45092a814f08c31f94c8e8a4cd8879f52a68b84dff716d5427a2191c6d9c01a7

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-07-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7cdcf97dd866e2aea2b9f531a3d62a40N.exe
Size

83KB
MD5

7cdcf97dd866e2aea2b9f531a3d62a40
SHA1

129a11227b20475bb1bd7898a94fe858c684f0e7
SHA256

45092a814f08c31f94c8e8a4cd8879f52a68b84dff716d5427a2191c6d9c01a7
SHA512

adbe9e82f078bb7e7abbc37fcb07e0b9d36aa4bd418c076ac69f4b503f665d761df1516568781f802530fd98d9771ecb3b95fe4e2078f655fd0fabfa4905d343
SSDEEP

1536:q4Gh0o4e0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4e05outQCMUyNjhLJh731xvsr

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe7cdcf97dd866e2aea2b9f531a3d62a40N.exe{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe{3EC19664-2173-423d-9459-959AF4FB1D64}.exe{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39FA6343-6A4C-44a1-A621-BE68BE05D766}\stubpath = "C:\\Windows\\{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe"	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83242321-1BBD-429d-8CA8-04A0E52B01DE}\stubpath = "C:\\Windows\\{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe"	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EC19664-2173-423d-9459-959AF4FB1D64}	7cdcf97dd866e2aea2b9f531a3d62a40N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{3EC19664-2173-423d-9459-959AF4FB1D64}\stubpath = "C:\\Windows\\{3EC19664-2173-423d-9459-959AF4FB1D64}.exe"	7cdcf97dd866e2aea2b9f531a3d62a40N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}\stubpath = "C:\\Windows\\{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe"	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}	{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}\stubpath = "C:\\Windows\\{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}.exe"	{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}\stubpath = "C:\\Windows\\{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe"	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}\stubpath = "C:\\Windows\\{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe"	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}\stubpath = "C:\\Windows\\{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe"	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{39FA6343-6A4C-44a1-A621-BE68BE05D766}	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}\stubpath = "C:\\Windows\\{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe"	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{83242321-1BBD-429d-8CA8-04A0E52B01DE}	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2168 cmd.exe

pid	process
2168	cmd.exe

Executes dropped EXE 9 IoCs

Processes:

{3EC19664-2173-423d-9459-959AF4FB1D64}.exe{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}.exe

pid	process
2316	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
2716	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
604	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
2184	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
2052	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
1864	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
1916	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
2424	{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
1052	{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}.exe

UPX packed file 28 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2900-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2316-9-0x0000000000400000-0x0000000000413000-memory.dmp	upx
C:\Windows\{3EC19664-2173-423d-9459-959AF4FB1D64}.exe	upx
behavioral1/memory/2900-10-0x0000000000400000-0x0000000000413000-memory.dmp	upx
C:\Windows\{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe	upx
behavioral1/memory/2716-20-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2316-21-0x0000000000400000-0x0000000000413000-memory.dmp	upx
C:\Windows\{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe	upx
behavioral1/memory/2716-31-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/604-30-0x0000000000400000-0x0000000000413000-memory.dmp	upx
C:\Windows\{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe	upx
behavioral1/memory/2184-41-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/604-42-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2184-51-0x0000000000400000-0x0000000000413000-memory.dmp	upx
C:\Windows\{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe	upx
behavioral1/memory/2052-53-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/1864-63-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2052-64-0x0000000000400000-0x0000000000413000-memory.dmp	upx
C:\Windows\{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe	upx
behavioral1/memory/1864-73-0x0000000000400000-0x0000000000413000-memory.dmp	upx
C:\Windows\{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe	upx
behavioral1/memory/1916-75-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2424-85-0x0000000000400000-0x0000000000413000-memory.dmp	upx
C:\Windows\{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe	upx
behavioral1/memory/1916-86-0x0000000000400000-0x0000000000413000-memory.dmp	upx
C:\Windows\{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}.exe	upx
behavioral1/memory/1052-95-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2424-96-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

Processes:

{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe{3EC19664-2173-423d-9459-959AF4FB1D64}.exe{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe7cdcf97dd866e2aea2b9f531a3d62a40N.exe{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe

description	ioc	process
File created	C:\Windows\{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}.exe	{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
File created	C:\Windows\{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
File created	C:\Windows\{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
File created	C:\Windows\{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
File created	C:\Windows\{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
File created	C:\Windows\{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
File created	C:\Windows\{3EC19664-2173-423d-9459-959AF4FB1D64}.exe	7cdcf97dd866e2aea2b9f531a3d62a40N.exe
File created	C:\Windows\{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
File created	C:\Windows\{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.execmd.exe{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}.execmd.exe{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe{83242321-1BBD-429d-8CA8-04A0E52B01DE}.execmd.exe7cdcf97dd866e2aea2b9f531a3d62a40N.exe{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.execmd.execmd.execmd.execmd.exe{3EC19664-2173-423d-9459-959AF4FB1D64}.execmd.exe{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7cdcf97dd866e2aea2b9f531a3d62a40N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

7cdcf97dd866e2aea2b9f531a3d62a40N.exe{3EC19664-2173-423d-9459-959AF4FB1D64}.exe{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	2900	7cdcf97dd866e2aea2b9f531a3d62a40N.exe
Token: SeIncBasePriorityPrivilege	2316	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
Token: SeIncBasePriorityPrivilege	2716	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
Token: SeIncBasePriorityPrivilege	604	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
Token: SeIncBasePriorityPrivilege	2184	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
Token: SeIncBasePriorityPrivilege	2052	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
Token: SeIncBasePriorityPrivilege	1864	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
Token: SeIncBasePriorityPrivilege	1916	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
Token: SeIncBasePriorityPrivilege	2424	{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	process	target process
PID 2900 wrote to memory of 2316	2900	7cdcf97dd866e2aea2b9f531a3d62a40N.exe	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
PID 2900 wrote to memory of 2316	2900	7cdcf97dd866e2aea2b9f531a3d62a40N.exe	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
PID 2900 wrote to memory of 2316	2900	7cdcf97dd866e2aea2b9f531a3d62a40N.exe	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
PID 2900 wrote to memory of 2316	2900	7cdcf97dd866e2aea2b9f531a3d62a40N.exe	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
PID 2900 wrote to memory of 2168	2900	7cdcf97dd866e2aea2b9f531a3d62a40N.exe	cmd.exe
PID 2900 wrote to memory of 2168	2900	7cdcf97dd866e2aea2b9f531a3d62a40N.exe	cmd.exe
PID 2900 wrote to memory of 2168	2900	7cdcf97dd866e2aea2b9f531a3d62a40N.exe	cmd.exe
PID 2900 wrote to memory of 2168	2900	7cdcf97dd866e2aea2b9f531a3d62a40N.exe	cmd.exe
PID 2316 wrote to memory of 2716	2316	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
PID 2316 wrote to memory of 2716	2316	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
PID 2316 wrote to memory of 2716	2316	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
PID 2316 wrote to memory of 2716	2316	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
PID 2316 wrote to memory of 2644	2316	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe	cmd.exe
PID 2316 wrote to memory of 2644	2316	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe	cmd.exe
PID 2316 wrote to memory of 2644	2316	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe	cmd.exe
PID 2316 wrote to memory of 2644	2316	{3EC19664-2173-423d-9459-959AF4FB1D64}.exe	cmd.exe
PID 2716 wrote to memory of 604	2716	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
PID 2716 wrote to memory of 604	2716	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
PID 2716 wrote to memory of 604	2716	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
PID 2716 wrote to memory of 604	2716	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
PID 2716 wrote to memory of 1332	2716	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe	cmd.exe
PID 2716 wrote to memory of 1332	2716	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe	cmd.exe
PID 2716 wrote to memory of 1332	2716	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe	cmd.exe
PID 2716 wrote to memory of 1332	2716	{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe	cmd.exe
PID 604 wrote to memory of 2184	604	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
PID 604 wrote to memory of 2184	604	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
PID 604 wrote to memory of 2184	604	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
PID 604 wrote to memory of 2184	604	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
PID 604 wrote to memory of 2420	604	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe	cmd.exe
PID 604 wrote to memory of 2420	604	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe	cmd.exe
PID 604 wrote to memory of 2420	604	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe	cmd.exe
PID 604 wrote to memory of 2420	604	{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe	cmd.exe
PID 2184 wrote to memory of 2052	2184	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
PID 2184 wrote to memory of 2052	2184	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
PID 2184 wrote to memory of 2052	2184	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
PID 2184 wrote to memory of 2052	2184	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
PID 2184 wrote to memory of 2016	2184	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe	cmd.exe
PID 2184 wrote to memory of 2016	2184	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe	cmd.exe
PID 2184 wrote to memory of 2016	2184	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe	cmd.exe
PID 2184 wrote to memory of 2016	2184	{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe	cmd.exe
PID 2052 wrote to memory of 1864	2052	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
PID 2052 wrote to memory of 1864	2052	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
PID 2052 wrote to memory of 1864	2052	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
PID 2052 wrote to memory of 1864	2052	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
PID 2052 wrote to memory of 2936	2052	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe	cmd.exe
PID 2052 wrote to memory of 2936	2052	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe	cmd.exe
PID 2052 wrote to memory of 2936	2052	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe	cmd.exe
PID 2052 wrote to memory of 2936	2052	{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe	cmd.exe
PID 1864 wrote to memory of 1916	1864	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
PID 1864 wrote to memory of 1916	1864	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
PID 1864 wrote to memory of 1916	1864	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
PID 1864 wrote to memory of 1916	1864	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
PID 1864 wrote to memory of 2972	1864	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe	cmd.exe
PID 1864 wrote to memory of 2972	1864	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe	cmd.exe
PID 1864 wrote to memory of 2972	1864	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe	cmd.exe
PID 1864 wrote to memory of 2972	1864	{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe	cmd.exe
PID 1916 wrote to memory of 2424	1916	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe	{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
PID 1916 wrote to memory of 2424	1916	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe	{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
PID 1916 wrote to memory of 2424	1916	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe	{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
PID 1916 wrote to memory of 2424	1916	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe	{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
PID 1916 wrote to memory of 2452	1916	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe	cmd.exe
PID 1916 wrote to memory of 2452	1916	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe	cmd.exe
PID 1916 wrote to memory of 2452	1916	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe	cmd.exe
PID 1916 wrote to memory of 2452	1916	{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7cdcf97dd866e2aea2b9f531a3d62a40N.exe
"C:\Users\Admin\AppData\Local\Temp\7cdcf97dd866e2aea2b9f531a3d62a40N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2900

C:\Windows\{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
C:\Windows\{3EC19664-2173-423d-9459-959AF4FB1D64}.exe
2⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Windows\{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
C:\Windows\{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe
3⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Windows\{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
C:\Windows\{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe
4⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:604

C:\Windows\{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
C:\Windows\{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe
5⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2184

C:\Windows\{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
C:\Windows\{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe
6⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052

C:\Windows\{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
C:\Windows\{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe
7⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864

C:\Windows\{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
C:\Windows\{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe
8⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916

C:\Windows\{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
C:\Windows\{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe
9⤵
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2424

C:\Windows\{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}.exe
C:\Windows\{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}.exe
10⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1052

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{11EAD~1.EXE > nul
10⤵
- System Location Discovery: System Language Discovery
PID:1508

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{83242~1.EXE > nul
9⤵
- System Location Discovery: System Language Discovery
PID:2452

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{39FA6~1.EXE > nul
8⤵
- System Location Discovery: System Language Discovery
PID:2972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{BD5E5~1.EXE > nul
7⤵
- System Location Discovery: System Language Discovery
PID:2936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{A99F6~1.EXE > nul
6⤵
- System Location Discovery: System Language Discovery
PID:2016

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{89E9A~1.EXE > nul
5⤵
- System Location Discovery: System Language Discovery
PID:2420

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{AA81E~1.EXE > nul
4⤵
- System Location Discovery: System Language Discovery
PID:1332

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Windows\{3EC19~1.EXE > nul
3⤵
- System Location Discovery: System Language Discovery
PID:2644

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\7CDCF9~1.EXE > nul
2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11EAD1AB-58E1-4d37-ABFE-EA36AA8CD4C3}.exe

Filesize
83KB

MD5
cf9fcf2476c20f5aad19a5a5263fb27b

SHA1
0e897434cb174ea27c50877298caf5ecd498f2f4

SHA256
ba74a6625e5131a2d4b717df1e181c4bb07f5531c786bfde7775c2109b308f4d

SHA512
363e4a8d67a56ad301e9e112d00231f7a9fa8ebe7da74dc6f3baff25b63d4717c0a130a133b16136a7ad2eb6a8c589a030787da6231cf5456abe123f76096c43

Download Submit
C:\Windows\{39FA6343-6A4C-44a1-A621-BE68BE05D766}.exe

Filesize
83KB

MD5
c4fb180fa23c21f3e9fc7d504e0d5870

SHA1
acd0a1a17fea21a23059c0c68e17e227a0d1b1fc

SHA256
aeab4cf8bac707838f92cb7a830b5dce04cf9ea659bc17452307a1839df8b434

SHA512
136b8869bcf865e3f746f6b1f5e1ca969e8f97da5100f6ce9fddf0a965acff9111e3798e29a1a49b57c2b5a2dc79be98f1fc0b4c3de53a5ba190e7eabda4aa40

Download Submit
C:\Windows\{3EC19664-2173-423d-9459-959AF4FB1D64}.exe

Filesize
83KB

MD5
0e65c79de3b7c76f3bbd210413333cfe

SHA1
272abbb9e4c78184c4861528ef6bb3bc791157cb

SHA256
1eb35abb0e72f7cb01c7f2bb6e2f967168147786be5bbf91d8a771d053eb525c

SHA512
192d17ec66191e941ecac6a639bd56def35f98369728b8c3d3458fd1c6011dbba67ac5598622a8a264c404f34a0d43ab2e50f4c0b3329ebd574ed9aea029d5ba

Download Submit
C:\Windows\{7C6AAFAC-ACA6-49fa-93B4-F8F816627BB2}.exe

Filesize
83KB

MD5
df7a24f9e01521e878da7b8270a1767b

SHA1
40a0fb3710231e79075860021eba7246e7aa228a

SHA256
fa594bc64d877ecc1ffc6ed85c3328811205dce6de734f8ffb0e7655a74c6e19

SHA512
d3d34199a3076e14c3d111e730cb088abd4f379a90ebb2ea0f179116f299b484c16d3abe025c9116c8a7e7b1a3295b595f9cd2421e2505703586b9d27a75aeac

Download Submit
C:\Windows\{83242321-1BBD-429d-8CA8-04A0E52B01DE}.exe

Filesize
83KB

MD5
9e4105da990987a692227dcf60804269

SHA1
ac83ef2fbda81f09c4664631f74658777696f962

SHA256
4c68e14f6486c0e62ee1e4f4e7bcb30393765591da82976acfa564287cdd1eea

SHA512
cd1930d406aa60dbe4f9618ffa704ff67ecae53dfc679b0e78554e6152ef8fee7abe7e99313b5ab0d04c235be8863b00b2fc63d2121bb0eb8c35175784a49dce

Download Submit
C:\Windows\{89E9AD56-99E0-4129-8B3F-183A5E93D1EB}.exe

Filesize
83KB

MD5
47e82cb86aca5a986cf388cf01bf3409

SHA1
8b0c0497ffe87ed69eab37da4474725ab7342598

SHA256
2c57a966153f4ac112bf81c57610fc032cf4db363c49df6676823e6b71effbb4

SHA512
4bb34e7e5d2dcfae07f283a1d4b5376fd1af55a0b006c4027fe158b306cf6bad13d173cb3b0b95e9d3f9fc801af2882d7986d199c1cb3c86c1d99c4cb5c768ba

Download Submit
C:\Windows\{A99F6D0E-35D5-45ee-99A6-0A572BE195A7}.exe

Filesize
83KB

MD5
bb45996488177a034174e3b9ce23dc28

SHA1
64743ba613499e6793e941c6c8fb6336903abf59

SHA256
946b42264fe9ea572ebc162696931d10e353f9120036a3094ef4b7b3b0e80390

SHA512
c3755541a50c5497ea95a3a597a0f1437f206e6ede539a6aa977e3c3255606267f943876fb0296e5fd5488cd15b91542b4d69ca3c75941190c3b93b8b5b50e92

Download Submit
C:\Windows\{AA81E6CA-1F0D-4cba-9158-0E105A33EC7A}.exe

Filesize
83KB

MD5
0902c7273613ff6e5e5262d21dcc8a8f

SHA1
6e506bcad0b1d4993b0aadbeab420bf4847ae4b7

SHA256
ac84030901dae8301f79ba2472df317e1eb368709a0f76828cc60418941db570

SHA512
f72fb9fe30cc3d3024990e8964971b8a7c1cb9afd7bcc858f774405d260e844752741a6399d97cc1922a1b349420c2d7b1bafe9a9b4d3aa76b20489ce78a7046

Download Submit
C:\Windows\{BD5E5CE4-E8AD-46ff-BE47-DF7A1049692E}.exe

Filesize
83KB

MD5
61dd68ee9e7b035d55b8f2be4e491d83

SHA1
3caa988352b511aecabe619a893e228008c6d727

SHA256
654df9095d1c1b134de4d228bb9bf51a156aa8397d19ba791ad175e5aaca5bb2

SHA512
1732ce9e1264c7099601ddedde3768be9c6db7c9ff1d5248ce91c6ea092a2c9764185870a20bd6ecb4d609559ad2482a46e418010e660f1b24f35ab7312afff7

Download Submit
memory/604-42-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/604-39-0x00000000003A0000-0x00000000003B3000-memory.dmp

Filesize
76KB

Download
memory/604-40-0x00000000003A0000-0x00000000003B3000-memory.dmp

Filesize
76KB

Download
memory/604-30-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1052-95-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1864-73-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1864-71-0x0000000000290000-0x00000000002A3000-memory.dmp

Filesize
76KB

Download
memory/1864-72-0x0000000000290000-0x00000000002A3000-memory.dmp

Filesize
76KB

Download
memory/1864-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1916-75-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1916-84-0x00000000002F0000-0x0000000000303000-memory.dmp

Filesize
76KB

Download
memory/1916-83-0x00000000002F0000-0x0000000000303000-memory.dmp

Filesize
76KB

Download
memory/1916-86-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2052-53-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2052-62-0x00000000003B0000-0x00000000003C3000-memory.dmp

Filesize
76KB

Download
memory/2052-61-0x00000000003B0000-0x00000000003C3000-memory.dmp

Filesize
76KB

Download
memory/2052-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2184-51-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2184-50-0x00000000003D0000-0x00000000003E3000-memory.dmp

Filesize
76KB

Download
memory/2184-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2184-46-0x00000000003D0000-0x00000000003E3000-memory.dmp

Filesize
76KB

Download
memory/2316-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2316-19-0x0000000000320000-0x0000000000333000-memory.dmp

Filesize
76KB

Download
memory/2316-9-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2316-18-0x0000000000320000-0x0000000000333000-memory.dmp

Filesize
76KB

Download
memory/2424-85-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2424-94-0x00000000002A0000-0x00000000002B3000-memory.dmp

Filesize
76KB

Download
memory/2424-96-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2716-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2716-31-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2716-29-0x0000000000310000-0x0000000000323000-memory.dmp

Filesize
76KB

Download
memory/2900-7-0x00000000026B0000-0x00000000026C3000-memory.dmp

Filesize
76KB

Download
memory/2900-8-0x00000000026B0000-0x00000000026C3000-memory.dmp

Filesize
76KB

Download
memory/2900-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2900-10-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download