d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2025, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
Size

64KB
MD5

5ad1006fa53718b28aef93a8070b25db
SHA1

43a6b6b04b2f157c6e9c903e01c864abe59776ef
SHA256

d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1
SHA512

1c7801601ff271c9169bd73fa0366eaee8dfc22938273994c86d3f6b3d70d18066c21091f4acee342ef479dc8def2fadbb5cf688a9d8137d7a338407bada392b
SSDEEP

384:ObLwOs8AHsc42MfwhKQLrox4/CFsrdHWMZE:Ovw981EvhKQLrox4/wQpWMZE

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E50A83D-A913-427c-B257-75B5C1864A11}	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}\stubpath = "C:\\Windows\\{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe"	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72743139-1B77-46e8-872B-51B4A7BE513C}\stubpath = "C:\\Windows\\{72743139-1B77-46e8-872B-51B4A7BE513C}.exe"	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F93A1F2-ED4E-46a4-809E-87E659C026BF}	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4F93A1F2-ED4E-46a4-809E-87E659C026BF}\stubpath = "C:\\Windows\\{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe"	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}\stubpath = "C:\\Windows\\{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe"	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}	{61746001-72E6-4d0f-8610-8E5543717F9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61746001-72E6-4d0f-8610-8E5543717F9B}	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61746001-72E6-4d0f-8610-8E5543717F9B}\stubpath = "C:\\Windows\\{61746001-72E6-4d0f-8610-8E5543717F9B}.exe"	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A410766-1C8D-4219-A494-7070B3F17B2C}	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0A410766-1C8D-4219-A494-7070B3F17B2C}\stubpath = "C:\\Windows\\{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe"	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C553E8FE-3892-47f0-A955-B4C62CB86251}\stubpath = "C:\\Windows\\{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe"	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C553E8FE-3892-47f0-A955-B4C62CB86251}	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}\stubpath = "C:\\Windows\\{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe"	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}\stubpath = "C:\\Windows\\{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe"	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8E50A83D-A913-427c-B257-75B5C1864A11}\stubpath = "C:\\Windows\\{8E50A83D-A913-427c-B257-75B5C1864A11}.exe"	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72743139-1B77-46e8-872B-51B4A7BE513C}	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}\stubpath = "C:\\Windows\\{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe"	{61746001-72E6-4d0f-8610-8E5543717F9B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5374E285-B15C-4767-BBE1-75379208CDDB}	{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5374E285-B15C-4767-BBE1-75379208CDDB}\stubpath = "C:\\Windows\\{5374E285-B15C-4767-BBE1-75379208CDDB}.exe"	{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe

Executes dropped EXE 12 IoCs

pid	Process
3508	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe
2800	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe
536	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe
4036	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe
2220	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe
3048	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe
1536	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe
712	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe
3032	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe
4320	{61746001-72E6-4d0f-8610-8E5543717F9B}.exe
1324	{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe
4684	{5374E285-B15C-4767-BBE1-75379208CDDB}.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe
File created	C:\Windows\{72743139-1B77-46e8-872B-51B4A7BE513C}.exe	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe
File created	C:\Windows\{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe
File created	C:\Windows\{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe
File created	C:\Windows\{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
File created	C:\Windows\{8E50A83D-A913-427c-B257-75B5C1864A11}.exe	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe
File created	C:\Windows\{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe
File created	C:\Windows\{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe
File created	C:\Windows\{61746001-72E6-4d0f-8610-8E5543717F9B}.exe	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe
File created	C:\Windows\{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe
File created	C:\Windows\{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe	{61746001-72E6-4d0f-8610-8E5543717F9B}.exe
File created	C:\Windows\{5374E285-B15C-4767-BBE1-75379208CDDB}.exe	{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{61746001-72E6-4d0f-8610-8E5543717F9B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5374E285-B15C-4767-BBE1-75379208CDDB}.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4224	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
Token: SeIncBasePriorityPrivilege	3508	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe
Token: SeIncBasePriorityPrivilege	2800	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe
Token: SeIncBasePriorityPrivilege	536	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe
Token: SeIncBasePriorityPrivilege	4036	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe
Token: SeIncBasePriorityPrivilege	2220	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe
Token: SeIncBasePriorityPrivilege	3048	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe
Token: SeIncBasePriorityPrivilege	1536	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe
Token: SeIncBasePriorityPrivilege	712	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe
Token: SeIncBasePriorityPrivilege	3032	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe
Token: SeIncBasePriorityPrivilege	4320	{61746001-72E6-4d0f-8610-8E5543717F9B}.exe
Token: SeIncBasePriorityPrivilege	1324	{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 3508	4224	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	82
PID 4224 wrote to memory of 3508	4224	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	82
PID 4224 wrote to memory of 3508	4224	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	82
PID 4224 wrote to memory of 4260	4224	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	83
PID 4224 wrote to memory of 4260	4224	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	83
PID 4224 wrote to memory of 4260	4224	d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe	83
PID 3508 wrote to memory of 2800	3508	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe	91
PID 3508 wrote to memory of 2800	3508	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe	91
PID 3508 wrote to memory of 2800	3508	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe	91
PID 3508 wrote to memory of 1524	3508	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe	92
PID 3508 wrote to memory of 1524	3508	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe	92
PID 3508 wrote to memory of 1524	3508	{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe	92
PID 2800 wrote to memory of 536	2800	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe	95
PID 2800 wrote to memory of 536	2800	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe	95
PID 2800 wrote to memory of 536	2800	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe	95
PID 2800 wrote to memory of 1792	2800	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe	96
PID 2800 wrote to memory of 1792	2800	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe	96
PID 2800 wrote to memory of 1792	2800	{8E50A83D-A913-427c-B257-75B5C1864A11}.exe	96
PID 536 wrote to memory of 4036	536	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe	97
PID 536 wrote to memory of 4036	536	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe	97
PID 536 wrote to memory of 4036	536	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe	97
PID 536 wrote to memory of 3128	536	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe	98
PID 536 wrote to memory of 3128	536	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe	98
PID 536 wrote to memory of 3128	536	{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe	98
PID 4036 wrote to memory of 2220	4036	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe	99
PID 4036 wrote to memory of 2220	4036	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe	99
PID 4036 wrote to memory of 2220	4036	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe	99
PID 4036 wrote to memory of 1880	4036	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe	100
PID 4036 wrote to memory of 1880	4036	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe	100
PID 4036 wrote to memory of 1880	4036	{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe	100
PID 2220 wrote to memory of 3048	2220	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe	101
PID 2220 wrote to memory of 3048	2220	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe	101
PID 2220 wrote to memory of 3048	2220	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe	101
PID 2220 wrote to memory of 2392	2220	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe	102
PID 2220 wrote to memory of 2392	2220	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe	102
PID 2220 wrote to memory of 2392	2220	{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe	102
PID 3048 wrote to memory of 1536	3048	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe	103
PID 3048 wrote to memory of 1536	3048	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe	103
PID 3048 wrote to memory of 1536	3048	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe	103
PID 3048 wrote to memory of 3132	3048	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe	104
PID 3048 wrote to memory of 3132	3048	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe	104
PID 3048 wrote to memory of 3132	3048	{72743139-1B77-46e8-872B-51B4A7BE513C}.exe	104
PID 1536 wrote to memory of 712	1536	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe	105
PID 1536 wrote to memory of 712	1536	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe	105
PID 1536 wrote to memory of 712	1536	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe	105
PID 1536 wrote to memory of 4392	1536	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe	106
PID 1536 wrote to memory of 4392	1536	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe	106
PID 1536 wrote to memory of 4392	1536	{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe	106
PID 712 wrote to memory of 3032	712	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe	107
PID 712 wrote to memory of 3032	712	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe	107
PID 712 wrote to memory of 3032	712	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe	107
PID 712 wrote to memory of 2456	712	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe	108
PID 712 wrote to memory of 2456	712	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe	108
PID 712 wrote to memory of 2456	712	{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe	108
PID 3032 wrote to memory of 4320	3032	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe	109
PID 3032 wrote to memory of 4320	3032	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe	109
PID 3032 wrote to memory of 4320	3032	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe	109
PID 3032 wrote to memory of 4408	3032	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe	110
PID 3032 wrote to memory of 4408	3032	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe	110
PID 3032 wrote to memory of 4408	3032	{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe	110
PID 4320 wrote to memory of 1324	4320	{61746001-72E6-4d0f-8610-8E5543717F9B}.exe	111
PID 4320 wrote to memory of 1324	4320	{61746001-72E6-4d0f-8610-8E5543717F9B}.exe	111
PID 4320 wrote to memory of 1324	4320	{61746001-72E6-4d0f-8610-8E5543717F9B}.exe	111
PID 4320 wrote to memory of 2784	4320	{61746001-72E6-4d0f-8610-8E5543717F9B}.exe	112

C:\Users\Admin\AppData\Local\Temp\d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe
"C:\Users\Admin\AppData\Local\Temp\d17b65d5d48b87b592b01752bb919cc73cde5aaa7a344b267f16eeac6a0173f1.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe
  C:\Windows\{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Windows\{8E50A83D-A913-427c-B257-75B5C1864A11}.exe
    C:\Windows\{8E50A83D-A913-427c-B257-75B5C1864A11}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe
      C:\Windows\{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:536
    - - C:\Windows\{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe
        
        C:\Windows\{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4036
      - C:\Windows\{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe
        
        C:\Windows\{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\{72743139-1B77-46e8-872B-51B4A7BE513C}.exe
        
        C:\Windows\{72743139-1B77-46e8-872B-51B4A7BE513C}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe
        
        C:\Windows\{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe
        
        C:\Windows\{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:712
        
        C:\Windows\{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe
        
        C:\Windows\{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3032
        
        C:\Windows\{61746001-72E6-4d0f-8610-8E5543717F9B}.exe
        
        C:\Windows\{61746001-72E6-4d0f-8610-8E5543717F9B}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4320
        
        C:\Windows\{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe
        
        C:\Windows\{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\{5374E285-B15C-4767-BBE1-75379208CDDB}.exe
        
        C:\Windows\{5374E285-B15C-4767-BBE1-75379208CDDB}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE6C4~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{61746~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7C6B4~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C4AE~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C553E~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72743~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0A410~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E5BB4~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1880
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4F93A~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3128
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{8E50A~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:1792
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{94976~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\D17B65~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0A410766-1C8D-4219-A494-7070B3F17B2C}.exe

Filesize
64KB

MD5
167b3714bc45078c76f4c6461dc4ca57

SHA1
fc0da43a0a30b367bb9f8e2d1109451a959598b4

SHA256
589001d434bf6c808af4c9d6e440c695b4642a17813c905c4dad7a1909821d84

SHA512
cd176090a7d1d4d67fa7a2bbe99805078069ee5baab4b8435daeaff44dbda76dc592fbcf043301344a72f28261cdf53e45df457c4a30fd11fd2f5463396dc219

Download Submit
C:\Windows\{4F93A1F2-ED4E-46a4-809E-87E659C026BF}.exe

Filesize
64KB

MD5
bc0781ef93108d5f56d111a30efbf96f

SHA1
e30fb3bd5aceef60308d17c745fa50c58b841599

SHA256
b3ca619b475fe41bf8ed6d9e4742adf934b5ba1c2fbc881f94d93396df3118d8

SHA512
78562c78f9f7b19d9c8f9f899aa22159bd2b3830b68913975c64f71f535d802db768a2311dec41f9f0577f3326797ca7101e4dd9c0dd445ffb5c049df1af1613

Download Submit
C:\Windows\{5374E285-B15C-4767-BBE1-75379208CDDB}.exe

Filesize
64KB

MD5
4eaa4306be490d99664310d3fd320c53

SHA1
d32dfe0c62fb8e3c98113d82f8351b861a754f17

SHA256
fdb2ac787aa18e223c4d0838cb7560386bcbb4463eb325c4744af4b182d0604e

SHA512
ec450dde2f27faafb70ee315e1707272b27c5cdb67de354633782617bfaaef2a70e6bd203d068a9bdcf765cf8b97aa489a371c429b575505ccd5f9eb8d0db281

Download Submit
C:\Windows\{61746001-72E6-4d0f-8610-8E5543717F9B}.exe

Filesize
64KB

MD5
0c61a1cdb57ae2e82a4899276f1fbc86

SHA1
b0bd0c5e8a204f27f37fa2b2aa1a2e898bcb5f0f

SHA256
846eb664da6fe668d9647b633a2feffe768286711ce16822a192d3ec043e3803

SHA512
756714bb9cf50f48e06ca1d79eeaf1266d391ca28b265a02633fe86ae501aa28e70abc00eab26587b19991798f5c1fda43e8e2bd4b924c3ae7a941898dec6a87

Download Submit
C:\Windows\{72743139-1B77-46e8-872B-51B4A7BE513C}.exe

Filesize
64KB

MD5
5f62a3fee95cd61f82a00636adafe806

SHA1
45464bdefa5fe400acf7f0644badd4d1e83cba20

SHA256
794e3f40db1b6befb576d6120fa4e3aab703d8065649403d22c4a5effe106e7b

SHA512
09cc8b4f9662853330b49448c5808b2c7ba901ba04dfe8dc766044aabad4a123e5aaec7d22e5970868af7b82461dcaec28072333af6c4268e63b2f359b80a63c

Download Submit
C:\Windows\{7C6B493F-03FB-4ced-8C37-4A17E3E7E245}.exe

Filesize
64KB

MD5
34aa06fe9c879e17f8cdb9de26a5d442

SHA1
cb6654cfbfd7a3171ba05429a462f4b34ed9945a

SHA256
a82d3156966d36342572f919a3fab961f78be5d4e41b4fa231b4e738707b65b8

SHA512
0d9c14515a4d482f02d94716dab26ed52a4802edb09bba4067d0bf06234e9b671f1c02f45875b06d719379b94ee3330e2ca91fb5c9d1366f2d61a806e6884cda

Download Submit
C:\Windows\{8E50A83D-A913-427c-B257-75B5C1864A11}.exe

Filesize
64KB

MD5
b3219eaa8f67e2736ec0bb2d4766084a

SHA1
4621323a6a6bf6cb1a5e8ce4443f4126028d6db7

SHA256
134e5487e021e183721acc49bf78f91c3506e8f85e604c048654cd362e8789a8

SHA512
8862890d89cdee2ec799449e203415dd31195eacf3560a1ba382286641dd7ceb88469665a12ef3a172205f6e3a9230db019b2ef5239b826b191809eed453d833

Download Submit
C:\Windows\{94976A21-9DAA-4bf6-8D6E-B4F724CE715F}.exe

Filesize
64KB

MD5
6c051b099abf3cea91d996166e6db2c4

SHA1
eda429561a117aa22f59ff9112347526e016f873

SHA256
f8aa4efca1361fd0e0fdc5f70e5e2d0e2cdf861ce438c4812c8a2016ba64f43d

SHA512
d82d795d772555cb7fb5a7d1f769f28934e58631f6cec5d3991232914d4e38250998dba620fedcc3fe371a0e386e7b2f24c605273b020ca7f8bb4fe93a14783a

Download Submit
C:\Windows\{9C4AECC4-E5A5-4472-8BA1-DCF07552D7EB}.exe

Filesize
64KB

MD5
55d6f8239ec14835fc38dc69bad536fd

SHA1
b0472245e0a3b2aa845debe628d20ecdf131fe56

SHA256
177fa8f7cf382e1c0977bef0e1bd28c3164dbfecac60cf70eebe6dd6aab399f3

SHA512
95f6e2af38439c23877ec5ae549e9fa73bc09c44a5226e416d6572b5541ecf497fdb6a315313ff1376de4e7dcf494e12a0de9608a2f8a0a780f483bbecf9b9c6

Download Submit
C:\Windows\{C553E8FE-3892-47f0-A955-B4C62CB86251}.exe

Filesize
64KB

MD5
37d37b3d71ec241278984b950bc45b9b

SHA1
858778458bc386599c8025cbd10aed9edaa42148

SHA256
b843ac6cfbc9367e341761202b1a715fa3211abe088fd36c0ecbe6ac5353f75b

SHA512
374c5f7dff49e51b40372353f23c4e903de1b61d3343d50041ac9941ade8b40e9b35a37bafcbba36024b8e6bf869e3130bb0b9bb4cbca0f768ae46309eab6fd6

Download Submit
C:\Windows\{E5BB4187-04F0-4689-BD0B-D4EED22F21FE}.exe

Filesize
64KB

MD5
5b881368e45d85d182797254e86bbc05

SHA1
4d24e1d031a10b41406c6703cb5c109e19975d8c

SHA256
5d17e4cd63b54f5335055991101f7a0deaa548bd3287c46d46d11620b359567b

SHA512
5ed71e4dd24d9ed1a952ebd1ff14d9ea70f362fc0986b083cc2c89a4816bb49057bdffd32ca9cf838346819399720c6d11cde4cd39b328da342185f207eb9da3

Download Submit
C:\Windows\{FE6C4378-700D-4ecc-9481-BD87D8FA8B1F}.exe

Filesize
64KB

MD5
87e55df2e115df15d69c21f464201ad2

SHA1
a7d5cb46db658874f153250a93d183fa5466cf5c

SHA256
a70563c601a5a79215a24c4f0ce46c688e2c6e5b567ca32e5f6d08e8020ad4db

SHA512
0b28bef69f756292c63d5b8c534642f37047af1265ad2a0f38acfa6c213c7f8132e73b833f7081eb260cd71ebb41524fb89a95adb3b871b596770fc5d0bf5b51

Download Submit
memory/536-24-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/536-19-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/712-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/712-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1324-67-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1324-71-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1536-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1536-42-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2220-32-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2220-37-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2800-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2800-14-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2800-13-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-60-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3032-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3048-41-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3508-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3508-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4036-26-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4036-31-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4224-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4224-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4224-7-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4320-61-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4320-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4684-73-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads