b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

Analysis

max time kernel
159s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
Size

68KB
MD5

ee5efe8092f313535790ce2105e7188a
SHA1

8a3f3d18d247b87034b562e5554e030867e6afc5
SHA256

b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71
SHA512

5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d
SSDEEP

768:+RImfYdewbz6GUHNdCdbUC0i0VPfDm0T71nDLZElEF3i9ASULR41OtLeFF16jNQH:+RImfYdeRQon2QwmphdJ+HJuM

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 20 IoCs

pid	Process
3284	svchost.exe
1536	svchost.exe
3772	lsass.exe
2952	svchost.exe
1092	lsass.exe
4380	csrss.exe
5040	svchost.exe
176	lsass.exe
2716	csrss.exe
3512	service.exe
3496	svchost.exe
4692	lsass.exe
1916	csrss.exe
2692	service.exe
2152	service.exe
3232	csrss.exe
4576	service.exe
4464	lsass.exe
3336	csrss.exe
3504	service.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Security Center = "C:\\WINDOWS\\lsass.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Security Center = "C:\\WINDOWS\\lsass.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Host = "C:\\WINDOWS\\svchost.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Security Center = "C:\\WINDOWS\\lsass.exe"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	service.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Host = "C:\\WINDOWS\\svchost.exe"	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Host = "C:\\WINDOWS\\svchost.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Security Center = "C:\\WINDOWS\\lsass.exe"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Host = "C:\\WINDOWS\\svchost.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Security Center = "C:\\WINDOWS\\lsass.exe"	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Service Host = "C:\\WINDOWS\\svchost.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	service.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\service.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	service.exe
File created	C:\Windows\SysWOW64\service.exe	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	svchost.exe
File created	C:\Windows\SysWOW64\service.exe	lsass.exe
File created	C:\Windows\SysWOW64\service.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\dslist.inf	service.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
File created	C:\Windows\SysWOW64\service.exe	svchost.exe
File opened for modification	C:\Windows\SysWOW64\service.exe	lsass.exe
File created	C:\Windows\SysWOW64\service.exe	service.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File created	C:\WINDOWS\svchost.exe	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
File created	C:\WINDOWS\svchost.exe	lsass.exe
File created	C:\WINDOWS\csrss.exe	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
File created	C:\WINDOWS\lsass.exe	lsass.exe
File opened for modification	C:\WINDOWS\svchost.exe	service.exe
File created	C:\WINDOWS\lsass.exe	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
File opened for modification	C:\WINDOWS\lsass.exe	lsass.exe
File opened for modification	C:\WINDOWS\csrss.exe	svchost.exe
File opened for modification	C:\WINDOWS\svchost.exe	csrss.exe
File created	C:\WINDOWS\svchost.exe	svchost.exe
File created	C:\WINDOWS\lsass.exe	svchost.exe
File opened for modification	C:\WINDOWS\lsass.exe	svchost.exe
File created	C:\WINDOWS\svchost.exe	csrss.exe
File created	C:\WINDOWS\lsass.exe	service.exe
File created	C:\WINDOWS\csrss.exe	service.exe
File opened for modification	C:\WINDOWS\csrss.exe	service.exe
File opened for modification	C:\WINDOWS\svchost.exe	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
File opened for modification	C:\WINDOWS\lsass.exe	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
File created	C:\WINDOWS\lsass.exe	csrss.exe
File opened for modification	C:\WINDOWS\lsass.exe	csrss.exe
File created	C:\WINDOWS\svchost.exe	service.exe
File created	C:\WINDOWS\csrss.exe	svchost.exe
File opened for modification	C:\WINDOWS\svchost.exe	lsass.exe
File opened for modification	C:\WINDOWS\csrss.exe	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
File opened for modification	C:\WINDOWS\csrss.exe	lsass.exe
File created	C:\WINDOWS\csrss.exe	csrss.exe
File opened for modification	C:\WINDOWS\csrss.exe	csrss.exe
File opened for modification	C:\WINDOWS\lsass.exe	service.exe
File opened for modification	C:\WINDOWS\svchost.exe	svchost.exe
File created	C:\WINDOWS\csrss.exe	lsass.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3512	service.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
3284	svchost.exe
1536	svchost.exe
3772	lsass.exe
2952	svchost.exe
1092	lsass.exe
4380	csrss.exe
5040	svchost.exe
176	lsass.exe
2716	csrss.exe
3512	service.exe
3496	svchost.exe
4692	lsass.exe
1916	csrss.exe
2692	service.exe
2152	service.exe
3232	csrss.exe
4576	service.exe
4464	lsass.exe
3336	csrss.exe
3504	service.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 3284	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	82
PID 3540 wrote to memory of 3284	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	82
PID 3540 wrote to memory of 3284	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	82
PID 3284 wrote to memory of 1536	3284	svchost.exe	83
PID 3284 wrote to memory of 1536	3284	svchost.exe	83
PID 3284 wrote to memory of 1536	3284	svchost.exe	83
PID 3284 wrote to memory of 3772	3284	svchost.exe	84
PID 3284 wrote to memory of 3772	3284	svchost.exe	84
PID 3284 wrote to memory of 3772	3284	svchost.exe	84
PID 3772 wrote to memory of 2952	3772	lsass.exe	85
PID 3772 wrote to memory of 2952	3772	lsass.exe	85
PID 3772 wrote to memory of 2952	3772	lsass.exe	85
PID 3772 wrote to memory of 1092	3772	lsass.exe	86
PID 3772 wrote to memory of 1092	3772	lsass.exe	86
PID 3772 wrote to memory of 1092	3772	lsass.exe	86
PID 3772 wrote to memory of 4380	3772	lsass.exe	87
PID 3772 wrote to memory of 4380	3772	lsass.exe	87
PID 3772 wrote to memory of 4380	3772	lsass.exe	87
PID 4380 wrote to memory of 5040	4380	csrss.exe	88
PID 4380 wrote to memory of 5040	4380	csrss.exe	88
PID 4380 wrote to memory of 5040	4380	csrss.exe	88
PID 4380 wrote to memory of 176	4380	csrss.exe	89
PID 4380 wrote to memory of 176	4380	csrss.exe	89
PID 4380 wrote to memory of 176	4380	csrss.exe	89
PID 4380 wrote to memory of 2716	4380	csrss.exe	90
PID 4380 wrote to memory of 2716	4380	csrss.exe	90
PID 4380 wrote to memory of 2716	4380	csrss.exe	90
PID 4380 wrote to memory of 3512	4380	csrss.exe	91
PID 4380 wrote to memory of 3512	4380	csrss.exe	91
PID 4380 wrote to memory of 3512	4380	csrss.exe	91
PID 3512 wrote to memory of 3496	3512	service.exe	92
PID 3512 wrote to memory of 3496	3512	service.exe	92
PID 3512 wrote to memory of 3496	3512	service.exe	92
PID 3512 wrote to memory of 4692	3512	service.exe	93
PID 3512 wrote to memory of 4692	3512	service.exe	93
PID 3512 wrote to memory of 4692	3512	service.exe	93
PID 3512 wrote to memory of 1916	3512	service.exe	94
PID 3512 wrote to memory of 1916	3512	service.exe	94
PID 3512 wrote to memory of 1916	3512	service.exe	94
PID 3512 wrote to memory of 2692	3512	service.exe	95
PID 3512 wrote to memory of 2692	3512	service.exe	95
PID 3512 wrote to memory of 2692	3512	service.exe	95
PID 3772 wrote to memory of 2152	3772	lsass.exe	96
PID 3772 wrote to memory of 2152	3772	lsass.exe	96
PID 3772 wrote to memory of 2152	3772	lsass.exe	96
PID 3284 wrote to memory of 3232	3284	svchost.exe	97
PID 3284 wrote to memory of 3232	3284	svchost.exe	97
PID 3284 wrote to memory of 3232	3284	svchost.exe	97
PID 3284 wrote to memory of 4576	3284	svchost.exe	98
PID 3284 wrote to memory of 4576	3284	svchost.exe	98
PID 3284 wrote to memory of 4576	3284	svchost.exe	98
PID 3540 wrote to memory of 4464	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	99
PID 3540 wrote to memory of 4464	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	99
PID 3540 wrote to memory of 4464	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	99
PID 3540 wrote to memory of 3336	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	100
PID 3540 wrote to memory of 3336	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	100
PID 3540 wrote to memory of 3336	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	100
PID 3540 wrote to memory of 3504	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	101
PID 3540 wrote to memory of 3504	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	101
PID 3540 wrote to memory of 3504	3540	b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe	101

C:\Users\Admin\AppData\Local\Temp\b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe
"C:\Users\Admin\AppData\Local\Temp\b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3540
- C:\WINDOWS\svchost.exe
  C:\WINDOWS\svchost.exe
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\WINDOWS\svchost.exe
    C:\WINDOWS\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1536
- - C:\WINDOWS\lsass.exe
    C:\WINDOWS\lsass.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3772
  - - C:\WINDOWS\svchost.exe
      C:\WINDOWS\svchost.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2952
  - - C:\WINDOWS\lsass.exe
      C:\WINDOWS\lsass.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1092
  - - C:\WINDOWS\csrss.exe
      C:\WINDOWS\csrss.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4380
    - - C:\WINDOWS\svchost.exe
        
        C:\WINDOWS\svchost.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5040
    - - C:\WINDOWS\lsass.exe
        
        C:\WINDOWS\lsass.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:176
    - - C:\WINDOWS\csrss.exe
        
        C:\WINDOWS\csrss.exe
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2716
    - - C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\\service.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3512
      - C:\WINDOWS\svchost.exe
        
        C:\WINDOWS\svchost.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3496
      - C:\WINDOWS\lsass.exe
        
        C:\WINDOWS\lsass.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4692
      - C:\WINDOWS\csrss.exe
        
        C:\WINDOWS\csrss.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1916
      - C:\Windows\SysWOW64\service.exe
        
        C:\Windows\system32\\service.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2692
  - - C:\Windows\SysWOW64\service.exe
      C:\Windows\system32\\service.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2152
- - C:\WINDOWS\csrss.exe
    C:\WINDOWS\csrss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3232
- - C:\Windows\SysWOW64\service.exe
    C:\Windows\system32\\service.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4576
- C:\WINDOWS\lsass.exe
  C:\WINDOWS\lsass.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4464
- C:\WINDOWS\csrss.exe
  C:\WINDOWS\csrss.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3336
- C:\Windows\SysWOW64\service.exe
  C:\Windows\system32\\service.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS\csrss.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\WINDOWS\lsass.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\WINDOWS\svchost.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\SysWOW64\service.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\csrss.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\csrss.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\csrss.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\csrss.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\csrss.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\lsass.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\lsass.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\lsass.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\lsass.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\lsass.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\svchost.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\svchost.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\svchost.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\svchost.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
C:\Windows\svchost.exe

Filesize
68KB

MD5
ee5efe8092f313535790ce2105e7188a

SHA1
8a3f3d18d247b87034b562e5554e030867e6afc5

SHA256
b25da798c598034e21ab485219ba8eb0bd1aa90ef05569c0ad9375f8dce2cd71

SHA512
5d41de036f05c1eab717bbdfcccacecdb5cdedafcfb42f02001f21e80dbc5380a6fc4d21ddf8848e3fd27e40ed140773cb93ffcaccd16068dde6a8d5171fcb6d

Download Submit
memory/176-172-0x0000000000000000-mapping.dmp

Download
memory/176-179-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1092-158-0x0000000000000000-mapping.dmp

Download
memory/1092-163-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1536-150-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1536-148-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1536-143-0x0000000000000000-mapping.dmp

Download
memory/1916-205-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1916-200-0x0000000000000000-mapping.dmp

Download
memory/2152-216-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2152-210-0x0000000000000000-mapping.dmp

Download
memory/2692-209-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2692-204-0x0000000000000000-mapping.dmp

Download
memory/2716-177-0x0000000000000000-mapping.dmp

Download
memory/2716-182-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2952-154-0x0000000000000000-mapping.dmp

Download
memory/2952-160-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3232-217-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3232-214-0x0000000000000000-mapping.dmp

Download
memory/3284-147-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3284-241-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3284-135-0x0000000000000000-mapping.dmp

Download
memory/3336-230-0x0000000000000000-mapping.dmp

Download
memory/3336-234-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3496-196-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3496-190-0x0000000000000000-mapping.dmp

Download
memory/3504-235-0x0000000000000000-mapping.dmp

Download
memory/3504-239-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3512-244-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3512-183-0x0000000000000000-mapping.dmp

Download
memory/3512-189-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3540-132-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3540-240-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3772-187-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/3772-149-0x0000000000000000-mapping.dmp

Download
memory/3772-242-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4380-164-0x0000000000000000-mapping.dmp

Download
memory/4380-188-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4380-243-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4464-224-0x0000000000000000-mapping.dmp

Download
memory/4464-229-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4576-226-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4576-220-0x0000000000000000-mapping.dmp

Download
memory/4692-199-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/4692-194-0x0000000000000000-mapping.dmp

Download
memory/5040-168-0x0000000000000000-mapping.dmp

Download
memory/5040-174-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads