formbook | aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5

General

Target

Confirmation transfer Ref No_0033463247892.exe
Size

890KB
MD5

03c738a9106a7ba9bad7f4995d52f028
SHA1

204762dbb01579ea39295660d86085591578e0a1
SHA256

aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5
SHA512

d87e427aa177cd28b989e00a4bb382679054009a55021834319ee78bcc181b91d72b639c78fceb7e89584aef552af2fbb7cd90ec76719fb8cc81b18acf4e8c8d
SSDEEP

24576:jmRx3Gdhk0yClxNwArBMQm8i9eXiDdEPf:jmr32hkGFxBlmFezP

Score

10^/10

formbook q4k5 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

q4k5

Decoy

ZXN4RZ1db9JIzC7mhQ==

5+KpXZWys/DewpGQbChh6uPT5SNzFQ==

A8YuEKESXrzBhw==

uYH/9+Amwe1ZMkaR

KAusoWlA4I1Rt0P0jA==

AgIBy9IHiq8cdo4h47hB

PsX/0DrQRr+0hQ==

3z4v9UwXBjNTf48h47hB

bySPUkT+SFuT

VsQK5NkDks06l5z+TUG3eetd/twx2Mcjlg==

3+DcnQWuXG84sOphj5LEHIv/hA==

TOZXSDkjSHDoLk/pl2HYpOXJ

q7GGZ9KJrss/oTNwyxI=

2+O/k7y22Qo=

Joatk/qnSoO3q48h47hB

KT1UQcQ9yxWFQzCI

onRBEIHmYIl9XzhAIMtPLFAh5SNzFQ==

a8IY/+/oCDOj2TuM4Ohc

UlIOzyniF1sRnTNwyxI=

8UJiR6gijbvt+exXo7oCvdNV4BE=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Executes dropped EXE 2 IoCs

Processes:

Cookies2dg.exeCookies2dg.exe

pid process

560 Cookies2dg.exe
940 Cookies2dg.exe

pid	process
560	Cookies2dg.exe
940	Cookies2dg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Confirmation transfer Ref No_0033463247892.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation	Confirmation transfer Ref No_0033463247892.exe

Loads dropped DLL 1 IoCs

Processes:

control.exe

pid process

1120 control.exe

pid	process
1120	control.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\Machine\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	control.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\K6A4ANSXGV = "C:\\Program Files (x86)\\Gjptlgbx0\\Cookies2dg.exe"	control.exe

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

Confirmation transfer Ref No_0033463247892.exeConfirmation transfer Ref No_0033463247892.execontrol.exeCookies2dg.exe

description	pid	process	target process
PID 1252 set thread context of 1844	1252	Confirmation transfer Ref No_0033463247892.exe	Confirmation transfer Ref No_0033463247892.exe
PID 1844 set thread context of 1208	1844	Confirmation transfer Ref No_0033463247892.exe	Explorer.EXE
PID 1844 set thread context of 1208	1844	Confirmation transfer Ref No_0033463247892.exe	Explorer.EXE
PID 1120 set thread context of 1208	1120	control.exe	Explorer.EXE
PID 560 set thread context of 940	560	Cookies2dg.exe	Cookies2dg.exe

Drops file in Program Files directory 2 IoCs

Processes:

Explorer.EXEcontrol.exe

description	ioc	process
File created	C:\Program Files (x86)\Gjptlgbx0\Cookies2dg.exe	Explorer.EXE
File opened for modification	C:\Program Files (x86)\Gjptlgbx0\Cookies2dg.exe	control.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1260 schtasks.exe
1792 schtasks.exe

pid	process
1260	schtasks.exe
1792	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

control.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	control.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Confirmation transfer Ref No_0033463247892.exepowershell.exeConfirmation transfer Ref No_0033463247892.execontrol.exe

pid	process
1252	Confirmation transfer Ref No_0033463247892.exe
1252	Confirmation transfer Ref No_0033463247892.exe
1252	Confirmation transfer Ref No_0033463247892.exe
1252	Confirmation transfer Ref No_0033463247892.exe
1252	Confirmation transfer Ref No_0033463247892.exe
1252	Confirmation transfer Ref No_0033463247892.exe
1252	Confirmation transfer Ref No_0033463247892.exe
1488	powershell.exe
1844	Confirmation transfer Ref No_0033463247892.exe
1844	Confirmation transfer Ref No_0033463247892.exe
1844	Confirmation transfer Ref No_0033463247892.exe
1844	Confirmation transfer Ref No_0033463247892.exe
1844	Confirmation transfer Ref No_0033463247892.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE

pid	process
1208	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

Confirmation transfer Ref No_0033463247892.execontrol.exe

pid	process
1844	Confirmation transfer Ref No_0033463247892.exe
1844	Confirmation transfer Ref No_0033463247892.exe
1844	Confirmation transfer Ref No_0033463247892.exe
1844	Confirmation transfer Ref No_0033463247892.exe
1120	control.exe
1120	control.exe
1120	control.exe
1120	control.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

Confirmation transfer Ref No_0033463247892.exepowershell.exeConfirmation transfer Ref No_0033463247892.execontrol.exeExplorer.EXECookies2dg.exepowershell.exeCookies2dg.exe

description	pid	process
Token: SeDebugPrivilege	1252	Confirmation transfer Ref No_0033463247892.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	1844	Confirmation transfer Ref No_0033463247892.exe
Token: SeDebugPrivilege	1120	control.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeDebugPrivilege	560	Cookies2dg.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	940	Cookies2dg.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 43 IoCs

Processes:

Confirmation transfer Ref No_0033463247892.exeExplorer.EXEcontrol.exeCookies2dg.exe

description	pid	process	target process
PID 1252 wrote to memory of 1488	1252	Confirmation transfer Ref No_0033463247892.exe	powershell.exe
PID 1252 wrote to memory of 1488	1252	Confirmation transfer Ref No_0033463247892.exe	powershell.exe
PID 1252 wrote to memory of 1488	1252	Confirmation transfer Ref No_0033463247892.exe	powershell.exe
PID 1252 wrote to memory of 1488	1252	Confirmation transfer Ref No_0033463247892.exe	powershell.exe
PID 1252 wrote to memory of 1260	1252	Confirmation transfer Ref No_0033463247892.exe	schtasks.exe
PID 1252 wrote to memory of 1260	1252	Confirmation transfer Ref No_0033463247892.exe	schtasks.exe
PID 1252 wrote to memory of 1260	1252	Confirmation transfer Ref No_0033463247892.exe	schtasks.exe
PID 1252 wrote to memory of 1260	1252	Confirmation transfer Ref No_0033463247892.exe	schtasks.exe
PID 1252 wrote to memory of 1844	1252	Confirmation transfer Ref No_0033463247892.exe	Confirmation transfer Ref No_0033463247892.exe
PID 1252 wrote to memory of 1844	1252	Confirmation transfer Ref No_0033463247892.exe	Confirmation transfer Ref No_0033463247892.exe
PID 1252 wrote to memory of 1844	1252	Confirmation transfer Ref No_0033463247892.exe	Confirmation transfer Ref No_0033463247892.exe
PID 1252 wrote to memory of 1844	1252	Confirmation transfer Ref No_0033463247892.exe	Confirmation transfer Ref No_0033463247892.exe
PID 1252 wrote to memory of 1844	1252	Confirmation transfer Ref No_0033463247892.exe	Confirmation transfer Ref No_0033463247892.exe
PID 1252 wrote to memory of 1844	1252	Confirmation transfer Ref No_0033463247892.exe	Confirmation transfer Ref No_0033463247892.exe
PID 1252 wrote to memory of 1844	1252	Confirmation transfer Ref No_0033463247892.exe	Confirmation transfer Ref No_0033463247892.exe
PID 1208 wrote to memory of 1120	1208	Explorer.EXE	control.exe
PID 1208 wrote to memory of 1120	1208	Explorer.EXE	control.exe
PID 1208 wrote to memory of 1120	1208	Explorer.EXE	control.exe
PID 1208 wrote to memory of 1120	1208	Explorer.EXE	control.exe
PID 1120 wrote to memory of 668	1120	control.exe	Firefox.exe
PID 1120 wrote to memory of 668	1120	control.exe	Firefox.exe
PID 1120 wrote to memory of 668	1120	control.exe	Firefox.exe
PID 1120 wrote to memory of 668	1120	control.exe	Firefox.exe
PID 1120 wrote to memory of 668	1120	control.exe	Firefox.exe
PID 1208 wrote to memory of 560	1208	Explorer.EXE	Cookies2dg.exe
PID 1208 wrote to memory of 560	1208	Explorer.EXE	Cookies2dg.exe
PID 1208 wrote to memory of 560	1208	Explorer.EXE	Cookies2dg.exe
PID 1208 wrote to memory of 560	1208	Explorer.EXE	Cookies2dg.exe
PID 560 wrote to memory of 1988	560	Cookies2dg.exe	powershell.exe
PID 560 wrote to memory of 1988	560	Cookies2dg.exe	powershell.exe
PID 560 wrote to memory of 1988	560	Cookies2dg.exe	powershell.exe
PID 560 wrote to memory of 1988	560	Cookies2dg.exe	powershell.exe
PID 560 wrote to memory of 1792	560	Cookies2dg.exe	schtasks.exe
PID 560 wrote to memory of 1792	560	Cookies2dg.exe	schtasks.exe
PID 560 wrote to memory of 1792	560	Cookies2dg.exe	schtasks.exe
PID 560 wrote to memory of 1792	560	Cookies2dg.exe	schtasks.exe
PID 560 wrote to memory of 940	560	Cookies2dg.exe	Cookies2dg.exe
PID 560 wrote to memory of 940	560	Cookies2dg.exe	Cookies2dg.exe
PID 560 wrote to memory of 940	560	Cookies2dg.exe	Cookies2dg.exe
PID 560 wrote to memory of 940	560	Cookies2dg.exe	Cookies2dg.exe
PID 560 wrote to memory of 940	560	Cookies2dg.exe	Cookies2dg.exe
PID 560 wrote to memory of 940	560	Cookies2dg.exe	Cookies2dg.exe
PID 560 wrote to memory of 940	560	Cookies2dg.exe	Cookies2dg.exe

C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eSdygJSxTrIOo.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eSdygJSxTrIOo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4B53.tmp"
2⤵
- Creates scheduled task(s)
PID:1260

C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmation transfer Ref No_0033463247892.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Drops file in Program Files directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1128

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1524

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1368

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1504

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1632

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:620

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1960

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1716

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1668

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1352

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1672

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1776

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1324

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:884

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1068

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:912

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1348

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1396

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:808

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1144

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1564

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:840

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1924

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1956

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1316

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1332

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1392

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1120

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:668

C:\Program Files (x86)\Gjptlgbx0\Cookies2dg.exe
"C:\Program Files (x86)\Gjptlgbx0\Cookies2dg.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eSdygJSxTrIOo.exe"
3⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1988

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eSdygJSxTrIOo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCE58.tmp"
3⤵
- Creates scheduled task(s)
PID:1792

C:\Program Files (x86)\Gjptlgbx0\Cookies2dg.exe
"C:\Program Files (x86)\Gjptlgbx0\Cookies2dg.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Gjptlgbx0\Cookies2dg.exe
Filesize
890KB

MD5
03c738a9106a7ba9bad7f4995d52f028

SHA1
204762dbb01579ea39295660d86085591578e0a1

SHA256
aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5

SHA512
d87e427aa177cd28b989e00a4bb382679054009a55021834319ee78bcc181b91d72b639c78fceb7e89584aef552af2fbb7cd90ec76719fb8cc81b18acf4e8c8d

Download Submit
C:\Program Files (x86)\Gjptlgbx0\Cookies2dg.exe
Filesize
890KB

MD5
03c738a9106a7ba9bad7f4995d52f028

SHA1
204762dbb01579ea39295660d86085591578e0a1

SHA256
aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5

SHA512
d87e427aa177cd28b989e00a4bb382679054009a55021834319ee78bcc181b91d72b639c78fceb7e89584aef552af2fbb7cd90ec76719fb8cc81b18acf4e8c8d

Download Submit
C:\Program Files (x86)\Gjptlgbx0\Cookies2dg.exe
Filesize
890KB

MD5
03c738a9106a7ba9bad7f4995d52f028

SHA1
204762dbb01579ea39295660d86085591578e0a1

SHA256
aa6874a63646474141e2928b094c5dc15a1fc2ea610ece7ca7f95b80ec856be5

SHA512
d87e427aa177cd28b989e00a4bb382679054009a55021834319ee78bcc181b91d72b639c78fceb7e89584aef552af2fbb7cd90ec76719fb8cc81b18acf4e8c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4B53.tmp
Filesize
1KB

MD5
80083c976d3db828344ad04fc0be1067

SHA1
bc57d731649729c4b453d8cc203cbc6b78172022

SHA256
028f1be09fed5288c43180c7d30cd68d82d14ea43a8cf325517eb0fa756c7c10

SHA512
31c5d4317178786ed1018bb07864caea8570d10f07543d702ed21239b7dd2c66528fa7d6b520cdcaf634ca92acf538053743fcfd7b99bdfdcf429fe4c3d0fc17

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCE58.tmp
Filesize
1KB

MD5
80083c976d3db828344ad04fc0be1067

SHA1
bc57d731649729c4b453d8cc203cbc6b78172022

SHA256
028f1be09fed5288c43180c7d30cd68d82d14ea43a8cf325517eb0fa756c7c10

SHA512
31c5d4317178786ed1018bb07864caea8570d10f07543d702ed21239b7dd2c66528fa7d6b520cdcaf634ca92acf538053743fcfd7b99bdfdcf429fe4c3d0fc17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
670dadb46158c003c20395bfb8daa5bb

SHA1
89967cabb8d2c8ae8fd4678977e236cbab70f2d8

SHA256
6f6e1ad7fdac9550a97227a8cabb2a3ca38665a1bdd63281ac39454b092f7f3b

SHA512
cd9436c53cfcdd1a35bc7427e472ef2370d9c0d661f370ba27756eb742dfc55a56bda29789d91e8c236dfaf4bda7ad8a3d4c7757f0c5a12b67fccf0b10eed0a3

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll
Filesize
831KB

MD5
05ace2f6d9bef6fd9bbd05ee5262a1f2

SHA1
5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59

SHA256
002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc

SHA512
1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc

Download Submit
memory/560-95-0x0000000000000000-mapping.dmp

Download
memory/560-100-0x0000000000480000-0x0000000000496000-memory.dmp

Filesize
88KB

Download
memory/560-98-0x0000000000940000-0x0000000000A24000-memory.dmp

Filesize
912KB

Download
memory/940-110-0x00000000004012B0-mapping.dmp

Download
memory/940-113-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/940-115-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download
memory/1120-83-0x0000000000000000-mapping.dmp

Download
memory/1120-92-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1120-90-0x0000000001E50000-0x0000000001EDF000-memory.dmp

Filesize
572KB

Download
memory/1120-89-0x0000000001FE0000-0x00000000022E3000-memory.dmp

Filesize
3.0MB

Download
memory/1120-88-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1120-87-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/1208-82-0x0000000004E50000-0x0000000004F37000-memory.dmp

Filesize
924KB

Download
memory/1208-93-0x0000000006760000-0x0000000006863000-memory.dmp

Filesize
1.0MB

Download
memory/1208-91-0x0000000006760000-0x0000000006863000-memory.dmp

Filesize
1.0MB

Download
memory/1208-77-0x0000000004C50000-0x0000000004DC5000-memory.dmp

Filesize
1.5MB

Download
memory/1252-58-0x0000000005470000-0x0000000005500000-memory.dmp

Filesize
576KB

Download
memory/1252-54-0x0000000000D60000-0x0000000000E44000-memory.dmp

Filesize
912KB

Download
memory/1252-57-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/1252-56-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/1252-55-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1252-63-0x0000000005790000-0x00000000057E6000-memory.dmp

Filesize
344KB

Download
memory/1260-60-0x0000000000000000-mapping.dmp

Download
memory/1488-59-0x0000000000000000-mapping.dmp

Download
memory/1488-78-0x000000006F050000-0x000000006F5FB000-memory.dmp

Filesize
5.7MB

Download
memory/1488-64-0x000000006F050000-0x000000006F5FB000-memory.dmp

Filesize
5.7MB

Download
memory/1792-102-0x0000000000000000-mapping.dmp

Download
memory/1844-84-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-76-0x0000000000150000-0x0000000000160000-memory.dmp

Filesize
64KB

Download
memory/1844-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1844-80-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1844-73-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1844-74-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/1844-69-0x00000000004012B0-mapping.dmp

Download
memory/1844-85-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1844-75-0x0000000000422000-0x0000000000424000-memory.dmp

Filesize
8KB

Download
memory/1844-81-0x00000000001A0000-0x00000000001B0000-memory.dmp

Filesize
64KB

Download
memory/1988-114-0x000000006F6D0000-0x000000006FC7B000-memory.dmp

Filesize
5.7MB

Download
memory/1988-101-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads