e88822a680d16042ddf11c0eba10a07038a05ee0735fe4e9a3b0f22694e46b96

Analysis

max time kernel
141s
max time network
141s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/08/2024, 08:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Size

6.6MB
MD5

dcc68b6c2cec13406c1cdd0e5f8cd9e3
SHA1

d41072cbfd3cb1ba48d67ff238368729d5ba6ca1
SHA256

e88822a680d16042ddf11c0eba10a07038a05ee0735fe4e9a3b0f22694e46b96
SHA512

b41d1cbae5cab11c6557efd88d4e83848f5b2d0c862480b21740594d8124014c571a624fa3b4ce172fe5973270cee1b89f04a71df091549c1fb65587ef18af20
SSDEEP

196608:na0vvN3x9OLIiOK8A+zZdCj85rbz0lHU3zOtlo:VN3+LY2inz0MzOro

Score

9^/10

discovery evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Runner.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Runner.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Runner.exe

Executes dropped EXE 1 IoCs

pid	Process
2692	Runner.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Wine	Runner.exe

Loads dropped DLL 4 IoCs

pid	Process
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Runner.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad.vrbrothers.com	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad.vrbrothers.com\ = "63"	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com\Total = "63"	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\Main	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Key created	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Ver = "e67b87e2"	Runner.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\vrbrothers.com\NumberOfSubdomains = "1"	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe

Modifies registry class 36 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\CLSID\ = "{241D7F03-9232-4024-8373-149860BE27C0}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\ProgID\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\mymacro\\qdisp.dll"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	Runner.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMDispatch.QMLibrary"	Runner.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InProcServer32\ThreadingModel = "Apartment"	Runner.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe
2692	Runner.exe
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
2692	Runner.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 2692	1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe	30
PID 1644 wrote to memory of 2692	1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe	30
PID 1644 wrote to memory of 2692	1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe	30
PID 1644 wrote to memory of 2692	1644	2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe	30

C:\Users\Admin\AppData\Local\Temp\2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Roaming\MyMacro\Runner.exe
  --host_id 3 --verify_key FPq2s94_ZJ6M --product "C:\Users\Admin\AppData\Local\Temp\2024-08-26_dcc68b6c2cec13406c1cdd0e5f8cd9e3_mafia.exe" --version 2014.03.16101
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
a8ec72f19af8fe0d62379577a9278cb9

SHA1
964fc0402921c5470c9b7d4645e0b2d9cb61bd3a

SHA256
22430d0b65c6b03ada764a320c4d750d48a2127fa79364c107d8f60c9140e738

SHA512
2e08c3e3deef76ae660f3ad881e3bf4add1b1add30d3d66a21e76dabea6fa2774c39f674c85733f0518aba364d161b558a1bc676f6f93f3bc3ed6d2a2f157ad9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_320C97D80B18D9AAD99710A56CE7FDB7

Filesize
1KB

MD5
7eb83e3c9e2f0a6e6ee7355162b8cf19

SHA1
b846edfce082ce690a379ccab99e05eb3f337527

SHA256
979c8914d490992097cc7592d77d91e7d7636aef0ae5dec2cb89a13498fe0837

SHA512
0b45e4b2a4e2ba44796b82a3fd75f32716a0f00d7a3fa6282c9b597afd72b72d3c27403028a19b9b0cdb229fadbc189e2c21739e88bf2fe654ddea009434faa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
e84b5447ce69ad9071842d1e67da53a0

SHA1
7632747f16aa20e7c358a7310c9af330b680d517

SHA256
56075875d51e07112a9731e27e65072cdb5f670db98ae1fa8480b53795c8209f

SHA512
f13f4aa8320e46db07b566041c218c5606ab6d851de5e35b5ab55bb2cbbc2ea91f39863359d9dd8fae24a72891469e084b1e5fa4e45420246646bbe21d3fc59f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
af57b5b1af89d6aa33c61756336ff2ce

SHA1
6e4f5d14ee53bbef4ffaed0abf8c7702349ce309

SHA256
cd7fc026982c0b6e6910f45bb50f05f00c31a850128d3930c555120b25ff08f8

SHA512
18e3d5865bd1bfedcba6da460fa0686be9e3a08caf7f362c49da2b4a616efd0bd3725ff5b1907667e9111a2cd05bd552872fa23876fbb428df09bb2d31e32f3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_320C97D80B18D9AAD99710A56CE7FDB7

Filesize
532B

MD5
96965c707117b5f52725cb455381d7d8

SHA1
57718937499663066f539444c4f2f1b90c362d2a

SHA256
53ba75a2efce5eafc134ca0b8c44370215fc7a700d92c8521e2f9387e229da02

SHA512
f396b92fea57f602a538b1dde4e0f7c2753191104ccd685e4c96131bf754b7d504e3cc877fe96c234d56977605fe9fda6942e83d434836182dce6ada1d0b3cb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
9cfbef36a675681c2b987445a55aa889

SHA1
807a0703ab8d4d5a8c5fe87d3458a82ae6380e30

SHA256
c90f25676a13092fd3876eded4746bdba429956325e5aa7d2ed14d00b786b76b

SHA512
79ff7041191338c520c1536ef53d0aaeed0f3f133cc31351628433b3fbc799eb7e53ffc29efbc5e2a8929476910d7cb455956cbc4c23f43bd68d3b50f41dd8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab11AD.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QMLog\20240826.log

Filesize
197B

MD5
0ca216b14491c895aa88d34d5215563b

SHA1
5faee8c955f62c120bf60d2b9301cf3a49671435

SHA256
97bc7b074f0db412ec7c577dd9817c9c339e4d17d2288f21cff28ee377bdae47

SHA512
ea226163f98fdfd10524d128e5027d68b6da801c5f4ea66c75c359c5b2000fc642fa8b12779c1b153fe32b1598d9a504dbd407b2fccb5207774edaeb15235847

Download Submit
C:\Users\Admin\AppData\Local\Temp\ad-mymacro9.xml

Filesize
3KB

MD5
6a004b4196400a627b5b6248a2a2dcba

SHA1
fa9a555e83a4c3a73e07a728ec92827f55fbcf02

SHA256
9cd3e3f97866082f8edfed25d56b40786c2809f264c4f8b10c022403e7f0f101

SHA512
1b5cea41dce0742e4ba7a7f3c4bef3eefc92c63d267a306e4098c68b768723abc0f0eace4a486ff3f4b1bb8a74279dd04e9c2a48df9a20125c21209e3d205624

Download Submit
C:\Users\Admin\AppData\Local\Temp\macA4D7.tmp

Filesize
311B

MD5
0de3224600fa47596b75fd24e035958a

SHA1
a36267c9ba27dbd2110e8c12e8ec2b8fd144f897

SHA256
dca2989cb0580eec83f0951b5136152734585c6a9a1542faa113d72866ca110e

SHA512
6884b5407479956e3dda0d52c37a5ffa4c2ce9c6289939c73d788fb67f235f2790bf67fb438fccf2aebf948b1af8b3b1c492f7bd426f232da147f3fd1ab53c7e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WTK7BVGE.txt

Filesize
94B

MD5
d54cd6ddd856e13cce2331efa4295f86

SHA1
97f8b8e90c16c43a2f89d33fb45136e661779d36

SHA256
1730529f1ed804218127b055c9e310e3400e9686f9921e25caf92a6e7da66f62

SHA512
9c149a66d9c292c75e916b31e6844807a84746958459fb1e1b574c8d2268e0d06c43b802f8d2f4db1bfa6c2ffa66259a76db223c14dcd85ec90b3b2354644f46

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\Runner.exe

Filesize
7.0MB

MD5
051a6bfb9bf149b2b270a4cccec51c47

SHA1
3d184dbb55559aa6716f39892ea1751665bb5bc4

SHA256
e11a05fb21364a1445c1bedf308ed151169efc7720ee73838e0058cffeebad8d

SHA512
f6fd160b6a1d825366c59585a30d331046e57ad6829b179372d5841b6744efbf0e66f95d37b720a559fa349a4e00b88b210677435a93137c89dd4ee46de8cd9a

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\cfgdll.dll

Filesize
59KB

MD5
b35416c2b3e818894df95608b76934f7

SHA1
bbdd1c0f49e9ce54e9312f5edfead76d343c21cf

SHA256
8147481d1c93da5ce5de7ff7a72a45756d45ea1f27d27bb8c9944642f42549a3

SHA512
92382562761b36b4ed2ec0bba832c66c8f720e190630596ff830a047a498889e7a0f3628d1a3ffac066b06ccd8c2d3840e82b4304b636e1b1ee434910c6f0bdf

Download Submit
\Users\Admin\AppData\Roaming\MyMacro\qdisp.dll

Filesize
303KB

MD5
d0cc6ec0c440e44c60930774639de12e

SHA1
06f54a14e7c64b8a05a85a1d612fd7eb2beecc10

SHA256
470fc89109e81eada84ad9744425dd3698672e83a1cb8badf67e350f6c2af7be

SHA512
e5cdd8add2d66e27d36d19a724a5e85ac3c9bb53bbf4cd9ba3fb2169c071970d4313a6763545578b4b332b1f4cac487f6a436d084e6847a92a94685ace1cd980

Download Submit
memory/1644-43-0x00000000052B0000-0x00000000059B8000-memory.dmp

Filesize
7.0MB

Download
memory/1644-75-0x00000000052B0000-0x00000000059B8000-memory.dmp

Filesize
7.0MB

Download
memory/2692-47-0x0000000000401000-0x00000000008F4000-memory.dmp

Filesize
4.9MB

Download
memory/2692-136-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-133-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-129-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-44-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-80-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-81-0x0000000000401000-0x00000000008F4000-memory.dmp

Filesize
4.9MB

Download
memory/2692-79-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-83-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-134-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-135-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-137-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-138-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-139-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-140-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-141-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-142-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download
memory/2692-143-0x0000000000400000-0x0000000000B08000-memory.dmp

Filesize
7.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads