c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9

Analysis

max time kernel
144s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe
Size

90KB
MD5

ce4b012ab72e23e9b69455b5bc1e4e3b
SHA1

63b007c9da69ebdf3adc27d7a2508b43a13c7b7c
SHA256

c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9
SHA512

1d687133de6d565a824242af61bf1350630bea65dd99ad9307d88f011fe11af59027ddc51985420ceb4cbef38c2d7ca32a4e85e85a824c491a59b636fd6aab31
SSDEEP

768:Qvw9816vhKQLroV4/wQRNrfrunMxVFA3b7glws:YEGh0oVl2unMxVS3Hgz

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 22 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe{86514099-BE25-4fba-8513-05099DB3B599}.exe{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe{85CFCA57-95AF-497a-9A30-61FD3300774A}.exec2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe{07FF03C7-70B7-448d-8054-91695F3C862B}.exe{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F726F4-D36B-4ca2-B7F7-F1555307FC02}	{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}	{86514099-BE25-4fba-8513-05099DB3B599}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{394DE64A-6545-4418-92FB-7AF51F2C86EF}	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{394DE64A-6545-4418-92FB-7AF51F2C86EF}\stubpath = "C:\\Windows\\{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe"	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16F526F4-E4B1-405d-84AB-25F28A19B7ED}	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52D265CE-F52E-40c3-AF18-108BC02C914C}\stubpath = "C:\\Windows\\{52D265CE-F52E-40c3-AF18-108BC02C914C}.exe"	{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0735774D-1FF2-4563-AA36-B77C528EDF82}	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86514099-BE25-4fba-8513-05099DB3B599}\stubpath = "C:\\Windows\\{86514099-BE25-4fba-8513-05099DB3B599}.exe"	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85CFCA57-95AF-497a-9A30-61FD3300774A}	{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{52D265CE-F52E-40c3-AF18-108BC02C914C}	{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{91F726F4-D36B-4ca2-B7F7-F1555307FC02}\stubpath = "C:\\Windows\\{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe"	{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{85CFCA57-95AF-497a-9A30-61FD3300774A}\stubpath = "C:\\Windows\\{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe"	{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0735774D-1FF2-4563-AA36-B77C528EDF82}\stubpath = "C:\\Windows\\{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe"	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}\stubpath = "C:\\Windows\\{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe"	{86514099-BE25-4fba-8513-05099DB3B599}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}\stubpath = "C:\\Windows\\{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe"	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92FF6E5E-E09B-41d9-93B1-CF8154917706}	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{92FF6E5E-E09B-41d9-93B1-CF8154917706}\stubpath = "C:\\Windows\\{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe"	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{16F526F4-E4B1-405d-84AB-25F28A19B7ED}\stubpath = "C:\\Windows\\{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe"	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{86514099-BE25-4fba-8513-05099DB3B599}	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07FF03C7-70B7-448d-8054-91695F3C862B}	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{07FF03C7-70B7-448d-8054-91695F3C862B}\stubpath = "C:\\Windows\\{07FF03C7-70B7-448d-8054-91695F3C862B}.exe"	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2836 cmd.exe

pid	process
2836	cmd.exe

Executes dropped EXE 11 IoCs

Processes:

{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe{86514099-BE25-4fba-8513-05099DB3B599}.exe{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe{07FF03C7-70B7-448d-8054-91695F3C862B}.exe{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe{52D265CE-F52E-40c3-AF18-108BC02C914C}.exe

pid	process
2160	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
2952	{86514099-BE25-4fba-8513-05099DB3B599}.exe
2724	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
2268	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
564	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
2092	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
2148	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
652	{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
1248	{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe
1940	{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe
776	{52D265CE-F52E-40c3-AF18-108BC02C914C}.exe

Drops file in Windows directory 11 IoCs

Processes:

c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe{86514099-BE25-4fba-8513-05099DB3B599}.exe{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe{07FF03C7-70B7-448d-8054-91695F3C862B}.exe{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe

description	ioc	process
File created	C:\Windows\{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe
File created	C:\Windows\{86514099-BE25-4fba-8513-05099DB3B599}.exe	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
File created	C:\Windows\{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe	{86514099-BE25-4fba-8513-05099DB3B599}.exe
File created	C:\Windows\{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
File created	C:\Windows\{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
File created	C:\Windows\{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe	{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
File created	C:\Windows\{52D265CE-F52E-40c3-AF18-108BC02C914C}.exe	{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe
File created	C:\Windows\{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
File created	C:\Windows\{07FF03C7-70B7-448d-8054-91695F3C862B}.exe	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
File created	C:\Windows\{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
File created	C:\Windows\{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe	{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe{0735774D-1FF2-4563-AA36-B77C528EDF82}.execmd.exe{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.execmd.exe{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe{86514099-BE25-4fba-8513-05099DB3B599}.execmd.exe{52D265CE-F52E-40c3-AF18-108BC02C914C}.execmd.exe{07FF03C7-70B7-448d-8054-91695F3C862B}.exe{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.execmd.exe{85CFCA57-95AF-497a-9A30-61FD3300774A}.execmd.execmd.execmd.exe{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.execmd.execmd.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{86514099-BE25-4fba-8513-05099DB3B599}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{52D265CE-F52E-40c3-AF18-108BC02C914C}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe{86514099-BE25-4fba-8513-05099DB3B599}.exe{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe{07FF03C7-70B7-448d-8054-91695F3C862B}.exe{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe

description	pid	process
Token: SeIncBasePriorityPrivilege	1520	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe
Token: SeIncBasePriorityPrivilege	2160	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
Token: SeIncBasePriorityPrivilege	2952	{86514099-BE25-4fba-8513-05099DB3B599}.exe
Token: SeIncBasePriorityPrivilege	2724	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
Token: SeIncBasePriorityPrivilege	2268	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
Token: SeIncBasePriorityPrivilege	564	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
Token: SeIncBasePriorityPrivilege	2092	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
Token: SeIncBasePriorityPrivilege	2148	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
Token: SeIncBasePriorityPrivilege	652	{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
Token: SeIncBasePriorityPrivilege	1248	{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe
Token: SeIncBasePriorityPrivilege	1940	{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe{86514099-BE25-4fba-8513-05099DB3B599}.exe{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe{07FF03C7-70B7-448d-8054-91695F3C862B}.exe{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe

description	pid	process	target process
PID 1520 wrote to memory of 2160	1520	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
PID 1520 wrote to memory of 2160	1520	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
PID 1520 wrote to memory of 2160	1520	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
PID 1520 wrote to memory of 2160	1520	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
PID 1520 wrote to memory of 2836	1520	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe	cmd.exe
PID 1520 wrote to memory of 2836	1520	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe	cmd.exe
PID 1520 wrote to memory of 2836	1520	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe	cmd.exe
PID 1520 wrote to memory of 2836	1520	c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe	cmd.exe
PID 2160 wrote to memory of 2952	2160	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe	{86514099-BE25-4fba-8513-05099DB3B599}.exe
PID 2160 wrote to memory of 2952	2160	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe	{86514099-BE25-4fba-8513-05099DB3B599}.exe
PID 2160 wrote to memory of 2952	2160	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe	{86514099-BE25-4fba-8513-05099DB3B599}.exe
PID 2160 wrote to memory of 2952	2160	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe	{86514099-BE25-4fba-8513-05099DB3B599}.exe
PID 2160 wrote to memory of 592	2160	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe	cmd.exe
PID 2160 wrote to memory of 592	2160	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe	cmd.exe
PID 2160 wrote to memory of 592	2160	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe	cmd.exe
PID 2160 wrote to memory of 592	2160	{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe	cmd.exe
PID 2952 wrote to memory of 2724	2952	{86514099-BE25-4fba-8513-05099DB3B599}.exe	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
PID 2952 wrote to memory of 2724	2952	{86514099-BE25-4fba-8513-05099DB3B599}.exe	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
PID 2952 wrote to memory of 2724	2952	{86514099-BE25-4fba-8513-05099DB3B599}.exe	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
PID 2952 wrote to memory of 2724	2952	{86514099-BE25-4fba-8513-05099DB3B599}.exe	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
PID 2952 wrote to memory of 2860	2952	{86514099-BE25-4fba-8513-05099DB3B599}.exe	cmd.exe
PID 2952 wrote to memory of 2860	2952	{86514099-BE25-4fba-8513-05099DB3B599}.exe	cmd.exe
PID 2952 wrote to memory of 2860	2952	{86514099-BE25-4fba-8513-05099DB3B599}.exe	cmd.exe
PID 2952 wrote to memory of 2860	2952	{86514099-BE25-4fba-8513-05099DB3B599}.exe	cmd.exe
PID 2724 wrote to memory of 2268	2724	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
PID 2724 wrote to memory of 2268	2724	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
PID 2724 wrote to memory of 2268	2724	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
PID 2724 wrote to memory of 2268	2724	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
PID 2724 wrote to memory of 2424	2724	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe	cmd.exe
PID 2724 wrote to memory of 2424	2724	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe	cmd.exe
PID 2724 wrote to memory of 2424	2724	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe	cmd.exe
PID 2724 wrote to memory of 2424	2724	{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe	cmd.exe
PID 2268 wrote to memory of 564	2268	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
PID 2268 wrote to memory of 564	2268	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
PID 2268 wrote to memory of 564	2268	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
PID 2268 wrote to memory of 564	2268	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
PID 2268 wrote to memory of 2308	2268	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe	cmd.exe
PID 2268 wrote to memory of 2308	2268	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe	cmd.exe
PID 2268 wrote to memory of 2308	2268	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe	cmd.exe
PID 2268 wrote to memory of 2308	2268	{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe	cmd.exe
PID 564 wrote to memory of 2092	564	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
PID 564 wrote to memory of 2092	564	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
PID 564 wrote to memory of 2092	564	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
PID 564 wrote to memory of 2092	564	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
PID 564 wrote to memory of 2136	564	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe	cmd.exe
PID 564 wrote to memory of 2136	564	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe	cmd.exe
PID 564 wrote to memory of 2136	564	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe	cmd.exe
PID 564 wrote to memory of 2136	564	{07FF03C7-70B7-448d-8054-91695F3C862B}.exe	cmd.exe
PID 2092 wrote to memory of 2148	2092	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
PID 2092 wrote to memory of 2148	2092	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
PID 2092 wrote to memory of 2148	2092	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
PID 2092 wrote to memory of 2148	2092	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
PID 2092 wrote to memory of 1804	2092	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe	cmd.exe
PID 2092 wrote to memory of 1804	2092	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe	cmd.exe
PID 2092 wrote to memory of 1804	2092	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe	cmd.exe
PID 2092 wrote to memory of 1804	2092	{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe	cmd.exe
PID 2148 wrote to memory of 652	2148	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe	{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
PID 2148 wrote to memory of 652	2148	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe	{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
PID 2148 wrote to memory of 652	2148	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe	{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
PID 2148 wrote to memory of 652	2148	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe	{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
PID 2148 wrote to memory of 784	2148	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe	cmd.exe
PID 2148 wrote to memory of 784	2148	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe	cmd.exe
PID 2148 wrote to memory of 784	2148	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe	cmd.exe
PID 2148 wrote to memory of 784	2148	{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe
"C:\Users\Admin\AppData\Local\Temp\c2c4a34d1323b14554310d2f5a367970c120fb99d16be72513c6cc8a9225a8a9.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
  C:\Windows\{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\{86514099-BE25-4fba-8513-05099DB3B599}.exe
    C:\Windows\{86514099-BE25-4fba-8513-05099DB3B599}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
      C:\Windows\{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
        
        C:\Windows\{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2268
      - C:\Windows\{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
        
        C:\Windows\{07FF03C7-70B7-448d-8054-91695F3C862B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:564
        
        C:\Windows\{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
        
        C:\Windows\{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
        
        C:\Windows\{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
        
        C:\Windows\{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
        
        C:\Windows\{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe
        
        C:\Windows\{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe
        
        C:\Windows\{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\{52D265CE-F52E-40c3-AF18-108BC02C914C}.exe
        
        C:\Windows\{52D265CE-F52E-40c3-AF18-108BC02C914C}.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:776
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{85CFC~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{91F72~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{16F52~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{394DE~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{92FF6~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{07FF0~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A5F0~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2308
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{20B9D~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{86514~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{07357~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:592
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\C2C4A3~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0735774D-1FF2-4563-AA36-B77C528EDF82}.exe

Filesize
90KB

MD5
fb55323364a91c4fca12026d3c4468d2

SHA1
b3b6532de40c1a05526ce9ae1704690d1fb78951

SHA256
c458f1ba36b8dde5986518bd761861c11c24a2606821f5bcd990a3599fecdc4a

SHA512
90378293e10a8569cbcd4c784fdc01f9715e8aa8db8de679b56b904ebb8ff4100c26f3953aab6bad2f13b12a7d3c480f3e22d3b1b9880aef784e9552e568c1aa

Download Submit
C:\Windows\{07FF03C7-70B7-448d-8054-91695F3C862B}.exe

Filesize
90KB

MD5
1929c53ad58fbc03a8616194ab0abb5f

SHA1
59c0e186c1b25ffd4659107b57edc062222d23a0

SHA256
48fd65f6b93f2264599f60e694c941898c1d4381624d46411c043f3d877e0d1d

SHA512
a6d17c365e6a86eaf892d885a808423c1f22b7c27c9f7dd26b1a0b05f55ebb58862588f19b2bf5dd9af17f103328b0d11e67c2f763d2f3c290a5ad207e9d68c7

Download Submit
C:\Windows\{16F526F4-E4B1-405d-84AB-25F28A19B7ED}.exe

Filesize
90KB

MD5
e7044eb5d2aad8d70a4e10c002041bfb

SHA1
526bac29512d0c5d1e11685295df3980b693a6d8

SHA256
83fdd9b6d7e188cded1e1872b4cec97ac09e2433981fc0018f49536c40242e9a

SHA512
b55bde0f3e018562edfe50d3da9ccdf3a2c40a30d166c3cd3462dac989759f9a4c98cfe7b6f80ad65debb9a0a619b6155a43a8f4c08102c226a008b9379f5dbe

Download Submit
C:\Windows\{20B9DF9D-1C66-449e-BBCE-A7C9054758ED}.exe

Filesize
90KB

MD5
955b3b96684a5fb4be538c0a69d11e53

SHA1
287ccd15d4a68814bc844a596e7e348b78ce2da7

SHA256
0b868f455c65ed2d8ca84039921db75d0181d267fe7edfbeef6249d8be3bd0d6

SHA512
0cd65337317a49b9d61512649a7343f3f0ac7c398bbb04fb2be7775b10c415d6a7ec1063366d4f6b774970d57b7155b411e11d9bc2696659f1e7d8b38b55dfc2

Download Submit
C:\Windows\{394DE64A-6545-4418-92FB-7AF51F2C86EF}.exe

Filesize
90KB

MD5
dd9bd7d88e737607439dda3e8cbad40f

SHA1
6fe4378f96266ed07214b2f839125ef0f3c26115

SHA256
a3bff3b344293f41e088577be8fc458ec5341868919a02f8612013d36132471d

SHA512
9982a852b50717a737bf8430d1ad1d75f73c49f4ccad57b15ffdffb67438cd55aee278878d0c1b8269391eeb208153ecd746ef6b6353b3fbfd3a7fdd22039be1

Download Submit
C:\Windows\{4A5F0910-D78E-49e7-B1CF-E015F9E3CC8B}.exe

Filesize
90KB

MD5
7a4b6c60c97cf8e2b3084f8b0fdc0d90

SHA1
064741aea7af29a3fdb3e7c58276cfdd2f4199da

SHA256
bb1c8969e0d6fc3e3cf6656d0e4d9f309a05f8553982537e1fde052e51142723

SHA512
10de6a218934824d4a9398399af7ea2b4daa1139383d72e8e8bf2c79bd5bf12f8612d5f61d292318409b239d18c846f9963d5e22c6d0b7024b4e69530b775ce5

Download Submit
C:\Windows\{52D265CE-F52E-40c3-AF18-108BC02C914C}.exe

Filesize
90KB

MD5
60040e7a15da92b889bb334804a9cf9b

SHA1
fee88c8edc56f12f6abf6dff9edba44da1703e92

SHA256
17f0a492d0ecd8fd19240c7b7bd7de1ff4ab88c385cb65730f14d0ac893b031d

SHA512
38014cd95bd56cbbf4e4302905b52c52b926d0c49c9773683b09dc8a9952e0a1d41c6b354d9060fb7a11f262015a7ff481a592267b3d5a2b0d8507d5562b8d26

Download Submit
C:\Windows\{85CFCA57-95AF-497a-9A30-61FD3300774A}.exe

Filesize
90KB

MD5
6ec5cce616978bd4806b7194ca819b2d

SHA1
6aa07cd35b1244b54bede21d9be5e6000ef4d577

SHA256
0e7283327906aeaf16ca66781e3af706d8083ece3e388451d7fe3f210134a2d1

SHA512
b773e9216d157c576505c1dd387b910e1f0d3669309408d00aa0caf33a20779e6a5e6e5ed131449f7618d06f3149a315732c84b0cf162fb7d7ee47d2813f28b3

Download Submit
C:\Windows\{86514099-BE25-4fba-8513-05099DB3B599}.exe

Filesize
90KB

MD5
4f7301d7b41b93cb838071058eb69674

SHA1
e7d0977fa740dec180cb6c3eff8a5370f9af18cc

SHA256
8021c54f4ae726b947434b4535804816073a7640705fc4fb020f307b8823d61e

SHA512
c57e44f15c4676132fac6550f325f01ddb82295ee91cf1e5a377f9bdea710b65d840437337c1a789278d0794c1daeca18cbdd64ac5407e345ba6e4a8d5b2e00b

Download Submit
C:\Windows\{91F726F4-D36B-4ca2-B7F7-F1555307FC02}.exe

Filesize
90KB

MD5
1e8794a2e6a2c26f63089afdfbfd2316

SHA1
5ad7dd40f8a2eb77f255f9491b1dc91b16f90ab8

SHA256
685cb9c439e6fe73e345e124957d4ce04a1e309f9fe7a88f08f6c6d7c23acf97

SHA512
d6cda3b1286ea308ae38ea25a48a6f02b3e5240617b4c358f41dc8abdfa8451c2d3603368eb6c9f261d367c82657c3e24a61e3a68a15e6c634113e1b3239d5ef

Download Submit
C:\Windows\{92FF6E5E-E09B-41d9-93B1-CF8154917706}.exe

Filesize
90KB

MD5
33ee42ac52aac9d5f2b86056c965fe7b

SHA1
7943fab70fd5bfd932712d22a39fad77e8275473

SHA256
b290e4d99e2857ff43ce03e3edaaea117061409c3d06ca29ee7f915280064040

SHA512
ea15cfb05ffdd6bf67584aee6b6e586e084565af987dbf813940a4209d1d725b88954747d73ba71490685a874e60909459eab3127230c5c7f9e8eadec5ac48fd

Download Submit