8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 00:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe
Size

83KB
MD5

afca40013a773e297cf4968dc79d7f0e
SHA1

a2ae32f6394831b3f14c3eea8c85a5f0ced25f73
SHA256

8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e
SHA512

339cc0c4d846a44f1c6e1e81efc9677abeb85bdf8f0cc3469e93afa2346af2cd745f19ad1a79e61bee37e2b866006ed3fc35faf14bcd66698145c05483d7228f
SSDEEP

1536:q4Gh0o4c0p3nouy8QbunMxVS3HgdoKjhLJh731xvsr:q4Gh0o4c05outQCMUyNjhLJh731xvsr

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 24 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E17CA5F-25FB-4220-A08D-29BE73D496F9}	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D726C50F-9041-44dc-953C-18AF589FAF1D}\stubpath = "C:\\Windows\\{D726C50F-9041-44dc-953C-18AF589FAF1D}.exe"	{4A994142-8C6F-456e-AFE3-520864489AB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C7B304-F2F9-4633-B654-2F6114F86D08}	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CE34200-80FE-4ac7-86D5-258ECA8858E4}\stubpath = "C:\\Windows\\{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe"	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}\stubpath = "C:\\Windows\\{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe"	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{D726C50F-9041-44dc-953C-18AF589FAF1D}	{4A994142-8C6F-456e-AFE3-520864489AB8}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E98AB76E-68B1-403c-922D-16991718A1AB}	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2CE34200-80FE-4ac7-86D5-258ECA8858E4}	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}\stubpath = "C:\\Windows\\{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe"	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}\stubpath = "C:\\Windows\\{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe"	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A994142-8C6F-456e-AFE3-520864489AB8}	{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{4A994142-8C6F-456e-AFE3-520864489AB8}\stubpath = "C:\\Windows\\{4A994142-8C6F-456e-AFE3-520864489AB8}.exe"	{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E98AB76E-68B1-403c-922D-16991718A1AB}\stubpath = "C:\\Windows\\{E98AB76E-68B1-403c-922D-16991718A1AB}.exe"	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{18C7B304-F2F9-4633-B654-2F6114F86D08}\stubpath = "C:\\Windows\\{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe"	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2E17CA5F-25FB-4220-A08D-29BE73D496F9}\stubpath = "C:\\Windows\\{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe"	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}\stubpath = "C:\\Windows\\{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe"	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}\stubpath = "C:\\Windows\\{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe"	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}\stubpath = "C:\\Windows\\{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe"	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe

Executes dropped EXE 12 IoCs

pid	Process
2188	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe
4912	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe
4576	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe
4012	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe
4344	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe
4384	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe
4592	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe
3468	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe
4360	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe
4204	{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe
3628	{4A994142-8C6F-456e-AFE3-520864489AB8}.exe
116	{D726C50F-9041-44dc-953C-18AF589FAF1D}.exe

UPX packed file 49 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4280-0-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4280-1-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2188-5-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4280-7-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0009000000023acf-6.dat	upx
behavioral2/memory/2188-8-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000e000000023b26-11.dat	upx
behavioral2/memory/4912-14-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/2188-12-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4912-15-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000d000000023ac8-16.dat	upx
behavioral2/memory/4576-21-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4912-20-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4576-22-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000f000000023b26-25.dat	upx
behavioral2/memory/4576-27-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4012-28-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4012-29-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000e000000023ac8-32.dat	upx
behavioral2/memory/4344-35-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4012-33-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4344-36-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0010000000023b26-39.dat	upx
behavioral2/memory/4344-41-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4384-42-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4384-43-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x000f000000023ac8-47.dat	upx
behavioral2/memory/4384-46-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4592-48-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4592-50-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0011000000023b26-53.dat	upx
behavioral2/memory/4592-54-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3468-55-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3468-57-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0010000000023ac8-62.dat	upx
behavioral2/memory/4360-63-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3468-61-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4360-64-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4204-69-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0012000000023b26-70.dat	upx
behavioral2/memory/4360-67-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4204-71-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0011000000023ac8-77.dat	upx
behavioral2/memory/3628-76-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/4204-74-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3628-78-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/files/0x0013000000023b26-81.dat	upx
behavioral2/memory/116-84-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral2/memory/3628-82-0x0000000000400000-0x0000000000413000-memory.dmp	upx

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe
File created	C:\Windows\{D726C50F-9041-44dc-953C-18AF589FAF1D}.exe	{4A994142-8C6F-456e-AFE3-520864489AB8}.exe
File created	C:\Windows\{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe
File created	C:\Windows\{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe
File created	C:\Windows\{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe
File created	C:\Windows\{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe
File created	C:\Windows\{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe
File created	C:\Windows\{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe
File created	C:\Windows\{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe
File created	C:\Windows\{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe
File created	C:\Windows\{E98AB76E-68B1-403c-922D-16991718A1AB}.exe	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe
File created	C:\Windows\{4A994142-8C6F-456e-AFE3-520864489AB8}.exe	{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{4A994142-8C6F-456e-AFE3-520864489AB8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{D726C50F-9041-44dc-953C-18AF589FAF1D}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	4280	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe
Token: SeIncBasePriorityPrivilege	2188	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe
Token: SeIncBasePriorityPrivilege	4912	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe
Token: SeIncBasePriorityPrivilege	4576	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe
Token: SeIncBasePriorityPrivilege	4012	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe
Token: SeIncBasePriorityPrivilege	4344	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe
Token: SeIncBasePriorityPrivilege	4384	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe
Token: SeIncBasePriorityPrivilege	4592	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe
Token: SeIncBasePriorityPrivilege	3468	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe
Token: SeIncBasePriorityPrivilege	4360	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe
Token: SeIncBasePriorityPrivilege	4204	{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe
Token: SeIncBasePriorityPrivilege	3628	{4A994142-8C6F-456e-AFE3-520864489AB8}.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 2188	4280	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe	86
PID 4280 wrote to memory of 2188	4280	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe	86
PID 4280 wrote to memory of 2188	4280	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe	86
PID 4280 wrote to memory of 3640	4280	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe	87
PID 4280 wrote to memory of 3640	4280	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe	87
PID 4280 wrote to memory of 3640	4280	8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe	87
PID 2188 wrote to memory of 4912	2188	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe	88
PID 2188 wrote to memory of 4912	2188	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe	88
PID 2188 wrote to memory of 4912	2188	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe	88
PID 2188 wrote to memory of 4792	2188	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe	89
PID 2188 wrote to memory of 4792	2188	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe	89
PID 2188 wrote to memory of 4792	2188	{E98AB76E-68B1-403c-922D-16991718A1AB}.exe	89
PID 4912 wrote to memory of 4576	4912	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe	93
PID 4912 wrote to memory of 4576	4912	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe	93
PID 4912 wrote to memory of 4576	4912	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe	93
PID 4912 wrote to memory of 4404	4912	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe	94
PID 4912 wrote to memory of 4404	4912	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe	94
PID 4912 wrote to memory of 4404	4912	{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe	94
PID 4576 wrote to memory of 4012	4576	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe	95
PID 4576 wrote to memory of 4012	4576	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe	95
PID 4576 wrote to memory of 4012	4576	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe	95
PID 4576 wrote to memory of 1924	4576	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe	96
PID 4576 wrote to memory of 1924	4576	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe	96
PID 4576 wrote to memory of 1924	4576	{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe	96
PID 4012 wrote to memory of 4344	4012	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe	97
PID 4012 wrote to memory of 4344	4012	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe	97
PID 4012 wrote to memory of 4344	4012	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe	97
PID 4012 wrote to memory of 2884	4012	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe	98
PID 4012 wrote to memory of 2884	4012	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe	98
PID 4012 wrote to memory of 2884	4012	{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe	98
PID 4344 wrote to memory of 4384	4344	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe	99
PID 4344 wrote to memory of 4384	4344	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe	99
PID 4344 wrote to memory of 4384	4344	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe	99
PID 4344 wrote to memory of 1632	4344	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe	100
PID 4344 wrote to memory of 1632	4344	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe	100
PID 4344 wrote to memory of 1632	4344	{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe	100
PID 4384 wrote to memory of 4592	4384	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe	101
PID 4384 wrote to memory of 4592	4384	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe	101
PID 4384 wrote to memory of 4592	4384	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe	101
PID 4384 wrote to memory of 4388	4384	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe	102
PID 4384 wrote to memory of 4388	4384	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe	102
PID 4384 wrote to memory of 4388	4384	{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe	102
PID 4592 wrote to memory of 3468	4592	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe	103
PID 4592 wrote to memory of 3468	4592	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe	103
PID 4592 wrote to memory of 3468	4592	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe	103
PID 4592 wrote to memory of 3660	4592	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe	104
PID 4592 wrote to memory of 3660	4592	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe	104
PID 4592 wrote to memory of 3660	4592	{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe	104
PID 3468 wrote to memory of 4360	3468	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe	105
PID 3468 wrote to memory of 4360	3468	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe	105
PID 3468 wrote to memory of 4360	3468	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe	105
PID 3468 wrote to memory of 1636	3468	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe	106
PID 3468 wrote to memory of 1636	3468	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe	106
PID 3468 wrote to memory of 1636	3468	{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe	106
PID 4360 wrote to memory of 4204	4360	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe	107
PID 4360 wrote to memory of 4204	4360	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe	107
PID 4360 wrote to memory of 4204	4360	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe	107
PID 4360 wrote to memory of 4028	4360	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe	108
PID 4360 wrote to memory of 4028	4360	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe	108
PID 4360 wrote to memory of 4028	4360	{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe	108
PID 4204 wrote to memory of 3628	4204	{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe	109
PID 4204 wrote to memory of 3628	4204	{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe	109
PID 4204 wrote to memory of 3628	4204	{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe	109
PID 4204 wrote to memory of 1052	4204	{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe	110

C:\Users\Admin\AppData\Local\Temp\8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe
"C:\Users\Admin\AppData\Local\Temp\8d1c7cab2db6656b5cb133cdeb0e32ee68aa5ccfb8b223d5f6d27b6610496e2e.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\{E98AB76E-68B1-403c-922D-16991718A1AB}.exe
  C:\Windows\{E98AB76E-68B1-403c-922D-16991718A1AB}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe
    C:\Windows\{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4912
  - - C:\Windows\{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe
      C:\Windows\{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4576
    - - C:\Windows\{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe
        
        C:\Windows\{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4012
      - C:\Windows\{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe
        
        C:\Windows\{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4344
        
        C:\Windows\{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe
        
        C:\Windows\{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4384
        
        C:\Windows\{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe
        
        C:\Windows\{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\Windows\{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe
        
        C:\Windows\{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3468
        
        C:\Windows\{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe
        
        C:\Windows\{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe
        
        C:\Windows\{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4204
        
        C:\Windows\{4A994142-8C6F-456e-AFE3-520864489AB8}.exe
        
        C:\Windows\{4A994142-8C6F-456e-AFE3-520864489AB8}.exe
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
        
        C:\Windows\{D726C50F-9041-44dc-953C-18AF589FAF1D}.exe
        
        C:\Windows\{D726C50F-9041-44dc-953C-18AF589FAF1D}.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:116
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{4A994~1.EXE > nul
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{83454~1.EXE > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{BEDDE~1.EXE > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{C3187~1.EXE > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{0854D~1.EXE > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{72921~1.EXE > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{A8AB4~1.EXE > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1632
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2CE34~1.EXE > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\{2E17C~1.EXE > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1924
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\{18C7B~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4404
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\{E98AB~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\8D1C7C~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{0854D9E9-E33A-4d54-939D-A721EE6A8F7F}.exe

Filesize
83KB

MD5
2c5c9ec1a7882fc72dce42bfc43ddfaf

SHA1
10176c97036a9212b17624ca447ec294bf6a860f

SHA256
6f93bb1e9e53a7004e4557ae336a211af54ac68f2afbd07d98ca9f32012251b8

SHA512
f1b32a1720eaec8ad0fd3fe5e23c3fbf0a77078ca064b6240eb338a6dd05bb588ce58d031665d1ae5405ee286799d5bbf0b7ee3f7497e39232a3b810603f8f4e

Download Submit
C:\Windows\{18C7B304-F2F9-4633-B654-2F6114F86D08}.exe

Filesize
83KB

MD5
93b5e40cd13928d0f96e43bd1516dd4d

SHA1
09591d78d8933fe6d282ac34292d6381bd463db5

SHA256
9ccb5c8408b0d1fd60696a649244c9c456767ebba7016f84d49eb195ab34631a

SHA512
6ca958c5bfcb0cfc912d682fd05cd79c69fc9f91cf8312a78232d3cf97326836d78c800e28124d3e54497ba4b8cdb87eb64bf31d9422a827ac171758218cab40

Download Submit
C:\Windows\{2CE34200-80FE-4ac7-86D5-258ECA8858E4}.exe

Filesize
83KB

MD5
d246d19c71d9a7976d8826b944b6dbaf

SHA1
beadd342a456f17791ed1ebccab3ffd057437113

SHA256
f871223e224613c9a721f10a2a5f33f7f948ea547778e7d2c1d9dc1e27d43f72

SHA512
0227c777896a29f1ad1820fa99696b9f7affd449f20da1ce8d38d76ed350e4af53280db761cc5d1c9feb867ef4a6cdc881fc1abe90ec0e96db0de7eb6dc42359

Download Submit
C:\Windows\{2E17CA5F-25FB-4220-A08D-29BE73D496F9}.exe

Filesize
83KB

MD5
db5ab693f3d7c2c7f15879071dea0f97

SHA1
dcbb0fc26fd68e43892078f1dd23b745abd73469

SHA256
c9b9303af8dcd54262b104ff008104f9cbcbf5c13bcc72503ba78d41b01ca782

SHA512
59d0beab2220037c61d3527d50e86843ad48a8419522c0d37f859f285387b604faea53a4cee5bd0ce14c5f0e7a3209e52b0af453db875fd6ed3b12a0efb42ec4

Download Submit
C:\Windows\{4A994142-8C6F-456e-AFE3-520864489AB8}.exe

Filesize
83KB

MD5
43df849b6e41ec4a3269a08f1f1063d7

SHA1
83796006a4e7bc4ed28946d52e7df3532fe456d1

SHA256
24c2f8883eed93b769c41ca46c82e8d5f4e1d2e6a879f6fcc05f935c17a3fbb6

SHA512
2e80903c9ebefb10db6ab052e340bd48bf4ae92668794adbe58252785e061398e8291c6c771bf6fcbf07b2e8907a47fb8181e14b3a83681b67274d41db7e3f36

Download Submit
C:\Windows\{72921A9A-DF5C-4c8f-B14D-0F9C092D322B}.exe

Filesize
83KB

MD5
d9d514de8858e4a021d9d831eddd0b6f

SHA1
67f38938df894302bca23f7fe938ff5ad75de2a1

SHA256
1458cf82f66d0b5b6f35b6300bfe6224c79c203f75e39ede18abbd5e64f00b88

SHA512
17bb8768eed7884bb913862686214d7dcbee4829a3dc8ddd34e2f82f20f28ce61c378d931144a8cf50d6dc8c866c4c8cee3944f9cc371a40e61dd5308c000111

Download Submit
C:\Windows\{834546A1-BAA5-47b2-A5DA-58A0E184A9BE}.exe

Filesize
83KB

MD5
3bad82d3066826601f4086845b0302ff

SHA1
d76fe90b1d7e06f5be777383a9fbe8eaf206d5c2

SHA256
2bfcd1d0906e471deeadb52882659a83b371dfcd51cfc3f2f986e538c471acb9

SHA512
f8524c4df510ca1853037d0a8d1a08e83810432f631e53733afa5d999a74116513e59aa672bae17e8d3388e48b37ef975fac335d233e6d98283314e8b7145828

Download Submit
C:\Windows\{A8AB4CA1-D426-40f5-A1CE-C5FB265566E3}.exe

Filesize
83KB

MD5
426ad4b5384039e4b9c723bcacb41377

SHA1
68fdacfe4cdae0320eba6d058bfe274e52b15b32

SHA256
7c2dc93653b763c89dd4822c3ce0fa580a13fe4445e376107d8437be96db3f60

SHA512
18b89b242769e2d505c042acfe743f12cbd1365467e11aaf6a67d763dd63bf6f286ef4434476992c5193f4455deca16c994c458f4385d0fd8b90d4b56c1948d3

Download Submit
C:\Windows\{BEDDE75A-BFF9-48c4-B5F9-7BB56684D5BC}.exe

Filesize
83KB

MD5
df208f78e5bbeb4e09e4b31442a1b4a3

SHA1
e7c6d9f273036de2c892faa5e9cf5f619cd32319

SHA256
de13d357ef00f67b0c66535d22af22a9ef327952ca0e4c99efde0d62d29c9a86

SHA512
42c8fc2f525e8aee28092fcd419b92e18dbbe157c37c0673fc3b84963a269b5dd9b44fb77e7b0247fdc6e15c1af9fc22e0add99547aa35c39b8e950ab0504158

Download Submit
C:\Windows\{C3187DAD-FD43-496a-8BE2-7249C3E1FE76}.exe

Filesize
83KB

MD5
2a5a9e72636ebc6ce11dc7e30e4421ad

SHA1
d3171187053b371e594450cb129e8b982aac843b

SHA256
616743f26a0ba6a6efc3fc278d917040ae3752466f5f0fbc5ac26cf3c874f6a1

SHA512
c989141d272e09af5cb487ce06c9bb46f67a3b922481d07b285197d63455efbfc28874ebb11ac07495c2eb044a5e2a86e1de197c4288b1be8bde69a92b0e0b95

Download Submit
C:\Windows\{D726C50F-9041-44dc-953C-18AF589FAF1D}.exe

Filesize
83KB

MD5
9c3a4550de97441a54d80b83891917d6

SHA1
f44afc686feb617332d1745eefed3a0ff926fbd7

SHA256
be50d8054a1a5b8fcb3747ec7a8dd3681b461134b07d3b7fed15cd0cd22ccdda

SHA512
c957f1f2271ea1a99bbf6f5b1897722631dbec6ce3cd51b0e734e2dcb772b910c7d78e30e4c7026401f9d7e2a32311c955dbf22544e4105bb98f07cac4357b8a

Download Submit
C:\Windows\{E98AB76E-68B1-403c-922D-16991718A1AB}.exe

Filesize
83KB

MD5
44aac25a2353bf81cc7b8c81c31729da

SHA1
50ffef16e750e1b7851be52ffde6f807523835c2

SHA256
017f41059b9b0c35df2d149c1084b66b7e69d83387fb747d977234852cc5f29a

SHA512
f0c8f58edab85eb2db1d5b5737c5eecb5b2d2132097fd453441446144dc4a0ea06810f4a3794016d48e75558e7d03936731e0c66f1e729ed4632963c22d52ba9

Download Submit
memory/116-84-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2188-12-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2188-5-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2188-8-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3468-61-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3468-57-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3468-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3628-82-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3628-78-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3628-76-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4012-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4012-29-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4012-33-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4204-69-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4204-71-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4204-74-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4280-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4280-7-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4280-1-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4344-41-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4344-36-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4344-35-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4360-67-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4360-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4360-64-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4384-42-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4384-46-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4384-43-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4576-27-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4576-22-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4576-21-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4592-54-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4592-50-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4592-48-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4912-20-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4912-15-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4912-14-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads