439202c41928e352f46c1181b40758485b93b87e0b007ffeb05da30dfe5399b7

Resubmissions

19/03/2024, 05:16

240319-fyb2nsbd8s 3

19/03/2024, 02:16

240319-cp6yxafd9z 6

Analysis

max time kernel
135s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
19/03/2024, 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22891453.exe
Size

74KB
MD5

0b3b9eaf06832cb9c5b5252e20bf6398
SHA1

61929eba0bca5476ec54231988ffdc5531ace2ef
SHA256

439202c41928e352f46c1181b40758485b93b87e0b007ffeb05da30dfe5399b7
SHA512

b30c855ff47f2cc8fe754563596217c8a396ac2e1abe614b353c0e00de065febdd1b25fca53e9e040c3d4479d274b125339e27eb88920b4c20c41c6627a5d2b3
SSDEEP

1536:lGQXlk2qxJZKBViNqupsu8w1duOoWsFxQJVsWN5mcdam1lSe9I:lAZKBVCFVp1duLWgwV5Ham1lSeK

Score

6^/10

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1764	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31095203"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2196435452"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31095203"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000089aef8a8f4794a43a89181d1015e243f00000000020000000000106600000001000020000000d3a3d888c19698795186381fbe224fab3798ba72079486c840d593fd21832ce5000000000e8000000002000020000000be1089a4b902351605bb30f099e7ea1b553ba8e825454af667597664ce81925d20000000b05aec4d1a2159801096da69eb5885b3f000314e18bb35f8b9e19e8086ea3a634000000075962d1cb478b91994d1fb216a67a62262f1875d97c2aaec2bccce54de5fed25409c3b4bbb70c75cad22f51a1478de4ceb3647bc0e5119b38aa62a5389e14ec7	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 408ce685a379da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2196435452"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000089aef8a8f4794a43a89181d1015e243f00000000020000000000106600000001000020000000e148f6baae2dc55a1525bee9ec679b907f8d60b4b905ecd5554175a2ab11e1b8000000000e8000000002000020000000990e73f909d19a01db6c49676fdb41a9c9a778938c180360084b258f393a5cef200000001ad561d680e94a392a5009a9a19f42ff064f43fe342185c20455fe14fc15c20b40000000dc3dadacddae645bde7041d19778256963901b3fcb397a965b0e80470d279b807fb42c2a26c636f87cad307ed4cbb24924d105fba94353da00da40b90212a080	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c071e085a379da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AE553230-E596-11EE-9EA0-F6021099935F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2852630833-2010812756-3750823755-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3036	vlc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3036	vlc.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	924	unregmp2.exe
Token: SeCreatePagefilePrivilege	924	unregmp2.exe
Token: SeShutdownPrivilege	3860	wmplayer.exe
Token: SeCreatePagefilePrivilege	3860	wmplayer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
2980	iexplore.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3860	wmplayer.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe
3036	vlc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2980	iexplore.exe
2980	iexplore.exe
792	IEXPLORE.EXE
792	IEXPLORE.EXE
792	IEXPLORE.EXE
792	IEXPLORE.EXE
792	IEXPLORE.EXE
3036	vlc.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 3504 wrote to memory of 1028	3504	22891453.exe	73
PID 3504 wrote to memory of 1028	3504	22891453.exe	73
PID 3504 wrote to memory of 1028	3504	22891453.exe	73
PID 1028 wrote to memory of 1764	1028	cmd.exe	75
PID 1028 wrote to memory of 1764	1028	cmd.exe	75
PID 1028 wrote to memory of 1764	1028	cmd.exe	75
PID 2980 wrote to memory of 792	2980	iexplore.exe	78
PID 2980 wrote to memory of 792	2980	iexplore.exe	78
PID 2980 wrote to memory of 792	2980	iexplore.exe	78
PID 788 wrote to memory of 424	788	wmplayer.exe	82
PID 788 wrote to memory of 424	788	wmplayer.exe	82
PID 788 wrote to memory of 424	788	wmplayer.exe	82
PID 788 wrote to memory of 364	788	wmplayer.exe	83
PID 788 wrote to memory of 364	788	wmplayer.exe	83
PID 788 wrote to memory of 364	788	wmplayer.exe	83
PID 364 wrote to memory of 924	364	unregmp2.exe	84
PID 364 wrote to memory of 924	364	unregmp2.exe	84
PID 4956 wrote to memory of 3824	4956	wmplayer.exe	87
PID 4956 wrote to memory of 3824	4956	wmplayer.exe	87
PID 4956 wrote to memory of 3824	4956	wmplayer.exe	87
PID 3824 wrote to memory of 3860	3824	setup_wm.exe	88
PID 3824 wrote to memory of 3860	3824	setup_wm.exe	88
PID 3824 wrote to memory of 3860	3824	setup_wm.exe	88

C:\Users\Admin\AppData\Local\Temp\22891453.exe
"C:\Users\Admin\AppData\Local\Temp\22891453.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3504
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c "ipconfig /all"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /all
    3⤵
    - Gathers network information
    PID:1764

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:792

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SetFind.mp4v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\PingCopy.fon
1⤵
PID:600

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:788
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  PID:424
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:364
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:924

C:\Windows\System32\fontview.exe
"C:\Windows\System32\fontview.exe" C:\Users\Admin\Desktop\PingCopy.fon
1⤵
PID:4272

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\ReceiveCheckpoint.midi
    3⤵
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3860

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
- Drops file in Windows directory
PID:1464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
0e807656bd86f2aef7ccf207f963973b

SHA1
27052af8d103d134369e356b793eb88ba873df55

SHA256
c509c498682bec50142782a51785655020bea27652f46e104e07a530c2ff5162

SHA512
e6c7d5e001e8322ccb1abd101d47e7f1401597518f45dd8da1d757728147262bcb3b1f96128f291e0e367c5b34026b401468e4219b27cf3c37a8d434180cd8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
2596359faa82ef6cd665ec6a127bf1e5

SHA1
64c244504dfb41fc286b96d83c5fdc2362828b3b

SHA256
2dcf0f834289dbee4dd2d4e540646b09ac9f37421335bd95300c029ee691c1e1

SHA512
bfa0bb70c802f57b7c0131895cef96a0528d5b63ec4de9b2476dae2e3ff87866667f97570e4f1b6999962999919dfbda48d6dc0d5a1f99e045ddd1f5a1d40b31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
89dd5fd1337b9ebb7d19d8702d8ec525

SHA1
8ef3fd423323f828fa4bf8dd406771872058e9a5

SHA256
c865bccf81ec99a1c09d002affd3f104a9e929d53ecc69d5f2c12888d208aae0

SHA512
d7f1afbb6f24abcf8a8860bf402dc33a8a719881730b782ec8e5e483317aa961310407525d5b66943358d3c24703391bc5391e3842f323bbf5df518e3ba28307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp70671.WMC\allservices.xml

Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp85640.WMC\serviceinfo.xml

Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
91d9446cb572f9c5630f1018033a1df2

SHA1
288f9f69b187a87d032040e855a07616d581b772

SHA256
3888389c76e38adc14b64a72e44efb47be69861f793fc56b4d23960b29aab939

SHA512
b3f7d8a32068eba98143cab5987573c03e570d1147abd28c404d58c1cf1f14304dc164d9ae671baf83ba08413d70362ec8cb1d418a26df9684cae4a7534774fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
2KB

MD5
346a6291600312967721bd69aca56cdf

SHA1
b0751075dbc6cedce2485da4f70caec276c0b656

SHA256
ba88d32351667ca0ef1567b59d56da2f512d006506590c894b4cb527008976c2

SHA512
073cd83bd14163d0b644a40bab3e89d8d95e676722c88b3ac8ee506446dc3d1d64e26ecbe33bf44c4189210dab0a0f6f45097bc124db17ab018202fcb948154d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF44A0A56A3C506613.TMP

Filesize
16KB

MD5
fc06b1d4ca10f6f150779fe48254fe35

SHA1
c17d35fa2e2d00c739034dca1ffc441596007920

SHA256
917432668ddb052afa449ecec034a4d251c84b8859bfc7b0d38dee883ab09382

SHA512
80eb563ec5321942443b4c076af4881aaa3c98c3111c590b3d6207e73a5c593f34e6d196d20800a7bb91c06722b49ff621e07c3d2ba4b828d5b6a736fd2a6cf5

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.em3036

Filesize
73B

MD5
120be08294f06450fa744ffa117aab45

SHA1
4013e4cf44e10886b3a07660821f8ed73c9d527d

SHA256
1604166ae27f4ee2f5bf69908d17bbf57e5df434c4660726a7b9923bd3a00303

SHA512
a845700d2cf130a0f1bd25aeb5c8f7a2861368b39efd72d2cd7735b8c0c5e6b2e95bffbb10ff5208fa3a77f0726f68b8853ff6e01ae53379e61e7ff44fac636d

Download Submit
memory/3036-64-0x00007FF990C00000-0x00007FF990D3B000-memory.dmp

Filesize
1.2MB

Download
memory/3036-69-0x00007FF9908F0000-0x00007FF990987000-memory.dmp

Filesize
604KB

Download
memory/3036-36-0x00007FF9A2A60000-0x00007FF9A2A71000-memory.dmp

Filesize
68KB

Download
memory/3036-37-0x00007FF9A1FD0000-0x00007FF9A1FED000-memory.dmp

Filesize
116KB

Download
memory/3036-38-0x00007FF9A1FB0000-0x00007FF9A1FC1000-memory.dmp

Filesize
68KB

Download
memory/3036-39-0x00007FF991ED0000-0x00007FF9920D0000-memory.dmp

Filesize
2.0MB

Download
memory/3036-40-0x00007FF9A1F70000-0x00007FF9A1FAF000-memory.dmp

Filesize
252KB

Download
memory/3036-41-0x00007FF990E20000-0x00007FF991ECB000-memory.dmp

Filesize
16.7MB

Download
memory/3036-42-0x00007FF9A1F40000-0x00007FF9A1F61000-memory.dmp

Filesize
132KB

Download
memory/3036-43-0x00007FF9A1F20000-0x00007FF9A1F38000-memory.dmp

Filesize
96KB

Download
memory/3036-44-0x00007FF9A1F00000-0x00007FF9A1F11000-memory.dmp

Filesize
68KB

Download
memory/3036-45-0x00007FF9A1AE0000-0x00007FF9A1AF1000-memory.dmp

Filesize
68KB

Download
memory/3036-46-0x00007FF9A1AC0000-0x00007FF9A1AD1000-memory.dmp

Filesize
68KB

Download
memory/3036-47-0x00007FF9A1AA0000-0x00007FF9A1ABB000-memory.dmp

Filesize
108KB

Download
memory/3036-48-0x00007FF9A1A80000-0x00007FF9A1A91000-memory.dmp

Filesize
68KB

Download
memory/3036-51-0x00007FF99DCD0000-0x00007FF99DD37000-memory.dmp

Filesize
412KB

Download
memory/3036-50-0x00007FF9A1A30000-0x00007FF9A1A60000-memory.dmp

Filesize
192KB

Download
memory/3036-49-0x00007FF9A1A60000-0x00007FF9A1A78000-memory.dmp

Filesize
96KB

Download
memory/3036-52-0x00007FF990DB0000-0x00007FF990E1F000-memory.dmp

Filesize
444KB

Download
memory/3036-53-0x00007FF9A1A10000-0x00007FF9A1A21000-memory.dmp

Filesize
68KB

Download
memory/3036-60-0x00007FF99DCB0000-0x00007FF99DCC2000-memory.dmp

Filesize
72KB

Download
memory/3036-59-0x00007FF99DE60000-0x00007FF99DE71000-memory.dmp

Filesize
68KB

Download
memory/3036-61-0x00007FF990D80000-0x00007FF990DA1000-memory.dmp

Filesize
132KB

Download
memory/3036-58-0x00007FF99F530000-0x00007FF99F553000-memory.dmp

Filesize
140KB

Download
memory/3036-57-0x00007FF99FBC0000-0x00007FF99FBD7000-memory.dmp

Filesize
92KB

Download
memory/3036-56-0x00007FF99F560000-0x00007FF99F584000-memory.dmp

Filesize
144KB

Download
memory/3036-55-0x00007FF9A0AC0000-0x00007FF9A0AE8000-memory.dmp

Filesize
160KB

Download
memory/3036-54-0x00007FF99F5C0000-0x00007FF99F616000-memory.dmp

Filesize
344KB

Download
memory/3036-62-0x00007FF990D60000-0x00007FF990D73000-memory.dmp

Filesize
76KB

Download
memory/3036-65-0x00007FF990BD0000-0x00007FF990BFC000-memory.dmp

Filesize
176KB

Download
memory/3036-34-0x00007FF9A2E00000-0x00007FF9A2E11000-memory.dmp

Filesize
68KB

Download
memory/3036-63-0x00007FF990D40000-0x00007FF990D52000-memory.dmp

Filesize
72KB

Download
memory/3036-67-0x00007FF9909B0000-0x00007FF990A0C000-memory.dmp

Filesize
368KB

Download
memory/3036-68-0x00007FF990990000-0x00007FF9909A1000-memory.dmp

Filesize
68KB

Download
memory/3036-66-0x00007FF990A10000-0x00007FF990BC2000-memory.dmp

Filesize
1.7MB

Download
memory/3036-70-0x00007FF9908D0000-0x00007FF9908E2000-memory.dmp

Filesize
72KB

Download
memory/3036-71-0x00007FF990690000-0x00007FF9908C1000-memory.dmp

Filesize
2.2MB

Download
memory/3036-35-0x00007FF9A2DE0000-0x00007FF9A2DF7000-memory.dmp

Filesize
92KB

Download
memory/3036-72-0x00007FF990570000-0x00007FF990682000-memory.dmp

Filesize
1.1MB

Download
memory/3036-74-0x00007FF990500000-0x00007FF990525000-memory.dmp

Filesize
148KB

Download
memory/3036-81-0x00007FF990350000-0x00007FF990361000-memory.dmp

Filesize
68KB

Download
memory/3036-80-0x00007FF990370000-0x00007FF99040F000-memory.dmp

Filesize
636KB

Download
memory/3036-83-0x00007FF990220000-0x00007FF990231000-memory.dmp

Filesize
68KB

Download
memory/3036-84-0x00007FF990200000-0x00007FF990211000-memory.dmp

Filesize
68KB

Download
memory/3036-82-0x00007FF990240000-0x00007FF990342000-memory.dmp

Filesize
1.0MB

Download
memory/3036-79-0x00007FF990410000-0x00007FF990423000-memory.dmp

Filesize
76KB

Download
memory/3036-78-0x00007FF990430000-0x00007FF990442000-memory.dmp

Filesize
72KB

Download
memory/3036-77-0x00007FF990450000-0x00007FF990461000-memory.dmp

Filesize
68KB

Download
memory/3036-76-0x00007FF990470000-0x00007FF9904D1000-memory.dmp

Filesize
388KB

Download
memory/3036-75-0x00007FF9904E0000-0x00007FF9904F1000-memory.dmp

Filesize
68KB

Download
memory/3036-73-0x00007FF990530000-0x00007FF990565000-memory.dmp

Filesize
212KB

Download
memory/3036-86-0x00007FF9901C0000-0x00007FF9901D2000-memory.dmp

Filesize
72KB

Download
memory/3036-91-0x00007FF990110000-0x00007FF990121000-memory.dmp

Filesize
68KB

Download
memory/3036-90-0x00007FF990130000-0x00007FF990142000-memory.dmp

Filesize
72KB

Download
memory/3036-33-0x00007FF9A2E20000-0x00007FF9A2E37000-memory.dmp

Filesize
92KB

Download
memory/3036-32-0x00007FF9A58C0000-0x00007FF9A58D8000-memory.dmp

Filesize
96KB

Download
memory/3036-31-0x00007FF9920D0000-0x00007FF992384000-memory.dmp

Filesize
2.7MB

Download
memory/3036-92-0x00007FF9900F0000-0x00007FF990101000-memory.dmp

Filesize
68KB

Download
memory/3036-89-0x00007FF990150000-0x00007FF990179000-memory.dmp

Filesize
164KB

Download
memory/3036-88-0x00007FF990180000-0x00007FF990196000-memory.dmp

Filesize
88KB

Download
memory/3036-87-0x00007FF9901A0000-0x00007FF9901B8000-memory.dmp

Filesize
96KB

Download
memory/3036-85-0x00007FF9901E0000-0x00007FF9901F1000-memory.dmp

Filesize
68KB

Download
memory/3036-30-0x00007FF9A58E0000-0x00007FF9A5914000-memory.dmp

Filesize
208KB

Download
memory/3036-29-0x00007FF67C720000-0x00007FF67C818000-memory.dmp

Filesize
992KB

Download
memory/3860-207-0x000000000A8C0000-0x000000000A8D0000-memory.dmp

Filesize
64KB

Download
memory/3860-204-0x000000000A8C0000-0x000000000A8D0000-memory.dmp

Filesize
64KB

Download
memory/3860-210-0x000000000A8C0000-0x000000000A8D0000-memory.dmp

Filesize
64KB

Download
memory/3860-211-0x0000000008190000-0x00000000081A0000-memory.dmp

Filesize
64KB

Download
memory/3860-218-0x0000000007EB0000-0x0000000007EC0000-memory.dmp

Filesize
64KB

Download
memory/3860-217-0x000000000A8C0000-0x000000000A8D0000-memory.dmp

Filesize
64KB

Download
memory/3860-221-0x000000000A8C0000-0x000000000A8D0000-memory.dmp

Filesize
64KB

Download
memory/3860-198-0x000000000A8C0000-0x000000000A8D0000-memory.dmp

Filesize
64KB

Download
memory/3860-240-0x0000000008190000-0x00000000081A0000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads