70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9

Analysis

max time kernel
118s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-01-2025 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe
Size

28KB
MD5

f284ea6cbc01384673733702d26540ce
SHA1

19534d5826f0bed9844d7236cde79bae54b59caa
SHA256

70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9
SHA512

13358b816cb883680af765ad1e1f7f6baa1356c40395d9a11dfd8a610171bbe3aeb52790f8c66277b5ee798746fe28984d7ecac86c621952d3e39c0295387283
SSDEEP

384:2/mPAVyp+6srYYCk2gNPapIyFpOQGR9zos2clAKLHRN74u56/R9zZwu91:J4quFCk2LXXOQ69zbjlAAX5e9z7

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C11D1062-A7D2-45c2-907D-4E1D085441B8}\stubpath = "C:\\Windows\\{C11D1062-A7D2-45c2-907D-4E1D085441B8}.exe"	{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBBF58F8-4E06-4043-8215-6C4D582F5D45}\stubpath = "C:\\Windows\\{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe"	{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11E137E1-2D1D-451a-9109-CA8854150CE2}\stubpath = "C:\\Windows\\{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe"	{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FBB6688-7B71-41c1-846D-6F59FF417073}	{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A60C354-CA29-49af-931D-499DCD441A9F}	{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{8FBB6688-7B71-41c1-846D-6F59FF417073}\stubpath = "C:\\Windows\\{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe"	{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BBBF58F8-4E06-4043-8215-6C4D582F5D45}	{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36A613B5-00B3-473a-BEB9-57A171AA9057}\stubpath = "C:\\Windows\\{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe"	{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{11E137E1-2D1D-451a-9109-CA8854150CE2}	{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{C11D1062-A7D2-45c2-907D-4E1D085441B8}	{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}	70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}\stubpath = "C:\\Windows\\{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe"	70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E43895-A594-4161-9DE6-323F57217558}\stubpath = "C:\\Windows\\{13E43895-A594-4161-9DE6-323F57217558}.exe"	{9A60C354-CA29-49af-931D-499DCD441A9F}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}	{13E43895-A594-4161-9DE6-323F57217558}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}\stubpath = "C:\\Windows\\{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe"	{13E43895-A594-4161-9DE6-323F57217558}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{36A613B5-00B3-473a-BEB9-57A171AA9057}	{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{9A60C354-CA29-49af-931D-499DCD441A9F}\stubpath = "C:\\Windows\\{9A60C354-CA29-49af-931D-499DCD441A9F}.exe"	{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{13E43895-A594-4161-9DE6-323F57217558}	{9A60C354-CA29-49af-931D-499DCD441A9F}.exe

Executes dropped EXE 9 IoCs

pid	Process
3340	{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe
4524	{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe
3064	{9A60C354-CA29-49af-931D-499DCD441A9F}.exe
3700	{13E43895-A594-4161-9DE6-323F57217558}.exe
3820	{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe
4576	{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe
828	{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe
3488	{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe
2084	{C11D1062-A7D2-45c2-907D-4E1D085441B8}.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5096-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/5096-1-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0007000000023c9e-4.dat	upx
behavioral2/memory/5096-6-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0011000000023cb2-10.dat	upx
behavioral2/memory/3340-12-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000a000000023cb9-14.dat	upx
behavioral2/memory/4524-18-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000d000000023cba-22.dat	upx
behavioral2/memory/3064-24-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000c0000000219e5-28.dat	upx
behavioral2/memory/3700-31-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000e0000000219e8-35.dat	upx
behavioral2/memory/3820-37-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0009000000021fcd-41.dat	upx
behavioral2/memory/4576-43-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0003000000000705-47.dat	upx
behavioral2/memory/828-49-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0006000000000707-53.dat	upx
behavioral2/memory/3488-55-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{C11D1062-A7D2-45c2-907D-4E1D085441B8}.exe	{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe
File created	C:\Windows\{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe	70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe
File created	C:\Windows\{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe	{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe
File created	C:\Windows\{9A60C354-CA29-49af-931D-499DCD441A9F}.exe	{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe
File created	C:\Windows\{13E43895-A594-4161-9DE6-323F57217558}.exe	{9A60C354-CA29-49af-931D-499DCD441A9F}.exe
File created	C:\Windows\{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe	{13E43895-A594-4161-9DE6-323F57217558}.exe
File created	C:\Windows\{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe	{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe
File created	C:\Windows\{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe	{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe
File created	C:\Windows\{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe	{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe

Program crash 9 IoCs

pid	pid_target	Process	procid_target
4572	5096	WerFault.exe	82
4436	3340	WerFault.exe	90
392	4524	WerFault.exe	101
3516	3064	WerFault.exe	107
2100	3700	WerFault.exe	110
4804	3820	WerFault.exe	113
4168	4576	WerFault.exe	116
436	828	WerFault.exe	119
996	3488	WerFault.exe	122

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{C11D1062-A7D2-45c2-907D-4E1D085441B8}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{9A60C354-CA29-49af-931D-499DCD441A9F}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{13E43895-A594-4161-9DE6-323F57217558}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 3340	5096	70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe	90
PID 5096 wrote to memory of 3340	5096	70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe	90
PID 5096 wrote to memory of 3340	5096	70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe	90
PID 3340 wrote to memory of 4524	3340	{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe	101
PID 3340 wrote to memory of 4524	3340	{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe	101
PID 3340 wrote to memory of 4524	3340	{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe	101
PID 4524 wrote to memory of 3064	4524	{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe	107
PID 4524 wrote to memory of 3064	4524	{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe	107
PID 4524 wrote to memory of 3064	4524	{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe	107
PID 3064 wrote to memory of 3700	3064	{9A60C354-CA29-49af-931D-499DCD441A9F}.exe	110
PID 3064 wrote to memory of 3700	3064	{9A60C354-CA29-49af-931D-499DCD441A9F}.exe	110
PID 3064 wrote to memory of 3700	3064	{9A60C354-CA29-49af-931D-499DCD441A9F}.exe	110
PID 3700 wrote to memory of 3820	3700	{13E43895-A594-4161-9DE6-323F57217558}.exe	113
PID 3700 wrote to memory of 3820	3700	{13E43895-A594-4161-9DE6-323F57217558}.exe	113
PID 3700 wrote to memory of 3820	3700	{13E43895-A594-4161-9DE6-323F57217558}.exe	113
PID 3820 wrote to memory of 4576	3820	{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe	116
PID 3820 wrote to memory of 4576	3820	{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe	116
PID 3820 wrote to memory of 4576	3820	{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe	116
PID 4576 wrote to memory of 828	4576	{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe	119
PID 4576 wrote to memory of 828	4576	{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe	119
PID 4576 wrote to memory of 828	4576	{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe	119
PID 828 wrote to memory of 3488	828	{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe	122
PID 828 wrote to memory of 3488	828	{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe	122
PID 828 wrote to memory of 3488	828	{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe	122
PID 3488 wrote to memory of 2084	3488	{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe	125
PID 3488 wrote to memory of 2084	3488	{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe	125
PID 3488 wrote to memory of 2084	3488	{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe	125

C:\Users\Admin\AppData\Local\Temp\70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe
"C:\Users\Admin\AppData\Local\Temp\70bdf2285b80ba0a78fc701d79543b6d4bbafc329a5aa3ac903673b2bc56cfb9.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe
  C:\Windows\{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe
    C:\Windows\{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\{9A60C354-CA29-49af-931D-499DCD441A9F}.exe
      C:\Windows\{9A60C354-CA29-49af-931D-499DCD441A9F}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3064
    - - C:\Windows\{13E43895-A594-4161-9DE6-323F57217558}.exe
        
        C:\Windows\{13E43895-A594-4161-9DE6-323F57217558}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3700
      - C:\Windows\{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe
        
        C:\Windows\{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe
        
        C:\Windows\{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe
        
        C:\Windows\{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:828
        
        C:\Windows\{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe
        
        C:\Windows\{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3488
        
        C:\Windows\{C11D1062-A7D2-45c2-907D-4E1D085441B8}.exe
        
        C:\Windows\{C11D1062-A7D2-45c2-907D-4E1D085441B8}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3488 -s 744
        10⤵
        Program crash
        
        PID:996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 828 -s 792
        9⤵
        Program crash
        
        PID:436
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 752
        8⤵
        Program crash
        
        PID:4168
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3820 -s 780
        7⤵
        Program crash
        
        PID:4804
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 764
        6⤵
        Program crash
        
        PID:2100
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3064 -s 740
        5⤵
        Program crash
        
        PID:3516
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 620
      4⤵
      Program crash
      PID:392
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3340 -s 808
    3⤵
    - Program crash
    PID:4436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 764
  2⤵
  - Program crash
  PID:4572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5096 -ip 5096
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3340 -ip 3340
1⤵
PID:1892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4524 -ip 4524
1⤵
PID:532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3064 -ip 3064
1⤵
PID:3964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3700 -ip 3700
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3820 -ip 3820
1⤵
PID:1184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4576 -ip 4576
1⤵
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 828 -ip 828
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3488 -ip 3488
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{11E137E1-2D1D-451a-9109-CA8854150CE2}.exe

Filesize
28KB

MD5
9f0fdfd7b805ad5a2e0b1547fce3ee5a

SHA1
9fffc034d1b7aef288fd1c6ba4bcb5aed8eceaba

SHA256
f8e905b564a4f1324997e5f23b0491826a1a6dd49bed0674f1e4a5e964786846

SHA512
6a5c78b04d44cab93890cca7749b59270de15e9c1538d9a1db6de63298855ab001ad314146461ae376e88e8fcb1b67c5151a01f1cc307716efcf24c7bbb1845b

Download Submit
C:\Windows\{13E43895-A594-4161-9DE6-323F57217558}.exe

Filesize
28KB

MD5
cb384843d4d6b50649718b8b62421d04

SHA1
947cc43efe5d3d9c76ed23ce55795a4d4e716cb9

SHA256
83715631572d0b3022a48234e944f9724709ff85d40480f6fe96b96ff45b5572

SHA512
1be070ad9eac7c0e7a7a7400666668dec82c225a13dcfbabae022f6107c603d121827bcf5a1e847d49afa7f2f51e1b3e2defe38630039dae9e8869ec8a17f51b

Download Submit
C:\Windows\{36A613B5-00B3-473a-BEB9-57A171AA9057}.exe

Filesize
28KB

MD5
471216633042e622f641fa096a7a03fe

SHA1
0684a57ffd923ee883a4e802376993b9acaed852

SHA256
76bafbc3a86809719044676cd4f1a299ee641808887dde2b8fec018de2e8950f

SHA512
55fe199f20667d2c50cd522780af52ece85b4db8308c47ce9e16361de15a5490ef2b58279b3c623d9e2922d24725e184336e07d75f870fb148824fcf65629780

Download Submit
C:\Windows\{454F4B4A-8638-41c7-A3EF-23F49B2A8AA4}.exe

Filesize
28KB

MD5
3796355aa78b0967443a2d348f0ece87

SHA1
09c6058933835ca557db941e3410cade182c5c33

SHA256
92c152edbc92d347dd35bf89e4177433bba68edf200fd298d8798b5e55300f89

SHA512
aedcec44789b54cda3feeb0cdb6cb8972709b8effd8589fc6db0fd4338fca2b6fc303bc22dfcdbd0594e575159e227033ff2b9b29b7d5b393e6e221e71f79b13

Download Submit
C:\Windows\{8FBB6688-7B71-41c1-846D-6F59FF417073}.exe

Filesize
28KB

MD5
0b72b5188fb679a73b424783d00f0f5c

SHA1
9c31b1306d6ee3321d2b2792835b52e1650c8297

SHA256
da6f0b4add0d5aa258b8ff4bfd2bba8331929b56e1d8293216423061372d6934

SHA512
762ccf5c4e6139e8b5a6d2fd407ce7b269f3234d7148dd29975d369752f33fb72c3bbcf2b4bbd50a239a5438302149f315ef8f98a1b85fb8255c9f3626195be3

Download Submit
C:\Windows\{9A60C354-CA29-49af-931D-499DCD441A9F}.exe

Filesize
28KB

MD5
ca3ae254dcdb6b8694cceaf1c4acfa77

SHA1
175767aab4ffa98a3c8381126f3bbf6928248eb0

SHA256
bb86f894dc8710dffeefa66aac905c4ca72fd8de6b685c1c56903be72a8deb69

SHA512
8416b54008c404aabe71fe8495e3f7af30e0b0fe3e2442a49a4e4b5bb3260c57aa335ebc07c329ac471691e54e759165077abaff0f6c6244efda67862595ad30

Download Submit
C:\Windows\{B45F9055-F595-4fb2-A9BA-1EAA65C727DA}.exe

Filesize
28KB

MD5
49a09ff3637e52eb08f6bfa3a6d03035

SHA1
7a9b1c4367166ad11e493def53e8593b3db99e4f

SHA256
54650fbfa40a9247eebd39441ac80b51c7cfb13dfc9bcf694fd03d897aadde1e

SHA512
35abf43ac651ee19e71285b68f34b21fd423c9f7c5656c4defcc322f15eec2b8ec000b2258a7f4c2cac6ded146e13d08198ada52a3c17dcd8fd07f9e684bbeba

Download Submit
C:\Windows\{BBBF58F8-4E06-4043-8215-6C4D582F5D45}.exe

Filesize
28KB

MD5
9d8fdd6995ef1feaabccb45932a96b44

SHA1
93d0fe69b860e637aa5c07d0bf3a9d8f77fd93a7

SHA256
c2800b24d472e424625d05fbd370921c34e35a25a4302a6b7218f24b95efdc8d

SHA512
ad2ed248d304fb43bac055dfce927e7f517ba5bacc0a7f4fd2ac143e9e6aadbfa5d9c7571bf2cb19cd903ca98b41d3725b98ffd5acf0e2b94ef363463e81aa75

Download Submit
C:\Windows\{C11D1062-A7D2-45c2-907D-4E1D085441B8}.exe

Filesize
28KB

MD5
68136f94611770e09352d87fa39908b3

SHA1
7d588db089aeac3b4d1a3fb497ba0716cbe6072c

SHA256
48b208cecc3ba60e41a4e5c56516cdf7258d3ba0547c5582a1e0b1250d4d3926

SHA512
e0be74b67817de27f94b5a4eb72c0dadb7d1f93d48f133b29ca9e69f0b4366f77271756f1e426d3b3b4746d27d275dc0ec088f4c79c7852c662d177897a50a22

Download Submit
memory/828-49-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3064-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3340-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3488-55-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3700-31-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3820-37-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4524-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4576-43-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5096-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5096-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5096-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads