d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1

Analysis

max time kernel
144s
max time network
118s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
11/01/2025, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
Size

64KB
MD5

5ad1006fa53718b28aef93a8070b25db
SHA1

43a6b6b04b2f157c6e9c903e01c864abe59776ef
SHA256

d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1
SHA512

1c7801601ff271c9169bd73fa0366eaee8dfc22938273994c86d3f6b3d70d18066c21091f4acee342ef479dc8def2fadbb5cf688a9d8137d7a338407bada392b
SSDEEP

384:ObLwOs8AHsc42MfwhKQLrox4/CFsrdHWMZE:Ovw981EvhKQLrox4/wQpWMZE

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}\stubpath = "C:\\Windows\\{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe"	{457B664A-680E-4efb-A695-32F0A5322C41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A156D25D-92E5-4223-B73A-FF1D5BA05221}	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D90B87E0-8F54-4265-B40F-F497797657BB}	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D90B87E0-8F54-4265-B40F-F497797657BB}\stubpath = "C:\\Windows\\{D90B87E0-8F54-4265-B40F-F497797657BB}.exe"	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}\stubpath = "C:\\Windows\\{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe"	{D90B87E0-8F54-4265-B40F-F497797657BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C745D04-C41B-4aa5-8EAB-494059C73EAD}\stubpath = "C:\\Windows\\{4C745D04-C41B-4aa5-8EAB-494059C73EAD}.exe"	{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C542E54A-632E-4795-AF11-943C6700A4CF}	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4C745D04-C41B-4aa5-8EAB-494059C73EAD}	{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457B664A-680E-4efb-A695-32F0A5322C41}	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C79765E4-4486-4f3a-A131-1746B3D1C6CB}\stubpath = "C:\\Windows\\{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe"	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C575B7B4-690F-4499-B20E-BF104CB70752}	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A156D25D-92E5-4223-B73A-FF1D5BA05221}\stubpath = "C:\\Windows\\{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe"	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C542E54A-632E-4795-AF11-943C6700A4CF}\stubpath = "C:\\Windows\\{C542E54A-632E-4795-AF11-943C6700A4CF}.exe"	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}	{D90B87E0-8F54-4265-B40F-F497797657BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DA4BA25-29B3-456d-BD76-D11D28301240}\stubpath = "C:\\Windows\\{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe"	{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{457B664A-680E-4efb-A695-32F0A5322C41}\stubpath = "C:\\Windows\\{457B664A-680E-4efb-A695-32F0A5322C41}.exe"	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}	{457B664A-680E-4efb-A695-32F0A5322C41}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C79765E4-4486-4f3a-A131-1746B3D1C6CB}	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C575B7B4-690F-4499-B20E-BF104CB70752}\stubpath = "C:\\Windows\\{C575B7B4-690F-4499-B20E-BF104CB70752}.exe"	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44FCF4A2-F750-475c-ADF5-AE62D164827A}	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{44FCF4A2-F750-475c-ADF5-AE62D164827A}\stubpath = "C:\\Windows\\{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe"	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7DA4BA25-29B3-456d-BD76-D11D28301240}	{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe

Deletes itself 1 IoCs

pid	Process
2940	cmd.exe

Executes dropped EXE 11 IoCs

pid	Process
1884	{457B664A-680E-4efb-A695-32F0A5322C41}.exe
2168	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe
2528	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe
2732	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe
316	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe
1252	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe
1948	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe
3044	{D90B87E0-8F54-4265-B40F-F497797657BB}.exe
2196	{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe
2664	{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe
304	{4C745D04-C41B-4aa5-8EAB-494059C73EAD}.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe	{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe
File created	C:\Windows\{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe	{457B664A-680E-4efb-A695-32F0A5322C41}.exe
File created	C:\Windows\{C575B7B4-690F-4499-B20E-BF104CB70752}.exe	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe
File created	C:\Windows\{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe
File created	C:\Windows\{C542E54A-632E-4795-AF11-943C6700A4CF}.exe	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe
File created	C:\Windows\{D90B87E0-8F54-4265-B40F-F497797657BB}.exe	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe
File created	C:\Windows\{457B664A-680E-4efb-A695-32F0A5322C41}.exe	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
File created	C:\Windows\{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe
File created	C:\Windows\{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe
File created	C:\Windows\{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe	{D90B87E0-8F54-4265-B40F-F497797657BB}.exe
File created	C:\Windows\{4C745D04-C41B-4aa5-8EAB-494059C73EAD}.exe	{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{457B664A-680E-4efb-A695-32F0A5322C41}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D90B87E0-8F54-4265-B40F-F497797657BB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4C745D04-C41B-4aa5-8EAB-494059C73EAD}.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2612	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
Token: SeIncBasePriorityPrivilege	1884	{457B664A-680E-4efb-A695-32F0A5322C41}.exe
Token: SeIncBasePriorityPrivilege	2168	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe
Token: SeIncBasePriorityPrivilege	2528	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe
Token: SeIncBasePriorityPrivilege	2732	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe
Token: SeIncBasePriorityPrivilege	316	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe
Token: SeIncBasePriorityPrivilege	1252	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe
Token: SeIncBasePriorityPrivilege	1948	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe
Token: SeIncBasePriorityPrivilege	3044	{D90B87E0-8F54-4265-B40F-F497797657BB}.exe
Token: SeIncBasePriorityPrivilege	2196	{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe
Token: SeIncBasePriorityPrivilege	2664	{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 1884	2612	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	31
PID 2612 wrote to memory of 1884	2612	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	31
PID 2612 wrote to memory of 1884	2612	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	31
PID 2612 wrote to memory of 1884	2612	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	31
PID 2612 wrote to memory of 2940	2612	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	32
PID 2612 wrote to memory of 2940	2612	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	32
PID 2612 wrote to memory of 2940	2612	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	32
PID 2612 wrote to memory of 2940	2612	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	32
PID 1884 wrote to memory of 2168	1884	{457B664A-680E-4efb-A695-32F0A5322C41}.exe	33
PID 1884 wrote to memory of 2168	1884	{457B664A-680E-4efb-A695-32F0A5322C41}.exe	33
PID 1884 wrote to memory of 2168	1884	{457B664A-680E-4efb-A695-32F0A5322C41}.exe	33
PID 1884 wrote to memory of 2168	1884	{457B664A-680E-4efb-A695-32F0A5322C41}.exe	33
PID 1884 wrote to memory of 2928	1884	{457B664A-680E-4efb-A695-32F0A5322C41}.exe	34
PID 1884 wrote to memory of 2928	1884	{457B664A-680E-4efb-A695-32F0A5322C41}.exe	34
PID 1884 wrote to memory of 2928	1884	{457B664A-680E-4efb-A695-32F0A5322C41}.exe	34
PID 1884 wrote to memory of 2928	1884	{457B664A-680E-4efb-A695-32F0A5322C41}.exe	34
PID 2168 wrote to memory of 2528	2168	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe	35
PID 2168 wrote to memory of 2528	2168	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe	35
PID 2168 wrote to memory of 2528	2168	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe	35
PID 2168 wrote to memory of 2528	2168	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe	35
PID 2168 wrote to memory of 2848	2168	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe	36
PID 2168 wrote to memory of 2848	2168	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe	36
PID 2168 wrote to memory of 2848	2168	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe	36
PID 2168 wrote to memory of 2848	2168	{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe	36
PID 2528 wrote to memory of 2732	2528	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe	37
PID 2528 wrote to memory of 2732	2528	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe	37
PID 2528 wrote to memory of 2732	2528	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe	37
PID 2528 wrote to memory of 2732	2528	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe	37
PID 2528 wrote to memory of 2508	2528	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe	38
PID 2528 wrote to memory of 2508	2528	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe	38
PID 2528 wrote to memory of 2508	2528	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe	38
PID 2528 wrote to memory of 2508	2528	{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe	38
PID 2732 wrote to memory of 316	2732	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe	39
PID 2732 wrote to memory of 316	2732	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe	39
PID 2732 wrote to memory of 316	2732	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe	39
PID 2732 wrote to memory of 316	2732	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe	39
PID 2732 wrote to memory of 1980	2732	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe	40
PID 2732 wrote to memory of 1980	2732	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe	40
PID 2732 wrote to memory of 1980	2732	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe	40
PID 2732 wrote to memory of 1980	2732	{C575B7B4-690F-4499-B20E-BF104CB70752}.exe	40
PID 316 wrote to memory of 1252	316	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe	41
PID 316 wrote to memory of 1252	316	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe	41
PID 316 wrote to memory of 1252	316	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe	41
PID 316 wrote to memory of 1252	316	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe	41
PID 316 wrote to memory of 376	316	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe	42
PID 316 wrote to memory of 376	316	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe	42
PID 316 wrote to memory of 376	316	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe	42
PID 316 wrote to memory of 376	316	{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe	42
PID 1252 wrote to memory of 1948	1252	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe	43
PID 1252 wrote to memory of 1948	1252	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe	43
PID 1252 wrote to memory of 1948	1252	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe	43
PID 1252 wrote to memory of 1948	1252	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe	43
PID 1252 wrote to memory of 1640	1252	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe	44
PID 1252 wrote to memory of 1640	1252	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe	44
PID 1252 wrote to memory of 1640	1252	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe	44
PID 1252 wrote to memory of 1640	1252	{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe	44
PID 1948 wrote to memory of 3044	1948	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe	45
PID 1948 wrote to memory of 3044	1948	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe	45
PID 1948 wrote to memory of 3044	1948	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe	45
PID 1948 wrote to memory of 3044	1948	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe	45
PID 1948 wrote to memory of 3028	1948	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe	46
PID 1948 wrote to memory of 3028	1948	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe	46
PID 1948 wrote to memory of 3028	1948	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe	46
PID 1948 wrote to memory of 3028	1948	{C542E54A-632E-4795-AF11-943C6700A4CF}.exe	46

C:\Users\Admin\AppData\Local\Temp\d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
"C:\Users\Admin\AppData\Local\Temp\d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\{457B664A-680E-4efb-A695-32F0A5322C41}.exe
  C:\Windows\{457B664A-680E-4efb-A695-32F0A5322C41}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe
    C:\Windows\{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe
      C:\Windows\{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\{C575B7B4-690F-4499-B20E-BF104CB70752}.exe
        
        C:\Windows\{C575B7B4-690F-4499-B20E-BF104CB70752}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe
        
        C:\Windows\{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:316
        
        C:\Windows\{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe
        
        C:\Windows\{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1252
        
        C:\Windows\{C542E54A-632E-4795-AF11-943C6700A4CF}.exe
        
        C:\Windows\{C542E54A-632E-4795-AF11-943C6700A4CF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\{D90B87E0-8F54-4265-B40F-F497797657BB}.exe
        
        C:\Windows\{D90B87E0-8F54-4265-B40F-F497797657BB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
        
        C:\Windows\{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe
        
        C:\Windows\{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe
        
        C:\Windows\{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\{4C745D04-C41B-4aa5-8EAB-494059C73EAD}.exe
        
        C:\Windows\{4C745D04-C41B-4aa5-8EAB-494059C73EAD}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:304
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7DA4B~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5B4BD~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D90B8~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C542E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{44FCF~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A156D~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:376
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C575B~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C7976~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{DCE9B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{457B6~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D17B65~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{44FCF4A2-F750-475c-ADF5-AE62D164827A}.exe

Filesize
64KB

MD5
e3d43258a4f42dae6bb6d7ca3724379c

SHA1
9bd031536663f278c3b50d4a35aca5cdfa7c19cf

SHA256
dad0cdb1abb47a355f0860e70e237aa5d9fcfe72390cddda6c7821b2658251f0

SHA512
7c0b428842cd2c89f47f048d6c0a791eb50ce0810eaf2cfc35e2b5ac3ba7cdfee7952cd59fae53f7941f440ff397d3d29188038cb85c08f99624e294671e2697

Download Submit
C:\Windows\{457B664A-680E-4efb-A695-32F0A5322C41}.exe

Filesize
64KB

MD5
c06a1280cde828ad5e1a3cbdb55265f8

SHA1
4170107aad3a637d598b312bbdc39ccea8536391

SHA256
706f8e970c5079344b49b02908a91a23b73dc2227a7c9c43721098d69cb0ebd3

SHA512
f14e9efe37efd740761f7a96722a25bd378590505c8d467df3bc9117efca149c1ee27541bdfa4261d95d06b70f84783d451ede78922692b8c48f70d4674e7ed3

Download Submit
C:\Windows\{4C745D04-C41B-4aa5-8EAB-494059C73EAD}.exe

Filesize
64KB

MD5
1bbe286c2c67e64562be95cdfc2374f7

SHA1
b81992e5de1d10d3f2fb3242416df36cae9ad0e4

SHA256
8b0c2e122f7410249df02c22bdfd1fdfe16e3aebc29b2729268c72f60524e58a

SHA512
7fd913dd5834b5c03665671a121dd8c898eb8ad2d94235bb0199026117d9043cb3eaca2324b3a41dcbdc65d888adf37df985cc0ea98af8f094236346bb001425

Download Submit
C:\Windows\{5B4BDE35-D99D-498b-A1C7-A5CAEE7189D2}.exe

Filesize
64KB

MD5
c7b5dffe29c31b5c3049633e7684cd3e

SHA1
827556874651a62c29105d15323b2bdda615a92f

SHA256
c3182ba2709c821e09ba98222666b51335cc20cd5cd6915d2042f1c2fe6d02e3

SHA512
e235cd02593e2a397df0d0b142cbb4ffb0c190c59a05c3cafb3fa727e6d9f4d30d96d797d74916a9fa65c3f11b22cc4a11974aff68c600b0cd1d1b866800add1

Download Submit
C:\Windows\{7DA4BA25-29B3-456d-BD76-D11D28301240}.exe

Filesize
64KB

MD5
4c3973282044334ba6641a8d470271ce

SHA1
1cb4a1971f0ab6579ee369654a8c3a676210c36d

SHA256
e08657b76deac3e27ec60183a69157039f2e318cf5e5882f360c78bb60d0206b

SHA512
9c34286ab13f760cefcafdf919163c421da98959625fe69b30670c4573a1250a2657bcde566508fa6fb1a04aefc2f8ab8c0f6d1a57bd63e6a0696053bdea70c3

Download Submit
C:\Windows\{A156D25D-92E5-4223-B73A-FF1D5BA05221}.exe

Filesize
64KB

MD5
6964006eb712781d70652aa3e5218f73

SHA1
422deee7d98dca8f30e32950e89d710f283f4473

SHA256
8a0a5b61c2975ee8aa7470beb1250907479e542981a8541011aadb92e6009441

SHA512
f32280297a617ad2fb3f77bc64d5f196485133260c99103d158a9dabc86de3415f981d6f19322b55190074c18cf2962379bf61041527d11642fe6f6cee0f1a3e

Download Submit
C:\Windows\{C542E54A-632E-4795-AF11-943C6700A4CF}.exe

Filesize
64KB

MD5
12f7873002b3618806c1d90d3aed048d

SHA1
9820a5f7dbab0518e293e39062bcb44986759400

SHA256
d7c3d75deb077a53ddbacbbde35c86df9267b5df6dfafde72157f85f442aafb5

SHA512
57a1e23230776d194a7b24a3b58421c3b30b63e2991ef81d3f5aa36f9846ce684878d409b351915fccd5f84cd549d9583290555cb67c942f16329bc72708554f

Download Submit
C:\Windows\{C575B7B4-690F-4499-B20E-BF104CB70752}.exe

Filesize
64KB

MD5
79270b95c253cbc225a692499ee7ccaf

SHA1
23fd8b1166b74ba90943fbc33e16779e51494e45

SHA256
bc6b0dcff017f49dee355be7b02768b2f013d9089514a953a3babf525ae6188d

SHA512
560adeab9d317ff9e6081a44860b2d6e49f83e35a75da44a03dd96b261bf2d2277bced7717fde75e8225c9bc12a57bdf00b8bc84220d8e773f0c19827edcb166

Download Submit
C:\Windows\{C79765E4-4486-4f3a-A131-1746B3D1C6CB}.exe

Filesize
64KB

MD5
f6b9eda6bca3a9d051e2e2ddd6cc4d96

SHA1
0f548878df38b56efffa2692a7e29d4e948883f9

SHA256
3f39e988e6ba613e8625f902563351d8355def0e43f8917d9e83db78d4e1d581

SHA512
dfe947c161335d4c85ca770f4ca1a069680d10d476a92db2c5304181b6c29aa0c4ebfb78c4e70c1d615e07ae018da8407a4fe7ddba76775c9c08719d1aac06e2

Download Submit
C:\Windows\{D90B87E0-8F54-4265-B40F-F497797657BB}.exe

Filesize
64KB

MD5
ff1e4b4f0368d9b2f670020ca1b458cc

SHA1
8ebd732ddd4a595c570bab066e8e96ceb2454b20

SHA256
1d3f7d968caba83dff42c7cf6873353d1d87df2a47123b82469abae55c758a38

SHA512
e3f96302c4cbac80dfd47f1b97e44902131ff2bd0c3a4f5096b4a666d2c71a4870e6e84bf223eba6a4382bf38d38c8465772643c5991b312b0b3b05e92c51d77

Download Submit
C:\Windows\{DCE9BA28-DAD8-4fb1-B990-1CCB8C1AD521}.exe

Filesize
64KB

MD5
72ce067caa0fd722f41b0e1988402bce

SHA1
d9c1f0bde9f995e3dd7190960fa72c777efa1a9d

SHA256
4568b35e42098b82fa383e40b8705c4967c3ebd0883b464117327fee1e383e8d

SHA512
8b39cd14c60684aa0ccbdb8762edeab22fe3e7bbaa035e7e92db2023719c84980a302387233dcf0b80a5ecb1525d396455d05400bbae5a9b53283819ce516799

Download Submit
memory/316-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1252-63-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1252-64-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1252-56-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1884-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1884-14-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/1948-72-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2168-26-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2168-25-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2196-89-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2528-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2612-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2612-4-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2612-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2612-9-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2612-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2664-94-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/2664-98-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2732-45-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/2732-46-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3044-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3044-81-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads