7949a5596e0299424e4457c280362287f7480c9bd3ef48da9bb24ddba0a21919

Analysis

max time kernel
1355s
max time network
1179s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 14:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
Size

16.6MB
MD5

22e496083d46047375130e0a2dd4cd78
SHA1

d097db0f57aeffc88ce93733ba4009324911f37e
SHA256

188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a
SHA512

4cb1e3161884ff3690829fbfe5440d0b4e929623dc8ff7d307aa8c2db81db5ce4b87996a8cb6e7b868b72916e4bdcca2e4c6a68b6506bc9267752faff9ae2c6d
SSDEEP

196608:GBcR6cLLLzLLLzLLLvss5ALLaALLaALL/ooViYiYiPuOaak4qbb10jwg8+:mcR66ss577C4qbb10jM+

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (700) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HANTA.exe	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hanta_ransom = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\HANTA.exe\""	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.doc	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File created	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.xls	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File created	C:\Windows\SysWOW64\MSDRM\MsoIrmProtector.ppt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wall.jpg"	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ja.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\UpdateSet.xlsx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\THMBNAIL.PNG	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\MSFT_PackageManagement.strings.psd1	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\PSGet.Resource.psd1	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\THMBNAIL.PNG	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\THMBNAIL.PNG	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\PSGet.Resource.psd1	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\PackageManagementDscUtilities.strings.psd1	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\PackageManagementDscUtilities.strings.psd1	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Archive.zip	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\default.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\home2.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\error.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\error.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File created	C:\Windows\WinSxS\amd64_microsoft-hyper-v-bpa.resources_31bf3856ad364e35_10.0.19041.1_de-de_6d91bbf7a5a9e010\Hyper-V.psd1	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\manageUsers.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\home1.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\AppConfigHome.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File created	C:\Windows\WinSxS\amd64_netfx-aspnet_defwsdlhlpgen_b03f5f7f11d50a3a_10.0.19041.1_none_b1ce8b4dc83ef422\DefaultWsdlHelpGenerator.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\AppConfigHome.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\addUser.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageSingleRole.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\default.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\manageAllRoles.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\error.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security0.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\editUser.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\WebAdminHelp.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\findUsers.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\editUser.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DefineErrorPage.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\addUser.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\editUser.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Security\security.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\error.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\home1.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\DefaultWsdlHelpGenerator.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\DebugAndTrace.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\addUser.aspx	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\WallpaperStyle = "1"	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\Desktop\TileWallpaper = "0"	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe

C:\Users\Admin\AppData\Local\Temp\188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe
"C:\Users\Admin\AppData\Local\Temp\188a788960d15df85065cbc52f537434f3abd41aabd3299531fb58dfa98bbb1a.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\CreateAppSetting.aspx

Filesize
3KB

MD5
3b53144bd407f9c589baf0a16d47ca83

SHA1
7d991a7af16079c165508f46870f66160469fb65

SHA256
8788ad3df6c246ec59ced3216753b89ef5176745d2071648746d1cf077f6d794

SHA512
f3c95ea8cb8d002b3d9fc3e497642b41b8c133627824670b25f709027383df0f39004e767f1a65985c359f42d106f28c7cbc71e81657691a5d49ef304b1b083f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\EditAppSetting.aspx

Filesize
2KB

MD5
5c57b725f0a5b21e7f8dd979f56eb98a

SHA1
226f4c2cbd800f91a7834a1910386793f52ae697

SHA256
d9cff65fca05fc9a03fc74c795a08c5ac12e801224741c79f2e9cb1040389315

SHA512
45a7f045049e8c76c871e502ae6beabf3520cbb61043b46aaf9746b17c480085cc26491b0461ec4b70d6571dde19fa12a9458e9c19813a1e9f6632c739da8541

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\ManageAppSettings.aspx

Filesize
14KB

MD5
873b6587a7de5b85992548b17c921718

SHA1
3874bff3b6dc5297d59c8dbfac5ccd2702707326

SHA256
49d6ff6715fe46cc1da323efa28452de2cc570de4f19a7b4f69682a131b32db9

SHA512
050834b0d7b3dd42940a5b82d78f83745ea97a70ee4f72362c0621fe6b8682e83f88a2abaf81aa474454019aae5218b0233f9e78e2c3d9a67f92edc4cd0b06a4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageConsolidatedProviders.aspx

Filesize
12KB

MD5
e993750d4705a8b65496cd5a8405edd7

SHA1
02cb4f73a7a77ebec5ac14454782c19ede7e7a7b

SHA256
afa583ffb82b0170b1b7a174bcecfe614f80d252d8c96a58a0d0ed89d3f382df

SHA512
d890573f657a6ca4d31e72e03363f6368c617333cc8c01b750642017300229c0ccd5ef06bb6af932d833c2b90cd0ee1f69f4ed75b5c10fb58fd9d3865f6cc1d2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\ManageProviders.aspx

Filesize
9KB

MD5
0fe48118bcef88bd7f4668aaf858d376

SHA1
d89729df0310b4b4039b19ed2cc7c19581bdcb37

SHA256
869ab950f91d353a91994ee43ec47b46c7119422a2c56522624319c6eba85628

SHA512
0d646d304d70393da9834d75a0e1e2afa4d3bd69efe54098ab788b0b52c8ccf6183dd066e7e39c2f99719dad59b7eaf455020c7f031cbe147b258c53bd9c1978

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Providers\chooseProviderManagement.aspx

Filesize
2KB

MD5
de99e656ce1f3607cbda94d323332d55

SHA1
4fe204ef06461fe6475c339b2782d729eaa4b68d

SHA256
34178cfde2ba37bb0380cca7844e451640f087b17c368f56cff68acafe902e99

SHA512
2f42a8651f8f21aeba89d2789e84f286409ca10c6c7f9013a204ac02fc715dd844cefe32730de1acabeb6bd1735b47ad0871ecc82ac75aa1b188ed2fd0aadd70

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\createPermission.aspx

Filesize
10KB

MD5
e8745cfd38238b69e802c58c63140ee5

SHA1
527d4d643ed186501c94a637ac78f9d827693fdc

SHA256
f4c6eb65a32262ef1be31a4e9bad7ef55819924991ec95b4433bd5fd74701fe2

SHA512
628df34ce871edd485e2f37d1e1f31de961aefef4334c65f38f0ba08830c4c3fdafe42188e6ffde4e7c4f55a3534b2b6d73ac7b7dc59d5f56bcac49fd296a33a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Permissions\managePermissions.aspx

Filesize
21KB

MD5
968f91b7be2abb747be12da8cdc41500

SHA1
8220a2c8c63a2c3bdfa8b5929240ad961a39f1ab

SHA256
764c603c40f22fc6c1894eedd69b17d8432d9b4bfd9bdb54d9b797e29d84b74a

SHA512
284e1f3e1aa8bacf5af76ba6c21f909d21a3d8504adc4effa3a8d8f86c9f14b88012fe298d9a314b872931c23c433019bd7de929c75c48e0c9eb24349b9cc51e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\editUser.aspx

Filesize
11KB

MD5
f83dd303e412b078157fa2d558eaea70

SHA1
0cdd983b8d9053528908a3daddf195abdb07aceb

SHA256
1a453f44ac283ee1b1acf7a79dd01b6e7a286865776cab220d23d4f13fd64bdf

SHA512
1e17c962a59f19fadf7d028a8d138ccea1a69d4a0ec749e3f83e972a827ab823739a90c1f8fa553bdb6a669de6dcc982ead21fee0d60838854a2ae308b271a68

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\wizard.aspx

Filesize
10KB

MD5
c9b22318ccb50ad9905ce35dca60a362

SHA1
04c0d2f98a5026027d401263d80e7af854799fac

SHA256
725fd1e885d7c6314b83ae99c32a077647b9d0feed79ffc1853ddefb125a7e76

SHA512
8b0bbee97e2667ab2ba621aabf2e75e4892bddc913f195a52c99e8f7836320b1c2fc802004ec6ded7ce4464a0a4759adf4c8f765ebd0880e4629e8f70dc80c56

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security.aspx

Filesize
9KB

MD5
d829027d19a8f80a4c343ca8cc3f4c00

SHA1
5385b560b78e06449d5c045a1dad60f2b8c315fb

SHA256
671aefebda925644a8f2556a4bba4740d40ccaed343bf417456cb34b6c5b31fe

SHA512
f8ccc5f6e173ba2a3e9cfcda6653b25a4190c1418f2602dded88900939b069da2317e7f405c0799f4b27124a620da42acf6fb19c922a791220594e90ef9dd854

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\security0.aspx

Filesize
1KB

MD5
4c651ade65fedcb0ca649bca34b2258e

SHA1
61e09937a43a6fced82c13604841a4664f3465f3

SHA256
172f461c856d948c53b7e91cce67aa1e744559693feefde1d90c7560e38c5e1f

SHA512
1346234bd55cb772cb504981f151dadc5b732acbb29b9e253f6f8ce592789c3de473e559d4c8a5dfdd03c5e80435d9b1caf981e1b5cb4874245798cf92a1a701

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\setUpAuthentication.aspx

Filesize
2KB

MD5
46061fd36e7f75269f194308f92297a9

SHA1
5dce2a2005127e487ced5524714a0faf186a27ca

SHA256
07aeb96747b342195120221f8b75f44d637c9ffab1f5d05a1a9ebbfdb7e27d93

SHA512
74ae1063b556bbc691289c995c0eabbc958045f4c38d6cde81d10dae50716210be01bca8c417e536b0d94317642aa09f65f75c3b4b36383e43a80cbb0e642b92

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp.aspx

Filesize
6KB

MD5
fa5f375252736c124c97d122530fc96f

SHA1
8534b9965c870f41f081c6da4405173cbe255e62

SHA256
4495e30b77a60af63ab231482a90cbbdbe2501b7192e6460f2152efe68358330

SHA512
41a9b199452888019d492548aae329d9ae7729f0cfae16b1d7af3681067ab68836cba6ae960cd6329d6b37306086d5171ccbb50826eb4a11b847609185a91e14

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Application.aspx

Filesize
13KB

MD5
b4d4d9b1f9f73b0f8691a283dda916f2

SHA1
239a97517e13089b039f14590b306508b1b9e670

SHA256
fb250d7ad0318f6d3f5cbf8ff065fe92e4cda6db864f23487574d35901a2b7eb

SHA512
fe1a007d8fb1156b14b43a4ecd4c955a5b9c491b6d797dea009fa7851372a0fef071f2e00e53f8a68d50fb50373b0e25e0170361e87a847f947b42cd39d5f1b8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx

Filesize
3KB

MD5
9ac277dba628528f875ea97306a75f56

SHA1
ba94b82d1d4a784b3e24d3b0b1a6fa1a13415b8d

SHA256
137a8d941c991be66f336949e95ae749592d60cb1e882269f4d48e8d007569a2

SHA512
1a123a2e8959ce1130d9ef66dacbb7ef1d843dfa146b29c40df3b03bae53bbfab5cb73ad90600139ca9ab4076a6da8c8102f792373a827471f137140399b4417

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Provider.aspx

Filesize
6KB

MD5
bb0d1a497b0637531c411c1636cac587

SHA1
ff6b5e7befd45c56a37ccf0f64c16caec071942f

SHA256
e5b902ca98363ea74b5defc434ad5a0707d36bbe1a05762977c1fe734bd25a3e

SHA512
243ba1865d673b03c40a10298f344c033af1ea532c921dd4ff20731aadb060a48e233008330225181f2f05e3c5864ff9e243f133c6d88874f69e7dc68a8efdcb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Security.aspx

Filesize
10KB

MD5
6ea1036018536e03b0ea6d4deeda2c19

SHA1
12e6c63a588c3bbb524e3e101cee352d0c7083ca

SHA256
10c5da1a3ed444043b56aebf33a3217f3885ffb508d666ec6cac96100926f1d8

SHA512
eb3ef9437b6ecccb2b943761af4cb5d729f4b327ff32731afdce8ebdcf5b59b566641152dbf4614c9231ca7bb8949e5ec027dd2fdf7dfb8e28344b9df3f8692f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\default.aspx

Filesize
4KB

MD5
30b99fc42def31e8667ec0a0f338b8bd

SHA1
981cb6c6d07ddf06b3eec8e3884d0f9d7be0e3ab

SHA256
b25ae5141a6422bd1c5771be7ffe97c26e238cea1bb7e877cb687d89ae72ae40

SHA512
194d1c53a479d3321091d474a5159898778086ab170178958f76ef2fad8df8773aa7fd72004c0d10f69fffd44a6634584d17012c76addc6797826bab8dba0b53

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\error.aspx

Filesize
6KB

MD5
91493b878f723b3b1affda9546f2b705

SHA1
12d5cc54bfc3f5cfc2cac1a2341a593d539ecf35

SHA256
d5a013ad47e4c63efc5861edad966d53835a3797176bc6eaa761d8ef8a11ac3a

SHA512
d171070656a643f40dd9255d029887a34acd414f0c237b2a21abe962c9c793010105d0c04a6b143b2ef150160d1d1ebc7a35c838de1628cce3b3f205bdb56455

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\home0.aspx

Filesize
1KB

MD5
a7ca6102122015ed991200fc070e1746

SHA1
97136aecb93327f85d960816b1a7e9b6dc9a1eab

SHA256
58a1d41fda79d18ad07877c09818d6c660445bb4905aa416eb8c7aeb93ef4804

SHA512
99eb40e16494d572c881bc4a63b4f446fbaea8f6f4b43f585e63d7cd16c8e6567012e38a79efd327de7c0b3acddeea88db6178a6301ff4bdcd81804383a8c87b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\home1.aspx

Filesize
752B

MD5
1813d63485712c8513846cabb85b15e4

SHA1
ce44cb8a1866a66b57b70e09f17b9ed0ca374d03

SHA256
d654c5cf1c0a1518dbecc127de8e44eda1d81478ac8d411131f1b5e0d5862643

SHA512
578df3f0d716ef6ccc57d60e2180da575964da6a32c9a47fdbd1cf121f8add798d3f328ac20f95ab85868afd28d2e5a4c5a0020f5ff03a49552bba9e21d0a204

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\home2.aspx

Filesize
1KB

MD5
18fc8d442907b4b809dbc983f130fb15

SHA1
072f921ce32dcaceddb4cfe2d10140c81ec62a7a

SHA256
c75baa44ddba0d6ee336016cb44fdde2579e2247491127b45e3c7fa8b715d0da

SHA512
318a7b2ddc8c6d680b00a899a6fa13ab56bdb5c3dd76a0ac09446561a49ef0d538b7b06a04db0ccf848ba0d61b25b780c79d294485a6c16016f53e37c22bc6d1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\DefaultWsdlHelpGenerator.aspx

Filesize
68KB

MD5
d776e0296fa3c586090db78ef53f29cc

SHA1
4affc5943a5a07c715c5eb01e6a764382a82cd19

SHA256
e17c8399a28511219a54d9e04c0c403e55cea369d6533525ea0f75d94a807d83

SHA512
4db051021f8e41d90e15b46396128d3f346097f6f0563999cfb07229e39b1bd5b048ac44674ebf0763b1080f636a5431038e910f47816e6d2ef677c7994909b6

Download Submit
memory/2672-5-0x0000000006C30000-0x0000000006C3A000-memory.dmp

Filesize
40KB

Download
memory/2672-8-0x0000000006C70000-0x0000000006C80000-memory.dmp

Filesize
64KB

Download
memory/2672-3-0x0000000006A70000-0x0000000006B02000-memory.dmp

Filesize
584KB

Download
memory/2672-0-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/2672-4-0x0000000006C70000-0x0000000006C80000-memory.dmp

Filesize
64KB

Download
memory/2672-1-0x0000000000FF0000-0x000000000209A000-memory.dmp

Filesize
16.7MB

Download
memory/2672-7-0x0000000074F60000-0x0000000075710000-memory.dmp

Filesize
7.7MB

Download
memory/2672-2-0x00000000070D0000-0x0000000007674000-memory.dmp

Filesize
5.6MB

Download
memory/2672-1409-0x0000000002A30000-0x0000000002A96000-memory.dmp

Filesize
408KB

Download
memory/2672-1412-0x00000000064F0000-0x00000000064F8000-memory.dmp

Filesize
32KB

Download
memory/2672-1413-0x0000000006C70000-0x0000000006C80000-memory.dmp

Filesize
64KB

Download
memory/2672-1414-0x0000000006C70000-0x0000000006C80000-memory.dmp

Filesize
64KB

Download
memory/2672-1415-0x0000000006C70000-0x0000000006C80000-memory.dmp

Filesize
64KB

Download
memory/2672-1416-0x0000000006C70000-0x0000000006C80000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads