7cf8b75284e42eb18a0d5b00d5df3c274c3ccbd1db5e7078acec56bf1d38e4ca

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56e1da5ba551a748358720eed8192200N.exe
Size

91KB
MD5

56e1da5ba551a748358720eed8192200
SHA1

fde2f8c1380fdafe7b3bcbb91bd08c327a300a80
SHA256

7cf8b75284e42eb18a0d5b00d5df3c274c3ccbd1db5e7078acec56bf1d38e4ca
SHA512

0cd13b6c756777b74aeb49f2148a81ebcbd7c0e59f6db7d5044a70e8d781396e1a3bd20ccad35cb024f105ccbea64242c138852d5be28a92a0173b32f6421729
SSDEEP

768:5vw9816uhKirob4/wQNNrfrunMxVFA3b7t:lEGkmoblCunMxVS3Ht

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D19BBE49-4C3D-4331-A26C-271E633A9A66}	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}\stubpath = "C:\\Windows\\{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe"	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89E1F45E-5D60-4842-8761-C3B98A9C69EE}\stubpath = "C:\\Windows\\{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe"	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D19BBE49-4C3D-4331-A26C-271E633A9A66}\stubpath = "C:\\Windows\\{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe"	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8212C8D1-33A4-46d7-A517-A4C9CF6D7B40}	{E74ABB60-7D76-4428-93E1-81299764093F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{89E1F45E-5D60-4842-8761-C3B98A9C69EE}	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8212C8D1-33A4-46d7-A517-A4C9CF6D7B40}\stubpath = "C:\\Windows\\{8212C8D1-33A4-46d7-A517-A4C9CF6D7B40}.exe"	{E74ABB60-7D76-4428-93E1-81299764093F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}	56e1da5ba551a748358720eed8192200N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}\stubpath = "C:\\Windows\\{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe"	56e1da5ba551a748358720eed8192200N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B443C601-6BDD-4781-884F-D0495AEBE99B}\stubpath = "C:\\Windows\\{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe"	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B602FFB5-90FF-4f37-8F52-3F94EC224353}	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B602FFB5-90FF-4f37-8F52-3F94EC224353}\stubpath = "C:\\Windows\\{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe"	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E74ABB60-7D76-4428-93E1-81299764093F}\stubpath = "C:\\Windows\\{E74ABB60-7D76-4428-93E1-81299764093F}.exe"	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B443C601-6BDD-4781-884F-D0495AEBE99B}	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}\stubpath = "C:\\Windows\\{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe"	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E74ABB60-7D76-4428-93E1-81299764093F}	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe

Executes dropped EXE 9 IoCs

pid	Process
3124	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe
1092	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe
896	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe
2296	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe
4344	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe
2028	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe
1608	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe
1892	{E74ABB60-7D76-4428-93E1-81299764093F}.exe
2012	{8212C8D1-33A4-46d7-A517-A4C9CF6D7B40}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe
File created	C:\Windows\{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe
File created	C:\Windows\{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe
File created	C:\Windows\{E74ABB60-7D76-4428-93E1-81299764093F}.exe	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe
File created	C:\Windows\{8212C8D1-33A4-46d7-A517-A4C9CF6D7B40}.exe	{E74ABB60-7D76-4428-93E1-81299764093F}.exe
File created	C:\Windows\{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe	56e1da5ba551a748358720eed8192200N.exe
File created	C:\Windows\{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe
File created	C:\Windows\{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe
File created	C:\Windows\{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2536	56e1da5ba551a748358720eed8192200N.exe
Token: SeIncBasePriorityPrivilege	3124	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe
Token: SeIncBasePriorityPrivilege	1092	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe
Token: SeIncBasePriorityPrivilege	896	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe
Token: SeIncBasePriorityPrivilege	2296	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe
Token: SeIncBasePriorityPrivilege	4344	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe
Token: SeIncBasePriorityPrivilege	2028	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe
Token: SeIncBasePriorityPrivilege	1608	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe
Token: SeIncBasePriorityPrivilege	1892	{E74ABB60-7D76-4428-93E1-81299764093F}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3124	2536	56e1da5ba551a748358720eed8192200N.exe	86
PID 2536 wrote to memory of 3124	2536	56e1da5ba551a748358720eed8192200N.exe	86
PID 2536 wrote to memory of 3124	2536	56e1da5ba551a748358720eed8192200N.exe	86
PID 2536 wrote to memory of 4908	2536	56e1da5ba551a748358720eed8192200N.exe	87
PID 2536 wrote to memory of 4908	2536	56e1da5ba551a748358720eed8192200N.exe	87
PID 2536 wrote to memory of 4908	2536	56e1da5ba551a748358720eed8192200N.exe	87
PID 3124 wrote to memory of 1092	3124	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe	88
PID 3124 wrote to memory of 1092	3124	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe	88
PID 3124 wrote to memory of 1092	3124	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe	88
PID 3124 wrote to memory of 1464	3124	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe	89
PID 3124 wrote to memory of 1464	3124	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe	89
PID 3124 wrote to memory of 1464	3124	{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe	89
PID 1092 wrote to memory of 896	1092	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe	92
PID 1092 wrote to memory of 896	1092	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe	92
PID 1092 wrote to memory of 896	1092	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe	92
PID 1092 wrote to memory of 520	1092	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe	93
PID 1092 wrote to memory of 520	1092	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe	93
PID 1092 wrote to memory of 520	1092	{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe	93
PID 896 wrote to memory of 2296	896	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe	96
PID 896 wrote to memory of 2296	896	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe	96
PID 896 wrote to memory of 2296	896	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe	96
PID 896 wrote to memory of 376	896	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe	97
PID 896 wrote to memory of 376	896	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe	97
PID 896 wrote to memory of 376	896	{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe	97
PID 2296 wrote to memory of 4344	2296	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe	98
PID 2296 wrote to memory of 4344	2296	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe	98
PID 2296 wrote to memory of 4344	2296	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe	98
PID 2296 wrote to memory of 3968	2296	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe	99
PID 2296 wrote to memory of 3968	2296	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe	99
PID 2296 wrote to memory of 3968	2296	{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe	99
PID 4344 wrote to memory of 2028	4344	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe	100
PID 4344 wrote to memory of 2028	4344	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe	100
PID 4344 wrote to memory of 2028	4344	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe	100
PID 4344 wrote to memory of 4308	4344	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe	101
PID 4344 wrote to memory of 4308	4344	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe	101
PID 4344 wrote to memory of 4308	4344	{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe	101
PID 2028 wrote to memory of 1608	2028	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe	102
PID 2028 wrote to memory of 1608	2028	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe	102
PID 2028 wrote to memory of 1608	2028	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe	102
PID 2028 wrote to memory of 980	2028	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe	103
PID 2028 wrote to memory of 980	2028	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe	103
PID 2028 wrote to memory of 980	2028	{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe	103
PID 1608 wrote to memory of 1892	1608	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe	104
PID 1608 wrote to memory of 1892	1608	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe	104
PID 1608 wrote to memory of 1892	1608	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe	104
PID 1608 wrote to memory of 4948	1608	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe	105
PID 1608 wrote to memory of 4948	1608	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe	105
PID 1608 wrote to memory of 4948	1608	{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe	105
PID 1892 wrote to memory of 2012	1892	{E74ABB60-7D76-4428-93E1-81299764093F}.exe	106
PID 1892 wrote to memory of 2012	1892	{E74ABB60-7D76-4428-93E1-81299764093F}.exe	106
PID 1892 wrote to memory of 2012	1892	{E74ABB60-7D76-4428-93E1-81299764093F}.exe	106
PID 1892 wrote to memory of 5112	1892	{E74ABB60-7D76-4428-93E1-81299764093F}.exe	107
PID 1892 wrote to memory of 5112	1892	{E74ABB60-7D76-4428-93E1-81299764093F}.exe	107
PID 1892 wrote to memory of 5112	1892	{E74ABB60-7D76-4428-93E1-81299764093F}.exe	107

C:\Users\Admin\AppData\Local\Temp\56e1da5ba551a748358720eed8192200N.exe
"C:\Users\Admin\AppData\Local\Temp\56e1da5ba551a748358720eed8192200N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe
  C:\Windows\{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3124
- - C:\Windows\{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe
    C:\Windows\{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1092
  - - C:\Windows\{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe
      C:\Windows\{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:896
    - - C:\Windows\{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe
        
        C:\Windows\{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
      - C:\Windows\{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe
        
        C:\Windows\{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe
        
        C:\Windows\{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe
        
        C:\Windows\{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1608
        
        C:\Windows\{E74ABB60-7D76-4428-93E1-81299764093F}.exe
        
        C:\Windows\{E74ABB60-7D76-4428-93E1-81299764093F}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\{8212C8D1-33A4-46d7-A517-A4C9CF6D7B40}.exe
        
        C:\Windows\{8212C8D1-33A4-46d7-A517-A4C9CF6D7B40}.exe
        10⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{E74AB~1.EXE > nul
        10⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{D19BB~1.EXE > nul
        9⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{89E1F~1.EXE > nul
        8⤵
        
        PID:980
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{B602F~1.EXE > nul
        7⤵
        
        PID:4308
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{FF879~1.EXE > nul
        6⤵
        
        PID:3968
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2B494~1.EXE > nul
        5⤵
        
        PID:376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{B443C~1.EXE > nul
      4⤵
      PID:520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{6CCB3~1.EXE > nul
    3⤵
    PID:1464
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\56E1DA~1.EXE > nul
  2⤵
  PID:4908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2B494B4A-A38A-4c0a-9EF8-003E4479A0CF}.exe

Filesize
91KB

MD5
eac6c9425f3a18c13b6599884973a114

SHA1
6c56e26deaef54f7d799ebd9169431172e71835b

SHA256
cbbb40e41b39b546120231146f129d085100ef623be8a0b0172fa003c014d060

SHA512
0c8a02b3a6389299c7c93db5012a3152d6f5d1ef631d94da252e13464a6398a7e59729806e5cfdb021e27f4e9a5bfe1a34e75ded893c76f9c7f2e793d9c565aa

Download Submit
C:\Windows\{6CCB3915-4181-4ffd-A4E1-3CC203AD2326}.exe

Filesize
91KB

MD5
d74dd52aea1a5cb183c034b3cdf904a6

SHA1
4572174fd7fa14eb5e8fce4972ef5b2ba1752b4c

SHA256
5793ce9c6fcfcab124806a94d05ce09235ded699a79156aaff5c864d7525abf3

SHA512
a25b6f984b92165a4e2981d2967dd437f5f1d9fcbb8099dfb05b21cc5f7e00373e6b6f897df2d9eea23540bcca55205e6ff57c4a4a91d874f5f0aedfd653c7e9

Download Submit
C:\Windows\{8212C8D1-33A4-46d7-A517-A4C9CF6D7B40}.exe

Filesize
91KB

MD5
152a60c99057c6ebc6e98029df74cc7d

SHA1
c909857d41730b6764b4c89c712bc5605c08b89f

SHA256
28b010355d50c59aa50d6d9613724b2328548b041cbb26eb897ce29f25c9a94e

SHA512
d26055ec552431b1f27ba2b64e559c6592d5a8c09e7cab05bec23aedfd314b4f6af0c64bdd8e8d763f345c2a3c4ae38fd505eab688c4dc17a6dd6ace454f5d55

Download Submit
C:\Windows\{89E1F45E-5D60-4842-8761-C3B98A9C69EE}.exe

Filesize
91KB

MD5
bb4427ca86fbb44bc2e61fdf54908738

SHA1
d558b8d8113b9f15d5807fd3c838c33ed0d6e873

SHA256
57bcd3490b8303e00bbc9cd3cd2d9a9100c0bc7432442571d44321967284f850

SHA512
1154fe56ded757dbc9b6f65d4c21cf877b33ba7264e34d673eeda18724643f883b0380dd923bf8c043c26353d423b15fce40394e4d75a0141f1dc4105b93721f

Download Submit
C:\Windows\{B443C601-6BDD-4781-884F-D0495AEBE99B}.exe

Filesize
91KB

MD5
59fe0b367ba189f979931689e70ef717

SHA1
e308fb7f2168d0d92dba1d4a2e99b4e9f320861c

SHA256
a1263fad2a44032360c4d467c7e348fc58693caa19a3f1351707305fdbc1116c

SHA512
a050be8388d72fac0dbd9555963ea53bd9b11b95fb4daad678b9cf042ae4f31258b6f39984d3cae042d6309d4b40d896f4789b574e4c016e3a807a266388b8d7

Download Submit
C:\Windows\{B602FFB5-90FF-4f37-8F52-3F94EC224353}.exe

Filesize
91KB

MD5
7814f3d325c3d4ae16b9aca3bb5fd0f6

SHA1
dd28063a05e36569fa18f0b15ab44c89279b10c5

SHA256
09644c97b0b35f4c078511daf9ae7e6517a84d05b300846a5228b442b6c16450

SHA512
352891f65900e454689d6c4637b8efa9ce465c10ab7a5b76d8bc7d61c24684a6413b0799040a575c207f581e23f1748be236643bacfe8cf8362f1a8e7736032c

Download Submit
C:\Windows\{D19BBE49-4C3D-4331-A26C-271E633A9A66}.exe

Filesize
91KB

MD5
b19ee8a2666aac54a2f2535936bc7d71

SHA1
4e94d1f87bb0cd108e7fbff27a03c8814f584670

SHA256
deec170619f71fcf11d71cd5dd4a4c7191f7309dec8f53bfafc0124a1803b391

SHA512
1ce60827802bbac4016ecf44bc25649615843204f5e3bfb026c554ef55706f8d4f48d84d4329ceb411786393564dbf5b37f81290007c1971110bdea23361e516

Download Submit
C:\Windows\{E74ABB60-7D76-4428-93E1-81299764093F}.exe

Filesize
91KB

MD5
6a460c3d96d42650348244475adaab10

SHA1
b368b7b8ef6cef8e3a9dad2305c0664fa385b34a

SHA256
a8e1fd366e99acf1ea0a0664919e1a61389115e68ec652342454256497b21a37

SHA512
6691507179239eb7d88a0c73d48446ab57b6aa01149001be758f46d90e07bd3645f92509e5544c8284f3a6ae55653e8366a4df71105c271eb42ec5addb80222d

Download Submit
C:\Windows\{FF879ACC-69BD-41b9-8585-9C1A43F1C0AB}.exe

Filesize
91KB

MD5
d600189bd61851d60e59b823ee162c17

SHA1
2b7c1b929227b3f5ad72ea36b598c94d5213b351

SHA256
6915d450b82bca48efcf6cc9995fd0f9106b1587647913007bceebd41af1316b

SHA512
31eac47b3e8c8472eb4018d7c1afa99e1cb8b38050a9eca79608dbbbc07bfbc7b92fc35e6278e665e7438b358c953ac7c9f66a00e746adf5e09f1e8ba747778d

Download Submit
memory/896-17-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/896-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1092-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1092-12-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1608-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1608-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1892-52-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1892-47-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2012-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-38-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2028-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2296-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2296-24-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2536-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2536-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3124-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4344-33-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads