cerber | 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100

General

Target

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Size

382KB
MD5

432ad4941c057927786e3b6646ecf2f3
SHA1

45babe449954544219054e327523de5812597eaa
SHA256

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100
SHA512

8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3

Score

10^/10

cerber discovery evasion persistence ransomware spyware stealer suricata

Malware Config

Signatures

Cerber 2 IoCs

Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.

ransomware cerber

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exe

description	ioc	process
Mutant opened	shell.{FBDF6928-0741-9A42-4148-F6231E486DF1}	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Mutant created	shell.{FBDF6928-0741-9A42-4148-F6231E486DF1}	RunLegacyCPLElevated.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	RunLegacyCPLElevated.exe

suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata: ET MALWARE Ransomware/Cerber Checkin 2
suricata
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exe

pid process

1504 bcdedit.exe
1456 bcdedit.exe

pid	process
1504	bcdedit.exe
1456	bcdedit.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\""	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\""	RunLegacyCPLElevated.exe

Contacts a large (514) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046
Executes dropped EXE 1 IoCs

Processes:

RunLegacyCPLElevated.exe

pid process

472 RunLegacyCPLElevated.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

580 cmd.exe

pid	process
472	RunLegacyCPLElevated.exe

pid	process
580	cmd.exe

Drops startup file 1 IoCs

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\RunLegacyCPLElevated.lnk	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe

Loads dropped DLL 2 IoCs

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exe

pid process

1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
472 RunLegacyCPLElevated.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
472	RunLegacyCPLElevated.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

RunLegacyCPLElevated.exe5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run	RunLegacyCPLElevated.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunLegacyCPLElevated = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\""	RunLegacyCPLElevated.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	RunLegacyCPLElevated.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RunLegacyCPLElevated = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\""	RunLegacyCPLElevated.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\Run\RunLegacyCPLElevated = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\""	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\RunLegacyCPLElevated = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\""	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exe

pid process

1664 vssadmin.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1156 taskkill.exe

flow	ioc
3	ip-api.com

pid	process
1664	vssadmin.exe

pid	process
1156	taskkill.exe

Modifies Control Panel 4 IoCs

evasion

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\Desktop	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\""	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Key created	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\Desktop	RunLegacyCPLElevated.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-335065374-4263250628-1829373619-1000\Control Panel\Desktop\SCRNSAVE.EXE = "\"C:\\Users\\Admin\\AppData\\Roaming\\{42265351-17C5-8579-D85E-5A3545A2D848}\\RunLegacyCPLElevated.exe\""	RunLegacyCPLElevated.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

636 PING.EXE

pid	process
636	PING.EXE

Suspicious use of AdjustPrivilegeToken 46 IoCs

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exetaskkill.exeRunLegacyCPLElevated.exevssvc.exewmic.exe

description	pid	process
Token: SeDebugPrivilege	1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	472	RunLegacyCPLElevated.exe
Token: SeBackupPrivilege	1868	vssvc.exe
Token: SeRestorePrivilege	1868	vssvc.exe
Token: SeAuditPrivilege	1868	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1764	wmic.exe
Token: SeSecurityPrivilege	1764	wmic.exe
Token: SeTakeOwnershipPrivilege	1764	wmic.exe
Token: SeLoadDriverPrivilege	1764	wmic.exe
Token: SeSystemProfilePrivilege	1764	wmic.exe
Token: SeSystemtimePrivilege	1764	wmic.exe
Token: SeProfSingleProcessPrivilege	1764	wmic.exe
Token: SeIncBasePriorityPrivilege	1764	wmic.exe
Token: SeCreatePagefilePrivilege	1764	wmic.exe
Token: SeBackupPrivilege	1764	wmic.exe
Token: SeRestorePrivilege	1764	wmic.exe
Token: SeShutdownPrivilege	1764	wmic.exe
Token: SeDebugPrivilege	1764	wmic.exe
Token: SeSystemEnvironmentPrivilege	1764	wmic.exe
Token: SeRemoteShutdownPrivilege	1764	wmic.exe
Token: SeUndockPrivilege	1764	wmic.exe
Token: SeManageVolumePrivilege	1764	wmic.exe
Token: 33	1764	wmic.exe
Token: 34	1764	wmic.exe
Token: 35	1764	wmic.exe
Token: SeIncreaseQuotaPrivilege	1764	wmic.exe
Token: SeSecurityPrivilege	1764	wmic.exe
Token: SeTakeOwnershipPrivilege	1764	wmic.exe
Token: SeLoadDriverPrivilege	1764	wmic.exe
Token: SeSystemProfilePrivilege	1764	wmic.exe
Token: SeSystemtimePrivilege	1764	wmic.exe
Token: SeProfSingleProcessPrivilege	1764	wmic.exe
Token: SeIncBasePriorityPrivilege	1764	wmic.exe
Token: SeCreatePagefilePrivilege	1764	wmic.exe
Token: SeBackupPrivilege	1764	wmic.exe
Token: SeRestorePrivilege	1764	wmic.exe
Token: SeShutdownPrivilege	1764	wmic.exe
Token: SeDebugPrivilege	1764	wmic.exe
Token: SeSystemEnvironmentPrivilege	1764	wmic.exe
Token: SeRemoteShutdownPrivilege	1764	wmic.exe
Token: SeUndockPrivilege	1764	wmic.exe
Token: SeManageVolumePrivilege	1764	wmic.exe
Token: 33	1764	wmic.exe
Token: 34	1764	wmic.exe
Token: 35	1764	wmic.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exeRunLegacyCPLElevated.exe

pid process

1564 5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
472 RunLegacyCPLElevated.exe

pid	process
1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
472	RunLegacyCPLElevated.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.execmd.exeRunLegacyCPLElevated.exe

description	pid	process	target process
PID 1564 wrote to memory of 472	1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	RunLegacyCPLElevated.exe
PID 1564 wrote to memory of 472	1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	RunLegacyCPLElevated.exe
PID 1564 wrote to memory of 472	1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	RunLegacyCPLElevated.exe
PID 1564 wrote to memory of 472	1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	RunLegacyCPLElevated.exe
PID 1564 wrote to memory of 580	1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	cmd.exe
PID 1564 wrote to memory of 580	1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	cmd.exe
PID 1564 wrote to memory of 580	1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	cmd.exe
PID 1564 wrote to memory of 580	1564	5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe	cmd.exe
PID 580 wrote to memory of 1156	580	cmd.exe	taskkill.exe
PID 580 wrote to memory of 1156	580	cmd.exe	taskkill.exe
PID 580 wrote to memory of 1156	580	cmd.exe	taskkill.exe
PID 580 wrote to memory of 1156	580	cmd.exe	taskkill.exe
PID 580 wrote to memory of 636	580	cmd.exe	PING.EXE
PID 580 wrote to memory of 636	580	cmd.exe	PING.EXE
PID 580 wrote to memory of 636	580	cmd.exe	PING.EXE
PID 580 wrote to memory of 636	580	cmd.exe	PING.EXE
PID 472 wrote to memory of 1664	472	RunLegacyCPLElevated.exe	vssadmin.exe
PID 472 wrote to memory of 1664	472	RunLegacyCPLElevated.exe	vssadmin.exe
PID 472 wrote to memory of 1664	472	RunLegacyCPLElevated.exe	vssadmin.exe
PID 472 wrote to memory of 1664	472	RunLegacyCPLElevated.exe	vssadmin.exe
PID 472 wrote to memory of 1764	472	RunLegacyCPLElevated.exe	wmic.exe
PID 472 wrote to memory of 1764	472	RunLegacyCPLElevated.exe	wmic.exe
PID 472 wrote to memory of 1764	472	RunLegacyCPLElevated.exe	wmic.exe
PID 472 wrote to memory of 1764	472	RunLegacyCPLElevated.exe	wmic.exe
PID 472 wrote to memory of 1504	472	RunLegacyCPLElevated.exe	bcdedit.exe
PID 472 wrote to memory of 1504	472	RunLegacyCPLElevated.exe	bcdedit.exe
PID 472 wrote to memory of 1504	472	RunLegacyCPLElevated.exe	bcdedit.exe
PID 472 wrote to memory of 1504	472	RunLegacyCPLElevated.exe	bcdedit.exe
PID 472 wrote to memory of 1456	472	RunLegacyCPLElevated.exe	bcdedit.exe
PID 472 wrote to memory of 1456	472	RunLegacyCPLElevated.exe	bcdedit.exe
PID 472 wrote to memory of 1456	472	RunLegacyCPLElevated.exe	bcdedit.exe
PID 472 wrote to memory of 1456	472	RunLegacyCPLElevated.exe	bcdedit.exe

C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe
"C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe"
1⤵
- Cerber
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1564

C:\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exe
"C:\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exe"
2⤵
- Cerber
- Modifies visiblity of hidden/system files in Explorer
- Adds policy Run key to start application
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:472

C:\Windows\system32\vssadmin.exe
"C:\Windows\system32\vssadmin.exe" delete shadows /all /quiet
3⤵
- Interacts with shadow copies
PID:1664

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} recoveryenabled no
3⤵
- Modifies boot configuration data using bcdedit
PID:1504

C:\Windows\System32\bcdedit.exe
"C:\Windows\System32\bcdedit.exe" /set {default} bootstatuspolicy ignoreallfailures
3⤵
- Modifies boot configuration data using bcdedit
PID:1456

C:\Windows\SysWOW64\cmd.exe
/d /c taskkill /f /im "5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe" > NUL & ping -n 1 127.0.0.1 > NUL & del "C:\Users\Admin\AppData\Local\Temp\5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe" > NUL
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:580

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im "5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100.exe"
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\SysWOW64\PING.EXE
ping -n 1 127.0.0.1
3⤵
- Runs ping.exe
PID:636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

2

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

1

T1158

Modify Registry

3

T1112

File Deletion

2

T1107

Credential Access

Credentials in Files

1

T1081

Discovery

Network Service Scanning

1

T1046

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UANRNN0F\json[1].json
Filesize
302B

MD5
8e05f3c0db548fd239a695579aee88d5

SHA1
61bca21b1c2ca5e1f381d78e700750b5b70e4232

SHA256
c8e544e4519ee3dcfbebd98b060c640bd9d5327ac9b263ecae5449e0e502adc3

SHA512
e352dd9dc53f9fdb226a5bc79ccbd1d741fa36e1c151f9169b585de9629bb94637ed1f6da158998b44556f07bd54a3a1673aeff340c87248e142204ee8ddb9cb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\RunLegacyCPLElevated.lnk
Filesize
1KB

MD5
a35cf85f1370b6b5da9949bc4c31c246

SHA1
a680ec09d12d64edc716ae3b8346f9cf026f77dc

SHA256
5adbcbc225fb4da7bcdc889b5409474ce9046f888379e921d9438b9b9fabe91a

SHA512
46510626ea3e968fa0c198644fe3c3e100a09fad934ebe1ad2b14b53c9325b9b2ff75662510f57c35033ab991de70387e030946fc9e10ab130bf808bd38f0470

Download Submit
C:\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exe
Filesize
382KB

MD5
432ad4941c057927786e3b6646ecf2f3

SHA1
45babe449954544219054e327523de5812597eaa

SHA256
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100

SHA512
8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3

Download Submit
C:\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exe
Filesize
382KB

MD5
432ad4941c057927786e3b6646ecf2f3

SHA1
45babe449954544219054e327523de5812597eaa

SHA256
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100

SHA512
8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3

Download Submit
\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exe
Filesize
382KB

MD5
432ad4941c057927786e3b6646ecf2f3

SHA1
45babe449954544219054e327523de5812597eaa

SHA256
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100

SHA512
8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3

Download Submit
\Users\Admin\AppData\Roaming\{42265351-17C5-8579-D85E-5A3545A2D848}\RunLegacyCPLElevated.exe
Filesize
382KB

MD5
432ad4941c057927786e3b6646ecf2f3

SHA1
45babe449954544219054e327523de5812597eaa

SHA256
5607414907c0494f734000ba029c6b74a0eafdf2bfbecc24d410855108635100

SHA512
8b8fa755cf8a18fe7a822edcb977e8d8ee7615ccc56f5eac5c4eb7113f1faa8c983a9da18a08923c7e14d1bc86f2cae7d0a98322e8fcb8fb180733c0e9b04ab3

Download Submit
memory/472-74-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/472-58-0x0000000000000000-mapping.dmp

Download
memory/472-67-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/580-62-0x0000000000000000-mapping.dmp

Download
memory/636-66-0x0000000000000000-mapping.dmp

Download
memory/1156-65-0x0000000000000000-mapping.dmp

Download
memory/1456-72-0x0000000000000000-mapping.dmp

Download
memory/1504-71-0x0000000000000000-mapping.dmp

Download
memory/1564-54-0x00000000763E1000-0x00000000763E3000-memory.dmp

Filesize
8KB

Download
memory/1564-63-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1564-55-0x0000000000270000-0x00000000002A5000-memory.dmp

Filesize
212KB

Download
memory/1564-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1664-69-0x0000000000000000-mapping.dmp

Download
memory/1764-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads