6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8

General

Target

6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe
Size

947KB
MD5

5fc51b17977c56d7158e744f254bb2fa
SHA1

a9197dc78760886546d386ec7f5b0b253b1cb86f
SHA256

6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8
SHA512

9f718873df048898e2186ec85e79eedbecc773935471d91a0e8c70603be7683f8cbdf2a611fb90801736470cb4e7d417df9dc1c635204f8e3bce924b7bfca8c0
SSDEEP

24576:ZhpOrzcwXRXk96ZcoexPoHhYBssWTmpA:ZSNXtkEcoGgGW6pA

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\Temp\\FolderName\\file.exe"	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\9GPH0NJ1TN.exe = "C:\\Users\\Admin\\AppData\\Roaming\\9GPH0NJ1TN.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\notepad .exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\notepad .exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 1 IoCs

Processes:

notepad .exe

pid process

2084 notepad .exe

pid	process
2084	notepad .exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\file.exe	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe

description	pid	process	target process
PID 4132 set thread context of 2084	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	notepad .exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1300 timeout.exe
Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

1812 reg.exe
604 reg.exe
2488 reg.exe
4956 reg.exe

pid	process
1300	timeout.exe

pid	process
1812	reg.exe
604	reg.exe
2488	reg.exe
4956	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe

pid	process
4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe
4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe
4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exenotepad .exe

description	pid	process
Token: SeDebugPrivilege	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe
Token: 1	2084	notepad .exe
Token: SeCreateTokenPrivilege	2084	notepad .exe
Token: SeAssignPrimaryTokenPrivilege	2084	notepad .exe
Token: SeLockMemoryPrivilege	2084	notepad .exe
Token: SeIncreaseQuotaPrivilege	2084	notepad .exe
Token: SeMachineAccountPrivilege	2084	notepad .exe
Token: SeTcbPrivilege	2084	notepad .exe
Token: SeSecurityPrivilege	2084	notepad .exe
Token: SeTakeOwnershipPrivilege	2084	notepad .exe
Token: SeLoadDriverPrivilege	2084	notepad .exe
Token: SeSystemProfilePrivilege	2084	notepad .exe
Token: SeSystemtimePrivilege	2084	notepad .exe
Token: SeProfSingleProcessPrivilege	2084	notepad .exe
Token: SeIncBasePriorityPrivilege	2084	notepad .exe
Token: SeCreatePagefilePrivilege	2084	notepad .exe
Token: SeCreatePermanentPrivilege	2084	notepad .exe
Token: SeBackupPrivilege	2084	notepad .exe
Token: SeRestorePrivilege	2084	notepad .exe
Token: SeShutdownPrivilege	2084	notepad .exe
Token: SeDebugPrivilege	2084	notepad .exe
Token: SeAuditPrivilege	2084	notepad .exe
Token: SeSystemEnvironmentPrivilege	2084	notepad .exe
Token: SeChangeNotifyPrivilege	2084	notepad .exe
Token: SeRemoteShutdownPrivilege	2084	notepad .exe
Token: SeUndockPrivilege	2084	notepad .exe
Token: SeSyncAgentPrivilege	2084	notepad .exe
Token: SeEnableDelegationPrivilege	2084	notepad .exe
Token: SeManageVolumePrivilege	2084	notepad .exe
Token: SeImpersonatePrivilege	2084	notepad .exe
Token: SeCreateGlobalPrivilege	2084	notepad .exe
Token: 31	2084	notepad .exe
Token: 32	2084	notepad .exe
Token: 33	2084	notepad .exe
Token: 34	2084	notepad .exe
Token: 35	2084	notepad .exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

notepad .exe

pid process

2084 notepad .exe
2084 notepad .exe
2084 notepad .exe
2084 notepad .exe

pid	process
2084	notepad .exe
2084	notepad .exe
2084	notepad .exe
2084	notepad .exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.execmd.exewscript.exenotepad .execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4132 wrote to memory of 2228	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	cmd.exe
PID 4132 wrote to memory of 2228	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	cmd.exe
PID 4132 wrote to memory of 2228	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	cmd.exe
PID 2228 wrote to memory of 1960	2228	cmd.exe	wscript.exe
PID 2228 wrote to memory of 1960	2228	cmd.exe	wscript.exe
PID 2228 wrote to memory of 1960	2228	cmd.exe	wscript.exe
PID 4132 wrote to memory of 2084	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	notepad .exe
PID 4132 wrote to memory of 2084	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	notepad .exe
PID 4132 wrote to memory of 2084	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	notepad .exe
PID 4132 wrote to memory of 2084	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	notepad .exe
PID 4132 wrote to memory of 2084	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	notepad .exe
PID 4132 wrote to memory of 2084	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	notepad .exe
PID 4132 wrote to memory of 2084	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	notepad .exe
PID 4132 wrote to memory of 2084	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	notepad .exe
PID 1960 wrote to memory of 2888	1960	wscript.exe	cmd.exe
PID 1960 wrote to memory of 2888	1960	wscript.exe	cmd.exe
PID 1960 wrote to memory of 2888	1960	wscript.exe	cmd.exe
PID 2084 wrote to memory of 1180	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 1180	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 1180	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 4892	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 4892	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 4892	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 4264	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 4264	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 4264	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 4564	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 4564	2084	notepad .exe	cmd.exe
PID 2084 wrote to memory of 4564	2084	notepad .exe	cmd.exe
PID 4892 wrote to memory of 1812	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 1812	4892	cmd.exe	reg.exe
PID 4892 wrote to memory of 1812	4892	cmd.exe	reg.exe
PID 4264 wrote to memory of 4956	4264	cmd.exe	reg.exe
PID 4264 wrote to memory of 4956	4264	cmd.exe	reg.exe
PID 4264 wrote to memory of 4956	4264	cmd.exe	reg.exe
PID 1180 wrote to memory of 604	1180	cmd.exe	reg.exe
PID 1180 wrote to memory of 604	1180	cmd.exe	reg.exe
PID 1180 wrote to memory of 604	1180	cmd.exe	reg.exe
PID 4564 wrote to memory of 2488	4564	cmd.exe	reg.exe
PID 4564 wrote to memory of 2488	4564	cmd.exe	reg.exe
PID 4564 wrote to memory of 2488	4564	cmd.exe	reg.exe
PID 4132 wrote to memory of 2388	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	cmd.exe
PID 4132 wrote to memory of 2388	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	cmd.exe
PID 4132 wrote to memory of 2388	4132	6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe	cmd.exe
PID 2388 wrote to memory of 1300	2388	cmd.exe	timeout.exe
PID 2388 wrote to memory of 1300	2388	cmd.exe	timeout.exe
PID 2388 wrote to memory of 1300	2388	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe
"C:\Users\Admin\AppData\Local\Temp\6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\wscript.exe
wscript.exe "C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs" "C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat
3⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat" "
4⤵
- Drops startup file
PID:2888

C:\Users\Admin\AppData\Local\Temp\notepad .exe
"C:\Users\Admin\AppData\Local\Temp\notepad .exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2084

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:1180

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:604

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\notepad .exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\notepad .exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\notepad .exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\notepad .exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:1812

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\9GPH0NJ1TN.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\9GPH0NJ1TN.exe:*:Enabled:Windows Messanger" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4564

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\9GPH0NJ1TN.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\9GPH0NJ1TN.exe:*:Enabled:Windows Messanger" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:2488

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Modifies firewall policy service
- Modifies registry key
PID:4956

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FolderName\stres.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\timeout.exe
timeout /t 300
3⤵
- Delays execution with timeout.exe
PID:1300

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FolderName\file.exe

Filesize
947KB

MD5
5fc51b17977c56d7158e744f254bb2fa

SHA1
a9197dc78760886546d386ec7f5b0b253b1cb86f

SHA256
6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8

SHA512
9f718873df048898e2186ec85e79eedbecc773935471d91a0e8c70603be7683f8cbdf2a611fb90801736470cb4e7d417df9dc1c635204f8e3bce924b7bfca8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\invs.vbs

Filesize
78B

MD5
c578d9653b22800c3eb6b6a51219bbb8

SHA1
a97aa251901bbe179a48dbc7a0c1872e163b1f2d

SHA256
20a98a7e6e137bb1b9bd5ef6911a479cb8eac925b80d6db4e70b19f62a40cce2

SHA512
3ae6dc8f02d1a78e1235a0782b632972da5a74ab32287cc41aa672d4fa4a9d34bb5fc50eba07b6915f2e61c402927cd5f6feeb7f7602afa2f64e91efb3b7fc4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata.bat

Filesize
69B

MD5
c96a3b31fc4a115c977ce5d8a3256f4f

SHA1
8c71b0d75099af30ac1fe33266e3970b47ba716d

SHA256
a5b672a4863abcf46556d2e606b2833e8897a3206e554ad93043a82a792df49e

SHA512
f4337e85ca0b3c0242c35a09f1ff7154c9e37ea3c7de3c2337385fb4b57e25a8550877ce2f37d023c94a3fa69b2b4e003207790297879d29a5bbe4856d0a0f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\mata2.bat

Filesize
176B

MD5
b77f8e41f69f39412b204cc781212baa

SHA1
38d70fce7d44d1935955cf4b519664c7969d5989

SHA256
05ebddcab0758b634954345905825e611eed207bbbb989e6dded1e3476e5deab

SHA512
8b404359b8c854822fb97262c55dad5293a75d353ba2a2210840c9fbbea96e3ff985856601bb6ca4d10bc21effb3af33558e0c2d9c90128133ae35fe09dccb61

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\rundll11-.txt

Filesize
947KB

MD5
5fc51b17977c56d7158e744f254bb2fa

SHA1
a9197dc78760886546d386ec7f5b0b253b1cb86f

SHA256
6b4d9956d8b5dbc50c6346c011f82e708f4722f558739cac6b2ca6d2c46e0bd8

SHA512
9f718873df048898e2186ec85e79eedbecc773935471d91a0e8c70603be7683f8cbdf2a611fb90801736470cb4e7d417df9dc1c635204f8e3bce924b7bfca8c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\FolderName\stres.bat

Filesize
211B

MD5
fcea7e008224fa9f82bba83e3562baf0

SHA1
f8ccd10830a0e5e979099a022fb07019e2ac479e

SHA256
0d9caf1dc4c3317085c4fd81a56df506c99dacb883c341a2250d8ef9beffbdba

SHA512
5083a7b3500841b05c879151cde2dda997cf70fbe0dbec5b218dc5efe37084af976fcb67511c92fff21f6b0b5dafdc01f03b448b731db56e7f1f851017467304

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\notepad .exe

Filesize
57KB

MD5
454501a66ad6e85175a6757573d79f8b

SHA1
8ca96c61f26a640a5b1b1152d055260b9d43e308

SHA256
7fd4f35aff4a0d4bfaae3a5dfb14b94934276df0e96d1a417a8f3693915e72c8

SHA512
9dc3b9a9b7e661acc3ac9a0ff4fd764097fc41ccbc2e7969cae9805cc693a87e8255e459ea5f315271825e7e517a46649acc8d42122a8018264cc3f2efa34fb7

Download Submit
memory/604-156-0x0000000000000000-mapping.dmp

Download
memory/1180-150-0x0000000000000000-mapping.dmp

Download
memory/1300-162-0x0000000000000000-mapping.dmp

Download
memory/1812-154-0x0000000000000000-mapping.dmp

Download
memory/1960-135-0x0000000000000000-mapping.dmp

Download
memory/2084-136-0x0000000000000000-mapping.dmp

Download
memory/2084-146-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2084-142-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2228-133-0x0000000000000000-mapping.dmp

Download
memory/2388-158-0x0000000000000000-mapping.dmp

Download
memory/2488-157-0x0000000000000000-mapping.dmp

Download
memory/2888-139-0x0000000000000000-mapping.dmp

Download
memory/4132-132-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4132-160-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4132-141-0x0000000074AB0000-0x0000000075061000-memory.dmp

Filesize
5.7MB

Download
memory/4264-152-0x0000000000000000-mapping.dmp

Download
memory/4564-153-0x0000000000000000-mapping.dmp

Download
memory/4892-151-0x0000000000000000-mapping.dmp

Download
memory/4956-155-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads