cdb99e1b67207238c0c7908683223905772e34745e11b0c8ead8d99cf3a1c6b4

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 07:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

847f8984ccd54634268777412a98a430N.exe
Size

89KB
MD5

847f8984ccd54634268777412a98a430
SHA1

3d9ae25ad41af978d483c271a8c71c390c22c27f
SHA256

cdb99e1b67207238c0c7908683223905772e34745e11b0c8ead8d99cf3a1c6b4
SHA512

1a52a37d494bd52ada59866c367136939915cc0d5d10a4672fa55b5fd5b4948390f6304ebf73f9851d46c47ca357eb2bd3a9d0de8c6904fe33cf4d3404e280f7
SSDEEP

768:5vw9816thKQLrog4/wQkNrfrunMxVFA3k:lEG/0oglbunMxVS3k

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C893EC73-A2F4-41e5-8485-48C52E2492B8}	847f8984ccd54634268777412a98a430N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99940DFE-58FA-4adc-99F8-89ACB09A7E97}\stubpath = "C:\\Windows\\{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe"	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A35C5535-A210-4c77-8E5C-6A8D53098A1F}	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D100CC2E-434D-4c13-9C04-16697F7E76BD}\stubpath = "C:\\Windows\\{D100CC2E-434D-4c13-9C04-16697F7E76BD}.exe"	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D100CC2E-434D-4c13-9C04-16697F7E76BD}	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21949D9A-9B8B-42e6-8D0D-F55FB766FCCB}	{D100CC2E-434D-4c13-9C04-16697F7E76BD}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{21949D9A-9B8B-42e6-8D0D-F55FB766FCCB}\stubpath = "C:\\Windows\\{21949D9A-9B8B-42e6-8D0D-F55FB766FCCB}.exe"	{D100CC2E-434D-4c13-9C04-16697F7E76BD}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78489B37-31B0-4a38-BD8B-5169CD87C741}\stubpath = "C:\\Windows\\{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe"	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}\stubpath = "C:\\Windows\\{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe"	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9B13680-6B4A-4ae9-9BFF-11F069328E48}	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{F9B13680-6B4A-4ae9-9BFF-11F069328E48}\stubpath = "C:\\Windows\\{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe"	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{C893EC73-A2F4-41e5-8485-48C52E2492B8}\stubpath = "C:\\Windows\\{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe"	847f8984ccd54634268777412a98a430N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{99940DFE-58FA-4adc-99F8-89ACB09A7E97}	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{A35C5535-A210-4c77-8E5C-6A8D53098A1F}\stubpath = "C:\\Windows\\{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe"	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}\stubpath = "C:\\Windows\\{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe"	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{78489B37-31B0-4a38-BD8B-5169CD87C741}	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe

Deletes itself 1 IoCs

pid	Process
1636	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2368	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe
2756	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe
2896	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe
2688	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe
836	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe
1808	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe
1972	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe
1960	{D100CC2E-434D-4c13-9C04-16697F7E76BD}.exe
2072	{21949D9A-9B8B-42e6-8D0D-F55FB766FCCB}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe	847f8984ccd54634268777412a98a430N.exe
File created	C:\Windows\{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe
File created	C:\Windows\{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe
File created	C:\Windows\{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe
File created	C:\Windows\{D100CC2E-434D-4c13-9C04-16697F7E76BD}.exe	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe
File created	C:\Windows\{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe
File created	C:\Windows\{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe
File created	C:\Windows\{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe
File created	C:\Windows\{21949D9A-9B8B-42e6-8D0D-F55FB766FCCB}.exe	{D100CC2E-434D-4c13-9C04-16697F7E76BD}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2552	847f8984ccd54634268777412a98a430N.exe
Token: SeIncBasePriorityPrivilege	2368	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe
Token: SeIncBasePriorityPrivilege	2756	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe
Token: SeIncBasePriorityPrivilege	2896	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe
Token: SeIncBasePriorityPrivilege	2688	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe
Token: SeIncBasePriorityPrivilege	836	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe
Token: SeIncBasePriorityPrivilege	1808	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe
Token: SeIncBasePriorityPrivilege	1972	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe
Token: SeIncBasePriorityPrivilege	1960	{D100CC2E-434D-4c13-9C04-16697F7E76BD}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 2368	2552	847f8984ccd54634268777412a98a430N.exe	29
PID 2552 wrote to memory of 2368	2552	847f8984ccd54634268777412a98a430N.exe	29
PID 2552 wrote to memory of 2368	2552	847f8984ccd54634268777412a98a430N.exe	29
PID 2552 wrote to memory of 2368	2552	847f8984ccd54634268777412a98a430N.exe	29
PID 2552 wrote to memory of 1636	2552	847f8984ccd54634268777412a98a430N.exe	30
PID 2552 wrote to memory of 1636	2552	847f8984ccd54634268777412a98a430N.exe	30
PID 2552 wrote to memory of 1636	2552	847f8984ccd54634268777412a98a430N.exe	30
PID 2552 wrote to memory of 1636	2552	847f8984ccd54634268777412a98a430N.exe	30
PID 2368 wrote to memory of 2756	2368	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe	31
PID 2368 wrote to memory of 2756	2368	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe	31
PID 2368 wrote to memory of 2756	2368	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe	31
PID 2368 wrote to memory of 2756	2368	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe	31
PID 2368 wrote to memory of 2848	2368	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe	32
PID 2368 wrote to memory of 2848	2368	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe	32
PID 2368 wrote to memory of 2848	2368	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe	32
PID 2368 wrote to memory of 2848	2368	{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe	32
PID 2756 wrote to memory of 2896	2756	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe	33
PID 2756 wrote to memory of 2896	2756	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe	33
PID 2756 wrote to memory of 2896	2756	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe	33
PID 2756 wrote to memory of 2896	2756	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe	33
PID 2756 wrote to memory of 2664	2756	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe	34
PID 2756 wrote to memory of 2664	2756	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe	34
PID 2756 wrote to memory of 2664	2756	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe	34
PID 2756 wrote to memory of 2664	2756	{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe	34
PID 2896 wrote to memory of 2688	2896	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe	35
PID 2896 wrote to memory of 2688	2896	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe	35
PID 2896 wrote to memory of 2688	2896	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe	35
PID 2896 wrote to memory of 2688	2896	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe	35
PID 2896 wrote to memory of 2640	2896	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe	36
PID 2896 wrote to memory of 2640	2896	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe	36
PID 2896 wrote to memory of 2640	2896	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe	36
PID 2896 wrote to memory of 2640	2896	{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe	36
PID 2688 wrote to memory of 836	2688	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe	37
PID 2688 wrote to memory of 836	2688	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe	37
PID 2688 wrote to memory of 836	2688	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe	37
PID 2688 wrote to memory of 836	2688	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe	37
PID 2688 wrote to memory of 2612	2688	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe	38
PID 2688 wrote to memory of 2612	2688	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe	38
PID 2688 wrote to memory of 2612	2688	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe	38
PID 2688 wrote to memory of 2612	2688	{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe	38
PID 836 wrote to memory of 1808	836	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe	39
PID 836 wrote to memory of 1808	836	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe	39
PID 836 wrote to memory of 1808	836	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe	39
PID 836 wrote to memory of 1808	836	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe	39
PID 836 wrote to memory of 1676	836	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe	40
PID 836 wrote to memory of 1676	836	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe	40
PID 836 wrote to memory of 1676	836	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe	40
PID 836 wrote to memory of 1676	836	{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe	40
PID 1808 wrote to memory of 1972	1808	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe	41
PID 1808 wrote to memory of 1972	1808	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe	41
PID 1808 wrote to memory of 1972	1808	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe	41
PID 1808 wrote to memory of 1972	1808	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe	41
PID 1808 wrote to memory of 2136	1808	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe	42
PID 1808 wrote to memory of 2136	1808	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe	42
PID 1808 wrote to memory of 2136	1808	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe	42
PID 1808 wrote to memory of 2136	1808	{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe	42
PID 1972 wrote to memory of 1960	1972	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe	43
PID 1972 wrote to memory of 1960	1972	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe	43
PID 1972 wrote to memory of 1960	1972	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe	43
PID 1972 wrote to memory of 1960	1972	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe	43
PID 1972 wrote to memory of 1992	1972	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe	44
PID 1972 wrote to memory of 1992	1972	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe	44
PID 1972 wrote to memory of 1992	1972	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe	44
PID 1972 wrote to memory of 1992	1972	{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe	44

C:\Users\Admin\AppData\Local\Temp\847f8984ccd54634268777412a98a430N.exe
"C:\Users\Admin\AppData\Local\Temp\847f8984ccd54634268777412a98a430N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe
  C:\Windows\{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe
    C:\Windows\{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe
      C:\Windows\{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe
        
        C:\Windows\{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe
        
        C:\Windows\{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe
        
        C:\Windows\{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1808
        
        C:\Windows\{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe
        
        C:\Windows\{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\{D100CC2E-434D-4c13-9C04-16697F7E76BD}.exe
        
        C:\Windows\{D100CC2E-434D-4c13-9C04-16697F7E76BD}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
        
        C:\Windows\{21949D9A-9B8B-42e6-8D0D-F55FB766FCCB}.exe
        
        C:\Windows\{21949D9A-9B8B-42e6-8D0D-F55FB766FCCB}.exe
        10⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D100C~1.EXE > nul
        10⤵
        
        PID:928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{F9B13~1.EXE > nul
        9⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{AA0CE~1.EXE > nul
        8⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{78489~1.EXE > nul
        7⤵
        
        PID:1676
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{75E34~1.EXE > nul
        6⤵
        
        PID:2612
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A35C5~1.EXE > nul
        5⤵
        
        PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{99940~1.EXE > nul
      4⤵
      PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{C893E~1.EXE > nul
    3⤵
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\847F89~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{21949D9A-9B8B-42e6-8D0D-F55FB766FCCB}.exe

Filesize
89KB

MD5
6354f116daedab3d82167895b41d8bc9

SHA1
19be98866e90b13a67e2358553141c5933b0830e

SHA256
bd8f089cc77ee4432e410248d75245415af2adc73bd57cc2599e36991a0ac1fe

SHA512
da755bd1ae233c618a47614052c506a5a2b40b72acddc8c95bae1873d503bdb0a89fabeca826f326acf537d2b243ac33bdf6daf04e9869c3be1d655d71bc3910

Download Submit
C:\Windows\{75E347E9-88A6-4a6b-8BDE-EDFE88ACB8BB}.exe

Filesize
89KB

MD5
74a70c9e400c4fde5fc0b91509218e84

SHA1
8cb376932fbe7f226211c131d71b1e58fe0d9b49

SHA256
4de59128f33dd4a0db90aa569b290b81a7326b959b3d1f1292e2728f44f603be

SHA512
898f3f3061f41dd54ae6df968c70f408c29a3e7193a1895825e52c6362579fbd92bd911e4d2f027c90fb3d3202ebd38747510409c84dab8e4c8339b0f73879c2

Download Submit
C:\Windows\{78489B37-31B0-4a38-BD8B-5169CD87C741}.exe

Filesize
89KB

MD5
94252aacbd117d0a1ada9e7787843f7c

SHA1
1e2320e16e809729848cdb3beef6c2bb42fe079a

SHA256
cd91cadb147513f037eb9e72959fbd1cf219b3d44bc6629dc5584022d884a01a

SHA512
a39a7c22286f76db1f6bb871b3211222bfc4fd94650eba6f5a6439e391098a3d4fbfda7394515944ae368f08caae28d636b60fac3efe137c33ffa24ebd2ccf00

Download Submit
C:\Windows\{99940DFE-58FA-4adc-99F8-89ACB09A7E97}.exe

Filesize
89KB

MD5
bb59436144ca6311aa82b47be4911f79

SHA1
3a457c5c2db4a8628db20305f108f4a1fb920837

SHA256
48606b359c7669bda50a0692ceaea2d3d9e36a88a9319540dcd7067aba67468e

SHA512
1e81e517a58b529afd983c5db8a9754c79bd217440b4aa30392a4b4c9582bd55b3a9550f4c7f8c4078e9e92f2ae6c07ddd2b7cc00eeca1c59f17632f3f91cbc5

Download Submit
C:\Windows\{A35C5535-A210-4c77-8E5C-6A8D53098A1F}.exe

Filesize
89KB

MD5
d4973175801ef9dc2872cc2fe97ddcc0

SHA1
194a472cb24c2793ec772bbe5f8d23569a64420c

SHA256
4e96bcfc42b817e5bfcaecefdc7c32d4606c8b9bbab3157f59f69c0fe038f4ab

SHA512
d4e72582fce9258285ede21672e89b912cef5b5e3278391677fdbff894c7b39a2a165f4705a476439319c6df7dac44db778ab5ff7c834aef16c082ef2c31a3e5

Download Submit
C:\Windows\{AA0CEC8B-8864-4a27-AE7A-CCA3DA725809}.exe

Filesize
89KB

MD5
721c65e838dc3a74ddc0a58a116411d5

SHA1
c7ed33665dcc29b7ef75ccaa67fbc7e9543954e0

SHA256
1965bd8ca26bf9a123077752e3387d2189c3719bdc87ea8a4aefc9213e54a7ad

SHA512
274517db8ec9bc7c0c1c775c8b73458d541fd00cb875859a20c55a8d9875ce2239662c8c9503acf549f3244ea80c97aee2eb56359efc3051d0a8b7483aa14c0f

Download Submit
C:\Windows\{C893EC73-A2F4-41e5-8485-48C52E2492B8}.exe

Filesize
89KB

MD5
e518b70117448c36cc5a9fc0f54bd8d5

SHA1
0f277c44cd8505658557d09e20832d445bfa3f8a

SHA256
a7915e8e6ab9f2b29e21dae2b4d615b234a3f577eeba7a8322e68acf3dfe8157

SHA512
8e192b5c027793097019cc2407e47b41d0d160f58aab2e89f94854f5068a5416da2d62951425beddfc77596c56b6749cec4cd606d23819de3310f9a72fed750c

Download Submit
C:\Windows\{D100CC2E-434D-4c13-9C04-16697F7E76BD}.exe

Filesize
89KB

MD5
0b188ff097c6aefd2e60b8d1f309cbd3

SHA1
32583f5560e2773d30d30393885b99e296dd51a3

SHA256
d51ab56ccadf5dc0e52faf6df9ba1507a41631c98d1218d6f96afbd0f7de26b1

SHA512
65671e0d2f5c3b2343f4a5492b1134044fcc10667fd550793a446315a6c78a606b25ac998b9670a8deaa072e2eb5dec56e522da43b997a8c2fe0999632604d89

Download Submit
C:\Windows\{F9B13680-6B4A-4ae9-9BFF-11F069328E48}.exe

Filesize
89KB

MD5
130f4c9c48a87b51379337fd780b3bc3

SHA1
d203e99edaae284cf4430199401bf9198014bcbf

SHA256
e954b852e6144b4c9cbeba6c81a3026bebc8973568cce8ac090caab2a2469684

SHA512
618f063999c4d0cd7eba52720c3b53dcb71a2c6cf6a90f157d124bb302eb8571f6c257381e56f4b9d5ff373cb8972a2c722a455926e9d9c1861bed5b890b15c3

Download Submit
memory/836-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/836-56-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/836-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1808-61-0x0000000000370000-0x0000000000381000-memory.dmp

Filesize
68KB

Download
memory/1808-65-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1960-84-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1960-79-0x00000000003B0000-0x00000000003C1000-memory.dmp

Filesize
68KB

Download
memory/1960-75-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1972-73-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2072-85-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2368-16-0x0000000000280000-0x0000000000291000-memory.dmp

Filesize
68KB

Download
memory/2368-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2368-9-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2552-3-0x0000000000420000-0x0000000000431000-memory.dmp

Filesize
68KB

Download
memory/2552-8-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2688-42-0x0000000000350000-0x0000000000361000-memory.dmp

Filesize
68KB

Download
memory/2688-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2756-25-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/2756-27-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2756-26-0x0000000000330000-0x0000000000341000-memory.dmp

Filesize
68KB

Download
memory/2896-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2896-33-0x0000000000700000-0x0000000000711000-memory.dmp

Filesize
68KB

Download
memory/2896-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads