Analysis
max time kernel: 104s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/03/2025, 05:48
Behavioral task: behavioral1
Sample: 2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
Resource: win10v2004-20250314-en
General
Target: 2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
Size: 37.3MB
MD5: ed792723ba21a8e0d0cc25cb5cf66c46
SHA1: effafd6d4b2ea916a4633c7065d84beb806386e7
SHA256: c92d1b2c314fb70cc2f150b5bd5501291c4019cfc41c1a6f414401b1530e6be8
SHA512: 67dd677ec19c8462aa1dd24ed95791c20dcd1fdaf67a3daa673d8ebc353013130f7d77ac428a650303abfd81a20d860d6e53643c198d2450f78b43e71f4bedac
SSDEEP: 786432:upuNz0ZyK9DRNFOCWQnTzHTWg9DhGsVDHXMb8ODw05q4WUXE:upSz8yKiuHakDcbqv
Malware Config
Extracted family: aresloader
URLs:
http://127.0.0.1:8888
http://127.0.0.1:8080
http://192.168.31.111
Signatures
AresLoader
AresLoader is a loader and downloader written in C++.
Aresloader family
Modifies Windows Firewall 2 TTPs 3 IoCs
pid   Process
2068  netsh.exe
3812  netsh.exe
5048  netsh.exe
Executes dropped EXE 13 IoCs
Loads dropped DLL 44 IoCs
Drops file in System32 directory 4 IoCs
description   ioc                               Process
File created  C:\Windows\System32\PrxerDrv.dll  2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
File created  C:\Windows\System32\PrxerNsp.dll  2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
File created  C:\Windows\SysWOW64\PrxerDrv.dll  2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
File created  C:\Windows\SysWOW64\PrxerNsp.dll  2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
Drops file in Windows directory 2 IoCs
description   ioc                           Process
File created  C:\Windows\installPrxer64.exe  2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
File created  C:\Windows\installPrxer32.exe  2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
Event Triggered Execution: Netsh Helper DLL 1 TTPs 15 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  installPrxer32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  installPrxer32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  installPrxer32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  installPrxer32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  installPrxer32.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  installPrxer32.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  5680  2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
Suspicious use of WriteProcessMemory 46 IoCs
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe (PID 4136)
  Command: "C:\Users\Admin\AppData\Local\Temp\2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe"
  - Suspicious use of WriteProcessMemory
  [level 2] C:\Users\Admin\AppData\Local\Temp\2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe (PID 5680)
    Command: "C:\Users\Admin\AppData\Local\Temp\2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe"
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [level 3] C:\Windows\system32\netsh.exe (PID 6120)
      Command: netsh int ipv4 set dynamicport tcp start=10000 num=55000
      - Event Triggered Execution: Netsh Helper DLL
    [level 3] C:\Windows\system32\netsh.exe (PID 4932)
      Command: netsh int ipv6 set dynamicport tcp start=10000 num=55000
      - Event Triggered Execution: Netsh Helper DLL
    [level 3] C:\Windows\system32\cmd.exe (PID 4880)
      Command: C:\Windows\system32\cmd.exe /c cls
    [level 3] C:\Windows\system32\certutil.exe (PID 4952)
      Command: certutil -addstore root C:\Users\Admin\AppData\Local\Temp\SunnyNet.crt
    [level 3] C:\Windows\system32\netsh.exe (PID 5048)
      Command: netsh advfirewall firewall delete rule name=SunnyNet
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
    [level 3] C:\Windows\system32\netsh.exe (PID 2068)
      Command: netsh advfirewall firewall add rule name=SunnyNet dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
    [level 3] C:\Windows\system32\netsh.exe (PID 3812)
      Command: netsh advfirewall firewall add rule name=SunnyNetOut dir=out action=allow program=C:\Users\Admin\AppData\Local\Temp\2025-03-29_ed792723ba21a8e0d0cc25cb5cf66c46_black-basta_cobalt-strike_satacom.exe
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
    [level 3] C:\Windows\installPrxer64.exe (PID 1028)
      Command: C:\Windows\installPrxer64.exe il
      - Executes dropped EXE
      - Loads dropped DLL
    [level 3] C:\Windows\installPrxer64.exe (PID 2988)
      Command: C:\Windows\installPrxer64.exe l
      - Executes dropped EXE
      - Loads dropped DLL
    [level 3] C:\Windows\installPrxer64.exe (PID 5708)
      Command: C:\Windows\installPrxer64.exe il
      - Executes dropped EXE
      - Loads dropped DLL
    [level 3] C:\Windows\installPrxer64.exe (PID 1636)
      Command: C:\Windows\installPrxer64.exe in
      - Executes dropped EXE
      - Loads dropped DLL
    [level 3] C:\Windows\installPrxer64.exe (PID 3328)
      Command: C:\Windows\installPrxer64.exe n
      - Executes dropped EXE
      - Loads dropped DLL
    [level 3] C:\Windows\installPrxer64.exe (PID 2800)
      Command: C:\Windows\installPrxer64.exe in
      - Executes dropped EXE
      - Loads dropped DLL
    [level 3] C:\Windows\installPrxer32.exe (PID 5288)
      Command: C:\Windows\installPrxer32.exe il
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    [level 3] C:\Windows\installPrxer32.exe (PID 5576)
      Command: C:\Windows\installPrxer32.exe l
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    [level 3] C:\Windows\installPrxer32.exe (PID 3324)
      Command: C:\Windows\installPrxer32.exe il
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    [level 3] C:\Windows\installPrxer32.exe (PID 4732)
      Command: C:\Windows\installPrxer32.exe in
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    [level 3] C:\Windows\installPrxer32.exe (PID 4052)
      Command: C:\Windows\installPrxer32.exe n
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
    [level 3] C:\Windows\installPrxer32.exe (PID 6116)
      Command: C:\Windows\installPrxer32.exe in
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
Downloads