2c052a04edc60fd3d3506ed29b0940519ec0456bbfe5a11a232d27792565aa88

Analysis

max time kernel
119s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21/07/2024, 16:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e5a424c127b1787ee70d6e8536046730N.exe
Size

89KB
MD5

e5a424c127b1787ee70d6e8536046730
SHA1

148bde2358c4dd2bf3dc7e569b0bef1d4ddc2b3e
SHA256

2c052a04edc60fd3d3506ed29b0940519ec0456bbfe5a11a232d27792565aa88
SHA512

08d57069d4d15866f52574fce6ac0bcc30e26f027e5cbaf66cfed06d2cd9dec6121058209892cbe0553f9422a1a149f133e581d353ce8711951c6896006669db
SSDEEP

768:Qvw9816vhKQLroq4/wQRNrfrunMxVFA3b7glL:YEGh0oql2unMxVS3Hg9

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}\stubpath = "C:\\Windows\\{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe"	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}\stubpath = "C:\\Windows\\{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe"	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD7642AD-7ACA-43e5-8782-40AC7626932A}\stubpath = "C:\\Windows\\{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe"	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}\stubpath = "C:\\Windows\\{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe"	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}\stubpath = "C:\\Windows\\{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}.exe"	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90DFC644-D33A-42cc-B664-42A2B8A8ED48}	{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}\stubpath = "C:\\Windows\\{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe"	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{CD7642AD-7ACA-43e5-8782-40AC7626932A}	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{90DFC644-D33A-42cc-B664-42A2B8A8ED48}\stubpath = "C:\\Windows\\{90DFC644-D33A-42cc-B664-42A2B8A8ED48}.exe"	{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}	e5a424c127b1787ee70d6e8536046730N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}\stubpath = "C:\\Windows\\{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe"	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}\stubpath = "C:\\Windows\\{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe"	e5a424c127b1787ee70d6e8536046730N.exe

Deletes itself 1 IoCs

pid	Process
2732	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2176	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe
2836	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe
2588	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe
2304	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe
784	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe
2132	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe
2560	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe
1952	{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}.exe
2052	{90DFC644-D33A-42cc-B664-42A2B8A8ED48}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe
File created	C:\Windows\{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe
File created	C:\Windows\{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe
File created	C:\Windows\{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}.exe	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe
File created	C:\Windows\{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe	e5a424c127b1787ee70d6e8536046730N.exe
File created	C:\Windows\{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe
File created	C:\Windows\{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe
File created	C:\Windows\{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe
File created	C:\Windows\{90DFC644-D33A-42cc-B664-42A2B8A8ED48}.exe	{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3024	e5a424c127b1787ee70d6e8536046730N.exe
Token: SeIncBasePriorityPrivilege	2176	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe
Token: SeIncBasePriorityPrivilege	2836	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe
Token: SeIncBasePriorityPrivilege	2588	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe
Token: SeIncBasePriorityPrivilege	2304	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe
Token: SeIncBasePriorityPrivilege	784	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe
Token: SeIncBasePriorityPrivilege	2132	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe
Token: SeIncBasePriorityPrivilege	2560	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe
Token: SeIncBasePriorityPrivilege	1952	{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2176	3024	e5a424c127b1787ee70d6e8536046730N.exe	30
PID 3024 wrote to memory of 2176	3024	e5a424c127b1787ee70d6e8536046730N.exe	30
PID 3024 wrote to memory of 2176	3024	e5a424c127b1787ee70d6e8536046730N.exe	30
PID 3024 wrote to memory of 2176	3024	e5a424c127b1787ee70d6e8536046730N.exe	30
PID 3024 wrote to memory of 2732	3024	e5a424c127b1787ee70d6e8536046730N.exe	31
PID 3024 wrote to memory of 2732	3024	e5a424c127b1787ee70d6e8536046730N.exe	31
PID 3024 wrote to memory of 2732	3024	e5a424c127b1787ee70d6e8536046730N.exe	31
PID 3024 wrote to memory of 2732	3024	e5a424c127b1787ee70d6e8536046730N.exe	31
PID 2176 wrote to memory of 2836	2176	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe	33
PID 2176 wrote to memory of 2836	2176	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe	33
PID 2176 wrote to memory of 2836	2176	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe	33
PID 2176 wrote to memory of 2836	2176	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe	33
PID 2176 wrote to memory of 2616	2176	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe	34
PID 2176 wrote to memory of 2616	2176	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe	34
PID 2176 wrote to memory of 2616	2176	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe	34
PID 2176 wrote to memory of 2616	2176	{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe	34
PID 2836 wrote to memory of 2588	2836	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe	35
PID 2836 wrote to memory of 2588	2836	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe	35
PID 2836 wrote to memory of 2588	2836	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe	35
PID 2836 wrote to memory of 2588	2836	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe	35
PID 2836 wrote to memory of 2620	2836	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe	36
PID 2836 wrote to memory of 2620	2836	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe	36
PID 2836 wrote to memory of 2620	2836	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe	36
PID 2836 wrote to memory of 2620	2836	{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe	36
PID 2588 wrote to memory of 2304	2588	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe	37
PID 2588 wrote to memory of 2304	2588	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe	37
PID 2588 wrote to memory of 2304	2588	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe	37
PID 2588 wrote to memory of 2304	2588	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe	37
PID 2588 wrote to memory of 1900	2588	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe	38
PID 2588 wrote to memory of 1900	2588	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe	38
PID 2588 wrote to memory of 1900	2588	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe	38
PID 2588 wrote to memory of 1900	2588	{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe	38
PID 2304 wrote to memory of 784	2304	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe	39
PID 2304 wrote to memory of 784	2304	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe	39
PID 2304 wrote to memory of 784	2304	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe	39
PID 2304 wrote to memory of 784	2304	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe	39
PID 2304 wrote to memory of 2476	2304	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe	40
PID 2304 wrote to memory of 2476	2304	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe	40
PID 2304 wrote to memory of 2476	2304	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe	40
PID 2304 wrote to memory of 2476	2304	{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe	40
PID 784 wrote to memory of 2132	784	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe	41
PID 784 wrote to memory of 2132	784	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe	41
PID 784 wrote to memory of 2132	784	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe	41
PID 784 wrote to memory of 2132	784	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe	41
PID 784 wrote to memory of 2136	784	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe	42
PID 784 wrote to memory of 2136	784	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe	42
PID 784 wrote to memory of 2136	784	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe	42
PID 784 wrote to memory of 2136	784	{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe	42
PID 2132 wrote to memory of 2560	2132	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe	43
PID 2132 wrote to memory of 2560	2132	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe	43
PID 2132 wrote to memory of 2560	2132	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe	43
PID 2132 wrote to memory of 2560	2132	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe	43
PID 2132 wrote to memory of 1688	2132	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe	44
PID 2132 wrote to memory of 1688	2132	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe	44
PID 2132 wrote to memory of 1688	2132	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe	44
PID 2132 wrote to memory of 1688	2132	{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe	44
PID 2560 wrote to memory of 1952	2560	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe	45
PID 2560 wrote to memory of 1952	2560	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe	45
PID 2560 wrote to memory of 1952	2560	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe	45
PID 2560 wrote to memory of 1952	2560	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe	45
PID 2560 wrote to memory of 2428	2560	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe	46
PID 2560 wrote to memory of 2428	2560	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe	46
PID 2560 wrote to memory of 2428	2560	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe	46
PID 2560 wrote to memory of 2428	2560	{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe	46

C:\Users\Admin\AppData\Local\Temp\e5a424c127b1787ee70d6e8536046730N.exe
"C:\Users\Admin\AppData\Local\Temp\e5a424c127b1787ee70d6e8536046730N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe
  C:\Windows\{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe
    C:\Windows\{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe
      C:\Windows\{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe
        
        C:\Windows\{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2304
      - C:\Windows\{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe
        
        C:\Windows\{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe
        
        C:\Windows\{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe
        
        C:\Windows\{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}.exe
        
        C:\Windows\{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\{90DFC644-D33A-42cc-B664-42A2B8A8ED48}.exe
        
        C:\Windows\{90DFC644-D33A-42cc-B664-42A2B8A8ED48}.exe
        10⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A9A8A~1.EXE > nul
        10⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{9E27D~1.EXE > nul
        9⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{CD764~1.EXE > nul
        8⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{1A31E~1.EXE > nul
        7⤵
        
        PID:2136
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{19E8C~1.EXE > nul
        6⤵
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB2E8~1.EXE > nul
        5⤵
        
        PID:1900
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{0C6F7~1.EXE > nul
      4⤵
      PID:2620
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{DC3E5~1.EXE > nul
    3⤵
    PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\E5A424~1.EXE > nul
  2⤵
  - Deletes itself
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0C6F755F-FAEE-44b3-9E71-000FDD0827DE}.exe

Filesize
89KB

MD5
98608e845f852b1b2108741390de1e6c

SHA1
ddc136b95b3da1301f0b8bc0ad0ad91d76a42761

SHA256
58c05f55fcef54fda61c77bf26d8bb7d85d33f4a755cdd65c21f170f9c14c7e8

SHA512
6c3aa69299b8b63785de1bbbbdaa05be320569de81df9a9349717354ffb8b8d8763e68200425ce99860ee897dde977a6940557ebbe779c6067bc86489cab7d44

Download Submit
C:\Windows\{19E8CB2F-5DA7-431d-AF49-1F4CBF8A97A7}.exe

Filesize
89KB

MD5
b2da97c4ec4276d2d1d9f0c18090e6f2

SHA1
09da613585da1049505fd99be87ce86d45c387f9

SHA256
cbe78ad9b5315c05eb4e540d96188ea7a6989e3c257a4d96e0adcaf934c97580

SHA512
d522cd69fa45f7207243244ae9e04bf011f820d3edc78d09f473063aadbd08dadea2246e32fb36a318b6db55a0a37d5ebc84dacc0532dee401f19462634dcbfc

Download Submit
C:\Windows\{1A31EE08-F8B6-46a2-B5E2-DB4CEAF14610}.exe

Filesize
89KB

MD5
0c8fa98f0523401af3ee9244dd8efcea

SHA1
b1c486c0603b0f55b72563a03471257ca96dab2a

SHA256
fb291082315c2e016d70b466607b75695eb044e24954faa2687967540731c7e5

SHA512
82a8400ebcbc418ace494b9cb6405a32ee582bd1ae0547ff7f2d148ccdfb117eb0b52d8be810d8ba1e50d64326f9aa64f3b67336871e313e0472bf06ec37b9a5

Download Submit
C:\Windows\{90DFC644-D33A-42cc-B664-42A2B8A8ED48}.exe

Filesize
89KB

MD5
1a6e1f350680af7ae72ad22fbd236723

SHA1
221305dfb914c43d3208abc492a7b95b559e1f9a

SHA256
e1809206ab7b001918d05960221fc7f5efffb2598e62487b674a3718a49e0c29

SHA512
74de780caa0e7bff003bb5bbf766a3b2491f3eef3dccfa562d9af5ddd59511f9eb46b600215eac2f0885e4213f545be07ffe4affacfb3c904165e5428779e1c4

Download Submit
C:\Windows\{9E27D63D-F5E5-4e90-B946-01D4CF182DB3}.exe

Filesize
89KB

MD5
852c497f329acf12b17fe2f55c0f42ec

SHA1
c0998f874b52db93ee8f35c87102266d17e9cb67

SHA256
292ab3276ede15c132be5b28dd45bd3103d3420fb54010bd67938ad48ba3acfa

SHA512
838c9c8e1b6d310b9a1699e55f3924f19791ccd31834c36382c3a651cf6ceccd5f1fe5b34b065346ebe4c80868c1e42b3bdba69c51be67d6eb2a819ad48a2ba1

Download Submit
C:\Windows\{A9A8A03F-E8A5-4ac3-BBF9-C5313EDF751B}.exe

Filesize
89KB

MD5
6673128207cc8da75df2710b739d02f3

SHA1
7c482ad6e9c6dd42f16f4f1ff86eb525fd845627

SHA256
e4948529aa88786e602a5655e30962495c7f05b77ef3ed87325e5dadc8b484a9

SHA512
6428f1276d3f55f06805790a1e098a21ebbc8bca32274510916bc707d28e2cded6bc43aaeb234a3e70e919a919272c523053344aea8bc846bfce1c663513d4d5

Download Submit
C:\Windows\{BB2E8EE4-6BB1-4e40-98B0-14BB141799D2}.exe

Filesize
89KB

MD5
d2a2dfb4a1761a94952854808d1ae434

SHA1
4f862416067fd1bc0bfb3bfe5e8459eca1fd49c8

SHA256
1fc9e81a7e3e460c1575892fc2cf38e8f06a0ffd68dd322166b62a51eb882dad

SHA512
b2b1d6989fa5864dd04ee643c6c910c0cf26dd6775839cfe5f3039033c4a6f90d80a4ddec28ddcbd4b1858211ef92a494a8256988a81e3757e1ab5da111538c3

Download Submit
C:\Windows\{CD7642AD-7ACA-43e5-8782-40AC7626932A}.exe

Filesize
89KB

MD5
5c811971f5cbc1071055684d4c113b12

SHA1
8e2de8be7a17b05637c6fe2766250140e7e352f2

SHA256
86921c96c5549b7ad74eaacbac00253279af0f7d5cf5d088ad1b7a303f78f4a6

SHA512
9f174437eed798904a8687415b1890775c9177ab00a8266fb42e5cbc45e00daed825c04a762df96753cea20b49f76032155ae4551cd48c15f483cf613db938a5

Download Submit
C:\Windows\{DC3E5C9B-DA0C-49f9-BB48-0CD3F5E8A606}.exe

Filesize
89KB

MD5
50d5793994ed62dd23fa739e488b8ec4

SHA1
973dfb5da5e8e08f19913c16ad9424df8d600b36

SHA256
faf21937f5ecd736199e5d154727eded7fe53680f9c6fdb0326ecc410a6f9e16

SHA512
36621f4f6e0669b01f4aac1bb477d9b63da0df22d502135b37cef29ed9bbeb2527d07b20c6f68a73ed81eff51b94f496d79ec85013cd4e08e9fd357d907161b1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads