441116d55e97124a067207bf57483dd3462bccfb034e56c4152675b0dcb118e7

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16-03-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
Size

121KB
MD5

eac0a08470ee67c63b14ae2ce7f6aa61
SHA1

285c0163376d5d9a5806364411652fe73424d571
SHA256

fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7
SHA512

f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5
SSDEEP

1536:3THoX8wNjiMsyPcjgbKx534oU6Llg/iLBkZhifkdol9LYuVF5yZbn:DjksYKx5o3Slg/itMg8+LYu9ubn

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
1344	BC1C9B74EA.exe
2332	BC1C9B74EA.exe

Loads dropped DLL 2 IoCs

pid	Process
1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FF1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\BC1C9B74EA.exe\""	BC1C9B74EA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\00FF1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe\""	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\BC1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\BC1C9B74EA.exe\""	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*BC1C9B74EA = "\"C:\\Users\\Admin\\AppData\\Roaming\\BC1C9B74EA.exe\""	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	BC1C9B74EA.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	BC1C9B74EA.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1344 set thread context of 2332	1344	BC1C9B74EA.exe	60

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\_HELP_INSTRUCTION.TXT	BC1C9B74EA.exe
File opened for modification	C:\Program Files (x86)\_HELP_INSTRUCTION.TXT	BC1C9B74EA.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_HELP_INSTRUCTION.TXT	BC1C9B74EA.exe

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2692	sc.exe
2816	sc.exe
2456	sc.exe
2472	sc.exe
2532	sc.exe
2656	sc.exe
2592	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2712	vssadmin.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe:Zone.Identifier	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1040	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2764	vssvc.exe
Token: SeRestorePrivilege	2764	vssvc.exe
Token: SeAuditPrivilege	2764	vssvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1444 wrote to memory of 1708	1444	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	28
PID 1708 wrote to memory of 1728	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	29
PID 1708 wrote to memory of 1728	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	29
PID 1708 wrote to memory of 1728	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	29
PID 1708 wrote to memory of 1728	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	29
PID 1708 wrote to memory of 2620	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	31
PID 1708 wrote to memory of 2620	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	31
PID 1708 wrote to memory of 2620	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	31
PID 1708 wrote to memory of 2620	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	31
PID 1728 wrote to memory of 2532	1728	cmd.exe	33
PID 1728 wrote to memory of 2532	1728	cmd.exe	33
PID 1728 wrote to memory of 2532	1728	cmd.exe	33
PID 1728 wrote to memory of 2532	1728	cmd.exe	33
PID 1708 wrote to memory of 3032	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	34
PID 1708 wrote to memory of 3032	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	34
PID 1708 wrote to memory of 3032	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	34
PID 1708 wrote to memory of 3032	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	34
PID 1708 wrote to memory of 2108	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	36
PID 1708 wrote to memory of 2108	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	36
PID 1708 wrote to memory of 2108	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	36
PID 1708 wrote to memory of 2108	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	36
PID 2620 wrote to memory of 2656	2620	cmd.exe	38
PID 2620 wrote to memory of 2656	2620	cmd.exe	38
PID 2620 wrote to memory of 2656	2620	cmd.exe	38
PID 2620 wrote to memory of 2656	2620	cmd.exe	38
PID 1708 wrote to memory of 2716	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	39
PID 1708 wrote to memory of 2716	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	39
PID 1708 wrote to memory of 2716	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	39
PID 1708 wrote to memory of 2716	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	39
PID 3032 wrote to memory of 2592	3032	cmd.exe	41
PID 3032 wrote to memory of 2592	3032	cmd.exe	41
PID 3032 wrote to memory of 2592	3032	cmd.exe	41
PID 3032 wrote to memory of 2592	3032	cmd.exe	41
PID 1708 wrote to memory of 2568	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	42
PID 1708 wrote to memory of 2568	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	42
PID 1708 wrote to memory of 2568	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	42
PID 1708 wrote to memory of 2568	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	42
PID 2716 wrote to memory of 2692	2716	cmd.exe	44
PID 2716 wrote to memory of 2692	2716	cmd.exe	44
PID 2716 wrote to memory of 2692	2716	cmd.exe	44
PID 2716 wrote to memory of 2692	2716	cmd.exe	44
PID 1708 wrote to memory of 2696	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	45
PID 1708 wrote to memory of 2696	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	45
PID 1708 wrote to memory of 2696	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	45
PID 1708 wrote to memory of 2696	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	45
PID 2108 wrote to memory of 2816	2108	cmd.exe	47
PID 2108 wrote to memory of 2816	2108	cmd.exe	47
PID 2108 wrote to memory of 2816	2108	cmd.exe	47
PID 2108 wrote to memory of 2816	2108	cmd.exe	47
PID 1708 wrote to memory of 2676	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	48
PID 1708 wrote to memory of 2676	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	48
PID 1708 wrote to memory of 2676	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	48
PID 1708 wrote to memory of 2676	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	48
PID 1708 wrote to memory of 2496	1708	fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe	50

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
"C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe
  "C:\Users\Admin\AppData\Local\Temp\fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7_WthaiV9ed2.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop VVS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Windows\SysWOW64\sc.exe
      sc stop VVS
      4⤵
      Launches sc.exe
      PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop wscsvc
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wscsvc
      4⤵
      Launches sc.exe
      PID:2656
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop wuauserv
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2108
  - - C:\Windows\SysWOW64\sc.exe
      sc stop wuauserv
      4⤵
      Launches sc.exe
      PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop BITS
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\sc.exe
      sc stop BITS
      4⤵
      Launches sc.exe
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop ERSvc
    3⤵
    PID:2568
  - - C:\Windows\SysWOW64\sc.exe
      sc stop ERSvc
      4⤵
      Launches sc.exe
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C sc stop WerSvc
    3⤵
    PID:2696
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WerSvc
      4⤵
      Launches sc.exe
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    PID:2676
  - - C:\Windows\SysWOW64\vssadmin.exe
      vssadmin.exe Delete Shadows /All /Quiet
      4⤵
      Interacts with shadow copies
      PID:2712
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} recoveryenabled No
    3⤵
    PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    PID:2492
- - C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
    C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:1344
  - - C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
      C:\Users\Admin\AppData\Roaming\BC1C9B74EA.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Drops file in Windows directory
      PID:2332
    - - C:\Windows\SysWOW64\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_HELP_INSTRUCTION.TXT
        5⤵
        Opens file in notepad (likely ransom note)
        
        PID:1040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\_HELP_INSTRUCTION.TXT

Filesize
1KB

MD5
f480f3c998a5f67a35659cf835b6198e

SHA1
c87c6e95868517c1040adf5f07a1410f6b1093c7

SHA256
896223c6736729eeb6ea5dbed5df3a784baef1a2bcc97b76ec33396135f55fb2

SHA512
2fd2bbb7ce257ab2ff0c884dd837f38b60416adde92380797d7d463c03bfd4e18b12c3d1bf1c91eaccb6fbb42e5c2962d506f705f652b1c77e837bba3f889371

Download Submit
\Users\Admin\AppData\Roaming\BC1C9B74EA.exe

Filesize
121KB

MD5
eac0a08470ee67c63b14ae2ce7f6aa61

SHA1
285c0163376d5d9a5806364411652fe73424d571

SHA256
fa0c321e1aad571daaa3bf642ced8ab10931a05957ce9f17da49317816ca50c7

SHA512
f3fd7eeae18843d049443f0d5e818302eb3b3f73ad85e26c01e1ddc0a102a0a22b065afe01879aafc95ff3a2d15b5c302394bd03d91e6c4401648cd4222bddc5

Download Submit
memory/1344-21-0x0000000000390000-0x0000000000490000-memory.dmp

Filesize
1024KB

Download
memory/1444-4-0x00000000005B0000-0x00000000006B0000-memory.dmp

Filesize
1024KB

Download
memory/1708-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1708-3-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1708-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-80-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-100-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-35-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-40-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-45-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-50-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-65-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-70-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-75-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-29-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-85-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-90-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-95-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-31-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-105-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-26-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-121-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-127-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-134-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-140-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-145-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-147-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-149-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-151-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-153-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-155-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2332-614-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads