a078251c61a4f90bf60da47d99cea465be5d44057684d681fb3d94a20d2025bd

Analysis

max time kernel
31s
max time network
10s
platform
windows7_x64
resource
win7v20201028
submitted
15-01-2021 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

covid21.exe
Size

2.0MB
MD5

1a2e2d295e04f74437652dc9b8a2d03c
SHA1

e3565983ee402856c2cf4eec2ac6ff9636443fe9
SHA256

a078251c61a4f90bf60da47d99cea465be5d44057684d681fb3d94a20d2025bd
SHA512

7d5130ad41c4903aa66fc00b22bc3799ade4b6c3bb82db9aead43158aa03165159b59f8c16d8cf68fb297e69e6a13acc9708669d5916fe52b9254330c1f14df2

Score

8^/10

aspackv2 ransomware

Malware Config

Signatures

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\11DC.tmp\screenscrew.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\screenscrew.exe	aspack_v212_v242
\Users\Admin\AppData\Local\Temp\11DC.tmp\screenscrew.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\screenscrew.exe	aspack_v212_v242

Executes dropped EXE 3 IoCs

Processes:

CLWCP.exePayloadGDI.exescreenscrew.exe

pid process

1236 CLWCP.exe
844 PayloadGDI.exe
1480 screenscrew.exe
Loads dropped DLL 6 IoCs

Processes:

cmd.exe

pid process

1184 cmd.exe
1184 cmd.exe
1184 cmd.exe
1184 cmd.exe
1184 cmd.exe
1184 cmd.exe

pid	process
1236	CLWCP.exe
844	PayloadGDI.exe
1480	screenscrew.exe

pid	process
1184	cmd.exe
1184	cmd.exe
1184	cmd.exe
1184	cmd.exe
1184	cmd.exe
1184	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

CLWCP.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Control Panel\Desktop\Wallpaper = "c:\\covid21\\covid.bmp"	CLWCP.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1076 schtasks.exe

pid	process
1076	schtasks.exe

Delays execution with timeout.exe 15 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
368	timeout.exe
240	timeout.exe
956	timeout.exe
1644	timeout.exe
576	timeout.exe
1468	timeout.exe
344	timeout.exe
2020	timeout.exe
316	timeout.exe
1156	timeout.exe
1880	timeout.exe
1772	timeout.exe
1136	timeout.exe
1900	timeout.exe
1608	timeout.exe

Suspicious use of WriteProcessMemory 120 IoCs

Processes:

covid21.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 1184	2024	covid21.exe	cmd.exe
PID 2024 wrote to memory of 1184	2024	covid21.exe	cmd.exe
PID 2024 wrote to memory of 1184	2024	covid21.exe	cmd.exe
PID 2024 wrote to memory of 1184	2024	covid21.exe	cmd.exe
PID 1184 wrote to memory of 1236	1184	cmd.exe	CLWCP.exe
PID 1184 wrote to memory of 1236	1184	cmd.exe	CLWCP.exe
PID 1184 wrote to memory of 1236	1184	cmd.exe	CLWCP.exe
PID 1184 wrote to memory of 1236	1184	cmd.exe	CLWCP.exe
PID 1184 wrote to memory of 2016	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 2016	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 2016	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 2016	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 2020	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 2020	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 2020	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 2020	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 844	1184	cmd.exe	PayloadGDI.exe
PID 1184 wrote to memory of 844	1184	cmd.exe	PayloadGDI.exe
PID 1184 wrote to memory of 844	1184	cmd.exe	PayloadGDI.exe
PID 1184 wrote to memory of 844	1184	cmd.exe	PayloadGDI.exe
PID 1184 wrote to memory of 368	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 368	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 368	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 368	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1480	1184	cmd.exe	screenscrew.exe
PID 1184 wrote to memory of 1480	1184	cmd.exe	screenscrew.exe
PID 1184 wrote to memory of 1480	1184	cmd.exe	screenscrew.exe
PID 1184 wrote to memory of 1480	1184	cmd.exe	screenscrew.exe
PID 1184 wrote to memory of 240	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 240	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 240	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 240	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1404	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 1404	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 1404	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 1404	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 956	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 956	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 956	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 956	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 852	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 852	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 852	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 852	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 1644	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1644	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1644	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1644	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 572	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 572	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 572	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 572	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 1900	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1900	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1900	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1900	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1980	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 1980	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 1980	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 1980	1184	cmd.exe	WScript.exe
PID 1184 wrote to memory of 1880	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1880	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1880	1184	cmd.exe	timeout.exe
PID 1184 wrote to memory of 1880	1184	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\covid21.exe
"C:\Users\Admin\AppData\Local\Temp\covid21.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\11DC.tmp\covid21.bat" "
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184

C:\Users\Admin\AppData\Local\Temp\11DC.tmp\CLWCP.exe
clwcp c:\covid21\covid.bmp
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:1236

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\covid.vbs"
3⤵
PID:2016

C:\Windows\SysWOW64\timeout.exe
timeout 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:2020

C:\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadGDI.exe
PayloadGDI.exe
3⤵
- Executes dropped EXE
PID:844

C:\Windows\SysWOW64\timeout.exe
timeout 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:368

C:\Users\Admin\AppData\Local\Temp\11DC.tmp\screenscrew.exe
screenscrew.exe
3⤵
- Executes dropped EXE
PID:1480

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:240

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:1404

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:956

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:852

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1644

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:572

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1900

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:1980

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1880

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:1732

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1772

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:408

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:576

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:1552

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:316

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:1544

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:272

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1156

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:1900

C:\Windows\SysWOW64\timeout.exe
timeout 1 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1608

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs"
3⤵
PID:1772

C:\Windows\SysWOW64\timeout.exe
timeout 5 /nobreak
3⤵
- Delays execution with timeout.exe
PID:1136

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\covid21.vbs"
3⤵
PID:820

C:\Windows\SysWOW64\timeout.exe
timeout /3 /nobreak
3⤵
- Delays execution with timeout.exe
PID:344

C:\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadMBR.exe
PayloadMBR.exe
3⤵
PID:1608

C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /Create /TN "Windows Update" /ru SYSTEM /SC ONSTART /TR "C:\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadMBR.exe"
4⤵
- Creates scheduled task(s)
PID:1076

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\11DC.tmp\CLWCP.exe
MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\CLWCP.exe
MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadGDI.exe
MD5
a7ce5bee03c197f0a99427c4b590f4a0

SHA1
14d8617c51947fb49b3aba7e9aece83e5094cf71

SHA256
0c53a3ec2b432a9013546f92416109d7e8f64cea26ac2491635b4cf2a310d852

SHA512
7f3c56c42d899ada5acdc5c162391f9fa06455db08e6df0a57132ca5b1bb3d52e6dbc9342310480d45aa32915502aceb7552375a45d3fd1a54fee0e73af6024a

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadGDI.exe
MD5
a7ce5bee03c197f0a99427c4b590f4a0

SHA1
14d8617c51947fb49b3aba7e9aece83e5094cf71

SHA256
0c53a3ec2b432a9013546f92416109d7e8f64cea26ac2491635b4cf2a310d852

SHA512
7f3c56c42d899ada5acdc5c162391f9fa06455db08e6df0a57132ca5b1bb3d52e6dbc9342310480d45aa32915502aceb7552375a45d3fd1a54fee0e73af6024a

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadMBR.exe
MD5
d917af256a1d20b4eac477cdb189367b

SHA1
6c2fa4648b16b89c4f5664f1c3490ec2022eb5dd

SHA256
e40f57f6693f4b817beb50de68027aabbb0376ca94a774f86e3833baf93dc4c0

SHA512
fd2cb0fb398a5ddd0a52cf2efc733c606884aa68ec406bdbddb3a41b31d6f9c0f0c4837326a9d53b53202792867901899a8cf5024a5e542e8bdcee615be0b707

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadMBR.exe
MD5
d917af256a1d20b4eac477cdb189367b

SHA1
6c2fa4648b16b89c4f5664f1c3490ec2022eb5dd

SHA256
e40f57f6693f4b817beb50de68027aabbb0376ca94a774f86e3833baf93dc4c0

SHA512
fd2cb0fb398a5ddd0a52cf2efc733c606884aa68ec406bdbddb3a41b31d6f9c0f0c4837326a9d53b53202792867901899a8cf5024a5e542e8bdcee615be0b707

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\corona.vbs
MD5
f4de606815f3bd1bf38b83c91ac66c35

SHA1
abfb1ed384daa10b71c333d9a67721666cbe50ac

SHA256
aac0328f3782aefd5bb8a2df87b65dcc545a0f2cb4a0052f9068b53ba6d4e0d3

SHA512
1c7124dd589b4d4f673780d3ba9c942dcb6dfb65a06a20998a69a04c6af493aa96061bc2ce32b8f12d9074330b37d4fd6c513eda3246a5e736c2c8a760d81327

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\covid.bmp
MD5
cf4483270f71b38dcd27453333d0fd22

SHA1
7420b02927a46dc42de25944234bb02f6f9b4436

SHA256
5c65ac5249bcd106af671a36da4320b6acafe633369dcd45f72e73c4529122e7

SHA512
0ce1d66497f8c3863547d0c0131bda177e262ed7869f3047f6b56ce82c9e3308be1aa3438254bea2b4f2d0f712943a51e1e27394283afa70664bd81b2c6c69a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\covid.vbs
MD5
a3716f222b9a4ef9484e95557780a858

SHA1
00e0a1b1a0b1d4f0a99db8ee8110daf177ffd902

SHA256
11b7a39b5caf234d4f027868506fd75e859fa660e737efb95ee514c40e989ca4

SHA512
645f033e27ab65874f1f435912ceb71ec17e52fc24b1e80c07f2bfab7ad6e78a573f4188faedf5a7db7050c19f754605e68b81e48464e7c1d34f964b140d2752

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\covid21.bat
MD5
cb71400420494f3dd91d5cd070b01b3f

SHA1
6fee86981e62ad8ac96ede3435d7f7e9b18c9932

SHA256
25034dccdb96d86e3b797b7db7dd7786d74b51120196c44340a03b3291b3c9ac

SHA512
f3b9dad00c9efbcadd721cf225ec910cc0d6a644e3a86050a3a33cd28152bb3c6f836adca8803ff5553eab461d67472a167c1b6c25efb779aaa60ceb4b9e6285

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\covid21.vbs
MD5
87aaebe24d9cc38cb0357e9723cce915

SHA1
5c301a5165263fe382aefb758ff6494522b9d4f1

SHA256
0aa36c0a57c3f2c57ee9d674cefccd86970c239233f571718d434472c0f6ffba

SHA512
e5c905ead6f158b2908e0f802b9db99419088ec8a638753a875629c07a37748f6fba56e60d4712c113a5de1dbf730ff532b1b002af7262d0a96042851a6d4919

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\screenscrew.exe
MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\11DC.tmp\screenscrew.exe
MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
\??\c:\covid21\covid.bmp
MD5
cf4483270f71b38dcd27453333d0fd22

SHA1
7420b02927a46dc42de25944234bb02f6f9b4436

SHA256
5c65ac5249bcd106af671a36da4320b6acafe633369dcd45f72e73c4529122e7

SHA512
0ce1d66497f8c3863547d0c0131bda177e262ed7869f3047f6b56ce82c9e3308be1aa3438254bea2b4f2d0f712943a51e1e27394283afa70664bd81b2c6c69a4

Download Submit
\Users\Admin\AppData\Local\Temp\11DC.tmp\CLWCP.exe
MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
\Users\Admin\AppData\Local\Temp\11DC.tmp\CLWCP.exe
MD5
e62ee6f1efc85cb36d62ab779db6e4ec

SHA1
da07ec94cf2cb2b430e15bd0c5084996a47ee649

SHA256
13b4ec59785a1b367efb691a3d5c86eb5aaf1ca0062521c4782e1baac6633f8a

SHA512
8142086979ec1ca9675418e94326a40078400aff8587fc613e17164e034badd828e9615589e6cb8b9339da7cdc9bcb8c48e0890c5f288068f4b86ff659670a69

Download Submit
\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadGDI.exe
MD5
a7ce5bee03c197f0a99427c4b590f4a0

SHA1
14d8617c51947fb49b3aba7e9aece83e5094cf71

SHA256
0c53a3ec2b432a9013546f92416109d7e8f64cea26ac2491635b4cf2a310d852

SHA512
7f3c56c42d899ada5acdc5c162391f9fa06455db08e6df0a57132ca5b1bb3d52e6dbc9342310480d45aa32915502aceb7552375a45d3fd1a54fee0e73af6024a

Download Submit
\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadGDI.exe
MD5
a7ce5bee03c197f0a99427c4b590f4a0

SHA1
14d8617c51947fb49b3aba7e9aece83e5094cf71

SHA256
0c53a3ec2b432a9013546f92416109d7e8f64cea26ac2491635b4cf2a310d852

SHA512
7f3c56c42d899ada5acdc5c162391f9fa06455db08e6df0a57132ca5b1bb3d52e6dbc9342310480d45aa32915502aceb7552375a45d3fd1a54fee0e73af6024a

Download Submit
\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadMBR.exe
MD5
d917af256a1d20b4eac477cdb189367b

SHA1
6c2fa4648b16b89c4f5664f1c3490ec2022eb5dd

SHA256
e40f57f6693f4b817beb50de68027aabbb0376ca94a774f86e3833baf93dc4c0

SHA512
fd2cb0fb398a5ddd0a52cf2efc733c606884aa68ec406bdbddb3a41b31d6f9c0f0c4837326a9d53b53202792867901899a8cf5024a5e542e8bdcee615be0b707

Download Submit
\Users\Admin\AppData\Local\Temp\11DC.tmp\PayloadMBR.exe
MD5
d917af256a1d20b4eac477cdb189367b

SHA1
6c2fa4648b16b89c4f5664f1c3490ec2022eb5dd

SHA256
e40f57f6693f4b817beb50de68027aabbb0376ca94a774f86e3833baf93dc4c0

SHA512
fd2cb0fb398a5ddd0a52cf2efc733c606884aa68ec406bdbddb3a41b31d6f9c0f0c4837326a9d53b53202792867901899a8cf5024a5e542e8bdcee615be0b707

Download Submit
\Users\Admin\AppData\Local\Temp\11DC.tmp\screenscrew.exe
MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
\Users\Admin\AppData\Local\Temp\11DC.tmp\screenscrew.exe
MD5
e87a04c270f98bb6b5677cc789d1ad1d

SHA1
8c14cb338e23d4a82f6310d13b36729e543ff0ca

SHA256
e03520794f00fb39ef3cfff012f72a5d03c60f89de28dbe69016f6ed151b5338

SHA512
8784f4d42908e54ecedfb06b254992c63920f43a27903ccedd336daaeed346db44e1f40e7db971735da707b5b32206be1b1571bc0d6a2d6eb90bbf9d1f69de13

Download Submit
memory/240-25-0x0000000000000000-mapping.dmp

Download
memory/272-43-0x0000000000000000-mapping.dmp

Download
memory/316-40-0x0000000000000000-mapping.dmp

Download
memory/344-50-0x0000000000000000-mapping.dmp

Download
memory/368-19-0x0000000000000000-mapping.dmp

Download
memory/408-37-0x0000000000000000-mapping.dmp

Download
memory/572-31-0x0000000000000000-mapping.dmp

Download
memory/576-38-0x0000000000000000-mapping.dmp

Download
memory/820-49-0x0000000000000000-mapping.dmp

Download
memory/844-17-0x0000000000000000-mapping.dmp

Download
memory/852-29-0x0000000000000000-mapping.dmp

Download
memory/956-27-0x0000000000000000-mapping.dmp

Download
memory/1076-57-0x0000000000000000-mapping.dmp

Download
memory/1136-48-0x0000000000000000-mapping.dmp

Download
memory/1156-44-0x0000000000000000-mapping.dmp

Download
memory/1184-2-0x0000000000000000-mapping.dmp

Download
memory/1236-8-0x0000000000000000-mapping.dmp

Download
memory/1404-26-0x0000000000000000-mapping.dmp

Download
memory/1468-42-0x0000000000000000-mapping.dmp

Download
memory/1480-23-0x0000000000000000-mapping.dmp

Download
memory/1544-41-0x0000000000000000-mapping.dmp

Download
memory/1552-39-0x0000000000000000-mapping.dmp

Download
memory/1608-55-0x0000000000000000-mapping.dmp

Download
memory/1608-46-0x0000000000000000-mapping.dmp

Download
memory/1644-30-0x0000000000000000-mapping.dmp

Download
memory/1732-35-0x0000000000000000-mapping.dmp

Download
memory/1772-47-0x0000000000000000-mapping.dmp

Download
memory/1772-36-0x0000000000000000-mapping.dmp

Download
memory/1880-34-0x0000000000000000-mapping.dmp

Download
memory/1900-32-0x0000000000000000-mapping.dmp

Download
memory/1900-45-0x0000000000000000-mapping.dmp

Download
memory/1980-33-0x0000000000000000-mapping.dmp

Download
memory/2016-11-0x0000000000000000-mapping.dmp

Download
memory/2020-12-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads