e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550

General

Target

e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
Size

293KB
MD5

48ea1846b7eb008d80290bb78ccf5fd0
SHA1

75ef09492b396d75d6b01b4a0bd4a14c29eff508
SHA256

e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550
SHA512

77646d699102b647c3f65babf726e628920b38fdbff5f87920f6e2ff3d3efb01d41d7e17c5560f19650633ae9df8924fa009167a1b9bdf8b6005f72ce32f8312
SSDEEP

6144:f50k6tyigGdn+Hvg9YHSilDeGTj6XlHyuDMsJVrUDQI4p+8Xm0fldmbgxZ5Byy4:OvRn96HSi8EjQxyuDMoNmE6Mld6g9BT4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe

pid	process
5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
2920	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Windows Software Utilizer = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Utilizer.exe"	WScript.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe

description	pid	process	target process
PID 3584 set thread context of 688	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 688 set thread context of 1836	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 5112 set thread context of 2920	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 3 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4868 PING.EXE

pid	process
4868	PING.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe

description	pid	process
Token: SeDebugPrivilege	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
Token: SeDebugPrivilege	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
Token: SeDebugPrivilege	1836	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
Token: SeDebugPrivilege	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe

Suspicious use of WriteProcessMemory 48 IoCs

Processes:

e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exeexplorer.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exeexplorer.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.execmd.exee987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exeexplorer.exe

description	pid	process	target process
PID 3584 wrote to memory of 2376	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	explorer.exe
PID 3584 wrote to memory of 2376	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	explorer.exe
PID 3584 wrote to memory of 2376	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	explorer.exe
PID 3584 wrote to memory of 688	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 3584 wrote to memory of 688	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 3584 wrote to memory of 688	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 3584 wrote to memory of 688	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 3584 wrote to memory of 688	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 3584 wrote to memory of 688	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 3584 wrote to memory of 688	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 3584 wrote to memory of 688	3584	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 312 wrote to memory of 3464	312	explorer.exe	WScript.exe
PID 312 wrote to memory of 3464	312	explorer.exe	WScript.exe
PID 688 wrote to memory of 2952	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	explorer.exe
PID 688 wrote to memory of 2952	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	explorer.exe
PID 688 wrote to memory of 2952	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	explorer.exe
PID 688 wrote to memory of 1836	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 688 wrote to memory of 1836	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 688 wrote to memory of 1836	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 688 wrote to memory of 1836	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 688 wrote to memory of 1836	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 688 wrote to memory of 1836	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 688 wrote to memory of 1836	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 688 wrote to memory of 1836	688	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 5116 wrote to memory of 1968	5116	explorer.exe	WScript.exe
PID 5116 wrote to memory of 1968	5116	explorer.exe	WScript.exe
PID 1836 wrote to memory of 5112	1836	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 1836 wrote to memory of 5112	1836	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 1836 wrote to memory of 5112	1836	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 1836 wrote to memory of 1780	1836	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	cmd.exe
PID 1836 wrote to memory of 1780	1836	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	cmd.exe
PID 1836 wrote to memory of 1780	1836	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	cmd.exe
PID 1780 wrote to memory of 4868	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 4868	1780	cmd.exe	PING.EXE
PID 1780 wrote to memory of 4868	1780	cmd.exe	PING.EXE
PID 5112 wrote to memory of 3292	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	explorer.exe
PID 5112 wrote to memory of 3292	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	explorer.exe
PID 5112 wrote to memory of 3292	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	explorer.exe
PID 5112 wrote to memory of 2920	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 5112 wrote to memory of 2920	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 5112 wrote to memory of 2920	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 5112 wrote to memory of 2920	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 5112 wrote to memory of 2920	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 5112 wrote to memory of 2920	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 5112 wrote to memory of 2920	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 5112 wrote to memory of 2920	5112	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe	e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
PID 1460 wrote to memory of 3040	1460	explorer.exe	WScript.exe
PID 1460 wrote to memory of 3040	1460	explorer.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
"C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3584

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\dgbXEyc.vbs
2⤵
PID:2376

C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
"C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:688

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\LdKhI.vbs
3⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
"C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe"
3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
"C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\System32\explorer.exe" C:\Users\Admin\AppData\Roaming\dgbXEyc.vbs
5⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
"C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe"
5⤵
- Executes dropped EXE
PID:2920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 1.1.1.1 -n 1 -w 1000 > Nul & Del "C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:1780

C:\Windows\SysWOW64\PING.EXE
ping 1.1.1.1 -n 1 -w 1000
5⤵
- Runs ping.exe
PID:4868

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\dgbXEyc.vbs"
2⤵
- Adds Run key to start application
PID:3464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5116

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\LdKhI.vbs"
2⤵
- Adds Run key to start application
PID:1968

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\dgbXEyc.vbs"
2⤵
PID:3040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe.log
Filesize
319B

MD5
da4fafeffe21b7cb3a8c170ca7911976

SHA1
50ef77e2451ab60f93f4db88325b897d215be5ad

SHA256
7341a4a13e81cbb5b7f39ec47bb45f84836b08b8d8e3ea231d2c7dad982094f7

SHA512
0bc24b69460f31a0ebc0628b99908d818ee85feb7e4b663271d9375b30cced0cd55a0bbf8edff1281a4c886ddf4476ffc989c283069cdcb1235ffcb265580fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
Filesize
293KB

MD5
48ea1846b7eb008d80290bb78ccf5fd0

SHA1
75ef09492b396d75d6b01b4a0bd4a14c29eff508

SHA256
e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550

SHA512
77646d699102b647c3f65babf726e628920b38fdbff5f87920f6e2ff3d3efb01d41d7e17c5560f19650633ae9df8924fa009167a1b9bdf8b6005f72ce32f8312

Download Submit
C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
Filesize
293KB

MD5
48ea1846b7eb008d80290bb78ccf5fd0

SHA1
75ef09492b396d75d6b01b4a0bd4a14c29eff508

SHA256
e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550

SHA512
77646d699102b647c3f65babf726e628920b38fdbff5f87920f6e2ff3d3efb01d41d7e17c5560f19650633ae9df8924fa009167a1b9bdf8b6005f72ce32f8312

Download Submit
C:\Users\Admin\AppData\Local\Temp\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550\e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550.exe
Filesize
293KB

MD5
48ea1846b7eb008d80290bb78ccf5fd0

SHA1
75ef09492b396d75d6b01b4a0bd4a14c29eff508

SHA256
e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550

SHA512
77646d699102b647c3f65babf726e628920b38fdbff5f87920f6e2ff3d3efb01d41d7e17c5560f19650633ae9df8924fa009167a1b9bdf8b6005f72ce32f8312

Download Submit
C:\Users\Admin\AppData\Roaming\LdKhI.vbs
Filesize
601B

MD5
a77d5619362307159baa3c88773f1018

SHA1
ec1a4d116035b91dcfe32b2890bb245f9a21a27e

SHA256
558b84e535b8042845560031feeba8dd93cee52338473d35206e0e039b46b48a

SHA512
09f1a0e0c0419fe621fbc6ef4bea627c394c22978592265fc4eb8b3316b762e4391e54f62e282ce8c5c8c87fa587f1d70a2d9b79e717669e0ecc8f46f7e994a6

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Utilizer.exe
Filesize
293KB

MD5
48ea1846b7eb008d80290bb78ccf5fd0

SHA1
75ef09492b396d75d6b01b4a0bd4a14c29eff508

SHA256
e987822bc4d12a26d0bde191742a107cb3b4118d61505c5a95f4e8dee74b6550

SHA512
77646d699102b647c3f65babf726e628920b38fdbff5f87920f6e2ff3d3efb01d41d7e17c5560f19650633ae9df8924fa009167a1b9bdf8b6005f72ce32f8312

Download Submit
C:\Users\Admin\AppData\Roaming\dgbXEyc.vbs
Filesize
601B

MD5
a77d5619362307159baa3c88773f1018

SHA1
ec1a4d116035b91dcfe32b2890bb245f9a21a27e

SHA256
558b84e535b8042845560031feeba8dd93cee52338473d35206e0e039b46b48a

SHA512
09f1a0e0c0419fe621fbc6ef4bea627c394c22978592265fc4eb8b3316b762e4391e54f62e282ce8c5c8c87fa587f1d70a2d9b79e717669e0ecc8f46f7e994a6

Download Submit
C:\Users\Admin\AppData\Roaming\dgbXEyc.vbs
Filesize
666B

MD5
e9de9fdda3ee3d2d837c1ee5ad4856a7

SHA1
d4994701d62e2e9c7c4a29ea5f19474c5f49cc46

SHA256
1a7157c9651648d1af2cc47b27b6e436dff7b0f2a4b3fd0e8a4fab5b70daa72e

SHA512
91c777bc6f959ebe5e61fc858a98da4492c91e3dc0c81f7548b7a792569653831efa40752e1b987c5603f415dd637ef1c7a3f810c5f2cc4dcf0f16f524d1ea6f

Download Submit
memory/688-135-0x0000000000000000-mapping.dmp

Download
memory/688-140-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/688-137-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/688-136-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1780-152-0x0000000000000000-mapping.dmp

Download
memory/1836-148-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/1836-154-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/1836-144-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/1836-142-0x0000000000000000-mapping.dmp

Download
memory/1836-143-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/1968-146-0x0000000000000000-mapping.dmp

Download
memory/2376-134-0x0000000000000000-mapping.dmp

Download
memory/2920-164-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/2920-158-0x0000000000000000-mapping.dmp

Download
memory/2952-141-0x0000000000000000-mapping.dmp

Download
memory/3040-163-0x0000000000000000-mapping.dmp

Download
memory/3292-157-0x0000000000000000-mapping.dmp

Download
memory/3464-139-0x0000000000000000-mapping.dmp

Download
memory/3584-132-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/3584-133-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/4868-153-0x0000000000000000-mapping.dmp

Download
memory/5112-156-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/5112-155-0x0000000074E50000-0x0000000075401000-memory.dmp

Filesize
5.7MB

Download
memory/5112-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads