d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7

Analysis

max time kernel
72s
max time network
89s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
14-11-2023 19:07

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe
Size

6.5MB
MD5

70122224b1c86d872233c6ca0b690fe5
SHA1

e682b4037538ef9eb3e9b7fbabf94a6856de0620
SHA256

d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7
SHA512

fc7b8542554bd0b2cdd19d24fe5a22d3407ac06068ba22621d0f38be0b6d628e7250d6bef8bdebdb38ac81934059bd5fd6ea359361596b7133c7aece05260d4d
SSDEEP

98304:GbHBJM8U9VfiDqJw59FBSD3Xv7A7rNJQeKBddwWLObUChI78n+S73j3q1:GbHBi86Vq+Jw5/O07jJid7kIC+qbq1

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
62	5076	rundll32.exe
65	5076	rundll32.exe
69	5076	rundll32.exe
71	5076	rundll32.exe

Disables Task Manager via registry modification
evasion

Executes dropped EXE 8 IoCs

pid	Process
4788	LC_IP4~1.EXE
3440	LC_IP4~1.EXE
4692	LC_Ip4B.exe
4992	is171190.exe
2932	loader.exe
2744	frmwrk32.exe
3352	ETAMKR~1.EXE
4068	VG.exe

Loads dropped DLL 2 IoCs

pid	Process
4992	is171190.exe
5076	rundll32.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	LC_IP4~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	LC_IP4~1.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	LC_Ip4B.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Framework Windows = "frmwrk32.exe"	loader.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Framework Windows = "frmwrk32.exe"	frmwrk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MSServer = "rundll32.exe C:\\Windows\\system32\\hgGvtRKb.dll,#1"	rundll32.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\frmwrk32.exe	loader.exe
File opened for modification	C:\Windows\SysWOW64\frmwrk32.exe	loader.exe
File created	C:\Windows\SysWOW64\frmwrk32.exe	frmwrk32.exe
File opened for modification	C:\Windows\SysWOW64\uniq.tll	frmwrk32.exe
File opened for modification	C:\Windows\SysWOW64\hgGvtRKb.dll	is171190.exe
File created	C:\Windows\SysWOW64\hgGvtRKb.dll	is171190.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\2229298842\1834721596.pri	LogonUI.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4604	3352	WerFault.exe	109
4572	3352	WerFault.exe	109

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000022e3a-84.dat	nsis_installer_1
behavioral2/files/0x0007000000022e3a-84.dat	nsis_installer_2

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "167"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ = "C:\\Windows\\SysWow64\\hgGvtRKb.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}\InprocServer32\ThreadingModel = "Both"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}	rundll32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4992	is171190.exe
4992	is171190.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe
5076	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4992	is171190.exe
Token: SeShutdownPrivilege	3440	LC_IP4~1.EXE

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2744	frmwrk32.exe
2744	frmwrk32.exe
2744	frmwrk32.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2744	frmwrk32.exe
2744	frmwrk32.exe
2744	frmwrk32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4992	is171190.exe
4696	LogonUI.exe
4696	LogonUI.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3992 wrote to memory of 4788	3992	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe	89
PID 3992 wrote to memory of 4788	3992	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe	89
PID 3992 wrote to memory of 4788	3992	d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe	89
PID 4788 wrote to memory of 3440	4788	LC_IP4~1.EXE	90
PID 4788 wrote to memory of 3440	4788	LC_IP4~1.EXE	90
PID 4788 wrote to memory of 3440	4788	LC_IP4~1.EXE	90
PID 3440 wrote to memory of 4692	3440	LC_IP4~1.EXE	91
PID 3440 wrote to memory of 4692	3440	LC_IP4~1.EXE	91
PID 3440 wrote to memory of 4692	3440	LC_IP4~1.EXE	91
PID 4692 wrote to memory of 4992	4692	LC_Ip4B.exe	92
PID 4692 wrote to memory of 4992	4692	LC_Ip4B.exe	92
PID 4692 wrote to memory of 4992	4692	LC_Ip4B.exe	92
PID 4992 wrote to memory of 616	4992	is171190.exe	5
PID 4992 wrote to memory of 5076	4992	is171190.exe	103
PID 4992 wrote to memory of 5076	4992	is171190.exe	103
PID 4992 wrote to memory of 5076	4992	is171190.exe	103
PID 4992 wrote to memory of 4548	4992	is171190.exe	104
PID 4992 wrote to memory of 4548	4992	is171190.exe	104
PID 4992 wrote to memory of 4548	4992	is171190.exe	104
PID 4692 wrote to memory of 2932	4692	LC_Ip4B.exe	106
PID 4692 wrote to memory of 2932	4692	LC_Ip4B.exe	106
PID 4692 wrote to memory of 2932	4692	LC_Ip4B.exe	106
PID 2932 wrote to memory of 2744	2932	loader.exe	108
PID 2932 wrote to memory of 2744	2932	loader.exe	108
PID 2932 wrote to memory of 2744	2932	loader.exe	108
PID 3440 wrote to memory of 3352	3440	LC_IP4~1.EXE	109
PID 3440 wrote to memory of 3352	3440	LC_IP4~1.EXE	109
PID 3440 wrote to memory of 3352	3440	LC_IP4~1.EXE	109
PID 3352 wrote to memory of 4604	3352	ETAMKR~1.EXE	111
PID 3352 wrote to memory of 4604	3352	ETAMKR~1.EXE	111
PID 3352 wrote to memory of 4604	3352	ETAMKR~1.EXE	111

System policy modification 1 TTPs 5 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper = "1"	frmwrk32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges = "1"	frmwrk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	frmwrk32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop = "1"	frmwrk32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop	frmwrk32.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x4 /state0:0xa395b055 /state1:0x41c64e6d
  2⤵
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:4696

C:\Users\Admin\AppData\Local\Temp\d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe
"C:\Users\Admin\AppData\Local\Temp\d056c418568dd86d47c90501a8720138235ebb34c22e59e37efce00635930ce7.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC_IP4~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC_IP4~1.EXE
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:4788
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC_IP4~1.EXE
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC_IP4~1.EXE
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LC_Ip4B.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LC_Ip4B.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4992
      - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32.exe C:\Windows\system32\hgGvtRKb.dll,a
        6⤵
        Blocklisted process makes network request
        Loads dropped DLL
        Adds Run key to start application
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:5076
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yaywtQkK.bat "C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe"
        6⤵
        
        PID:4548
    - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\loader.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\loader.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\SysWOW64\frmwrk32.exe
        
        C:\Windows\system32\frmwrk32.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        System policy modification
        
        PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ETAMKR~1.EXE
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ETAMKR~1.EXE
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3352
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 296
        5⤵
        Program crash
        
        PID:4604
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3352 -s 296
        5⤵
        Program crash
        
        PID:4572
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VG.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VG.exe
    3⤵
    - Executes dropped EXE
    PID:4068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3352 -ip 3352
1⤵
PID:3520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC_IP4~1.EXE

Filesize
6.2MB

MD5
14b230502ed188d8f01a8cc900558809

SHA1
e38ff71881b1f01a17fb85e4df372d163f352dea

SHA256
e10e652b82af328350e830e4fb5160a25866aff99c32fff273d3b427f5c88ef1

SHA512
ea0b94ee54b6c682ad61f9754297e1fbdd6030c2f8636c15e4b47c48d0d25ba1fffbdaf5fec784705a5848fead0faa997a9d6f4be46f1f8ee56492e7541a8b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC_IP4~1.EXE

Filesize
6.2MB

MD5
14b230502ed188d8f01a8cc900558809

SHA1
e38ff71881b1f01a17fb85e4df372d163f352dea

SHA256
e10e652b82af328350e830e4fb5160a25866aff99c32fff273d3b427f5c88ef1

SHA512
ea0b94ee54b6c682ad61f9754297e1fbdd6030c2f8636c15e4b47c48d0d25ba1fffbdaf5fec784705a5848fead0faa997a9d6f4be46f1f8ee56492e7541a8b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC_IP4~1.EXE

Filesize
206KB

MD5
f1e913d6f814635d49d964a03ecabf20

SHA1
fd798d3f8dd629160735142b54849e13d527484b

SHA256
f58d736e3254d4e72a123f3dd88d624eb9a478facd63d811e6b4caf0b06f4d20

SHA512
87400c9f43fdd76806042ed044b3e4c5dd6828dad9dfdd286a9eb49d3a7721d6086f399e828d85b55783ab80f3f0c18128efb2e1879ee52b3fdc7ce7ae5c23c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\LC_IP4~1.EXE

Filesize
206KB

MD5
f1e913d6f814635d49d964a03ecabf20

SHA1
fd798d3f8dd629160735142b54849e13d527484b

SHA256
f58d736e3254d4e72a123f3dd88d624eb9a478facd63d811e6b4caf0b06f4d20

SHA512
87400c9f43fdd76806042ed044b3e4c5dd6828dad9dfdd286a9eb49d3a7721d6086f399e828d85b55783ab80f3f0c18128efb2e1879ee52b3fdc7ce7ae5c23c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\VG.exe

Filesize
6.1MB

MD5
396aca7961e82c7f03268ae34105a0ba

SHA1
4ddbf7b8b90752fbf1c743657212128c889c53c1

SHA256
98587c056f2e5afd15786df08cf805846960276a576d3e0b245b5efe853036cd

SHA512
05d1898c5994d31ae5300a8e4202d4138e305348f1e025d11043e651544900e0cd0816432661de34a3d5c1c65936ea76a8e4fd88622a39ccb88ce92d4b4a954e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ETAMKR~1.EXE

Filesize
30KB

MD5
33e7927762c502a9d0d395a56fc90343

SHA1
bbb5ceede5312def98e7d1a79cb87845a738ac90

SHA256
7f42840a386aef76f785e42922d428be6e4d80009a34433e23cb9124d3fd4fc8

SHA512
510a957c3462699932e3ede6ce667adbbecd7210a3e60a15d7b659583d4dc431a0b78c525e2b81bc2d901161f5f642daf2a8dad08239e0bbdb01e8f9c71b0414

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\ETAMKR~1.EXE

Filesize
30KB

MD5
33e7927762c502a9d0d395a56fc90343

SHA1
bbb5ceede5312def98e7d1a79cb87845a738ac90

SHA256
7f42840a386aef76f785e42922d428be6e4d80009a34433e23cb9124d3fd4fc8

SHA512
510a957c3462699932e3ede6ce667adbbecd7210a3e60a15d7b659583d4dc431a0b78c525e2b81bc2d901161f5f642daf2a8dad08239e0bbdb01e8f9c71b0414

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LC_Ip4B.exe

Filesize
153KB

MD5
4640327103deaaf70155f65cfdc3600f

SHA1
fd74dac1f8d04c89ad16d7f8bc6e6d4a601e0c9f

SHA256
c34861fbbd79c2fe10b7f0e48c50b442a8965faa6640ba11236fbe651009f9ae

SHA512
8cbd173f91734fcab16999607f72f50e383418264fca81815f802a9fc2aa90eff9df1b5a2569203ded802ab895f0cbdc7b4f262a78aa223003ad238bb1d7b161

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LC_Ip4B.exe

Filesize
153KB

MD5
4640327103deaaf70155f65cfdc3600f

SHA1
fd74dac1f8d04c89ad16d7f8bc6e6d4a601e0c9f

SHA256
c34861fbbd79c2fe10b7f0e48c50b442a8965faa6640ba11236fbe651009f9ae

SHA512
8cbd173f91734fcab16999607f72f50e383418264fca81815f802a9fc2aa90eff9df1b5a2569203ded802ab895f0cbdc7b4f262a78aa223003ad238bb1d7b161

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe

Filesize
44KB

MD5
6329af3086e3ac42ce02ab26796bc8ff

SHA1
9b3172ae0ab4f1402fbdee431f116aeaf8a06639

SHA256
c62cd9f405cbf8be071dff6ae08ea4adf27a2819f20ac7d30c08270b532c239c

SHA512
b20064ef8f8288d0563d8395d947911db434eb76aaafb8ce233af3465bc037996056c222c829944686aca404772708f1e0bf3e5dc284bf17a48a030a36a82ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\is171190.exe

Filesize
44KB

MD5
6329af3086e3ac42ce02ab26796bc8ff

SHA1
9b3172ae0ab4f1402fbdee431f116aeaf8a06639

SHA256
c62cd9f405cbf8be071dff6ae08ea4adf27a2819f20ac7d30c08270b532c239c

SHA512
b20064ef8f8288d0563d8395d947911db434eb76aaafb8ce233af3465bc037996056c222c829944686aca404772708f1e0bf3e5dc284bf17a48a030a36a82ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\loader.exe

Filesize
31KB

MD5
dc045b88b13f453e8693d46d5ad352dd

SHA1
4dba6ceb1a2c44826e9b697ee33ac6dc8701cf46

SHA256
ae34dce1adb09f31c428338e37da492cc94bbe0926e5a7ba297be72e56dfa9ef

SHA512
97366f864a59e5c592667d111031739f0d607bd333254bca26de64105ad09e92c849aa2c8bc58d0ed4b37f07b0e174117cb52ce5e272f4cb37ef239bb7347cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\loader.exe

Filesize
31KB

MD5
dc045b88b13f453e8693d46d5ad352dd

SHA1
4dba6ceb1a2c44826e9b697ee33ac6dc8701cf46

SHA256
ae34dce1adb09f31c428338e37da492cc94bbe0926e5a7ba297be72e56dfa9ef

SHA512
97366f864a59e5c592667d111031739f0d607bd333254bca26de64105ad09e92c849aa2c8bc58d0ed4b37f07b0e174117cb52ce5e272f4cb37ef239bb7347cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaywtQkK.bat

Filesize
95B

MD5
6c23ca4cc5bfb7ebf0ea477103af6c36

SHA1
6d954decee96428726444c190fafd7ace1d80e80

SHA256
3e3bb90e2310ab821f835ba58a754d293514cbba189bcb9981e72c9ec46de474

SHA512
c9cfda2bcff2933ec745bce7d1d6e4ccd2b959315271a3c54c3c86ce2af068a780798306524b9f33b338a1570fb7287738b2060c983265a4f1d55516e917f263

Download Submit
C:\Windows\SysWOW64\frmwrk32.exe

Filesize
31KB

MD5
dc045b88b13f453e8693d46d5ad352dd

SHA1
4dba6ceb1a2c44826e9b697ee33ac6dc8701cf46

SHA256
ae34dce1adb09f31c428338e37da492cc94bbe0926e5a7ba297be72e56dfa9ef

SHA512
97366f864a59e5c592667d111031739f0d607bd333254bca26de64105ad09e92c849aa2c8bc58d0ed4b37f07b0e174117cb52ce5e272f4cb37ef239bb7347cf5

Download Submit
C:\Windows\SysWOW64\frmwrk32.exe

Filesize
31KB

MD5
dc045b88b13f453e8693d46d5ad352dd

SHA1
4dba6ceb1a2c44826e9b697ee33ac6dc8701cf46

SHA256
ae34dce1adb09f31c428338e37da492cc94bbe0926e5a7ba297be72e56dfa9ef

SHA512
97366f864a59e5c592667d111031739f0d607bd333254bca26de64105ad09e92c849aa2c8bc58d0ed4b37f07b0e174117cb52ce5e272f4cb37ef239bb7347cf5

Download Submit
C:\Windows\SysWOW64\frmwrk32.exe

Filesize
31KB

MD5
dc045b88b13f453e8693d46d5ad352dd

SHA1
4dba6ceb1a2c44826e9b697ee33ac6dc8701cf46

SHA256
ae34dce1adb09f31c428338e37da492cc94bbe0926e5a7ba297be72e56dfa9ef

SHA512
97366f864a59e5c592667d111031739f0d607bd333254bca26de64105ad09e92c849aa2c8bc58d0ed4b37f07b0e174117cb52ce5e272f4cb37ef239bb7347cf5

Download Submit
C:\Windows\SysWOW64\hgGvtRKb.dll

Filesize
34KB

MD5
26d7276d7e5421d9d269c3a1dd3e8d46

SHA1
d70a4471a70b4702afb27ddccfd8d77253f722d0

SHA256
4e0702253c03ab07a6b5c0bd2702c686b825e2b808cd70e593913204881a613f

SHA512
61782aec394e5f224188db1ed98f99ec9ca2590751abe224edcf0fd94eb820b2f1399884708be3f0d8cb85145614d0bd0d6abb957907da88064d99af1888b226

Download Submit
C:\Windows\SysWOW64\hgGvtRKb.dll

Filesize
34KB

MD5
26d7276d7e5421d9d269c3a1dd3e8d46

SHA1
d70a4471a70b4702afb27ddccfd8d77253f722d0

SHA256
4e0702253c03ab07a6b5c0bd2702c686b825e2b808cd70e593913204881a613f

SHA512
61782aec394e5f224188db1ed98f99ec9ca2590751abe224edcf0fd94eb820b2f1399884708be3f0d8cb85145614d0bd0d6abb957907da88064d99af1888b226

Download Submit
C:\Windows\SysWOW64\hgGvtRKb.dll

Filesize
34KB

MD5
26d7276d7e5421d9d269c3a1dd3e8d46

SHA1
d70a4471a70b4702afb27ddccfd8d77253f722d0

SHA256
4e0702253c03ab07a6b5c0bd2702c686b825e2b808cd70e593913204881a613f

SHA512
61782aec394e5f224188db1ed98f99ec9ca2590751abe224edcf0fd94eb820b2f1399884708be3f0d8cb85145614d0bd0d6abb957907da88064d99af1888b226

Download Submit
memory/2744-65-0x0000000000840000-0x0000000000858000-memory.dmp

Filesize
96KB

Download
memory/2744-83-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2744-85-0x0000000000840000-0x0000000000858000-memory.dmp

Filesize
96KB

Download
memory/2744-82-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2744-74-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2932-60-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2932-58-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2932-51-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2932-61-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/2932-48-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2932-49-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/4992-34-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4992-35-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/4992-28-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5076-72-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/5076-73-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/5076-86-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads