wannacry | da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c

General

Target

da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll
Size

5.0MB
MD5

b7aaeb286309a92f575247014054dc9a
SHA1

5420861f432a03c2371cd2d38dfa7b311dc4b4b8
SHA256

da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c
SHA512

e4cfe25feb734f93b1c861ad8ae384f04d19773e4c7a081b82150b4d532ebc52c68516c6f8d6281ac32ae61b0f1689b204c541db965158fc7c1a0adf27d5cd0c

Score

10^/10

wannacry evasion ransomware worm

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

mssecsvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	mssecsvc.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\mssecsvc.exe = "C:\\WINDOWS\\mssecsvc.exe:*:enabled:@shell32.dll,-1"	mssecsvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	mssecsvc.exe

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 2336 created 3832 2336 WerFault.exe mssecsvc.exe
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Executes dropped EXE 2 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid process

3832 mssecsvc.exe
856 mssecsvc.exe

description	pid	process	target process
PID 2336 created 3832	2336	WerFault.exe	mssecsvc.exe

Drops file in System32 directory 1 IoCs

Processes:

mssecsvc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat	mssecsvc.exe

Drops file in Windows directory 2 IoCs

Processes:

rundll32.exemssecsvc.exe

description ioc process

File created C:\WINDOWS\mssecsvc.exe rundll32.exe
File created C:\WINDOWS\tasksche.exe mssecsvc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2336 3832 WerFault.exe mssecsvc.exe

description	ioc	process
File created	C:\WINDOWS\mssecsvc.exe	rundll32.exe
File created	C:\WINDOWS\tasksche.exe	mssecsvc.exe

pid	pid_target	process	target process
2336	3832	WerFault.exe	mssecsvc.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

mssecsvc.exemssecsvc.exeWerFault.exe

pid	process
3832	mssecsvc.exe
3832	mssecsvc.exe
856	mssecsvc.exe
856	mssecsvc.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe
2336	WerFault.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

mssecsvc.exemssecsvc.exe

pid	process
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
3832	mssecsvc.exe
856	mssecsvc.exe
856	mssecsvc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

mssecsvc.exemssecsvc.exeWerFault.exe

description	pid	process
Token: SeDebugPrivilege	3832	mssecsvc.exe
Token: SeDebugPrivilege	856	mssecsvc.exe
Token: SeRestorePrivilege	2336	WerFault.exe
Token: SeBackupPrivilege	2336	WerFault.exe
Token: SeDebugPrivilege	2336	WerFault.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exemssecsvc.exe

description	pid	process	target process
PID 1000 wrote to memory of 4052	1000	rundll32.exe	rundll32.exe
PID 1000 wrote to memory of 4052	1000	rundll32.exe	rundll32.exe
PID 1000 wrote to memory of 4052	1000	rundll32.exe	rundll32.exe
PID 4052 wrote to memory of 3832	4052	rundll32.exe	mssecsvc.exe
PID 4052 wrote to memory of 3832	4052	rundll32.exe	mssecsvc.exe
PID 4052 wrote to memory of 3832	4052	rundll32.exe	mssecsvc.exe
PID 3832 wrote to memory of 540	3832	mssecsvc.exe	winlogon.exe
PID 3832 wrote to memory of 540	3832	mssecsvc.exe	winlogon.exe
PID 3832 wrote to memory of 540	3832	mssecsvc.exe	winlogon.exe
PID 3832 wrote to memory of 540	3832	mssecsvc.exe	winlogon.exe
PID 3832 wrote to memory of 540	3832	mssecsvc.exe	winlogon.exe
PID 3832 wrote to memory of 540	3832	mssecsvc.exe	winlogon.exe
PID 3832 wrote to memory of 624	3832	mssecsvc.exe	lsass.exe
PID 3832 wrote to memory of 624	3832	mssecsvc.exe	lsass.exe
PID 3832 wrote to memory of 624	3832	mssecsvc.exe	lsass.exe
PID 3832 wrote to memory of 624	3832	mssecsvc.exe	lsass.exe
PID 3832 wrote to memory of 624	3832	mssecsvc.exe	lsass.exe
PID 3832 wrote to memory of 624	3832	mssecsvc.exe	lsass.exe
PID 3832 wrote to memory of 708	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 708	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 708	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 708	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 708	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 708	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 716	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 716	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 716	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 716	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 716	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 716	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 724	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 724	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 724	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 724	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 724	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 724	3832	mssecsvc.exe	fontdrvhost.exe
PID 3832 wrote to memory of 792	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 792	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 792	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 792	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 792	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 792	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 844	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 844	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 844	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 844	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 844	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 844	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 892	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 892	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 892	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 892	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 892	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 892	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 976	3832	mssecsvc.exe	dwm.exe
PID 3832 wrote to memory of 976	3832	mssecsvc.exe	dwm.exe
PID 3832 wrote to memory of 976	3832	mssecsvc.exe	dwm.exe
PID 3832 wrote to memory of 976	3832	mssecsvc.exe	dwm.exe
PID 3832 wrote to memory of 976	3832	mssecsvc.exe	dwm.exe
PID 3832 wrote to memory of 976	3832	mssecsvc.exe	dwm.exe
PID 3832 wrote to memory of 340	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 340	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 340	3832	mssecsvc.exe	svchost.exe
PID 3832 wrote to memory of 340	3832	mssecsvc.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:624

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:540

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:976

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:716

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:708

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
1⤵
PID:792

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
2⤵
PID:3268

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3528

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:2240

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
2⤵
PID:3616

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3816

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
2⤵
PID:3280

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
2⤵
PID:3948

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
2⤵
PID:3864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1408

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3b4
2⤵
PID:2292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1724

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1788

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1996

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2164

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2528

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2668

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:1596

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2180

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll,#1
2⤵
- Suspicious use of WriteProcessMemory
PID:1000

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\da8e52d81e4475ba9da841ae1d0b4cea23cf4c0dfe39bf102187e657f51aa02c.dll,#1
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4052

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe
4⤵
- Modifies firewall policy service
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3832 -s 996
5⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2676

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
2⤵
PID:4024

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2592

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2580

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2496

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2460

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2376

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2364

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1860

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1744

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1736

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1612

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1600

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s FontCache
1⤵
PID:1452

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1424

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1336

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1252

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1244

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1188

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
1⤵
PID:940

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:892

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k rpcss
1⤵
PID:844

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:724

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s BITS
1⤵
PID:1224

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:1628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:1956

C:\WINDOWS\mssecsvc.exe
C:\WINDOWS\mssecsvc.exe -m security
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\mssecsvc.exe
MD5
6081e20a243389a518cb8055bc93a948

SHA1
7695d90ba77b4b7c493093805ecae511da226b07

SHA256
3fe6d0ad1b4253c297f7979e6e72196a8e884f45d2921c7133c8cfe6695ad740

SHA512
a4713c0e608bba5c8cc87c83f8d69282a47c487ab3ec587ee62e375bd6c66e5180e88bd539ff2479197dda21268577d10240c4b4fb30e11936fb4a58ec1ae94f

Download Submit
C:\Windows\mssecsvc.exe
MD5
6081e20a243389a518cb8055bc93a948

SHA1
7695d90ba77b4b7c493093805ecae511da226b07

SHA256
3fe6d0ad1b4253c297f7979e6e72196a8e884f45d2921c7133c8cfe6695ad740

SHA512
a4713c0e608bba5c8cc87c83f8d69282a47c487ab3ec587ee62e375bd6c66e5180e88bd539ff2479197dda21268577d10240c4b4fb30e11936fb4a58ec1ae94f

Download Submit
C:\Windows\mssecsvc.exe
MD5
6081e20a243389a518cb8055bc93a948

SHA1
7695d90ba77b4b7c493093805ecae511da226b07

SHA256
3fe6d0ad1b4253c297f7979e6e72196a8e884f45d2921c7133c8cfe6695ad740

SHA512
a4713c0e608bba5c8cc87c83f8d69282a47c487ab3ec587ee62e375bd6c66e5180e88bd539ff2479197dda21268577d10240c4b4fb30e11936fb4a58ec1ae94f

Download Submit
memory/3832-115-0x0000000000000000-mapping.dmp

Download
memory/3832-119-0x000000007FE90000-0x000000007FE9C000-memory.dmp

Filesize
48KB

Download
memory/4052-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads