fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7

Analysis

max time kernel
154s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 23:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
Size

868KB
MD5

d419bae96cbc8ca22f5dc4462f8a6ca3
SHA1

786b5a894aa05a6d10eee9a42997eea18265d8af
SHA256

fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7
SHA512

3e6a4081c8471d0fc50f66cdb16d14c36fd942625af16dce716191d76769db84f426a3ff78f92efdb9ef497dc6bf6e9522d8b1981e83ceac7865b2672dc3b134
SSDEEP

12288:O0anuaIFAQHh+xk283kP5NE0fC/mtuwdEncMvsFw+USLFucawSiB4ivzjIjO:OjNIFbkxT5NE0fXtbEn3ewoGwSinfs

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5080	temp.exe
2864	temp.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeBackupPrivilege	3552	dw20.exe
Token: SeBackupPrivilege	3552	dw20.exe
Token: SeBackupPrivilege	4248	dw20.exe
Token: SeBackupPrivilege	4248	dw20.exe
Token: SeBackupPrivilege	2224	dw20.exe
Token: SeBackupPrivilege	2224	dw20.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4204 wrote to memory of 2168	4204	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	82
PID 4204 wrote to memory of 2168	4204	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	82
PID 4204 wrote to memory of 5080	4204	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	84
PID 4204 wrote to memory of 5080	4204	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	84
PID 5080 wrote to memory of 3552	5080	temp.exe	85
PID 5080 wrote to memory of 3552	5080	temp.exe	85
PID 5080 wrote to memory of 1692	5080	temp.exe	87
PID 5080 wrote to memory of 1692	5080	temp.exe	87
PID 2168 wrote to memory of 4600	2168	vbc.exe	86
PID 2168 wrote to memory of 4600	2168	vbc.exe	86
PID 1692 wrote to memory of 1888	1692	vbc.exe	90
PID 1692 wrote to memory of 1888	1692	vbc.exe	90
PID 4204 wrote to memory of 4228	4204	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	91
PID 4204 wrote to memory of 4228	4204	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	91
PID 4228 wrote to memory of 4564	4228	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	92
PID 4228 wrote to memory of 4564	4228	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	92
PID 4228 wrote to memory of 2864	4228	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	94
PID 4228 wrote to memory of 2864	4228	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	94
PID 4564 wrote to memory of 4660	4564	vbc.exe	95
PID 4564 wrote to memory of 4660	4564	vbc.exe	95
PID 2864 wrote to memory of 4248	2864	temp.exe	96
PID 2864 wrote to memory of 4248	2864	temp.exe	96
PID 2864 wrote to memory of 2092	2864	temp.exe	97
PID 2864 wrote to memory of 2092	2864	temp.exe	97
PID 4228 wrote to memory of 2800	4228	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	99
PID 4228 wrote to memory of 2800	4228	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	99
PID 2092 wrote to memory of 2664	2092	vbc.exe	100
PID 2092 wrote to memory of 2664	2092	vbc.exe	100
PID 2800 wrote to memory of 2224	2800	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	101
PID 2800 wrote to memory of 2224	2800	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	101
PID 2800 wrote to memory of 1940	2800	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	102
PID 2800 wrote to memory of 1940	2800	fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe	102
PID 1940 wrote to memory of 2888	1940	vbc.exe	104
PID 1940 wrote to memory of 2888	1940	vbc.exe	104

C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
"C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\k6qgo3xt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0DA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc33E1E67AF7874560BD3CE58D6A5CDDA.TMP"
    3⤵
    PID:4600
- C:\Users\Admin\AppData\Roaming\temp.exe
  "C:\Users\Admin\AppData\Roaming\temp.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 816
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:3552
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\jfvj_vt2.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE2DE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD9AB4EBDF7004EDE9523B436D920F7BB.TMP"
      4⤵
      PID:1888
- C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
  C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mm8rgld6.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE937.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F3E2F70A51D44B0A2EFEF798AF691D.TMP"
      4⤵
      PID:4660
- - C:\Users\Admin\AppData\Roaming\temp.exe
    "C:\Users\Admin\AppData\Roaming\temp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 800
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4248
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oxzhsism.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF42.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA2212091C1E747358F912CDCB48836EF.TMP"
        5⤵
        
        PID:2664
- - C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
    C:\Users\Admin\AppData\Local\Temp\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
      dw20.exe -x -s 792
      4⤵
      Checks processor information in registry
      Enumerates system info in registry
      Suspicious use of AdjustPrivilegeToken
      PID:2224
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\57og-wpe.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF117.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc121C0EC0F4B544F383CA142297EBB1A3.TMP"
        5⤵
        
        PID:2888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\fbc4c80bed684e0f027c46cba49e933b99df69bbfc62b7ee3b001821543623b7.exe.log

Filesize
319B

MD5
3865e90083233524ea2066cec1c0e1f9

SHA1
46675f5064ec75e7a1f0b724eec1e594e795d793

SHA256
3ad86cf159df245f5a90542366944292c4e79d1b81468d4da9f78804b25f36d0

SHA512
8fad6aa496b49660dbe6c6de0f96b37ae60c68827c74450be42bab5d4345201f1377872733f4a45d25ba196ca9fc572aa5a5fa9a87c6a1dc75b4aaadaa8a42f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\57og-wpe.0.vb

Filesize
362KB

MD5
e8b2625fcda39a8e9ad84f2741287b03

SHA1
01157cd39ddf823f33d6c496adf5d8ebfd6b245e

SHA256
15a1e48526600daec1caaac801f407524690cc1b471dc7c47a5e0c340cf79927

SHA512
39dd027b776c9665b04770e4ad09ca729b0bc7ecfcf20129caf9bf8d5aa500ac6f9523769a81dbf6e30fc6d90550664f11fb177f10822dfccffb84ddf990e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\57og-wpe.cmdline

Filesize
138B

MD5
0279b0fd937fe7c859340ae171e38399

SHA1
f6c6a2e5a9b3f637daf34170f3466478b3a75e5d

SHA256
c570212809b1804c0bf15afc1e4c3a18aa01ab0bcd080d8b65e47376c1818b61

SHA512
af1596913186745c32ea0c07bb514e9f31e9328b9d5504852cd96260674767028331df2dbe0d77e2f4960e68abefc6ba24330a130503740e868b5e2cadb1b556

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE0DA.tmp

Filesize
1KB

MD5
4342e827163c924d2db1b98e36b9b5ab

SHA1
d6a21a1e1deca676d7f52d4373c6af13a440400a

SHA256
64450de97bc594b7316821809db020aba1504fc8b978669050ea63e6ce81b2b0

SHA512
501853a20db621cbb6c1efb5d0383053221cb07eb1ef1f4ba64e4d16c811dea7309a1be6d8ac9e60909ce3535289065f60acbda941e0168d447c63b48b36457d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE2DE.tmp

Filesize
1KB

MD5
7c74beb4bea4615876968017f1fa4ddb

SHA1
9ae00aa53ac336dc4c0f966500c71684b35db4e1

SHA256
6c4ef45c44028acb3a28c19a2e622e44cc0bd91ce04df055f3be412d95f1e43d

SHA512
00816138e7d7c212a26a9151ed1f914514b99c801858e0add77a7fd95c72a7e7b6fa3bf2148ff79cb7041739664f58a26cd6f01140bc43f0388db789d24d72fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE937.tmp

Filesize
1KB

MD5
3459028381a347d5901bf49a17d779da

SHA1
2f58d877d14e88e138cac1c036fe3ddf05bdc37f

SHA256
56f4bf58b1899d14b8a0743cf30e50f5770effc322d706ad95ef65e22892e3f1

SHA512
e2f6f04099e050f56f7a4f533f4c25e08c10f377d1d06ca99891b079ff57f375b0e9c9c4f5a65df477eb54dc81dd5388ce604e92a7df05b8a807e25fe59dd9b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEF42.tmp

Filesize
1KB

MD5
edfb3157f77f751d88260abe74c6c374

SHA1
70d5048591e3dfb5c2df037221d12a0d9f14e3c6

SHA256
4805fda4f819b5d84ecd54c12eb83deda25be9c92a3599e43e065fc5c65a9f15

SHA512
db34c1272b67ba14cc8eb669089a9f1aa88efca5d0459ef9887c008f03eee02809866598cd53e36044e081dc590c5acb37586487a9aff0a2e07d9dd15f789df5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF117.tmp

Filesize
1KB

MD5
a5c27c5e87e7df012e76f62fa8384355

SHA1
aecce46f913e712551b17ed9a2b0bd05d5d42cf5

SHA256
f4f8f4cb1bbf898e765fd20ae87bb074b7c668b62eb9115ae4dedd8bb53395a0

SHA512
4a47d0b357e0cb064da28da1d4a99582d3aa6690a055283dba264937ced29339a082c84ca4c01331b89feae431a2c3c7586e84dce36f059edd57437f12eb4638

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfvj_vt2.0.vb

Filesize
104KB

MD5
d1e62009e817e620fff3f6bb21139c2b

SHA1
8d3ada7ae4a4fa648db961f9ba65bd74e68750d3

SHA256
9b01960cb2f6af89f669714c7c57dc039cb3058e5db3034d173cb0aa0b6205f3

SHA512
b460b675796cc79115729e263de8f50415b6fd307823928320050bf69c8d85270675626b82ea03bc543f3007b2d068bfac25a2053d9074c91a5f73837b6cbccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfvj_vt2.cmdline

Filesize
138B

MD5
6c32952342ba34b96fc234f3ed167900

SHA1
6d461da5dc2bb4adc9bbe2e07cb99908e726b634

SHA256
e3cd1c91f4e07967b148e68e242509dda97c3f4fe64792693626afe468752003

SHA512
86411bcf37ec94afbfc46a75d9c62148cac35c4d2ff370e635ff7c61f6da914dd6c1884c3b2335674b665bfaf0f5854a45a393bbb54f4fde79a0d87b3a6e2f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfvj_vt2.dll

Filesize
220KB

MD5
c534d56aa7acedfe514688ce74625288

SHA1
0032b597baf93088b80d210bd4abed4251a33cff

SHA256
ca667fbcb686ac254e406b24fee74fec14a84c952543f5ba998eddea76a82d08

SHA512
c1ee1e9d47a9aa34f3e002264b49547819ddfcbabaceb62d0c12f652e42227d3936073957d9bd240b029a58b5e2cbe6518bcee23068a6abf0c4f886ae9560b44

Download Submit
C:\Users\Admin\AppData\Local\Temp\k6qgo3xt.0.vb

Filesize
362KB

MD5
e8b2625fcda39a8e9ad84f2741287b03

SHA1
01157cd39ddf823f33d6c496adf5d8ebfd6b245e

SHA256
15a1e48526600daec1caaac801f407524690cc1b471dc7c47a5e0c340cf79927

SHA512
39dd027b776c9665b04770e4ad09ca729b0bc7ecfcf20129caf9bf8d5aa500ac6f9523769a81dbf6e30fc6d90550664f11fb177f10822dfccffb84ddf990e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\k6qgo3xt.cmdline

Filesize
138B

MD5
174460e63f6177581ebaee9354b199c9

SHA1
380eefc5944011db52ba1f5275d4de555e08f794

SHA256
6472e75bf67aa3c381082b2ccc88b76bad15a1d94042aac19280ddc39ed92cf4

SHA512
f6636ca9f2e71220caa3dc8fce6b0fb84bc40d300602e144656362e6a75c10654469f108d31a534b7246fb2b5b2a06d9b0e580fb4800b4db3e85d2d556e22cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\k6qgo3xt.dll

Filesize
736KB

MD5
839887938bd5ce6db57973685048fd65

SHA1
76d6369576df278afaea95a2daa85ac6c3cb216f

SHA256
b8798e3ce78cec4e97be1c37f8ad214f174d74d1a5cc41771a7165d531894e3d

SHA512
b5a5d77ce3a745efb5afcb98076ab5b5fcfaf0d470f81abf0a37a81eadc3853027e967c23c484040591ca90e96e1e84174488e902ecfce9592fba3c131b85d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mm8rgld6.0.vb

Filesize
362KB

MD5
e8b2625fcda39a8e9ad84f2741287b03

SHA1
01157cd39ddf823f33d6c496adf5d8ebfd6b245e

SHA256
15a1e48526600daec1caaac801f407524690cc1b471dc7c47a5e0c340cf79927

SHA512
39dd027b776c9665b04770e4ad09ca729b0bc7ecfcf20129caf9bf8d5aa500ac6f9523769a81dbf6e30fc6d90550664f11fb177f10822dfccffb84ddf990e524

Download Submit
C:\Users\Admin\AppData\Local\Temp\mm8rgld6.cmdline

Filesize
138B

MD5
66bbcd4f241b5cf68e91cbec2f271803

SHA1
4d6bae058271755692f679f4b5b9acade8fc2ba6

SHA256
4547d7ce46c5e8dffc16634821e0187ad4ffe0b4ab66bff5abd84a9a1956e39e

SHA512
2b5d4bc89e3cbeb4988e382bd0af3ddcbd39c723768b3c860e019cae9ea2da61be7182442095fa82246117208c1d0b336d44d2d0bc2bcde8e27fb203c03d4ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mm8rgld6.dll

Filesize
736KB

MD5
6ea45fb2357e05d4a4e4b8b3df0dd6d1

SHA1
b75d823ff9e920ab43212ec2a4fd7d409936976e

SHA256
e87a01f1a557ba9dbe58d104bc41b9409f070033f106a4684941abb978e01109

SHA512
aa753c912512eaa6211582d19f6d98602471400de5e35385a21798fc564cf005698636beb4f87929e941f478006025809c46484512b7e62634ea2d6516dc8d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxzhsism.0.vb

Filesize
104KB

MD5
d1e62009e817e620fff3f6bb21139c2b

SHA1
8d3ada7ae4a4fa648db961f9ba65bd74e68750d3

SHA256
9b01960cb2f6af89f669714c7c57dc039cb3058e5db3034d173cb0aa0b6205f3

SHA512
b460b675796cc79115729e263de8f50415b6fd307823928320050bf69c8d85270675626b82ea03bc543f3007b2d068bfac25a2053d9074c91a5f73837b6cbccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\oxzhsism.cmdline

Filesize
138B

MD5
d792104722c9421657c33a60a39cd697

SHA1
be0fc53a009d003df4a9f41510e9f3906880b0fb

SHA256
1711021027b1a4238804b15e4d2255bb4ee24361788fa3ca5d9b883eb7eed354

SHA512
ea2d8371d34dbb93d879fcb98eea15faaff6deaef3e7afaa163fe8539239df1c51a69063bea7181e93804df8b043733e7861eab4658ce763f1bcf3d5b45c38bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc121C0EC0F4B544F383CA142297EBB1A3.TMP

Filesize
652B

MD5
50e3db59e7c8589f7ba2961738120f77

SHA1
9502e0b99a2287910aa1b469b1eecf362296b265

SHA256
a376f56bd963811596f2bd027727ccfe4fc21a96fdc344ab846033a42f160101

SHA512
3b877f78012b900c739fc0c62e9b679b3c42b888b06a05a72db3c2d3168e1d748b7934199893858334d999a74ffbed990784b21369a77a6e121ecde06cb3e430

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc33E1E67AF7874560BD3CE58D6A5CDDA.TMP

Filesize
652B

MD5
b743a1572760d946739cfc6c381953df

SHA1
fbdfe0168afea0053b235495c706429ad713373d

SHA256
77afbf7c54741df087011eba77fdb07c43c45980be4b152e038d6d3ac39ebfe3

SHA512
3d79177fe597a2fc76862fe48022b409b83414bebfe6fec4d73ba18f6d7c43ce4fb9147cc092c9eda6e8aae7dabe8d517e083498b3ce2b369ce79451febf9240

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc9F3E2F70A51D44B0A2EFEF798AF691D.TMP

Filesize
652B

MD5
4f5520e66986a08cabdd84a376b848c9

SHA1
34087a08f52eac9e8613a3c2c02cfb7ad809fdc6

SHA256
83b8aa3e4d3773aeed136c0cfcdc92b3a91b7ec742a771181c085a91b3b54199

SHA512
9a32613f1197603499f54939fb01d6903b67a8760835e9863135185e547cd905b8260b013fe1d15364c1e5e22bb14aa4230dce3e14ab48ea8515192374ef6817

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA2212091C1E747358F912CDCB48836EF.TMP

Filesize
652B

MD5
41c77ee4a8da6f94c3f578175abb9fc1

SHA1
2b693c5f352b658a31a0743864c9bf887f3e1e7c

SHA256
7b840bf2c1ad5afd0de42f5093a6a543195dd44add791817f4e18d0c626fa4d3

SHA512
be8dac6c818771d7ecfbb0b4f2f63aad2c86e8da5d03be0462f6121b470cd47bbde12064b3eae3f7363af19b96c82a4ca1a569632f482629f7f188590356c7d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcD9AB4EBDF7004EDE9523B436D920F7BB.TMP

Filesize
652B

MD5
2f46d5d4c633574c1202a83f9b35419c

SHA1
a854804e62f01177379d65aa7bb03274a302087e

SHA256
ca2153e7b033addbfefb4cfcc324a8f6f184bf048a6d7cb96bdce86c8b2df2a2

SHA512
5c866980033eeebd2d92b70ed26a5c9d240dc394eaf211df88429caf8c06b451020886920a4898ed7e6b9b5a175d2218a056f01215d3f4512f80bdaa51569d8f

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
C:\Users\Admin\AppData\Roaming\temp.exe

Filesize
268KB

MD5
0cce1cf312fbd068c5cbba9cc44e7ded

SHA1
c9d617774212a8e7b4995da3378b3ca502a5e85d

SHA256
ae2e042575b5a9eb145e76d3c791e8e1ddb67dfd803e7d9b17f032e8e6012914

SHA512
e768ef2a915607d6118a3ed91189aca3af5fd17f16624911986672672334f86ba6b0a18c7c3d20fb186fa3c609dfea2c0cfad77d639f0964243cb2e429c4c0c6

Download Submit
memory/1692-141-0x0000000000000000-mapping.dmp

Download
memory/1888-146-0x0000000000000000-mapping.dmp

Download
memory/1940-175-0x0000000000000000-mapping.dmp

Download
memory/2092-164-0x0000000000000000-mapping.dmp

Download
memory/2168-133-0x0000000000000000-mapping.dmp

Download
memory/2224-173-0x0000000000000000-mapping.dmp

Download
memory/2664-172-0x0000000000000000-mapping.dmp

Download
memory/2800-170-0x00007FFD8B2C0000-0x00007FFD8BCF6000-memory.dmp

Filesize
10.2MB

Download
memory/2800-167-0x0000000000000000-mapping.dmp

Download
memory/2864-155-0x0000000000000000-mapping.dmp

Download
memory/2864-160-0x00007FFD8B2C0000-0x00007FFD8BCF6000-memory.dmp

Filesize
10.2MB

Download
memory/2888-179-0x0000000000000000-mapping.dmp

Download
memory/3552-140-0x0000000000000000-mapping.dmp

Download
memory/4204-132-0x00007FFD8B2C0000-0x00007FFD8BCF6000-memory.dmp

Filesize
10.2MB

Download
memory/4228-152-0x0000000000000000-mapping.dmp

Download
memory/4228-153-0x00007FFD8B2C0000-0x00007FFD8BCF6000-memory.dmp

Filesize
10.2MB

Download
memory/4248-163-0x0000000000000000-mapping.dmp

Download
memory/4564-154-0x0000000000000000-mapping.dmp

Download
memory/4600-142-0x0000000000000000-mapping.dmp

Download
memory/4660-161-0x0000000000000000-mapping.dmp

Download
memory/5080-134-0x0000000000000000-mapping.dmp

Download
memory/5080-138-0x00007FFD8B2C0000-0x00007FFD8BCF6000-memory.dmp

Filesize
10.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads