9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6b

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
Size

91KB
MD5

1e2b3437eac561d5e0abd77a07f97090
SHA1

0a43d1c8a50480314f907e7a2736e092ea52a8bf
SHA256

9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6b
SHA512

7b1851077fede5b0e3a8a464dc8989918b928d7921745258920bd89d384603d2292bc53f7c114bcd53d5bfaf12242b67c8e57a3217a58c89b31262355bf459da
SSDEEP

768:5vw9816uhKiroz4/wQNNrfrunMxVFA3bQ:lEGkmozlCunMxVS3E

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{948BDB17-49E7-416e-B856-0C5FDB5918D2}\stubpath = "C:\\Windows\\{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe"	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8F79EF1-8407-42ce-A108-92B272CAD2CC}\stubpath = "C:\\Windows\\{A8F79EF1-8407-42ce-A108-92B272CAD2CC}.exe"	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1BC123B-F84B-4c27-9FD0-25ED5805868A}	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}\stubpath = "C:\\Windows\\{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe"	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}\stubpath = "C:\\Windows\\{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe"	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{948BDB17-49E7-416e-B856-0C5FDB5918D2}	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A56555C8-DEC1-4895-BE96-A701302033AB}	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A56555C8-DEC1-4895-BE96-A701302033AB}\stubpath = "C:\\Windows\\{A56555C8-DEC1-4895-BE96-A701302033AB}.exe"	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{660E5C88-C8F0-4f11-9E16-1470FB2525FA}\stubpath = "C:\\Windows\\{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe"	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8F79EF1-8407-42ce-A108-92B272CAD2CC}	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EED720ED-7AC7-4067-97C8-41B761ED258C}\stubpath = "C:\\Windows\\{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe"	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B1BC123B-F84B-4c27-9FD0-25ED5805868A}\stubpath = "C:\\Windows\\{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe"	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{EED720ED-7AC7-4067-97C8-41B761ED258C}	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{660E5C88-C8F0-4f11-9E16-1470FB2525FA}	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B66304D-191F-4c29-9AF4-03DE99098A39}	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8B66304D-191F-4c29-9AF4-03DE99098A39}\stubpath = "C:\\Windows\\{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe"	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe

Executes dropped EXE 9 IoCs

pid	Process
3872	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe
2572	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe
1264	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe
960	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe
4480	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe
804	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe
2464	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe
2280	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe
844	{A8F79EF1-8407-42ce-A108-92B272CAD2CC}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe
File created	C:\Windows\{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe
File created	C:\Windows\{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe
File created	C:\Windows\{A8F79EF1-8407-42ce-A108-92B272CAD2CC}.exe	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe
File created	C:\Windows\{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe
File created	C:\Windows\{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe
File created	C:\Windows\{A56555C8-DEC1-4895-BE96-A701302033AB}.exe	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe
File created	C:\Windows\{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
File created	C:\Windows\{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8F79EF1-8407-42ce-A108-92B272CAD2CC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	848	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
Token: SeIncBasePriorityPrivilege	3872	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe
Token: SeIncBasePriorityPrivilege	2572	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe
Token: SeIncBasePriorityPrivilege	1264	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe
Token: SeIncBasePriorityPrivilege	960	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe
Token: SeIncBasePriorityPrivilege	4480	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe
Token: SeIncBasePriorityPrivilege	804	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe
Token: SeIncBasePriorityPrivilege	2464	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe
Token: SeIncBasePriorityPrivilege	2280	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 3872	848	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	86
PID 848 wrote to memory of 3872	848	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	86
PID 848 wrote to memory of 3872	848	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	86
PID 848 wrote to memory of 5008	848	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	87
PID 848 wrote to memory of 5008	848	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	87
PID 848 wrote to memory of 5008	848	9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe	87
PID 3872 wrote to memory of 2572	3872	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe	98
PID 3872 wrote to memory of 2572	3872	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe	98
PID 3872 wrote to memory of 2572	3872	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe	98
PID 3872 wrote to memory of 1164	3872	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe	99
PID 3872 wrote to memory of 1164	3872	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe	99
PID 3872 wrote to memory of 1164	3872	{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe	99
PID 2572 wrote to memory of 1264	2572	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe	103
PID 2572 wrote to memory of 1264	2572	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe	103
PID 2572 wrote to memory of 1264	2572	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe	103
PID 2572 wrote to memory of 2448	2572	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe	104
PID 2572 wrote to memory of 2448	2572	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe	104
PID 2572 wrote to memory of 2448	2572	{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe	104
PID 1264 wrote to memory of 960	1264	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe	105
PID 1264 wrote to memory of 960	1264	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe	105
PID 1264 wrote to memory of 960	1264	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe	105
PID 1264 wrote to memory of 3944	1264	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe	106
PID 1264 wrote to memory of 3944	1264	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe	106
PID 1264 wrote to memory of 3944	1264	{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe	106
PID 960 wrote to memory of 4480	960	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe	107
PID 960 wrote to memory of 4480	960	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe	107
PID 960 wrote to memory of 4480	960	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe	107
PID 960 wrote to memory of 2104	960	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe	108
PID 960 wrote to memory of 2104	960	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe	108
PID 960 wrote to memory of 2104	960	{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe	108
PID 4480 wrote to memory of 804	4480	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe	109
PID 4480 wrote to memory of 804	4480	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe	109
PID 4480 wrote to memory of 804	4480	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe	109
PID 4480 wrote to memory of 2788	4480	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe	110
PID 4480 wrote to memory of 2788	4480	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe	110
PID 4480 wrote to memory of 2788	4480	{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe	110
PID 804 wrote to memory of 2464	804	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe	111
PID 804 wrote to memory of 2464	804	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe	111
PID 804 wrote to memory of 2464	804	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe	111
PID 804 wrote to memory of 2720	804	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe	112
PID 804 wrote to memory of 2720	804	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe	112
PID 804 wrote to memory of 2720	804	{A56555C8-DEC1-4895-BE96-A701302033AB}.exe	112
PID 2464 wrote to memory of 2280	2464	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe	113
PID 2464 wrote to memory of 2280	2464	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe	113
PID 2464 wrote to memory of 2280	2464	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe	113
PID 2464 wrote to memory of 3372	2464	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe	114
PID 2464 wrote to memory of 3372	2464	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe	114
PID 2464 wrote to memory of 3372	2464	{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe	114
PID 2280 wrote to memory of 844	2280	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe	115
PID 2280 wrote to memory of 844	2280	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe	115
PID 2280 wrote to memory of 844	2280	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe	115
PID 2280 wrote to memory of 1420	2280	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe	116
PID 2280 wrote to memory of 1420	2280	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe	116
PID 2280 wrote to memory of 1420	2280	{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe	116

C:\Users\Admin\AppData\Local\Temp\9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe
"C:\Users\Admin\AppData\Local\Temp\9e993ed3ec524a5fe3d0c3cabc76d9346af445a76179c3f848ecfd2482d31f6bN.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:848
- C:\Windows\{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe
  C:\Windows\{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3872
- - C:\Windows\{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe
    C:\Windows\{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe
      C:\Windows\{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1264
    - - C:\Windows\{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe
        
        C:\Windows\{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:960
      - C:\Windows\{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe
        
        C:\Windows\{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4480
        
        C:\Windows\{A56555C8-DEC1-4895-BE96-A701302033AB}.exe
        
        C:\Windows\{A56555C8-DEC1-4895-BE96-A701302033AB}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe
        
        C:\Windows\{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Windows\{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe
        
        C:\Windows\{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\{A8F79EF1-8407-42ce-A108-92B272CAD2CC}.exe
        
        C:\Windows\{A8F79EF1-8407-42ce-A108-92B272CAD2CC}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:844
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{660E5~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8B663~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A5655~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{948BD~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5F2AB~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{EED72~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3944
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{A20F8~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{B1BC1~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1164
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9E993E~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{5F2AB0E3-9FDB-4953-A8B6-2241E43A0DB7}.exe

Filesize
91KB

MD5
51daffabb289c578cec050102834b3bf

SHA1
b75bdfd657ee6b6de68807013e10fad4de96b9cf

SHA256
bde8037bf60c44cfc21e660534eb2adb1a3ef4c40180ce95935dffba3cc93dd6

SHA512
b710633359e06206edd1039bc3940a434e6a619343e944689d540db55ba8819c7594b2b5af3feda89353b00ae1ee70f8271df0ea552d36f4d7f49306d695e47e

Download Submit
C:\Windows\{660E5C88-C8F0-4f11-9E16-1470FB2525FA}.exe

Filesize
91KB

MD5
a9c96556ada172b5cafbfc42dcfdfebf

SHA1
c1d9d8e23be4753df5f9ab29a4db680f880f5189

SHA256
8c109aea6803d09aafcd6216f9d01a779a683af1c26da1f1108933678811378f

SHA512
2d27300e74c05c567051452d6a393577c15c8fa67836b7973dd964283a6e5e230b7d27ebde1f687886e484ece5e4044604bd077b16b1b660198396d30ea5d1c2

Download Submit
C:\Windows\{8B66304D-191F-4c29-9AF4-03DE99098A39}.exe

Filesize
91KB

MD5
6ed6201fe5dda051445f1ab17b71ec45

SHA1
93ae5d2c97533ac746b3662c1ca95ec72ffd636c

SHA256
94b6bc3c25f5e167443deba9022fca87c74a1a25a336ba169b12ba1a14cb94fe

SHA512
4045c4557018e042e962afca4b044831099933a92b61e31a16c1c433f81d20067c033153cc85d8452776383145b40ace868354d05311cc6d61520c9052ba75ca

Download Submit
C:\Windows\{948BDB17-49E7-416e-B856-0C5FDB5918D2}.exe

Filesize
91KB

MD5
f6bd06af32886fc323e571effa7dacb1

SHA1
a6b23a344bb87660f89cc1d0cfb175f49cb278b1

SHA256
394662bca91128af40bc789f13eaec77c5457cf5e3221ab4a6ea445ed5fe41da

SHA512
93219b797bcd20c1d2b0bfe81b869486952945766d107cea44556629675dad3f4f2b8c28a7cd10bedf0fbb4f7ffb73ff586c1bd8642717e729ca5d8cfae2669f

Download Submit
C:\Windows\{A20F847E-B6D3-4f72-B7D7-0BBD7EBCED40}.exe

Filesize
91KB

MD5
ccb30c0e50375fc8ae2fb484dd7f46df

SHA1
363e317e9ac749734b4abde12921ef7cb099b55b

SHA256
ef93ab28cdae3752896eac8c9070cc82238de0802506d89d4997447813e3a61b

SHA512
d60bdf63d4bc6d4afdb458edc4c3f7a752805b1be55b7d727489f99399e879c61c9a077301cde427956860e40991f5db5a3866f351d72c5a8103ba2e7a3dbabb

Download Submit
C:\Windows\{A56555C8-DEC1-4895-BE96-A701302033AB}.exe

Filesize
91KB

MD5
e7e029b024ef9a11371ec82a08ece563

SHA1
de363146f5197c4325ed3d7058202d3f2fadcb10

SHA256
ae79b1fde5e68ce84db835b7ec68d9f99ce8ee45412a212d944ef4472f58b24a

SHA512
133584b6fb5ec698022bbe6ce0e881cd11cd2838a60de007718996b8cc19c813178e5edf680b78e8060beece0843d5cc012ee45377e64fa8c2416fa9cdf095cc

Download Submit
C:\Windows\{A8F79EF1-8407-42ce-A108-92B272CAD2CC}.exe

Filesize
91KB

MD5
b16ce77a921726e3a674d6bb1a9f1b36

SHA1
2dc65e2aaf1661e32a2184293f22ecd146a037e7

SHA256
bbf7d536848638d70cc866c1c09254339f81c08a876f81ebb6f50b6c6f65e1fb

SHA512
d47d04ddee241f70d3dab8f11f0f9dd7552fa7a3fb04f5f0fbdee3a50e6fba116eb92e1abd5644237a53088aa5ac44e361ca42a363aa68a612ff2d2db7a6a2e6

Download Submit
C:\Windows\{B1BC123B-F84B-4c27-9FD0-25ED5805868A}.exe

Filesize
91KB

MD5
3dca88b4e37cceded6dd55e0c1de495b

SHA1
28018c2a7e8eb3396b825776525a8a314d0454dd

SHA256
9535cb745d7ac508d5cd513256735642e5330df22db441c2785c993fb94a1f8b

SHA512
cc4550ee5737c336f02d8793077af23df8940c395271c57ea5c8e814535ed274ec21e6bfdf1e955cee0a41cd925601a59675e063c2ff3cec811c6d3916a97f86

Download Submit
C:\Windows\{EED720ED-7AC7-4067-97C8-41B761ED258C}.exe

Filesize
91KB

MD5
57070d132f29f7c02c6b48b5c31f73d1

SHA1
3165e79e21b99ad781d15b6331fe8b33e924957f

SHA256
39e70ecf885ba495a5eb7ace94463388ed6dac0ec53360651640ed9d310d2a86

SHA512
3703f329c33c2c4bb4b8cdc71fba4984f68aa72b580d7d71bcef75ed0ec60c20405e3016d7a7c9d936af79aeff249fb7ef57afdf65adc649cdfcc61bfea491d5

Download Submit
memory/804-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/804-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/844-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/848-7-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/848-1-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/848-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/960-26-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/960-30-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1264-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1264-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2280-54-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2280-49-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2464-44-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2464-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2572-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2572-13-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3872-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3872-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3872-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4480-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4480-31-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads