c2cc73470231e05140dec880b0785c18c7c337bc95ec6b9e11deea1a0b4c326a

Analysis

max time kernel
118s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a9333c1d54807390ac10e84ab651f60N.exe
Size

64KB
MD5

9a9333c1d54807390ac10e84ab651f60
SHA1

31a71dc44013ab1c4a3cd71af4403bcf21d5a403
SHA256

c2cc73470231e05140dec880b0785c18c7c337bc95ec6b9e11deea1a0b4c326a
SHA512

5a977341a58babb945ae44c5c3b7ad6ff9078ee0f47ba3cbb80d3c396aad33c90469afba6cca3aabc78415cfac56a6964d48ab70e498e550212d67a54c255f3a
SSDEEP

768:Ovw9813vhKQLroCU4/wQxWMZQcpFM1FgDagXP2TyS1tl7lfqvocqcdT3WVdl:6EGY0oCUlwWMZQcpmgDagIyS1loL7Wrl

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}\stubpath = "C:\\Windows\\{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe"	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47A2F913-9013-4b9b-ABC6-E3714A515749}\stubpath = "C:\\Windows\\{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe"	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6977AA18-664F-43b2-B81C-38DF54753216}	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}	{6977AA18-664F-43b2-B81C-38DF54753216}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C19D9E7C-0FDC-4d47-8313-82D5E9D6AFC6}	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C19D9E7C-0FDC-4d47-8313-82D5E9D6AFC6}\stubpath = "C:\\Windows\\{C19D9E7C-0FDC-4d47-8313-82D5E9D6AFC6}.exe"	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D049361-0C0F-49bd-860F-E425B8639B5A}	{303BD105-4400-4303-808F-F51C1C990FF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7D049361-0C0F-49bd-860F-E425B8639B5A}\stubpath = "C:\\Windows\\{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe"	{303BD105-4400-4303-808F-F51C1C990FF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}\stubpath = "C:\\Windows\\{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe"	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6977AA18-664F-43b2-B81C-38DF54753216}\stubpath = "C:\\Windows\\{6977AA18-664F-43b2-B81C-38DF54753216}.exe"	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}\stubpath = "C:\\Windows\\{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe"	{6977AA18-664F-43b2-B81C-38DF54753216}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{303BD105-4400-4303-808F-F51C1C990FF8}	9a9333c1d54807390ac10e84ab651f60N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{303BD105-4400-4303-808F-F51C1C990FF8}\stubpath = "C:\\Windows\\{303BD105-4400-4303-808F-F51C1C990FF8}.exe"	9a9333c1d54807390ac10e84ab651f60N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{47A2F913-9013-4b9b-ABC6-E3714A515749}	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}\stubpath = "C:\\Windows\\{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe"	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe

Executes dropped EXE 9 IoCs

pid	Process
3036	{303BD105-4400-4303-808F-F51C1C990FF8}.exe
4820	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe
2992	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe
4284	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe
4216	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe
920	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe
4688	{6977AA18-664F-43b2-B81C-38DF54753216}.exe
4960	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe
4264	{C19D9E7C-0FDC-4d47-8313-82D5E9D6AFC6}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{303BD105-4400-4303-808F-F51C1C990FF8}.exe	9a9333c1d54807390ac10e84ab651f60N.exe
File created	C:\Windows\{C19D9E7C-0FDC-4d47-8313-82D5E9D6AFC6}.exe	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe
File created	C:\Windows\{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe
File created	C:\Windows\{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe
File created	C:\Windows\{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe
File created	C:\Windows\{6977AA18-664F-43b2-B81C-38DF54753216}.exe	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe
File created	C:\Windows\{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe	{6977AA18-664F-43b2-B81C-38DF54753216}.exe
File created	C:\Windows\{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe	{303BD105-4400-4303-808F-F51C1C990FF8}.exe
File created	C:\Windows\{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2964	9a9333c1d54807390ac10e84ab651f60N.exe
Token: SeIncBasePriorityPrivilege	3036	{303BD105-4400-4303-808F-F51C1C990FF8}.exe
Token: SeIncBasePriorityPrivilege	4820	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe
Token: SeIncBasePriorityPrivilege	2992	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe
Token: SeIncBasePriorityPrivilege	4284	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe
Token: SeIncBasePriorityPrivilege	4216	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe
Token: SeIncBasePriorityPrivilege	920	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe
Token: SeIncBasePriorityPrivilege	4688	{6977AA18-664F-43b2-B81C-38DF54753216}.exe
Token: SeIncBasePriorityPrivilege	4960	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 3036	2964	9a9333c1d54807390ac10e84ab651f60N.exe	94
PID 2964 wrote to memory of 3036	2964	9a9333c1d54807390ac10e84ab651f60N.exe	94
PID 2964 wrote to memory of 3036	2964	9a9333c1d54807390ac10e84ab651f60N.exe	94
PID 2964 wrote to memory of 4688	2964	9a9333c1d54807390ac10e84ab651f60N.exe	95
PID 2964 wrote to memory of 4688	2964	9a9333c1d54807390ac10e84ab651f60N.exe	95
PID 2964 wrote to memory of 4688	2964	9a9333c1d54807390ac10e84ab651f60N.exe	95
PID 3036 wrote to memory of 4820	3036	{303BD105-4400-4303-808F-F51C1C990FF8}.exe	96
PID 3036 wrote to memory of 4820	3036	{303BD105-4400-4303-808F-F51C1C990FF8}.exe	96
PID 3036 wrote to memory of 4820	3036	{303BD105-4400-4303-808F-F51C1C990FF8}.exe	96
PID 3036 wrote to memory of 3928	3036	{303BD105-4400-4303-808F-F51C1C990FF8}.exe	97
PID 3036 wrote to memory of 3928	3036	{303BD105-4400-4303-808F-F51C1C990FF8}.exe	97
PID 3036 wrote to memory of 3928	3036	{303BD105-4400-4303-808F-F51C1C990FF8}.exe	97
PID 4820 wrote to memory of 2992	4820	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe	102
PID 4820 wrote to memory of 2992	4820	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe	102
PID 4820 wrote to memory of 2992	4820	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe	102
PID 4820 wrote to memory of 4032	4820	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe	103
PID 4820 wrote to memory of 4032	4820	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe	103
PID 4820 wrote to memory of 4032	4820	{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe	103
PID 2992 wrote to memory of 4284	2992	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe	104
PID 2992 wrote to memory of 4284	2992	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe	104
PID 2992 wrote to memory of 4284	2992	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe	104
PID 2992 wrote to memory of 5036	2992	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe	105
PID 2992 wrote to memory of 5036	2992	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe	105
PID 2992 wrote to memory of 5036	2992	{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe	105
PID 4284 wrote to memory of 4216	4284	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe	107
PID 4284 wrote to memory of 4216	4284	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe	107
PID 4284 wrote to memory of 4216	4284	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe	107
PID 4284 wrote to memory of 2656	4284	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe	108
PID 4284 wrote to memory of 2656	4284	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe	108
PID 4284 wrote to memory of 2656	4284	{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe	108
PID 4216 wrote to memory of 920	4216	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe	109
PID 4216 wrote to memory of 920	4216	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe	109
PID 4216 wrote to memory of 920	4216	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe	109
PID 4216 wrote to memory of 2124	4216	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe	110
PID 4216 wrote to memory of 2124	4216	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe	110
PID 4216 wrote to memory of 2124	4216	{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe	110
PID 920 wrote to memory of 4688	920	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe	111
PID 920 wrote to memory of 4688	920	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe	111
PID 920 wrote to memory of 4688	920	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe	111
PID 920 wrote to memory of 3080	920	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe	112
PID 920 wrote to memory of 3080	920	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe	112
PID 920 wrote to memory of 3080	920	{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe	112
PID 4688 wrote to memory of 4960	4688	{6977AA18-664F-43b2-B81C-38DF54753216}.exe	120
PID 4688 wrote to memory of 4960	4688	{6977AA18-664F-43b2-B81C-38DF54753216}.exe	120
PID 4688 wrote to memory of 4960	4688	{6977AA18-664F-43b2-B81C-38DF54753216}.exe	120
PID 4688 wrote to memory of 632	4688	{6977AA18-664F-43b2-B81C-38DF54753216}.exe	121
PID 4688 wrote to memory of 632	4688	{6977AA18-664F-43b2-B81C-38DF54753216}.exe	121
PID 4688 wrote to memory of 632	4688	{6977AA18-664F-43b2-B81C-38DF54753216}.exe	121
PID 4960 wrote to memory of 4264	4960	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe	122
PID 4960 wrote to memory of 4264	4960	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe	122
PID 4960 wrote to memory of 4264	4960	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe	122
PID 4960 wrote to memory of 4300	4960	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe	123
PID 4960 wrote to memory of 4300	4960	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe	123
PID 4960 wrote to memory of 4300	4960	{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe	123

C:\Users\Admin\AppData\Local\Temp\9a9333c1d54807390ac10e84ab651f60N.exe
"C:\Users\Admin\AppData\Local\Temp\9a9333c1d54807390ac10e84ab651f60N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\{303BD105-4400-4303-808F-F51C1C990FF8}.exe
  C:\Windows\{303BD105-4400-4303-808F-F51C1C990FF8}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe
    C:\Windows\{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe
      C:\Windows\{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2992
    - - C:\Windows\{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe
        
        C:\Windows\{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4284
      - C:\Windows\{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe
        
        C:\Windows\{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe
        
        C:\Windows\{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\{6977AA18-664F-43b2-B81C-38DF54753216}.exe
        
        C:\Windows\{6977AA18-664F-43b2-B81C-38DF54753216}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe
        
        C:\Windows\{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4960
        
        C:\Windows\{C19D9E7C-0FDC-4d47-8313-82D5E9D6AFC6}.exe
        
        C:\Windows\{C19D9E7C-0FDC-4d47-8313-82D5E9D6AFC6}.exe
        10⤵
        Executes dropped EXE
        
        PID:4264
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{8DAE0~1.EXE > nul
        10⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{6977A~1.EXE > nul
        9⤵
        
        PID:632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DCD4B~1.EXE > nul
        8⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7BB7B~1.EXE > nul
        7⤵
        
        PID:2124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{47A2F~1.EXE > nul
        6⤵
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C4D63~1.EXE > nul
        5⤵
        
        PID:5036
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{7D049~1.EXE > nul
      4⤵
      PID:4032
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{303BD~1.EXE > nul
    3⤵
    PID:3928
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\9A9333~1.EXE > nul
  2⤵
  PID:4688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{303BD105-4400-4303-808F-F51C1C990FF8}.exe

Filesize
64KB

MD5
4ce50b7d35f87707b9cdc64314a83a10

SHA1
21238a0529b31baf354719b3920bc0d27d811c4f

SHA256
a9ac5e61324bd4d32357ea991868e9c273623ad8b08c8996f354aa60e72b4ec9

SHA512
4ad299821462cee68dcfdba6d31e0a44925e544a11bd69ed51a045699f2a4f13edf9e51e4d68e7cec79639f268e575a89370ee8a605ef4d5599e6e223bd37a00

Download Submit
C:\Windows\{47A2F913-9013-4b9b-ABC6-E3714A515749}.exe

Filesize
64KB

MD5
cb2c7cc2978da9a3639d7a1eac6db1d7

SHA1
b0bbe658f4b151468a677a5c75c1b4df5308fb87

SHA256
0cc88b54562359725b55f790a505a31ff6961b1e02f13dc4f8dc7740432c32af

SHA512
9cbd2890bc714fe50c2c061e50d00838bbe97ab2219060df0f2f18b655a0636ba7cb53003a3d201146c3ac31cec47b41a73a5b4bc3f7621957a19adbce39d6ac

Download Submit
C:\Windows\{6977AA18-664F-43b2-B81C-38DF54753216}.exe

Filesize
64KB

MD5
827f7410111c5851bc591e9d41775ff1

SHA1
a7afcfe0c22d2d06d0d7a811aaf53dae512bf82f

SHA256
d8b4bba3fdd287a88fe8296e89f9ad97d47f020699984ae556827325891398ec

SHA512
4a3bbf2c1a991814a5f51a0f260c2daf077f14add36969665ecbe985f90002aaf5f98481e92c094c5f9d1fdf072615934c639933cd11d4aad90d848cff7fef21

Download Submit
C:\Windows\{7BB7B35B-94F1-423f-8435-B94E6E9EEE1C}.exe

Filesize
64KB

MD5
d6f24e201ab97e55b54074edf6077a39

SHA1
7b8dd004b8c7bc4f07a5716bb5946e42696fa807

SHA256
39ef80588cad97ee45f4ceeacd0806c7c55d975f3c67e3202d3da3df53ea8c76

SHA512
a9d1bca94e314ecbd037a698070247f539c5ad825b1248d3eb13ed96483067dc9832f754b1dd91ca20da4a2287a166863c8293ec19d08f4308359defe0851457

Download Submit
C:\Windows\{7D049361-0C0F-49bd-860F-E425B8639B5A}.exe

Filesize
64KB

MD5
38ca0316cff8f3d282739ff4a8d05e2b

SHA1
18b52f0c40ace0ed9445cfd0c781b50a7a864c62

SHA256
45ee516da907c5a6bc2473e5b4e66b9df2645eeda6582692ca6705527ef47ab7

SHA512
9124ee6fa3338343ba02f5c9a51770ab9ee68a849854b875a0a853b156b278ab07ba88c2102b1df519ba652175ad585c0d00c85e10662657e8a415ca7e529b57

Download Submit
C:\Windows\{8DAE0C73-5B6E-45ca-BF69-F8492325DCD1}.exe

Filesize
64KB

MD5
62c1254048981aeb41ff9bbdce39341d

SHA1
1d105d0bf33bb22103dc76907c71e22c79b5764e

SHA256
8dd776e894a72ed6d9e780b98095514b46c42b627047ea1d842849c779d9a5fa

SHA512
d328c9d55e8a9b86cd22bcecf90ef791c1c24765a6fb1c84b199fc248cc276eccc035611c09daf50ba848cfca67508b2394faa918cffa0c25f9537f3f90f5d25

Download Submit
C:\Windows\{C19D9E7C-0FDC-4d47-8313-82D5E9D6AFC6}.exe

Filesize
64KB

MD5
1b024b375c2bba8f1c274409aec3bb70

SHA1
aebf830fc83bea7d49410f0883177d9ff51642f8

SHA256
1a3ca52169ae97ef0956204045a87a12f7ba1e07eee9ecfa8fa8abc74960642e

SHA512
99a9a686ab6c401879a36220ab37bbe892673d3605d9175410859c819af3813341d7b0279f7f2f7761506d50b52d94841bec4c46dc659c8566fb272feaa3ef3b

Download Submit
C:\Windows\{C4D63CCE-EF9F-4ced-8080-665C54F5A78F}.exe

Filesize
64KB

MD5
2304546911d7e0abe4b0fe953997278a

SHA1
b42336740052babeaa581d848417f9e872616c4b

SHA256
16d91901e8ec113ba1504d56a12f6fafbfef0f6fa7350c18aa8f1025ff95d2d4

SHA512
99eaf4704738e6b00823d1169fed368ad9cebc3d13676b11d4bf45d4b3149856503211bc73b4ae4cc41ece89ca85c35aae91c7e7a7fc7f2b1f99b0e0c5e0c0ea

Download Submit
C:\Windows\{DCD4B08E-A2EB-4c87-AC35-BBC9AC39987D}.exe

Filesize
64KB

MD5
918fa892b6840afb6cfcd3af05389824

SHA1
bcc04720305bcc7ac0bfe68d12deb29313e44fc3

SHA256
07fd2a6cc8c784cb4730655df076b71378db5aad4b7cbfd4315e1224e760514c

SHA512
015bdeccdeb9adcc675188b55c1340b7c81c4471fcad7bfac8b8ee706d2098b2d66255d266ee91dff2af12bfafb37905fe1f3af4fb570a0b080ab0456504527a

Download Submit
memory/920-40-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/920-36-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2964-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2964-6-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2992-22-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2992-18-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3036-10-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3036-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4216-34-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4216-30-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4264-53-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4284-27-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4284-23-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4688-45-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4820-17-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4820-12-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4960-47-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4960-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads