ed0e71d2830dca4a177ca15f4201d3a7ce24e1c895bc1bc1473384798c0626df

Analysis

max time kernel
124s
max time network
150s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
26/12/2022, 22:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Variant.Cerbu.153670.5493.22103.exe
Size

1019KB
MD5

99b88e9277ff6f32113f65e3b0c6988c
SHA1

62b9017372aaae426eff41a1238cf1a95ed0f7b0
SHA256

ed0e71d2830dca4a177ca15f4201d3a7ce24e1c895bc1bc1473384798c0626df
SHA512

7d7421cef79288e8e8a37ff14b32f38f8794f04a50bbac5e64c6fb6a9eec640690de9a8c66dcb7594c8855bd36ec593427f577f8d3fa511c7991e5b956c135a0
SSDEEP

24576:OgDFR9uKh5CHus+YhHFUV8mNY5iJ+MDLS3p6dRD+/EN:OgDFaKLCHus+Yhlk8mNYQJtDLcad+

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
2	1228	rundll32.exe
5	1228	rundll32.exe
9	1228	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpmap\Parameters\ServiceDll = "C:\\Program Files (x86)\\Google\\Temp\\helpmap.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\helpmap\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 2 IoCs

pid	Process
1228	rundll32.exe
904	svchost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1228 set thread context of 1680	1228	rundll32.exe	31

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\ZX______.PFB	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\ZX______.PFB	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\cryptocme2.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can03.ths	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\icucnv36.dll	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\ICELAND.TXT	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\review_shared.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\can03.ths	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_sent.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\drvDX8.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\CMap\Identity-V	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\ended_review_or_form.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\reviews_sent.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\ENUtxt.pdf	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\drvDX8.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_shared.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\cryptocme2.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.STP	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Identity-V	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\create_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\icucnv36.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\ended_review_or_form.gif	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\AcroSign.prc	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\helpmap.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroSign.prc	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\CP1250.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\create_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\CP1250.TXT	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\Dynamic.pdf	rundll32.exe
File created	C:\Program Files (x86)\Google\Temp\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\ICELAND.TXT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\ENUtxt.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1228	rundll32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1680	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 1228	1232	SecuriteInfo.com.Variant.Cerbu.153670.5493.22103.exe	28
PID 1232 wrote to memory of 1228	1232	SecuriteInfo.com.Variant.Cerbu.153670.5493.22103.exe	28
PID 1232 wrote to memory of 1228	1232	SecuriteInfo.com.Variant.Cerbu.153670.5493.22103.exe	28
PID 1232 wrote to memory of 1228	1232	SecuriteInfo.com.Variant.Cerbu.153670.5493.22103.exe	28
PID 1232 wrote to memory of 1228	1232	SecuriteInfo.com.Variant.Cerbu.153670.5493.22103.exe	28
PID 1232 wrote to memory of 1228	1232	SecuriteInfo.com.Variant.Cerbu.153670.5493.22103.exe	28
PID 1232 wrote to memory of 1228	1232	SecuriteInfo.com.Variant.Cerbu.153670.5493.22103.exe	28
PID 1228 wrote to memory of 1680	1228	rundll32.exe	31
PID 1228 wrote to memory of 1680	1228	rundll32.exe	31
PID 1228 wrote to memory of 1680	1228	rundll32.exe	31
PID 1228 wrote to memory of 1680	1228	rundll32.exe	31
PID 1228 wrote to memory of 1680	1228	rundll32.exe	31

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Cerbu.153670.5493.22103.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Cerbu.153670.5493.22103.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp",Dioeeedresq
  2⤵
  - Blocklisted process makes network request
  - Sets DLL path for service in the registry
  - Sets service image path in registry
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14020
    3⤵
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1680
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1932
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
    3⤵
    PID:1612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
PID:904
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\google\temp\helpmap.dll",XQZX
  2⤵
  PID:608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Default Programs.lnk

Filesize
1KB

MD5
168cef91b7fc013ee7ed16b8507aa29a

SHA1
7f3d736b8a7af4e125b535e4a565c94b4f913451

SHA256
7121cc4f24245fbdcf8d08ec8c4bae5af0563f795ae0c6494248f0a7b74d4fb2

SHA512
03899faaec47a13cf54f6ee06ef05da112c2c433b4f8c65a5f2a3c5d9d33cb7c33dfeecf3040c83b7ce74d2206e44175028e013c0425e10479c0e7ab59e2f4a7

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Help_MKWD_AssetId.H1W

Filesize
229KB

MD5
c0ff478794c0e0e95c04332036782234

SHA1
05187b9381ac1df0ae1ab4a8746f3a4d8ed8f06a

SHA256
a206d8c382ef5fc79f1cc6e542d4cb8cb0f81d494d3b69a21cca5e203d342ceb

SHA512
f9e18b2cbe45eb31c9a13253dbd730791ec35c823a227bb5067cba45c19e205e65238d97ce1683536271bf7e320744b88b33ff8134c9cd832535e43cc845f36c

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Help_MValidator.H1D

Filesize
14KB

MD5
b226a4b59c83ba36c282168c77a096fa

SHA1
0a4d68225f1426ed3a701fd96756e4a124c3e6b5

SHA256
dbf511e2d1d02fc2fd7b3ff1dae076adacb5e360eb7f8fc590226c267e04c821

SHA512
bd97740b97d441e0f303b49e62bbc6f0d8e2dcb85f56173dcc82e02c082eb3cf1c0014bf1a876c2db408e995287e94241653e37deadf06dee08de7415ee176e7

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Help_MValidator.Lck

Filesize
4B

MD5
b485167c5b0e59d47009a16f90fe2659

SHA1
891ebccd5baa32daed16fb5a0825ca7a4464931f

SHA256
db44b8db4f05d720ef1a57abadeed0c164d47b17416c7dd7d136d8f10fba91c9

SHA512
665e3fcbd83b7876dd1dc7f34fadd8669debdfab8962bdce3b72b08139a75ef157c4f4c3b90ea9c1f20637bb4f2a29091d9186987d22c7d23428a2e7ccf80bd4

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\Ieohspdwyru.tmp

Filesize
3.5MB

MD5
d41df43f4b1285c23dd4688571477e3d

SHA1
2ad63808f68bd92fa2ab9f2b9324c234026abd01

SHA256
80de3fb32f87c3c6cdb6c5591003ce6bb22abc375dc78aed54da9b2de283fed9

SHA512
a3ce234a55efbda73c4186ecf0f825630cacdc675312d4352d9b5d9c3cfa98f8c3b0499cbdd0beb53233d7bd3cb9646e9d63e81378c8996b319ffacb3745a635

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\NetworkProjection.lnk

Filesize
1KB

MD5
e059a83baf697687b223de69b45b2560

SHA1
a48aed37088ef37e387968b1ae4299c52cc674a1

SHA256
76c095797d523a235440457491d6722693ca1b202995a62508d10c3fd174ce54

SHA512
940350152e097bcbc0b3725c2eacc95f0ef69a639b05452ec3143453220230350ba9f79577e7e96d947adb749abb779599395e8bfb8260ba6a537653f7f8d0ff

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\PPINTL.DLL.trx_dll

Filesize
52KB

MD5
c4591860219b59bd82e6ef4c7f8b6e15

SHA1
c049bcc5100c0d2f1805595ad2d47ca80bd22dad

SHA256
6215e1e98c7b4b001f44c49abedef57188001c560439c99fdb510534a985dd25

SHA512
eb21690e0d2f5bc6d8e78da614f6ff3ce781a9e6a3fd420cbfd7638c0d86cb4f792ea6c2c0dc3f21235889720b3842737e7ad7f77dff523c1eff2e97e7c2d5fc

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\PPINTL.REST.trx_dll

Filesize
269KB

MD5
39d7c0a8e025799ef3d2ff41d31be795

SHA1
75ae501fc62565b62dc09634c9e062b2a53e963d

SHA256
02873b34e4873df5ee75a3c42a8742450d738fdbc7896a86e71c060585c9a667

SHA512
9bba01123b80ee7cf68555fd289a4a046a9cd79938026b19ccb56a6887073977b6c8b3d1061a6c4ac8297988bf41ee6c6c4adda6f132632e78b9b16e2c4438c8

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\System Information.lnk

Filesize
1KB

MD5
b1335d7e252d1146cad8030fa46e7d1c

SHA1
f947c673668bcd6767ec72b12b92ba759d8a57ba

SHA256
45f55a11d28d7c2274470ef84f1c17d0ac775a359a190d43fb8d58e37b8dbc7c

SHA512
3d69c030e15fe3c6b466af0462596eb0764b5b505c0ba0ee347608a5a8ad6c22e46e86170bfb5036b0d47839691d00d365f2636afd23548f9d2ea6d7c6119c9e

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\VISBRRES.DLL.trx_dll

Filesize
26KB

MD5
3a408c2eebe2fa62a2f6f23ffcab7648

SHA1
e209d2553d03bc53e21c4f1d2ff3acb25456ca90

SHA256
ef7afbdabb33f09d9f13024176dc11cea6eaa08433ed9304a48fba6fcf53945d

SHA512
d6f23c7539aa71cb2a59fd057214badf26bc17c06cf8b2801d495e0cd0c49149c9e4136ae6257cbd0ae44be8241e705835326ec5ac2a9a11e33f51bbb4cd4f86

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\XLSLICER.DLL.trx_dll

Filesize
14KB

MD5
63d806c555088e6f1589d09a986fdbc5

SHA1
83642f4af4c12ca89b66b2f3c2310c873cf98694

SHA256
084c3b577d59fa3ec200c097cdba5d0aab99c015b350aec438f44e9322c6b54c

SHA512
e31ae6cd0595731e1057a5d736ef735cb8be2bb420b35f6793f329c6baf81c24f854f742a80dea97d9be3c0724288fa2a0f1d608f5bfcce757343d5e55c02d9d

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\netfol.ico

Filesize
28KB

MD5
3fa8c6dc1f72c3f9f8670a3e236459f2

SHA1
fcca30e9c5f861ac907150c76ca5f2174d214b7b

SHA256
dca1bd2f368d6165695ac6f48239722b9d38226bef45764a0076bbfa184cb0a7

SHA512
af6654f32cf0638204293e0117ff43e59f68537e391d3f4b1c7758632767eaa474d7cb44f3b4b7f9ba6cdefda9ec9368cf07814aed4e79949001bd44ede262ec

Download Submit
C:\ProgramData\{0222BCDE-1250-CD5F-F334-C7FEF4A3D675}\usertile35.bmp

Filesize
48KB

MD5
c8d351bf2848d70bacc8c54aebe5ce0a

SHA1
f3e4789442f2bf6f76a03d2462bcdc26e9efc78e

SHA256
b0c2252a53340d411dab77569089953661edf4bbb0e87c2b4b7ab792adc9818f

SHA512
18461905567ed2e40fa29dd7ab1d6a485e0896c8860180286f5524cb4fcc75890b3dcd785163f962b2e3819f9c4bd62d353feb8ba1ba67f73011ec4b42eb2ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
\??\c:\program files (x86)\google\temp\helpmap.dll

Filesize
792KB

MD5
1df5be6136f0468a64970dc0a9557731

SHA1
23ae0b2b1f163d55d56c94d00b39b0a83698939f

SHA256
f3ac4e6c767261dcf853c7f72d7657b37c3bab357de2d51b1a20d04fa490c110

SHA512
873d3207eb391f18f43a19d8494faeb8ba66afaf6f176c5b83e019062837421eb1a0cfa3f24b28f8c830c2a9124f1ee6f486202fceed7bbd1634f6cd2f376f34

Download Submit
\Program Files (x86)\Google\Temp\helpmap.dll

Filesize
792KB

MD5
1df5be6136f0468a64970dc0a9557731

SHA1
23ae0b2b1f163d55d56c94d00b39b0a83698939f

SHA256
f3ac4e6c767261dcf853c7f72d7657b37c3bab357de2d51b1a20d04fa490c110

SHA512
873d3207eb391f18f43a19d8494faeb8ba66afaf6f176c5b83e019062837421eb1a0cfa3f24b28f8c830c2a9124f1ee6f486202fceed7bbd1634f6cd2f376f34

Download Submit
\Program Files (x86)\Google\Temp\helpmap.dll

Filesize
792KB

MD5
1df5be6136f0468a64970dc0a9557731

SHA1
23ae0b2b1f163d55d56c94d00b39b0a83698939f

SHA256
f3ac4e6c767261dcf853c7f72d7657b37c3bab357de2d51b1a20d04fa490c110

SHA512
873d3207eb391f18f43a19d8494faeb8ba66afaf6f176c5b83e019062837421eb1a0cfa3f24b28f8c830c2a9124f1ee6f486202fceed7bbd1634f6cd2f376f34

Download Submit
\Program Files (x86)\Google\Temp\helpmap.dll

Filesize
792KB

MD5
1df5be6136f0468a64970dc0a9557731

SHA1
23ae0b2b1f163d55d56c94d00b39b0a83698939f

SHA256
f3ac4e6c767261dcf853c7f72d7657b37c3bab357de2d51b1a20d04fa490c110

SHA512
873d3207eb391f18f43a19d8494faeb8ba66afaf6f176c5b83e019062837421eb1a0cfa3f24b28f8c830c2a9124f1ee6f486202fceed7bbd1634f6cd2f376f34

Download Submit
\Program Files (x86)\Google\Temp\helpmap.dll

Filesize
792KB

MD5
1df5be6136f0468a64970dc0a9557731

SHA1
23ae0b2b1f163d55d56c94d00b39b0a83698939f

SHA256
f3ac4e6c767261dcf853c7f72d7657b37c3bab357de2d51b1a20d04fa490c110

SHA512
873d3207eb391f18f43a19d8494faeb8ba66afaf6f176c5b83e019062837421eb1a0cfa3f24b28f8c830c2a9124f1ee6f486202fceed7bbd1634f6cd2f376f34

Download Submit
\Program Files (x86)\Google\Temp\helpmap.dll

Filesize
792KB

MD5
1df5be6136f0468a64970dc0a9557731

SHA1
23ae0b2b1f163d55d56c94d00b39b0a83698939f

SHA256
f3ac4e6c767261dcf853c7f72d7657b37c3bab357de2d51b1a20d04fa490c110

SHA512
873d3207eb391f18f43a19d8494faeb8ba66afaf6f176c5b83e019062837421eb1a0cfa3f24b28f8c830c2a9124f1ee6f486202fceed7bbd1634f6cd2f376f34

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Users\Admin\AppData\Local\Temp\Qfyshwqueqdpai.tmp

Filesize
792KB

MD5
822d3ead416a1a85cb96e65f65cd5ae2

SHA1
af32b69e2835d1cacdadb97ae6dfafccc32d1837

SHA256
72bdb3a06dca8458ac9aedf06785b2d7b95a19f8b9f3f8f5be2eb4744e9c5d1d

SHA512
48d0d61efd51fd2d8eb04d990b4a5b3ca34c916199d3b0a3b135d2089e028ee37f5145e4705fb75da77eaabbe12f8c4ea55775a41e1b1c68a90ce68b8c2a7260

Download Submit
memory/608-107-0x0000000004280000-0x0000000004DDD000-memory.dmp

Filesize
11.4MB

Download
memory/608-110-0x0000000004280000-0x0000000004DDD000-memory.dmp

Filesize
11.4MB

Download
memory/608-111-0x0000000004280000-0x0000000004DDD000-memory.dmp

Filesize
11.4MB

Download
memory/904-86-0x0000000004320000-0x0000000004E7D000-memory.dmp

Filesize
11.4MB

Download
memory/904-88-0x0000000004320000-0x0000000004E7D000-memory.dmp

Filesize
11.4MB

Download
memory/904-117-0x0000000004320000-0x0000000004E7D000-memory.dmp

Filesize
11.4MB

Download
memory/904-108-0x0000000004320000-0x0000000004E7D000-memory.dmp

Filesize
11.4MB

Download
memory/1228-65-0x0000000004C30000-0x000000000578D000-memory.dmp

Filesize
11.4MB

Download
memory/1228-63-0x0000000004C30000-0x000000000578D000-memory.dmp

Filesize
11.4MB

Download
memory/1228-68-0x0000000004510000-0x0000000004650000-memory.dmp

Filesize
1.2MB

Download
memory/1228-81-0x0000000004C30000-0x000000000578D000-memory.dmp

Filesize
11.4MB

Download
memory/1228-73-0x0000000004510000-0x0000000004650000-memory.dmp

Filesize
1.2MB

Download
memory/1228-66-0x0000000004C30000-0x000000000578D000-memory.dmp

Filesize
11.4MB

Download
memory/1228-74-0x0000000004510000-0x0000000004650000-memory.dmp

Filesize
1.2MB

Download
memory/1228-72-0x0000000004750000-0x0000000004890000-memory.dmp

Filesize
1.2MB

Download
memory/1228-67-0x0000000004510000-0x0000000004650000-memory.dmp

Filesize
1.2MB

Download
memory/1228-69-0x0000000004750000-0x0000000004890000-memory.dmp

Filesize
1.2MB

Download
memory/1232-59-0x0000000001F00000-0x0000000002011000-memory.dmp

Filesize
1.1MB

Download
memory/1232-60-0x0000000000400000-0x0000000000523000-memory.dmp

Filesize
1.1MB

Download
memory/1232-54-0x0000000001D60000-0x0000000001E36000-memory.dmp

Filesize
856KB

Download
memory/1232-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1232-57-0x0000000001D60000-0x0000000001E36000-memory.dmp

Filesize
856KB

Download
memory/1680-76-0x0000000002360000-0x00000000024A0000-memory.dmp

Filesize
1.2MB

Download
memory/1680-80-0x00000000020B0000-0x000000000235E000-memory.dmp

Filesize
2.7MB

Download
memory/1680-78-0x0000000000240000-0x00000000004DC000-memory.dmp

Filesize
2.6MB

Download
memory/1680-79-0x000007FEFB9C1000-0x000007FEFB9C3000-memory.dmp

Filesize
8KB

Download
memory/1680-70-0x0000000000240000-0x00000000004DC000-memory.dmp

Filesize
2.6MB

Download
memory/1680-77-0x0000000002360000-0x00000000024A0000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads