0592ccf2504ece3c2c9245e7fdd4d03f4f0353a4a5e74cfa49952a1f6e329e8f

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
25-08-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
Size

8.2MB
MD5

b09c95da42bef56442b599edb1d97283
SHA1

adfbeca04e7ddbfdfab0b3e43a4ab3fb7226b7f8
SHA256

0592ccf2504ece3c2c9245e7fdd4d03f4f0353a4a5e74cfa49952a1f6e329e8f
SHA512

f3634878d63d09db9c40207b883d1439f45efe3536a6835ca078f7b8ffb85c5420d86771d748fdc0e7788c3fe66077717d9df241c13e6f85464bfd7d18b53da0
SSDEEP

196608:na0vvN3x9OLIiOK8A+zZd3j85rbz0lHU3zOtlZLwWtt3S2:VN3+LY7inz0MzOrZLnHV

Score

9^/10

discovery evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runner.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runner.exe

Executes dropped EXE 1 IoCs

pid	Process
2608	Runner.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine	Runner.exe

Loads dropped DLL 4 IoCs

pid	Process
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad.vrbrothers.com\ = "63"	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com\Total = "63"	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Ver = "dbbcfde6"	Runner.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com\NumberOfSubdomains = "1"	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad.vrbrothers.com	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe
2608	Runner.exe
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
2608	Runner.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2608	2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe	30
PID 2680 wrote to memory of 2608	2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe	30
PID 2680 wrote to memory of 2608	2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe	30
PID 2680 wrote to memory of 2608	2680	2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe
  --host_id 3 --verify_key Oz2ZPfLy0SkA --product "C:\Users\Admin\AppData\Local\Temp\2024-08-25_b09c95da42bef56442b599edb1d97283_mafia.exe" --version 2014.03.16101
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
a87823f842e8238fbf1d358a925dbde1

SHA1
177dbc98c344437e53e4a03012c82eec594542ff

SHA256
2245127673c2109a58e36880407e2e8245429c21cf64d66fdefc468c8cd6706b

SHA512
634ed4020cc77da8b9d4a975bcc372003f6d9a2263670b1b2ff08ed7d095b5fddc722189b6431956c59203b50f21dec816252f454ca57b7a3ac5e0dc3a5f4059

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_320C97D80B18D9AAD99710A56CE7FDB7

Filesize
1KB

MD5
3542d86b628ce4a6316065e02ccbd413

SHA1
095967da3bbf42fe7f52d9b610a8fdd5ded77df2

SHA256
f4ec73a59a8b2edc87e970ef867063ac8836d593e92a47d0eb6f43f38e8829ac

SHA512
ceeb97dcf0a1cde14ea07fe8af27da16dc6ca32c9c9ba37678a899799c87b859db97d39d53439d7be0501b6b1bf76f1ac49a84774cd198954232a9a4e60fbc39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
860cdabfcdb71625d2f6854ffc81a994

SHA1
1a0b2be2da831cdae1c9112d2e7a753b8d33ef00

SHA256
0d393b13857d6fa5f6826eaee7dbdcc6a7cc126b1599313ced4c5eebb1e84799

SHA512
74f2e13803db034fb2b65039a9929fb41105690c0e7560c74241b713408cbbebb07acc5d623df076ec1bd8527a146491392e33033bba77287073bf6e23c3ba17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
bb9272047775e8e7720c5437191368e2

SHA1
8a819a1994d2a7e44e13eadee4e86ffd953dbebd

SHA256
1f06c021eb065e5dd3a439ab374f496b78eea7f1a43e53b3c1e80d5eecd28c26

SHA512
0a17b3af38ad73001cd4ee1fff274b41c8852dd6610f0cf4ae7d49b3536c13de9d5b3a973eb7f555c3999d9e76dba8b200e40c73c984a63ef634b5699e6996e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_320C97D80B18D9AAD99710A56CE7FDB7

Filesize
532B

MD5
5cb4e10f771ede167facf9e3fa524ac7

SHA1
c2e9646b66d0a87c2a96207c598e395721c04f85

SHA256
8f554f918c784fc2993e6bde21b5dc441733ada6947295ead8f88c4aaf615bfb

SHA512
cb7485ac6491e991321d800b8ef2713a7d5b842bde22beaeaaf473dba3f392076f08c1e9a5658f9a351a858f99eb022741e38ce8b2b9264c40f837ffc9526be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
896e59d328c236ab15045d73ff32a79e

SHA1
e1d265da7754f9a69c6875a81b7d04c323716856

SHA256
e9e467fa7fd1a08393733e9b24d3b6b67a3a79d187799e797da1d96004b33255

SHA512
546c656b06e608e4e2dff7b99dda942cc14e97bcd5d8ec44c21e8f185770beddf8c0ada75ee9f4ea380f343de6790a011902b8eb535944aa0c8bbb6f77af0888

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab254C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMLog\20240825.log

Filesize
197B

MD5
6585cbfec92f454e68b52292c22d8160

SHA1
59c12cf08eaac6c10ca95697e72c9591c58965fe

SHA256
1a72885922910849f8afbc59ec35d28405fcb7990f8fa570d91e48d0880c3c55

SHA512
c48a927e6269d7764d1fb66064b098b7c423fee0f6d52105971ee6fccc78ad86659b7d308106e4ee32cf0ccadd812165353335cc12fd036cbcbe72031cfbb2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad-mymacro9.xml.tmp

Filesize
3KB

MD5
6a004b4196400a627b5b6248a2a2dcba

SHA1
fa9a555e83a4c3a73e07a728ec92827f55fbcf02

SHA256
9cd3e3f97866082f8edfed25d56b40786c2809f264c4f8b10c022403e7f0f101

SHA512
1b5cea41dce0742e4ba7a7f3c4bef3eefc92c63d267a306e4098c68b768723abc0f0eace4a486ff3f4b1bb8a74279dd04e9c2a48df9a20125c21209e3d205624

Download Submit
C:\Users\Admin\AppData\Local\Temp\macCB6A.tmp

Filesize
313B

MD5
12b097129ab30166c9422965bb0abdba

SHA1
4278e908cc779d392bbe2b88d151c842f2b4fd30

SHA256
c2d84b3c42dc35fb8b555e292e0123a0be8f1a320dd86fea4cfe82a3b4d765f6

SHA512
71763384db96139e9f5173568687a9b999e272a3598eb13932e4b093ce6c5e42fc7d99be9f104fb722b008dfa281430a11b9abc44aecf3413c68fba58688d3c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\E9SN8HP4.txt

Filesize
94B

MD5
acf10ee5eb034a44ef0474d812008856

SHA1
9379cdfa0e6d6eacba07d6953e6dfcc42707ea8b

SHA256
0a1705a6f32be4c7df0459580932aa2f3e1000a48a131344726f6fa8f6a06d37

SHA512
a08ea13091eb073544a5fdbc967bf9981e63c624ef3020cc9fe9756c62f7158cb10b96f87ec3e523dc6113fbd76c60ec871762c2d5c351f54879853f937047c2

Download Submit
C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe

Filesize
7.0MB

MD5
051a6bfb9bf149b2b270a4cccec51c47

SHA1
3d184dbb55559aa6716f39892ea1751665bb5bc4

SHA256
e11a05fb21364a1445c1bedf308ed151169efc7720ee73838e0058cffeebad8d

SHA512
f6fd160b6a1d825366c59585a30d331046e57ad6829b179372d5841b6744efbf0e66f95d37b720a559fa349a4e00b88b210677435a93137c89dd4ee46de8cd9a

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll

Filesize
59KB

MD5
b35416c2b3e818894df95608b76934f7

SHA1
bbdd1c0f49e9ce54e9312f5edfead76d343c21cf

SHA256
8147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3

SHA512
92382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\qdisp.dll

Filesize
303KB

MD5
d0cc6ec0c440e44c60930774639de12e

SHA1
06f54a14e7c64b8a05a85a1d612fd7eb2beecc10

SHA256
470fc89109e81eada84ad9744425dd3698672e83a1cb8badf67e350f6c2af7be

SHA512
e5cdd8add2d66e27d36d19a724a5e85ac3c9bb53bbf4cd9ba3fb2169c071970d4313a6763545578b4b332b1f4cac487f6a436d084e6847a92a94685ace1cd980

Download Submit
memory/2608-143-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-145-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-50-0x0000000000401000-0x00000000008F4000-memory.dmp

Filesize
4.9MB

Download
memory/2608-47-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-154-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-85-0x0000000000401000-0x00000000008F4000-memory.dmp

Filesize
4.9MB

Download
memory/2608-83-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-153-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-144-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-112-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-146-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-147-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-148-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-149-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-150-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-151-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2608-152-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2680-78-0x0000000005570000-0x0000000005C78000-memory.dmp

Filesize
7.0MB

Download
memory/2680-46-0x0000000005570000-0x0000000005C78000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads