hxxps://google[.]com

Reason

Machine shutdown

General

Target

https://google.com

Score

7^/10

bootkit defense_evasion discovery persistence trojan upx

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 1 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	DB.EXE

Executes dropped EXE 6 IoCs

pid	Process
5016	Ana.exe
4636	AV.EXE
1832	AV2.EXE
3764	DB.EXE
3720	EN.EXE
128	SB.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	DB.EXE

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
140	raw.githubusercontent.com
141	raw.githubusercontent.com
142	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\physicaldrive0	SB.EXE

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSVPXENC4.exe	DB.EXE

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002b2b3-26.dat	upx
behavioral1/memory/3764-45-0x0000000000760000-0x00000000007F3000-memory.dmp	upx
behavioral1/memory/3764-46-0x0000000000760000-0x00000000007F3000-memory.dmp	upx
behavioral1/memory/3764-41-0x0000000000760000-0x00000000007F3000-memory.dmp	upx
behavioral1/memory/3764-39-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/files/0x001900000002b2b4-56.dat	upx
behavioral1/memory/3720-65-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/3764-64-0x0000000000760000-0x00000000007F3000-memory.dmp	upx
behavioral1/memory/3764-84-0x0000000000760000-0x00000000007F3000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ana.exe:Zone.Identifier	msedge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EN.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SB.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DB.EXE

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D	AV.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30530A0C86EDB1CD5A2A5FE37EF3BF28E69BE16D\Blob = 03000000010000001400000030530a0c86edb1cd5a2a5fe37ef3bf28e69be16d2000000001000000b3020000308202af308202180209009168978ee53f5964300d06092a864886f70d010105050030819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d301e170d3131303931383131313834395a170d3132303931373131313834395a30819b310b30090603550406130255533110300e06035504081307566972676e69613110300e060355040713074e65776275727931123010060355040a13094261636f72204c4c43312330210603550403131a746f74616c736f6c7574696f6e616e746976697275732e636f6d312f302d06092a864886f70d010901162061646d696e40746f74616c736f6c7574696f6e616e746976697275732e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100cac8419346518527133fdefd7982ac3919f1d6e2f815ecab0b5d219ccf843885645cfd9c35cae2eff8e7506e690b52c587a59c8d667cb671454030bd370fa334b18afb5ea4f4f819a36685a705a8543f320af913ca680a1d32a402db6d3e42d93228e44ba230fda524d490ddc35b922f23d36d95417136ac50afa567e21359350203010001300d06092a864886f70d0101050500038181003c6a7f43ca2cee1caafee88b04777032a4c9d7794222537e3ebe57953198281bdbe0d3a58f7d3eb358f361848f30ad88a364cd0ae3376e6239dedb01497d52d3dd55e78e49375373419ad7e5e2e036f713bf4d96a552f2aa26b35b66d7a83fb2a9b6e317d162d8342f09ccc71b2a1c7d9474ca7872bfa4acd623d61c4491d740	AV.EXE

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Ana.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3764	DB.EXE
3764	DB.EXE
3764	DB.EXE
3764	DB.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3764	DB.EXE
Token: SeShutdownPrivilege	128	SB.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4636	5016	Ana.exe	108
PID 5016 wrote to memory of 4636	5016	Ana.exe	108
PID 5016 wrote to memory of 4636	5016	Ana.exe	108
PID 5016 wrote to memory of 1832	5016	Ana.exe	109
PID 5016 wrote to memory of 1832	5016	Ana.exe	109
PID 5016 wrote to memory of 1832	5016	Ana.exe	109
PID 5016 wrote to memory of 3764	5016	Ana.exe	110
PID 5016 wrote to memory of 3764	5016	Ana.exe	110
PID 5016 wrote to memory of 3764	5016	Ana.exe	110
PID 5016 wrote to memory of 3720	5016	Ana.exe	111
PID 5016 wrote to memory of 3720	5016	Ana.exe	111
PID 5016 wrote to memory of 3720	5016	Ana.exe	111
PID 5016 wrote to memory of 128	5016	Ana.exe	112
PID 5016 wrote to memory of 128	5016	Ana.exe	112
PID 5016 wrote to memory of 128	5016	Ana.exe	112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://google.com
1⤵
PID:3424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --always-read-main-dll --field-trial-handle=3268,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:1
1⤵
PID:2616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --always-read-main-dll --field-trial-handle=5284,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=4852 /prefetch:1
1⤵
PID:796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --always-read-main-dll --field-trial-handle=5596,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=5616 /prefetch:1
1⤵
PID:3160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations --always-read-main-dll --field-trial-handle=5760,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:14
1⤵
PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=5772,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:14
1⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --always-read-main-dll --field-trial-handle=6272,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=5816 /prefetch:1
1⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --always-read-main-dll --field-trial-handle=6464,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=6100 /prefetch:1
1⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --string-annotations --always-read-main-dll --field-trial-handle=6520,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=6436 /prefetch:14
1⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --always-read-main-dll --field-trial-handle=5648,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=6752 /prefetch:1
1⤵
PID:3152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --always-read-main-dll --field-trial-handle=6872,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=6768 /prefetch:1
1⤵
PID:3640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --always-read-main-dll --field-trial-handle=7012,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=7040 /prefetch:1
1⤵
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --always-read-main-dll --field-trial-handle=6728,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=6908 /prefetch:1
1⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --always-read-main-dll --field-trial-handle=7248,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=7240 /prefetch:1
1⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=5116,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:14
1⤵
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --always-read-main-dll --field-trial-handle=6172,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=7024 /prefetch:1
1⤵
PID:424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --string-annotations --always-read-main-dll --field-trial-handle=5788,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=7004 /prefetch:14
1⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=7696,i,14789280491621588039,7318997745351127167,262144 --variations-seed-version --mojo-platform-channel-handle=7732 /prefetch:14
1⤵
- Subvert Trust Controls: Mark-of-the-Web Bypass
- NTFS ADS
PID:796

C:\Users\Admin\Downloads\Ana.exe
"C:\Users\Admin\Downloads\Ana.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Users\Admin\AppData\Local\Temp\AV.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:4636
- C:\Users\Admin\AppData\Local\Temp\AV2.EXE
  "C:\Users\Admin\AppData\Local\Temp\AV2.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1832
- C:\Users\Admin\AppData\Local\Temp\DB.EXE
  "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    /c C:\Users\Admin\AppData\Local\Temp\~unins7125.bat "C:\Users\Admin\AppData\Local\Temp\DB.EXE"
    3⤵
    PID:1940
- C:\Users\Admin\AppData\Local\Temp\EN.EXE
  "C:\Users\Admin\AppData\Local\Temp\EN.EXE"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3720
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\EN.EXE > nul
    3⤵
    PID:684
- C:\Users\Admin\AppData\Local\Temp\SB.EXE
  "C:\Users\Admin\AppData\Local\Temp\SB.EXE"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

Modify Registry

Pre-OS Boot

T1542

Bootkit

1

T1542.003

Subvert Trust Controls

2

T1553

Install Root Certificate

1

T1553.004

SIP and Trust Provider Hijacking

1

T1553.003

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AV.EXE

Filesize
1.1MB

MD5
f284568010505119f479617a2e7dc189

SHA1
e23707625cce0035e3c1d2255af1ed326583a1ea

SHA256
26c8f13ea8dc17443a9fa005610537cb6700aebaf748e747e9278d504e416eb1

SHA512
ebe96e667dfde547c5a450b97cd7534b977f4073c7f4cbc123a0e00baaefeb3be725c1cafbfb5bb040b3359267954cd1b4e2094ef71fc273732016ee822064bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\AV2.EXE

Filesize
368KB

MD5
014578edb7da99e5ba8dd84f5d26dfd5

SHA1
df56d701165a480e925a153856cbc3ab799c5a04

SHA256
4ce5e8b510895abb204f97e883d8cbaacc29ccef0844d9ae81f8666f234b0529

SHA512
bd5159af96d83fc7528956c5b1bd6f93847db18faa0680c6041f87bbebef5e3ba2de1f185d77ff28b8d7d78ec4f7bd54f48b37a16da39f43314ef022b4a36068

Download Submit
C:\Users\Admin\AppData\Local\Temp\DB.EXE

Filesize
243KB

MD5
c6746a62feafcb4fca301f606f7101fa

SHA1
e09cd1382f9ceec027083b40e35f5f3d184e485f

SHA256
b5a255d0454853c8afc0b321e1d86dca22c3dbefb88e5d385d2d72f9bc0109e6

SHA512
ee5dfa08c86bf1524666f0851c729970dbf0b397db9595a2bae01516299344edb68123e976592a83e492f2982fafe8d350ba2d41368eb4ecf4e6fe12af8f5642

Download Submit
C:\Users\Admin\AppData\Local\Temp\EN.EXE

Filesize
6KB

MD5
621f2279f69686e8547e476b642b6c46

SHA1
66f486cd566f86ab16015fe74f50d4515decce88

SHA256
c17a18cf2c243303b8a6688aad83b3e6e9b727fcd89f69065785ef7f1a2a3e38

SHA512
068402b02f1056b722f21b0a354b038f094d02e4a066b332553cd6b36e3640e8f35aa0499a2b057c566718c3593d3cea6bbabd961e04f0a001fd45d8be8e1c4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GB.EXE

Filesize
149KB

MD5
fe731b4c6684d643eb5b55613ef9ed31

SHA1
cfafe2a14f5413278304920154eb467f7c103c80

SHA256
e7953daad7a68f8634ded31a21a31f0c2aa394ca9232e2f980321f7b69176496

SHA512
f7756d69138df6d3b0ffa47bdf274e5fd8aab4fff9d68abe403728c8497ac58e0f3d28d41710de715f57b7a2b5daa2dd7e04450f19c6d013a08f543bd6fc9c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SB.EXE

Filesize
224KB

MD5
9252e1be9776af202d6ad5c093637022

SHA1
6cc686d837cd633d9c2e8bc1eaba5fc364bf71d8

SHA256
ce822ff86e584f15b6abd14c61453bd3b481d4ec3fdeb961787fceb52acd8bd6

SHA512
98b1b3ce4d16d36f738478c6cf41e8f4a57d3a5ecfa8999d45592f79a469d8af8554bf4d5db34cb79cec71ce103f4fde1b41bd3cce30714f803e432e53da71ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\~unins7125.bat

Filesize
49B

MD5
9e0a2f5ab30517809b95a1ff1dd98c53

SHA1
5c1eefdf10e67d1e9216e2e3f5e92352d583c9ce

SHA256
97ac9fee75a1f7b63b3115e9c4fb9dda80b1caba26d2fb51325670dee261fe32

SHA512
e959cc1fd48fb1cccf135a697924c775a3812bab211fc7f9b00c5a9d617261d84c5d6f7cb548774c1e8f46811b06ca39c5603d0e10cbcb7b805f9abbe49b9b42

Download Submit
C:\Users\Admin\Downloads\Ana.exe

Filesize
2.1MB

MD5
f571faca510bffe809c76c1828d44523

SHA1
7a3ca1660f0a513316b8cd5496ac7dbe82f0e0c2

SHA256
117d7af0deb40b3fe532bb6cbe374884fa55ed7cfe053fe698720cdccb5a59cb

SHA512
a08bca2fb1387cc70b737520d566c7117aa3fdb9a52f5dbb0bb7be44630da7977882d8c808cbee843c8a180777b4ac5819e8bafda6b2c883e380dc7fb5358a51

Download Submit
C:\Users\Admin\Downloads\tsa.crt

Filesize
1010B

MD5
6e630504be525e953debd0ce831b9aa0

SHA1
edfa47b3edf98af94954b5b0850286a324608503

SHA256
2563fe2f793f119a1bae5cca6eab9d8c20409aa1f1e0db341c623e1251244ef5

SHA512
bbcf285309a4d5605e19513c77ef077a4c451cbef04e3cbdfec6d15cc157a9800a7ff6f70964b0452ddb939ff50766e887904eda06a9999fdedf5b2e8776ebd2

Download Submit
memory/3720-65-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/3764-46-0x0000000000760000-0x00000000007F3000-memory.dmp

Filesize
588KB

Download
memory/3764-39-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/3764-40-0x0000000000620000-0x0000000000651000-memory.dmp

Filesize
196KB

Download
memory/3764-41-0x0000000000760000-0x00000000007F3000-memory.dmp

Filesize
588KB

Download
memory/3764-64-0x0000000000760000-0x00000000007F3000-memory.dmp

Filesize
588KB

Download
memory/3764-70-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/3764-45-0x0000000000760000-0x00000000007F3000-memory.dmp

Filesize
588KB

Download
memory/3764-84-0x0000000000760000-0x00000000007F3000-memory.dmp

Filesize
588KB

Download
memory/4636-47-0x0000000073590000-0x0000000073B41000-memory.dmp

Filesize
5.7MB

Download
memory/4636-43-0x0000000073592000-0x0000000073594000-memory.dmp

Filesize
8KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads