7185e8c694984f512a44f240e4b89647c759ba756bd9e9947414941e4342d466

Analysis

max time kernel
1795s
max time network
1561s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17-07-2024 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
Size

236KB
MD5

6aa5d9b03d34c87026ac11a6f30524fe
SHA1

c0c532d64bc1d16aeb12ea58c9e94c48eb3d64d4
SHA256

5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0
SHA512

1e0cdbfd5399c03e6db32b309d38f56dc0761d6a9d2319c712f771fecc9fec8aac0c2dd2ee00e4674b26168265558e4d02a810a6326c73e36a1e453ecc394069
SSDEEP

3072:A2XIX/5EEAmkN7HqOaeV/RPMObiZif2fXSF9uvm8dDuCb4NeIAg0Fuj3RK3o1yL:AliN3qO1hR0UiZi+fC+iAObo41I

Score

10^/10

defense_evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Ransom Note

[WHAT HAPPENED] Your important files produced on this computer have been encrypted due a security problem If you want to restore them, write us to the e-mail: [email protected] You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files. [FREE DECRYPTION AS GUARANTEE] Before paying you can send to us up to 3 files for free decryption. Please note that files must NOT contain valuable information and their total size must be less than 1Mb [HOW TO OBTAIN BITCOINS] The easiest way to buy bitcoin is LocalBitcoins site. You have to register, click Buy bitcoins and select the seller by payment method and price https://localbitcoins.com/buy_bitcoins [ATTENTION] Do not rename encrypted files Do not try to decrypt your data using third party software, it may cause permanent data loss If you not write on e-mail in 36 hours - your key has been deleted and you cant decrypt your files Your ID: zxtjW4UJF5TSKRaKWXub+Sk86bIyuYfScGLuzdSpTKGyTQIjXRV7xZ+ICKWMUprVUyptmG7Ve6aq8KP1ESlo7nnuVynLo/4XePhI9B5flZobcTTNd2+GeX6Z8jomPKRuhiyCn891JRi/P9prkkl3jR93lGO2DCjcdwgWzF7asZI=

Emails

[email protected]

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (278) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\DECRYPTINFO = "\"C:\\Users\\Admin\\AppData\\Roaming\\!#_READ_ME_#!.inf\""	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

Drops desktop.ini file(s) 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Cookies\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Roaming\\1.bmp"	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Firebird\!#_READ_ME_#!.inf	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Program Files (x86)\Firebird\lãUwÅ8xè¾	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File created	C:\Program Files (x86)\MSSQL.1\!#_READ_ME_#!.inf	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Program Files (x86)\MSSQL.1\lãUwÅ8xè¾	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File created	C:\Program Files\MySQL\!#_READ_ME_#!.inf	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
File opened for modification	C:\Program Files\MySQL\lãUwÅ8xè¾	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Interacts with shadow copies 3 TTPs 4 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
1368	vssadmin.exe
2684	vssadmin.exe
2904	vssadmin.exe
1856	vssadmin.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	2720	vssvc.exe
Token: SeRestorePrivilege	2720	vssvc.exe
Token: SeAuditPrivilege	2720	vssvc.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 3024	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	30
PID 2676 wrote to memory of 3024	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	30
PID 2676 wrote to memory of 3024	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	30
PID 2676 wrote to memory of 3024	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	30
PID 2676 wrote to memory of 2536	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	31
PID 2676 wrote to memory of 2536	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	31
PID 2676 wrote to memory of 2536	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	31
PID 2676 wrote to memory of 2536	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	31
PID 2676 wrote to memory of 2224	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	32
PID 2676 wrote to memory of 2224	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	32
PID 2676 wrote to memory of 2224	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	32
PID 2676 wrote to memory of 2224	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	32
PID 2676 wrote to memory of 2104	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	35
PID 2676 wrote to memory of 2104	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	35
PID 2676 wrote to memory of 2104	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	35
PID 2676 wrote to memory of 2104	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	35
PID 3024 wrote to memory of 2904	3024	cmd.exe	38
PID 3024 wrote to memory of 2904	3024	cmd.exe	38
PID 3024 wrote to memory of 2904	3024	cmd.exe	38
PID 3024 wrote to memory of 2904	3024	cmd.exe	38
PID 2104 wrote to memory of 2684	2104	cmd.exe	39
PID 2104 wrote to memory of 2684	2104	cmd.exe	39
PID 2104 wrote to memory of 2684	2104	cmd.exe	39
PID 2104 wrote to memory of 2684	2104	cmd.exe	39
PID 2676 wrote to memory of 1192	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	42
PID 2676 wrote to memory of 1192	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	42
PID 2676 wrote to memory of 1192	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	42
PID 2676 wrote to memory of 1192	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	42
PID 2676 wrote to memory of 764	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	44
PID 2676 wrote to memory of 764	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	44
PID 2676 wrote to memory of 764	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	44
PID 2676 wrote to memory of 764	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	44
PID 2676 wrote to memory of 2308	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	45
PID 2676 wrote to memory of 2308	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	45
PID 2676 wrote to memory of 2308	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	45
PID 2676 wrote to memory of 2308	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	45
PID 2676 wrote to memory of 492	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	47
PID 2676 wrote to memory of 492	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	47
PID 2676 wrote to memory of 492	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	47
PID 2676 wrote to memory of 492	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	47
PID 2676 wrote to memory of 888	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	50
PID 2676 wrote to memory of 888	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	50
PID 2676 wrote to memory of 888	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	50
PID 2676 wrote to memory of 888	2676	5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe	50
PID 1192 wrote to memory of 1368	1192	cmd.exe	51
PID 1192 wrote to memory of 1368	1192	cmd.exe	51
PID 1192 wrote to memory of 1368	1192	cmd.exe	51
PID 1192 wrote to memory of 1368	1192	cmd.exe	51
PID 492 wrote to memory of 1856	492	cmd.exe	52
PID 492 wrote to memory of 1856	492	cmd.exe	52
PID 492 wrote to memory of 1856	492	cmd.exe	52
PID 492 wrote to memory of 1856	492	cmd.exe	52

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe
"C:\Users\Admin\AppData\Local\Temp\5b79b6a81407caf12cf1894346a15e40c4dc017a35105119db3b23c7bf91c7b0.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:2536
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2224
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2684
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe Delete Shadows /All /Quiet
    3⤵
    - Interacts with shadow copies
    PID:1368
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} recoveryenabled No
  2⤵
  PID:764
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  PID:2308
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Windows\SysWOW64\vssadmin.exe
    vssadmin.exe delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:1856
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\!#_READ_ME_#!.inf
  2⤵
  PID:888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Assistance\Client\1.0\en-US\Help_MValidator.Lck

Filesize
16B

MD5
c788d4895d5cd0153c0f1b05601a318f

SHA1
ee6a61d785769a502ae37610ffd8bd0261a4fe36

SHA256
72bcb27bb274e4a425a3cf25d5c74464b5f7cbce9baa9b9b9bb8e7223c95cb44

SHA512
254d5a4fe323de6148c40fb9611c273eada0ed4b27e042602bc27f4122abae2de2200f993b07ece7ad6fbe33e5f3e3e7e3f17051f571c445a5c7e0b0aac9070d

Download Submit
C:\ProgramData\Microsoft\MF\Pending.GRL

Filesize
14KB

MD5
096ae6899d6708be770bd3aacff81176

SHA1
824915d9bcd602b1f1f94b08c9bda8d8982e1568

SHA256
a46d73fb099f392beb9f1b64277166b21060a61035b3a474fa1f7427d780186f

SHA512
0de7041015bed7d2048e9c419c46cc27c4b3fd8ded1e4ada0fecdeaa365d005d4b5e836e66e4e512f16a9ac759ead3ef574fc3bf453dff9e11f4adb226b07bf4

Download Submit
C:\ProgramData\Microsoft\User Account Pictures\user.bmp

Filesize
48KB

MD5
61e8e744bf0d30ea10a734a6b4eb8f97

SHA1
63404aa73bac4bd4c850cce13d2e4f17e86d4e5c

SHA256
bc6fa041fede28a3d1c3518d212a2abb8ae397bd0286917e2f9d1019019e0f47

SHA512
cec326dd3d723fbc47cc3d5f90b55783f51a45b4ef2fe62187a0e490c26ed65ee0f756a4f713e199c2bfb4defb89a52dc465dfb2b1ea45b9d0de7c52aa30f9ca

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
7d25d70a046782353428fce7534a7fe8

SHA1
f3944242b4664995da572fa23afd3a9b3a5f22f4

SHA256
4ee587d23f773163cc7add10e4d784f078ba752e541386b682d44ae003a90345

SHA512
67e38c522c5b165c09d741b7c45424ec428ab70887dd08df90bb1462f350eb747a6503e611ed42d62b04102e1e2fcef13be3faf10c7a54d745d71e4ae945fdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\!#_READ_ME_#!.inf

Filesize
1KB

MD5
66734f6dc11963cf91583df1fe7f4a99

SHA1
fda2bd512bf37c1eb395ac158f5b84c10aebe644

SHA256
664db968ce7b1213367497cd2d9647bd909b981ba3bc3c44f8cdf3db66875fc2

SHA512
e1f87f04d2bdbc6758163af5bca31db4f365923b11ab810ea4255113cdbd05df9eb04aabe587d028b35d1a0d99ba958b3a73b783be385277245a9ea3a2b83684

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1952_349438139\349ed2f0-bb5d-4fb5-b0a8-223bee30c029.tmp

Filesize
242KB

MD5
ff7c4dca8c9586a10526e5b14adca92c

SHA1
9ead64b0f3e459db09c6b16f343017d39c7b5ba4

SHA256
8f5cc68db9e2404cfa0b1492029bb962ca360ef40caae4d087b8e0a8a512e186

SHA512
0f2ccadb019eba39a769819ef48a8e673ae7e120eedcb6104e61671b0f1c1302eef7ed46beb6ce13a694c1d94400c8098c5797f88129fca33c3e5b237451ec8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1952_524532188\eab1df67-8f59-4e03-9692-e04763e3f4f8.tmp

Filesize
88KB

MD5
39454936af459c948a371022ebc7f894

SHA1
0833bb8b323885581ebdf807658ced715402fc3f

SHA256
dab9cc77401c2cba84cb81082f097f9dfec6dc030300fa5b8797c8d4a1c6de59

SHA512
d07cda1da7678cfb2d14e53c274f6665dcf19c679a7bc028cf6a5be523df722c7d192baf62f6216d896aff440e5cbf2b5f740722cb46a30515104f03f7f1e452

Download Submit
C:\Users\Admin\Documents\MoveNew.xlsx

Filesize
11KB

MD5
8a5827a88463d5131127791e24525032

SHA1
0e950a0a0e91ef1434c7994e47580a9798373b85

SHA256
99f9c83ae2c6784d781aa2be8019576f5edf2a49b539490e2e98ba28327057d5

SHA512
a2f2d744f25b3e2492f9f463584cc20b5772a5641b1560528fd1177b507c545d99ea2986bcaa6f65a34d9aaedd66290cccc0836735f241588a264cbd0b82a089

Download Submit
C:\vcredist2010_x64.log.html

Filesize
86KB

MD5
4b9573e055799d1281259329865cd1d7

SHA1
cf3c85b899fb5bbfe37ac57d263efe6a6566bd78

SHA256
5419a93b12d8afaaa00695a5b98f9fa393478e87202d63b0a64035061b97b9f6

SHA512
d6789e1f7be0586581526efc424494e3e6372ed0c6e7327a22cdab45005f7546d3be3f7816a5244a27cb61822c3e22254ad980d9ea57911da52b47913f60ba0f

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads