023a41716b8900a56d33d5becadd4b1441a45851d70905866565c872f457da26

Analysis

max time kernel
694s
max time network
519s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 05:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

22.1MB
MD5

bf8bffb4ecd1b7fe3290a63c37fd5686
SHA1

b8e2287e56cac741cd39a46f45c91e359ab81f7a
SHA256

023a41716b8900a56d33d5becadd4b1441a45851d70905866565c872f457da26
SHA512

9d61eefe000be3edab81c16f3917d6c27fd9dbfb9d289423a8f8bcf6615a69709c50f6e6a019e7def8d2218c791072f1bf0b1de7e041cfd508077f252cbbed7d
SSDEEP

393216:qKnuOQUrMhX1iaZ+lPd/OJWsruCkxiBnuJpIsinmqlpkR0arq6eoH2Jg2TG/:rrkX8KMP0JWmu4Zgpunmqlpi0i1WJgAi

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
648	setup.exe
2220	win64_32_x64.exe

Loads dropped DLL 1 IoCs

pid	Process
4264	java.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Zero G Registry	attrib.exe
File opened for modification	C:\Program Files\Zero G Registry\.com.zerog.registry.xml	java.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1640	wmic.exe
Token: SeSecurityPrivilege	1640	wmic.exe
Token: SeTakeOwnershipPrivilege	1640	wmic.exe
Token: SeLoadDriverPrivilege	1640	wmic.exe
Token: SeSystemProfilePrivilege	1640	wmic.exe
Token: SeSystemtimePrivilege	1640	wmic.exe
Token: SeProfSingleProcessPrivilege	1640	wmic.exe
Token: SeIncBasePriorityPrivilege	1640	wmic.exe
Token: SeCreatePagefilePrivilege	1640	wmic.exe
Token: SeBackupPrivilege	1640	wmic.exe
Token: SeRestorePrivilege	1640	wmic.exe
Token: SeShutdownPrivilege	1640	wmic.exe
Token: SeDebugPrivilege	1640	wmic.exe
Token: SeSystemEnvironmentPrivilege	1640	wmic.exe
Token: SeRemoteShutdownPrivilege	1640	wmic.exe
Token: SeUndockPrivilege	1640	wmic.exe
Token: SeManageVolumePrivilege	1640	wmic.exe
Token: 33	1640	wmic.exe
Token: 34	1640	wmic.exe
Token: 35	1640	wmic.exe
Token: 36	1640	wmic.exe
Token: SeIncreaseQuotaPrivilege	1640	wmic.exe
Token: SeSecurityPrivilege	1640	wmic.exe
Token: SeTakeOwnershipPrivilege	1640	wmic.exe
Token: SeLoadDriverPrivilege	1640	wmic.exe
Token: SeSystemProfilePrivilege	1640	wmic.exe
Token: SeSystemtimePrivilege	1640	wmic.exe
Token: SeProfSingleProcessPrivilege	1640	wmic.exe
Token: SeIncBasePriorityPrivilege	1640	wmic.exe
Token: SeCreatePagefilePrivilege	1640	wmic.exe
Token: SeBackupPrivilege	1640	wmic.exe
Token: SeRestorePrivilege	1640	wmic.exe
Token: SeShutdownPrivilege	1640	wmic.exe
Token: SeDebugPrivilege	1640	wmic.exe
Token: SeSystemEnvironmentPrivilege	1640	wmic.exe
Token: SeRemoteShutdownPrivilege	1640	wmic.exe
Token: SeUndockPrivilege	1640	wmic.exe
Token: SeManageVolumePrivilege	1640	wmic.exe
Token: 33	1640	wmic.exe
Token: 34	1640	wmic.exe
Token: 35	1640	wmic.exe
Token: 36	1640	wmic.exe
Token: SeIncreaseQuotaPrivilege	1080	wmic.exe
Token: SeSecurityPrivilege	1080	wmic.exe
Token: SeTakeOwnershipPrivilege	1080	wmic.exe
Token: SeLoadDriverPrivilege	1080	wmic.exe
Token: SeSystemProfilePrivilege	1080	wmic.exe
Token: SeSystemtimePrivilege	1080	wmic.exe
Token: SeProfSingleProcessPrivilege	1080	wmic.exe
Token: SeIncBasePriorityPrivilege	1080	wmic.exe
Token: SeCreatePagefilePrivilege	1080	wmic.exe
Token: SeBackupPrivilege	1080	wmic.exe
Token: SeRestorePrivilege	1080	wmic.exe
Token: SeShutdownPrivilege	1080	wmic.exe
Token: SeDebugPrivilege	1080	wmic.exe
Token: SeSystemEnvironmentPrivilege	1080	wmic.exe
Token: SeRemoteShutdownPrivilege	1080	wmic.exe
Token: SeUndockPrivilege	1080	wmic.exe
Token: SeManageVolumePrivilege	1080	wmic.exe
Token: 33	1080	wmic.exe
Token: 34	1080	wmic.exe
Token: 35	1080	wmic.exe
Token: 36	1080	wmic.exe
Token: SeIncreaseQuotaPrivilege	1080	wmic.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4264	java.exe
4264	java.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4592 wrote to memory of 648	4592	setup.exe	86
PID 4592 wrote to memory of 648	4592	setup.exe	86
PID 4592 wrote to memory of 648	4592	setup.exe	86
PID 648 wrote to memory of 4264	648	setup.exe	87
PID 648 wrote to memory of 4264	648	setup.exe	87
PID 4264 wrote to memory of 1640	4264	java.exe	88
PID 4264 wrote to memory of 1640	4264	java.exe	88
PID 4264 wrote to memory of 1080	4264	java.exe	92
PID 4264 wrote to memory of 1080	4264	java.exe	92
PID 4264 wrote to memory of 2544	4264	java.exe	95
PID 4264 wrote to memory of 2544	4264	java.exe	95
PID 4264 wrote to memory of 4436	4264	java.exe	97
PID 4264 wrote to memory of 4436	4264	java.exe	97
PID 4264 wrote to memory of 2220	4264	java.exe	104
PID 4264 wrote to memory of 2220	4264	java.exe	104
PID 4264 wrote to memory of 3172	4264	java.exe	106
PID 4264 wrote to memory of 3172	4264	java.exe	106
PID 4264 wrote to memory of 4864	4264	java.exe	108
PID 4264 wrote to memory of 4864	4264	java.exe	108
PID 4264 wrote to memory of 4816	4264	java.exe	110
PID 4264 wrote to memory of 4816	4264	java.exe	110
PID 4264 wrote to memory of 4232	4264	java.exe	112
PID 4264 wrote to memory of 4232	4264	java.exe	112
PID 4264 wrote to memory of 4396	4264	java.exe	114
PID 4264 wrote to memory of 4396	4264	java.exe	114
PID 4264 wrote to memory of 4628	4264	java.exe	116
PID 4264 wrote to memory of 4628	4264	java.exe	116
PID 4264 wrote to memory of 4556	4264	java.exe	118
PID 4264 wrote to memory of 4556	4264	java.exe	118
PID 4264 wrote to memory of 2884	4264	java.exe	121
PID 4264 wrote to memory of 2884	4264	java.exe	121

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
4232	attrib.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\setup.exe
  C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\setup.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -Xms20971520 -classpath "C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData;" com.zerog.lax.LAX "C:/Users/Admin/AppData/Local/Temp/I1683270172/Windows/setup.lax" "C:/Users/Admin/AppData/Local/Temp/lax97FF.tmp"
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4264
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1640
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get name
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1080
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get name
      4⤵
      PID:2544
  - - C:\Windows\System32\Wbem\wmic.exe
      wmic os get version
      4⤵
      PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\resource\win64_32_x64.exe
      "C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\resource\win64_32_x64.exe" -sys32
      4⤵
      Executes dropped EXE
      PID:2220
  - - C:\ProgramData\Oracle\Java\javapath\java.exe
      C:\ProgramData\Oracle\Java\javapath\java.exe -cp C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData; com.zerog.util.jvm.JVMInformationRetrieverServer 2 C:\ProgramData\Oracle\Java\javapath\java.exe 1.7+
      4⤵
      PID:3172
  - - C:\Program Files\Java\jdk1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jdk1.8.0_66\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData; com.zerog.util.jvm.JVMInformationRetrieverServer 2 "C:\Program Files\Java\jdk1.8.0_66\bin\java.exe" 1.7+
      4⤵
      PID:4864
  - - C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe
      "C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData; com.zerog.util.jvm.JVMInformationRetrieverServer 2 "C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe" 1.7+
      4⤵
      PID:4816
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +h "C:\Program Files\Zero G Registry"
      4⤵
      Drops file in Program Files directory
      Views/modifies file attributes
      PID:4232
  - - C:\Program Files\Java\jdk1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jdk1.8.0_66\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData; com.zerog.util.jvm.JVMInformationRetrieverServer 2 "C:\Program Files\Java\jdk1.8.0_66\bin\java.exe" 1.7+
      4⤵
      PID:4396
  - - C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe
      "C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData; com.zerog.util.jvm.JVMInformationRetrieverServer 2 "C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe" 1.7+
      4⤵
      PID:4628
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData; com.zerog.util.jvm.JVMInformationRetrieverServer 2 "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" 1.7+
      4⤵
      PID:4556
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -cp C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\IAClasses.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Execute.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData\Resource1.zip;C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData;C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\InstallerData; com.zerog.util.jvm.JVMInformationRetrieverServer 2 "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" 1.7+
      4⤵
      PID:2884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
170ff1f3538f773151a0621a02292da7

SHA1
62cd1bf3c9c7b9d044c10f51c43aa46e8745b42e

SHA256
d657d5b8f40bea0617211d43085d441b0eeb29dd58b0be60db502f3d74e6a32f

SHA512
a663fbd6b727fc407159dea84cfe7c76f9b71fea513c7bddc3d296f2e8d618f9f75aad067b2d2e12588d3397fa9cf4932c90b5b7acc29d916b1d81307348bb2a

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
c86b051a095a1d2435b66fab3dbf24f2

SHA1
3873ab1050082fc8d955f54fcf63884425f04be4

SHA256
175b5ea6de03d7f1108247afd5513bc66186ef9f24ad2bd7d09eb263df1fcfad

SHA512
351b157e1bb2d191713a6bfee95aff7befb59a69c527bff3261783a6456eb80bc83fb94d0afb32eaee0d973ad713e7b388f13df6369ee2de30d360ae1ae2a8d8

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
7010949db1f1e866d5867f1e4578fe34

SHA1
9d1e83816aede19dcbd8fb7101d5d799e92c3476

SHA256
3a6b12cebab5aabe3174d8d566cc14f77fda2dc654696f8db4a846403bf89300

SHA512
0b04db0eb30557647d869805d0d4a44bd7b95da3c9c55fc93e096677b999403a88c46e32a9dc611ddf2a11c996a5a47c61ea0aeb568f8f6e72ce420e84ff7358

Download Submit
C:\Users\Admin\.oracle_jre_usage\f9b9f6b8ff8b2b60.timestamp

Filesize
54B

MD5
aec5f84833a8a526ed46168e69e41fa2

SHA1
5038a1f8038ff7cd6ad8637876f9344031575cf9

SHA256
4c9c21820a751d8a53eba373676f6ffa963303241c505da687adb32f8f7847a4

SHA512
d7bdf92315cba611cf82406a2b662414ae36751b8930e0c9e2c1f98b5c7e2234173cd082ecb54171859cbac29e8f90075edd3b36ab3f102a543e0503df883fc0

Download Submit
C:\Users\Admin\.oracle_jre_usage\f9b9f6b8ff8b2b60.timestamp

Filesize
54B

MD5
65b6b9ddfeb5c9812dcbd710e9d23f0e

SHA1
f630da408f11edf9c096f35e513b2e67c9cc1b6b

SHA256
63661cfe5b2f137a7944fd4aa4f1ed28967aff1c29ee92b11cac9e3b8c187c49

SHA512
361782b5063c6b0b4ae8e00f64e46a2154e3d5a65b9ca77bb56d0d9c486b67f46b63377caa2b441c071c7e35774b0d133b528545a218cf21cc4595e0fbc75788

Download Submit
C:\Users\Admin\.oracle_jre_usage\f9b9f6b8ff8b2b60.timestamp

Filesize
54B

MD5
b4e61d9b327a12af712447f9365df2a6

SHA1
0eb54745618972456f0d369126c35c9cd5e69cd6

SHA256
494dde22b9df7962e3428c0b0a0e9169652e276193625002142425df68017639

SHA512
875bf39bf6725ff7921a5eafdafd7caed4b608e0ec37bd2ccd4b34aeec3a39d8dd87613b134f82958807e3f12dbef6932e38cae916e8398eb5392f0363a32109

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\Execute.zip

Filesize
18.0MB

MD5
fb90e663bce3ba198c01f3be086aedd4

SHA1
2ed063059cbee8910bd685a678ca46375a5b74c6

SHA256
2f3ed7a2f099a2a8b6659b8190f85ba633baff99828bc0e32bef21c441868f21

SHA512
de161ba3415fe9baa58a6654d2879797d81088176203c8b203e87f1ff3b7568885c41074469f306bb7eb89d2459d7fdd2ef6ff68085a95a4b04986f2edf91070

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\InstallerData\IAClasses.zip

Filesize
4.7MB

MD5
1e5280726dd5f67513a751277ab1f99d

SHA1
6a5ea3874095e285c7311f81719344801e407e78

SHA256
e01aa1f3af160de1a81321d0cb9fb9d8bc6b9790d881382da8f07cb95bc0595f

SHA512
21f8e75432270b1c6ec6d7569d9dc63d98e2c68e1435e241cd5b52ff65f932afc1c5c88cafc87fe04811c45ac41a1f8b9176c7238a6594465a9f44c8eb8b02b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\jvmspecs\jvmspecs.properties

Filesize
448B

MD5
9ea1f68278fc08c315a1457237da584a

SHA1
0387799d27cd1944a1798d82613786fc91ade4c1

SHA256
b374be5a723bc5e3fff8c9ad5b9ee1aab09e814b1bed53d569e82e3653af5d9e

SHA512
fe02dd56c7f8b2c99e7f9673128c4867b6682c3081452bf0a78420ab910670d3a9866fa0e2ce2f891795bec8a9cc690468441130abef4e3700542f9da2d4c6f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\resource\iawin64_x64.dll

Filesize
130KB

MD5
29abcd83cadb184d0e2552a6103bad44

SHA1
902131c67019b6f27aa02b60db9ce8fae7259f05

SHA256
85bf3ff44c3ec0883947ae7f38c152ac4f97350d95a40f0db01f8923192dc617

SHA512
5058f15ff99321ecfd1e7054739bd764c0e6da240b485c92326691869ba75e912ff705a90659a882a92a5039e5e7fafa8043629ce83e8b950721d4c1d702daa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\resource\iawin64_x64.dll

Filesize
130KB

MD5
29abcd83cadb184d0e2552a6103bad44

SHA1
902131c67019b6f27aa02b60db9ce8fae7259f05

SHA256
85bf3ff44c3ec0883947ae7f38c152ac4f97350d95a40f0db01f8923192dc617

SHA512
5058f15ff99321ecfd1e7054739bd764c0e6da240b485c92326691869ba75e912ff705a90659a882a92a5039e5e7fafa8043629ce83e8b950721d4c1d702daa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\resource\win64_32_x64.exe

Filesize
103KB

MD5
9a8f078a6aded61165e0442c875b2d11

SHA1
65fbe8c945a7fb0b4f20f00e4b4313cb2502e72e

SHA256
13fd959e277660ed3de7fbbf865e06fbace6a5e76e9f3ea153532fd3764b3194

SHA512
1a54dee4c252143fb0e6c3a175fd64f3112aac93e31094a76370c7b8cd3cb8114e057c5a40c49d3dd4c97eba76e2912cd254056d847f413cfc26a2640366c35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\resource\win64_32_x64.exe

Filesize
103KB

MD5
9a8f078a6aded61165e0442c875b2d11

SHA1
65fbe8c945a7fb0b4f20f00e4b4313cb2502e72e

SHA256
13fd959e277660ed3de7fbbf865e06fbace6a5e76e9f3ea153532fd3764b3194

SHA512
1a54dee4c252143fb0e6c3a175fd64f3112aac93e31094a76370c7b8cd3cb8114e057c5a40c49d3dd4c97eba76e2912cd254056d847f413cfc26a2640366c35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\setup.exe

Filesize
538KB

MD5
5f0c61a74ae912c9b37bceb449b8b33e

SHA1
9d90020032e44e2a8465c77fb85ece57f2a09193

SHA256
dede6586c6679f0dbcb242572c4a7a617c7c960a39c9417673574db8ad813997

SHA512
53b23ecc33dc91e2de62c9c07ec7feedfbe8093f95496abf836eaee507f9096294dd6d4618a99297ad32b1117eb16a3ff5f9cf387b8d99235cf47659b24981e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\setup.exe

Filesize
538KB

MD5
5f0c61a74ae912c9b37bceb449b8b33e

SHA1
9d90020032e44e2a8465c77fb85ece57f2a09193

SHA256
dede6586c6679f0dbcb242572c4a7a617c7c960a39c9417673574db8ad813997

SHA512
53b23ecc33dc91e2de62c9c07ec7feedfbe8093f95496abf836eaee507f9096294dd6d4618a99297ad32b1117eb16a3ff5f9cf387b8d99235cf47659b24981e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\Windows\setup.lax

Filesize
1KB

MD5
6775ee9a0c7ec3c4c3518312facea186

SHA1
128e666f482d201910a5b620afc595736f18fa78

SHA256
c95de3e32edf58eb2f6c0c82a80033a30cd0a4c0e86a7d98ec56a1c5117574bf

SHA512
350b0ca1e6ac0a42768b1516049a6cbe0d3c90115e760cf97ac0e19f30af765130990c62de9441d35c49e4f590b6ef1b825c86f71669ed8ae2962af91f8f3f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1683270172\sea_loc

Filesize
45B

MD5
d8143de7a6779bf01772f9b0565f41f7

SHA1
c7556bb074f53750314eb9d8c6614ccfd0f0c93c

SHA256
da9d71d6fec28ff5dbcab9094a9310ce83a009d6c7c1538fff5aebf48a461f73

SHA512
3b8c55e75b912614ed1738cfe6aefb97c0d2ff29dbb02d5ee0bc795a726e7a176c9549151621aaad39babfa398a917b3c9104c66718c9f78abadcfee14fde6eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\lax97FF.tmp

Filesize
7KB

MD5
3e547b76700e0fb746ed78c0ac797a91

SHA1
cafa8f246d18ecf2d44e60b7535387a335be8b46

SHA256
89ecc51289ebb58b6ae6a187f13c79e4b48f8a2495990d50ea325cb704c58f33

SHA512
868d39cea6e190fabd20d816c79f66bf67ee498db96761c35d72f21a80f52e1c537d1bf52a3c463966661ebb31ede2a339dc08ffeb856c9e70a027bbfa16bd55

Download Submit
memory/4264-213-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-247-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-248-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-259-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-234-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-229-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-219-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-217-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-205-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-200-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-199-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/4264-189-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads