33494cfa8b6b74c21f3adf8905b62a1ac8dcb7f79b1f78905702a7312ac9ceae

Analysis

max time kernel
118s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 01:06

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ac6aa3a8790687e23b21ea6f778e020N.exe
Size

89KB
MD5

3ac6aa3a8790687e23b21ea6f778e020
SHA1

4b4c6ceffd2409d2411e7bc84d8875df12f33eb6
SHA256

33494cfa8b6b74c21f3adf8905b62a1ac8dcb7f79b1f78905702a7312ac9ceae
SHA512

bf2f82b536b86518908d66c24264f7c564c2347c67f12a26176501993a30481e651d57ee722af9bde175087110534f5198ca8c0d41e8de1d5197bb71a3dd26de
SSDEEP

768:5vw9816thKQLron4/wQkNrfrunMxVFA3k:lEG/0onlbunMxVS3k

Score

8^/10

persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA06FF2C-AE6A-4039-8C63-B7B23889687D}	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB75C09B-8684-40a2-9C76-D2F70568C488}\stubpath = "C:\\Windows\\{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe"	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70D3D8A8-3B15-4ff0-9824-77463EB9C853}	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37DBD67C-3884-4915-879C-7F47CC101619}	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98D53C65-8198-4171-91B3-10FE450DEE9C}\stubpath = "C:\\Windows\\{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe"	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BA06FF2C-AE6A-4039-8C63-B7B23889687D}\stubpath = "C:\\Windows\\{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe"	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}\stubpath = "C:\\Windows\\{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe"	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C926FE64-497C-4e5e-B225-EBA3B2788FF5}	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C926FE64-497C-4e5e-B225-EBA3B2788FF5}\stubpath = "C:\\Windows\\{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe"	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{98D53C65-8198-4171-91B3-10FE450DEE9C}	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB75C09B-8684-40a2-9C76-D2F70568C488}	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}	3ac6aa3a8790687e23b21ea6f778e020N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}\stubpath = "C:\\Windows\\{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe"	3ac6aa3a8790687e23b21ea6f778e020N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{70D3D8A8-3B15-4ff0-9824-77463EB9C853}\stubpath = "C:\\Windows\\{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe"	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}\stubpath = "C:\\Windows\\{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe"	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{37DBD67C-3884-4915-879C-7F47CC101619}\stubpath = "C:\\Windows\\{37DBD67C-3884-4915-879C-7F47CC101619}.exe"	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe

Executes dropped EXE 9 IoCs

pid	Process
4632	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe
4976	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe
2076	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe
2448	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe
624	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe
2680	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe
2960	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe
4504	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe
456	{37DBD67C-3884-4915-879C-7F47CC101619}.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe
File created	C:\Windows\{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe
File created	C:\Windows\{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe
File created	C:\Windows\{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe
File created	C:\Windows\{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe
File created	C:\Windows\{37DBD67C-3884-4915-879C-7F47CC101619}.exe	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe
File created	C:\Windows\{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe	3ac6aa3a8790687e23b21ea6f778e020N.exe
File created	C:\Windows\{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe
File created	C:\Windows\{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2756	3ac6aa3a8790687e23b21ea6f778e020N.exe
Token: SeIncBasePriorityPrivilege	4632	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe
Token: SeIncBasePriorityPrivilege	4976	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe
Token: SeIncBasePriorityPrivilege	2076	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe
Token: SeIncBasePriorityPrivilege	2448	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe
Token: SeIncBasePriorityPrivilege	624	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe
Token: SeIncBasePriorityPrivilege	2680	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe
Token: SeIncBasePriorityPrivilege	2960	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe
Token: SeIncBasePriorityPrivilege	4504	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe

Suspicious use of WriteProcessMemory 54 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 4632	2756	3ac6aa3a8790687e23b21ea6f778e020N.exe	96
PID 2756 wrote to memory of 4632	2756	3ac6aa3a8790687e23b21ea6f778e020N.exe	96
PID 2756 wrote to memory of 4632	2756	3ac6aa3a8790687e23b21ea6f778e020N.exe	96
PID 2756 wrote to memory of 2980	2756	3ac6aa3a8790687e23b21ea6f778e020N.exe	97
PID 2756 wrote to memory of 2980	2756	3ac6aa3a8790687e23b21ea6f778e020N.exe	97
PID 2756 wrote to memory of 2980	2756	3ac6aa3a8790687e23b21ea6f778e020N.exe	97
PID 4632 wrote to memory of 4976	4632	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe	98
PID 4632 wrote to memory of 4976	4632	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe	98
PID 4632 wrote to memory of 4976	4632	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe	98
PID 4632 wrote to memory of 2072	4632	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe	99
PID 4632 wrote to memory of 2072	4632	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe	99
PID 4632 wrote to memory of 2072	4632	{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe	99
PID 4976 wrote to memory of 2076	4976	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe	103
PID 4976 wrote to memory of 2076	4976	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe	103
PID 4976 wrote to memory of 2076	4976	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe	103
PID 4976 wrote to memory of 2180	4976	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe	104
PID 4976 wrote to memory of 2180	4976	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe	104
PID 4976 wrote to memory of 2180	4976	{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe	104
PID 2076 wrote to memory of 2448	2076	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe	105
PID 2076 wrote to memory of 2448	2076	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe	105
PID 2076 wrote to memory of 2448	2076	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe	105
PID 2076 wrote to memory of 4368	2076	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe	106
PID 2076 wrote to memory of 4368	2076	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe	106
PID 2076 wrote to memory of 4368	2076	{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe	106
PID 2448 wrote to memory of 624	2448	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe	107
PID 2448 wrote to memory of 624	2448	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe	107
PID 2448 wrote to memory of 624	2448	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe	107
PID 2448 wrote to memory of 4072	2448	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe	108
PID 2448 wrote to memory of 4072	2448	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe	108
PID 2448 wrote to memory of 4072	2448	{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe	108
PID 624 wrote to memory of 2680	624	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe	110
PID 624 wrote to memory of 2680	624	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe	110
PID 624 wrote to memory of 2680	624	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe	110
PID 624 wrote to memory of 4660	624	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe	111
PID 624 wrote to memory of 4660	624	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe	111
PID 624 wrote to memory of 4660	624	{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe	111
PID 2680 wrote to memory of 2960	2680	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe	112
PID 2680 wrote to memory of 2960	2680	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe	112
PID 2680 wrote to memory of 2960	2680	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe	112
PID 2680 wrote to memory of 1096	2680	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe	113
PID 2680 wrote to memory of 1096	2680	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe	113
PID 2680 wrote to memory of 1096	2680	{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe	113
PID 2960 wrote to memory of 4504	2960	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe	118
PID 2960 wrote to memory of 4504	2960	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe	118
PID 2960 wrote to memory of 4504	2960	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe	118
PID 2960 wrote to memory of 3868	2960	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe	119
PID 2960 wrote to memory of 3868	2960	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe	119
PID 2960 wrote to memory of 3868	2960	{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe	119
PID 4504 wrote to memory of 456	4504	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe	124
PID 4504 wrote to memory of 456	4504	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe	124
PID 4504 wrote to memory of 456	4504	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe	124
PID 4504 wrote to memory of 2808	4504	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe	125
PID 4504 wrote to memory of 2808	4504	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe	125
PID 4504 wrote to memory of 2808	4504	{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe	125

C:\Users\Admin\AppData\Local\Temp\3ac6aa3a8790687e23b21ea6f778e020N.exe
"C:\Users\Admin\AppData\Local\Temp\3ac6aa3a8790687e23b21ea6f778e020N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe
  C:\Windows\{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe
    C:\Windows\{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe
      C:\Windows\{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2076
    - - C:\Windows\{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe
        
        C:\Windows\{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
      - C:\Windows\{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe
        
        C:\Windows\{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe
        
        C:\Windows\{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe
        
        C:\Windows\{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe
        
        C:\Windows\{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4504
        
        C:\Windows\{37DBD67C-3884-4915-879C-7F47CC101619}.exe
        
        C:\Windows\{37DBD67C-3884-4915-879C-7F47CC101619}.exe
        10⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BB75C~1.EXE > nul
        10⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{98D53~1.EXE > nul
        9⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{7A2CA~1.EXE > nul
        8⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C926F~1.EXE > nul
        7⤵
        
        PID:4660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{70D3D~1.EXE > nul
        6⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{DB6B4~1.EXE > nul
        5⤵
        
        PID:4368
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{BA06F~1.EXE > nul
      4⤵
      PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{61A4D~1.EXE > nul
    3⤵
    PID:2072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\3AC6AA~1.EXE > nul
  2⤵
  PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{37DBD67C-3884-4915-879C-7F47CC101619}.exe

Filesize
89KB

MD5
31af41ab1a6ca04a19ca4812eaf4c59d

SHA1
f3ed0197785f82712f023ec0c101941496c73947

SHA256
ff86e5a5c10db761bd69a9bf8ff01b16c63e203531398e9684b3690cf2b1f9fc

SHA512
69a112d44478349fd396de62fdf5174b8c61e4a9de8f69bd52e0632716a719c08ec004c3b2e3c979a1e45d753265cce3ed0dcf8ff2f74a52fc72f8c8815a8a14

Download Submit
C:\Windows\{61A4DF4F-6FF6-4a10-88A5-F5CDF5E308DB}.exe

Filesize
89KB

MD5
deb4f6d9e1718dd18ce082a8d2d259a8

SHA1
0ad1f4aa6611ce13cf600c425dfebf92d11254aa

SHA256
d32c1a51f2d94176bbf6853f66f6ca3a914addf043a013723e602fbb68294c89

SHA512
2ee155ff396311a61fcfee0e8dbf5fa6601d3ef382e5825b3388c6bd34db01e4529cd603cf8081055e109fd2665b21887c7b8802b286a103902223d12e62a8e2

Download Submit
C:\Windows\{70D3D8A8-3B15-4ff0-9824-77463EB9C853}.exe

Filesize
89KB

MD5
873558e91fe8029ac52fdcedaca6a4ed

SHA1
0fa3c794a31853849aa8c854f4ce73190c9dbf89

SHA256
d8108c54d882087a4b1b6f8b684663f2edc668d1548719573eb01599d07ca689

SHA512
5bdadf5aa8bca1ccebc353efa19b3900056ec9187b375102b72cd52e32869e6007006551732b097e8ca7f804f578c74a480e74db5964fce7f7bdfb4154267585

Download Submit
C:\Windows\{7A2CA0CB-42B1-4b46-A003-85027F2F6EF8}.exe

Filesize
89KB

MD5
d65fb8e3589b91873ae827d60cc0fc1f

SHA1
7e5a8c4377c6eec74486e3d597291273dd77687e

SHA256
a890f8a1dceaee629305c59049379531832b2bcae7f53f180e796258cf6f09d5

SHA512
2fc03a9aed34582e8426f8374da7342d394002270181f700d1690a2a1116bbd6d58b8252ec2095925c325e27fa30d33fdb5bc876eb65cbc212d837d09967ef4e

Download Submit
C:\Windows\{98D53C65-8198-4171-91B3-10FE450DEE9C}.exe

Filesize
89KB

MD5
820065d38e961b57dae64cdcb8539423

SHA1
92fd1697999c9439cb3feda8b1631c7aae49cf05

SHA256
5cbd23c613c218fb6800d71bb8480a4478dddf645c3a50ca9af2f41019197ba4

SHA512
e490fa3197c704e4ed6f95e0bb6670c79ae4ae2d3b346335afe88ea178b045cdfb72508a26e62a0f642fd8e16432dfacdc730783bba22efbe525144e20cef2af

Download Submit
C:\Windows\{BA06FF2C-AE6A-4039-8C63-B7B23889687D}.exe

Filesize
89KB

MD5
9d39ca5abdb97438e9646347defa0b6d

SHA1
8a8414df8033f57cdf8dff9f280d065c82c5f7e7

SHA256
0c253d439596051b28762f59681c18176ee28c7d3f84e4d6b16604791fa9bc25

SHA512
289bc14411607788345a9e8623cfcfd09e9c03cab5b169815cca88c33d751566cae7b364601338d70eaf66c4e63165b31c318cd8dc81a887dd3dc336de422fe1

Download Submit
C:\Windows\{BB75C09B-8684-40a2-9C76-D2F70568C488}.exe

Filesize
89KB

MD5
47c21def6263621fbe8e42512d01fbf5

SHA1
9d2480aba66a0eb3ccd3acd77d6d0430456d9598

SHA256
66b103da51b3faa5d566d5cbe7294b01789ad8c2efd37eba58d9ac7c67aa4200

SHA512
9cdb1dadb0cfe512682c0ef3628b8d7a4e25b9ee7539db7253efeee7be57ef4d8f39831b147a33eb2ec9fca97e66800a5395e2a29b1ba3355f71ab4ac87c2b6c

Download Submit
C:\Windows\{C926FE64-497C-4e5e-B225-EBA3B2788FF5}.exe

Filesize
89KB

MD5
fcc496918e00117303a02ce88d2bdcf4

SHA1
8645c2cc232caeba491717a0b51547095e7d01e4

SHA256
6382399acb904b321813122594dad6a4aa49d5876d25c8f3abfe87e7ff88587f

SHA512
79e7de02ff6fd8baf4f79c523b9ee208be98ac4b12d859ac9fc92d2f25e3c454f4ab7c8e5f3c23c400db48fbba7ab94db63855de1ff9951aeb2035db5a61d3d5

Download Submit
C:\Windows\{DB6B4B5B-A9DA-49e9-B471-A53743EC1359}.exe

Filesize
89KB

MD5
501fc75bdc3ddb517e13176ce98d465e

SHA1
666f1abf3837dbb64ce59a87c39b028798ed01c8

SHA256
dc9b373e1c8a43a04b2fd66ceced58fbc5c835a820f6f31f275c5aa0a97fbb47

SHA512
8a629e7c69720479c409e7e6055de133d392759c6466d86f20f316fe24e388ce90d046de44d5080363f903f77c6c827b549d13c5884afe2c8c78455166f0086d

Download Submit
memory/624-34-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/624-29-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2076-18-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2076-22-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2448-23-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2448-28-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2680-36-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2680-40-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2756-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2756-6-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-42-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2960-46-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4504-48-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4504-53-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4632-10-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4632-4-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4976-16-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4976-11-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads