hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/PowerPoint[.]exe

Resubmissions

21/02/2024, 18:43

240221-xdcwxadd8v 8

21/02/2024, 18:42

240221-xcrzfadh82 1

Analysis

max time kernel
27s
max time network
33s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 18:43

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/PowerPoint.exe

Score

8^/10

bootkit persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
936	PowerPoint.exe
1964	sys3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
48	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	PowerPoint.exe
File opened for modification	\??\PHYSICALDRIVE0	sys3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "97"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 31712.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\sys3.exe\:SmartScreen:$DATA	PowerPoint.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4680	msedge.exe
4680	msedge.exe
4960	msedge.exe
4960	msedge.exe
4316	identity_helper.exe
4316	identity_helper.exe
2104	msedge.exe
2104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1964	sys3.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4928	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4960 wrote to memory of 2044	4960	msedge.exe	38
PID 4960 wrote to memory of 2044	4960	msedge.exe	38
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 1128	4960	msedge.exe	90
PID 4960 wrote to memory of 4680	4960	msedge.exe	89
PID 4960 wrote to memory of 4680	4960	msedge.exe	89
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91
PID 4960 wrote to memory of 4948	4960	msedge.exe	91

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Ransomware/PowerPoint.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbe91a46f8,0x7ffbe91a4708,0x7ffbe91a4718
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4964 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,14913192552497797629,6572764124610382571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2104
- C:\Users\Admin\Downloads\PowerPoint.exe
  "C:\Users\Admin\Downloads\PowerPoint.exe"
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - NTFS ADS
  PID:936
- - C:\Users\Admin\AppData\Local\Temp\sys3.exe
    C:\Users\Admin\AppData\Local\Temp\\sys3.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
    PID:1964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3676

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3967855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
58670ac03d80eb4bd1cec7ac5672d2e8

SHA1
276295d2f9e58fb0b8ef03bd9567227fb94e03f7

SHA256
76e1645d9c4f363b34e554822cfe0d53ff1fce5e994acdf1edeff13ae8df30f8

SHA512
99fe23263de36ec0c8b6b3b0205df264250392cc9c0dd8fa28cf954ff39f9541f722f96a84fbc0b4e42cfd042f064525a6be4b220c0180109f8b1d51bbdef8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3782686f747f4a85739b170a3898b645

SHA1
81ae1c4fd3d1fddb50b3773e66439367788c219c

SHA256
67ee813be3c6598a8ea02cd5bb5453fc0aa114606e3fc7ad216f205fe46dfc13

SHA512
54eb860107637a611150ff18ac57856257bf650f70dce822de234aee644423080b570632208d38e45e2f0d2bf60ca2684d3c3480f9637ea4ad81f2bcfb9f24d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e2ba73e432cb675d85dc621e987df52

SHA1
f263b64079a88243ff96371b41774ccf7b094bb4

SHA256
92bd3085a786e4539fff0130b9be267ea73eae722e72636233738671f47b6314

SHA512
3b850b184266cc921131b810bc202044b97517a9f512159a49be0103420cbdbc7fcf26f09eef2976124f59d056cc953d0eafb0c1f35c46c7a450bcbe0debe7cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
30587a594ebc30c30b0c2aa821a31ce3

SHA1
e6f49e62e79e0eeb9b4fe7b6f0cd9bc2d58cb133

SHA256
67f59fdaca3ecc3d0e590de25821fb26d5378e3cf48ed9790a1d63f522d5d888

SHA512
2836d0c26047a0a60a93dfcd93ba12f4a5d05a294f8523a0fa212153c7cd5fb7c2e925641c07abd4af22e19714f8c209a66e290fce30246438063ddf6a18a5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
75a21fbe4f64ecc5f4d07ed77c08555f

SHA1
e28e80b254368befc3965d6a5ea057cffdeda055

SHA256
57d034643453b082348bcf5154d74b5f45fff895100807fd3c975c1c0a2d774b

SHA512
e58a8d98c62d9891edae1efe49c41f4225a418024a70e592f496bb8720f17a1008f9d7f06b79805e7e584807d0deea6fa14eeff9bf374736cd396c6f3748ffd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\systm.txt

Filesize
39B

MD5
5bab23550d87f5289492508850e965b8

SHA1
753ba866033acefce32ce0b9221f087310bcc5ad

SHA256
092680746cc546b40d62a2c718599c2031fc590fff2f72e08b8a357970619474

SHA512
2518bce1ed90225be957bb038549e086fb541e32a377d912571da0b29b59effbabd75dba82ce37f74ee237920a6c8614c62865a013004f18477844857db7a399

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 31712.crdownload

Filesize
136KB

MD5
70108103a53123201ceb2e921fcfe83c

SHA1
c71799a6a6d09ee758b04cdf90a4ab76fbd2a7e3

SHA256
9c3f8df80193c085912c9950c58051ae77c321975784cc069ceacd4f57d5861d

SHA512
996701c65eee7f781c2d22dce63f4a95900f36b97a99dcf833045bce239a08b3c2f6326b3a808431cdab92d59161dd80763e44126578e160d79b7095175d276b

Download Submit
memory/936-163-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download
memory/936-171-0x000000002AA00000-0x000000002AA24000-memory.dmp

Filesize
144KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads