7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed

General

Target

7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe
Size

22KB
MD5

c6b6ec00b64069d66c8d14d65f7cfd8f
SHA1

b90e6bf12728fa3b0984aabc32b39f1db082a1da
SHA256

7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed
SHA512

c9d7c97c63806e87804c33530f48ba950542ba28421d354cb287c9bf027ff5a853b76200e87eadd3cde0469f4b8c93f8c4bc0e71f5e4aa1cdf33e05c0673254a

Score

10^/10

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4220 created 4972 4220 WerFault.exe 7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe

description	pid	process	target process
PID 4220 created 4972	4220	WerFault.exe	7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe

Drops file in System32 directory 6 IoCs

Processes:

WaaSMedicAgent.exesihclient.exeWaaSMedicAgent.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	sihclient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	sihclient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exeTiWorker.exesihclient.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\BITCD8C.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\Windows10.0-KB5004342-x64-NDP48.cab	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab	sihclient.exe
File opened for modification	C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab	sihclient.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4124 4972 WerFault.exe 7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe

pid	pid_target	process	target process
4124	4972	WerFault.exe	7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

WaaSMedicAgent.exeWaaSMedicAgent.exeWaaSMedicAgent.exesvchost.exesihclient.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WerFault.exe

pid process

4124 WerFault.exe
4124 WerFault.exe

pid	process
4124	WerFault.exe
4124	WerFault.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

TiWorker.exe

description	pid	process
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe
Token: SeRestorePrivilege	4680	TiWorker.exe
Token: SeSecurityPrivilege	4680	TiWorker.exe
Token: SeBackupPrivilege	4680	TiWorker.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

WerFault.exe

description	pid	process	target process
PID 4220 wrote to memory of 4972	4220	WerFault.exe	7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe
PID 4220 wrote to memory of 4972	4220	WerFault.exe	7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe

C:\Users\Admin\AppData\Local\Temp\7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe
"C:\Users\Admin\AppData\Local\Temp\7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed.exe"
1⤵
PID:4972
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4972 -s 152
  2⤵
  - Program crash
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4124

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4972 -ip 4972
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:4220

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv sjuMneG/lkSK2C7c/HduvQ.0.2
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4584

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4496

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f3a62cb651cc7b970e2dca730e260b2e sjuMneG/lkSK2C7c/HduvQ.0.1.0.3.0
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3112

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4680

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f3a62cb651cc7b970e2dca730e260b2e sjuMneG/lkSK2C7c/HduvQ.0.1.0.3.0
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1176

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f3a62cb651cc7b970e2dca730e260b2e sjuMneG/lkSK2C7c/HduvQ.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:2244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5
8a80554c91d9fca8acb82f023de02f11

SHA1
5f36b2ea290645ee34d943220a14b54ee5ea5be5

SHA256
ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

SHA512
ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5
d7a6e7546e1abb638c8f13c0e7c9173a

SHA1
c594ce05e31a0ed3d3ba1ac7d4bf0cc257d16d14

SHA256
4271a31911d6b081ce879c0d78cf043335983a6198292e1d7bbcfeef6f728e42

SHA512
4200a8e3f11009f4daefd97533ab49f6c662fae678ce3f5d996e30636b0b0ca8e953c654da4f33838a5bc7bde3c459245602ebc50c81c0a89d66d81bead6d1fe

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5
7a0778ddf3c007e5c9fdeb6821d42ff8

SHA1
bf5e52fa3bfef2a930acfefbcfc90baf96937fa4

SHA256
9e7ba9b4423d45cbb8d47739b1c387a6e386a00b76bcffe689dcda4718e38144

SHA512
7341b2e29e25be61d3bdbd7343319abbccb26e73183a8b8b53d062840285b39ea4b5f6cb48376e19501b8ebc4b67e75297678b13bea5230a6c15dd0eb8e4ac60

Download Submit
memory/2996-146-0x000001FA99660000-0x000001FA99670000-memory.dmp

Filesize
64KB

Download
memory/2996-147-0x000001FA996E0000-0x000001FA996F0000-memory.dmp

Filesize
64KB

Download
memory/2996-148-0x000001FA9BCE0000-0x000001FA9BCE4000-memory.dmp

Filesize
16KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads