90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae

Analysis

max time kernel
118s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
Size

88KB
MD5

1012b63cceb9f0a40384afb4752c81f5
SHA1

4d1bdaca23b6d3a8af9d61cc9fcd894b62538100
SHA256

90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae
SHA512

21682c33d4feab8b2328b8775c116e2837ef4195b0d2cdb09f1d69767e6fef4fbb892eee126a43e11e0139f5f4cceff75e8cfd4976c164faee1fa34c1b322e59
SSDEEP

768:Qvw9816vhKQLroO4/wQRN/frunMxVFA3b70:YEGh0oOlKunMxVS3H0

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0EE01D0-E863-4668-A815-6B94052680D9}	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0EE01D0-E863-4668-A815-6B94052680D9}\stubpath = "C:\\Windows\\{F0EE01D0-E863-4668-A815-6B94052680D9}.exe"	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7429665-7544-4922-8FAA-D53A779F84BB}\stubpath = "C:\\Windows\\{F7429665-7544-4922-8FAA-D53A779F84BB}.exe"	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4BE215B-48DF-4b00-95D4-727FA7474857}\stubpath = "C:\\Windows\\{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe"	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F934BC-7213-4d25-BBFE-D8593525C89F}\stubpath = "C:\\Windows\\{25F934BC-7213-4d25-BBFE-D8593525C89F}.exe"	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{229747A6-1833-400a-9166-CD353A4F471B}	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}\stubpath = "C:\\Windows\\{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe"	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F7429665-7544-4922-8FAA-D53A779F84BB}	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9946B57-B9C0-4b38-88FB-A398A5404418}	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A4BE215B-48DF-4b00-95D4-727FA7474857}	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}	{229747A6-1833-400a-9166-CD353A4F471B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}\stubpath = "C:\\Windows\\{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe"	{229747A6-1833-400a-9166-CD353A4F471B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{25F934BC-7213-4d25-BBFE-D8593525C89F}	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D077939-DA62-4165-BA55-EADFD6AC87E7}	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2D077939-DA62-4165-BA55-EADFD6AC87E7}\stubpath = "C:\\Windows\\{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe"	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C9946B57-B9C0-4b38-88FB-A398A5404418}\stubpath = "C:\\Windows\\{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe"	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{229747A6-1833-400a-9166-CD353A4F471B}\stubpath = "C:\\Windows\\{229747A6-1833-400a-9166-CD353A4F471B}.exe"	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe

Executes dropped EXE 9 IoCs

pid	Process
1228	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe
2992	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe
3988	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe
444	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe
216	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe
4840	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe
1448	{229747A6-1833-400a-9166-CD353A4F471B}.exe
4540	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe
5060	{25F934BC-7213-4d25-BBFE-D8593525C89F}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe
File created	C:\Windows\{F0EE01D0-E863-4668-A815-6B94052680D9}.exe	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe
File created	C:\Windows\{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe
File created	C:\Windows\{229747A6-1833-400a-9166-CD353A4F471B}.exe	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe
File created	C:\Windows\{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe	{229747A6-1833-400a-9166-CD353A4F471B}.exe
File created	C:\Windows\{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
File created	C:\Windows\{F7429665-7544-4922-8FAA-D53A779F84BB}.exe	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe
File created	C:\Windows\{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe
File created	C:\Windows\{25F934BC-7213-4d25-BBFE-D8593525C89F}.exe	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{229747A6-1833-400a-9166-CD353A4F471B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{25F934BC-7213-4d25-BBFE-D8593525C89F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2664	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
Token: SeIncBasePriorityPrivilege	1228	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe
Token: SeIncBasePriorityPrivilege	2992	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe
Token: SeIncBasePriorityPrivilege	3988	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe
Token: SeIncBasePriorityPrivilege	444	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe
Token: SeIncBasePriorityPrivilege	216	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe
Token: SeIncBasePriorityPrivilege	4840	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe
Token: SeIncBasePriorityPrivilege	1448	{229747A6-1833-400a-9166-CD353A4F471B}.exe
Token: SeIncBasePriorityPrivilege	4540	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 1228	2664	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	101
PID 2664 wrote to memory of 1228	2664	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	101
PID 2664 wrote to memory of 1228	2664	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	101
PID 2664 wrote to memory of 3232	2664	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	102
PID 2664 wrote to memory of 3232	2664	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	102
PID 2664 wrote to memory of 3232	2664	90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe	102
PID 1228 wrote to memory of 2992	1228	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe	103
PID 1228 wrote to memory of 2992	1228	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe	103
PID 1228 wrote to memory of 2992	1228	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe	103
PID 1228 wrote to memory of 3172	1228	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe	104
PID 1228 wrote to memory of 3172	1228	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe	104
PID 1228 wrote to memory of 3172	1228	{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe	104
PID 2992 wrote to memory of 3988	2992	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe	108
PID 2992 wrote to memory of 3988	2992	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe	108
PID 2992 wrote to memory of 3988	2992	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe	108
PID 2992 wrote to memory of 3936	2992	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe	109
PID 2992 wrote to memory of 3936	2992	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe	109
PID 2992 wrote to memory of 3936	2992	{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe	109
PID 3988 wrote to memory of 444	3988	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe	110
PID 3988 wrote to memory of 444	3988	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe	110
PID 3988 wrote to memory of 444	3988	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe	110
PID 3988 wrote to memory of 4036	3988	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe	111
PID 3988 wrote to memory of 4036	3988	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe	111
PID 3988 wrote to memory of 4036	3988	{F0EE01D0-E863-4668-A815-6B94052680D9}.exe	111
PID 444 wrote to memory of 216	444	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe	113
PID 444 wrote to memory of 216	444	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe	113
PID 444 wrote to memory of 216	444	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe	113
PID 444 wrote to memory of 3444	444	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe	114
PID 444 wrote to memory of 3444	444	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe	114
PID 444 wrote to memory of 3444	444	{F7429665-7544-4922-8FAA-D53A779F84BB}.exe	114
PID 216 wrote to memory of 4840	216	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe	115
PID 216 wrote to memory of 4840	216	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe	115
PID 216 wrote to memory of 4840	216	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe	115
PID 216 wrote to memory of 2716	216	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe	116
PID 216 wrote to memory of 2716	216	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe	116
PID 216 wrote to memory of 2716	216	{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe	116
PID 4840 wrote to memory of 1448	4840	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe	117
PID 4840 wrote to memory of 1448	4840	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe	117
PID 4840 wrote to memory of 1448	4840	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe	117
PID 4840 wrote to memory of 4724	4840	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe	118
PID 4840 wrote to memory of 4724	4840	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe	118
PID 4840 wrote to memory of 4724	4840	{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe	118
PID 1448 wrote to memory of 4540	1448	{229747A6-1833-400a-9166-CD353A4F471B}.exe	119
PID 1448 wrote to memory of 4540	1448	{229747A6-1833-400a-9166-CD353A4F471B}.exe	119
PID 1448 wrote to memory of 4540	1448	{229747A6-1833-400a-9166-CD353A4F471B}.exe	119
PID 1448 wrote to memory of 1936	1448	{229747A6-1833-400a-9166-CD353A4F471B}.exe	120
PID 1448 wrote to memory of 1936	1448	{229747A6-1833-400a-9166-CD353A4F471B}.exe	120
PID 1448 wrote to memory of 1936	1448	{229747A6-1833-400a-9166-CD353A4F471B}.exe	120
PID 4540 wrote to memory of 5060	4540	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe	121
PID 4540 wrote to memory of 5060	4540	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe	121
PID 4540 wrote to memory of 5060	4540	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe	121
PID 4540 wrote to memory of 1716	4540	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe	122
PID 4540 wrote to memory of 1716	4540	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe	122
PID 4540 wrote to memory of 1716	4540	{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe	122

C:\Users\Admin\AppData\Local\Temp\90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe
"C:\Users\Admin\AppData\Local\Temp\90f08ef641529c0ba1fd58aeb45c932711f1ac5faa64cf3d8133ad01a79c5cae.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe
  C:\Windows\{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe
    C:\Windows\{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\{F0EE01D0-E863-4668-A815-6B94052680D9}.exe
      C:\Windows\{F0EE01D0-E863-4668-A815-6B94052680D9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3988
    - - C:\Windows\{F7429665-7544-4922-8FAA-D53A779F84BB}.exe
        
        C:\Windows\{F7429665-7544-4922-8FAA-D53A779F84BB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:444
      - C:\Windows\{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe
        
        C:\Windows\{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:216
        
        C:\Windows\{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe
        
        C:\Windows\{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\{229747A6-1833-400a-9166-CD353A4F471B}.exe
        
        C:\Windows\{229747A6-1833-400a-9166-CD353A4F471B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe
        
        C:\Windows\{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\{25F934BC-7213-4d25-BBFE-D8593525C89F}.exe
        
        C:\Windows\{25F934BC-7213-4d25-BBFE-D8593525C89F}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5060
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DAFEE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{22974~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4BE2~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C9946~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F7429~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0EE0~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{2D077~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3936
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{86EB5~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3172
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\90F08E~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{229747A6-1833-400a-9166-CD353A4F471B}.exe

Filesize
88KB

MD5
9de21cb7985e585629a75e2834688a47

SHA1
116510e719be7d36621850624042422bcae42fcf

SHA256
427f2e5aa94c1ed6bdc265a887bf59829ec88524a8ea997aee07a198773cce7a

SHA512
d577733006edbfc8fe5b344ecc116d53a6cb41076fc3924e756fe4127f47150dcaea523ba9b349c2aef7bf2d16e46501969cbcb98f547e9bf1708ca7b79912da

Download Submit
C:\Windows\{25F934BC-7213-4d25-BBFE-D8593525C89F}.exe

Filesize
88KB

MD5
483e48bf3eb606abe1f8521128154292

SHA1
2e1ac0dce9dcd9cf0dc3526b82aa35cfce2ca40a

SHA256
d901f196fbdfa60b792e71f3fffcd5ef327914dbc09f2835fd97ee0c637c0dea

SHA512
fa50870d50794bdf45bf11c0cfd98600fc0111856108e66fdf6fb6c390b89889adc558a09727e7cb83bd36329a631af198906653a3e12206311ef98ad625b155

Download Submit
C:\Windows\{2D077939-DA62-4165-BA55-EADFD6AC87E7}.exe

Filesize
88KB

MD5
c8017d2bc99ef994eb77c51440258c05

SHA1
689bbe5c30192565a359d29a36623e39fd683a7d

SHA256
c90fdc97b2bcdfc2b110a3b8b5b4f2b65e1c00354ae6cdb520ebf1c361dacfc4

SHA512
8a3284a89272323d6cda7b0f63fe992a67a1444781035e19e23aeee5f48f677e3e0ea72902f605cc881559afe03e1f7980c2d4e23c39e62c2220f5aa4859eb17

Download Submit
C:\Windows\{86EB5D9A-DEEF-48c9-81CC-48B462708DBA}.exe

Filesize
88KB

MD5
a39473c60ddc0155c2f8505a76b4f869

SHA1
44ca52191dc6402368dd4631df2519e820f310cb

SHA256
0e7109bf9b14fda6de581244ed93f44434be5031916a57a85a610314bdd9de8c

SHA512
799175e96e3513de2c3b8e95d5625df17b4c58f186f6f87d26f4bce52a768a1e7f36c0cb5f2a10b519448827dfd9d7e35471aae0cd0522a1aaa2696067e1833d

Download Submit
C:\Windows\{A4BE215B-48DF-4b00-95D4-727FA7474857}.exe

Filesize
88KB

MD5
ae79b50a91ddbba2ff8e0e15870465e9

SHA1
3e34cab6d00365c8e48da311fad2019452b1fd44

SHA256
e445fcc85a2e1ef379bbebc52b25e318213afc68bdd6c1bab7a60da5404a0973

SHA512
a90db8b4869e8636ebf7fe49ae2804c250a4dd2cb366c15485a2d2e0ffe9446e1c765f4a0ca2f1d8b978d48f8eafa7eaf7e6f60742ab9747c9e8d225e40559f0

Download Submit
C:\Windows\{C9946B57-B9C0-4b38-88FB-A398A5404418}.exe

Filesize
88KB

MD5
6626c9bdc71434fc02cf8e77007f0e04

SHA1
a879aabe5c416cbedec7e9cc9ab6012d5f3d6723

SHA256
35e1e079724a6185d518cfe294b0879d8a44ead64602d5403af41ff9ddffc134

SHA512
6e97e9dc0c1fe1fdad5170a32d84821e5887e92aa8ec25b11ac052a22afad3aa71f583c414e1d924cf0cd67b0ae64eddb27090a0a9c17d63756592a9fc176c51

Download Submit
C:\Windows\{DAFEE078-0F30-44c3-B81C-EAD7B5D749E6}.exe

Filesize
88KB

MD5
4fbf7abbbd6b57cbeb34bf67c4390a67

SHA1
376ed25d74e90bce5a2560e2898dfe58a36dcc6a

SHA256
2b6ca2691044e7c414cd45e3893d627ba0bf4212d6beba1436cc083832264636

SHA512
d66ac2ac4441798d449b3b2f92d39c5cd438b15bcff829453ac5e6f5ba9f517d59258be0b67f88225f426ed21eeb40f4a096310afc37c0bfdb0b7710d7e84f65

Download Submit
C:\Windows\{F0EE01D0-E863-4668-A815-6B94052680D9}.exe

Filesize
88KB

MD5
5674e2f6fb631c687ea13dc8a35f8246

SHA1
8c6c7c0b7ef1c1fea33c399d958d655945aec6ca

SHA256
d7c004ccbf8a3ab47b52f29af26b875bccc36c611107fc8e300250e2986277e4

SHA512
0bb6aa20d5a830a1a37a257142102a10770f0c04a6e75bac2421da16b308a4eb796eb7f9d4b84aa0135808320fcc6766a5159755b0c95667cf1673efad088908

Download Submit
C:\Windows\{F7429665-7544-4922-8FAA-D53A779F84BB}.exe

Filesize
88KB

MD5
fb4f4451b48ee1bc6d2a7ffd9325ecfb

SHA1
dd86a6fa5a1e82a8ead07a4ca028a486c095c0c6

SHA256
f061fae94a366643e8b05d25c7e3ce99c614f59826bf8d8aaa83a34fc6345265

SHA512
411d0652e46ca7d1e0e7e74a0a57bee52fa94b4d9a6a58d5274898cd6a6fb3da9f7a2170de998981a70c7a4ee965ce6291ecb5a30368db877e5aad3065ab437e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads