dridex | 7bb7de3215d3e8a98b95fee746692f710b91da494b80bc7fe73636875dc610b7

General

Target

Sales_Invoice_186311_725945_from_Inc.xls
Size

51KB
MD5

e696a3e6497ced315b344d6ab1aa6c5f
SHA1

66c6efb7cc4b48bd6e4a14d9edae16bb7e21ffd0
SHA256

7bb7de3215d3e8a98b95fee746692f710b91da494b80bc7fe73636875dc610b7
SHA512

3879731cb03d4b5d7bc441ca30495cd781cec86205a8fdf6091695598f23974be1c71bbd1e34b17a2989412f5725ef5e7d504ff7c6452014d9e5d3def2dfab61

Score

10^/10

dridex 10444 botnet loader

Malware Config

Extracted

Family

dridex

Botnet

10444

C2

77.220.64.39:443

69.164.207.140:3388

78.47.139.43:4443

103.244.206.74:33443

rc4.plain

Signatures

Dridex
Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.
botnet dridex

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exeregsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1608	1320	regsvr32.exe	EXCEL.EXE
Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process	1760	1320	regsvr32.exe	EXCEL.EXE

Dridex Loader 1 IoCs

Detects Dridex both x86 and x64 loader in memory.

botnet loader

Processes:

resource	yara_rule
behavioral1/memory/1608-7-0x0000000010000000-0x000000001003D000-memory.dmp	dridex_ldr

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exeregsvr32.exe

pid process

1608 regsvr32.exe
1760 regsvr32.exe
Office loads VBA resources, possible macro or embedded object present
Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

pid	process
1608	regsvr32.exe
1760	regsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE

Modifies registry class 280 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8A683C91-BA84-11CF-8110-00A0C9030074}\ = "IReturnEffect"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D53-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{796ED650-5FE9-11CF-8D68-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D11F-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLPassword"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}\ = "FormEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{CF3F94A0-F546-11CE-9BCE-00AA00608E01}\ = "OptionFrameEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5B9D8FC8-4A71-101B-97A6-00000B65C08B}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D111-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLSubmitButton"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLCheckbox"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D32-EC42-11CE-9E0D-00AA006002F3}\ = "MdcComboEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\TypeLib\{B87F0B0F-091A-4C4B-BF2E-5B8F285DE221}\2.0\HELPDIR	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{82B02370-B5BC-11CF-810F-00A0C9030074}\ = "IReturnInteger"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC8-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE1-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents2"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC4-866C-11CF-AB7C-00AA00C08FCF}\ = "ICommandButton"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC1-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D22-EC42-11CE-9E0D-00AA006002F3}\ = "MdcListEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\TypeLib\{B87F0B0F-091A-4C4B-BF2E-5B8F285DE221}\2.0\FLAGS	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D63-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcToggleButton"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC8-AF6C-11CE-9F46-00AA00574A4F}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{BEF6E003-A874-101A-8BBA-00AA00300CAB}\ = "Font"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D43-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{47FF8FE0-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D117-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC2-AF6C-11CE-9F46-00AA00574A4F}\ = "ScrollbarEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE8-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents9"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}\ = "IControl"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC6-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}\ = "Controls"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{5512D113-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLImage"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE5-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents6"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B87F0B0F-091A-4C4B-BF2E-5B8F285DE221}\2.0\ = "Microsoft Forms 2.0 Object Library"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{EC72F590-F375-11CE-B9E8-00AA006B1A69}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D119-5CC6-11CF-8D67-00AA00BDCE1D}\ = "IWHTMLOption"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE4-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents5"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC2-866C-11CF-AB7C-00AA00C08FCF}\ = "ITabStrip"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{5512D123-5CC6-11CF-8D67-00AA00BDCE1D}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{47FF8FE3-6198-11CF-8CE8-00AA006CB389}\ = "WHTMLControlEvents4"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{944ACF93-A1E6-11CE-8104-00AA00611080}\ = "Tabs"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D12-EC42-11CE-9E0D-00AA006002F3}\ = "MdcTextEvents"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8A683C90-BA84-11CF-8110-00A0C9030074}\ = "IReturnSingle"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D13-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcText"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{8BD21D33-EC42-11CE-9E0D-00AA006002F3}\ = "IMdcCombo"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{04598FC7-866C-11CF-AB7C-00AA00C08FCF}	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{4C599243-6926-101B-9992-00000B65C6F9}	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Interface\{7B020EC7-AF6C-11CE-9F46-00AA00574A4F}\ = "TabStripEvents"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000_CLASSES\Wow6432Node\Interface\{8BD21D42-EC42-11CE-9E0D-00AA006002F3}	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1320 EXCEL.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

EXCEL.EXE

pid process

1320 EXCEL.EXE
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

EXCEL.EXE

pid process

1320 EXCEL.EXE
1320 EXCEL.EXE
1320 EXCEL.EXE

pid	process
1320	EXCEL.EXE

pid	process
1320	EXCEL.EXE

pid	process
1320	EXCEL.EXE
1320	EXCEL.EXE
1320	EXCEL.EXE

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

EXCEL.EXE

description	pid	process	target process
PID 1320 wrote to memory of 1608	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1608	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1608	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1608	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1608	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1608	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1608	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1760	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1760	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1760	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1760	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1760	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1760	1320	EXCEL.EXE	regsvr32.exe
PID 1320 wrote to memory of 1760	1320	EXCEL.EXE	regsvr32.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Sales_Invoice_186311_725945_from_Inc.xls
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1320
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\vxomr._ZO
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  PID:1608
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\gzvmr._OL
  2⤵
  - Process spawned unexpected child process
  - Loads dropped DLL
  PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
1f9d130ab8b5380d6899d489d2380f00

SHA1
f3eae0334d20898a92871c266a6f80d27810a55a

SHA256
ee8ae8d82241c99c241d2f3d0d4c10bd41305339ab2497d9546fdc983b90d602

SHA512
3ae355fe7a47f443f98588e8285841aad31c924f0264d8872caa2aef58de659a0697ed74a3eacdb0261aa813a8fba26012b0f1e347e0cdd496f412d1fc02ffad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5
622a82bbfedc3b7e254274df5b9ae864

SHA1
1b86bbcae9ec28ade2be3f446fb93dd9e3b69a99

SHA256
5ec9cc8ae1346fe5ed25aa2ccd664f7197fbf51ae89799c383bb9320b6ea15a7

SHA512
58f8e6bc5135328d1367fbd56bfb2ae227d14722a0e0fcca0b94466066c2c77ab16b64640e2471ed7bdcd6bdedcfe753f6e3dc286455b350480c9d0196976efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gzvmr._OL

MD5
c151c22bf1425d8adfa4313ee1f2387c

SHA1
a18a5feb2495d5daeae01be7ae4a0ae58b233278

SHA256
b7416f6229dae7bc167f6f18c25b993c7c11a88a139a77178102bd7ca84c469c

SHA512
9748d5c307facc0a819816ec00fb60c975cbdaa534df5ab6871396f25a258930f45aaeac7d17e8d2e20012ac29cf678510c601914e11b4c965380154d668e170

Download Submit
C:\Users\Admin\AppData\Local\Temp\vxomr._ZO

MD5
c151c22bf1425d8adfa4313ee1f2387c

SHA1
a18a5feb2495d5daeae01be7ae4a0ae58b233278

SHA256
b7416f6229dae7bc167f6f18c25b993c7c11a88a139a77178102bd7ca84c469c

SHA512
9748d5c307facc0a819816ec00fb60c975cbdaa534df5ab6871396f25a258930f45aaeac7d17e8d2e20012ac29cf678510c601914e11b4c965380154d668e170

Download Submit
\Users\Admin\AppData\Local\Temp\gzvmr._OL

MD5
c151c22bf1425d8adfa4313ee1f2387c

SHA1
a18a5feb2495d5daeae01be7ae4a0ae58b233278

SHA256
b7416f6229dae7bc167f6f18c25b993c7c11a88a139a77178102bd7ca84c469c

SHA512
9748d5c307facc0a819816ec00fb60c975cbdaa534df5ab6871396f25a258930f45aaeac7d17e8d2e20012ac29cf678510c601914e11b4c965380154d668e170

Download Submit
\Users\Admin\AppData\Local\Temp\vxomr._ZO

MD5
c151c22bf1425d8adfa4313ee1f2387c

SHA1
a18a5feb2495d5daeae01be7ae4a0ae58b233278

SHA256
b7416f6229dae7bc167f6f18c25b993c7c11a88a139a77178102bd7ca84c469c

SHA512
9748d5c307facc0a819816ec00fb60c975cbdaa534df5ab6871396f25a258930f45aaeac7d17e8d2e20012ac29cf678510c601914e11b4c965380154d668e170

Download Submit
memory/1604-0-0x000007FEF7F70000-0x000007FEF81EA000-memory.dmp

Filesize
2.5MB

Download
memory/1608-1-0x0000000000000000-mapping.dmp

Download
memory/1608-7-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/1760-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads