netwire | 0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e

General

Target

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Size

2.6MB
MD5

c61b4229f2a9e1d05569736a4faf29d1
SHA1

2e1207d54b55dd7aad206b2722696b1b07953e64
SHA256

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e
SHA512

9bffa6b6afefa1f9c40c19b5e89803ce0be56ea92dd8c6f585f9275a998e6c71a9f08b8604f6885ce02aea2c471dd10ff0c6eb6a8ddb49188aec9e99b99f7a0c

Score

10^/10

netwire botnet evasion persistence rat stealer trojan

Malware Config

Extracted

Family

netwire

C2

haija.mine.nu:1338

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
Data Encoder
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
qays1122
registry_autorun
false
use_mutex
false

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe\""	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

NetWire RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/840-164-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral2/memory/840-166-0x0000000000400000-0x0000000000437000-memory.dmp	netwire
behavioral2/memory/840-171-0x0000000000400000-0x0000000000437000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Drops startup file 2 IoCs

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe"	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of SetThreadContext 1 IoCs

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	pid	process	target process
PID 3804 set thread context of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3124 840 WerFault.exe 0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

pid	pid_target	process	target process
3124	840	WerFault.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2276	powershell.exe
2324	powershell.exe
4508	powershell.exe
3676	powershell.exe
4508	powershell.exe
2276	powershell.exe
2324	powershell.exe
3676	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

description	pid	process	target process
PID 3804 wrote to memory of 2324	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 2324	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 2324	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 2276	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 2276	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 2276	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 3676	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 3676	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 3676	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 4508	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 4508	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 4508	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	powershell.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
PID 3804 wrote to memory of 840	3804	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe	0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe

C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
"C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4508

C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe
"C:\Users\Admin\AppData\Local\Temp\0096d73eafc106724bac02d3fa23458d6f0c5d2f233cef348a73b3f157be8e0e.exe"
2⤵
PID:840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 840 -s 328
3⤵
- Program crash
PID:3124

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 840 -ip 840
1⤵
PID:452

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Defense Evasion

Disabling Security Tools

Modify Registry

Web Service

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
6e56cdd57c026b6be31e96483bc53600

SHA1
1814ad1fd6bc9dee5b042ce2c70e9cdaa5b20207

SHA256
82603a94dc758e60cea4c4fd414d229fb68fac32c8c182034b91deb9d3b80304

SHA512
dd9a0e0ae78f6e2099b61842f5ceb7cb9dc91717f8f5cbe013aed7b2a95ae4bd2c3c82a8e2d4c78c0f480575f8d0ff6d5926989bf9a5f1159508febb15def750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e873d385bd053e43fbe28a78997419cb

SHA1
942c63067ef0e1aea81b65215f0a2e4ed65db63a

SHA256
e99579639a5c28b4bf0e7ddf3767ed87f4121e62d83516dc67150b53a4bbe799

SHA512
af20ec97ef17532ef2f99e86332a4750de8f5b895ee7aded9c5e55c67829dba4e53759eeff62f792b71fbbc343a79611c3245219f341294ef967863a82756c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e152f3b8552e4bce5be50442db9f5ae6

SHA1
695233f311916aa67f12b78fd0537d4ac9423429

SHA256
5703b8a4892ec81a3961ffe7399986418f1b2d2e3f1c93f2dec7f4b11d95e409

SHA512
2ee3750423fff716e71a4fc49ed4dd56bb4bb92cf55372c601dfb8a9cfecf401e11912487fad42eacbe6bbca3930b9852775e5d9e0f5a294fe99d0417817abde

Download Submit
memory/840-171-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/840-167-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/840-166-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/840-164-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/840-163-0x0000000000000000-mapping.dmp

Download
memory/2276-140-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/2276-150-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/2276-134-0x0000000000000000-mapping.dmp

Download
memory/2276-143-0x0000000007540000-0x0000000007572000-memory.dmp

Filesize
200KB

Download
memory/2276-141-0x0000000005940000-0x00000000059A6000-memory.dmp

Filesize
408KB

Download
memory/2276-138-0x00000000059E0000-0x0000000006008000-memory.dmp

Filesize
6.2MB

Download
memory/2276-155-0x0000000007AD0000-0x0000000007AD8000-memory.dmp

Filesize
32KB

Download
memory/2276-145-0x000000006FD50000-0x000000006FD9C000-memory.dmp

Filesize
304KB

Download
memory/2276-154-0x0000000007C10000-0x0000000007C2A000-memory.dmp

Filesize
104KB

Download
memory/2324-137-0x0000000002D70000-0x0000000002DA6000-memory.dmp

Filesize
216KB

Download
memory/2324-133-0x0000000000000000-mapping.dmp

Download
memory/2324-148-0x000000006FD50000-0x000000006FD9C000-memory.dmp

Filesize
304KB

Download
memory/3676-147-0x000000006FD50000-0x000000006FD9C000-memory.dmp

Filesize
304KB

Download
memory/3676-151-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

Filesize
40KB

Download
memory/3676-135-0x0000000000000000-mapping.dmp

Download
memory/3804-162-0x00000000009B0000-0x00000000009BA000-memory.dmp

Filesize
40KB

Download
memory/3804-130-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/3804-161-0x00000000008E0000-0x0000000000972000-memory.dmp

Filesize
584KB

Download
memory/3804-132-0x00000000076D0000-0x0000000007C74000-memory.dmp

Filesize
5.6MB

Download
memory/3804-131-0x0000000004DC0000-0x0000000004E5C000-memory.dmp

Filesize
624KB

Download
memory/4508-139-0x0000000005480000-0x00000000054A2000-memory.dmp

Filesize
136KB

Download
memory/4508-144-0x000000006FD50000-0x000000006FD9C000-memory.dmp

Filesize
304KB

Download
memory/4508-146-0x0000000006840000-0x000000000685E000-memory.dmp

Filesize
120KB

Download
memory/4508-136-0x0000000000000000-mapping.dmp

Download
memory/4508-149-0x0000000007CB0000-0x000000000832A000-memory.dmp

Filesize
6.5MB

Download
memory/4508-153-0x0000000007890000-0x000000000789E000-memory.dmp

Filesize
56KB

Download
memory/4508-142-0x0000000006350000-0x000000000636E000-memory.dmp

Filesize
120KB

Download
memory/4508-152-0x00000000078E0000-0x0000000007976000-memory.dmp

Filesize
600KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads