4ee7ce2fdad1a287ac5299129c80dfc3fedb2a5eb31a1af706d1fc466cb2839a

General

Target

bc.vbs
Size

169KB
MD5

c8d448840522a0d83b0a8a32cfa50352
SHA1

98f1145de8f3cc1764451ff65fa1c7051280c455
SHA256

4ee7ce2fdad1a287ac5299129c80dfc3fedb2a5eb31a1af706d1fc466cb2839a
SHA512

0ff8e8b9cd33ec9973fc14e55acf1648a3e6f7ce215157fb41aa737441f0b727934ab6a4cbae8ec7eff02872690bd72f2ae63cee1490b79cbd952b53e937bebd

Score

10^/10

upx

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 1996 created 544 1996 WerFault.exe svchost.exe
Executes dropped EXE 1 IoCs

Processes:

svchost.exe

pid process

544 svchost.exe

description	pid	process	target process
PID 1996 created 544	1996	WerFault.exe	svchost.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\svchost.exe	upx
C:\Users\Admin\AppData\Local\Temp\svchost.exe	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4644 544 WerFault.exe svchost.exe

pid	pid_target	process	target process
4644	544	WerFault.exe	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

svchost.exeWerFault.exe

pid process

544 svchost.exe
544 svchost.exe
4644 WerFault.exe
4644 WerFault.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

svchost.exe

pid	process
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe
544	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

svchost.exeWerFault.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	544	svchost.exe
Token: SeRestorePrivilege	4644	WerFault.exe
Token: SeBackupPrivilege	4644	WerFault.exe
Token: SeShutdownPrivilege	4340	svchost.exe
Token: SeCreatePagefilePrivilege	4340	svchost.exe
Token: SeShutdownPrivilege	4340	svchost.exe
Token: SeCreatePagefilePrivilege	4340	svchost.exe
Token: SeShutdownPrivilege	4340	svchost.exe
Token: SeCreatePagefilePrivilege	4340	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exesvchost.exe

description	pid	process	target process
PID 940 wrote to memory of 544	940	WScript.exe	svchost.exe
PID 940 wrote to memory of 544	940	WScript.exe	svchost.exe
PID 940 wrote to memory of 544	940	WScript.exe	svchost.exe
PID 544 wrote to memory of 612	544	svchost.exe	winlogon.exe
PID 544 wrote to memory of 612	544	svchost.exe	winlogon.exe
PID 544 wrote to memory of 612	544	svchost.exe	winlogon.exe
PID 544 wrote to memory of 612	544	svchost.exe	winlogon.exe
PID 544 wrote to memory of 612	544	svchost.exe	winlogon.exe
PID 544 wrote to memory of 612	544	svchost.exe	winlogon.exe
PID 544 wrote to memory of 660	544	svchost.exe	lsass.exe
PID 544 wrote to memory of 660	544	svchost.exe	lsass.exe
PID 544 wrote to memory of 660	544	svchost.exe	lsass.exe
PID 544 wrote to memory of 660	544	svchost.exe	lsass.exe
PID 544 wrote to memory of 660	544	svchost.exe	lsass.exe
PID 544 wrote to memory of 660	544	svchost.exe	lsass.exe
PID 544 wrote to memory of 780	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 780	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 780	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 780	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 780	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 780	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 792	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 792	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 792	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 792	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 792	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 792	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 800	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 800	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 800	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 800	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 800	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 800	544	svchost.exe	fontdrvhost.exe
PID 544 wrote to memory of 892	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 892	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 892	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 892	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 892	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 892	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 944	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 944	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 944	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 944	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 944	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 944	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 1020	544	svchost.exe	dwm.exe
PID 544 wrote to memory of 1020	544	svchost.exe	dwm.exe
PID 544 wrote to memory of 1020	544	svchost.exe	dwm.exe
PID 544 wrote to memory of 1020	544	svchost.exe	dwm.exe
PID 544 wrote to memory of 1020	544	svchost.exe	dwm.exe
PID 544 wrote to memory of 1020	544	svchost.exe	dwm.exe
PID 544 wrote to memory of 536	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 536	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 536	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 536	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 536	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 536	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 428	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 428	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 428	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 428	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 428	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 428	544	svchost.exe	svchost.exe
PID 544 wrote to memory of 836	544	svchost.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:612
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:1020
- C:\Windows\system32\fontdrvhost.exe
  "fontdrvhost.exe"
  2⤵
  PID:792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:780
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3420
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  2⤵
  PID:3352
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:3748
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:384
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  2⤵
  PID:788
- C:\Windows\system32\backgroundTaskHost.exe
  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  2⤵
  PID:1260
- C:\Windows\System32\RuntimeBroker.exe
  C:\Windows\System32\RuntimeBroker.exe -Embedding
  2⤵
  PID:4512
- C:\Windows\system32\SppExtComObj.exe
  C:\Windows\system32\SppExtComObj.exe -Embedding
  2⤵
  PID:4540
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:4136
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  2⤵
  PID:3496
- C:\Windows\system32\DllHost.exe
  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  2⤵
  PID:3252

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:536

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:2268

C:\Windows\system32\MusNotification.exe
C:\Windows\system32\MusNotification.exe
1⤵
PID:5084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:3672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
PID:2392

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
1⤵
PID:3760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2800

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3024
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bc.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 544 -s 288
      4⤵
      Program crash
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2716

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2704

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2536

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2356

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:2120

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2096

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:2056

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1956

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1920

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1800

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1780

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1676

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1644

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1540

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1304

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1108

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 544 -ip 544
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:1996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4340

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5
df455f0fa8fb3fa4e6699ad57ef54db6

SHA1
51a06248c251d614d3a81ac9d842ba807204d17c

SHA256
15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1

SHA512
f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5
df455f0fa8fb3fa4e6699ad57ef54db6

SHA1
51a06248c251d614d3a81ac9d842ba807204d17c

SHA256
15068b86edc0473a4f96f109830318e0540af348197e2b65f2e90ff32cfb14a1

SHA512
f69dea5b68e4fc8737fc0e6ef48476d3ed0a5ebd2f9dccc9d966df137f9ffdbb51e413a0852c22399afab53ea8a2755664afdcee6897a1cf387a9a620481b2a6

Download Submit
memory/544-131-0x0000000077272000-0x0000000077273000-memory.dmp

Filesize
4KB

Download
memory/544-132-0x0000000077273000-0x0000000077274000-memory.dmp

Filesize
4KB

Download
memory/4340-134-0x0000013129870000-0x0000013129880000-memory.dmp

Filesize
64KB

Download
memory/4340-135-0x00000131298D0000-0x00000131298E0000-memory.dmp

Filesize
64KB

Download
memory/4340-136-0x000001312BF90000-0x000001312BF94000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads