5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5be

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
Size

87KB
MD5

5c7b983e7118d8b304acb37b199281c0
SHA1

f6217fca224dcf85dd5f1e5c18dfe3f637493320
SHA256

5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5be
SHA512

86e76bb5b1ccc5b78b14ac33bec55aa474b3ebe3363d6699ca7327675aed35eef88cd0422e9ba37a7d8d433ec9bd98407a63758c7e2a4e0a3aeeced40c95ff70
SSDEEP

384:5bLwOs8AHsc4sM6whKiro04/CFsrdk5I1Nb7g7FX7XYfruVDtM9tQ/FKlnVwUUOP:5vw9816uhKiro04/wQNNrfrunMxVF7

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A525BE0-5E44-4593-AB5E-759D661C98FD}\stubpath = "C:\\Windows\\{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe"	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{222B22E6-7E93-4dad-A0B9-12E91E103B57}	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}\stubpath = "C:\\Windows\\{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe"	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BE768F2-973D-42db-B9DC-70CC383ECAB5}	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A525BE0-5E44-4593-AB5E-759D661C98FD}	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}\stubpath = "C:\\Windows\\{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe"	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A554F3C-4655-417f-B850-2783BCEBB37F}	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE7025FE-EAFB-44e6-A384-9E9969034E9B}\stubpath = "C:\\Windows\\{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe"	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43C57B71-A32C-460a-AFEB-763B6B0E4299}	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2BE768F2-973D-42db-B9DC-70CC383ECAB5}\stubpath = "C:\\Windows\\{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe"	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A554F3C-4655-417f-B850-2783BCEBB37F}\stubpath = "C:\\Windows\\{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe"	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{222B22E6-7E93-4dad-A0B9-12E91E103B57}\stubpath = "C:\\Windows\\{222B22E6-7E93-4dad-A0B9-12E91E103B57}.exe"	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43C57B71-A32C-460a-AFEB-763B6B0E4299}\stubpath = "C:\\Windows\\{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe"	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}\stubpath = "C:\\Windows\\{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe"	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DE7025FE-EAFB-44e6-A384-9E9969034E9B}	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe

Executes dropped EXE 9 IoCs

pid	Process
4228	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe
2608	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe
720	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe
4352	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe
4864	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe
4800	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe
2088	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe
3064	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe
2420	{222B22E6-7E93-4dad-A0B9-12E91E103B57}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe
File created	C:\Windows\{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe
File created	C:\Windows\{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe
File created	C:\Windows\{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe
File created	C:\Windows\{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe
File created	C:\Windows\{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe
File created	C:\Windows\{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe
File created	C:\Windows\{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
File created	C:\Windows\{222B22E6-7E93-4dad-A0B9-12E91E103B57}.exe	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{222B22E6-7E93-4dad-A0B9-12E91E103B57}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2496	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
Token: SeIncBasePriorityPrivilege	4228	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe
Token: SeIncBasePriorityPrivilege	2608	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe
Token: SeIncBasePriorityPrivilege	720	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe
Token: SeIncBasePriorityPrivilege	4352	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe
Token: SeIncBasePriorityPrivilege	4864	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe
Token: SeIncBasePriorityPrivilege	4800	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe
Token: SeIncBasePriorityPrivilege	2088	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe
Token: SeIncBasePriorityPrivilege	3064	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 4228	2496	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	94
PID 2496 wrote to memory of 4228	2496	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	94
PID 2496 wrote to memory of 4228	2496	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	94
PID 2496 wrote to memory of 4900	2496	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	95
PID 2496 wrote to memory of 4900	2496	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	95
PID 2496 wrote to memory of 4900	2496	5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe	95
PID 4228 wrote to memory of 2608	4228	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe	96
PID 4228 wrote to memory of 2608	4228	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe	96
PID 4228 wrote to memory of 2608	4228	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe	96
PID 4228 wrote to memory of 3008	4228	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe	97
PID 4228 wrote to memory of 3008	4228	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe	97
PID 4228 wrote to memory of 3008	4228	{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe	97
PID 2608 wrote to memory of 720	2608	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe	100
PID 2608 wrote to memory of 720	2608	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe	100
PID 2608 wrote to memory of 720	2608	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe	100
PID 2608 wrote to memory of 4448	2608	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe	101
PID 2608 wrote to memory of 4448	2608	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe	101
PID 2608 wrote to memory of 4448	2608	{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe	101
PID 720 wrote to memory of 4352	720	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe	102
PID 720 wrote to memory of 4352	720	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe	102
PID 720 wrote to memory of 4352	720	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe	102
PID 720 wrote to memory of 380	720	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe	103
PID 720 wrote to memory of 380	720	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe	103
PID 720 wrote to memory of 380	720	{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe	103
PID 4352 wrote to memory of 4864	4352	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe	104
PID 4352 wrote to memory of 4864	4352	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe	104
PID 4352 wrote to memory of 4864	4352	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe	104
PID 4352 wrote to memory of 3092	4352	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe	105
PID 4352 wrote to memory of 3092	4352	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe	105
PID 4352 wrote to memory of 3092	4352	{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe	105
PID 4864 wrote to memory of 4800	4864	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe	106
PID 4864 wrote to memory of 4800	4864	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe	106
PID 4864 wrote to memory of 4800	4864	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe	106
PID 4864 wrote to memory of 912	4864	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe	107
PID 4864 wrote to memory of 912	4864	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe	107
PID 4864 wrote to memory of 912	4864	{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe	107
PID 4800 wrote to memory of 2088	4800	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe	108
PID 4800 wrote to memory of 2088	4800	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe	108
PID 4800 wrote to memory of 2088	4800	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe	108
PID 4800 wrote to memory of 876	4800	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe	109
PID 4800 wrote to memory of 876	4800	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe	109
PID 4800 wrote to memory of 876	4800	{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe	109
PID 2088 wrote to memory of 3064	2088	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe	110
PID 2088 wrote to memory of 3064	2088	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe	110
PID 2088 wrote to memory of 3064	2088	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe	110
PID 2088 wrote to memory of 3480	2088	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe	111
PID 2088 wrote to memory of 3480	2088	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe	111
PID 2088 wrote to memory of 3480	2088	{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe	111
PID 3064 wrote to memory of 2420	3064	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe	112
PID 3064 wrote to memory of 2420	3064	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe	112
PID 3064 wrote to memory of 2420	3064	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe	112
PID 3064 wrote to memory of 2264	3064	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe	113
PID 3064 wrote to memory of 2264	3064	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe	113
PID 3064 wrote to memory of 2264	3064	{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe	113

C:\Users\Admin\AppData\Local\Temp\5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe
"C:\Users\Admin\AppData\Local\Temp\5f5667146b7abc3c6102e098bbf331dd71dfabb42b57063af2065fb78b67b5beN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe
  C:\Windows\{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe
    C:\Windows\{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe
      C:\Windows\{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:720
    - - C:\Windows\{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe
        
        C:\Windows\{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4352
      - C:\Windows\{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe
        
        C:\Windows\{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe
        
        C:\Windows\{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe
        
        C:\Windows\{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Windows\{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe
        
        C:\Windows\{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\{222B22E6-7E93-4dad-A0B9-12E91E103B57}.exe
        
        C:\Windows\{222B22E6-7E93-4dad-A0B9-12E91E103B57}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A554~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{74750~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3480
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A525~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2BE76~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:912
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FB589~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{43C57~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{FC09C~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DE702~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3008
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\5F5667~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A525BE0-5E44-4593-AB5E-759D661C98FD}.exe

Filesize
87KB

MD5
753c9c06ce1d306d2c3cdb3f93f7495b

SHA1
51f66ba17d4a0f0a91d79a98b8fa90cd031e034a

SHA256
8d61056fe464afd8d721810a8715a737b019c1d9e88e668ad6a698c0f798c1ba

SHA512
57e1fe859c7bbbd4f61512f5ebbc2098617c6b985138f22400c8c4e7306f3b15c5bc4ca4bddc538890e6fc70f05acdd00f9772e59a668fd6836509380a3fd1ef

Download Submit
C:\Windows\{222B22E6-7E93-4dad-A0B9-12E91E103B57}.exe

Filesize
87KB

MD5
d5a855b4699cee664fe7922b80110e50

SHA1
828deb7b1ae04c89876e74fe94355096f035ed62

SHA256
f985639a3ff74d2e8233141ea92c1347d2b528375ecda91653feb991d972c62b

SHA512
322e819adb7890191becb1b0b01d5d4098ed947e1be9de59ac96ce0bd3edd6a5936390d4eab4adf687e6ea49500879b2339eba2878574fb11dc23f368eb2272e

Download Submit
C:\Windows\{2BE768F2-973D-42db-B9DC-70CC383ECAB5}.exe

Filesize
87KB

MD5
78b6b0d6cc5b56da7a0548fd8b0f49da

SHA1
26d472ffc3aba7d64af32ca4d2ac47824d61198d

SHA256
dc6e7bbd4a768ee491c65a91e92e14fbeb6c1a6dce4c9fff877e994084254c8a

SHA512
7a23dd8f7dc26bb9550788e4ef0357d0c59a79599b47c04285f8a22a7459b2aae08529b524eb1e1924d50bac4e995baa67fec16925b02dac70b049fa2e24c990

Download Submit
C:\Windows\{43C57B71-A32C-460a-AFEB-763B6B0E4299}.exe

Filesize
87KB

MD5
b100fcd11d84780372443fe341712d58

SHA1
4d06e5a2a2ca7f1a38cea48fd330d4ce5ccf1835

SHA256
f677874e571b358ad0875b261e9bed1c958e4dfd8eaa879ce1ad30056eea6d8b

SHA512
0db791a5bc0ee9c4d94968f493218a86b61953626921a771cf78d4fbf8845141cbdc42329c4cbe6ddf075ae97f3e87a17afbf49377b8d17d2061d8fa688ae38f

Download Submit
C:\Windows\{4A554F3C-4655-417f-B850-2783BCEBB37F}.exe

Filesize
87KB

MD5
9862801d1988a68235608467aca5f4b9

SHA1
aff5a9d086a80c95d96ae0f41fe4996699f28d1f

SHA256
079e962cf11ae9a11c03f010fc16cf8b530636d0284d395428990651406036fc

SHA512
7a2fdec26ad50edab87c057dcd8fb9505fd68946932b0e6604ace60b669fc782951ca4b899141b1258c783670708b13a6517bf7a6025441aa5c30aa0862fcea2

Download Submit
C:\Windows\{747508EF-5DD6-44c2-AC18-B6D20BF69E7D}.exe

Filesize
87KB

MD5
1eec248484affb6db9a16c446edbbc3c

SHA1
0c1ad49778f719fd9230d6fa93f4d9edf2eb675c

SHA256
a8245c5d32f6f35c3e46461d6a79c27883a77e7574c806fbea50ce15bcf4ec40

SHA512
5dbe46affd8c67863feb15716251d06aa567170d9b284d286d58f663df11910e91fe293603471e9cd915e6bf713cc4fdbeffbf7e484eea0084805c36e5ecd57e

Download Submit
C:\Windows\{DE7025FE-EAFB-44e6-A384-9E9969034E9B}.exe

Filesize
87KB

MD5
2ba5dc693f90b931d7853d9ab92c7fe8

SHA1
408c0829421d82b70db18dd90774e405333125e8

SHA256
109e1c6d61fb49009c16a51cb9b11a877ef891e446d04a8eb55f024993a50c5e

SHA512
52d3af89908a83dbdf80dae6c59dafb2c47f1d92e101c9b8d05a5d6246c68880861c253a99f42bd39a2c06bbdbfa224e8b3642bf13716721d0a96bb1fb3d7348

Download Submit
C:\Windows\{FB5890A6-83B1-47f9-A69A-C96D4D7AB911}.exe

Filesize
87KB

MD5
6c955fcae2f1238d3ca9dbdbe26262ab

SHA1
083e031ccb797886c39ba5cf72eb24dd06b78f2f

SHA256
b1dd07d9d1e3f4e4010b3d2348f5e8782de8d4e7e39c3f88115dd668dc78684e

SHA512
50998a7a3a55ea516f12ba78a9502062d1f3ad91e5bf5b69a9adca97a6ac7b9a75180b65c612d52f7c98c2dcd22652cdf2751d5551e35dd4e9d92a4747c1ab25

Download Submit
C:\Windows\{FC09C0D3-30C8-4184-B35B-B6C4CA61632E}.exe

Filesize
87KB

MD5
e156b33e511f844d5cef87d044dece34

SHA1
4b9a8e0a12445fabeaf2b73856b3a825605f0c32

SHA256
0473bd1c43455c06296551873b5bf2c931262a967fa0d4089aeef053fdfff215

SHA512
65ac185e59f6bf625a7595df106735bfa5f519d748244f2d6052631f4a97b15a70bda98950ba8ef16c91631ca6ccae1eb05ac72951f4187e6124cb71f21a4c4a

Download Submit
memory/720-25-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/720-20-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2088-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2088-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2420-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2496-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2608-14-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3064-50-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3064-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4228-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4228-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4228-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4352-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4352-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4800-43-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4800-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4864-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4864-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads