8ff8af7b31fe7ed58b2afc1b556c635c2ccdf20bce7ca371897dea490a8b5027

Analysis

max time kernel
87s
max time network
51s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13-07-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Size

146KB
MD5

c4944d000475c9c6b515e030b59652c9
SHA1

eaf2695c872913f35a450b11a7b5f58d848d0735
SHA256

0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5
SHA512

e41e21ef56cb097c78b7b8a48d54e9d611e863da5a15d14d8fb11c7975348c71708ccb9d491f00a682874dd6667fa2252ba3568b3d06fa2c2600648838d080fd
SSDEEP

1536:KzICS4AAwczUUf8y8gvMH+1zGSNAojMP95D1xDmi3rNHUmVNypY2hamdb2SxsUyz:5qJogYkcSNm9V7DmCymVoRwmd/qT

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Jjf2IQlAQ.README.txt

Ransom Note

Your data is downloaded and encrypted. To restore the files and prevent it leaked on onion website, you need to pay some money for it. Send email to [email protected] with subject of the encrypted file extension. What guarantees that we will not deceive you? We are not a politically motivated group and we do not need anything other than your money. If you pay, we will provide you the programs for decryption and we will delete your data. Life is too short to be sad. Be not sad, money, it is only paper. If we do not give you decrypters, or we do not delete your data after payment, then nobody will pay us in the future. Therefore to us our reputation is very important. We attack the companies worldwide and there is no dissatisfied victim after payment. Warning! Do not DELETE or MODIFY any files, it can lead to recovery problems! Warning! If you do not pay the ransom we will attack your company repeatedly again. We will delete the decryptor after 48 hours if you don't send email to us.

Emails

[email protected]

Signatures

Renames multiple (189) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Deletes itself 1 IoCs

Processes:

1101.tmp

pid process

2456 1101.tmp
Executes dropped EXE 1 IoCs

Processes:

1101.tmp

pid process

2456 1101.tmp
Loads dropped DLL 1 IoCs

Processes:

0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

pid process

3004 0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

description	ioc	process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\Jjf2IQlAQ.bmp"	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Jjf2IQlAQ.bmp"	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

1101.tmp

pid process

2456 1101.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 2 IoCs

evasion

Processes:

0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\WallpaperStyle = "10"	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

Modifies registry class 5 IoCs

Processes:

0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Jjf2IQlAQ	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Jjf2IQlAQ\ = "Jjf2IQlAQ"	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jjf2IQlAQ\DefaultIcon	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jjf2IQlAQ	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jjf2IQlAQ\DefaultIcon\ = "C:\\ProgramData\\Jjf2IQlAQ.ico"	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

pid	process
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

Suspicious behavior: RenamesItself 26 IoCs

Processes:

1101.tmp

pid	process
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp
2456	1101.tmp

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

description	pid	process
Token: SeAssignPrimaryTokenPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeDebugPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: 36	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeImpersonatePrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeIncBasePriorityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeIncreaseQuotaPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: 33	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeManageVolumePrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeProfSingleProcessPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeRestorePrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSystemProfilePrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeTakeOwnershipPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeShutdownPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeDebugPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeBackupPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
Token: SeSecurityPrivilege	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe1101.tmp

description	pid	process	target process
PID 3004 wrote to memory of 2456	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe	1101.tmp
PID 3004 wrote to memory of 2456	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe	1101.tmp
PID 3004 wrote to memory of 2456	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe	1101.tmp
PID 3004 wrote to memory of 2456	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe	1101.tmp
PID 3004 wrote to memory of 2456	3004	0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe	1101.tmp
PID 2456 wrote to memory of 2624	2456	1101.tmp	cmd.exe
PID 2456 wrote to memory of 2624	2456	1101.tmp	cmd.exe
PID 2456 wrote to memory of 2624	2456	1101.tmp	cmd.exe
PID 2456 wrote to memory of 2624	2456	1101.tmp	cmd.exe

C:\Users\Admin\AppData\Local\Temp\0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe
"C:\Users\Admin\AppData\Local\Temp\0e9f24d9b122f16a0817890872ab88e91cfddeaf1bac8a1e41a724f5eadd9ad5.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004

C:\ProgramData\1101.tmp
"C:\ProgramData\1101.tmp"
2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\1101.tmp >> NUL
3⤵
PID:2624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x154
1⤵
PID:1812

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2212144002-1172735686-1556890956-1000\desktop.ini
Filesize
129B

MD5
a5de7b1141009d8b10a5b07d15029ee4

SHA1
194d41d697a7dd659202ac2df9cea98d6d76475d

SHA256
219dc70ad45a42827f8076ea8e35b13bdd003ce7c20d22219213c5e0bb9c3930

SHA512
a8ac72ae10124652e053b2f7467109fb4b3b9d0a55888fe9f8d812747f0e32fc6a7543327608a9e95895cd4ba8adbad4f92a3694a22c8eeef4d2cbf777f0ff79

Download Submit
C:\Jjf2IQlAQ.README.txt
Filesize
1KB

MD5
248032372780bc95bf1fddba7aa0f79d

SHA1
fd80b5a721a8b8d60f47942c51cd59bc5e5eceef

SHA256
4047be6c6bfd2d580eb80020455aaf7fd090c770aaa07444ec166d6d3f1a3329

SHA512
24a0e894cf870266d2c2365faaa0d6f8275ce0347fa5592eeb8d28b64dc81d1a8ddec15196770dfb529a77e5dd06ff08a7fd30617e0af293b3a140d75762230e

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
Filesize
146KB

MD5
598ec8d927d6ee47515b6265a2cd949b

SHA1
38fa51a452672ee97f35c935b636429a38340397

SHA256
46c40fc943b2f611cac19f636755eadfa6bc6b5d881cf571d9cc6a752afe861c

SHA512
389bd65a91fd0e109ba02ed7a6d3e029e907dbd3c9abf9d72d4557279d6a3336a75dd24a44d4cce678464787db5fd7a82aa435ba6f20a527332f81b40cc01e9f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2212144002-1172735686-1556890956-1000\DDDDDDDDDDD
Filesize
129B

MD5
d7a288680e370b5a69befd38f410a61c

SHA1
584cb8138e5974441d069a930cf39849006493f5

SHA256
59d6aaf5fb1de5e0bb63193d043bc606bf49f12c7a239b63cc3229e789266f31

SHA512
a0b1ab785525c6e8c7924f3ff8b86d2b43d66d45f5b3954db1d9b0188a75461a19b454276e57d0fd1e4729307553b3b1e7f956621e040db38effa820c284dd8e

Download Submit
\ProgramData\1101.tmp
Filesize
14KB

MD5
294e9f64cb1642dd89229fff0592856b

SHA1
97b148c27f3da29ba7b18d6aee8a0db9102f47c9

SHA256
917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2

SHA512
b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

Download Submit
memory/2456-342-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2456-344-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/3004-0-0x0000000002170000-0x00000000021B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads