Analysis
- max time kernel: 44s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 12-06-2022 00:02
Static task: static1
Behavioral task: behavioral1
- Sample: 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe
- Resource: win7-20220414-en
General
- Target: 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe
- Size: 4.4MB
- MD5: fdb1dfbf7f1aa178161dd3a06839b38e
- SHA1: e5708f772e7573ea49a47edd0c07ca7cffb3664a
- SHA256: 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879
- SHA512: 8c599904363c77988e0452bde3314bd764f3f692d697ae9280251ed4e34df529da2ec42ed150c030fdc1c871ed34d89df0d4dee5f6310fd7b021003f551eb58e
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Detect XtremeRAT Payload 7 IoCs
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\server.exe | family_xtremerat
  C:\Users\Admin\AppData\Local\Temp\server.exe | family_xtremerat
  behavioral2/memory/4016-138-0x0000000000000000-mapping.dmp | family_xtremerat
  C:\Windows\InstallDir\Server.exe | family_xtremerat
  behavioral2/memory/4016-140-0x0000000000C80000-0x0000000000D11000-memory.dmp | family_xtremerat
  behavioral2/memory/4680-141-0x0000000000000000-mapping.dmp | family_xtremerat
  behavioral2/memory/4680-148-0x0000000000C80000-0x0000000000D11000-memory.dmp | family_xtremerat
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 981cashio.exe
-
UAC bypass
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 981cashio.exe
-
Windows security bypass
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 981cashio.exe
-
XtremeRAT
XtremeRAT was developed by xtremecoder, is written in Delphi, and has been available since at least 2010.
-
Disables RegEdit via registry modification 1 IoCs
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 981cashio.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes (pid | process):
  4012 | server.exe
  4040 | 981cashio.exe
-
Modifies Installed Components in the registry 2 TTPs 2 IoCs
Processes (description | ioc | process):
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6} | server.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{401U8C6H-C2PP-64K7-D0JP-W3GRK0OXHHY6}\StubPath = "C:\\Windows\\InstallDir\\Server.exe restart" | server.exe
-
Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\981cashio.exe | upx
  C:\Users\Admin\AppData\Local\Temp\981cashio.exe | upx
  behavioral2/memory/4040-149-0x0000000000400000-0x000000000051A000-memory.dmp | upx
  behavioral2/memory/4040-150-0x0000000002300000-0x000000000338E000-memory.dmp | upx
  behavioral2/memory/4040-153-0x0000000002300000-0x000000000338E000-memory.dmp | upx
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | server.exe
-
Windows security modification
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 981cashio.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 981cashio.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 981cashio.exe
-
Adds Run key to start application 2 TTPs 6 IoCs
Processes (description | ioc | process):
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\InstallDir\\Server.exe" | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run | server.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\InstallDir\\Server.exe" | server.exe
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe = "C:\\Users\\Admin\\AppData\\Roaming/Microsoft/Skype.exe" | 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe
  Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | server.exe
-
Checks whether UAC is enabled
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 981cashio.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
  PID 2812 set thread context of 4184 | 2812 | 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe | 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe
-
Drops file in Windows directory 4 IoCs
Processes (description | ioc | process):
  File opened for modification | C:\Windows\InstallDir\Server.exe | server.exe
  File created | C:\Windows\InstallDir\Server.exe | server.exe
  File opened for modification | C:\Windows\InstallDir\ | server.exe
  File opened for modification | C:\Windows\SYSTEM.INI | 981cashio.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 1 IoCs
Processes (description | ioc | process):
  Key created | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings | 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes (pid | process):
  4040 | 981cashio.exe
  4040 | 981cashio.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 4040 | 981cashio.exe (64 identical entries)
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid | process):
  4680 | explorer.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
Processes (description | pid | process | target process; repeated identical entries are counted once):
  PID 2812 wrote to memory of 4184 | 2812 | 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe | 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe (5 entries)
  PID 4184 wrote to memory of 4012 | 4184 | 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe | server.exe (3 entries)
  PID 4012 wrote to memory of 4016 | 4012 | server.exe | svchost.exe (4 entries)
  PID 4012 wrote to memory of 1956 | 4012 | server.exe | msedge.exe (2 entries)
  PID 4012 wrote to memory of 4680 | 4012 | server.exe | explorer.exe (4 entries)
  PID 4184 wrote to memory of 2124 | 4184 | 23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe | javaw.exe (2 entries)
  PID 4012 wrote to memory of 4040 | 4012 | server.exe | 981cashio.exe (3 entries)
  PID 4040 wrote to memory of 804 | 4040 | 981cashio.exe | fontdrvhost.exe
  PID 4040 wrote to memory of 812 | 4040 | 981cashio.exe | fontdrvhost.exe
  PID 4040 wrote to memory of 1020 | 4040 | 981cashio.exe | dwm.exe
  PID 4040 wrote to memory of 2780 | 4040 | 981cashio.exe | sihost.exe
  PID 4040 wrote to memory of 2832 | 4040 | 981cashio.exe | svchost.exe
  PID 4040 wrote to memory of 2892 | 4040 | 981cashio.exe | taskhostw.exe
  PID 4040 wrote to memory of 892 | 4040 | 981cashio.exe | Explorer.EXE
  PID 4040 wrote to memory of 684 | 4040 | 981cashio.exe | svchost.exe
  PID 4040 wrote to memory of 3264 | 4040 | 981cashio.exe | DllHost.exe
  PID 4040 wrote to memory of 3352 | 4040 | 981cashio.exe | StartMenuExperienceHost.exe
  PID 4040 wrote to memory of 3412 | 4040 | 981cashio.exe | RuntimeBroker.exe
  PID 4040 wrote to memory of 3500 | 4040 | 981cashio.exe | SearchApp.exe
  PID 4040 wrote to memory of 3648 | 4040 | 981cashio.exe | RuntimeBroker.exe
  PID 4040 wrote to memory of 2140 | 4040 | 981cashio.exe | RuntimeBroker.exe
  PID 4040 wrote to memory of 4016 | 4040 | 981cashio.exe | svchost.exe (2 entries)
  PID 4040 wrote to memory of 4680 | 4040 | 981cashio.exe | explorer.exe (2 entries)
  PID 4040 wrote to memory of 2124 | 4040 | 981cashio.exe | javaw.exe
-
System policy modification 1 TTPs 1 IoCs
Processes (description | ioc | process):
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 981cashio.exe
Processes
Process tree; the number in brackets is the nesting depth, and the signatures each process triggered are listed beneath it.
-
[1] C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe" | PID 812
-
[1] C:\Windows\system32\dwm.exe
    cmdline: "dwm.exe" | PID 1020
-
[1] C:\Windows\system32\fontdrvhost.exe
    cmdline: "fontdrvhost.exe" | PID 804
-
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3412
-
[1] C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3352
-
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 2140
-
[1] C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3648
-
[1] C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID 3500
-
[1] C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID 3264
-
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 684
-
[1] C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE | PID 892
-
  [2] C:\Users\Admin\AppData\Local\Temp\23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe" | PID 2812
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
-
    [3] C:\Users\Admin\AppData\Local\Temp\23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe
        cmdline: "C:\Users\Admin\AppData\Local\Temp\23e6c76201fa61634aff840cbfaec84ff808d84a6e69eef096469a2dbe239879.exe" | PID 4184
        - Checks computer location settings
        - Modifies registry class
        - Suspicious use of WriteProcessMemory
-
      [4] C:\Users\Admin\AppData\Local\Temp\server.exe
          cmdline: "C:\Users\Admin\AppData\Local\Temp\server.exe" | PID 4012
          - Executes dropped EXE
          - Modifies Installed Components in the registry
          - Checks computer location settings
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious use of WriteProcessMemory
-
        [5] C:\Windows\SysWOW64\svchost.exe
            cmdline: svchost.exe | PID 4016
-
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" | PID 1956
-
        [5] C:\Windows\SysWOW64\explorer.exe
            cmdline: explorer.exe | PID 4680
            - Suspicious use of SetWindowsHookEx
-
        [5] C:\Users\Admin\AppData\Local\Temp\981cashio.exe
            cmdline: "C:\Users\Admin\AppData\Local\Temp\981cashio.exe" | PID 4040
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
-
      [4] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          cmdline: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\uyauu.jar" | PID 2124
-
        [5] C:\Program Files\Java\jre1.8.0_66\bin\java.exe
            cmdline: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.12707333028387193998548360586709197.class | PID 3736
-
[1] C:\Windows\system32\taskhostw.exe
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID 2892
-
[1] C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2832
-
[1] C:\Windows\system32\sihost.exe
    cmdline: sihost.exe | PID 2780
Network
MITRE ATT&CK Enterprise v6
Downloads
Dropped files (identical repeated entries listed once):
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
  Filesize: 50B
  MD5: 62a94cbcce10dfd54c9cc92b2cd671f3
  SHA1: 8fb8e0a4b285191b14a5779a96b8599f31e03399
  SHA256: 3c1a313a7856ba217687fc6328d35d403c7b97ba32f72e345f15b8875372f176
  SHA512: 92b771edb85a4da0edbe82558bfee205704e1446028cb85555b395f0a5478d2735c3b3b8c91dc8a7ebdd3786a4f4a6292fdd65641975e85889a562889d8145d4
-
C:\Users\Admin\AppData\Local\Temp\981cashio.exe
  Filesize: 481KB
  MD5: 478e7a6eccee4b5b5f00b98bb003d31d
  SHA1: 4cace4e30c896bf4de5a828eae973e4977fa39c7
  SHA256: 7f15b227a8583f418e1017a4746b0a9293bedbbe120112e0ab9e5b8ea0e0d3ce
  SHA512: 9997f5fd05926b079620e8c10542227bb63fc7c1442402a6aaf1e9c49b443d8f90ed79af0346e9f2da1df11d72a2979ad2aae37267fa3ca4f679b86b4e7f2a78
-
C:\Users\Admin\AppData\Local\Temp\981cashio.exe.exe
  Filesize: 4B
  MD5: a2ce4c7b743725199da04033b5b57469
  SHA1: 1ae348eafa097ab898941eafe912d711a407da10
  SHA256: 0fff86057dcfb3975c8bc44459740ba5ffb43551931163538df3f39a6bb991bc
  SHA512: 23bd59f57b16cd496b550c1bba09eb3f9a9dfe764ea03470e3cc43e4d0b4ca415d239772e4a9b930749e88cead9a7ec4b0a77d0dd310e61d8c6521ae6ff278b0
-
C:\Users\Admin\AppData\Local\Temp\_0.12707333028387193998548360586709197.class
  Filesize: 241KB
  MD5: 781fb531354d6f291f1ccab48da6d39f
  SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
  SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
  SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
-
C:\Users\Admin\AppData\Local\Temp\server.exe
  Filesize: 536KB
  MD5: f7adfeb5d58bf7ee95517bdf0d908f28
  SHA1: 8a847cca654b0942260ae0b46e4f7b457116bd55
  SHA256: 3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d
  SHA512: 1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d
-
C:\Users\Admin\AppData\Local\Temp\uyauu.jar
  Filesize: 479KB
  MD5: 943436a89a2537a419e5389ecd388bbb
  SHA1: 66170c36fdc124afe888a873e71d4422e5e5db71
  SHA256: 102bc3e052864283c7e5df6fb3a3d04e33c9346c5c6e36175cd1cd591ebbf65d
  SHA512: 011018e7454400837a4937b23641d020ae05c8b5782a87c07a489317d578fa6fcd1f6dd2f71dceacc5c39c537bed0b98d28924d7f7bed5dfaf08e441e8b7cf7f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2632097139-1792035885-811742494-1000\83aa4cc77f591dfc2374580bbd95f6ba_2c37a701-1043-4f89-b4d1-d05ed25c6971
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
C:\Windows\InstallDir\Server.exe
  Filesize: 536KB
  MD5: f7adfeb5d58bf7ee95517bdf0d908f28
  SHA1: 8a847cca654b0942260ae0b46e4f7b457116bd55
  SHA256: 3b9a8fd4cc4bc8f86bb0183cef90e39775a3d38dc4a91dca8d427cd22cbf865d
  SHA512: 1b29df50682156d9d72f84d474c80d86ff171e4b80d86eff11e347ca69b3180034fb0ad3de7124228165a5c4137228b02c80c2885b202e78f754c15fb65d2e2d
-
Memory dumps (region | Filesize):
  memory/2124-190-0x0000000002460000-0x0000000003460000-memory.dmp | 16.0MB
  memory/2124-189-0x0000000002460000-0x0000000003460000-memory.dmp | 16.0MB
  memory/2124-185-0x0000000002460000-0x0000000003460000-memory.dmp | 16.0MB
  memory/2124-142-0x0000000000000000-mapping.dmp
  memory/2124-154-0x0000000002460000-0x0000000003460000-memory.dmp | 16.0MB
  memory/3736-163-0x0000000000000000-mapping.dmp
  memory/3736-175-0x0000000002AB0000-0x0000000003AB0000-memory.dmp | 16.0MB
  memory/3736-191-0x0000000002AB0000-0x0000000003AB0000-memory.dmp | 16.0MB
  memory/4012-135-0x0000000000000000-mapping.dmp
  memory/4016-138-0x0000000000000000-mapping.dmp
  memory/4016-140-0x0000000000C80000-0x0000000000D11000-memory.dmp | 580KB
  memory/4040-149-0x0000000000400000-0x000000000051A000-memory.dmp | 1.1MB
  memory/4040-150-0x0000000002300000-0x000000000338E000-memory.dmp | 16.6MB
  memory/4040-153-0x0000000002300000-0x000000000338E000-memory.dmp | 16.6MB
  memory/4040-145-0x0000000000000000-mapping.dmp
  memory/4184-130-0x0000000000000000-mapping.dmp
  memory/4184-131-0x0000000000400000-0x0000000000510000-memory.dmp | 1.1MB
  memory/4184-143-0x0000000000400000-0x000000000050F6DF-memory.dmp | 1.1MB
  memory/4184-134-0x0000000000400000-0x000000000050F6DF-memory.dmp | 1.1MB
  memory/4184-133-0x0000000000400000-0x000000000050F6DF-memory.dmp | 1.1MB
  memory/4680-141-0x0000000000000000-mapping.dmp
  memory/4680-148-0x0000000000C80000-0x0000000000D11000-memory.dmp | 580KB