03dbd12b32d587d1075f9c157579ef8f4116e2925134925078311b1af5ed7902

General

Target

ForkBomb.exe
Size

5.9MB
MD5

7abeb676f65cd7571a2eb0ff72da9958
SHA1

1f58501eb857bc9b6842273fd40e13ae01057656
SHA256

ccb8a1b6cb26e6238694749efc490ee9f50381066da7d9f4c8e69650cbeb63d3
SHA512

6900b053bba4029c8a5001cef41aeac0cc76f1b7407f7bbd72f24ef3c3566c49d6d3f6ef462515bf06a4c04e951863127043cf4d4d24ee83d5823cebc5d64384

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

ForkBomb.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	ForkBomb.exe

Loads dropped DLL 3 IoCs

Processes:

ForkBomb.exe

pid process

4920 ForkBomb.exe
4920 ForkBomb.exe
4920 ForkBomb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ForkBomb.exe

description pid process

Token: 35 4920 ForkBomb.exe

pid	process
4920	ForkBomb.exe
4920	ForkBomb.exe
4920	ForkBomb.exe

description	pid	process
Token: 35	4920	ForkBomb.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

ForkBomb.exeForkBomb.exe

description	pid	process	target process
PID 4476 wrote to memory of 4920	4476	ForkBomb.exe	ForkBomb.exe
PID 4476 wrote to memory of 4920	4476	ForkBomb.exe	ForkBomb.exe
PID 4920 wrote to memory of 1144	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 1144	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 3392	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 3392	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 5004	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 5004	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 3492	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 3492	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 4744	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 4744	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 4796	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 4796	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 1452	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 1452	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 952	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 952	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 1936	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 1936	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 3324	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 3324	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 3092	4920	ForkBomb.exe	cmd.exe
PID 4920 wrote to memory of 3092	4920	ForkBomb.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\ForkBomb.exe
"C:\Users\Admin\AppData\Local\Temp\ForkBomb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4476

C:\Users\Admin\AppData\Local\Temp\ForkBomb.exe
"C:\Users\Admin\AppData\Local\Temp\ForkBomb.exe"
2⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3392

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3492

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4744

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4796

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:952

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:220

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3664

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4376

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1916

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4388

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1928

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:408

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1972

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1920

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2132

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2964

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:4084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:3572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5048

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:1188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5136

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5180

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5256

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5324

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5288

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5436

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5508

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5548

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5600

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5896

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5228

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5608

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:5868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6200

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6260

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6320

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6452

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6556

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6596

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6636

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6688

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6764

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6732

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6656

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7000

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7064

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7152

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6472

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6252

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7292

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7360

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7368

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7284

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7540

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7640

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7628

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7712

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7860

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7948

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7988

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8112

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:6884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7464

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7356

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7572

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8240

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8188

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8300

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8308

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8396

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8448

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8440

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8512

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8696

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8828

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8604

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8864

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8980

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:7904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8616

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9236

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:8968

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9404

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9456

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9484

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9520

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9496

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9940

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10020

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:9924

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10080

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10168

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10140

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10212

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10248

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10380

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10420

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10476

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10468

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10372

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10632

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:10844

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI44762\ForkBomb.exe.manifest
Filesize
1KB

MD5
6d094eb37e5ac137310f1c0b4d190139

SHA1
1761ce897f9b308ecc643fe82a53ac69973c32ad

SHA256
137cbef28bf024fd069c2a0ba0fd2219b7857bd7ae806b0a1ff3ae9f6aeeafa5

SHA512
d1852be68bc1e7d35f17958424426bdf039f98ac614843fa22c2c948dcf162674ef9ac3297f9904005bcfda364ae280184d01f55072442d8f00c1da59ed316d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\VCRUNTIME140.dll
Filesize
87KB

MD5
0e675d4a7a5b7ccd69013386793f68eb

SHA1
6e5821ddd8fea6681bda4448816f39984a33596b

SHA256
bf5ff4603557c9959acec995653d052d9054ad4826df967974efd2f377c723d1

SHA512
cae69a90f92936febde67dacd6ce77647cb3b3ed82bb66463cd9047e90723f633aa2fc365489de09fecdc510be15808c183b12e6236b0893af19633f6a670e66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\base_library.zip
Filesize
772KB

MD5
ae6fb190c26ef658d05adcd36203f872

SHA1
a9d4ed8e61b34a86234970e12f70a2a860e900f1

SHA256
f8d2235a1f8e39384603675193af8d7d41b69b68ad5bd1e63b6aa9db330ec7f9

SHA512
ad660974064c87a65e85af65dff905f69432dac0bfd6fff0882cfd2346b5e59b771b28ce62a29960493e937072b34da353f10abd425101bef4c5ad11b7231cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\python37.dll
Filesize
3.6MB

MD5
5d8c22938d89077f64537a9d09cf6fd5

SHA1
15971f1b4bc2420eafbd40b0cd3fc4d2af204ec4

SHA256
8eb835d88e72e998b82916fb20a252af615d6e641827e013411239d115d5dd69

SHA512
dbd1febd18e29eab046b98f6b970e35e040adddead81561c0d165a1353a124d1dc26f3b3f5aa9ef0cb8e813baa8fc706514c0350c6428f25c5e5c050773b7d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\python37.dll
Filesize
3.6MB

MD5
5d8c22938d89077f64537a9d09cf6fd5

SHA1
15971f1b4bc2420eafbd40b0cd3fc4d2af204ec4

SHA256
8eb835d88e72e998b82916fb20a252af615d6e641827e013411239d115d5dd69

SHA512
dbd1febd18e29eab046b98f6b970e35e040adddead81561c0d165a1353a124d1dc26f3b3f5aa9ef0cb8e813baa8fc706514c0350c6428f25c5e5c050773b7d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\ucrtbase.dll
Filesize
961KB

MD5
2381e189321ead521ff71e72d08a6b17

SHA1
0db7fea07b4bc14f0f9d71ecfa6ddf3097229875

SHA256
4918f2e631ef1ae34c7863fa4f3bd7663b2fdf0fa160c0de507ed343484ac806

SHA512
2d51d1de627deb852d5ce48315654dfb34115ea9f546f640bb2304cd763d4576eadff5cd7fd184a9b17bac8bf37309a0409034d6303662edfa1a6db69366b9e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\ucrtbase.dll
Filesize
961KB

MD5
2381e189321ead521ff71e72d08a6b17

SHA1
0db7fea07b4bc14f0f9d71ecfa6ddf3097229875

SHA256
4918f2e631ef1ae34c7863fa4f3bd7663b2fdf0fa160c0de507ed343484ac806

SHA512
2d51d1de627deb852d5ce48315654dfb34115ea9f546f640bb2304cd763d4576eadff5cd7fd184a9b17bac8bf37309a0409034d6303662edfa1a6db69366b9e5

Download Submit
memory/220-151-0x0000000000000000-mapping.dmp

Download
memory/408-161-0x0000000000000000-mapping.dmp

Download
memory/768-164-0x0000000000000000-mapping.dmp

Download
memory/952-146-0x0000000000000000-mapping.dmp

Download
memory/1144-139-0x0000000000000000-mapping.dmp

Download
memory/1188-185-0x0000000000000000-mapping.dmp

Download
memory/1440-157-0x0000000000000000-mapping.dmp

Download
memory/1444-182-0x0000000000000000-mapping.dmp

Download
memory/1452-145-0x0000000000000000-mapping.dmp

Download
memory/1572-172-0x0000000000000000-mapping.dmp

Download
memory/1620-174-0x0000000000000000-mapping.dmp

Download
memory/1724-168-0x0000000000000000-mapping.dmp

Download
memory/1916-156-0x0000000000000000-mapping.dmp

Download
memory/1920-170-0x0000000000000000-mapping.dmp

Download
memory/1928-159-0x0000000000000000-mapping.dmp

Download
memory/1936-147-0x0000000000000000-mapping.dmp

Download
memory/1972-169-0x0000000000000000-mapping.dmp

Download
memory/2116-153-0x0000000000000000-mapping.dmp

Download
memory/2132-171-0x0000000000000000-mapping.dmp

Download
memory/2856-184-0x0000000000000000-mapping.dmp

Download
memory/2964-178-0x0000000000000000-mapping.dmp

Download
memory/3008-162-0x0000000000000000-mapping.dmp

Download
memory/3064-166-0x0000000000000000-mapping.dmp

Download
memory/3092-149-0x0000000000000000-mapping.dmp

Download
memory/3324-148-0x0000000000000000-mapping.dmp

Download
memory/3392-140-0x0000000000000000-mapping.dmp

Download
memory/3492-142-0x0000000000000000-mapping.dmp

Download
memory/3572-181-0x0000000000000000-mapping.dmp

Download
memory/3616-173-0x0000000000000000-mapping.dmp

Download
memory/3664-154-0x0000000000000000-mapping.dmp

Download
memory/3764-150-0x0000000000000000-mapping.dmp

Download
memory/3840-167-0x0000000000000000-mapping.dmp

Download
memory/3884-177-0x0000000000000000-mapping.dmp

Download
memory/3988-163-0x0000000000000000-mapping.dmp

Download
memory/4000-152-0x0000000000000000-mapping.dmp

Download
memory/4024-160-0x0000000000000000-mapping.dmp

Download
memory/4084-180-0x0000000000000000-mapping.dmp

Download
memory/4320-165-0x0000000000000000-mapping.dmp

Download
memory/4376-155-0x0000000000000000-mapping.dmp

Download
memory/4388-158-0x0000000000000000-mapping.dmp

Download
memory/4504-175-0x0000000000000000-mapping.dmp

Download
memory/4692-179-0x0000000000000000-mapping.dmp

Download
memory/4744-143-0x0000000000000000-mapping.dmp

Download
memory/4796-144-0x0000000000000000-mapping.dmp

Download
memory/4920-130-0x0000000000000000-mapping.dmp

Download
memory/4988-176-0x0000000000000000-mapping.dmp

Download
memory/5004-141-0x0000000000000000-mapping.dmp

Download
memory/5048-183-0x0000000000000000-mapping.dmp

Download
memory/5136-186-0x0000000000000000-mapping.dmp

Download
memory/5180-187-0x0000000000000000-mapping.dmp

Download
memory/5212-188-0x0000000000000000-mapping.dmp

Download
memory/5256-189-0x0000000000000000-mapping.dmp

Download
memory/5288-190-0x0000000000000000-mapping.dmp

Download
memory/5324-191-0x0000000000000000-mapping.dmp

Download
memory/5416-192-0x0000000000000000-mapping.dmp

Download
memory/5436-193-0x0000000000000000-mapping.dmp

Download
memory/5508-194-0x0000000000000000-mapping.dmp

Download
memory/5548-195-0x0000000000000000-mapping.dmp

Download
memory/5600-196-0x0000000000000000-mapping.dmp

Download
memory/5636-197-0x0000000000000000-mapping.dmp

Download
memory/5696-198-0x0000000000000000-mapping.dmp

Download
memory/5716-199-0x0000000000000000-mapping.dmp

Download
memory/5800-200-0x0000000000000000-mapping.dmp

Download
memory/5840-201-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing