d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc

Analysis

max time kernel
149s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe
Size

64KB
MD5

73a0bad04b0af52e433ef384de21ddd7
SHA1

3e96465da02d594a0851ad47f04013eb4956f49f
SHA256

d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc
SHA512

5b37b9251a537fb1876217117a2fe995db7beaa9bee4c648758885cbcc830a5fc0e7aee96d794ed35aa6c9cf80f7b2d189aa0db651a878333e6f0dae9d7ee07e
SSDEEP

192:ObOzawOs81elJHsc45ecRZOgtShcWaOT2QLrCqwXY04/CFxyNhoy5t1:ObLwOs8AHsc4QMfwhKQLrop4/CFsrd1

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}\stubpath = "C:\\Windows\\{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe"	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}\stubpath = "C:\\Windows\\{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe"	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10662194-DDB1-4186-8015-D184615C5EF1}	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}	{10662194-DDB1-4186-8015-D184615C5EF1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}\stubpath = "C:\\Windows\\{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe"	{10662194-DDB1-4186-8015-D184615C5EF1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DF9F1D9-82A2-4651-B556-785B38F4D551}	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00BE052E-7714-4bbd-A556-9DAC34E9FADA}\stubpath = "C:\\Windows\\{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe"	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}	{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}\stubpath = "C:\\Windows\\{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe"	{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4279EB5-D27F-44b5-B3F7-D9B055F4FC44}\stubpath = "C:\\Windows\\{D4279EB5-D27F-44b5-B3F7-D9B055F4FC44}.exe"	{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}\stubpath = "C:\\Windows\\{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe"	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{00BE052E-7714-4bbd-A556-9DAC34E9FADA}	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D4279EB5-D27F-44b5-B3F7-D9B055F4FC44}	{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}\stubpath = "C:\\Windows\\{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe"	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}\stubpath = "C:\\Windows\\{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe"	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}\stubpath = "C:\\Windows\\{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe"	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{10662194-DDB1-4186-8015-D184615C5EF1}\stubpath = "C:\\Windows\\{10662194-DDB1-4186-8015-D184615C5EF1}.exe"	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2DF9F1D9-82A2-4651-B556-785B38F4D551}\stubpath = "C:\\Windows\\{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe"	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe

Executes dropped EXE 12 IoCs

pid	Process
912	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe
4936	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe
1524	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe
400	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe
4052	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe
1528	{10662194-DDB1-4186-8015-D184615C5EF1}.exe
1980	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe
2160	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe
3316	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe
4972	{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe
1520	{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe
3280	{D4279EB5-D27F-44b5-B3F7-D9B055F4FC44}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe
File created	C:\Windows\{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe	{10662194-DDB1-4186-8015-D184615C5EF1}.exe
File created	C:\Windows\{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe
File created	C:\Windows\{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe
File created	C:\Windows\{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe
File created	C:\Windows\{D4279EB5-D27F-44b5-B3F7-D9B055F4FC44}.exe	{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe
File created	C:\Windows\{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe
File created	C:\Windows\{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe
File created	C:\Windows\{10662194-DDB1-4186-8015-D184615C5EF1}.exe	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe
File created	C:\Windows\{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe	{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe
File created	C:\Windows\{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe
File created	C:\Windows\{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{10662194-DDB1-4186-8015-D184615C5EF1}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D4279EB5-D27F-44b5-B3F7-D9B055F4FC44}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1208	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe
Token: SeIncBasePriorityPrivilege	912	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe
Token: SeIncBasePriorityPrivilege	4936	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe
Token: SeIncBasePriorityPrivilege	1524	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe
Token: SeIncBasePriorityPrivilege	400	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe
Token: SeIncBasePriorityPrivilege	4052	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe
Token: SeIncBasePriorityPrivilege	1528	{10662194-DDB1-4186-8015-D184615C5EF1}.exe
Token: SeIncBasePriorityPrivilege	1980	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe
Token: SeIncBasePriorityPrivilege	2160	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe
Token: SeIncBasePriorityPrivilege	3316	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe
Token: SeIncBasePriorityPrivilege	4972	{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe
Token: SeIncBasePriorityPrivilege	1520	{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 912	1208	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe	99
PID 1208 wrote to memory of 912	1208	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe	99
PID 1208 wrote to memory of 912	1208	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe	99
PID 1208 wrote to memory of 3164	1208	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe	100
PID 1208 wrote to memory of 3164	1208	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe	100
PID 1208 wrote to memory of 3164	1208	d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe	100
PID 912 wrote to memory of 4936	912	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe	101
PID 912 wrote to memory of 4936	912	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe	101
PID 912 wrote to memory of 4936	912	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe	101
PID 912 wrote to memory of 5060	912	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe	102
PID 912 wrote to memory of 5060	912	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe	102
PID 912 wrote to memory of 5060	912	{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe	102
PID 4936 wrote to memory of 1524	4936	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe	106
PID 4936 wrote to memory of 1524	4936	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe	106
PID 4936 wrote to memory of 1524	4936	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe	106
PID 4936 wrote to memory of 3660	4936	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe	107
PID 4936 wrote to memory of 3660	4936	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe	107
PID 4936 wrote to memory of 3660	4936	{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe	107
PID 1524 wrote to memory of 400	1524	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe	108
PID 1524 wrote to memory of 400	1524	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe	108
PID 1524 wrote to memory of 400	1524	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe	108
PID 1524 wrote to memory of 4736	1524	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe	109
PID 1524 wrote to memory of 4736	1524	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe	109
PID 1524 wrote to memory of 4736	1524	{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe	109
PID 400 wrote to memory of 4052	400	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe	111
PID 400 wrote to memory of 4052	400	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe	111
PID 400 wrote to memory of 4052	400	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe	111
PID 400 wrote to memory of 3860	400	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe	112
PID 400 wrote to memory of 3860	400	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe	112
PID 400 wrote to memory of 3860	400	{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe	112
PID 4052 wrote to memory of 1528	4052	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe	113
PID 4052 wrote to memory of 1528	4052	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe	113
PID 4052 wrote to memory of 1528	4052	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe	113
PID 4052 wrote to memory of 5116	4052	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe	114
PID 4052 wrote to memory of 5116	4052	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe	114
PID 4052 wrote to memory of 5116	4052	{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe	114
PID 1528 wrote to memory of 1980	1528	{10662194-DDB1-4186-8015-D184615C5EF1}.exe	115
PID 1528 wrote to memory of 1980	1528	{10662194-DDB1-4186-8015-D184615C5EF1}.exe	115
PID 1528 wrote to memory of 1980	1528	{10662194-DDB1-4186-8015-D184615C5EF1}.exe	115
PID 1528 wrote to memory of 2832	1528	{10662194-DDB1-4186-8015-D184615C5EF1}.exe	116
PID 1528 wrote to memory of 2832	1528	{10662194-DDB1-4186-8015-D184615C5EF1}.exe	116
PID 1528 wrote to memory of 2832	1528	{10662194-DDB1-4186-8015-D184615C5EF1}.exe	116
PID 1980 wrote to memory of 2160	1980	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe	117
PID 1980 wrote to memory of 2160	1980	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe	117
PID 1980 wrote to memory of 2160	1980	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe	117
PID 1980 wrote to memory of 3180	1980	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe	118
PID 1980 wrote to memory of 3180	1980	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe	118
PID 1980 wrote to memory of 3180	1980	{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe	118
PID 2160 wrote to memory of 3316	2160	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe	119
PID 2160 wrote to memory of 3316	2160	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe	119
PID 2160 wrote to memory of 3316	2160	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe	119
PID 2160 wrote to memory of 1312	2160	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe	120
PID 2160 wrote to memory of 1312	2160	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe	120
PID 2160 wrote to memory of 1312	2160	{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe	120
PID 3316 wrote to memory of 4972	3316	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe	121
PID 3316 wrote to memory of 4972	3316	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe	121
PID 3316 wrote to memory of 4972	3316	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe	121
PID 3316 wrote to memory of 4436	3316	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe	122
PID 3316 wrote to memory of 4436	3316	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe	122
PID 3316 wrote to memory of 4436	3316	{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe	122
PID 4972 wrote to memory of 1520	4972	{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe	123
PID 4972 wrote to memory of 1520	4972	{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe	123
PID 4972 wrote to memory of 1520	4972	{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe	123
PID 4972 wrote to memory of 2652	4972	{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe	124

C:\Users\Admin\AppData\Local\Temp\d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe
"C:\Users\Admin\AppData\Local\Temp\d8c5e4dd5d8dd55a68c8ff754e6f7a64468861e3db20d91f7885061d2840aadc.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe
  C:\Windows\{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Windows\{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe
    C:\Windows\{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Windows\{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe
      C:\Windows\{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1524
    - - C:\Windows\{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe
        
        C:\Windows\{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:400
      - C:\Windows\{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe
        
        C:\Windows\{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4052
        
        C:\Windows\{10662194-DDB1-4186-8015-D184615C5EF1}.exe
        
        C:\Windows\{10662194-DDB1-4186-8015-D184615C5EF1}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe
        
        C:\Windows\{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe
        
        C:\Windows\{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe
        
        C:\Windows\{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3316
        
        C:\Windows\{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe
        
        C:\Windows\{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe
        
        C:\Windows\{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\{D4279EB5-D27F-44b5-B3F7-D9B055F4FC44}.exe
        
        C:\Windows\{D4279EB5-D27F-44b5-B3F7-D9B055F4FC44}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3280
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EC654~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E7CBB~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{00BE0~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2DF9F~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DF392~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{10662~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E2F74~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5116
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EDDF4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3860
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F6299~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{AA1A6~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3660
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{D5CBF~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5060
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D8C5E4~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{00BE052E-7714-4bbd-A556-9DAC34E9FADA}.exe

Filesize
64KB

MD5
33cf8379f3d5341fdd6eaa20ae3dd3f8

SHA1
766d5602f12bc9e5274bca58938fc3986e2e36cb

SHA256
f5ea31d9363b08c028f6b9930e7857392742c34e98cd87c5b65d713f020f86b6

SHA512
009f3e7eccb6bfb172e8eb5efc8850433619144405de066e7496c0c20086aab25b661b8c89dc4f6ca96163bd71b7ec405fed5f371b0deade831f4089a57d479b

Download Submit
C:\Windows\{10662194-DDB1-4186-8015-D184615C5EF1}.exe

Filesize
64KB

MD5
2fc36a7013f6db1bc2684c59e3527c3f

SHA1
63f9c69e6128dd91e160704a91d2f492271597f6

SHA256
a266d2b793b0041b88d0a49b3430d0081abaf42857c4fec926d0c4524d3cb432

SHA512
ea475eb6eb782bd45fc96fb6d0d563f58556608c6c52dfa0128abf566a96664ce43a92555b08645c590bc9c7f7618f40e0231cdc79d978fe0ff5a5708bd02586

Download Submit
C:\Windows\{2DF9F1D9-82A2-4651-B556-785B38F4D551}.exe

Filesize
64KB

MD5
6c931e4ad70533bb86ece46b1310b8de

SHA1
0bea7a2ebd658ab06b65b04d2f8bf65184848b4e

SHA256
f84bd3347a9bc51e08500b513e63ba63c70f1ab73d27a139497adbb0845183c7

SHA512
aadee14477f1375655c3033d2c64a406dad3ca93ad83c0cecb9d08ea81939ab81d82e1d5f43b68ae4d1e700b2cdd197f9224af8eb0dbdfe395c820bea0f0413f

Download Submit
C:\Windows\{AA1A6638-6082-4eda-A3A2-6D0F32660F9C}.exe

Filesize
64KB

MD5
92dcefa8aabc78daa00d021706697ac7

SHA1
89e989f8e9c009c658125e81b134913997878a34

SHA256
9b4c23e6c76cb5a86810c193f8189af9dd82a5620e214baf537e9fa722a9b8c7

SHA512
65ac974e573aa8b660c1a5611c90402d536064fbccbd0d67cb005a5e1ccd211f9fdbb1466eac3b6b96104ac944ade6d827f8b6780b3f0ea8fd185a471d9854f1

Download Submit
C:\Windows\{D4279EB5-D27F-44b5-B3F7-D9B055F4FC44}.exe

Filesize
64KB

MD5
92352f4018a093041889c5cf2e2e845f

SHA1
cba7a0446c14677e8a2f9605213190ba3cd2e130

SHA256
c1357ab2c994b9ebd89903ea4f84a13a7ef107b8defd91a954396fc8a9271a0a

SHA512
22247850f34ff6c1004916d0fc139464f5ec07a5f2e87e95181e0024201d5983e1779a5f90a5f9c283b29c693b4a2481be8219ebe826c8d17c3363b53e60f794

Download Submit
C:\Windows\{D5CBFE6E-2BA4-45bd-A8F7-2C5B4D68CDF0}.exe

Filesize
64KB

MD5
5e21bf1d796c8377d58acf35f7e3bdf0

SHA1
8bdb25d234bc0730d91c2dbfb550cb0bc5f8eec0

SHA256
0c6f6b12b2182e30b52df89b2a4ac27ce7fd019349b52e1c3497a26541776ef3

SHA512
db0298dfb17ef7ae0e8b0fa4c5a0cedeb71977eb995f19397c02d2a2281fa7d3b52216493c14fe83a89d79dda6afe6eae874e059564a76780c18cd36cd2f8fdc

Download Submit
C:\Windows\{DF392441-3CE4-4c1c-B87B-B2874E3DAF84}.exe

Filesize
64KB

MD5
8aac9443fe2b0d9b2c17bc1a1c89ee7d

SHA1
9efe1b628d3746f6495bd3a5f8d7cab653857e83

SHA256
f8bfcb4fe085699f75ba317fe91f02b40161013d47857f513701ad9c634cfb61

SHA512
eee1757bb73da3b22402f95d7dce5717eee552eef0949d02c4087f16aff003b20e34a267ec2c8372ffd5f5222ce84e569a8fc4a272255889edf828382ac5d0c4

Download Submit
C:\Windows\{E2F74CAC-C32B-4025-AD22-A072E44E2BFD}.exe

Filesize
64KB

MD5
31fab3a32789b501deca8d4465d44ee6

SHA1
07cf5e8a558dbbd16ec8b7a07dbf4d419ceacbac

SHA256
c46df40e539db5a50572d56151cf51a378cc29345acbf880bc8999edc88f5fc3

SHA512
706f3c4cab39290abd9a14b53107ca577fa53ed992ea1ce124eaedfdeac1632662b091985647518681988e837875c0b2f6aa7a83e2cddb3f290c909699a8f4d1

Download Submit
C:\Windows\{E7CBB3CC-4626-45b1-88A3-5CCACD079F57}.exe

Filesize
64KB

MD5
344d0f7592fb8d6e2b945cafd42ca13a

SHA1
9db421e41db4e6295d407836445e286c4d7d4394

SHA256
6c393f16fa73a0d0a26c41b486ede4e84699fdaf9848557a972ab4c4ad594e9b

SHA512
8581818cad081cb6df6de4bb83ae4ee6843d4511115d06b2a1907fa398f0e5359b5bdffe8aee3dfb26f259419aae99e00e63500f568c74344df90e6c3c559507

Download Submit
C:\Windows\{EC654D8C-73EA-479e-9CE0-8E7BE4B277A9}.exe

Filesize
64KB

MD5
0637ad3d8fc41417c07dfab4953475b5

SHA1
a33e70a48f12debad4ffd1309a3984ed083159d5

SHA256
fde0656e944b3e884b032ce45c1747a04cf036c02a711282d9cbfcf624dd8158

SHA512
be64272353533e3f91ec18ba985b49b2474ed926f8524768081e76bc884e8f9cbe394de6f2585156d78ca3dca65939088b465ef205af58734a22a4890df64713

Download Submit
C:\Windows\{EDDF46C3-E65B-4317-BC2D-CEBC00687BF4}.exe

Filesize
64KB

MD5
bdfed974dbe6ca41819ba3cdb690c9c8

SHA1
aa35aab7b7f9d8cc39f112988892162e8ce11bd0

SHA256
412b80fa410b8986c89d3b7b3bd8c169967f20e301b1d66fd125be84c201c8ce

SHA512
7022b13fb9cfbc8d84f28442e155228784e5bd35dc339253da02aa9974bec66257e9396b2a10ba75b95fd860086eaf830334b0f7231e095b333d65ec32a71b10

Download Submit
C:\Windows\{F6299E38-F62E-477f-9CAE-0586EDEC4C8E}.exe

Filesize
64KB

MD5
d449351dd2ea49e657d94af29b5e7651

SHA1
0506f032ade08bc56854b2c3fd88800c866974c8

SHA256
a7848693013b4be19d18c175101a83386526114f1d828dbfd04a1f5d7e8d819d

SHA512
16f28dab97bf373d1e680f7e01d9b4c274760fc5681582300cf15674093a7bec68a99584b7f7c6d8edd73d33478c4e3e555f0b983162a55ab53a4249eade6ed7

Download Submit
memory/400-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/400-25-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/912-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/912-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1208-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1208-7-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1208-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1520-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1520-70-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1524-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1528-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1980-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2160-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2160-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3280-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3316-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3316-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4052-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4052-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4936-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4936-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4972-63-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4972-59-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads