63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863

Analysis

max time kernel
113s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 22:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe
Size

91KB
MD5

1dae4eabf236e67e6c74122f695640cb
SHA1

cc2f0532715b38ea35834311418dbf2fc4f308f0
SHA256

63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863
SHA512

623693604ca8068853d571b953df17bfdc8cada0fe605be3a664e90c5d950bf053d08fc0710343a1eab09e0eee7e187899bce44c4fc257ebeef85684ab268e75
SSDEEP

768:5vw9816uhKirop4/wQNNrfrunMxVFA3b7t:lEGkmoplCunMxVS3Ht

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}\stubpath = "C:\\Windows\\{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe"	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83C5933-4613-4f82-92B6-A9B4F40B789C}	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CF6191D-C86E-4e78-8C27-94CF0002CFAB}	{E83C5933-4613-4f82-92B6-A9B4F40B789C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5CF6191D-C86E-4e78-8C27-94CF0002CFAB}\stubpath = "C:\\Windows\\{5CF6191D-C86E-4e78-8C27-94CF0002CFAB}.exe"	{E83C5933-4613-4f82-92B6-A9B4F40B789C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE76797B-0766-4a95-BD84-A3B81564AC1C}	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A566DB8F-96A7-493b-9835-69407359CA1A}	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C38EAAD2-6D69-4b65-896E-2285543D9669}\stubpath = "C:\\Windows\\{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe"	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E6A48A1-06DC-4646-BEA1-D141173EF877}	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5E6A48A1-06DC-4646-BEA1-D141173EF877}\stubpath = "C:\\Windows\\{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe"	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E83C5933-4613-4f82-92B6-A9B4F40B789C}\stubpath = "C:\\Windows\\{E83C5933-4613-4f82-92B6-A9B4F40B789C}.exe"	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A566DB8F-96A7-493b-9835-69407359CA1A}\stubpath = "C:\\Windows\\{A566DB8F-96A7-493b-9835-69407359CA1A}.exe"	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C38EAAD2-6D69-4b65-896E-2285543D9669}	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}\stubpath = "C:\\Windows\\{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe"	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}\stubpath = "C:\\Windows\\{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe"	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{FE76797B-0766-4a95-BD84-A3B81564AC1C}\stubpath = "C:\\Windows\\{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe"	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2924	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe
2852	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe
2624	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe
2676	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe
1196	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe
1448	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe
2556	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe
1260	{E83C5933-4613-4f82-92B6-A9B4F40B789C}.exe
2468	{5CF6191D-C86E-4e78-8C27-94CF0002CFAB}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe
File created	C:\Windows\{5CF6191D-C86E-4e78-8C27-94CF0002CFAB}.exe	{E83C5933-4613-4f82-92B6-A9B4F40B789C}.exe
File created	C:\Windows\{A566DB8F-96A7-493b-9835-69407359CA1A}.exe	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe
File created	C:\Windows\{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe
File created	C:\Windows\{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe
File created	C:\Windows\{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe
File created	C:\Windows\{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe
File created	C:\Windows\{E83C5933-4613-4f82-92B6-A9B4F40B789C}.exe	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe
File created	C:\Windows\{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2096	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe
Token: SeIncBasePriorityPrivilege	2924	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe
Token: SeIncBasePriorityPrivilege	2852	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe
Token: SeIncBasePriorityPrivilege	2624	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe
Token: SeIncBasePriorityPrivilege	2676	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe
Token: SeIncBasePriorityPrivilege	1196	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe
Token: SeIncBasePriorityPrivilege	1448	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe
Token: SeIncBasePriorityPrivilege	2556	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe
Token: SeIncBasePriorityPrivilege	1260	{E83C5933-4613-4f82-92B6-A9B4F40B789C}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2096 wrote to memory of 2924	2096	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe	28
PID 2096 wrote to memory of 2924	2096	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe	28
PID 2096 wrote to memory of 2924	2096	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe	28
PID 2096 wrote to memory of 2924	2096	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe	28
PID 2096 wrote to memory of 2052	2096	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe	29
PID 2096 wrote to memory of 2052	2096	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe	29
PID 2096 wrote to memory of 2052	2096	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe	29
PID 2096 wrote to memory of 2052	2096	63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe	29
PID 2924 wrote to memory of 2852	2924	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe	30
PID 2924 wrote to memory of 2852	2924	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe	30
PID 2924 wrote to memory of 2852	2924	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe	30
PID 2924 wrote to memory of 2852	2924	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe	30
PID 2924 wrote to memory of 2604	2924	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe	31
PID 2924 wrote to memory of 2604	2924	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe	31
PID 2924 wrote to memory of 2604	2924	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe	31
PID 2924 wrote to memory of 2604	2924	{A566DB8F-96A7-493b-9835-69407359CA1A}.exe	31
PID 2852 wrote to memory of 2624	2852	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe	32
PID 2852 wrote to memory of 2624	2852	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe	32
PID 2852 wrote to memory of 2624	2852	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe	32
PID 2852 wrote to memory of 2624	2852	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe	32
PID 2852 wrote to memory of 2544	2852	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe	33
PID 2852 wrote to memory of 2544	2852	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe	33
PID 2852 wrote to memory of 2544	2852	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe	33
PID 2852 wrote to memory of 2544	2852	{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe	33
PID 2624 wrote to memory of 2676	2624	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe	36
PID 2624 wrote to memory of 2676	2624	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe	36
PID 2624 wrote to memory of 2676	2624	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe	36
PID 2624 wrote to memory of 2676	2624	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe	36
PID 2624 wrote to memory of 2796	2624	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe	37
PID 2624 wrote to memory of 2796	2624	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe	37
PID 2624 wrote to memory of 2796	2624	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe	37
PID 2624 wrote to memory of 2796	2624	{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe	37
PID 2676 wrote to memory of 1196	2676	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe	38
PID 2676 wrote to memory of 1196	2676	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe	38
PID 2676 wrote to memory of 1196	2676	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe	38
PID 2676 wrote to memory of 1196	2676	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe	38
PID 2676 wrote to memory of 1588	2676	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe	39
PID 2676 wrote to memory of 1588	2676	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe	39
PID 2676 wrote to memory of 1588	2676	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe	39
PID 2676 wrote to memory of 1588	2676	{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe	39
PID 1196 wrote to memory of 1448	1196	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe	40
PID 1196 wrote to memory of 1448	1196	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe	40
PID 1196 wrote to memory of 1448	1196	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe	40
PID 1196 wrote to memory of 1448	1196	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe	40
PID 1196 wrote to memory of 1580	1196	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe	41
PID 1196 wrote to memory of 1580	1196	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe	41
PID 1196 wrote to memory of 1580	1196	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe	41
PID 1196 wrote to memory of 1580	1196	{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe	41
PID 1448 wrote to memory of 2556	1448	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe	42
PID 1448 wrote to memory of 2556	1448	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe	42
PID 1448 wrote to memory of 2556	1448	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe	42
PID 1448 wrote to memory of 2556	1448	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe	42
PID 1448 wrote to memory of 1624	1448	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe	43
PID 1448 wrote to memory of 1624	1448	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe	43
PID 1448 wrote to memory of 1624	1448	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe	43
PID 1448 wrote to memory of 1624	1448	{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe	43
PID 2556 wrote to memory of 1260	2556	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe	44
PID 2556 wrote to memory of 1260	2556	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe	44
PID 2556 wrote to memory of 1260	2556	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe	44
PID 2556 wrote to memory of 1260	2556	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe	44
PID 2556 wrote to memory of 2240	2556	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe	45
PID 2556 wrote to memory of 2240	2556	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe	45
PID 2556 wrote to memory of 2240	2556	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe	45
PID 2556 wrote to memory of 2240	2556	{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe	45

C:\Users\Admin\AppData\Local\Temp\63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe
"C:\Users\Admin\AppData\Local\Temp\63466aaeb1c59461c309449977de4160ad36b242c484115019176bc930fa0863.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\{A566DB8F-96A7-493b-9835-69407359CA1A}.exe
  C:\Windows\{A566DB8F-96A7-493b-9835-69407359CA1A}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe
    C:\Windows\{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2852
  - - C:\Windows\{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe
      C:\Windows\{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2624
    - - C:\Windows\{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe
        
        C:\Windows\{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2676
      - C:\Windows\{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe
        
        C:\Windows\{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1196
        
        C:\Windows\{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe
        
        C:\Windows\{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1448
        
        C:\Windows\{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe
        
        C:\Windows\{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2556
        
        C:\Windows\{E83C5933-4613-4f82-92B6-A9B4F40B789C}.exe
        
        C:\Windows\{E83C5933-4613-4f82-92B6-A9B4F40B789C}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\{5CF6191D-C86E-4e78-8C27-94CF0002CFAB}.exe
        
        C:\Windows\{5CF6191D-C86E-4e78-8C27-94CF0002CFAB}.exe
        10⤵
        Executes dropped EXE
        
        PID:2468
        
        C:\Windows\{272E5FD3-931F-477d-8A6E-6966480C7DD2}.exe
        
        C:\Windows\{272E5FD3-931F-477d-8A6E-6966480C7DD2}.exe
        11⤵
        
        PID:1140
        
        C:\Windows\{35F432E0-C5DE-4dc5-A975-BA7DCA2C3D16}.exe
        
        C:\Windows\{35F432E0-C5DE-4dc5-A975-BA7DCA2C3D16}.exe
        12⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{272E5~1.EXE > nul
        12⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5CF61~1.EXE > nul
        11⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E83C5~1.EXE > nul
        10⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FE767~1.EXE > nul
        9⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{420B0~1.EXE > nul
        8⤵
        
        PID:1624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B7F1E~1.EXE > nul
        7⤵
        
        PID:1580
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{5E6A4~1.EXE > nul
        6⤵
        
        PID:1588
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{751E3~1.EXE > nul
        5⤵
        
        PID:2796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{C38EA~1.EXE > nul
      4⤵
      PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{A566D~1.EXE > nul
    3⤵
    PID:2604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\63466A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{272E5FD3-931F-477d-8A6E-6966480C7DD2}.exe

Filesize
91KB

MD5
6aa35db24d97b258590890f8362dc95c

SHA1
040c93f54a00f8eb231f58b080cf55f20e090eda

SHA256
b4a46181e0c3881fc090e393f613ae7185f2d0f1cfb27ba0849bd55f9a48bd03

SHA512
57c589b11ef0dfb00f62d7a06b6dcf2bb4989031d8a0a250001eec438362e46e2a16873c8cdb45f0c7b5f96224dbddfb728d62702a625b335661c73eb28b4c4f

Download Submit
C:\Windows\{35F432E0-C5DE-4dc5-A975-BA7DCA2C3D16}.exe

Filesize
91KB

MD5
6805d38b741ed1873b4f80f70479c8a8

SHA1
3439db349cac792cb6426d58dffdb03da12411fa

SHA256
55ed1dddfe9c5dae79d3c66b0d0a091587ccdeae7cd932acde901142feb8fe86

SHA512
90a85f70efcb6de7190e3c9bda5c35ccf2f55a95a59480ff91a2a97c1b235a1d40fa52dc6ab94cf5f937b4392e74569bd7e604c427b0625c3a29277833aae17b

Download Submit
C:\Windows\{420B04F1-2325-42e7-9DC8-B0A17E28A4BD}.exe

Filesize
91KB

MD5
05ce7b03ab1095110277b1a84d90a44c

SHA1
2056c7ae2b6be347078ced769dccb9d36b602795

SHA256
04d15c3783d27ad1d70353a628cba84538842ee09fbb3aefde7c86959cd6550b

SHA512
42fe06af095fe26fdb8e13d8c9938369ac19e5cd8271ba8fc6a561cf768fcf3cb2fb14618f29b668ec70d52cbd8e8f8ca170579f5fa1b1d80e472dd7b95c846d

Download Submit
C:\Windows\{5CF6191D-C86E-4e78-8C27-94CF0002CFAB}.exe

Filesize
91KB

MD5
cedc510f6ab01216c2bd6c804626e8f2

SHA1
20ba9e04537bd276963bdb300da2c002057dd419

SHA256
be703c23cfe3638825798d0f7b273d2f5266a021c472f9ed6c79b5cb693aa2d5

SHA512
a955d4de73d32aa1e6b6567e7c869d7983ffccedf9d4c74db19c8a9f198308b08568c4681c4b2197cc6737d4585c0a2e3011dcbc9bb5541393af65aaecf15da2

Download Submit
C:\Windows\{5E6A48A1-06DC-4646-BEA1-D141173EF877}.exe

Filesize
91KB

MD5
c758fe5b5a35c984269e36377379811c

SHA1
33e22d6b1bd980ea6e9f8985822ba69cec3da4aa

SHA256
ccc354f02a9e53eb4eb4a4a891aadb165f25f27b91067017153887ee8277c8fd

SHA512
71cb28c62da333f2d0c935d0de4482da85f7590f781deb56bb0c346d7e52c7c7c31c52bd637d0a4da7f3c68654b66cc5add375319b2185d69b3f328bf31f9575

Download Submit
C:\Windows\{751E38E1-8A28-4c58-AC8A-7CAA749FBAD4}.exe

Filesize
91KB

MD5
bd92167e3d0a788e993ba33460a8b3ac

SHA1
fd5f21d314d2547024006dd8c50b488ef67767f1

SHA256
79a1facd93ac56301508dac793dc60ac81118bb1ebe872d8e6b93abce7091c48

SHA512
489e6262caf992dc77c348452fce4e26acf5715abcb022cc58f6f1031a35c2ae2810442ede18dcb3ec2a7d0c437ab0aaa1950e8e1c8790acfa7205d57d67a62e

Download Submit
C:\Windows\{A566DB8F-96A7-493b-9835-69407359CA1A}.exe

Filesize
91KB

MD5
24239df1059a76987b6e06ec787a2534

SHA1
21189ee2773221353fff05e04701cd30e280c722

SHA256
e7304e8ed2c4e01217ca17db7908b7f1bf1af1b3a6e5a6c4d125c4e5f5561816

SHA512
6439a54c3d0b6f68140a6e600f6ff6b6b892da74763576846ddb6e43a61601573e1c5e3bfd2dc28dac33da52349e94cd851dfe0bf2243a72fad6c3f08cb385fa

Download Submit
C:\Windows\{B7F1EB85-7EA4-45ab-995F-F575FBA2F321}.exe

Filesize
91KB

MD5
6e45ff1aac77b09be53941e598394b53

SHA1
85f6235dff5ff3231419093871ed6b6a9f06f01c

SHA256
ba16967029e7e243bda6684c5e9985fa73ef810f27b3dd51e9cc35353331275b

SHA512
77694dc8e2fa6f664c3187d342db9b6727a9855e37ec10210f27dd2cf31f3b42fb6caad6d490f9a4caca2b21dd03cf4e8bbebad3e4ffc011808d84753dcb9b88

Download Submit
C:\Windows\{C38EAAD2-6D69-4b65-896E-2285543D9669}.exe

Filesize
91KB

MD5
0a8424349e9686fc01863ab0ecd429b8

SHA1
dd3e63995cedbae01c763b83e5a609fe6176a1da

SHA256
7a105e0381209625e884866f258f326324b5d7e676ac7b287b37298d55d5a445

SHA512
96e4e6cd93fd28913ba907375c0d36a83ddafea5c22bfe7443fabff584ae432ad83a1fd124f18ac0f3cd1187494ea11e4efc2a1de598fdd05e1cc923e0a7510a

Download Submit
C:\Windows\{E83C5933-4613-4f82-92B6-A9B4F40B789C}.exe

Filesize
91KB

MD5
1d6b3ddd8c04e848b9870f95845e0a57

SHA1
5c699cbc62a06a4538993f8f0fa15e00fc394e35

SHA256
53ffb6147d06d1ef49972dbdcdce0abae514300f66e8719a7b02f0a2cc338779

SHA512
cb80c690bf94c30de12abdc229f200871878d829b32b2e20e0aca97ce85e398dafc8fa0552c6b619f2f5cddc3fb3ea8281db95b8fa9d22fbb0b90f3d3724c6d1

Download Submit
C:\Windows\{FE76797B-0766-4a95-BD84-A3B81564AC1C}.exe

Filesize
91KB

MD5
c9bb74211130243fbb9a8766f0c2e4f3

SHA1
27f7311701aba5741c0c2adfbfaf4f3846b3e3c7

SHA256
cdd83dd97bca3f5b2c54822b2281fc85171e72c61bc0ec86110472ba34aeec11

SHA512
f39eaa613f6e6c36b550dc3acbb6bf257e80c68fe37cdec20066deed0b56561e17768d4931179ffecbb09b204cd93be36dcd33f409467bf49d2d5ab01c1e795f

Download Submit
memory/1140-99-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1140-96-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/1140-95-0x0000000000320000-0x0000000000331000-memory.dmp

Filesize
68KB

Download
memory/1196-54-0x0000000000360000-0x0000000000371000-memory.dmp

Filesize
68KB

Download
memory/1196-56-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1260-81-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1448-60-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download
memory/2096-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2096-7-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2096-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2096-4-0x0000000000390000-0x00000000003A1000-memory.dmp

Filesize
68KB

Download
memory/2468-89-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2556-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2624-33-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/2624-37-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2624-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2676-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2676-39-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2852-24-0x00000000004F0000-0x0000000000501000-memory.dmp

Filesize
68KB

Download
memory/2852-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2924-14-0x00000000003E0000-0x00000000003F1000-memory.dmp

Filesize
68KB

Download
memory/2924-19-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2924-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads