20992c292fbc5a9bb246c7a0f1e69c12502944c86d814772f1c9a37c8b2e937c

Analysis

max time kernel
119s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14/07/2024, 22:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3456fcd08e30b68e60adfb014d46ad20N.exe
Size

103KB
MD5

3456fcd08e30b68e60adfb014d46ad20
SHA1

475573463ee3527e26fdac3c9c63bd7edd556b42
SHA256

20992c292fbc5a9bb246c7a0f1e69c12502944c86d814772f1c9a37c8b2e937c
SHA512

8de4b45d2d796183f9840d94e79128041ec5d6244711922a276e52f6a5448236f5d047311d7ccd64dff2ce81a780c7770b260aafb6ceafe3cfd5b79f67c3af80
SSDEEP

768:Qvw9816vhKQLrod4/wQRNrfrunMxVFA3b7glwRjMlfwGxEIU:YEGh0odl2unMxVS3Hgdor

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}	3456fcd08e30b68e60adfb014d46ad20N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB08AA6C-4986-4a52-A52D-351E81413D45}	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C063EF39-7E69-459d-9879-1A38531D201B}	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0A8892E-1075-4a8d-989A-0FBA5D61815D}	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{E0A8892E-1075-4a8d-989A-0FBA5D61815D}\stubpath = "C:\\Windows\\{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe"	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C88896-5117-4dfd-9A99-8D5E73DD3D58}\stubpath = "C:\\Windows\\{65C88896-5117-4dfd-9A99-8D5E73DD3D58}.exe"	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C063EF39-7E69-459d-9879-1A38531D201B}\stubpath = "C:\\Windows\\{C063EF39-7E69-459d-9879-1A38531D201B}.exe"	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}\stubpath = "C:\\Windows\\{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe"	3456fcd08e30b68e60adfb014d46ad20N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04FA153F-604D-4b69-A13C-4501ECC79580}\stubpath = "C:\\Windows\\{04FA153F-604D-4b69-A13C-4501ECC79580}.exe"	{65C88896-5117-4dfd-9A99-8D5E73DD3D58}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A067D346-7A1C-4442-AF28-837795E7C8BF}\stubpath = "C:\\Windows\\{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe"	{C063EF39-7E69-459d-9879-1A38531D201B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{65C88896-5117-4dfd-9A99-8D5E73DD3D58}	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4157CA20-D8A8-4b8c-8003-513A63115C34}	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{4157CA20-D8A8-4b8c-8003-513A63115C34}\stubpath = "C:\\Windows\\{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe"	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CB08AA6C-4986-4a52-A52D-351E81413D45}\stubpath = "C:\\Windows\\{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe"	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA9F0263-47C3-4068-AD35-A2816AA1156B}	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA9F0263-47C3-4068-AD35-A2816AA1156B}\stubpath = "C:\\Windows\\{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe"	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A067D346-7A1C-4442-AF28-837795E7C8BF}	{C063EF39-7E69-459d-9879-1A38531D201B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{04FA153F-604D-4b69-A13C-4501ECC79580}	{65C88896-5117-4dfd-9A99-8D5E73DD3D58}.exe

Deletes itself 1 IoCs

pid	Process
2948	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2356	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe
2736	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe
2888	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe
2772	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe
1976	{C063EF39-7E69-459d-9879-1A38531D201B}.exe
1996	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe
1548	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe
352	{65C88896-5117-4dfd-9A99-8D5E73DD3D58}.exe
2860	{04FA153F-604D-4b69-A13C-4501ECC79580}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe
File created	C:\Windows\{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe
File created	C:\Windows\{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe
File created	C:\Windows\{C063EF39-7E69-459d-9879-1A38531D201B}.exe	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe
File created	C:\Windows\{65C88896-5117-4dfd-9A99-8D5E73DD3D58}.exe	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe
File created	C:\Windows\{04FA153F-604D-4b69-A13C-4501ECC79580}.exe	{65C88896-5117-4dfd-9A99-8D5E73DD3D58}.exe
File created	C:\Windows\{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe	3456fcd08e30b68e60adfb014d46ad20N.exe
File created	C:\Windows\{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe
File created	C:\Windows\{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe	{C063EF39-7E69-459d-9879-1A38531D201B}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2068	3456fcd08e30b68e60adfb014d46ad20N.exe
Token: SeIncBasePriorityPrivilege	2356	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe
Token: SeIncBasePriorityPrivilege	2736	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe
Token: SeIncBasePriorityPrivilege	2888	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe
Token: SeIncBasePriorityPrivilege	2772	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe
Token: SeIncBasePriorityPrivilege	1976	{C063EF39-7E69-459d-9879-1A38531D201B}.exe
Token: SeIncBasePriorityPrivilege	1996	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe
Token: SeIncBasePriorityPrivilege	1548	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe
Token: SeIncBasePriorityPrivilege	352	{65C88896-5117-4dfd-9A99-8D5E73DD3D58}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2356	2068	3456fcd08e30b68e60adfb014d46ad20N.exe	31
PID 2068 wrote to memory of 2356	2068	3456fcd08e30b68e60adfb014d46ad20N.exe	31
PID 2068 wrote to memory of 2356	2068	3456fcd08e30b68e60adfb014d46ad20N.exe	31
PID 2068 wrote to memory of 2356	2068	3456fcd08e30b68e60adfb014d46ad20N.exe	31
PID 2068 wrote to memory of 2948	2068	3456fcd08e30b68e60adfb014d46ad20N.exe	32
PID 2068 wrote to memory of 2948	2068	3456fcd08e30b68e60adfb014d46ad20N.exe	32
PID 2068 wrote to memory of 2948	2068	3456fcd08e30b68e60adfb014d46ad20N.exe	32
PID 2068 wrote to memory of 2948	2068	3456fcd08e30b68e60adfb014d46ad20N.exe	32
PID 2356 wrote to memory of 2736	2356	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe	33
PID 2356 wrote to memory of 2736	2356	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe	33
PID 2356 wrote to memory of 2736	2356	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe	33
PID 2356 wrote to memory of 2736	2356	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe	33
PID 2356 wrote to memory of 2864	2356	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe	34
PID 2356 wrote to memory of 2864	2356	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe	34
PID 2356 wrote to memory of 2864	2356	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe	34
PID 2356 wrote to memory of 2864	2356	{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe	34
PID 2736 wrote to memory of 2888	2736	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe	35
PID 2736 wrote to memory of 2888	2736	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe	35
PID 2736 wrote to memory of 2888	2736	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe	35
PID 2736 wrote to memory of 2888	2736	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe	35
PID 2736 wrote to memory of 2820	2736	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe	36
PID 2736 wrote to memory of 2820	2736	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe	36
PID 2736 wrote to memory of 2820	2736	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe	36
PID 2736 wrote to memory of 2820	2736	{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe	36
PID 2888 wrote to memory of 2772	2888	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe	37
PID 2888 wrote to memory of 2772	2888	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe	37
PID 2888 wrote to memory of 2772	2888	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe	37
PID 2888 wrote to memory of 2772	2888	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe	37
PID 2888 wrote to memory of 2816	2888	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe	38
PID 2888 wrote to memory of 2816	2888	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe	38
PID 2888 wrote to memory of 2816	2888	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe	38
PID 2888 wrote to memory of 2816	2888	{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe	38
PID 2772 wrote to memory of 1976	2772	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe	39
PID 2772 wrote to memory of 1976	2772	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe	39
PID 2772 wrote to memory of 1976	2772	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe	39
PID 2772 wrote to memory of 1976	2772	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe	39
PID 2772 wrote to memory of 2200	2772	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe	40
PID 2772 wrote to memory of 2200	2772	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe	40
PID 2772 wrote to memory of 2200	2772	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe	40
PID 2772 wrote to memory of 2200	2772	{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe	40
PID 1976 wrote to memory of 1996	1976	{C063EF39-7E69-459d-9879-1A38531D201B}.exe	41
PID 1976 wrote to memory of 1996	1976	{C063EF39-7E69-459d-9879-1A38531D201B}.exe	41
PID 1976 wrote to memory of 1996	1976	{C063EF39-7E69-459d-9879-1A38531D201B}.exe	41
PID 1976 wrote to memory of 1996	1976	{C063EF39-7E69-459d-9879-1A38531D201B}.exe	41
PID 1976 wrote to memory of 1856	1976	{C063EF39-7E69-459d-9879-1A38531D201B}.exe	42
PID 1976 wrote to memory of 1856	1976	{C063EF39-7E69-459d-9879-1A38531D201B}.exe	42
PID 1976 wrote to memory of 1856	1976	{C063EF39-7E69-459d-9879-1A38531D201B}.exe	42
PID 1976 wrote to memory of 1856	1976	{C063EF39-7E69-459d-9879-1A38531D201B}.exe	42
PID 1996 wrote to memory of 1548	1996	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe	43
PID 1996 wrote to memory of 1548	1996	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe	43
PID 1996 wrote to memory of 1548	1996	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe	43
PID 1996 wrote to memory of 1548	1996	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe	43
PID 1996 wrote to memory of 2348	1996	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe	44
PID 1996 wrote to memory of 2348	1996	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe	44
PID 1996 wrote to memory of 2348	1996	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe	44
PID 1996 wrote to memory of 2348	1996	{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe	44
PID 1548 wrote to memory of 352	1548	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe	45
PID 1548 wrote to memory of 352	1548	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe	45
PID 1548 wrote to memory of 352	1548	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe	45
PID 1548 wrote to memory of 352	1548	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe	45
PID 1548 wrote to memory of 1972	1548	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe	46
PID 1548 wrote to memory of 1972	1548	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe	46
PID 1548 wrote to memory of 1972	1548	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe	46
PID 1548 wrote to memory of 1972	1548	{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe	46

C:\Users\Admin\AppData\Local\Temp\3456fcd08e30b68e60adfb014d46ad20N.exe
"C:\Users\Admin\AppData\Local\Temp\3456fcd08e30b68e60adfb014d46ad20N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Windows\{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe
  C:\Windows\{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe
    C:\Windows\{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe
      C:\Windows\{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe
        
        C:\Windows\{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
      - C:\Windows\{C063EF39-7E69-459d-9879-1A38531D201B}.exe
        
        C:\Windows\{C063EF39-7E69-459d-9879-1A38531D201B}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe
        
        C:\Windows\{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe
        
        C:\Windows\{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\{65C88896-5117-4dfd-9A99-8D5E73DD3D58}.exe
        
        C:\Windows\{65C88896-5117-4dfd-9A99-8D5E73DD3D58}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
        
        C:\Windows\{04FA153F-604D-4b69-A13C-4501ECC79580}.exe
        
        C:\Windows\{04FA153F-604D-4b69-A13C-4501ECC79580}.exe
        10⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{65C88~1.EXE > nul
        10⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E0A88~1.EXE > nul
        9⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A067D~1.EXE > nul
        8⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C063E~1.EXE > nul
        7⤵
        
        PID:1856
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA9F0~1.EXE > nul
        6⤵
        
        PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CB08A~1.EXE > nul
        5⤵
        
        PID:2816
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{4157C~1.EXE > nul
      4⤵
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{164DF~1.EXE > nul
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3456FC~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{04FA153F-604D-4b69-A13C-4501ECC79580}.exe

Filesize
103KB

MD5
d24015e5581590a94f4588a6d678ae38

SHA1
cf6023301a3e49ff67bbc1a1d5915f1154ffe6e1

SHA256
984ab1b48eab5f959735e80d25b154a5a948b2acc273905dd57cbe2b223fd6ac

SHA512
ff763a91ff12060674cd648809d86f77fb9fab9195c8e361a3c6999f2f56caf45f04ef6cf487189237e71941f8440296030356335d42f1d851fb70c4a1ae8deb

Download Submit
C:\Windows\{164DFBD8-B7E0-4c08-9CD0-01D236D2640E}.exe

Filesize
103KB

MD5
c58be34a230dcf6d9148c66376f6f9d5

SHA1
1213d27a9c4d908962b828b01b8ab01ed32eb2a7

SHA256
974e03db5dd6629943050219e261cae3c11fa6b55a8424cd28e7655f1fd7d4ce

SHA512
341e45ffec9fcfbb22d817c65b704366b5b36a30f4125d84d877769becbf4d6addbc7c916369ca804557ab94eedb8d24e36c9648f642a7fd27a7cf463d82e524

Download Submit
C:\Windows\{4157CA20-D8A8-4b8c-8003-513A63115C34}.exe

Filesize
103KB

MD5
3cde13a9787e442f645b478a3256f012

SHA1
dd2d4b5a510facab9337881a58b35a2c1f54f384

SHA256
e29f6390cb2aeeb28eff9bedb57fef4967f6f5b4b25460a0cbbde12121864ffd

SHA512
a3c7d480fad550ff46020727d928db140cd742c5addf99bd7f143dd46b64175b2f7030a9ff44014511200ccb2a61a9f48980e4f1d102478978f62da1d2471ffb

Download Submit
C:\Windows\{65C88896-5117-4dfd-9A99-8D5E73DD3D58}.exe

Filesize
103KB

MD5
c1bf9279610ee71bde82ecc574631d94

SHA1
5061fc4d603552a19c7059dcadc306dbd5b946d2

SHA256
96e83fd494c52a52a009515b2e93363e5c88cb99d0fde492b2d72dd7e3284b0f

SHA512
76729755e3f51dd368fc6759e8e27fc569fb3aaa01f9d7ea42d805d5d181d57e84214856557609af67f2e7cc4b3f7c9538ee801538e121cda8574ea9c18f1d00

Download Submit
C:\Windows\{A067D346-7A1C-4442-AF28-837795E7C8BF}.exe

Filesize
103KB

MD5
c2495578edb975b61eae92c34ea94ab1

SHA1
035acba33844adb9c5293324ed525bae7cac7320

SHA256
8254fa3f6f73e89e629335198b31e9d54dda4b7b6382c5fd1f5f81ea2c360ee5

SHA512
3ac4c03a90f8adb3c8d94d3ffdb444784ad41424ceb26b834ca100cb56784fa9b6d1c0f4a8014cc641df7180903e23fd459d62ea7389dd48775a5da01a2b0d57

Download Submit
C:\Windows\{C063EF39-7E69-459d-9879-1A38531D201B}.exe

Filesize
103KB

MD5
560bf5d34f2c28497379bff7a0686997

SHA1
eb8e3d1c9043a57e309caca9ddbbfa3cad92de30

SHA256
4a4d2f2da24b188e0d8e5243c8312d04b0071e96c5b5c7bf7bc0e39275fbcbdf

SHA512
bb71c546ca2dc742d9e7b07ff0a16d505cda9a3400b82b6c5803ed1752f0d66ca504fdb2e609aaa14735edd44fe9f5b6f1f212cde1c31dba0c16940150d09b56

Download Submit
C:\Windows\{CA9F0263-47C3-4068-AD35-A2816AA1156B}.exe

Filesize
103KB

MD5
75c96a1071c2c1525df725f080d9fd28

SHA1
eddf17fac1512431f5ff80921108c4cf98fca27d

SHA256
94285324f75555dce915c2c309ca75a87e7b319fd64185e7e4c52137c4b6c7ec

SHA512
11e78202347c8083b347762748cc965dcc16b113bb485d76b5b7e66e90667711a902b8c4633b828c40032258cf202427d73759dfa5b7ed66a285d8cc310536d0

Download Submit
C:\Windows\{CB08AA6C-4986-4a52-A52D-351E81413D45}.exe

Filesize
103KB

MD5
6b0ada00a8c6623f61b6075b9b1c38ed

SHA1
70c87d7459f6efcb21a536872dad4bce12cb98d8

SHA256
83fffd1631605449057d2b7de114b6ca4f193c695633c1fb7ffe2e3791a92073

SHA512
671327df626058a77b1d177a317178ddd870dfed0892dec7b2a5ae6a2f487d4a4bbe07567e4176734325ec122dba9a16066fb30ceba10cba96fb10760409ab84

Download Submit
C:\Windows\{E0A8892E-1075-4a8d-989A-0FBA5D61815D}.exe

Filesize
103KB

MD5
6d3bf2e15c3b9b40a27f3e294f4714d4

SHA1
9842f8c435c1d4964b035ce958ee4d1cd8c180da

SHA256
b1796cd152540ee8c1a08c60bfdda3b08eba19e0fd1d9ae12ffc382c7fbe22ee

SHA512
73b871468aa0e0bc81c909b4454175a7c84280571edbbd6b247fdc6d4cdb9665dbe6f444f405cae20a744f07ca1d9d82e5e10f5bfecad878ecf97eb8971aa8e7

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads