1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8

Analysis

max time kernel
118s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8N.exe
Size

28KB
MD5

226f9c9285d3eeca1f618207796051f0
SHA1

649064cc6364a69bf7bdc2b35d2e7dddb5c5f1d3
SHA256

1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8
SHA512

76ffd6a79924fdb26b19f216155c0f73f29f3d68b2b13de5f2e8fbf018c1e89243bd35e04d8a7578e4f2bc631506a8137d33754a70de44a37e17797c37b9db6e
SSDEEP

384:2/mPAVyp+6srYYCk2gNPapIkFpOQGR9zos2clAKLHRN74u56/R9zZwu9f:J4quFCk2LtXOQ69zbjlAAX5e9zR

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 18 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D517A3-89F7-4427-9D14-C83C68493870}\stubpath = "C:\\Windows\\{B5D517A3-89F7-4427-9D14-C83C68493870}.exe"	{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}	{B5D517A3-89F7-4427-9D14-C83C68493870}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}	{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}\stubpath = "C:\\Windows\\{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe"	{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}	{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}\stubpath = "C:\\Windows\\{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe"	{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{B5D517A3-89F7-4427-9D14-C83C68493870}	{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77D70967-8DCF-4b47-A251-862C02087865}\stubpath = "C:\\Windows\\{77D70967-8DCF-4b47-A251-862C02087865}.exe"	1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43CEE9B7-5764-4057-B95A-9A688CCA379E}	{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{43CEE9B7-5764-4057-B95A-9A688CCA379E}\stubpath = "C:\\Windows\\{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe"	{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E51EB253-3A2E-4541-9B81-C28651ECC2F7}	{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E51EB253-3A2E-4541-9B81-C28651ECC2F7}\stubpath = "C:\\Windows\\{E51EB253-3A2E-4541-9B81-C28651ECC2F7}.exe"	{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{77D70967-8DCF-4b47-A251-862C02087865}	1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}\stubpath = "C:\\Windows\\{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe"	{77D70967-8DCF-4b47-A251-862C02087865}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}\stubpath = "C:\\Windows\\{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe"	{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}	{77D70967-8DCF-4b47-A251-862C02087865}.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}	{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}\stubpath = "C:\\Windows\\{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe"	{B5D517A3-89F7-4427-9D14-C83C68493870}.exe

Executes dropped EXE 9 IoCs

pid	Process
2480	{77D70967-8DCF-4b47-A251-862C02087865}.exe
4524	{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe
4824	{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe
5072	{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe
1580	{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe
4996	{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe
1224	{B5D517A3-89F7-4427-9D14-C83C68493870}.exe
3076	{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe
1408	{E51EB253-3A2E-4541-9B81-C28651ECC2F7}.exe

UPX packed file 20 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4468-0-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/memory/4468-1-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000a000000023bab-4.dat	upx
behavioral2/memory/4468-6-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000b000000023bcf-10.dat	upx
behavioral2/memory/2480-12-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000200000001e762-14.dat	upx
behavioral2/memory/4524-18-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x000c000000023c30-22.dat	upx
behavioral2/memory/4824-24-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0002000000021f4b-28.dat	upx
behavioral2/memory/5072-30-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0005000000021f4c-34.dat	upx
behavioral2/memory/1580-36-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0009000000022701-40.dat	upx
behavioral2/memory/4996-42-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0003000000000707-46.dat	upx
behavioral2/memory/1224-48-0x0000000000400000-0x0000000000412000-memory.dmp	upx
behavioral2/files/0x0006000000000709-52.dat	upx
behavioral2/memory/3076-54-0x0000000000400000-0x0000000000412000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe	{B5D517A3-89F7-4427-9D14-C83C68493870}.exe
File created	C:\Windows\{E51EB253-3A2E-4541-9B81-C28651ECC2F7}.exe	{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe
File created	C:\Windows\{77D70967-8DCF-4b47-A251-862C02087865}.exe	1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8N.exe
File created	C:\Windows\{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe	{77D70967-8DCF-4b47-A251-862C02087865}.exe
File created	C:\Windows\{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe	{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe
File created	C:\Windows\{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe	{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe
File created	C:\Windows\{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe	{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe
File created	C:\Windows\{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe	{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe
File created	C:\Windows\{B5D517A3-89F7-4427-9D14-C83C68493870}.exe	{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe

Program crash 9 IoCs

pid	pid_target	Process	procid_target
1764	4468	WerFault.exe	82
4976	2480	WerFault.exe	84
2068	4524	WerFault.exe	101
2636	4824	WerFault.exe	107
3200	5072	WerFault.exe	110
904	1580	WerFault.exe	114
3952	4996	WerFault.exe	117
1332	1224	WerFault.exe	120
3172	3076	WerFault.exe	123

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{77D70967-8DCF-4b47-A251-862C02087865}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{B5D517A3-89F7-4427-9D14-C83C68493870}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E51EB253-3A2E-4541-9B81-C28651ECC2F7}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2480	4468	1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8N.exe	84
PID 4468 wrote to memory of 2480	4468	1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8N.exe	84
PID 4468 wrote to memory of 2480	4468	1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8N.exe	84
PID 2480 wrote to memory of 4524	2480	{77D70967-8DCF-4b47-A251-862C02087865}.exe	101
PID 2480 wrote to memory of 4524	2480	{77D70967-8DCF-4b47-A251-862C02087865}.exe	101
PID 2480 wrote to memory of 4524	2480	{77D70967-8DCF-4b47-A251-862C02087865}.exe	101
PID 4524 wrote to memory of 4824	4524	{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe	107
PID 4524 wrote to memory of 4824	4524	{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe	107
PID 4524 wrote to memory of 4824	4524	{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe	107
PID 4824 wrote to memory of 5072	4824	{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe	110
PID 4824 wrote to memory of 5072	4824	{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe	110
PID 4824 wrote to memory of 5072	4824	{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe	110
PID 5072 wrote to memory of 1580	5072	{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe	114
PID 5072 wrote to memory of 1580	5072	{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe	114
PID 5072 wrote to memory of 1580	5072	{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe	114
PID 1580 wrote to memory of 4996	1580	{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe	117
PID 1580 wrote to memory of 4996	1580	{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe	117
PID 1580 wrote to memory of 4996	1580	{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe	117
PID 4996 wrote to memory of 1224	4996	{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe	120
PID 4996 wrote to memory of 1224	4996	{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe	120
PID 4996 wrote to memory of 1224	4996	{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe	120
PID 1224 wrote to memory of 3076	1224	{B5D517A3-89F7-4427-9D14-C83C68493870}.exe	123
PID 1224 wrote to memory of 3076	1224	{B5D517A3-89F7-4427-9D14-C83C68493870}.exe	123
PID 1224 wrote to memory of 3076	1224	{B5D517A3-89F7-4427-9D14-C83C68493870}.exe	123
PID 3076 wrote to memory of 1408	3076	{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe	126
PID 3076 wrote to memory of 1408	3076	{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe	126
PID 3076 wrote to memory of 1408	3076	{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe	126

C:\Users\Admin\AppData\Local\Temp\1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8N.exe
"C:\Users\Admin\AppData\Local\Temp\1612300ca20b531ebef8b105a75cce1774c4b6a93a68cb186f36ac3b97a059f8N.exe"
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\{77D70967-8DCF-4b47-A251-862C02087865}.exe
  C:\Windows\{77D70967-8DCF-4b47-A251-862C02087865}.exe
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe
    C:\Windows\{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4524
  - - C:\Windows\{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe
      C:\Windows\{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      Executes dropped EXE
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe
        
        C:\Windows\{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:5072
      - C:\Windows\{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe
        
        C:\Windows\{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe
        
        C:\Windows\{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\{B5D517A3-89F7-4427-9D14-C83C68493870}.exe
        
        C:\Windows\{B5D517A3-89F7-4427-9D14-C83C68493870}.exe
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe
        
        C:\Windows\{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\{E51EB253-3A2E-4541-9B81-C28651ECC2F7}.exe
        
        C:\Windows\{E51EB253-3A2E-4541-9B81-C28651ECC2F7}.exe
        10⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1408
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 768
        10⤵
        Program crash
        
        PID:3172
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 748
        9⤵
        Program crash
        
        PID:1332
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4996 -s 740
        8⤵
        Program crash
        
        PID:3952
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 764
        7⤵
        Program crash
        
        PID:904
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 740
        6⤵
        Program crash
        
        PID:3200
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 792
        5⤵
        Program crash
        
        PID:2636
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 732
      4⤵
      Program crash
      PID:2068
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 804
    3⤵
    - Program crash
    PID:4976
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 788
  2⤵
  - Program crash
  PID:1764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4468 -ip 4468
1⤵
PID:2892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2480 -ip 2480
1⤵
PID:3764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 4524 -ip 4524
1⤵
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4824 -ip 4824
1⤵
PID:3780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5072 -ip 5072
1⤵
PID:4380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1580 -ip 1580
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 4996 -ip 4996
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1224 -ip 1224
1⤵
PID:4800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3076 -ip 3076
1⤵
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\{2C8367FC-AD7F-4b39-9A24-BEBA373AAEBA}.exe

Filesize
28KB

MD5
a818fdd65b6090ae8a7507f2daa0bb57

SHA1
a453d6fbb9072c990c64bea4ded7c09b6d6a10a0

SHA256
f04dff4444ef6135dc1331a97d15a40e0f8868789838171f43778f9d975272ef

SHA512
032c2396c9a1c8b581877563fab65282f65e8b13a67384d02aa3dd6de7daab39070c88b7c418e50f6a308fc10bb9175bbae07858ebad65617a32adc99fc2988b

Download Submit
C:\Windows\{3A5EFBCF-D3A9-42b8-831A-2E76468017C3}.exe

Filesize
28KB

MD5
b3a482f03b4e562d7cb739440c4ccaa4

SHA1
6eb99a13b8c0f535a1ae4f66976276bc74f4e1a9

SHA256
73256662c76a3061778e4e63058c0560fdeff9b874e49ce1d01d8ad1a3e12ed6

SHA512
d3ba23b9e53be0b1247b7dfeb5d27daa11fa52d9e26c9c4755baac4d9185d964b43a36010eee0626d9ff241858c4f49257e855d1c1c1066e848612a13e63508a

Download Submit
C:\Windows\{43CEE9B7-5764-4057-B95A-9A688CCA379E}.exe

Filesize
28KB

MD5
2989d3ffa990a0db821799d4bb8967b3

SHA1
a8dcdf6097474cb91c28d7f7db627330cc6e3c72

SHA256
3513f8fc40691fa7d4177d7639e8eb1d0f5fda836fea0cdf2ace6e03ba307d3e

SHA512
6f7f01241c45f16cccabcabb413682d66f804f578d9c34c9f01600f712e26b64b8fbe3556a9d9ce89c818f92a23a683b45b709e9d2fc3b01c3024c2b024534ad

Download Submit
C:\Windows\{77D70967-8DCF-4b47-A251-862C02087865}.exe

Filesize
28KB

MD5
51d34a11911d26f7a603adc49cb164d7

SHA1
b8781a2830417dd1748e8b9006d9aaaf15796f0d

SHA256
77bfb06a5fed59b1da7b4cd567937bf3724c6aa73a99bc197d6bd02df1b20cd4

SHA512
8c0e01b1fb643cf819da486a155f4dc724eba23b34a3121283b5cbf9f566b449ccbab7f245b7f222cd1f5f343407463263145042b851a790647019d494eb3e50

Download Submit
C:\Windows\{B5D517A3-89F7-4427-9D14-C83C68493870}.exe

Filesize
28KB

MD5
57507455e1e1aeabe6117beb96d43bf7

SHA1
58bfb422b7fa818a416bc09c134440d1903d0e39

SHA256
f2bdb80b06c34d72e5556009e007d42c232a80269cf742745d68ce8f19a0c9d4

SHA512
07f6a5d12c92e99441f4e9385759339ddbf9c86a5b686d0b8a814f716dc6b808bc3a7c6dbf80f55931e4a6195f4b6e8bfa318972f60053560ccf624644af71d2

Download Submit
C:\Windows\{BB3B1CB9-3CD9-45c5-8C4C-1606B6BD0AAB}.exe

Filesize
28KB

MD5
3693c900d12a7d19c7458fdb9b05b682

SHA1
c936f184bf8687a265018dc8fdafaae4ddec7936

SHA256
c5cb98521ee1789d022a66c7d973053296662c07831e7b62049acad23717f402

SHA512
57e4f4968a5a6c6918e792f64563dc2409563f7853219a94e423a50ec6db371c4c6a010197b568eb072b9fc27d0ce4bab225791f4e8b8a563edba6b0904cd0d9

Download Submit
C:\Windows\{E0CD2F1E-9237-4e27-B14E-0AAE316C086B}.exe

Filesize
28KB

MD5
193b186098ece152e78bc45380ab020a

SHA1
2cfd37b745c57d9616517352709e41a23b112a30

SHA256
230144a2b8dd07db1d04bd38c0b95083746206ba9b5ee3ccf8cb80ee9405cc19

SHA512
d93367f3a01f6fb8e6d3260e638633c8a82e07c6881fa9c724bb87ba0300b46e4157d930c45f5cf52c45833db76d81bb708b5acf7e843d3e35ca0678983f79d2

Download Submit
C:\Windows\{E51EB253-3A2E-4541-9B81-C28651ECC2F7}.exe

Filesize
28KB

MD5
b0832f02a1ab316cb563cff4f13e86b2

SHA1
9c12110032a15d1999e7d081c0edaad9cb8b754f

SHA256
237ef4ec36602a62bf27f71182e290f320789971f5fdfd13591c931ee2cdd444

SHA512
9d0d4824213ad905612e4572b5397fd501cfd4c4c2ec8a31ca62eebf9209a307b0653f2f913feb3c1daa988a289a8780ec4b3b0f2f84e7860e82320883e9eca8

Download Submit
C:\Windows\{F14C6E65-6037-4cd4-B14E-56CDAED9A8B4}.exe

Filesize
28KB

MD5
d650fcce7680140eaf0ee5cd139f7b94

SHA1
b1af322589817ffd9bba0c6b2d4e9cc6be3ff09b

SHA256
5a3496efb89e4e53c9d8e1f6a0370a177c723150532055bdfe050fbbdaabc150

SHA512
c808f66aae0a1a17d7c4b073dcb52aae754d119c18ed587b750a0fb084b2517931270f87fc497e6598eef6bb7c136485a2b6deb057c4d0699d79105be2c880ac

Download Submit
memory/1224-48-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1580-36-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2480-12-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3076-54-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4468-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4468-6-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4468-1-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4524-18-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4824-24-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4996-42-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/5072-30-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads