71f0abebcd6740be679092a937f3c4a886df29febc0f8ed3941b3404df0355c9

Analysis

max time kernel
149s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

135d9cf130dd346b9adf744c6d37469b.exe
Size

140KB
MD5

135d9cf130dd346b9adf744c6d37469b
SHA1

5fa03dd1195777609789561fec0829e4220d48d6
SHA256

71f0abebcd6740be679092a937f3c4a886df29febc0f8ed3941b3404df0355c9
SHA512

383e7795aa1009da8ef9d8370a396a8cc5ef0f0b949294f54aeeece4a922f677443d42e384d9e34a09e52a1f1866dac24cced236ee45ea55447f6d3938ad4e10
SSDEEP

3072:NGQJL20ZG009teM8XnZQLpgwWyM22/z/g21rfeEr+W7REQVH:NlV1E08AELpRWwW/5Xp7WQVH

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	135d9cf130dd346b9adf744c6d37469b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	csrs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	spoolsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	algs.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000\Control Panel\International\Geo\Nation	spooIsv.exe

Executes dropped EXE 10 IoCs

pid	Process
2312	csrs.exe
4312	csrs.exe
5064	spoolsvc.exe
3624	spoolsvc.exe
3240	algs.exe
1612	algs.exe
4812	spooIsv.exe
4604	spooIsv.exe
1520	Isass.exe
2300	Isass.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows DLL Loader = "C:\\Windows\\system32\\Isass.exe"	Isass.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\gdljsds.bat	algs.exe
File created	C:\Windows\SysWOW64\tmoasj.bat	spooIsv.exe
File created	C:\Windows\SysWOW64\Isass.exe	Isass.exe
File created	C:\Windows\SysWOW64\sroazdr.bat	spoolsvc.exe
File created	C:\Windows\SysWOW64\rtymeun.bat	csrs.exe
File created	C:\Windows\SysWOW64\spooIsv.exe	algs.exe
File opened for modification	C:\Windows\SysWOW64\spooIsv.exe	algs.exe
File created	C:\Windows\SysWOW64\Isass.exe	spooIsv.exe
File opened for modification	C:\Windows\SysWOW64\spoolsvc.exe	csrs.exe
File opened for modification	C:\Windows\SysWOW64\csrs.exe	135d9cf130dd346b9adf744c6d37469b.exe
File created	C:\Windows\SysWOW64\spoolsvc.exe	csrs.exe
File created	C:\Windows\SysWOW64\algs.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\algs.exe	spoolsvc.exe
File opened for modification	C:\Windows\SysWOW64\Isass.exe	spooIsv.exe
File created	C:\Windows\SysWOW64\csrs.exe	135d9cf130dd346b9adf744c6d37469b.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 4004 set thread context of 1920	4004	135d9cf130dd346b9adf744c6d37469b.exe	16
PID 2312 set thread context of 4312	2312	csrs.exe	48
PID 5064 set thread context of 3624	5064	spoolsvc.exe	70
PID 3240 set thread context of 1612	3240	algs.exe	91
PID 4812 set thread context of 4604	4812	spooIsv.exe	106
PID 1520 set thread context of 2300	1520	Isass.exe	112

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 1920	4004	135d9cf130dd346b9adf744c6d37469b.exe	16
PID 4004 wrote to memory of 1920	4004	135d9cf130dd346b9adf744c6d37469b.exe	16
PID 4004 wrote to memory of 1920	4004	135d9cf130dd346b9adf744c6d37469b.exe	16
PID 4004 wrote to memory of 1920	4004	135d9cf130dd346b9adf744c6d37469b.exe	16
PID 4004 wrote to memory of 1920	4004	135d9cf130dd346b9adf744c6d37469b.exe	16
PID 4004 wrote to memory of 1920	4004	135d9cf130dd346b9adf744c6d37469b.exe	16
PID 4004 wrote to memory of 1920	4004	135d9cf130dd346b9adf744c6d37469b.exe	16
PID 4004 wrote to memory of 1920	4004	135d9cf130dd346b9adf744c6d37469b.exe	16
PID 1920 wrote to memory of 1924	1920	135d9cf130dd346b9adf744c6d37469b.exe	51
PID 1920 wrote to memory of 1924	1920	135d9cf130dd346b9adf744c6d37469b.exe	51
PID 1920 wrote to memory of 1924	1920	135d9cf130dd346b9adf744c6d37469b.exe	51
PID 1920 wrote to memory of 2312	1920	135d9cf130dd346b9adf744c6d37469b.exe	50
PID 1920 wrote to memory of 2312	1920	135d9cf130dd346b9adf744c6d37469b.exe	50
PID 1920 wrote to memory of 2312	1920	135d9cf130dd346b9adf744c6d37469b.exe	50
PID 2312 wrote to memory of 4312	2312	csrs.exe	48
PID 2312 wrote to memory of 4312	2312	csrs.exe	48
PID 2312 wrote to memory of 4312	2312	csrs.exe	48
PID 2312 wrote to memory of 4312	2312	csrs.exe	48
PID 2312 wrote to memory of 4312	2312	csrs.exe	48
PID 2312 wrote to memory of 4312	2312	csrs.exe	48
PID 2312 wrote to memory of 4312	2312	csrs.exe	48
PID 2312 wrote to memory of 4312	2312	csrs.exe	48
PID 4312 wrote to memory of 1812	4312	csrs.exe	73
PID 4312 wrote to memory of 1812	4312	csrs.exe	73
PID 4312 wrote to memory of 1812	4312	csrs.exe	73
PID 4312 wrote to memory of 5064	4312	csrs.exe	72
PID 4312 wrote to memory of 5064	4312	csrs.exe	72
PID 4312 wrote to memory of 5064	4312	csrs.exe	72
PID 5064 wrote to memory of 3624	5064	spoolsvc.exe	70
PID 5064 wrote to memory of 3624	5064	spoolsvc.exe	70
PID 5064 wrote to memory of 3624	5064	spoolsvc.exe	70
PID 5064 wrote to memory of 3624	5064	spoolsvc.exe	70
PID 5064 wrote to memory of 3624	5064	spoolsvc.exe	70
PID 5064 wrote to memory of 3624	5064	spoolsvc.exe	70
PID 5064 wrote to memory of 3624	5064	spoolsvc.exe	70
PID 5064 wrote to memory of 3624	5064	spoolsvc.exe	70
PID 3624 wrote to memory of 4708	3624	spoolsvc.exe	93
PID 3624 wrote to memory of 4708	3624	spoolsvc.exe	93
PID 3624 wrote to memory of 4708	3624	spoolsvc.exe	93
PID 3624 wrote to memory of 3240	3624	spoolsvc.exe	92
PID 3624 wrote to memory of 3240	3624	spoolsvc.exe	92
PID 3624 wrote to memory of 3240	3624	spoolsvc.exe	92
PID 3240 wrote to memory of 1612	3240	algs.exe	91
PID 3240 wrote to memory of 1612	3240	algs.exe	91
PID 3240 wrote to memory of 1612	3240	algs.exe	91
PID 3240 wrote to memory of 1612	3240	algs.exe	91
PID 3240 wrote to memory of 1612	3240	algs.exe	91
PID 3240 wrote to memory of 1612	3240	algs.exe	91
PID 3240 wrote to memory of 1612	3240	algs.exe	91
PID 3240 wrote to memory of 1612	3240	algs.exe	91
PID 1612 wrote to memory of 4232	1612	algs.exe	109
PID 1612 wrote to memory of 4232	1612	algs.exe	109
PID 1612 wrote to memory of 4232	1612	algs.exe	109
PID 1612 wrote to memory of 4812	1612	algs.exe	107
PID 1612 wrote to memory of 4812	1612	algs.exe	107
PID 1612 wrote to memory of 4812	1612	algs.exe	107
PID 4812 wrote to memory of 4604	4812	spooIsv.exe	106
PID 4812 wrote to memory of 4604	4812	spooIsv.exe	106
PID 4812 wrote to memory of 4604	4812	spooIsv.exe	106
PID 4812 wrote to memory of 4604	4812	spooIsv.exe	106
PID 4812 wrote to memory of 4604	4812	spooIsv.exe	106
PID 4812 wrote to memory of 4604	4812	spooIsv.exe	106
PID 4812 wrote to memory of 4604	4812	spooIsv.exe	106
PID 4812 wrote to memory of 4604	4812	spooIsv.exe	106

C:\Users\Admin\AppData\Local\Temp\135d9cf130dd346b9adf744c6d37469b.exe
"C:\Users\Admin\AppData\Local\Temp\135d9cf130dd346b9adf744c6d37469b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Users\Admin\AppData\Local\Temp\135d9cf130dd346b9adf744c6d37469b.exe
  "C:\Users\Admin\AppData\Local\Temp\135d9cf130dd346b9adf744c6d37469b.exe"
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1920
- - C:\Windows\SysWOW64\csrs.exe
    C:\Windows\system32\csrs.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sdrldr.bat" "
    3⤵
    PID:1924

C:\Windows\SysWOW64\csrs.exe
"C:\Windows\SysWOW64\csrs.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\SysWOW64\spoolsvc.exe
  C:\Windows\system32\spoolsvc.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\rtymeun.bat" "
  2⤵
  PID:1812

C:\Windows\SysWOW64\spoolsvc.exe
"C:\Windows\SysWOW64\spoolsvc.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\SysWOW64\algs.exe
  C:\Windows\system32\algs.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3240
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\sroazdr.bat" "
  2⤵
  PID:4708

C:\Windows\SysWOW64\algs.exe
"C:\Windows\SysWOW64\algs.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\spooIsv.exe
  C:\Windows\system32\spooIsv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4812
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\gdljsds.bat" "
  2⤵
  PID:4232

C:\Windows\SysWOW64\spooIsv.exe
"C:\Windows\SysWOW64\spooIsv.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
PID:4604
- C:\Windows\SysWOW64\Isass.exe
  C:\Windows\system32\Isass.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:1520
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Windows\SysWOW64\tmoasj.bat" "
  2⤵
  PID:4316

C:\Windows\SysWOW64\Isass.exe
"C:\Windows\SysWOW64\Isass.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:2300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sdrldr.bat

Filesize
200B

MD5
0cf02743ad5f95b32ff8457637c70b5e

SHA1
bd4bafa26aeab5733f6f930de560cd60eac252b8

SHA256
c7d2e45d79dc87cdfc0ba979d727d74b17f87f36cff1dc9804f225a89941330c

SHA512
f3ad6c28ff02eac0d8db17d64b650beb10da5e66f886f6af21b1c4db09f911e357626388138d1199ce4ac9563f06964babc8923a578a6cdfaaa3852141c82d8f

Download Submit
C:\Windows\SysWOW64\Isass.exe

Filesize
68KB

MD5
d48a76cc78c08796cfff974abbc7cb90

SHA1
095c1ae26abe748729dfc39627b47e960b2f805c

SHA256
87987ebb63fbb70a7458a8552a51a8b98afcf20ace30aafd8588772befb2b545

SHA512
ea8217bbbd2ab81f0e015c086024756d47e77b8dff44a44000131f18682db705b4d7e303a0721ad267e74a7e935b8f3076c15c7832901776c15347fe67ec372a

Download Submit
C:\Windows\SysWOW64\Isass.exe

Filesize
109KB

MD5
7f65584395b40d85d722a1cb9a8033a0

SHA1
36cee3442958cc20b21019034bcade6f6bf187aa

SHA256
6a75d864efbfbd53138ecaedb76d904a36c2307c48139e833ae151cf2ae7f0ab

SHA512
042ce6ede95d768ac01e2e2aabc5c08f6d3ff4d0b2c54a594e414f11e109e4a7b5bbd7a199bdc0885773d7ac60d771f31b59845f98aba9d8613b9e1b60ff4d7f

Download Submit
C:\Windows\SysWOW64\Isass.exe

Filesize
117KB

MD5
f83499c673b68c760fffed1a46ffe4fe

SHA1
45139624df3b961d4ef5ebf145efe3ace80c3490

SHA256
85ac53c13b23b9b0c4231e61578af3d3958ea833526a0bff068d0e2590926476

SHA512
8a2bb6ff5b8cfeca628d51428d684304fef98c174eb15aecfe580056b4d6655714ca123eb26773c040a4aa5780ac6054c9865251a8f61f6b6eecacf5256c7b52

Download Submit
C:\Windows\SysWOW64\algs.exe

Filesize
45KB

MD5
74681dcf6304ee9acb772a1b0a9fa7a5

SHA1
f1e098dffcf08eb9a0a144dfb51dc0276eb787d5

SHA256
629d8273fd5b28e0aa32b5008b0e88265829f1ff2e75e9ca46a82dd2989b48d3

SHA512
4459316951db09aba45043b0463ed2943ca3493988b0040c01217c328abfd0732e7ee6519cc2b597e0ffedf08818c49641f0aeb743eea53e8666f3a5f79565ec

Download Submit
C:\Windows\SysWOW64\algs.exe

Filesize
44KB

MD5
d90004c91a452f98732fa763816bb492

SHA1
d2c5877df0f75e8746d214f297f4b361c1d7ecc8

SHA256
f56a0dddb1eca318edae2a01467bf3cbf26b2133d19779ded9f8fbc50aad44bd

SHA512
79953479cac7fc9b76c4ab985acdc2b4f0dbd11e81c016eb5b62b0e1efc22763495ec44477e77ca65737af96fa587f314dee64dbdcec054bcaf10e8ba2be0a51

Download Submit
C:\Windows\SysWOW64\csrs.exe

Filesize
40KB

MD5
53a1b438a8de9a2b200382609b8df602

SHA1
68027478ef476d14599d485198d5e064766603cf

SHA256
d8c3492a3f516541688574c738161ded1f8c0cda633fb6f697679f3364b5338c

SHA512
d6e1306788a0bc79797ac5c6d8e2282d9df5953fee4e5bb730db92b3147e3dcbfcd26c5213e8bcd375273c3fbf89e6dff1da6f8063ddd946c4e2077a615dbb6c

Download Submit
C:\Windows\SysWOW64\csrs.exe

Filesize
16KB

MD5
ede8f3eaad532dc5ed999b582f07cdf3

SHA1
b2000806ee5448d67cc9fdd2719528f46e304155

SHA256
b058340d9c244a6e5c2a13088c733f96f46a892cc5d39fd59e10e7304b12b77c

SHA512
1a293eca799d857ec0a7a327bff493bde1a526a32e7df0a6998198667a3766fd572242a2527523f00cc4be9999340843803e3567f6ea059651c28a4fdaeccbab

Download Submit
C:\Windows\SysWOW64\csrs.exe

Filesize
35KB

MD5
ab9b128ac1372fb359871be4f8c9aaca

SHA1
91f5c46ee533cbf7a742dcb08bff5d394affafd6

SHA256
56a4325bbd718a07f377a8325f6fae388081e6135d4b447d71f21b88640c080c

SHA512
6dfe99488e1ea114acc2739ce047b5e7586d6417cab6f9bedf54383d166a55d23bdcf760efa748165bdd3c80bdb5936e5973c3da9debfcbdc99c8a0046a0822b

Download Submit
C:\Windows\SysWOW64\gdljsds.bat

Filesize
117B

MD5
437e5edc8439ca29f1e2828c1ff38b73

SHA1
d77db92efacc477d6a2bd79ac4307b06c9688ce7

SHA256
5430dfe44ba13c4f6771a2de2f8cb3e018f74e0992dd762cfaed3b97173c0e1d

SHA512
913230ec6d79cdb8f8444d0beac40c17741e680a9f50473907b408a4967a31f68d36e4b6a2594f2a0621b67939dacb9a4fe83598bbc4673565102065a7921b38

Download Submit
C:\Windows\SysWOW64\rtymeun.bat

Filesize
117B

MD5
b5b8db6515721433b5220b8f8af760ac

SHA1
591185c9d3ddd10a0ed34d557c862532cb5cb77a

SHA256
9ddb59f66a665287fa1b983640640884d6045f02991813aa53e1dbddd7167ec2

SHA512
0dad95152575c3190dbb971613fc7f787e0dc7d7a4eccbd42d60df48ddcf91968b2e37d91a891f9cca6f39320ae45f144fcfd8783b190e363f3ee6ad5ed4b920

Download Submit
C:\Windows\SysWOW64\spooIsv.exe

Filesize
72KB

MD5
2d12faeec3459572b42ba472fc10a486

SHA1
03cb61a605f7bf761070e14b7d678b9d1e946939

SHA256
d86f851900123bc590a95389e70a79f3979bbcccf7b1ed1161e3c2ca08395a5f

SHA512
017b573c1acbf22613ae645470525c02f103638770d749cebb204a62a43400529949eb83d72042be04f2980b7ca2e47058220936d90537cfe93f43d77e080cee

Download Submit
C:\Windows\SysWOW64\spooIsv.exe

Filesize
61KB

MD5
31b4609bdeef1c7192eb0ab91619a234

SHA1
4d3400f14691064ee617a2cebb5c65d98f12202f

SHA256
4500c9715818aabe2bfd9dd948049b8ae65fd3f0ee897c14ad252ddd22704caf

SHA512
55a86c0f9b5d9ef9f9d9dd7e6ef9adb747a2dba1dc3f658fb27c591660b8496b0f2cfe9527a10c4e850acfaee443df15c9e12f63930d961be580268cac750f2d

Download Submit
C:\Windows\SysWOW64\spooIsv.exe

Filesize
82KB

MD5
57990a246bb3016294e1aca1a07edca7

SHA1
250b0c9b5436e8c353bab97c36cb6c7a56159020

SHA256
eeee0cae2c070ca74b59d28d4160749df31729893aa9af8573cb3ac802b4a82d

SHA512
eed51fe580292fcdadb7d5fcbaa52b19569a668c783cc5d757980aa37ef214e7602846efb0bfe9c10a0a3bbaf1cb7aa38acfc0051d22b7f794606113e96fcde9

Download Submit
C:\Windows\SysWOW64\spoolsvc.exe

Filesize
47KB

MD5
40d98277cf20d1d0aa418e454277a962

SHA1
082bc61c0633b92822d1f7cbdfd850f35a742c99

SHA256
e6b1160463ff5a8bbf687682cff53243e97c13aba70d4c3487bb9658a5120f7f

SHA512
bed3e51c9f347acbe701ac0c1937e8c4fb3c5d59be497513b827fd580dd840a53ea5f5f2d92bca101112559fcb6b0ecce24768e473f3ccc2c1aa0825306ed977

Download Submit
C:\Windows\SysWOW64\spoolsvc.exe

Filesize
56KB

MD5
7ae3784f0790d6131918b28a2a8d0293

SHA1
69d01f07430cc2de1dc4045dcde15cbc217ecc34

SHA256
1f0d1fc1458eddb49f1bfa0ef4daf30cf77cd9de3c4370f8f9979adafec3f221

SHA512
d8bee50020cf4127d4a9b7cc833c04623efb3f1c24064dd84d5a0aae4e0039c3d4c91d2b3345b53e5b276ab17c543101a75b922822aabad04b432fbea9c1e97f

Download Submit
C:\Windows\SysWOW64\spoolsvc.exe

Filesize
42KB

MD5
b260724b1a2a69d377fa0321e4dff73a

SHA1
0a97181289a20e1b875a1ec6784e9bdb5c8b58a7

SHA256
4fb254ddb287b33a626aa537d612343340113717571d7ea2b5fe80ce0126e916

SHA512
bf9144f2f3da7072603c03db8a0c3ff927570e00083368948ce7e58cf3f599c5469534d5689d3c78bac82cda6d9bddbffc007f07e6a9493b2f802f0cbe5f40cc

Download Submit
C:\Windows\SysWOW64\sroazdr.bat

Filesize
129B

MD5
4dfaf96e9993f374f22137f7f99d8ef9

SHA1
1344d4cd410d7651d38b3a8cfd15ff784970457b

SHA256
87452c545c37779243f0ad9553995a74827c165f790b82ce0ac27650556ef687

SHA512
5dae76a0c3797f8bda33f7b455d6980f2d88838cbd6087c5a4f7a68db5245095ec34e6d4e8baf858cfda81a63c00b500cc2eeb99683b26db67697f4fbf759c7d

Download Submit
C:\Windows\SysWOW64\tmoasj.bat

Filesize
125B

MD5
c65ecd3b77ba32610eebf5bfc4235bc4

SHA1
867cce1b49e621ce9a11866f3b1c82c18857878d

SHA256
8c6214159fcb8cd5afa7731b091d80dee01f1499732766a637b51a70c03e501c

SHA512
75f97f9eea9f818a23fc587dfb3d28e4e7e0535427aa274867e2994c4f1a95a31d6fbb2f30daa8723e9a36f80ec33f4efb53f6251e8615d442ab41e0e982ce24

Download Submit
memory/1520-105-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1612-71-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1920-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1920-14-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1920-2-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1920-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1920-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2300-112-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2300-106-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2312-82-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3240-103-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/3624-51-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4004-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4312-32-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4604-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4812-104-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5064-102-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads