c2cc73470231e05140dec880b0785c18c7c337bc95ec6b9e11deea1a0b4c326a

Analysis

max time kernel
119s
max time network
117s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-07-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a9333c1d54807390ac10e84ab651f60N.exe
Size

64KB
MD5

9a9333c1d54807390ac10e84ab651f60
SHA1

31a71dc44013ab1c4a3cd71af4403bcf21d5a403
SHA256

c2cc73470231e05140dec880b0785c18c7c337bc95ec6b9e11deea1a0b4c326a
SHA512

5a977341a58babb945ae44c5c3b7ad6ff9078ee0f47ba3cbb80d3c396aad33c90469afba6cca3aabc78415cfac56a6964d48ab70e498e550212d67a54c255f3a
SSDEEP

768:Ovw9813vhKQLroCU4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdl:6EGY0oCUlwWMZQcpmgDagIyS1loL7Wrl

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5F71641-3583-4415-BA53-C5608DFF4C74}\stubpath = "C:\\Windows\\{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe"	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4325623-93AD-41a9-9E88-DAF940DFA63F}	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}	9a9333c1d54807390ac10e84ab651f60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}\stubpath = "C:\\Windows\\{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe"	9a9333c1d54807390ac10e84ab651f60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C777D34-9C36-4b0e-8308-9CFB3B09842F}\stubpath = "C:\\Windows\\{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe"	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}\stubpath = "C:\\Windows\\{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}.exe"	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDDEAC2E-B34E-4d5d-8239-ECC2BA1E37C9}\stubpath = "C:\\Windows\\{DDDEAC2E-B34E-4d5d-8239-ECC2BA1E37C9}.exe"	{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F1BA873-040C-41d6-8300-86332B35DE9A}	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1F1BA873-040C-41d6-8300-86332B35DE9A}\stubpath = "C:\\Windows\\{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe"	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA34A4DF-F3FE-4979-BC44-62F39572868B}	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9C777D34-9C36-4b0e-8308-9CFB3B09842F}	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C5F71641-3583-4415-BA53-C5608DFF4C74}	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DDDEAC2E-B34E-4d5d-8239-ECC2BA1E37C9}	{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CA34A4DF-F3FE-4979-BC44-62F39572868B}\stubpath = "C:\\Windows\\{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe"	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5306D2E-B997-41b1-987D-154FAE8D44C6}	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F5306D2E-B997-41b1-987D-154FAE8D44C6}\stubpath = "C:\\Windows\\{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe"	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A4325623-93AD-41a9-9E88-DAF940DFA63F}\stubpath = "C:\\Windows\\{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe"	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe

Deletes itself 1 IoCs

pid	Process
1704	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2388	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe
2424	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe
2672	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe
3056	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe
2928	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe
1612	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe
1888	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe
352	{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}.exe
1476	{DDDEAC2E-B34E-4d5d-8239-ECC2BA1E37C9}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe
File created	C:\Windows\{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe
File created	C:\Windows\{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}.exe	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe
File created	C:\Windows\{DDDEAC2E-B34E-4d5d-8239-ECC2BA1E37C9}.exe	{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}.exe
File created	C:\Windows\{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe
File created	C:\Windows\{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe	9a9333c1d54807390ac10e84ab651f60N.exe
File created	C:\Windows\{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe
File created	C:\Windows\{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe
File created	C:\Windows\{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2100	9a9333c1d54807390ac10e84ab651f60N.exe
Token: SeIncBasePriorityPrivilege	2388	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe
Token: SeIncBasePriorityPrivilege	2424	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe
Token: SeIncBasePriorityPrivilege	2672	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe
Token: SeIncBasePriorityPrivilege	3056	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe
Token: SeIncBasePriorityPrivilege	2928	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe
Token: SeIncBasePriorityPrivilege	1612	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe
Token: SeIncBasePriorityPrivilege	1888	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe
Token: SeIncBasePriorityPrivilege	352	{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2388	2100	9a9333c1d54807390ac10e84ab651f60N.exe	30
PID 2100 wrote to memory of 2388	2100	9a9333c1d54807390ac10e84ab651f60N.exe	30
PID 2100 wrote to memory of 2388	2100	9a9333c1d54807390ac10e84ab651f60N.exe	30
PID 2100 wrote to memory of 2388	2100	9a9333c1d54807390ac10e84ab651f60N.exe	30
PID 2100 wrote to memory of 1704	2100	9a9333c1d54807390ac10e84ab651f60N.exe	31
PID 2100 wrote to memory of 1704	2100	9a9333c1d54807390ac10e84ab651f60N.exe	31
PID 2100 wrote to memory of 1704	2100	9a9333c1d54807390ac10e84ab651f60N.exe	31
PID 2100 wrote to memory of 1704	2100	9a9333c1d54807390ac10e84ab651f60N.exe	31
PID 2388 wrote to memory of 2424	2388	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe	33
PID 2388 wrote to memory of 2424	2388	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe	33
PID 2388 wrote to memory of 2424	2388	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe	33
PID 2388 wrote to memory of 2424	2388	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe	33
PID 2388 wrote to memory of 2720	2388	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe	34
PID 2388 wrote to memory of 2720	2388	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe	34
PID 2388 wrote to memory of 2720	2388	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe	34
PID 2388 wrote to memory of 2720	2388	{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe	34
PID 2424 wrote to memory of 2672	2424	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe	35
PID 2424 wrote to memory of 2672	2424	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe	35
PID 2424 wrote to memory of 2672	2424	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe	35
PID 2424 wrote to memory of 2672	2424	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe	35
PID 2424 wrote to memory of 2556	2424	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe	36
PID 2424 wrote to memory of 2556	2424	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe	36
PID 2424 wrote to memory of 2556	2424	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe	36
PID 2424 wrote to memory of 2556	2424	{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe	36
PID 2672 wrote to memory of 3056	2672	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe	37
PID 2672 wrote to memory of 3056	2672	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe	37
PID 2672 wrote to memory of 3056	2672	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe	37
PID 2672 wrote to memory of 3056	2672	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe	37
PID 2672 wrote to memory of 628	2672	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe	38
PID 2672 wrote to memory of 628	2672	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe	38
PID 2672 wrote to memory of 628	2672	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe	38
PID 2672 wrote to memory of 628	2672	{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe	38
PID 3056 wrote to memory of 2928	3056	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe	39
PID 3056 wrote to memory of 2928	3056	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe	39
PID 3056 wrote to memory of 2928	3056	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe	39
PID 3056 wrote to memory of 2928	3056	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe	39
PID 3056 wrote to memory of 2876	3056	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe	40
PID 3056 wrote to memory of 2876	3056	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe	40
PID 3056 wrote to memory of 2876	3056	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe	40
PID 3056 wrote to memory of 2876	3056	{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe	40
PID 2928 wrote to memory of 1612	2928	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe	41
PID 2928 wrote to memory of 1612	2928	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe	41
PID 2928 wrote to memory of 1612	2928	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe	41
PID 2928 wrote to memory of 1612	2928	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe	41
PID 2928 wrote to memory of 2836	2928	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe	42
PID 2928 wrote to memory of 2836	2928	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe	42
PID 2928 wrote to memory of 2836	2928	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe	42
PID 2928 wrote to memory of 2836	2928	{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe	42
PID 1612 wrote to memory of 1888	1612	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe	43
PID 1612 wrote to memory of 1888	1612	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe	43
PID 1612 wrote to memory of 1888	1612	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe	43
PID 1612 wrote to memory of 1888	1612	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe	43
PID 1612 wrote to memory of 1876	1612	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe	44
PID 1612 wrote to memory of 1876	1612	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe	44
PID 1612 wrote to memory of 1876	1612	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe	44
PID 1612 wrote to memory of 1876	1612	{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe	44
PID 1888 wrote to memory of 352	1888	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe	45
PID 1888 wrote to memory of 352	1888	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe	45
PID 1888 wrote to memory of 352	1888	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe	45
PID 1888 wrote to memory of 352	1888	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe	45
PID 1888 wrote to memory of 264	1888	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe	46
PID 1888 wrote to memory of 264	1888	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe	46
PID 1888 wrote to memory of 264	1888	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe	46
PID 1888 wrote to memory of 264	1888	{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe	46

C:\Users\Admin\AppData\Local\Temp\9a9333c1d54807390ac10e84ab651f60N.exe
"C:\Users\Admin\AppData\Local\Temp\9a9333c1d54807390ac10e84ab651f60N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe
  C:\Windows\{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe
    C:\Windows\{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe
      C:\Windows\{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe
        
        C:\Windows\{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe
        
        C:\Windows\{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe
        
        C:\Windows\{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe
        
        C:\Windows\{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}.exe
        
        C:\Windows\{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
        
        C:\Windows\{DDDEAC2E-B34E-4d5d-8239-ECC2BA1E37C9}.exe
        
        C:\Windows\{DDDEAC2E-B34E-4d5d-8239-ECC2BA1E37C9}.exe
        10⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AD572~1.EXE > nul
        10⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CA34A~1.EXE > nul
        9⤵
        
        PID:264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A4325~1.EXE > nul
        8⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1F1BA~1.EXE > nul
        7⤵
        
        PID:2836
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C5F71~1.EXE > nul
        6⤵
        
        PID:2876
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9C777~1.EXE > nul
        5⤵
        
        PID:628
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{F5306~1.EXE > nul
      4⤵
      PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{CFAFE~1.EXE > nul
    3⤵
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9A9333~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{1F1BA873-040C-41d6-8300-86332B35DE9A}.exe

Filesize
64KB

MD5
529273157524dca17ea8fb287b368dc9

SHA1
839aeeee54939197e36b97e7d0e9d7b6cee719dc

SHA256
7f116708b6f617e6cd4f6b61b72341538044e7cd1729678e2c0851d6d3b87a5c

SHA512
c8b4ce6c994549a32229123455de68964c1810e0fa567acda0f2f5f532a14716d6e82e6647d066d5b36314e486037f78a22287acf57c2489aac8386093beaaff

Download Submit
C:\Windows\{9C777D34-9C36-4b0e-8308-9CFB3B09842F}.exe

Filesize
64KB

MD5
29a239371d3df2b6e0778d7981af2c52

SHA1
96c5e09138825d502befd52e32885863b5147dc2

SHA256
66f1bef4aef4fae59f2357763e2843390a3c03b3aea42e019df2031b6b2c694f

SHA512
04c529cc07525be419c8cc31330d75774b3d11a53910b18e9dbf95c4ae00c354d6188c8f70e4815e188ec6941c7e7c6eebb0e75dbe768668d3dbda103a712ac3

Download Submit
C:\Windows\{A4325623-93AD-41a9-9E88-DAF940DFA63F}.exe

Filesize
64KB

MD5
2ffc0006f7f8bcf72ecd7d4f2a1cde3c

SHA1
76d2ae7c38468c5dc9068a0abae63f59a78df4e3

SHA256
36abc535a558c07b564eebed81cb53b686c576b047b06d89f72144d7921698c3

SHA512
8d1d64ad97591e9fcf2f04e2d10ea2efb85133dc98350c5754fe32e69a13d84c4b34476057cfa1d5349ebdc2df2287693fae06ad2dc85bc30d3e89e88455191e

Download Submit
C:\Windows\{AD572AB2-11F3-43e0-AA08-5CC52B5A2408}.exe

Filesize
64KB

MD5
bbbfb3207c63a5a10bdb5c64e12c71ea

SHA1
16f11742f01c9d7e5c01bf4d6f30d81907ad7a8d

SHA256
afcd8fa43450d85fe0601779e566ba214a45c64d2b6f321750914faa28bb18b9

SHA512
a623b30817ab368a71d0eadf3a71ab9c6c10ef1675939e0c41a0c9c3a7984ef309b80d45b54671d5ffc1b1045c74f3877bddd402f71025103896a1d09955efb1

Download Submit
C:\Windows\{C5F71641-3583-4415-BA53-C5608DFF4C74}.exe

Filesize
64KB

MD5
83d9914cb4f6e8f5bdd603da96500d5f

SHA1
1fe90cb23cc77092124a167a935bfc5531645a86

SHA256
7d57fad7385dcce5cd41c369056521c8afd9f095a2ef4eff4014da0471d07be4

SHA512
831286ad444b1f9c7fd579104ad507afec6db042e20682ee43e0cc6315be09f5ec8c03e31469146e6a63d643b5373ee3c00113a31ed2f7090dffb64668b24a98

Download Submit
C:\Windows\{CA34A4DF-F3FE-4979-BC44-62F39572868B}.exe

Filesize
64KB

MD5
195904238a0c5c300ef3bca50d9f4122

SHA1
aba36c2917edeba281d13e0bd14f1c70301a2ad9

SHA256
4a4fdbc7bff2bdd4ed736df33a3d324787d7b4e8b50a02a3b5f4c6d873616059

SHA512
6e033ea06ca432b023847fe0a561598dd24a95b79a0996ddde0b2bf11ffd949237f5ed3c46ef6c59eed0385e461554180812f601ed86c536b772f99658e475b5

Download Submit
C:\Windows\{CFAFEE3F-F9A5-496c-9029-6FE513D810A8}.exe

Filesize
64KB

MD5
d24cb7f3611e60fddf3076254dc7d9ba

SHA1
660a0850352518973e3bda946ab5f2ce28bfec88

SHA256
1da7d8a0c6e82f2fcf5a8a85481805d0f2cba5568d3b5fa488b93f2005a4dd15

SHA512
376b015a28cebc3b319b6fbd37055ef9d5577f7cfcefca90aba0d04c9581ceda366e160da9d57aa7b853ac59c404a132d89e5aca3022ed7af48fe1347fbfe8d3

Download Submit
C:\Windows\{DDDEAC2E-B34E-4d5d-8239-ECC2BA1E37C9}.exe

Filesize
64KB

MD5
a21c35e11f7f64b015be7139e0f44c55

SHA1
db018c715fe0f9e2e05dba561bcf3449da6fd697

SHA256
31cfe3423238fbaa4db2c20ebeeda8d3c2cc8a03360a7ae3f73d9c0135983bfa

SHA512
93829443aed13f6a9edb552de9392465f6c8da8612d1c29cb55d1cf1a55b501575a94cdbc9b1ba710bc444df295c110a001aab4e69f7a725713e1d5514702aef

Download Submit
C:\Windows\{F5306D2E-B997-41b1-987D-154FAE8D44C6}.exe

Filesize
64KB

MD5
5d59ea9ef85e039f02f44bb27ecf5e60

SHA1
4dcc4cf7fd8089eb9dc7cc992ac2e50f539c08eb

SHA256
92cbae7ac726ab3b634a230e2b35ad422d2518e61a65a94287d1109dfbe4a82d

SHA512
87a6edbf63372cb5def6bd9d5f4de2de7736d75f83d662a8dabb7dc3c1b89bd1d62e71347c7ae7f79734387446d1893802f926a937cb7d1a6d24970d7e6fd4ed

Download Submit
memory/352-83-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/352-75-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1476-84-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1612-65-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1612-57-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1888-74-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1888-66-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2100-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2100-7-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2100-8-0x0000000000280000-0x0000000000290000-memory.dmp

Filesize
64KB

Download
memory/2388-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2388-9-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2424-26-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2424-25-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2424-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2424-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2672-36-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2672-37-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/2672-38-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2672-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2928-55-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2928-56-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/3056-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads