cryptolocker | c738c78fd727e661119899099f61ada68dd59df7c9b66c0810f4549a906a6c8f

Analysis

max time kernel
108s
max time network
112s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
18/01/2025, 15:03

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

The-MALWARE-Repo-master.zip
Size

121.3MB
MD5

be2f06e08241e418152c6ce91176085b
SHA1

145e7527506be10c6f25e7b3c231ccc38f044bee
SHA256

c738c78fd727e661119899099f61ada68dd59df7c9b66c0810f4549a906a6c8f
SHA512

cd86644e1875ee4b48c6c233a45e5a0516e1a8515b6b86973c8dfcc53a0caf74cbfab6ebb819f61c109310153aeed112cb0fa7dee0e04317613dc5f26f5a7a23
SSDEEP

3145728:wNl3aFs1C4SA2hlHf9Rfi5xuT+FAiilgJcPdlwCzCLfH:wNl3aFW2h9/fiqaiiilpwCzCL/

Score

10^/10

cryptolocker bootkit defense_evasion discovery macro macro_on_action persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x00280000000461a1-4.dat	office_macro_on_action

Executes dropped EXE 5 IoCs

pid	Process
2276	CryptoLocker.exe
3216	{34184A33-0407-212E-3320-09040709E2C2}.exe
3872	{34184A33-0407-212E-3320-09040709E2C2}.exe
1712	GoldenEye.exe
4776	RdpSaProxy.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	RdpSaProxy.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{C19A2AEC-A842-4890-9ED2-B27F6CB18537}\8tr.exe:Zone.Identifier	WINWORD.EXE

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GoldenEye.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdpSaProxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3454535599-122122096-1812617400-1000_Classes\Local Settings	7zFM.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{C19A2AEC-A842-4890-9ED2-B27F6CB18537}\8tr.exe:Zone.Identifier	WINWORD.EXE

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1032	WINWORD.EXE
1032	WINWORD.EXE
2332	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2600	7zFM.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	2600	7zFM.exe
Token: 35	2600	7zFM.exe
Token: SeSecurityPrivilege	2600	7zFM.exe
Token: SeSecurityPrivilege	2600	7zFM.exe
Token: SeSecurityPrivilege	2600	7zFM.exe
Token: SeSecurityPrivilege	2600	7zFM.exe
Token: SeSecurityPrivilege	2600	7zFM.exe
Token: SeShutdownPrivilege	4776	RdpSaProxy.exe
Token: SeSecurityPrivilege	2600	7zFM.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe
2600	7zFM.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
1032	WINWORD.EXE
2332	WINWORD.EXE
2332	WINWORD.EXE
2332	WINWORD.EXE
2332	WINWORD.EXE
2332	WINWORD.EXE
2332	WINWORD.EXE
2332	WINWORD.EXE
2332	WINWORD.EXE
2332	WINWORD.EXE
2332	WINWORD.EXE
1032	WINWORD.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2600 wrote to memory of 1032	2600	7zFM.exe	85
PID 2600 wrote to memory of 1032	2600	7zFM.exe	85
PID 1032 wrote to memory of 2800	1032	WINWORD.EXE	90
PID 1032 wrote to memory of 2800	1032	WINWORD.EXE	90
PID 2600 wrote to memory of 2276	2600	7zFM.exe	92
PID 2600 wrote to memory of 2276	2600	7zFM.exe	92
PID 2600 wrote to memory of 2276	2600	7zFM.exe	92
PID 2276 wrote to memory of 3216	2276	CryptoLocker.exe	93
PID 2276 wrote to memory of 3216	2276	CryptoLocker.exe	93
PID 2276 wrote to memory of 3216	2276	CryptoLocker.exe	93
PID 3216 wrote to memory of 3872	3216	{34184A33-0407-212E-3320-09040709E2C2}.exe	94
PID 3216 wrote to memory of 3872	3216	{34184A33-0407-212E-3320-09040709E2C2}.exe	94
PID 3216 wrote to memory of 3872	3216	{34184A33-0407-212E-3320-09040709E2C2}.exe	94
PID 2600 wrote to memory of 1712	2600	7zFM.exe	95
PID 2600 wrote to memory of 1712	2600	7zFM.exe	95
PID 2600 wrote to memory of 1712	2600	7zFM.exe	95
PID 1712 wrote to memory of 4776	1712	GoldenEye.exe	96
PID 1712 wrote to memory of 4776	1712	GoldenEye.exe	96
PID 1712 wrote to memory of 4776	1712	GoldenEye.exe	96

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\The-MALWARE-Repo-master.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\7zO82A06C78\metrofax.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:2800
- C:\Users\Admin\AppData\Local\Temp\7zO82A89429\CryptoLocker.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO82A89429\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\AppData\Local\Temp\7zO82A89429\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3216
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000240
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3872
- C:\Users\Admin\AppData\Local\Temp\7zO82A92519\GoldenEye.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO82A92519\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Roaming\{8a6bc24a-ff60-4aa6-be18-59c20e832d9e}\RdpSaProxy.exe
    "C:\Users\Admin\AppData\Roaming\{8a6bc24a-ff60-4aa6-be18-59c20e832d9e}\RdpSaProxy.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4776

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\B0FC2024-2A26-409A-B65B-FD27EE4FAA75

Filesize
177KB

MD5
96842ef4e9ca408942b0b2c75f416289

SHA1
7de1eadd5629dc80f5a50932f57bc171eb710868

SHA256
dc6bf3cc04ede30edfb5dd84fdc06ba094bbe8c6c7b16a189a52d41d29f41005

SHA512
3c814e0067d6427b81761279677084b4c7733c5fa53e8da68d81abe34268ec71e96fcfa9f06b4739ff768be78eec5e93af82ad0a5d7ea08f0e6a3e8f58980e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
10KB

MD5
3b80622f8e6a2574705a79e90380c1fc

SHA1
b3ad9c1001dbbb2a83612ad68c4502662cdc426b

SHA256
d059dfae48fd8e5071da4a2310de2bcc3071855d176e9e2fd6ce29d8ddb821f9

SHA512
a3b982c092b741c3c79016404a673c45a1b21d859b2f71fe933f25f367bb5850b5d171df1483eba9291db7ed76d019e294a36c8b760e665d310e057cd662a85b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
8KB

MD5
4f1c2ebd6b6fae906cfc8e03b976ffe1

SHA1
2b5372b8710bef405128c9625f3fbf8cb5de1874

SHA256
70b64b1fb379a174e1a211ffa089e2bd9121329dc921a3ef63070664beaaf897

SHA512
7ba931c9d133bdeb8248164b3b9d3b75df6f07f0a52f4e0c8c9de57ee98f9193e77eee4f0e2584af36ae3f9300396ed1fba10f04b97d96f76e734e5455efd313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal

Filesize
329KB

MD5
ad3b075a8ff23ceae1b065c0a1b9adca

SHA1
c3db09c5bcf997d44c671044acbfea2d7d9d6786

SHA256
c48f03e46a3b30fd408b8c74248ed5094fc6a154283860968aecdb15234f07b4

SHA512
d62054e0284062bf563c61effa33672cc56af7c792ce77cb6741a961757ee8600167a4220f663d0e94077609ba5745ddd277d14dadf756e429cbff5303867649

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres

Filesize
2KB

MD5
be9dfb454d0a2bd8ff82c2d3c7c34198

SHA1
8c29f0339f60789a9046462c504c4d078aea80f1

SHA256
0e5e6b00909e51d8ead0b656df00a6b04c9c3a12ba7f842bd5342b09d650e6dd

SHA512
574b6b16c7a43fa3aa2f2433b1b9cfd9b2b1b0267620fa1cca38c5c57acd878841f7d7ff64fbf232e828abf090809b2e90bdd9539d29b1f57814874adaac1b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres

Filesize
2KB

MD5
1da092b5b297071037197abdb29ed368

SHA1
31733aa65abdaf73499d8fa7846889a0e0f1bbbd

SHA256
aa863820b8eb5ec64c6062ed0dc2d0d044d76f40fb4eff6ce4e256b040a815e1

SHA512
fed40dcff419ce4a09de9b6ab4c7d20a139f078e09aef9272ec557611c7b49caa012708fe28e86ffd33d538e8fc25f212d5f82281b710a50b582aaedef75c861

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\2AEBA0A5.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO82A06C78\metrofax.doc

Filesize
221KB

MD5
28e855032f83adbd2d8499af6d2d0e22

SHA1
6b590325e2e465d9762fa5d1877846667268558a

SHA256
b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

SHA512
e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO82A89429\CryptoLocker.exe

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO82A92519\GoldenEye.exe

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9413.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
8bef879ff75cfe0342d8948a521c0d21

SHA1
fa7384de9cb63db8c7f070f26d303197919da0d0

SHA256
11a63e3dd38a9701e63fb0d1dcf50f9dea04eafc704a78290889643c47699c98

SHA512
cf6bfd2ea2384ba59c55d14d639529902fe9c019591c006b60cf2a0de731c38490b0551695958b6cbdfbee3102a2188f28c74207991c558f63ff318f49bb1706

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
1KB

MD5
2b56ec031fcc7e96f56f1ff25e29a725

SHA1
f352229f9edac8e7c3229da6d1e57556dbea39b9

SHA256
87effb17b0a31b50a0ccebdb0ef58c6803b4f05379f734996e7d7c6edd8b5dfb

SHA512
89d4eee793e66097871d113a82fc3fa261975ab8c6a78328598c6cfb29ad4d228e2963cd871a6a651a995e5f920abeb4546483c1ca24069d0356b05177b3ce62

Download Submit
C:\Users\Admin\AppData\Roaming\{8a6bc24a-ff60-4aa6-be18-59c20e832d9e}\RdpSaProxy.exe

Filesize
255KB

MD5
80ae0f1ada85efa9e9da7aad027731a6

SHA1
14a3e3f8144c50b551401b37f6002704d6931ebf

SHA256
fa517e69ede4ca54095509fcfc0218ebfefc9a76e2c61c3f9efac8c848324dc1

SHA512
d1238b72a71a86d6a01d8b9889b339dcf018e075a4c60a32b3a548f8c9c9d0fcc4243000415269626fe9cdb3f50e631abdbb4377418665efb1591b015b6cc27b

Download Submit
memory/1032-31-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-160-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-36-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-37-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-35-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-34-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-32-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-30-0x00007FF85B280000-0x00007FF85B290000-memory.dmp

Filesize
64KB

Download
memory/1032-29-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-27-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-28-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-17-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-26-0x00007FF85B280000-0x00007FF85B290000-memory.dmp

Filesize
64KB

Download
memory/1032-19-0x00007FF85D7F0000-0x00007FF85D800000-memory.dmp

Filesize
64KB

Download
memory/1032-21-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-22-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-159-0x00007FF89D80D000-0x00007FF89D80E000-memory.dmp

Filesize
4KB

Download
memory/1032-33-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-161-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-163-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-23-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-12-0x00007FF89D80D000-0x00007FF89D80E000-memory.dmp

Filesize
4KB

Download
memory/1032-13-0x00007FF85D7F0000-0x00007FF85D800000-memory.dmp

Filesize
64KB

Download
memory/1032-14-0x00007FF85D7F0000-0x00007FF85D800000-memory.dmp

Filesize
64KB

Download
memory/1032-362-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-25-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-24-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-20-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-18-0x00007FF89D770000-0x00007FF89D968000-memory.dmp

Filesize
2.0MB

Download
memory/1032-16-0x00007FF85D7F0000-0x00007FF85D800000-memory.dmp

Filesize
64KB

Download
memory/1032-15-0x00007FF85D7F0000-0x00007FF85D800000-memory.dmp

Filesize
64KB

Download
memory/2332-193-0x00007FF85D7F0000-0x00007FF85D800000-memory.dmp

Filesize
64KB

Download
memory/2332-194-0x00007FF85D7F0000-0x00007FF85D800000-memory.dmp

Filesize
64KB

Download
memory/2332-195-0x00007FF85D7F0000-0x00007FF85D800000-memory.dmp

Filesize
64KB

Download
memory/2332-196-0x00007FF85D7F0000-0x00007FF85D800000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads