2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12

General

Target

2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe
Size

926KB
MD5

60c7692389ad61eaafba95c1bec088f6
SHA1

06262a6155fc81aebbe4ce92a123eda90e1d3b68
SHA256

2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12
SHA512

05da400f8b7c007a94e8787717271889ca905b2834770ffdeaedb7e2cf251141f3b4446f27be3b49804c90072b7fe628f3fe8550759e9adeb1677c6274aca0dd
SSDEEP

12288:xtb20Qc3lT7af41ePBRYuQLKpqeUhbTv5OFgNuPPpHSgak7rL28Gal16A:xtb20pkaCqT5TBWgNQ7asPI216A

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

winrt.exe

pid process

632 winrt.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

280 cmd.exe

pid	process
280	cmd.exe

Loads dropped DLL 4 IoCs

Processes:

2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe

pid	process
1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe
1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe
1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe
1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

winrt.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	winrt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinRT = "C:\\Users\\Admin\\AppData\\Roaming\\winrt.exe"	winrt.exe

AutoIT Executable 6 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\winrt.exe	autoit_exe
\Users\Admin\AppData\Roaming\winrt.exe	autoit_exe
\Users\Admin\AppData\Roaming\winrt.exe	autoit_exe
\Users\Admin\AppData\Roaming\winrt.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\winrt.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\winrt.exe	autoit_exe

Suspicious use of SetThreadContext 64 IoCs

Processes:

winrt.exe

description	pid	process	target process
PID 632 set thread context of 332	632	winrt.exe	vbc.exe
PID 632 set thread context of 1600	632	winrt.exe	vbc.exe
PID 632 set thread context of 2012	632	winrt.exe	vbc.exe
PID 632 set thread context of 912	632	winrt.exe	vbc.exe
PID 632 set thread context of 1844	632	winrt.exe	vbc.exe
PID 632 set thread context of 960	632	winrt.exe	vbc.exe
PID 632 set thread context of 1548	632	winrt.exe	vbc.exe
PID 632 set thread context of 1476	632	winrt.exe	vbc.exe
PID 632 set thread context of 1784	632	winrt.exe	vbc.exe
PID 632 set thread context of 1628	632	winrt.exe	vbc.exe
PID 632 set thread context of 1732	632	winrt.exe	vbc.exe
PID 632 set thread context of 908	632	winrt.exe	vbc.exe
PID 632 set thread context of 808	632	winrt.exe	vbc.exe
PID 632 set thread context of 1552	632	winrt.exe	vbc.exe
PID 632 set thread context of 280	632	winrt.exe	vbc.exe
PID 632 set thread context of 776	632	winrt.exe	vbc.exe
PID 632 set thread context of 892	632	winrt.exe	vbc.exe
PID 632 set thread context of 1532	632	winrt.exe	vbc.exe
PID 632 set thread context of 988	632	winrt.exe	vbc.exe
PID 632 set thread context of 1296	632	winrt.exe	vbc.exe
PID 632 set thread context of 588	632	winrt.exe	vbc.exe
PID 632 set thread context of 536	632	winrt.exe	vbc.exe
PID 632 set thread context of 1616	632	winrt.exe	vbc.exe
PID 632 set thread context of 1832	632	winrt.exe	vbc.exe
PID 632 set thread context of 1308	632	winrt.exe	vbc.exe
PID 632 set thread context of 800	632	winrt.exe	vbc.exe
PID 632 set thread context of 1572	632	winrt.exe	vbc.exe
PID 632 set thread context of 1180	632	winrt.exe	vbc.exe
PID 632 set thread context of 592	632	winrt.exe	vbc.exe
PID 632 set thread context of 888	632	winrt.exe	vbc.exe
PID 632 set thread context of 948	632	winrt.exe	vbc.exe
PID 632 set thread context of 868	632	winrt.exe	vbc.exe
PID 632 set thread context of 2008	632	winrt.exe	vbc.exe
PID 632 set thread context of 1992	632	winrt.exe	vbc.exe
PID 632 set thread context of 1808	632	winrt.exe	vbc.exe
PID 632 set thread context of 1892	632	winrt.exe	vbc.exe
PID 632 set thread context of 568	632	winrt.exe	vbc.exe
PID 632 set thread context of 280	632	winrt.exe	vbc.exe
PID 632 set thread context of 1604	632	winrt.exe	vbc.exe
PID 632 set thread context of 892	632	winrt.exe	vbc.exe
PID 632 set thread context of 344	632	winrt.exe	vbc.exe
PID 632 set thread context of 1556	632	winrt.exe	vbc.exe
PID 632 set thread context of 1636	632	winrt.exe	vbc.exe
PID 632 set thread context of 1652	632	winrt.exe	vbc.exe
PID 632 set thread context of 904	632	winrt.exe	vbc.exe
PID 632 set thread context of 1724	632	winrt.exe	vbc.exe
PID 632 set thread context of 552	632	winrt.exe	vbc.exe
PID 632 set thread context of 1420	632	winrt.exe	vbc.exe
PID 632 set thread context of 1532	632	winrt.exe	vbc.exe
PID 632 set thread context of 1956	632	winrt.exe	vbc.exe
PID 632 set thread context of 1036	632	winrt.exe	vbc.exe
PID 632 set thread context of 1584	632	winrt.exe	vbc.exe
PID 632 set thread context of 2000	632	winrt.exe	vbc.exe
PID 632 set thread context of 320	632	winrt.exe	vbc.exe
PID 632 set thread context of 1320	632	winrt.exe	vbc.exe
PID 632 set thread context of 1960	632	winrt.exe	vbc.exe
PID 632 set thread context of 1372	632	winrt.exe	vbc.exe
PID 632 set thread context of 1068	632	winrt.exe	vbc.exe
PID 632 set thread context of 1120	632	winrt.exe	vbc.exe
PID 632 set thread context of 1544	632	winrt.exe	vbc.exe
PID 632 set thread context of 524	632	winrt.exe	vbc.exe
PID 632 set thread context of 1332	632	winrt.exe	vbc.exe
PID 632 set thread context of 776	632	winrt.exe	vbc.exe
PID 632 set thread context of 1980	632	winrt.exe	vbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

676 PING.EXE

pid	process
676	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

winrt.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

pid	process
632	winrt.exe
632	winrt.exe
632	winrt.exe
632	winrt.exe
332	vbc.exe
332	vbc.exe
632	winrt.exe
1600	vbc.exe
1600	vbc.exe
632	winrt.exe
2012	vbc.exe
2012	vbc.exe
632	winrt.exe
912	vbc.exe
912	vbc.exe
632	winrt.exe
1844	vbc.exe
1844	vbc.exe
632	winrt.exe
960	vbc.exe
960	vbc.exe
632	winrt.exe
1548	vbc.exe
1548	vbc.exe
632	winrt.exe
1476	vbc.exe
1476	vbc.exe
632	winrt.exe
1784	vbc.exe
1784	vbc.exe
632	winrt.exe
1628	vbc.exe
1628	vbc.exe
632	winrt.exe
1732	vbc.exe
1732	vbc.exe
632	winrt.exe
908	vbc.exe
908	vbc.exe
632	winrt.exe
808	vbc.exe
808	vbc.exe
632	winrt.exe
1552	vbc.exe
1552	vbc.exe
632	winrt.exe
280	vbc.exe
280	vbc.exe
632	winrt.exe
776	vbc.exe
776	vbc.exe
632	winrt.exe
892	vbc.exe
892	vbc.exe
632	winrt.exe
1532	vbc.exe
1532	vbc.exe
632	winrt.exe
988	vbc.exe
988	vbc.exe
632	winrt.exe
1296	vbc.exe
1296	vbc.exe
632	winrt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

vbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	332	vbc.exe
Token: SeDebugPrivilege	1600	vbc.exe
Token: SeDebugPrivilege	2012	vbc.exe
Token: SeDebugPrivilege	912	vbc.exe
Token: SeDebugPrivilege	1844	vbc.exe
Token: SeDebugPrivilege	960	vbc.exe
Token: SeDebugPrivilege	1548	vbc.exe
Token: SeDebugPrivilege	1476	vbc.exe
Token: SeDebugPrivilege	1784	vbc.exe
Token: SeDebugPrivilege	1628	vbc.exe
Token: SeDebugPrivilege	1732	vbc.exe
Token: SeDebugPrivilege	908	vbc.exe
Token: SeDebugPrivilege	808	vbc.exe
Token: SeDebugPrivilege	1552	vbc.exe
Token: SeDebugPrivilege	280	vbc.exe
Token: SeDebugPrivilege	776	vbc.exe
Token: SeDebugPrivilege	892	vbc.exe
Token: SeDebugPrivilege	1532	vbc.exe
Token: SeDebugPrivilege	988	vbc.exe
Token: SeDebugPrivilege	1296	vbc.exe
Token: SeDebugPrivilege	588	vbc.exe
Token: SeDebugPrivilege	536	vbc.exe
Token: SeDebugPrivilege	1616	vbc.exe
Token: SeDebugPrivilege	1832	vbc.exe
Token: SeDebugPrivilege	1308	vbc.exe
Token: SeDebugPrivilege	800	vbc.exe
Token: SeDebugPrivilege	1572	vbc.exe
Token: SeDebugPrivilege	1180	vbc.exe
Token: SeDebugPrivilege	592	vbc.exe
Token: SeDebugPrivilege	888	vbc.exe
Token: SeDebugPrivilege	948	vbc.exe
Token: SeDebugPrivilege	868	vbc.exe
Token: SeDebugPrivilege	2008	vbc.exe
Token: SeDebugPrivilege	1992	vbc.exe
Token: SeDebugPrivilege	1808	vbc.exe
Token: SeDebugPrivilege	1892	vbc.exe
Token: SeDebugPrivilege	568	vbc.exe
Token: SeDebugPrivilege	280	vbc.exe
Token: SeDebugPrivilege	1604	vbc.exe
Token: SeDebugPrivilege	892	vbc.exe
Token: SeDebugPrivilege	344	vbc.exe
Token: SeDebugPrivilege	1556	vbc.exe
Token: SeDebugPrivilege	1636	vbc.exe
Token: SeDebugPrivilege	1652	vbc.exe
Token: SeDebugPrivilege	904	vbc.exe
Token: SeDebugPrivilege	1724	vbc.exe
Token: SeDebugPrivilege	552	vbc.exe
Token: SeDebugPrivilege	1420	vbc.exe
Token: SeDebugPrivilege	1532	vbc.exe
Token: SeDebugPrivilege	1956	vbc.exe
Token: SeDebugPrivilege	1036	vbc.exe
Token: SeDebugPrivilege	1584	vbc.exe
Token: SeDebugPrivilege	2000	vbc.exe
Token: SeDebugPrivilege	320	vbc.exe
Token: SeDebugPrivilege	1320	vbc.exe
Token: SeDebugPrivilege	1960	vbc.exe
Token: SeDebugPrivilege	1372	vbc.exe
Token: SeDebugPrivilege	1068	vbc.exe
Token: SeDebugPrivilege	1120	vbc.exe
Token: SeDebugPrivilege	1544	vbc.exe
Token: SeDebugPrivilege	524	vbc.exe
Token: SeDebugPrivilege	1332	vbc.exe
Token: SeDebugPrivilege	776	vbc.exe
Token: SeDebugPrivilege	1980	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.execmd.exewinrt.exe

description	pid	process	target process
PID 1544 wrote to memory of 632	1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe	winrt.exe
PID 1544 wrote to memory of 632	1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe	winrt.exe
PID 1544 wrote to memory of 632	1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe	winrt.exe
PID 1544 wrote to memory of 632	1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe	winrt.exe
PID 1544 wrote to memory of 280	1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe	cmd.exe
PID 1544 wrote to memory of 280	1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe	cmd.exe
PID 1544 wrote to memory of 280	1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe	cmd.exe
PID 1544 wrote to memory of 280	1544	2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe	cmd.exe
PID 280 wrote to memory of 676	280	cmd.exe	PING.EXE
PID 280 wrote to memory of 676	280	cmd.exe	PING.EXE
PID 280 wrote to memory of 676	280	cmd.exe	PING.EXE
PID 280 wrote to memory of 676	280	cmd.exe	PING.EXE
PID 632 wrote to memory of 332	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 332	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 332	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 332	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 332	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 332	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1600	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1600	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1600	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1600	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1600	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1600	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 2012	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 2012	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 2012	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 2012	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 2012	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 2012	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 912	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 912	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 912	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 912	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 912	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 912	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1844	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1844	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1844	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1844	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1844	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1844	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 960	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 960	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 960	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 960	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 960	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 960	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1548	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1548	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1548	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1548	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1548	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1548	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1476	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1476	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1476	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1476	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1476	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1476	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1784	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1784	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1784	632	winrt.exe	vbc.exe
PID 632 wrote to memory of 1784	632	winrt.exe	vbc.exe

C:\Users\Admin\AppData\Local\Temp\2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe
"C:\Users\Admin\AppData\Local\Temp\2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Roaming\winrt.exe
"C:\Users\Admin\AppData\Roaming\winrt.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1180

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:868

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1724

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1120

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1980

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1732

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2012

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1808

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1652

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:540

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1776

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1908

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1476

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1396

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1988

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:612

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1996

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:516

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1836

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:484

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1000

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1280

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1308

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1800

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:832

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:436

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1624

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:700

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:888

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:936

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1260

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
PID:1832

C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\90.bat
2⤵
- Deletes itself
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SysWOW64\PING.EXE
ping -n 0127.0.0.1
3⤵
- Runs ping.exe
PID:676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Remote System Discovery

1

T1018

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\90.bat
Filesize
312B

MD5
a31e0d8010b9822d84bc5f98f04565c5

SHA1
f94c38cfbb34554da48b7f5e15d757ee7346eb53

SHA256
3763ed69bee2e12403d9c0bd2006d667fe76fdf220b433d099b680b884026211

SHA512
9e37db324eb7325380d490ab042c4b13e966f9c182fe28cfb7914ae421f1321221979c97ecbac40d31d8001351237f9a1f98713f2947076dcac6be3e0cc492fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\incl1
Filesize
12KB

MD5
a2734a383723c2620e506dcbc57a4067

SHA1
fbe4aa08bfb49163d59d7d07cae6b8ced14d4d52

SHA256
831aefdf6c0acd5824f4c8bf7d544a100dbe77f485327011635b0a5d0fbf32b5

SHA512
79e5af88531cb5c28740e777643abedde47fe1471f4e4a02cb0e902708cc87ac56c7490ed42d0dbf33fc471fef73f5da13ca6675f4dbe1af1322b7929668141a

Download Submit
C:\Users\Admin\AppData\Roaming\winrt.exe
Filesize
926KB

MD5
60c7692389ad61eaafba95c1bec088f6

SHA1
06262a6155fc81aebbe4ce92a123eda90e1d3b68

SHA256
2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12

SHA512
05da400f8b7c007a94e8787717271889ca905b2834770ffdeaedb7e2cf251141f3b4446f27be3b49804c90072b7fe628f3fe8550759e9adeb1677c6274aca0dd

Download Submit
C:\Users\Admin\AppData\Roaming\winrt.exe
Filesize
926KB

MD5
60c7692389ad61eaafba95c1bec088f6

SHA1
06262a6155fc81aebbe4ce92a123eda90e1d3b68

SHA256
2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12

SHA512
05da400f8b7c007a94e8787717271889ca905b2834770ffdeaedb7e2cf251141f3b4446f27be3b49804c90072b7fe628f3fe8550759e9adeb1677c6274aca0dd

Download Submit
\Users\Admin\AppData\Roaming\winrt.exe
Filesize
926KB

MD5
60c7692389ad61eaafba95c1bec088f6

SHA1
06262a6155fc81aebbe4ce92a123eda90e1d3b68

SHA256
2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12

SHA512
05da400f8b7c007a94e8787717271889ca905b2834770ffdeaedb7e2cf251141f3b4446f27be3b49804c90072b7fe628f3fe8550759e9adeb1677c6274aca0dd

Download Submit
\Users\Admin\AppData\Roaming\winrt.exe
Filesize
926KB

MD5
60c7692389ad61eaafba95c1bec088f6

SHA1
06262a6155fc81aebbe4ce92a123eda90e1d3b68

SHA256
2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12

SHA512
05da400f8b7c007a94e8787717271889ca905b2834770ffdeaedb7e2cf251141f3b4446f27be3b49804c90072b7fe628f3fe8550759e9adeb1677c6274aca0dd

Download Submit
\Users\Admin\AppData\Roaming\winrt.exe
Filesize
926KB

MD5
60c7692389ad61eaafba95c1bec088f6

SHA1
06262a6155fc81aebbe4ce92a123eda90e1d3b68

SHA256
2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12

SHA512
05da400f8b7c007a94e8787717271889ca905b2834770ffdeaedb7e2cf251141f3b4446f27be3b49804c90072b7fe628f3fe8550759e9adeb1677c6274aca0dd

Download Submit
\Users\Admin\AppData\Roaming\winrt.exe
Filesize
926KB

MD5
60c7692389ad61eaafba95c1bec088f6

SHA1
06262a6155fc81aebbe4ce92a123eda90e1d3b68

SHA256
2695946f21260256746ea43cdc8602768973cda58a45c0795fe251623962bf12

SHA512
05da400f8b7c007a94e8787717271889ca905b2834770ffdeaedb7e2cf251141f3b4446f27be3b49804c90072b7fe628f3fe8550759e9adeb1677c6274aca0dd

Download Submit
memory/280-62-0x0000000000000000-mapping.dmp

Download
memory/280-408-0x000000000009192E-mapping.dmp

Download
memory/280-198-0x000000000009192E-mapping.dmp

Download
memory/320-552-0x000000000009192E-mapping.dmp

Download
memory/332-67-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/332-69-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/332-70-0x000000000009192E-mapping.dmp

Download
memory/332-72-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/332-74-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/344-435-0x000000000009192E-mapping.dmp

Download
memory/524-616-0x000000000009192E-mapping.dmp

Download
memory/536-262-0x000000000009192E-mapping.dmp

Download
memory/552-489-0x000000000009192E-mapping.dmp

Download
memory/568-403-0x00000000000C0000-0x00000000000D6000-memory.dmp

Filesize
88KB

Download
memory/568-398-0x00000000000D192E-mapping.dmp

Download
memory/588-253-0x000000000009192E-mapping.dmp

Download
memory/592-325-0x000000000009192E-mapping.dmp

Download
memory/632-59-0x0000000000000000-mapping.dmp

Download
memory/676-66-0x0000000000000000-mapping.dmp

Download
memory/776-207-0x000000000009192E-mapping.dmp

Download
memory/800-298-0x000000000009192E-mapping.dmp

Download
memory/808-180-0x000000000009192E-mapping.dmp

Download
memory/868-352-0x00000000000E192E-mapping.dmp

Download
memory/888-334-0x00000000000E192E-mapping.dmp

Download
memory/892-426-0x000000000009192E-mapping.dmp

Download
memory/892-216-0x000000000009192E-mapping.dmp

Download
memory/896-1015-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/904-471-0x000000000009192E-mapping.dmp

Download
memory/908-171-0x000000000009192E-mapping.dmp

Download
memory/912-97-0x000000000009192E-mapping.dmp

Download
memory/948-343-0x000000000009192E-mapping.dmp

Download
memory/960-115-0x000000000019192E-mapping.dmp

Download
memory/960-119-0x0000000000180000-0x0000000000196000-memory.dmp

Filesize
88KB

Download
memory/960-117-0x0000000000180000-0x0000000000196000-memory.dmp

Filesize
88KB

Download
memory/960-114-0x0000000000180000-0x0000000000196000-memory.dmp

Filesize
88KB

Download
memory/988-234-0x000000000009192E-mapping.dmp

Download
memory/1036-525-0x000000000009192E-mapping.dmp

Download
memory/1068-589-0x000000000009192E-mapping.dmp

Download
memory/1120-598-0x000000000009192E-mapping.dmp

Download
memory/1180-316-0x000000000009192E-mapping.dmp

Download
memory/1296-243-0x00000000000D192E-mapping.dmp

Download
memory/1296-248-0x00000000000C0000-0x00000000000D6000-memory.dmp

Filesize
88KB

Download
memory/1308-289-0x000000000009192E-mapping.dmp

Download
memory/1320-561-0x000000000009192E-mapping.dmp

Download
memory/1372-579-0x000000000019192E-mapping.dmp

Download
memory/1372-584-0x0000000000180000-0x0000000000196000-memory.dmp

Filesize
88KB

Download
memory/1420-498-0x00000000000E192E-mapping.dmp

Download
memory/1476-138-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/1476-135-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/1476-133-0x00000000000E192E-mapping.dmp

Download
memory/1476-132-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/1532-507-0x00000000000D192E-mapping.dmp

Download
memory/1532-225-0x000000000009192E-mapping.dmp

Download
memory/1544-54-0x0000000075681000-0x0000000075683000-memory.dmp

Filesize
8KB

Download
memory/1544-607-0x000000000009192E-mapping.dmp

Download
memory/1548-124-0x000000000009192E-mapping.dmp

Download
memory/1552-189-0x000000000009192E-mapping.dmp

Download
memory/1556-444-0x000000000009192E-mapping.dmp

Download
memory/1572-307-0x000000000009192E-mapping.dmp

Download
memory/1584-534-0x00000000001E192E-mapping.dmp

Download
memory/1600-79-0x000000000009192E-mapping.dmp

Download
memory/1600-81-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/1600-83-0x0000000000080000-0x0000000000096000-memory.dmp

Filesize
88KB

Download
memory/1604-417-0x000000000009192E-mapping.dmp

Download
memory/1616-271-0x000000000009192E-mapping.dmp

Download
memory/1628-152-0x00000000001E192E-mapping.dmp

Download
memory/1628-157-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/1636-453-0x00000000000D192E-mapping.dmp

Download
memory/1652-462-0x00000000000D192E-mapping.dmp

Download
memory/1724-480-0x000000000009192E-mapping.dmp

Download
memory/1732-162-0x000000000009192E-mapping.dmp

Download
memory/1752-1006-0x00000000000D0000-0x00000000000E6000-memory.dmp

Filesize
88KB

Download
memory/1784-143-0x000000000009192E-mapping.dmp

Download
memory/1808-384-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/1808-379-0x00000000001D192E-mapping.dmp

Download
memory/1832-280-0x000000000009192E-mapping.dmp

Download
memory/1844-106-0x000000000009192E-mapping.dmp

Download
memory/1892-389-0x000000000009192E-mapping.dmp

Download
memory/1908-733-0x00000000001D0000-0x00000000001E6000-memory.dmp

Filesize
88KB

Download
memory/1956-516-0x00000000000D192E-mapping.dmp

Download
memory/1960-570-0x000000000009192E-mapping.dmp

Download
memory/1992-370-0x000000000009192E-mapping.dmp

Download
memory/2000-543-0x000000000009192E-mapping.dmp

Download
memory/2008-361-0x000000000009192E-mapping.dmp

Download
memory/2012-88-0x000000000009192E-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads