a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe
Size

89KB
MD5

49a81dfb663d039613d3042213bde9f6
SHA1

b97e6624b58d18ad87669de1fa6092d93d342c13
SHA256

a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f
SHA512

1a931ed945c2dc1432a2ff9bfec51a1b9cacff8b248e7d5fe66d246a118251ecc64b05c06254d3327acf462b92e70048d4b9a5a2c27197bc63674a16b99b22a9
SSDEEP

768:Qvw9816vhKQLro54/wQRNrfrunMxVFA3b7gli:YEGh0o5l2unMxVS3Hgw

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C280C8F2-84A8-4ebf-8430-C0B6068E737B}	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04AB2199-529F-4f24-9924-E8175EEAE883}	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{04AB2199-529F-4f24-9924-E8175EEAE883}\stubpath = "C:\\Windows\\{04AB2199-529F-4f24-9924-E8175EEAE883}.exe"	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{427B8155-A05C-4404-9B52-305BBB105A89}	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9DDB7DA-9B10-496e-8397-73BEA367167D}	{427B8155-A05C-4404-9B52-305BBB105A89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FBACB80-946B-458d-B8ED-5E20A070B440}\stubpath = "C:\\Windows\\{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe"	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{910CBED4-8677-49b0-9FF5-48E524C5E3BB}	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F02150B1-C514-44eb-87E9-4AE705A6B7E7}\stubpath = "C:\\Windows\\{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe"	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF3BC05C-97CA-4a46-A9C0-183667D8541D}\stubpath = "C:\\Windows\\{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe"	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E9DDB7DA-9B10-496e-8397-73BEA367167D}\stubpath = "C:\\Windows\\{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe"	{427B8155-A05C-4404-9B52-305BBB105A89}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3A62420-C8DD-48d6-B927-F022CDEEF4B2}\stubpath = "C:\\Windows\\{A3A62420-C8DD-48d6-B927-F022CDEEF4B2}.exe"	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C280C8F2-84A8-4ebf-8430-C0B6068E737B}\stubpath = "C:\\Windows\\{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe"	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF3BC05C-97CA-4a46-A9C0-183667D8541D}	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{910CBED4-8677-49b0-9FF5-48E524C5E3BB}\stubpath = "C:\\Windows\\{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe"	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F02150B1-C514-44eb-87E9-4AE705A6B7E7}	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{427B8155-A05C-4404-9B52-305BBB105A89}\stubpath = "C:\\Windows\\{427B8155-A05C-4404-9B52-305BBB105A89}.exe"	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5FBACB80-946B-458d-B8ED-5E20A070B440}	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A3A62420-C8DD-48d6-B927-F022CDEEF4B2}	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe

Executes dropped EXE 9 IoCs

pid	Process
3400	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe
1688	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe
4400	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe
460	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe
3684	{427B8155-A05C-4404-9B52-305BBB105A89}.exe
3468	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe
1408	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe
1740	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe
4588	{A3A62420-C8DD-48d6-B927-F022CDEEF4B2}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe
File created	C:\Windows\{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe
File created	C:\Windows\{A3A62420-C8DD-48d6-B927-F022CDEEF4B2}.exe	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe
File created	C:\Windows\{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe
File created	C:\Windows\{04AB2199-529F-4f24-9924-E8175EEAE883}.exe	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe
File created	C:\Windows\{427B8155-A05C-4404-9B52-305BBB105A89}.exe	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe
File created	C:\Windows\{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe
File created	C:\Windows\{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe
File created	C:\Windows\{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe	{427B8155-A05C-4404-9B52-305BBB105A89}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{427B8155-A05C-4404-9B52-305BBB105A89}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A3A62420-C8DD-48d6-B927-F022CDEEF4B2}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1340	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe
Token: SeIncBasePriorityPrivilege	3400	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe
Token: SeIncBasePriorityPrivilege	1688	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe
Token: SeIncBasePriorityPrivilege	4400	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe
Token: SeIncBasePriorityPrivilege	460	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe
Token: SeIncBasePriorityPrivilege	3684	{427B8155-A05C-4404-9B52-305BBB105A89}.exe
Token: SeIncBasePriorityPrivilege	3468	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe
Token: SeIncBasePriorityPrivilege	1408	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe
Token: SeIncBasePriorityPrivilege	1740	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 3400	1340	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe	99
PID 1340 wrote to memory of 3400	1340	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe	99
PID 1340 wrote to memory of 3400	1340	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe	99
PID 1340 wrote to memory of 4212	1340	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe	100
PID 1340 wrote to memory of 4212	1340	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe	100
PID 1340 wrote to memory of 4212	1340	a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe	100
PID 3400 wrote to memory of 1688	3400	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe	101
PID 3400 wrote to memory of 1688	3400	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe	101
PID 3400 wrote to memory of 1688	3400	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe	101
PID 3400 wrote to memory of 928	3400	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe	102
PID 3400 wrote to memory of 928	3400	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe	102
PID 3400 wrote to memory of 928	3400	{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe	102
PID 1688 wrote to memory of 4400	1688	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe	106
PID 1688 wrote to memory of 4400	1688	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe	106
PID 1688 wrote to memory of 4400	1688	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe	106
PID 1688 wrote to memory of 4884	1688	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe	107
PID 1688 wrote to memory of 4884	1688	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe	107
PID 1688 wrote to memory of 4884	1688	{04AB2199-529F-4f24-9924-E8175EEAE883}.exe	107
PID 4400 wrote to memory of 460	4400	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe	108
PID 4400 wrote to memory of 460	4400	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe	108
PID 4400 wrote to memory of 460	4400	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe	108
PID 4400 wrote to memory of 5076	4400	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe	109
PID 4400 wrote to memory of 5076	4400	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe	109
PID 4400 wrote to memory of 5076	4400	{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe	109
PID 460 wrote to memory of 3684	460	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe	111
PID 460 wrote to memory of 3684	460	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe	111
PID 460 wrote to memory of 3684	460	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe	111
PID 460 wrote to memory of 3128	460	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe	112
PID 460 wrote to memory of 3128	460	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe	112
PID 460 wrote to memory of 3128	460	{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe	112
PID 3684 wrote to memory of 3468	3684	{427B8155-A05C-4404-9B52-305BBB105A89}.exe	113
PID 3684 wrote to memory of 3468	3684	{427B8155-A05C-4404-9B52-305BBB105A89}.exe	113
PID 3684 wrote to memory of 3468	3684	{427B8155-A05C-4404-9B52-305BBB105A89}.exe	113
PID 3684 wrote to memory of 4640	3684	{427B8155-A05C-4404-9B52-305BBB105A89}.exe	114
PID 3684 wrote to memory of 4640	3684	{427B8155-A05C-4404-9B52-305BBB105A89}.exe	114
PID 3684 wrote to memory of 4640	3684	{427B8155-A05C-4404-9B52-305BBB105A89}.exe	114
PID 3468 wrote to memory of 1408	3468	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe	115
PID 3468 wrote to memory of 1408	3468	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe	115
PID 3468 wrote to memory of 1408	3468	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe	115
PID 3468 wrote to memory of 4912	3468	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe	116
PID 3468 wrote to memory of 4912	3468	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe	116
PID 3468 wrote to memory of 4912	3468	{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe	116
PID 1408 wrote to memory of 1740	1408	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe	117
PID 1408 wrote to memory of 1740	1408	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe	117
PID 1408 wrote to memory of 1740	1408	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe	117
PID 1408 wrote to memory of 1456	1408	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe	118
PID 1408 wrote to memory of 1456	1408	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe	118
PID 1408 wrote to memory of 1456	1408	{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe	118
PID 1740 wrote to memory of 4588	1740	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe	119
PID 1740 wrote to memory of 4588	1740	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe	119
PID 1740 wrote to memory of 4588	1740	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe	119
PID 1740 wrote to memory of 372	1740	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe	120
PID 1740 wrote to memory of 372	1740	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe	120
PID 1740 wrote to memory of 372	1740	{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe	120

C:\Users\Admin\AppData\Local\Temp\a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe
"C:\Users\Admin\AppData\Local\Temp\a4072e8eaeb6b20ac1cf86e4c41749c36cceb40874f1b7aa91436273659e812f.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1340
- C:\Windows\{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe
  C:\Windows\{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\{04AB2199-529F-4f24-9924-E8175EEAE883}.exe
    C:\Windows\{04AB2199-529F-4f24-9924-E8175EEAE883}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe
      C:\Windows\{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4400
    - - C:\Windows\{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe
        
        C:\Windows\{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:460
      - C:\Windows\{427B8155-A05C-4404-9B52-305BBB105A89}.exe
        
        C:\Windows\{427B8155-A05C-4404-9B52-305BBB105A89}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe
        
        C:\Windows\{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe
        
        C:\Windows\{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe
        
        C:\Windows\{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\{A3A62420-C8DD-48d6-B927-F022CDEEF4B2}.exe
        
        C:\Windows\{A3A62420-C8DD-48d6-B927-F022CDEEF4B2}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4588
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{910CB~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5FBAC~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E9DDB~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{427B8~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF3BC~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F0215~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{04AB2~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C280C~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\A4072E~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04AB2199-529F-4f24-9924-E8175EEAE883}.exe

Filesize
89KB

MD5
d4f99e870555fbf27e9cbfd988e0c7b3

SHA1
13ea7013453477ae6ed71aee0bcab2755d15ef6c

SHA256
18f5e67e281117bf50872d3db5c76401f93f73a5557f96421e5b06c7faea61f1

SHA512
00d35fd5f94f5e50026bfac0e429dfe29a2c293d94d7b9d3506dda3ac95cc6c02899bbe540904d583eefb1abc7a91332379573d352610fc2db1a1502ab067be3

Download Submit
C:\Windows\{427B8155-A05C-4404-9B52-305BBB105A89}.exe

Filesize
89KB

MD5
07fa0a4eb889edfff80d4309ce123851

SHA1
c5c79e79633b1e808906905a00568891f028ea94

SHA256
8eb54be7cbe75b527142e7cee018c1e56d9e27ca093ea5abfc8a9a05980737bd

SHA512
28c82ea2e9100c9fd2809f48c092ab481a9baace68670e63bdffc2f9688ba10181ec95192b0b5ddd2ea37f5b37a7ae43d8e182cfb427b0294dcb03e8799d9e45

Download Submit
C:\Windows\{5FBACB80-946B-458d-B8ED-5E20A070B440}.exe

Filesize
89KB

MD5
91fcebd474a7d44193a6a7866db41fb4

SHA1
ab8cac48c27394285bf9eb047b0c7bd109c35fe7

SHA256
e6c62215652cfdab4e1e98577bf3cdac544224a4effc23b8d6d265853c9d8632

SHA512
aef884ad1e8cb44127b8028bbed17d8377e113b45e5adea6a16bfab331d03a95f83740c682b269742615d9bc92e786545fb082c80ff8b21dc670310bcbf8d6b3

Download Submit
C:\Windows\{910CBED4-8677-49b0-9FF5-48E524C5E3BB}.exe

Filesize
89KB

MD5
ccbe75b7b6414f53b75bec3d052272a6

SHA1
97ac399b59d1742505f6e68a49d8dd32a644c8e3

SHA256
c13b281e979874b33f875487de9d355d801025849a417cb23bf21ae76d6a21c7

SHA512
8226d714196f0106891f3a715e12cb1b00858ce0a1f784ba1792c8c6ec5a70b8cc49842ba97cb4001846ea9da9f644ce2a0ace4bdaf60a14c075c123970abcc3

Download Submit
C:\Windows\{A3A62420-C8DD-48d6-B927-F022CDEEF4B2}.exe

Filesize
89KB

MD5
cfa03ce4af421468e9c85419e6099a2a

SHA1
3edc19fa213cd91a2dd6a2356ed487d71e92b933

SHA256
0c325277dfa56d8215dbb3e613cbcbde36358be601f82d5d6d791f504de5e2a2

SHA512
12d1153aba2a4f9ca1c1315774e4b035c98cfc64f652e292889f830100488a47daae7c2111a6a7500180fbf16a6f8738db12ede54391a17d5b2c08a79de1b223

Download Submit
C:\Windows\{C280C8F2-84A8-4ebf-8430-C0B6068E737B}.exe

Filesize
89KB

MD5
89a802edd08733bc1fd9c690a87322b9

SHA1
017b92aadd39d0d359c71ce7d6c3506266f6e000

SHA256
f6cd25db20ac52e71ebf70eb0e1fdd17c922773875443904eb0e9e5ec34ca575

SHA512
537a1f954c37cc91d2da339af54a48b769b475c8470d9506fab78af4aa8f2e2ade3f270d9745328ea44a2f5cc33b5bf0a37ddd3e415574496346914d40be4e5d

Download Submit
C:\Windows\{E9DDB7DA-9B10-496e-8397-73BEA367167D}.exe

Filesize
89KB

MD5
21b9a7af03ed40fb9a6bc4cdea9733d7

SHA1
1dc67107c7157de60bd186fa45ff7e9a36a5ed28

SHA256
6b3af9a0859f8e85f494bfc635561f0e74cc14615da21b51a77c6a0b29ddbf48

SHA512
25015e03f43027a78361c98c95fdca9473685efebfa4637fcfd57f8d9827ae1e8e713ca4fbea1fe549e50f7e763d17dddd2d2e576b2a6560db20ef76dc56d5f4

Download Submit
C:\Windows\{F02150B1-C514-44eb-87E9-4AE705A6B7E7}.exe

Filesize
89KB

MD5
811fa43639a4e22c99f4201ac86d4ebf

SHA1
4ad28a747a9fb233ae39a82ccfc293dc4c9c1894

SHA256
95425064343c9e88ef0ccf293f3e868ce8b3dd73d0f2b7ca62b9fb0d9628757e

SHA512
3d41e3a6546ad44a098362096d80e7281635e183d2f3d78abe95c9af1e29b292dc783794b4923b43d2bfbdaa06dee738d02bba1566b419d30b15e33f2cfea086

Download Submit
C:\Windows\{FF3BC05C-97CA-4a46-A9C0-183667D8541D}.exe

Filesize
89KB

MD5
623c93258b0b57321fe72de5a52afd00

SHA1
68dc49328b71f2c44d061c68230e00afa40e3203

SHA256
4f46a20d4895a744b0f8e0f61c5f7187da7559e30ced943a2579ac81ac10cfc7

SHA512
d2383ebbf0d2e4c2c95751ed009d23facca54984b90fcddb4a9f4532efbaf1fd17e98c6ff76b0301ca84aa78da953c4826a73180ab2c7aee17dfdef9c9d60aca

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads