6d22e09e56ea48a1f1f3e84a511bae12f9aac12025e722c4463f845fe6495c5b

Analysis

max time kernel
152s
max time network
152s
platform
windows7_x64
resource
win7v20210408
submitted
21-06-2021 09:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bad.exe
Size

444KB
MD5

e869d577fdb63504a7886dafda500ff5
SHA1

7f1067d951f5dfe33323076e558c53c96ae140f2
SHA256

6d22e09e56ea48a1f1f3e84a511bae12f9aac12025e722c4463f845fe6495c5b
SHA512

dd70868c3b534e1c2a8e8d9ff149fc36cae6a0604073da405285289249924af8ef9422f819db7502b9e734dc7d78af633a16e571b48d23e95bc29378c0fe0c23

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 64 IoCs

Processes:

pid	process
756	bad.exe
756	bad.exe
1264	bad.exe
1264	bad.exe
1276	bad.exe
1276	bad.exe
360	bad.exe
360	bad.exe
616	bad.exe
616	bad.exe
324	bad.exe
324	bad.exe
1528	bad.exe
1528	bad.exe
328	bad.exe
328	bad.exe
1712	bad.exe
1712	bad.exe
2036	bad.exe
2036	bad.exe
1880	bad.exe
1880	bad.exe
1316	bad.exe
1316	bad.exe
652	bad.exe
652	bad.exe
112	bad.exe
112	bad.exe
1000	bad.exe
1000	bad.exe
1568	bad.exe
1568	bad.exe
1804	bad.exe
1804	bad.exe
1708	bad.exe
1708	bad.exe
1820	bad.exe
1820	bad.exe
1408	bad.exe
1408	bad.exe
1264	bad.exe
1264	bad.exe
920	bad.exe
920	bad.exe
916	bad.exe
916	bad.exe
1340	bad.exe
1340	bad.exe
1316	bad.exe
1316	bad.exe
1640	bad.exe
1640	bad.exe
2020	bad.exe
2020	bad.exe
1272	bad.exe
1272	bad.exe
568	bad.exe
568	bad.exe
1040	bad.exe
1040	bad.exe
1568	bad.exe
1568	bad.exe
1696	bad.exe
1696	bad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

bad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exe

pid	process
756	bad.exe
756	bad.exe
756	bad.exe
756	bad.exe
1264	bad.exe
1264	bad.exe
1264	bad.exe
1264	bad.exe
1276	bad.exe
1276	bad.exe
1276	bad.exe
1276	bad.exe
360	bad.exe
360	bad.exe
360	bad.exe
360	bad.exe
616	bad.exe
616	bad.exe
616	bad.exe
616	bad.exe
324	bad.exe
324	bad.exe
324	bad.exe
324	bad.exe
1528	bad.exe
1528	bad.exe
1528	bad.exe
1528	bad.exe
328	bad.exe
328	bad.exe
328	bad.exe
328	bad.exe
1712	bad.exe
1712	bad.exe
1712	bad.exe
1712	bad.exe
2036	bad.exe
2036	bad.exe
2036	bad.exe
2036	bad.exe
1880	bad.exe
1880	bad.exe
1880	bad.exe
1880	bad.exe
1316	bad.exe
1316	bad.exe
1316	bad.exe
1316	bad.exe
652	bad.exe
652	bad.exe
652	bad.exe
652	bad.exe
112	bad.exe
112	bad.exe
112	bad.exe
112	bad.exe
1000	bad.exe
1000	bad.exe
1000	bad.exe
1000	bad.exe
1568	bad.exe
1568	bad.exe
1568	bad.exe
1568	bad.exe

Suspicious behavior: MapViewOfSection 53 IoCs

Processes:

bad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exe

pid	process
756	bad.exe
1264	bad.exe
1276	bad.exe
360	bad.exe
616	bad.exe
616	bad.exe
324	bad.exe
1528	bad.exe
328	bad.exe
1712	bad.exe
2036	bad.exe
1880	bad.exe
1316	bad.exe
652	bad.exe
112	bad.exe
1000	bad.exe
1568	bad.exe
1804	bad.exe
1708	bad.exe
1820	bad.exe
1408	bad.exe
1408	bad.exe
1264	bad.exe
920	bad.exe
916	bad.exe
1340	bad.exe
1316	bad.exe
1640	bad.exe
2020	bad.exe
1272	bad.exe
568	bad.exe
1040	bad.exe
1568	bad.exe
1696	bad.exe
1848	bad.exe
1848	bad.exe
848	bad.exe
848	bad.exe
1712	bad.exe
304	bad.exe
1360	bad.exe
1264	bad.exe
1872	bad.exe
1884	bad.exe
1880	bad.exe
1008	bad.exe
1008	bad.exe
1756	bad.exe
468	bad.exe
468	bad.exe
1816	bad.exe
712	bad.exe
1000	bad.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bad.exebad.exebad.exebad.exebad.exebad.exebad.exebad.exe

description	pid	process	target process
PID 756 wrote to memory of 1612	756	bad.exe	MSBuild.exe
PID 756 wrote to memory of 1612	756	bad.exe	MSBuild.exe
PID 756 wrote to memory of 1612	756	bad.exe	MSBuild.exe
PID 756 wrote to memory of 1612	756	bad.exe	MSBuild.exe
PID 756 wrote to memory of 1612	756	bad.exe	MSBuild.exe
PID 756 wrote to memory of 1264	756	bad.exe	bad.exe
PID 756 wrote to memory of 1264	756	bad.exe	bad.exe
PID 756 wrote to memory of 1264	756	bad.exe	bad.exe
PID 756 wrote to memory of 1264	756	bad.exe	bad.exe
PID 1264 wrote to memory of 1204	1264	bad.exe	MSBuild.exe
PID 1264 wrote to memory of 1204	1264	bad.exe	MSBuild.exe
PID 1264 wrote to memory of 1204	1264	bad.exe	MSBuild.exe
PID 1264 wrote to memory of 1204	1264	bad.exe	MSBuild.exe
PID 1264 wrote to memory of 1204	1264	bad.exe	MSBuild.exe
PID 1264 wrote to memory of 1276	1264	bad.exe	bad.exe
PID 1264 wrote to memory of 1276	1264	bad.exe	bad.exe
PID 1264 wrote to memory of 1276	1264	bad.exe	bad.exe
PID 1264 wrote to memory of 1276	1264	bad.exe	bad.exe
PID 1276 wrote to memory of 1884	1276	bad.exe	MSBuild.exe
PID 1276 wrote to memory of 1884	1276	bad.exe	MSBuild.exe
PID 1276 wrote to memory of 1884	1276	bad.exe	MSBuild.exe
PID 1276 wrote to memory of 1884	1276	bad.exe	MSBuild.exe
PID 1276 wrote to memory of 1884	1276	bad.exe	MSBuild.exe
PID 1276 wrote to memory of 360	1276	bad.exe	bad.exe
PID 1276 wrote to memory of 360	1276	bad.exe	bad.exe
PID 1276 wrote to memory of 360	1276	bad.exe	bad.exe
PID 1276 wrote to memory of 360	1276	bad.exe	bad.exe
PID 360 wrote to memory of 1844	360	bad.exe	MSBuild.exe
PID 360 wrote to memory of 1844	360	bad.exe	MSBuild.exe
PID 360 wrote to memory of 1844	360	bad.exe	MSBuild.exe
PID 360 wrote to memory of 1844	360	bad.exe	MSBuild.exe
PID 360 wrote to memory of 1844	360	bad.exe	MSBuild.exe
PID 360 wrote to memory of 616	360	bad.exe	bad.exe
PID 360 wrote to memory of 616	360	bad.exe	bad.exe
PID 360 wrote to memory of 616	360	bad.exe	bad.exe
PID 360 wrote to memory of 616	360	bad.exe	bad.exe
PID 616 wrote to memory of 2020	616	bad.exe	MSBuild.exe
PID 616 wrote to memory of 2020	616	bad.exe	MSBuild.exe
PID 616 wrote to memory of 2020	616	bad.exe	MSBuild.exe
PID 616 wrote to memory of 2020	616	bad.exe	MSBuild.exe
PID 616 wrote to memory of 2020	616	bad.exe	MSBuild.exe
PID 616 wrote to memory of 324	616	bad.exe	bad.exe
PID 616 wrote to memory of 324	616	bad.exe	bad.exe
PID 616 wrote to memory of 324	616	bad.exe	bad.exe
PID 616 wrote to memory of 324	616	bad.exe	bad.exe
PID 324 wrote to memory of 568	324	bad.exe	MSBuild.exe
PID 324 wrote to memory of 568	324	bad.exe	MSBuild.exe
PID 324 wrote to memory of 568	324	bad.exe	MSBuild.exe
PID 324 wrote to memory of 568	324	bad.exe	MSBuild.exe
PID 324 wrote to memory of 568	324	bad.exe	MSBuild.exe
PID 324 wrote to memory of 1528	324	bad.exe	bad.exe
PID 324 wrote to memory of 1528	324	bad.exe	bad.exe
PID 324 wrote to memory of 1528	324	bad.exe	bad.exe
PID 324 wrote to memory of 1528	324	bad.exe	bad.exe
PID 1528 wrote to memory of 1576	1528	bad.exe	MSBuild.exe
PID 1528 wrote to memory of 1576	1528	bad.exe	MSBuild.exe
PID 1528 wrote to memory of 1576	1528	bad.exe	MSBuild.exe
PID 1528 wrote to memory of 1576	1528	bad.exe	MSBuild.exe
PID 1528 wrote to memory of 1576	1528	bad.exe	MSBuild.exe
PID 1528 wrote to memory of 328	1528	bad.exe	bad.exe
PID 1528 wrote to memory of 328	1528	bad.exe	bad.exe
PID 1528 wrote to memory of 328	1528	bad.exe	bad.exe
PID 1528 wrote to memory of 328	1528	bad.exe	bad.exe
PID 328 wrote to memory of 1620	328	bad.exe	MSBuild.exe

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
2⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
3⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
4⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
4⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
5⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
5⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
6⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
6⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
7⤵
PID:568

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
7⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
8⤵
PID:1576

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
8⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
9⤵
PID:1620

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
9⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
10⤵
PID:1104

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
10⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
11⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
11⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
12⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
12⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
13⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
13⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
14⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
14⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:112

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
15⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
15⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
16⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
16⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
17⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
17⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1804

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
18⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
18⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1708

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
19⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
19⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1820

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
20⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
20⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
21⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
21⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
22⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
22⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:920

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
23⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
23⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:916

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
24⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
24⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
25⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
25⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1316

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
26⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
26⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
27⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
27⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:2020

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
28⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
28⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
29⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
29⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
30⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
30⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
31⤵
PID:324

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
31⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
32⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
32⤵
- Loads dropped DLL
- Suspicious behavior: MapViewOfSection
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
33⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
33⤵
- Suspicious behavior: MapViewOfSection
PID:1848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
34⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
34⤵
- Suspicious behavior: MapViewOfSection
PID:848

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
35⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
35⤵
- Suspicious behavior: MapViewOfSection
PID:1712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
36⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
36⤵
- Suspicious behavior: MapViewOfSection
PID:304

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
37⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
37⤵
- Suspicious behavior: MapViewOfSection
PID:1360

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
38⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
38⤵
- Suspicious behavior: MapViewOfSection
PID:1264

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
39⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
39⤵
- Suspicious behavior: MapViewOfSection
PID:1872

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
40⤵
PID:944

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
40⤵
- Suspicious behavior: MapViewOfSection
PID:1884

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
41⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
41⤵
- Suspicious behavior: MapViewOfSection
PID:1880

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
42⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
42⤵
- Suspicious behavior: MapViewOfSection
PID:1008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
43⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
43⤵
- Suspicious behavior: MapViewOfSection
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
44⤵
PID:1476

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
44⤵
- Suspicious behavior: MapViewOfSection
PID:468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
45⤵
PID:1100

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
45⤵
- Suspicious behavior: MapViewOfSection
PID:1816

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
46⤵
PID:1280

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
46⤵
- Suspicious behavior: MapViewOfSection
PID:712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
47⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\bad.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
47⤵
- Suspicious behavior: MapViewOfSection
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Users\Admin\AppData\Local\Temp\bad.exe"
48⤵
PID:324

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
31702b03c4fa916671837232542ac619

SHA1
71fd52b06e97c1b3f7cdd272290fdfd34fe54ed2

SHA256
f992bb6d7b5933d639f55900e0c4c9092768a8b268e20118205326d3f12fdec6

SHA512
d32c89652655046c9094b1d33128f8751066ed79875af39a94dfc445561900588db0dc711ef0aa195000cbb94338e5ca35c45f2511cf2a47235a0b73ef4c198c

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
22cf8f80898bfb4fba8cab07fdbb68ec

SHA1
dda807e70a5902929e1410c4d0d6e3a1e3f20eac

SHA256
37d770be1ac6716f8be33274e3e84e439c2079d25cb3cc4a59b18b432cef1f24

SHA512
30aaffe6ece4d2b22829a6a52e1a335251be1fb4cb8cc7b5081127e1862bebb99f1111bd9c9109e8ed4f83c83cebcf964c39901c485826c83389113ac9d7f16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\62vb1dvxilftqk6ei
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
72a1451031420737e0c8c214887def3c

SHA1
f73bdca87445f90cfb546b477745cd88a671237d

SHA256
b2268ede73b7bda06d97fab30665604e74f7f002c3b0cd617fd5a7c18ef86bc2

SHA512
9b05e569f6cff58a5d9bd8404fa64eb87db23cefabae01e673ddc9f2b347278aafcd2781ea2986a821a11301849db3916b7fec6c25023bd77713b20830cd2bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
72a1451031420737e0c8c214887def3c

SHA1
f73bdca87445f90cfb546b477745cd88a671237d

SHA256
b2268ede73b7bda06d97fab30665604e74f7f002c3b0cd617fd5a7c18ef86bc2

SHA512
9b05e569f6cff58a5d9bd8404fa64eb87db23cefabae01e673ddc9f2b347278aafcd2781ea2986a821a11301849db3916b7fec6c25023bd77713b20830cd2bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
72a1451031420737e0c8c214887def3c

SHA1
f73bdca87445f90cfb546b477745cd88a671237d

SHA256
b2268ede73b7bda06d97fab30665604e74f7f002c3b0cd617fd5a7c18ef86bc2

SHA512
9b05e569f6cff58a5d9bd8404fa64eb87db23cefabae01e673ddc9f2b347278aafcd2781ea2986a821a11301849db3916b7fec6c25023bd77713b20830cd2bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
72a1451031420737e0c8c214887def3c

SHA1
f73bdca87445f90cfb546b477745cd88a671237d

SHA256
b2268ede73b7bda06d97fab30665604e74f7f002c3b0cd617fd5a7c18ef86bc2

SHA512
9b05e569f6cff58a5d9bd8404fa64eb87db23cefabae01e673ddc9f2b347278aafcd2781ea2986a821a11301849db3916b7fec6c25023bd77713b20830cd2bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
72a1451031420737e0c8c214887def3c

SHA1
f73bdca87445f90cfb546b477745cd88a671237d

SHA256
b2268ede73b7bda06d97fab30665604e74f7f002c3b0cd617fd5a7c18ef86bc2

SHA512
9b05e569f6cff58a5d9bd8404fa64eb87db23cefabae01e673ddc9f2b347278aafcd2781ea2986a821a11301849db3916b7fec6c25023bd77713b20830cd2bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
5e3c9ac23bc3a956008ceab85307df1d

SHA1
f217a9519be9d44c1fb167665b8eb9c410600cda

SHA256
b45d6857a5cc6abae6208a311927246d8a80ecb2217e15e1e5413406c0a62b57

SHA512
5a0e8d37d2ac837213d5fd8c28547071629e7c24fff54d60da7a47fc98e2109f565ad9af5c2aa757c644a95233e6741922b753118e980e1c1a618bd1356f8ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
72a1451031420737e0c8c214887def3c

SHA1
f73bdca87445f90cfb546b477745cd88a671237d

SHA256
b2268ede73b7bda06d97fab30665604e74f7f002c3b0cd617fd5a7c18ef86bc2

SHA512
9b05e569f6cff58a5d9bd8404fa64eb87db23cefabae01e673ddc9f2b347278aafcd2781ea2986a821a11301849db3916b7fec6c25023bd77713b20830cd2bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
5e3c9ac23bc3a956008ceab85307df1d

SHA1
f217a9519be9d44c1fb167665b8eb9c410600cda

SHA256
b45d6857a5cc6abae6208a311927246d8a80ecb2217e15e1e5413406c0a62b57

SHA512
5a0e8d37d2ac837213d5fd8c28547071629e7c24fff54d60da7a47fc98e2109f565ad9af5c2aa757c644a95233e6741922b753118e980e1c1a618bd1356f8ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
72a1451031420737e0c8c214887def3c

SHA1
f73bdca87445f90cfb546b477745cd88a671237d

SHA256
b2268ede73b7bda06d97fab30665604e74f7f002c3b0cd617fd5a7c18ef86bc2

SHA512
9b05e569f6cff58a5d9bd8404fa64eb87db23cefabae01e673ddc9f2b347278aafcd2781ea2986a821a11301849db3916b7fec6c25023bd77713b20830cd2bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
72a1451031420737e0c8c214887def3c

SHA1
f73bdca87445f90cfb546b477745cd88a671237d

SHA256
b2268ede73b7bda06d97fab30665604e74f7f002c3b0cd617fd5a7c18ef86bc2

SHA512
9b05e569f6cff58a5d9bd8404fa64eb87db23cefabae01e673ddc9f2b347278aafcd2781ea2986a821a11301849db3916b7fec6c25023bd77713b20830cd2bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
72a1451031420737e0c8c214887def3c

SHA1
f73bdca87445f90cfb546b477745cd88a671237d

SHA256
b2268ede73b7bda06d97fab30665604e74f7f002c3b0cd617fd5a7c18ef86bc2

SHA512
9b05e569f6cff58a5d9bd8404fa64eb87db23cefabae01e673ddc9f2b347278aafcd2781ea2986a821a11301849db3916b7fec6c25023bd77713b20830cd2bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
6800e1b0bf5dc64cbd3c2f8d75373117

SHA1
febf9999da116f68b91cc58e5dfe9ec7ae1e5cd3

SHA256
7501c49b9d8fc5021185d2fd727612c0a83172af8e4de1a806481b1b4bd26d18

SHA512
e15c81d6f7fbdb75026617d5983b4ad93a50f19ff26c6402a91675334f3dcc6f146c0417b8e95488e9e0304e1f08d6ae36d5ec5102c70799e9f3f9fefe26f8ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmrpeqgekmdylao
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2CCC.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd2CCC.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd92EE.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsd92EE.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD470.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdD470.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE0EE.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsdE0EE.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi201F.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi201F.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6D5.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsi6D5.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiA1AD.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiA1AD.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiED8B.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsiED8B.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsn1372.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsn1372.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsn52D2.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsn52D2.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nss4625.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nss4625.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nssAE69.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nssAE69.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nssBB35.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nssBB35.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nssC7B3.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nssC7B3.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3979.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3979.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFA19.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
\Users\Admin\AppData\Local\Temp\nsyFA19.tmp\System.dll
MD5
fccff8cb7a1067e23fd2e2b63971a8e1

SHA1
30e2a9e137c1223a78a0f7b0bf96a1c361976d91

SHA256
6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

SHA512
f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

Download Submit
memory/112-135-0x0000000000000000-mapping.dmp

Download
memory/304-193-0x0000000000000000-mapping.dmp

Download
memory/324-87-0x0000000000000000-mapping.dmp

Download
memory/328-99-0x0000000000000000-mapping.dmp

Download
memory/360-75-0x0000000000000000-mapping.dmp

Download
memory/468-209-0x0000000000000000-mapping.dmp

Download
memory/568-179-0x0000000000000000-mapping.dmp

Download
memory/616-81-0x0000000000000000-mapping.dmp

Download
memory/652-129-0x0000000000000000-mapping.dmp

Download
memory/712-213-0x0000000000000000-mapping.dmp

Download
memory/756-60-0x00000000750C1000-0x00000000750C3000-memory.dmp

Filesize
8KB

Download
memory/848-189-0x0000000000000000-mapping.dmp

Download
memory/916-167-0x0000000000000000-mapping.dmp

Download
memory/920-165-0x0000000000000000-mapping.dmp

Download
memory/1000-141-0x0000000000000000-mapping.dmp

Download
memory/1000-215-0x0000000000000000-mapping.dmp

Download
memory/1008-205-0x0000000000000000-mapping.dmp

Download
memory/1040-181-0x0000000000000000-mapping.dmp

Download
memory/1264-197-0x0000000000000000-mapping.dmp

Download
memory/1264-163-0x0000000000000000-mapping.dmp

Download
memory/1264-63-0x0000000000000000-mapping.dmp

Download
memory/1272-177-0x0000000000000000-mapping.dmp

Download
memory/1276-69-0x0000000000000000-mapping.dmp

Download
memory/1316-123-0x0000000000000000-mapping.dmp

Download
memory/1316-171-0x0000000000000000-mapping.dmp

Download
memory/1340-169-0x0000000000000000-mapping.dmp

Download
memory/1360-195-0x0000000000000000-mapping.dmp

Download
memory/1408-161-0x0000000000000000-mapping.dmp

Download
memory/1528-93-0x0000000000000000-mapping.dmp

Download
memory/1568-147-0x0000000000000000-mapping.dmp

Download
memory/1568-183-0x0000000000000000-mapping.dmp

Download
memory/1640-173-0x0000000000000000-mapping.dmp

Download
memory/1696-185-0x0000000000000000-mapping.dmp

Download
memory/1708-157-0x0000000000000000-mapping.dmp

Download
memory/1712-105-0x0000000000000000-mapping.dmp

Download
memory/1712-191-0x0000000000000000-mapping.dmp

Download
memory/1756-207-0x0000000000000000-mapping.dmp

Download
memory/1804-153-0x0000000000000000-mapping.dmp

Download
memory/1816-211-0x0000000000000000-mapping.dmp

Download
memory/1820-159-0x0000000000000000-mapping.dmp

Download
memory/1848-187-0x0000000000000000-mapping.dmp

Download
memory/1872-199-0x0000000000000000-mapping.dmp

Download
memory/1880-203-0x0000000000000000-mapping.dmp

Download
memory/1880-117-0x0000000000000000-mapping.dmp

Download
memory/1884-201-0x0000000000000000-mapping.dmp

Download
memory/2020-175-0x0000000000000000-mapping.dmp

Download
memory/2036-111-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads