njrat | 21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe
Size

93KB
MD5

22862e6f7d03b5c16fefebb80e5070c2
SHA1

1a3d11049829774b165287d715b55063aa0cdc7e
SHA256

21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732
SHA512

02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d
SSDEEP

768:bY3/2/nkpjTMpALPGMtsas88EtNXhU9Y1mxCXxrjEtCdnl2pi1Rz4Rk3JsGdpVgM:S2fkVbPGHz88Eb71pjEwzGi1dD5DVgS

Score

10^/10

njrat hacked evasion trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

Hacked

cWl3YXBpdm8uZGRucy5uZXQStrik:MTE3Nw==

Mutex

dd294006da6e1298c186045132ffa2f6

Attributes

reg_key
dd294006da6e1298c186045132ffa2f6
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Disables Task Manager via registry modification
evasion

Executes dropped EXE 17 IoCs

Processes:

server.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exe

pid	process
1736	server.exe
784	svchost.exe
1636	server.exe
1488	svchost.exe
2016	server.exe
1480	svchost.exe
1912	server.exe
1716	svchost.exe
628	server.exe
1332	svchost.exe
1496	server.exe
892	svchost.exe
1032	server.exe
1480	svchost.exe
1592	server.exe
1632	svchost.exe
2008	server.exe

Modifies Windows Firewall 1 TTPs 25 IoCs

evasion

Modify Existing Service

T1031

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1204	netsh.exe
1284	netsh.exe
1980	netsh.exe
800	netsh.exe
472	netsh.exe
956	netsh.exe
628	netsh.exe
944	netsh.exe
1808	netsh.exe
316	netsh.exe
1944	netsh.exe
1064	netsh.exe
1380	netsh.exe
856	netsh.exe
1224	netsh.exe
1712	netsh.exe
2000	netsh.exe
1916	netsh.exe
1672	netsh.exe
1776	netsh.exe
2012	netsh.exe
1712	netsh.exe
1360	netsh.exe
580	netsh.exe
1640	netsh.exe

Drops startup file 20 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Loads dropped DLL 34 IoCs

Processes:

HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exe

pid	process
1488	HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe
1488	HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe
1736	server.exe
1736	server.exe
784	svchost.exe
784	svchost.exe
1636	server.exe
1636	server.exe
1488	svchost.exe
1488	svchost.exe
2016	server.exe
2016	server.exe
1480	svchost.exe
1480	svchost.exe
1912	server.exe
1912	server.exe
1716	svchost.exe
1716	svchost.exe
628	server.exe
628	server.exe
1332	svchost.exe
1332	svchost.exe
1496	server.exe
1496	server.exe
892	svchost.exe
892	svchost.exe
1032	server.exe
1032	server.exe
1480	svchost.exe
1480	svchost.exe
1592	server.exe
1592	server.exe
1632	svchost.exe
1632	svchost.exe

Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

server.exe

description ioc process

File created C:\autorun.inf server.exe
File opened for modification C:\autorun.inf server.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\autorun.inf	server.exe
File opened for modification	C:\autorun.inf	server.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

server.exeserver.exe

pid	process
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1736	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe
1636	server.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

server.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exeserver.exe

description	pid	process
Token: SeDebugPrivilege	1736	server.exe
Token: SeDebugPrivilege	1636	server.exe
Token: SeDebugPrivilege	2016	server.exe
Token: SeDebugPrivilege	1912	server.exe
Token: SeDebugPrivilege	628	server.exe
Token: SeDebugPrivilege	1496	server.exe
Token: SeDebugPrivilege	1032	server.exe
Token: SeDebugPrivilege	1592	server.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exeserver.exesvchost.exeserver.exesvchost.exeserver.exesvchost.exe

description	pid	process	target process
PID 1488 wrote to memory of 1736	1488	HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe	server.exe
PID 1488 wrote to memory of 1736	1488	HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe	server.exe
PID 1488 wrote to memory of 1736	1488	HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe	server.exe
PID 1488 wrote to memory of 1736	1488	HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe	server.exe
PID 1736 wrote to memory of 944	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 944	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 944	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 944	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 1204	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 1204	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 1204	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 1204	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 1360	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 1360	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 1360	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 1360	1736	server.exe	netsh.exe
PID 1736 wrote to memory of 784	1736	server.exe	svchost.exe
PID 1736 wrote to memory of 784	1736	server.exe	svchost.exe
PID 1736 wrote to memory of 784	1736	server.exe	svchost.exe
PID 1736 wrote to memory of 784	1736	server.exe	svchost.exe
PID 784 wrote to memory of 1636	784	svchost.exe	server.exe
PID 784 wrote to memory of 1636	784	svchost.exe	server.exe
PID 784 wrote to memory of 1636	784	svchost.exe	server.exe
PID 784 wrote to memory of 1636	784	svchost.exe	server.exe
PID 1636 wrote to memory of 1808	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 1808	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 1808	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 1808	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 1712	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 1712	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 1712	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 1712	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 2000	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 2000	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 2000	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 2000	1636	server.exe	netsh.exe
PID 1636 wrote to memory of 1488	1636	server.exe	svchost.exe
PID 1636 wrote to memory of 1488	1636	server.exe	svchost.exe
PID 1636 wrote to memory of 1488	1636	server.exe	svchost.exe
PID 1636 wrote to memory of 1488	1636	server.exe	svchost.exe
PID 1488 wrote to memory of 2016	1488	svchost.exe	server.exe
PID 1488 wrote to memory of 2016	1488	svchost.exe	server.exe
PID 1488 wrote to memory of 2016	1488	svchost.exe	server.exe
PID 1488 wrote to memory of 2016	1488	svchost.exe	server.exe
PID 2016 wrote to memory of 1916	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1916	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1916	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1916	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1284	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1284	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1284	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1284	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1672	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1672	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1672	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1672	2016	server.exe	netsh.exe
PID 2016 wrote to memory of 1480	2016	server.exe	svchost.exe
PID 2016 wrote to memory of 1480	2016	server.exe	svchost.exe
PID 2016 wrote to memory of 1480	2016	server.exe	svchost.exe
PID 2016 wrote to memory of 1480	2016	server.exe	svchost.exe
PID 1480 wrote to memory of 1912	1480	svchost.exe	server.exe
PID 1480 wrote to memory of 1912	1480	svchost.exe	server.exe
PID 1480 wrote to memory of 1912	1480	svchost.exe	server.exe
PID 1480 wrote to memory of 1912	1480	svchost.exe	server.exe

C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR-Trojan.Win32.Generic-21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
2⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Drops autorun.inf file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:944

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
3⤵
- Modifies Windows Firewall
PID:1204

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
3⤵
- Modifies Windows Firewall
PID:1360

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
4⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:1808

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
5⤵
- Modifies Windows Firewall
PID:1712

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
5⤵
- Modifies Windows Firewall
PID:2000

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
6⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
7⤵
- Modifies Windows Firewall
PID:1916

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
7⤵
- Modifies Windows Firewall
PID:1284

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
7⤵
- Modifies Windows Firewall
PID:1672

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
8⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1912

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
9⤵
- Modifies Windows Firewall
PID:1776

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
9⤵
- Modifies Windows Firewall
PID:1380

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
9⤵
- Modifies Windows Firewall
PID:1980

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
9⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
10⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:628

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
11⤵
- Modifies Windows Firewall
PID:316

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
11⤵
- Modifies Windows Firewall
PID:856

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
11⤵
- Modifies Windows Firewall
PID:800

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
11⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
12⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
13⤵
- Modifies Windows Firewall
PID:1224

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
13⤵
- Modifies Windows Firewall
PID:1944

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
13⤵
- Modifies Windows Firewall
PID:1064

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
13⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
14⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1032

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
15⤵
- Modifies Windows Firewall
PID:956

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
15⤵
- Modifies Windows Firewall
PID:628

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
15⤵
- Modifies Windows Firewall
PID:472

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
15⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
16⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1592

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
17⤵
- Modifies Windows Firewall
PID:580

C:\Windows\SysWOW64\netsh.exe
netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
17⤵
- Modifies Windows Firewall
PID:2012

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
17⤵
- Modifies Windows Firewall
PID:1640

C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632

C:\Users\Admin\AppData\Roaming\server.exe
"C:\Users\Admin\AppData\Roaming\server.exe"
18⤵
- Executes dropped EXE
- Drops startup file
PID:2008

C:\Windows\SysWOW64\netsh.exe
netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
19⤵
- Modifies Windows Firewall
PID:1712

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Notepad.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Notepad.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Notepad.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Notepad.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt
Filesize
41B

MD5
964ddaa3491c746b5ef7e7fb6b653384

SHA1
1bb95b5f8f514d2840cf399812631f2838979452

SHA256
157eee8b1b5ad0c0beac03f59dc40c5326eae961d495cde8deb3625537810adb

SHA512
a06d3735cc7e5c707b52082a061eeb0fd2298c7bdc9ff476de1d0062ae716a6ed757d3aba6e7f36d76dbe0e69349c6bef7e3f840c0516500ddd0bf0d90497752

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt
Filesize
41B

MD5
964ddaa3491c746b5ef7e7fb6b653384

SHA1
1bb95b5f8f514d2840cf399812631f2838979452

SHA256
157eee8b1b5ad0c0beac03f59dc40c5326eae961d495cde8deb3625537810adb

SHA512
a06d3735cc7e5c707b52082a061eeb0fd2298c7bdc9ff476de1d0062ae716a6ed757d3aba6e7f36d76dbe0e69349c6bef7e3f840c0516500ddd0bf0d90497752

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt
Filesize
41B

MD5
964ddaa3491c746b5ef7e7fb6b653384

SHA1
1bb95b5f8f514d2840cf399812631f2838979452

SHA256
157eee8b1b5ad0c0beac03f59dc40c5326eae961d495cde8deb3625537810adb

SHA512
a06d3735cc7e5c707b52082a061eeb0fd2298c7bdc9ff476de1d0062ae716a6ed757d3aba6e7f36d76dbe0e69349c6bef7e3f840c0516500ddd0bf0d90497752

Download Submit
C:\Users\Admin\AppData\Local\Temp\melt.txt
Filesize
41B

MD5
964ddaa3491c746b5ef7e7fb6b653384

SHA1
1bb95b5f8f514d2840cf399812631f2838979452

SHA256
157eee8b1b5ad0c0beac03f59dc40c5326eae961d495cde8deb3625537810adb

SHA512
a06d3735cc7e5c707b52082a061eeb0fd2298c7bdc9ff476de1d0062ae716a6ed757d3aba6e7f36d76dbe0e69349c6bef7e3f840c0516500ddd0bf0d90497752

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dd294006da6e1298c186045132ffa2f6Windows Update.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
C:\Users\Admin\AppData\Roaming\app
Filesize
5B

MD5
cac4598fdc0f92181616d12833eb6ca1

SHA1
80a7b7a46a0e8e674b782b9eb569e5430a69c84b

SHA256
275918973c23ad700f278c69cc03c9c82ec9f4d9ed0f53111ad22bec197ff440

SHA512
01a7556bfcce6d9d8251aadc7f6e6169fdd0477d487ce88729c44bfe8b85b2eee500985d553c0479765ef5b5c6dc3517c0305efb9089814c3f8a9ea6fc51c713

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
\Users\Admin\AppData\Roaming\server.exe
Filesize
93KB

MD5
22862e6f7d03b5c16fefebb80e5070c2

SHA1
1a3d11049829774b165287d715b55063aa0cdc7e

SHA256
21f67417336481aa8cf02e4b3d4b4306ed27fd98a41d471bceabf455a6764732

SHA512
02d4b36900fca69c33c74d7669e6df27bedf6ccd716ebfdb8a162f3b0c43bb69e4c3f95bff36cc307446353ad09985192fee7a38537cd819e085e53c2bbaf74d

Download Submit
memory/316-173-0x0000000000000000-mapping.dmp

Download
memory/472-211-0x0000000000000000-mapping.dmp

Download
memory/580-222-0x0000000000000000-mapping.dmp

Download
memory/628-188-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/628-166-0x0000000000000000-mapping.dmp

Download
memory/628-210-0x0000000000000000-mapping.dmp

Download
memory/628-172-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/784-78-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/784-86-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/784-73-0x0000000000000000-mapping.dmp

Download
memory/800-179-0x0000000000000000-mapping.dmp

Download
memory/856-178-0x0000000000000000-mapping.dmp

Download
memory/892-198-0x0000000000000000-mapping.dmp

Download
memory/892-203-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/892-206-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/944-65-0x0000000000000000-mapping.dmp

Download
memory/956-208-0x0000000000000000-mapping.dmp

Download
memory/1032-204-0x0000000000000000-mapping.dmp

Download
memory/1032-207-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1032-216-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1064-196-0x0000000000000000-mapping.dmp

Download
memory/1204-67-0x0000000000000000-mapping.dmp

Download
memory/1224-194-0x0000000000000000-mapping.dmp

Download
memory/1284-122-0x0000000000000000-mapping.dmp

Download
memory/1332-192-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1332-183-0x0000000000000000-mapping.dmp

Download
memory/1332-189-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1360-68-0x0000000000000000-mapping.dmp

Download
memory/1380-150-0x0000000000000000-mapping.dmp

Download
memory/1480-214-0x0000000000000000-mapping.dmp

Download
memory/1480-127-0x0000000000000000-mapping.dmp

Download
memory/1480-142-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-217-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-220-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1480-134-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-62-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-106-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-55-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-114-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1488-54-0x0000000076DC1000-0x0000000076DC3000-memory.dmp

Filesize
8KB

Download
memory/1488-100-0x0000000000000000-mapping.dmp

Download
memory/1496-190-0x0000000000000000-mapping.dmp

Download
memory/1496-193-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1496-201-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-221-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1592-218-0x0000000000000000-mapping.dmp

Download
memory/1592-230-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-231-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-234-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1632-226-0x0000000000000000-mapping.dmp

Download
memory/1636-105-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-88-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1636-82-0x0000000000000000-mapping.dmp

Download
memory/1640-225-0x0000000000000000-mapping.dmp

Download
memory/1672-123-0x0000000000000000-mapping.dmp

Download
memory/1712-94-0x0000000000000000-mapping.dmp

Download
memory/1712-236-0x0000000000000000-mapping.dmp

Download
memory/1716-155-0x0000000000000000-mapping.dmp

Download
memory/1716-170-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1716-163-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-77-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1736-58-0x0000000000000000-mapping.dmp

Download
memory/1736-64-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1776-145-0x0000000000000000-mapping.dmp

Download
memory/1808-89-0x0000000000000000-mapping.dmp

Download
memory/1912-138-0x0000000000000000-mapping.dmp

Download
memory/1912-160-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1912-144-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/1916-117-0x0000000000000000-mapping.dmp

Download
memory/1944-197-0x0000000000000000-mapping.dmp

Download
memory/1980-151-0x0000000000000000-mapping.dmp

Download
memory/2000-95-0x0000000000000000-mapping.dmp

Download
memory/2008-232-0x0000000000000000-mapping.dmp

Download
memory/2008-235-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2012-224-0x0000000000000000-mapping.dmp

Download
memory/2016-133-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-116-0x0000000074E70000-0x000000007541B000-memory.dmp

Filesize
5.7MB

Download
memory/2016-110-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads