

SHA256
5ac93c4f23e4fa8687f5f81f7e531b5f93098d7b07f1419d9d70f0dd73b47c80

SHA512
551a23634a77b2c4447c285185dca71560c7d50399c730e631cd466c4dcff9237eb09b3cab70fd606dec54e48e2c6642a24fcd3a072a0459c586b26e80b9e60e

Download Submit
C:\Windows\{47A9EA84-FC1E-4df3-ADFB-FE3700A508DE}.exe

Filesize
79KB

MD5
8a4f4c62e52c859c4b05c65670605233

SHA1
ecf3018a5711108fd7ae2397e7b3a188e803aba9

SHA256
116039568ac84fcd59da64a57603ddbc496488dbc21004ea37ee88af0ec7ee12

SHA512
6f5271180091f6183564f5fa7842f972739524af369fa24e84f45d79138a3a03fed4c79f4e0265196c332191ca7dc29f9f9968862379b0c62092cc2e615f126c

Download Submit
C:\Windows\{4AF19E3F-CDFC-4fee-BD71-AAC6D78D5687}.exe

Filesize
79KB

MD5
d71d109f34f72b8d300e97e5a9b0d4d8

SHA1
1d06aab47365a4f3d24cfaba46ee06df34ed33c9

SHA256
ac19133e4b345fc2246c4d956077777b6ae4bd5be4ce058867358d1e2add9518

SHA512
f0b36a3085733939e271156e8cf4553401ba71780557d285af6d501ea48bfd302821e21973b3eb0d84fa1c72b5b9301199d1048874ea66d861260e25940d2971

Download Submit
C:\Windows\{4D034C4C-2A5E-4aa8-9814-D2E5A5C23438}.exe

Filesize
79KB

MD5
420a824ec223f50615b01eb087233066

SHA1
96217597d1e0a4a316627646f9948a2ceb2b080c

SHA256
06bafa35a560c0b4d12a3d891f57b11fc11068c191246b6a58e9865ce8bb56c1

SHA512
7813274d4464d8e0ddb0bf09599c534cddb333b8693357f5886920aba9889be266ece905e53cd085903e452a5ebe36c3969f46b6769b4381572926a665f40999

Download Submit
C:\Windows\{67940CC7-08D9-42de-B760-982B6D559B89}.exe

Filesize
79KB

MD5
5bde1b86d9de7917b2cebc9380c28c5d

SHA1
aa21601f59defda343fd68e23be31852217bb5be

SHA256
7e4d158b18d9c5b2fdb470ce40415296c498eb9b38428b71557eee1f071d7769

SHA512
e0484846c8df72faa72cf76ea7ef6e2957a081b32ad7d30b04966a0b5c095067996ddec72d701f209aec64d6365affc322b205ce30d1a864be76c71af61a5826

Download Submit
C:\Windows\{8232E8FD-91E5-42ec-8337-828EFEB3E9FF}.exe

Filesize
79KB

MD5
80c07cbf4f36959505644cbee949197e

SHA1
71b7726af3ff13b33945ea3ff63dfdcdaf0ff93a

SHA256
181cc061be5e4669da0c9fc50a0242e8ad070e2cfa90452b6d5cf911daebac64

SHA512
ff4b5d5263372892b63c4bad21547ea5285d7facda0fba4ffe6d039f98a1efa5fbc94beb69abfa554cdfa34a69c2aec6ac8283cf16ed8937bb5896c84e18cec0

Download Submit
C:\Windows\{84190473-6930-4ba5-B594-48D71A8DBC2C}.exe

Filesize
79KB

MD5
cc4442e83179f0a83a6ca26ed5c94109

SHA1
7e968aa02f1d6e2cb620b39f537d7dbab95e0c97

SHA256
b15fab569b0cd88515349ce3f50191e70c18dcc09edcbf17f7093e5ba7a0f0db

SHA512
ee9bb99ab9c169d85ba0a0fb8e08db438595d526df84c665a633cc8377a64ae84b1d3b2f3569204ff36c027a7bd20b68ec01de02751cecbe0a87ff278e6727f1

Download Submit
C:\Windows\{DBF8E7A6-7841-40f2-A339-BB01566BE17B}.exe

Filesize
79KB

MD5
2dffc636b1dd4fb11c9053be8719a395

SHA1
f9fdb9c51228c99db9ecc40184bae4d9f22e6f8a

SHA256
1e0a3d38b74d6055b6c6d1817538aff5cbf1cfe3e06bfe0cbb7a2e2bdf7489e7

SHA512
0ed62943c83a24775d361b19356a0d07a667c9ddf307ac4590698e81dce8d96ec22ec9dc237f450b2eefc6b963e11a4e35c3fc6ee70bd4ba396023f3927c7d62

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads