f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24/10/2023, 11:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe
Size

12.9MB
MD5

b20d81eed193aa21090f5611ddc4c11b
SHA1

b61a0a07402f41a03f545e135be30fa06a6ba093
SHA256

f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec
SHA512

74c015d2545172fe71b1e783b2b435ed70d97672e35d77f4d7dd484d06c875e5d80f1dd25549c863c557a38b2307cc8e7eafb864f7df3310032fd29e2046a1c2
SSDEEP

196608:hmPL01EDJVvi+Kv69a85H1D0JQaIAJWRrhCJVOi+Kv69a85H1D0JQaIAJWRd:MLLMQ5H1DAQaIAJIIvQ5H1DAQaIAJId

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 11 IoCs

pid	Process
4596	win.com
4272	win64.com
2156	¼«ËÙÍøÖ·²É¼¯Æ÷1.0.exe
1036	win64.com
8	win64.com
3912	win64.com
3136	win64.com
2108	win64.com
1504	win64.com
4152	win64.com
1468	win64.com

Loads dropped DLL 10 IoCs

pid	Process
4596	win.com
4272	win64.com
1036	win64.com
8	win64.com
3912	win64.com
3136	win64.com
2108	win64.com
1504	win64.com
4152	win64.com
1468	win64.com

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winww = "C:\\Windows\\System64\\win64.com"	win64.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winww = "C:\\Windows\\System64\\win64.com"	win64.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winww = "C:\\Windows\\System64\\win64.com"	win64.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winww = "C:\\Windows\\System64\\win64.com"	win64.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winww = "C:\\Windows\\System64\\win64.com"	win64.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winww = "C:\\Windows\\System64\\win64.com"	win64.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winww = "C:\\Windows\\System64\\win64.com"	win64.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winww = "C:\\Windows\\System64\\win64.com"	win64.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winw = "C:\\Windows\\System16\\win.com"	win.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winww = "C:\\Windows\\System64\\win64.com"	win64.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	win.com

Drops file in Windows directory 23 IoCs

description	ioc	Process
File created	C:\Windows\¼«ËÙÍøÖ·²É¼¯Æ÷1.0.exe	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe
File created	C:\Windows\System64\Restart.bat	win64.com
File opened for modification	C:\Windows\System64	win64.com
File opened for modification	C:\Windows\System64	win64.com
File opened for modification	C:\Windows\System16	win.com
File opened for modification	C:\Windows\System64	win64.com
File opened for modification	C:\Windows\System64	win64.com
File created	C:\Windows\System64\Restart.bat	win64.com
File opened for modification	C:\Windows\System64	win64.com
File created	C:\Windows\System64\Restart.bat	win64.com
File created	C:\Windows\System16\win.com	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe
File created	C:\Windows\System64\win.ini	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe
File created	C:\Windows\System64\Restart.bat	win64.com
File opened for modification	C:\Windows\System64	win64.com
File opened for modification	C:\Windows\System64	win64.com
File created	C:\Windows\System64\Restart.bat	win64.com
File created	C:\Windows\System64\Restart.bat	win64.com
File created	C:\Windows\System64\Restart.bat	win64.com
File created	C:\Windows\System16\win.ini	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe
File created	C:\Windows\System64\win64.com	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe
File opened for modification	C:\Windows\System64	win64.com
File created	C:\Windows\System64\Restart.bat	win64.com
File opened for modification	C:\Windows\System64	win64.com

Kills process with taskkill 1 IoCs

evasion

pid	Process
3568	taskkill.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
1908	PING.EXE
2920	PING.EXE
3640	PING.EXE
5100	PING.EXE
4716	PING.EXE
4116	PING.EXE
1604	PING.EXE
3268	PING.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	taskkill.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe
1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe
4596	win.com
4596	win.com
4272	win64.com
4272	win64.com
1036	win64.com
1036	win64.com
8	win64.com
8	win64.com
3912	win64.com
3912	win64.com
3136	win64.com
3136	win64.com
2108	win64.com
2108	win64.com
1504	win64.com
1504	win64.com
4152	win64.com
4152	win64.com
1468	win64.com
1468	win64.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1804 wrote to memory of 4596	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	84
PID 1804 wrote to memory of 4596	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	84
PID 1804 wrote to memory of 4596	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	84
PID 1804 wrote to memory of 4272	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	86
PID 1804 wrote to memory of 4272	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	86
PID 1804 wrote to memory of 4272	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	86
PID 1804 wrote to memory of 2156	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	87
PID 1804 wrote to memory of 2156	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	87
PID 1804 wrote to memory of 2156	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	87
PID 1804 wrote to memory of 2300	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	89
PID 1804 wrote to memory of 2300	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	89
PID 1804 wrote to memory of 2300	1804	f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe	89
PID 2300 wrote to memory of 3568	2300	cmd.exe	91
PID 2300 wrote to memory of 3568	2300	cmd.exe	91
PID 2300 wrote to memory of 3568	2300	cmd.exe	91
PID 4272 wrote to memory of 4484	4272	win64.com	93
PID 4272 wrote to memory of 4484	4272	win64.com	93
PID 4272 wrote to memory of 4484	4272	win64.com	93
PID 4484 wrote to memory of 1604	4484	cmd.exe	95
PID 4484 wrote to memory of 1604	4484	cmd.exe	95
PID 4484 wrote to memory of 1604	4484	cmd.exe	95
PID 4484 wrote to memory of 1036	4484	cmd.exe	96
PID 4484 wrote to memory of 1036	4484	cmd.exe	96
PID 4484 wrote to memory of 1036	4484	cmd.exe	96
PID 1036 wrote to memory of 3472	1036	win64.com	98
PID 1036 wrote to memory of 3472	1036	win64.com	98
PID 1036 wrote to memory of 3472	1036	win64.com	98
PID 3472 wrote to memory of 3268	3472	cmd.exe	100
PID 3472 wrote to memory of 3268	3472	cmd.exe	100
PID 3472 wrote to memory of 3268	3472	cmd.exe	100
PID 3472 wrote to memory of 8	3472	cmd.exe	101
PID 3472 wrote to memory of 8	3472	cmd.exe	101
PID 3472 wrote to memory of 8	3472	cmd.exe	101
PID 8 wrote to memory of 2968	8	win64.com	102
PID 8 wrote to memory of 2968	8	win64.com	102
PID 8 wrote to memory of 2968	8	win64.com	102
PID 2968 wrote to memory of 1908	2968	cmd.exe	104
PID 2968 wrote to memory of 1908	2968	cmd.exe	104
PID 2968 wrote to memory of 1908	2968	cmd.exe	104
PID 2968 wrote to memory of 3912	2968	cmd.exe	105
PID 2968 wrote to memory of 3912	2968	cmd.exe	105
PID 2968 wrote to memory of 3912	2968	cmd.exe	105
PID 3912 wrote to memory of 3280	3912	win64.com	106
PID 3912 wrote to memory of 3280	3912	win64.com	106
PID 3912 wrote to memory of 3280	3912	win64.com	106
PID 3280 wrote to memory of 2920	3280	cmd.exe	108
PID 3280 wrote to memory of 2920	3280	cmd.exe	108
PID 3280 wrote to memory of 2920	3280	cmd.exe	108
PID 3280 wrote to memory of 3136	3280	cmd.exe	109
PID 3280 wrote to memory of 3136	3280	cmd.exe	109
PID 3280 wrote to memory of 3136	3280	cmd.exe	109
PID 3136 wrote to memory of 1324	3136	win64.com	110
PID 3136 wrote to memory of 1324	3136	win64.com	110
PID 3136 wrote to memory of 1324	3136	win64.com	110
PID 1324 wrote to memory of 3640	1324	cmd.exe	112
PID 1324 wrote to memory of 3640	1324	cmd.exe	112
PID 1324 wrote to memory of 3640	1324	cmd.exe	112
PID 1324 wrote to memory of 2108	1324	cmd.exe	113
PID 1324 wrote to memory of 2108	1324	cmd.exe	113
PID 1324 wrote to memory of 2108	1324	cmd.exe	113
PID 2108 wrote to memory of 1836	2108	win64.com	114
PID 2108 wrote to memory of 1836	2108	win64.com	114
PID 2108 wrote to memory of 1836	2108	win64.com	114
PID 1836 wrote to memory of 5100	1836	cmd.exe	116

C:\Users\Admin\AppData\Local\Temp\f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe
"C:\Users\Admin\AppData\Local\Temp\f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\System16\win.com
  C:\Windows\System16\win.com
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:4596
- C:\Windows\System64\win64.com
  C:\Windows\System64\win64.com
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\System64\Restart.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      Runs ping.exe
      PID:1604
  - - C:\Windows\System64\win64.com
      "C:\Windows\System64\win64.com"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1036
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\System64\Restart.bat
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3472
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        6⤵
        Runs ping.exe
        
        PID:3268
      - C:\Windows\System64\win64.com
        
        "C:\Windows\System64\win64.com"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\System64\Restart.bat
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        8⤵
        Runs ping.exe
        
        PID:1908
        
        C:\Windows\System64\win64.com
        
        "C:\Windows\System64\win64.com"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\System64\Restart.bat
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        10⤵
        Runs ping.exe
        
        PID:2920
        
        C:\Windows\System64\win64.com
        
        "C:\Windows\System64\win64.com"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\System64\Restart.bat
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        12⤵
        Runs ping.exe
        
        PID:3640
        
        C:\Windows\System64\win64.com
        
        "C:\Windows\System64\win64.com"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\System64\Restart.bat
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1836
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        14⤵
        Runs ping.exe
        
        PID:5100
        
        C:\Windows\System64\win64.com
        
        "C:\Windows\System64\win64.com"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\System64\Restart.bat
        15⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        16⤵
        Runs ping.exe
        
        PID:4716
        
        C:\Windows\System64\win64.com
        
        "C:\Windows\System64\win64.com"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\System64\Restart.bat
        17⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 2
        18⤵
        Runs ping.exe
        
        PID:4116
        
        C:\Windows\System64\win64.com
        
        "C:\Windows\System64\win64.com"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1468
- C:\Windows\¼«ËÙÍøÖ·²É¼¯Æ÷1.0.exe
  C:\Windows\¼«ËÙÍøÖ·²É¼¯Æ÷1.0.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\update.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\taskkill.exe
    Taskkill /f /im f503fdd894ce9c8a8babe19a710c51ba989535870e768d9ede6f76306018d0ec.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2EECore.3.3.6.dll

Filesize
10.7MB

MD5
b7f9fba5ac9652dd1b709d96f6efb247

SHA1
7b966c4f7312c07b5cc7e6764f34f068d2c1273d

SHA256
d02b10f7a7c7f5cda18ce7aa35e577adbfbbeecaf194fe5963a81ae07bac9597

SHA512
d451cb784db56ba9c36727afa7be064d803beab782fcff51c4e11c58017cd8ad7464d73a43202b9b02a6e87f7d0f3c699d6533935c1543fdf774712404c7dadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
369B

MD5
dda5f94f152ad85fb0af4ab4d52e13b8

SHA1
9125fbf32e00224f31f655429726735c4b42fe71

SHA256
d52d69623df581513d9d0e416f7721687fb03c85d8a81a9dcd6d9423c6cb1d68

SHA512
34adc61d49c490969d56cd0eea668251395abf88bc4a1944d0299e5dbc15d0a9298f49cfd5795574bae12ceb423b6c463670bb3fb262fd4cc015857b745398fc

Download Submit
C:\Windows\System16\win.com

Filesize
5.9MB

MD5
7ee294863242ba3a361bcfe7b62db357

SHA1
27564ec0e95cd8382d1f451d940f2c40e2aa23a6

SHA256
315c291642e3469a50febb638f11e4aeb8057ee41ce8dafacabfe3700d766ed6

SHA512
5fc574d49ff6dadfd95d481fc8fd9143780af03f41c295445a3c5896550e18301f2daa029a5e567c907a7cc246db2d75d4bfb23c3084b4a27461c360138482ea

Download Submit
C:\Windows\System16\win.com

Filesize
5.9MB

MD5
7ee294863242ba3a361bcfe7b62db357

SHA1
27564ec0e95cd8382d1f451d940f2c40e2aa23a6

SHA256
315c291642e3469a50febb638f11e4aeb8057ee41ce8dafacabfe3700d766ed6

SHA512
5fc574d49ff6dadfd95d481fc8fd9143780af03f41c295445a3c5896550e18301f2daa029a5e567c907a7cc246db2d75d4bfb23c3084b4a27461c360138482ea

Download Submit
C:\Windows\System16\win.ini

Filesize
24B

MD5
b673c35e2b1534bdda888bfe48d9b5c8

SHA1
2ef761b20938bce82d965527bb3f3ef4616da310

SHA256
2e7fd0c57a92a41d2dc6c462c30688e2ba93f04804358e6451348e21703df8e4

SHA512
f08daadf7902ad4bc56df9590e886b8e62fe34da0b4aa54ce72a70fcf0ec721642132e2cb0d636a0b99aa2431f745fca85b05334100c30a795f8efc0e805f863

Download Submit
C:\Windows\System64\Restart.bat

Filesize
96B

MD5
2863f4afef588d3aa8cc9fa938d967d3

SHA1
88e2f2fff15d5123f692003febcb6ac67ea549e4

SHA256
584bd2cec7396f9742da538f7f6de2d8a921a20e3362d6ec0be4065ff53d3a71

SHA512
023b9614eeef0782620f54d71b41aa9db36b7d1a92df8c4d5c7274d619a2324bd7dee0dc5c788988ab7224ba8ee2ef65a216c6c2d4c61d6e52b92e25cddde65b

Download Submit
C:\Windows\System64\Restart.bat

Filesize
96B

MD5
2863f4afef588d3aa8cc9fa938d967d3

SHA1
88e2f2fff15d5123f692003febcb6ac67ea549e4

SHA256
584bd2cec7396f9742da538f7f6de2d8a921a20e3362d6ec0be4065ff53d3a71

SHA512
023b9614eeef0782620f54d71b41aa9db36b7d1a92df8c4d5c7274d619a2324bd7dee0dc5c788988ab7224ba8ee2ef65a216c6c2d4c61d6e52b92e25cddde65b

Download Submit
C:\Windows\System64\Restart.bat

Filesize
96B

MD5
2863f4afef588d3aa8cc9fa938d967d3

SHA1
88e2f2fff15d5123f692003febcb6ac67ea549e4

SHA256
584bd2cec7396f9742da538f7f6de2d8a921a20e3362d6ec0be4065ff53d3a71

SHA512
023b9614eeef0782620f54d71b41aa9db36b7d1a92df8c4d5c7274d619a2324bd7dee0dc5c788988ab7224ba8ee2ef65a216c6c2d4c61d6e52b92e25cddde65b

Download Submit
C:\Windows\System64\Restart.bat

Filesize
96B

MD5
2863f4afef588d3aa8cc9fa938d967d3

SHA1
88e2f2fff15d5123f692003febcb6ac67ea549e4

SHA256
584bd2cec7396f9742da538f7f6de2d8a921a20e3362d6ec0be4065ff53d3a71

SHA512
023b9614eeef0782620f54d71b41aa9db36b7d1a92df8c4d5c7274d619a2324bd7dee0dc5c788988ab7224ba8ee2ef65a216c6c2d4c61d6e52b92e25cddde65b

Download Submit
C:\Windows\System64\Restart.bat

Filesize
96B

MD5
2863f4afef588d3aa8cc9fa938d967d3

SHA1
88e2f2fff15d5123f692003febcb6ac67ea549e4

SHA256
584bd2cec7396f9742da538f7f6de2d8a921a20e3362d6ec0be4065ff53d3a71

SHA512
023b9614eeef0782620f54d71b41aa9db36b7d1a92df8c4d5c7274d619a2324bd7dee0dc5c788988ab7224ba8ee2ef65a216c6c2d4c61d6e52b92e25cddde65b

Download Submit
C:\Windows\System64\Restart.bat

Filesize
96B

MD5
2863f4afef588d3aa8cc9fa938d967d3

SHA1
88e2f2fff15d5123f692003febcb6ac67ea549e4

SHA256
584bd2cec7396f9742da538f7f6de2d8a921a20e3362d6ec0be4065ff53d3a71

SHA512
023b9614eeef0782620f54d71b41aa9db36b7d1a92df8c4d5c7274d619a2324bd7dee0dc5c788988ab7224ba8ee2ef65a216c6c2d4c61d6e52b92e25cddde65b

Download Submit
C:\Windows\System64\Restart.bat

Filesize
96B

MD5
2863f4afef588d3aa8cc9fa938d967d3

SHA1
88e2f2fff15d5123f692003febcb6ac67ea549e4

SHA256
584bd2cec7396f9742da538f7f6de2d8a921a20e3362d6ec0be4065ff53d3a71

SHA512
023b9614eeef0782620f54d71b41aa9db36b7d1a92df8c4d5c7274d619a2324bd7dee0dc5c788988ab7224ba8ee2ef65a216c6c2d4c61d6e52b92e25cddde65b

Download Submit
C:\Windows\System64\Restart.bat

Filesize
96B

MD5
2863f4afef588d3aa8cc9fa938d967d3

SHA1
88e2f2fff15d5123f692003febcb6ac67ea549e4

SHA256
584bd2cec7396f9742da538f7f6de2d8a921a20e3362d6ec0be4065ff53d3a71

SHA512
023b9614eeef0782620f54d71b41aa9db36b7d1a92df8c4d5c7274d619a2324bd7dee0dc5c788988ab7224ba8ee2ef65a216c6c2d4c61d6e52b92e25cddde65b

Download Submit
C:\Windows\System64\Restart.bat

Filesize
96B

MD5
2863f4afef588d3aa8cc9fa938d967d3

SHA1
88e2f2fff15d5123f692003febcb6ac67ea549e4

SHA256
584bd2cec7396f9742da538f7f6de2d8a921a20e3362d6ec0be4065ff53d3a71

SHA512
023b9614eeef0782620f54d71b41aa9db36b7d1a92df8c4d5c7274d619a2324bd7dee0dc5c788988ab7224ba8ee2ef65a216c6c2d4c61d6e52b92e25cddde65b

Download Submit
C:\Windows\System64\win.ini

Filesize
24B

MD5
48091964055fa1153e0425f4d289fe06

SHA1
745cfb6b03c1e4bfdbf6d0f9ca5af1376751ce3f

SHA256
cb63647c7aa9a13a620ae8f7fb199f53f3aadcbf1b6191dd830489d4e32cf3b9

SHA512
83e94fafa7918b7d951c96f588a507963b1b4bc6b996419a73f95de8cdf87f7f1a1052e5d9122110e9416e9fa9bdbef5083d5ebc54bdb22393f44d8fa8ea555f

Download Submit
C:\Windows\System64\win64.com

Filesize
5.9MB

MD5
fa863ff2e414d11ced807e3647341072

SHA1
86774bb82b9ae00be0e8cd88f81fc2afca248944

SHA256
bac98f723eded69d849024af1fae4e3d3896208298db986cd3cc33035eb14239

SHA512
f747f56628d75e6b638376b67ed8ea2405f50f84a7e45e07f58b4799dab2718b59ab865c90ae0c0a8481418a57ad1daa35dbbf00aed97853d74b0695ff6f2cac

Download Submit
C:\Windows\System64\win64.com

Filesize
5.9MB

MD5
fa863ff2e414d11ced807e3647341072

SHA1
86774bb82b9ae00be0e8cd88f81fc2afca248944

SHA256
bac98f723eded69d849024af1fae4e3d3896208298db986cd3cc33035eb14239

SHA512
f747f56628d75e6b638376b67ed8ea2405f50f84a7e45e07f58b4799dab2718b59ab865c90ae0c0a8481418a57ad1daa35dbbf00aed97853d74b0695ff6f2cac

Download Submit
C:\Windows\System64\win64.com

Filesize
5.9MB

MD5
fa863ff2e414d11ced807e3647341072

SHA1
86774bb82b9ae00be0e8cd88f81fc2afca248944

SHA256
bac98f723eded69d849024af1fae4e3d3896208298db986cd3cc33035eb14239

SHA512
f747f56628d75e6b638376b67ed8ea2405f50f84a7e45e07f58b4799dab2718b59ab865c90ae0c0a8481418a57ad1daa35dbbf00aed97853d74b0695ff6f2cac

Download Submit
C:\Windows\System64\win64.com

Filesize
5.9MB

MD5
fa863ff2e414d11ced807e3647341072

SHA1
86774bb82b9ae00be0e8cd88f81fc2afca248944

SHA256
bac98f723eded69d849024af1fae4e3d3896208298db986cd3cc33035eb14239

SHA512
f747f56628d75e6b638376b67ed8ea2405f50f84a7e45e07f58b4799dab2718b59ab865c90ae0c0a8481418a57ad1daa35dbbf00aed97853d74b0695ff6f2cac

Download Submit
C:\Windows\System64\win64.com

Filesize
5.9MB

MD5
fa863ff2e414d11ced807e3647341072

SHA1
86774bb82b9ae00be0e8cd88f81fc2afca248944

SHA256
bac98f723eded69d849024af1fae4e3d3896208298db986cd3cc33035eb14239

SHA512
f747f56628d75e6b638376b67ed8ea2405f50f84a7e45e07f58b4799dab2718b59ab865c90ae0c0a8481418a57ad1daa35dbbf00aed97853d74b0695ff6f2cac

Download Submit
C:\Windows\System64\win64.com

Filesize
5.9MB

MD5
fa863ff2e414d11ced807e3647341072

SHA1
86774bb82b9ae00be0e8cd88f81fc2afca248944

SHA256
bac98f723eded69d849024af1fae4e3d3896208298db986cd3cc33035eb14239

SHA512
f747f56628d75e6b638376b67ed8ea2405f50f84a7e45e07f58b4799dab2718b59ab865c90ae0c0a8481418a57ad1daa35dbbf00aed97853d74b0695ff6f2cac

Download Submit
C:\Windows\System64\win64.com

Filesize
5.9MB

MD5
fa863ff2e414d11ced807e3647341072

SHA1
86774bb82b9ae00be0e8cd88f81fc2afca248944

SHA256
bac98f723eded69d849024af1fae4e3d3896208298db986cd3cc33035eb14239

SHA512
f747f56628d75e6b638376b67ed8ea2405f50f84a7e45e07f58b4799dab2718b59ab865c90ae0c0a8481418a57ad1daa35dbbf00aed97853d74b0695ff6f2cac

Download Submit
C:\Windows\System64\win64.com

Filesize
5.9MB

MD5
fa863ff2e414d11ced807e3647341072

SHA1
86774bb82b9ae00be0e8cd88f81fc2afca248944

SHA256
bac98f723eded69d849024af1fae4e3d3896208298db986cd3cc33035eb14239

SHA512
f747f56628d75e6b638376b67ed8ea2405f50f84a7e45e07f58b4799dab2718b59ab865c90ae0c0a8481418a57ad1daa35dbbf00aed97853d74b0695ff6f2cac

Download Submit
C:\Windows\System64\win64.com

Filesize
5.9MB

MD5
fa863ff2e414d11ced807e3647341072

SHA1
86774bb82b9ae00be0e8cd88f81fc2afca248944

SHA256
bac98f723eded69d849024af1fae4e3d3896208298db986cd3cc33035eb14239

SHA512
f747f56628d75e6b638376b67ed8ea2405f50f84a7e45e07f58b4799dab2718b59ab865c90ae0c0a8481418a57ad1daa35dbbf00aed97853d74b0695ff6f2cac

Download Submit
C:\Windows\System64\win64.com

Filesize
5.9MB

MD5
fa863ff2e414d11ced807e3647341072

SHA1
86774bb82b9ae00be0e8cd88f81fc2afca248944

SHA256
bac98f723eded69d849024af1fae4e3d3896208298db986cd3cc33035eb14239

SHA512
f747f56628d75e6b638376b67ed8ea2405f50f84a7e45e07f58b4799dab2718b59ab865c90ae0c0a8481418a57ad1daa35dbbf00aed97853d74b0695ff6f2cac

Download Submit
C:\Windows\¼«ËÙÍøÖ·²É¼¯Æ÷1.0.exe

Filesize
153KB

MD5
f9efff4b349db3c4a9d2ffc836c06fa8

SHA1
69545df70e51bed18891081ed24718b716d08bd8

SHA256
4788acb85168eff1f2000773ed89596d9c973211e3178158d9916f39f53e1f5e

SHA512
5e3fad1081210c99458d115ff2606d6e9027f3dfafdbd753b93f629c9b369a5536876ea8197fd47ab93e7f75b0eddb8fc790c67fef4ec2aa0a18937c957262d3

Download Submit
C:\Windows\¼«ËÙÍøÖ·²É¼¯Æ÷1.0.exe

Filesize
153KB

MD5
f9efff4b349db3c4a9d2ffc836c06fa8

SHA1
69545df70e51bed18891081ed24718b716d08bd8

SHA256
4788acb85168eff1f2000773ed89596d9c973211e3178158d9916f39f53e1f5e

SHA512
5e3fad1081210c99458d115ff2606d6e9027f3dfafdbd753b93f629c9b369a5536876ea8197fd47ab93e7f75b0eddb8fc790c67fef4ec2aa0a18937c957262d3

Download Submit
memory/2156-31-0x0000000005730000-0x000000000573A000-memory.dmp

Filesize
40KB

Download
memory/2156-28-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/2156-30-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2156-25-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/2156-24-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/2156-35-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2156-23-0x0000000000D30000-0x0000000000D5C000-memory.dmp

Filesize
176KB

Download
memory/2156-32-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download
memory/2156-33-0x0000000073E80000-0x0000000074630000-memory.dmp

Filesize
7.7MB

Download
memory/2156-34-0x0000000005720000-0x0000000005730000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads