fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7

Analysis

max time kernel
149s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
28-11-2022 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
Size

2.6MB
MD5

e72aaafff683d056502cc68ab1333deb
SHA1

934deb70f68a11e75985933a8a449fb4a8269dc4
SHA256

fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7
SHA512

101d7c33bad59ce83b5d372e013fc838f1b6c33e96d94b22bcf499ef6a3a6277f2ec86d864d5d6ac7edfa1e6dee83a0e7dfc4a277b7e63546c7899585d5a29f2
SSDEEP

49152:SJZoQrbTFZY1iazcBXcmdxoNmiHFNWt7jAui5Uj2MNo:StrbTA1Eo

Score

10^/10

persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Users\\Admin\\AppData\\Roaming\\Windows\\winmgr125.exe,explorer.exe"	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe

Executes dropped EXE 4 IoCs

Processes:

File.exevegas.pro.12.-patch.exevbc.exewinmgr125.exe

pid process

1692 File.exe
956 vegas.pro.12.-patch.exe
968 vbc.exe
268 winmgr125.exe

pid	process
1692	File.exe
956	vegas.pro.12.-patch.exe
968	vbc.exe
268	winmgr125.exe

Loads dropped DLL 13 IoCs

Processes:

cmd.exeFile.exevegas.pro.12.-patch.exevbc.exe

pid	process
2016	cmd.exe
2016	cmd.exe
1692	File.exe
1692	File.exe
1692	File.exe
1692	File.exe
1692	File.exe
956	vegas.pro.12.-patch.exe
956	vegas.pro.12.-patch.exe
968	vbc.exe
968	vbc.exe
956	vegas.pro.12.-patch.exe
956	vegas.pro.12.-patch.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe	autoit_exe
C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe	autoit_exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe

description	pid	process	target process
PID 1212 set thread context of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
688	schtasks.exe
1612	schtasks.exe
628	schtasks.exe
1768	schtasks.exe
1304	schtasks.exe
980	schtasks.exe
280	schtasks.exe
1996	schtasks.exe
1736	schtasks.exe
976	schtasks.exe
1712	schtasks.exe
1812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe

pid	process
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

AUDIODG.EXE

description	pid	process
Token: 33	1732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1732	AUDIODG.EXE
Token: 33	1732	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1732	AUDIODG.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.execmd.exeFile.exe

description	pid	process	target process
PID 1212 wrote to memory of 2016	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	cmd.exe
PID 1212 wrote to memory of 2016	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	cmd.exe
PID 1212 wrote to memory of 2016	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	cmd.exe
PID 1212 wrote to memory of 2016	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	cmd.exe
PID 2016 wrote to memory of 1692	2016	cmd.exe	File.exe
PID 2016 wrote to memory of 1692	2016	cmd.exe	File.exe
PID 2016 wrote to memory of 1692	2016	cmd.exe	File.exe
PID 2016 wrote to memory of 1692	2016	cmd.exe	File.exe
PID 2016 wrote to memory of 1692	2016	cmd.exe	File.exe
PID 2016 wrote to memory of 1692	2016	cmd.exe	File.exe
PID 2016 wrote to memory of 1692	2016	cmd.exe	File.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 948	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	RegAsm.exe
PID 1212 wrote to memory of 628	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 628	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 628	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 628	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 1768	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 1768	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 1768	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 1768	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 688	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 688	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 688	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 688	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 1304	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 1304	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 1304	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 1304	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 980	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 980	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 980	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 980	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 280	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 280	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 280	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 280	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1692 wrote to memory of 956	1692	File.exe	vegas.pro.12.-patch.exe
PID 1692 wrote to memory of 956	1692	File.exe	vegas.pro.12.-patch.exe
PID 1692 wrote to memory of 956	1692	File.exe	vegas.pro.12.-patch.exe
PID 1692 wrote to memory of 956	1692	File.exe	vegas.pro.12.-patch.exe
PID 1692 wrote to memory of 956	1692	File.exe	vegas.pro.12.-patch.exe
PID 1692 wrote to memory of 956	1692	File.exe	vegas.pro.12.-patch.exe
PID 1692 wrote to memory of 956	1692	File.exe	vegas.pro.12.-patch.exe
PID 1692 wrote to memory of 968	1692	File.exe	vbc.exe
PID 1692 wrote to memory of 968	1692	File.exe	vbc.exe
PID 1692 wrote to memory of 968	1692	File.exe	vbc.exe
PID 1692 wrote to memory of 968	1692	File.exe	vbc.exe
PID 1692 wrote to memory of 968	1692	File.exe	vbc.exe
PID 1692 wrote to memory of 968	1692	File.exe	vbc.exe
PID 1692 wrote to memory of 968	1692	File.exe	vbc.exe
PID 1212 wrote to memory of 1996	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 1996	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe
PID 1212 wrote to memory of 1996	1212	fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe
"C:\Users\Admin\AppData\Local\Temp\fed74fd902778dd9263ec46c97192a4d0238afd343b2c73b43bed3b309df55b7.exe"
1⤵
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Local\Temp\File.exe
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016

C:\Users\Admin\AppData\Local\Temp\File.exe
C:\Users\Admin\AppData\Local\Temp\File.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\vegas.pro.12.-patch.exe
"C:\Users\Admin\AppData\Local\Temp\vegas.pro.12.-patch.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:956

C:\Users\Admin\AppData\Local\Temp\vbc.exe
"C:\Users\Admin\AppData\Local\Temp\vbc.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:968

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
2⤵
PID:948

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:628

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:1768

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:688

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:1304

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:980

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:280

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:1996

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:1612

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:976

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:1712

C:\Windows\SysWOW64\schtasks.exe
C:\Windows\SysWOW64\schtasks.exe /create /sc minute /mo 1 /tn "winmgr125.exe" /tr "C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe" /f
2⤵
- Creates scheduled task(s)
PID:1812

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1732

C:\Windows\system32\taskeng.exe
taskeng.exe {78617E62-086C-4089-A98A-1E222511892D} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1]
1⤵
PID:1524

C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe
C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe
2⤵
- Executes dropped EXE
PID:268

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
5e39c63781767d37289b856d42d7a466

SHA1
4b677be118b2c5c0413d0e47691e8c9266502006

SHA256
50b35255bdaf57c1afe35589925e0a7a8ad549880518f8b22ef07e704aac4ad1

SHA512
f2f5319cd6eab3c0b21bb5f2b7a6d2714af5597547fecf4d6c881c09e4d36d50660942a3c90646ca2c0fcc79f1f982b1de451b0e725237962fda977ef34c7110

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
5e39c63781767d37289b856d42d7a466

SHA1
4b677be118b2c5c0413d0e47691e8c9266502006

SHA256
50b35255bdaf57c1afe35589925e0a7a8ad549880518f8b22ef07e704aac4ad1

SHA512
f2f5319cd6eab3c0b21bb5f2b7a6d2714af5597547fecf4d6c881c09e4d36d50660942a3c90646ca2c0fcc79f1f982b1de451b0e725237962fda977ef34c7110

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
104KB

MD5
252ff7ee1ee5556f3060ccdb4a5f546a

SHA1
75b012ccb52d403a8beb55b1382e9dae25a25af5

SHA256
1ddb00abce8dbda3aa0dd5e4d2d00c14b9b668c9b4533058764163706c1e093d

SHA512
73e4313230c2efd717902ec3b5a8a7ef5b57b3f1c3624c465f350efa2dca273d5f988275a519c927ff76b0cc811ab399c01c493ba82ee06a3c05c56459ee5972

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
104KB

MD5
252ff7ee1ee5556f3060ccdb4a5f546a

SHA1
75b012ccb52d403a8beb55b1382e9dae25a25af5

SHA256
1ddb00abce8dbda3aa0dd5e4d2d00c14b9b668c9b4533058764163706c1e093d

SHA512
73e4313230c2efd717902ec3b5a8a7ef5b57b3f1c3624c465f350efa2dca273d5f988275a519c927ff76b0cc811ab399c01c493ba82ee06a3c05c56459ee5972

Download Submit
C:\Users\Admin\AppData\Local\Temp\vegas.pro.12.-patch.exe
Filesize
923KB

MD5
9ce24ef65f2af35e42079ea84b535097

SHA1
fb2b10c924e107597aabf49d5bb6c624ac10e3b4

SHA256
903bcf62888ce93b6b7e29a6c6243bf0f11931b5db02c703cd7ea857737c2358

SHA512
dad6168e4f0ee425fca9522d7dc5a79ef51f279c37a293e2cfaa3ce0faf24165a485042bebcb6984a0fe47eba9e847a6f55cc53721514c71141c0c5deb517197

Download Submit
C:\Users\Admin\AppData\Local\Temp\vegas.pro.12.-patch.exe
Filesize
923KB

MD5
9ce24ef65f2af35e42079ea84b535097

SHA1
fb2b10c924e107597aabf49d5bb6c624ac10e3b4

SHA256
903bcf62888ce93b6b7e29a6c6243bf0f11931b5db02c703cd7ea857737c2358

SHA512
dad6168e4f0ee425fca9522d7dc5a79ef51f279c37a293e2cfaa3ce0faf24165a485042bebcb6984a0fe47eba9e847a6f55cc53721514c71141c0c5deb517197

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe
Filesize
5.2MB

MD5
87b0ab9ea7c848a123b6d549e40132f1

SHA1
d38c00b3d916aadb61b2fd6d4653f8c214c1033f

SHA256
0eea6b205bb130bf91377842c10c6c4f73d56e94300209053fce945a3cd1db79

SHA512
c164bbfa9a84aad0ab074fa905523ee271a0c1fec1b195a52eb172dba70e25d7a9b7d63de00ddf69711d7d7d0575bacfa1bd1454bddc67ef7f80e2dc63852428

Download Submit
C:\Users\Admin\AppData\Roaming\Windows\winmgr125.exe
Filesize
5.2MB

MD5
87b0ab9ea7c848a123b6d549e40132f1

SHA1
d38c00b3d916aadb61b2fd6d4653f8c214c1033f

SHA256
0eea6b205bb130bf91377842c10c6c4f73d56e94300209053fce945a3cd1db79

SHA512
c164bbfa9a84aad0ab074fa905523ee271a0c1fec1b195a52eb172dba70e25d7a9b7d63de00ddf69711d7d7d0575bacfa1bd1454bddc67ef7f80e2dc63852428

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
5e39c63781767d37289b856d42d7a466

SHA1
4b677be118b2c5c0413d0e47691e8c9266502006

SHA256
50b35255bdaf57c1afe35589925e0a7a8ad549880518f8b22ef07e704aac4ad1

SHA512
f2f5319cd6eab3c0b21bb5f2b7a6d2714af5597547fecf4d6c881c09e4d36d50660942a3c90646ca2c0fcc79f1f982b1de451b0e725237962fda977ef34c7110

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
5e39c63781767d37289b856d42d7a466

SHA1
4b677be118b2c5c0413d0e47691e8c9266502006

SHA256
50b35255bdaf57c1afe35589925e0a7a8ad549880518f8b22ef07e704aac4ad1

SHA512
f2f5319cd6eab3c0b21bb5f2b7a6d2714af5597547fecf4d6c881c09e4d36d50660942a3c90646ca2c0fcc79f1f982b1de451b0e725237962fda977ef34c7110

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
5e39c63781767d37289b856d42d7a466

SHA1
4b677be118b2c5c0413d0e47691e8c9266502006

SHA256
50b35255bdaf57c1afe35589925e0a7a8ad549880518f8b22ef07e704aac4ad1

SHA512
f2f5319cd6eab3c0b21bb5f2b7a6d2714af5597547fecf4d6c881c09e4d36d50660942a3c90646ca2c0fcc79f1f982b1de451b0e725237962fda977ef34c7110

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
5e39c63781767d37289b856d42d7a466

SHA1
4b677be118b2c5c0413d0e47691e8c9266502006

SHA256
50b35255bdaf57c1afe35589925e0a7a8ad549880518f8b22ef07e704aac4ad1

SHA512
f2f5319cd6eab3c0b21bb5f2b7a6d2714af5597547fecf4d6c881c09e4d36d50660942a3c90646ca2c0fcc79f1f982b1de451b0e725237962fda977ef34c7110

Download Submit
\Users\Admin\AppData\Local\Temp\File.exe
Filesize
1.1MB

MD5
5e39c63781767d37289b856d42d7a466

SHA1
4b677be118b2c5c0413d0e47691e8c9266502006

SHA256
50b35255bdaf57c1afe35589925e0a7a8ad549880518f8b22ef07e704aac4ad1

SHA512
f2f5319cd6eab3c0b21bb5f2b7a6d2714af5597547fecf4d6c881c09e4d36d50660942a3c90646ca2c0fcc79f1f982b1de451b0e725237962fda977ef34c7110

Download Submit
\Users\Admin\AppData\Local\Temp\bassmod.dll
Filesize
33KB

MD5
e4ec57e8508c5c4040383ebe6d367928

SHA1
b22bcce36d9fdeae8ab7a7ecc0b01c8176648d06

SHA256
8ad9e47693e292f381da42ddc13724a3063040e51c26f4ca8e1f8e2f1ddd547f

SHA512
77d5cf66caf06e192e668fae2b2594e60a498e8e0ccef5b09b9710721a4cdb0c852d00c446fd32c5b5c85e739de2e73cb1f1f6044879fe7d237341bbb6f27822

Download Submit
\Users\Admin\AppData\Local\Temp\dup2patcher.dll
Filesize
615KB

MD5
ad68a51c74adfd0ea926a692783d6479

SHA1
a828edd399720c492e8fe556acbc4e6d9649ad8d

SHA256
394b34e3ea4114e2181324e0a289e1db0cec01a15886af2bf1c23610cf415e76

SHA512
31e5583c65d77114045735e1561fef896cdcfc53fd0bf367baa3e4d234931edf3b6756ae6a66be2babc8c8d7d9e1ba33f7475ccc560b6766a6ee10c389ef1904

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
104KB

MD5
252ff7ee1ee5556f3060ccdb4a5f546a

SHA1
75b012ccb52d403a8beb55b1382e9dae25a25af5

SHA256
1ddb00abce8dbda3aa0dd5e4d2d00c14b9b668c9b4533058764163706c1e093d

SHA512
73e4313230c2efd717902ec3b5a8a7ef5b57b3f1c3624c465f350efa2dca273d5f988275a519c927ff76b0cc811ab399c01c493ba82ee06a3c05c56459ee5972

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
104KB

MD5
252ff7ee1ee5556f3060ccdb4a5f546a

SHA1
75b012ccb52d403a8beb55b1382e9dae25a25af5

SHA256
1ddb00abce8dbda3aa0dd5e4d2d00c14b9b668c9b4533058764163706c1e093d

SHA512
73e4313230c2efd717902ec3b5a8a7ef5b57b3f1c3624c465f350efa2dca273d5f988275a519c927ff76b0cc811ab399c01c493ba82ee06a3c05c56459ee5972

Download Submit
\Users\Admin\AppData\Local\Temp\vbc.exe
Filesize
104KB

MD5
252ff7ee1ee5556f3060ccdb4a5f546a

SHA1
75b012ccb52d403a8beb55b1382e9dae25a25af5

SHA256
1ddb00abce8dbda3aa0dd5e4d2d00c14b9b668c9b4533058764163706c1e093d

SHA512
73e4313230c2efd717902ec3b5a8a7ef5b57b3f1c3624c465f350efa2dca273d5f988275a519c927ff76b0cc811ab399c01c493ba82ee06a3c05c56459ee5972

Download Submit
\Users\Admin\AppData\Local\Temp\vegas.pro.12.-patch.exe
Filesize
923KB

MD5
9ce24ef65f2af35e42079ea84b535097

SHA1
fb2b10c924e107597aabf49d5bb6c624ac10e3b4

SHA256
903bcf62888ce93b6b7e29a6c6243bf0f11931b5db02c703cd7ea857737c2358

SHA512
dad6168e4f0ee425fca9522d7dc5a79ef51f279c37a293e2cfaa3ce0faf24165a485042bebcb6984a0fe47eba9e847a6f55cc53721514c71141c0c5deb517197

Download Submit
\Users\Admin\AppData\Local\Temp\vegas.pro.12.-patch.exe
Filesize
923KB

MD5
9ce24ef65f2af35e42079ea84b535097

SHA1
fb2b10c924e107597aabf49d5bb6c624ac10e3b4

SHA256
903bcf62888ce93b6b7e29a6c6243bf0f11931b5db02c703cd7ea857737c2358

SHA512
dad6168e4f0ee425fca9522d7dc5a79ef51f279c37a293e2cfaa3ce0faf24165a485042bebcb6984a0fe47eba9e847a6f55cc53721514c71141c0c5deb517197

Download Submit
\Users\Admin\AppData\Local\Temp\vegas.pro.12.-patch.exe
Filesize
923KB

MD5
9ce24ef65f2af35e42079ea84b535097

SHA1
fb2b10c924e107597aabf49d5bb6c624ac10e3b4

SHA256
903bcf62888ce93b6b7e29a6c6243bf0f11931b5db02c703cd7ea857737c2358

SHA512
dad6168e4f0ee425fca9522d7dc5a79ef51f279c37a293e2cfaa3ce0faf24165a485042bebcb6984a0fe47eba9e847a6f55cc53721514c71141c0c5deb517197

Download Submit
memory/268-115-0x0000000000000000-mapping.dmp

Download
memory/280-84-0x0000000000000000-mapping.dmp

Download
memory/628-73-0x0000000000000000-mapping.dmp

Download
memory/688-79-0x0000000000000000-mapping.dmp

Download
memory/948-72-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/948-68-0x00000000004453AE-mapping.dmp

Download
memory/948-62-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/948-111-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/948-63-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/948-105-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/948-65-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/948-66-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/948-70-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/948-67-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/956-101-0x00000000001E0000-0x00000000001E4000-memory.dmp

Filesize
16KB

Download
memory/956-107-0x0000000010000000-0x0000000010013000-memory.dmp

Filesize
76KB

Download
memory/956-85-0x0000000000000000-mapping.dmp

Download
memory/956-99-0x00000000009D0000-0x0000000000B07000-memory.dmp

Filesize
1.2MB

Download
memory/956-90-0x0000000000070000-0x00000000001A7000-memory.dmp

Filesize
1.2MB

Download
memory/956-102-0x0000000074D00000-0x0000000074DB2000-memory.dmp

Filesize
712KB

Download
memory/968-88-0x0000000000000000-mapping.dmp

Download
memory/968-110-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/968-104-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/976-112-0x0000000000000000-mapping.dmp

Download
memory/980-81-0x0000000000000000-mapping.dmp

Download
memory/1212-54-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1304-80-0x0000000000000000-mapping.dmp

Download
memory/1612-108-0x0000000000000000-mapping.dmp

Download
memory/1692-83-0x0000000002AB0000-0x0000000002BE7000-memory.dmp

Filesize
1.2MB

Download
memory/1692-59-0x0000000000000000-mapping.dmp

Download
memory/1712-113-0x0000000000000000-mapping.dmp

Download
memory/1736-109-0x0000000000000000-mapping.dmp

Download
memory/1768-75-0x0000000000000000-mapping.dmp

Download
memory/1812-118-0x0000000000000000-mapping.dmp

Download
memory/1996-103-0x0000000000000000-mapping.dmp

Download
memory/2016-55-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads