phemedrone | 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6

General

Target

35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
Size

291KB
MD5

37992d4e5349d0a9275c8d1fe0290591
SHA1

2ea1bb73a8459672c7f8a1133c4edc8040c2c63c
SHA256

35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6
SHA512

dc2bd50f573d806c88eba2f599476d431ad3b2c64cf14e058e6df53edd2383d2a8b18e99aeae14af6fbbdec7f14c4403ced2883cb20a93c77515b1ed5fae7d88
SSDEEP

6144:rTiaVHkOlGtyUFB3XjdOwkL1xOJ9NLzof6TUIa1bq/KMw:rXJUFB3zEjLPDf6J

Score

10^/10

phemedrone xworm credential_access execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:19121

goods-flex.gl.at.ply.gg:19121

Attributes

Install_directory
%AppData%
install_file
GoogleUpdateUA.exe

Extracted

Family

phemedrone

C2

https://api.telegram.org/bot6766891578:AAE47sIyviQ0_skRFQtvxeYcndg1C8RFyo4/sendDocument

Signatures

Detect Xworm Payload 4 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe	family_xworm
behavioral1/memory/2720-15-0x00000000011D0000-0x00000000011E6000-memory.dmp	family_xworm
behavioral1/memory/1836-70-0x0000000000270000-0x0000000000286000-memory.dmp	family_xworm
behavioral1/memory/2588-73-0x00000000013D0000-0x00000000013E6000-memory.dmp	family_xworm

Phemedrone
An information and wallet stealer written in C#.
stealer phemedrone
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid process

2188 powershell.exe
2776 powershell.exe
1900 powershell.exe
2956 powershell.exe
2528 powershell.exe
2068 powershell.exe
2292 powershell.exe

Drops startup file 2 IoCs

Processes:

GoogleUpdateUA.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdateUA.lnk	GoogleUpdateUA.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GoogleUpdateUA.lnk	GoogleUpdateUA.exe

Executes dropped EXE 5 IoCs

Processes:

GoogleUpdateUA.exelauncher.exeSync Center.exeGoogleUpdateUA.exeGoogleUpdateUA.exe

pid process

2720 GoogleUpdateUA.exe
2824 launcher.exe
2128 Sync Center.exe
1836 GoogleUpdateUA.exe
2588 GoogleUpdateUA.exe
Loads dropped DLL 2 IoCs

Processes:

35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe

pid process

1812 35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
2612
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

pid	process
2720	GoogleUpdateUA.exe
2824	launcher.exe
2128	Sync Center.exe
1836	GoogleUpdateUA.exe
2588	GoogleUpdateUA.exe

pid	process
1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
2612

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

GoogleUpdateUA.exe35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdateUA = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleUpdateUA.exe"	GoogleUpdateUA.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\launcher = "C:\\Users\\Admin\\AppData\\Local\\Temp\\launcher.exe"	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1252 schtasks.exe

flow	ioc
4	ip-api.com

pid	process
1252	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2188	powershell.exe
2776	powershell.exe
1900	powershell.exe
2128	Sync Center.exe
2956	powershell.exe
2528	powershell.exe
2068	powershell.exe
2292	powershell.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exepowershell.exeGoogleUpdateUA.exepowershell.exepowershell.exeSync Center.exepowershell.exepowershell.exepowershell.exepowershell.exeGoogleUpdateUA.exeGoogleUpdateUA.exe

description	pid	process
Token: SeDebugPrivilege	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2720	GoogleUpdateUA.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	2128	Sync Center.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2720	GoogleUpdateUA.exe
Token: SeDebugPrivilege	1836	GoogleUpdateUA.exe
Token: SeDebugPrivilege	2588	GoogleUpdateUA.exe

Suspicious use of WriteProcessMemory 45 IoCs

Processes:

35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exelauncher.exeSync Center.exeGoogleUpdateUA.exetaskeng.exe

description	pid	process	target process
PID 1812 wrote to memory of 2188	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	powershell.exe
PID 1812 wrote to memory of 2188	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	powershell.exe
PID 1812 wrote to memory of 2188	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	powershell.exe
PID 1812 wrote to memory of 2720	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	GoogleUpdateUA.exe
PID 1812 wrote to memory of 2720	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	GoogleUpdateUA.exe
PID 1812 wrote to memory of 2720	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	GoogleUpdateUA.exe
PID 1812 wrote to memory of 2776	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	powershell.exe
PID 1812 wrote to memory of 2776	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	powershell.exe
PID 1812 wrote to memory of 2776	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	powershell.exe
PID 1812 wrote to memory of 2824	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	launcher.exe
PID 1812 wrote to memory of 2824	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	launcher.exe
PID 1812 wrote to memory of 2824	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	launcher.exe
PID 1812 wrote to memory of 1900	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	powershell.exe
PID 1812 wrote to memory of 1900	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	powershell.exe
PID 1812 wrote to memory of 1900	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	powershell.exe
PID 2824 wrote to memory of 2832	2824	launcher.exe	cmd.exe
PID 2824 wrote to memory of 2832	2824	launcher.exe	cmd.exe
PID 2824 wrote to memory of 2832	2824	launcher.exe	cmd.exe
PID 1812 wrote to memory of 2128	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	Sync Center.exe
PID 1812 wrote to memory of 2128	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	Sync Center.exe
PID 1812 wrote to memory of 2128	1812	35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe	Sync Center.exe
PID 2128 wrote to memory of 1224	2128	Sync Center.exe	WerFault.exe
PID 2128 wrote to memory of 1224	2128	Sync Center.exe	WerFault.exe
PID 2128 wrote to memory of 1224	2128	Sync Center.exe	WerFault.exe
PID 2720 wrote to memory of 2956	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2956	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2956	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2528	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2528	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2528	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2068	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2068	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2068	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2292	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2292	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 2292	2720	GoogleUpdateUA.exe	powershell.exe
PID 2720 wrote to memory of 1252	2720	GoogleUpdateUA.exe	schtasks.exe
PID 2720 wrote to memory of 1252	2720	GoogleUpdateUA.exe	schtasks.exe
PID 2720 wrote to memory of 1252	2720	GoogleUpdateUA.exe	schtasks.exe
PID 2428 wrote to memory of 1836	2428	taskeng.exe	GoogleUpdateUA.exe
PID 2428 wrote to memory of 1836	2428	taskeng.exe	GoogleUpdateUA.exe
PID 2428 wrote to memory of 1836	2428	taskeng.exe	GoogleUpdateUA.exe
PID 2428 wrote to memory of 2588	2428	taskeng.exe	GoogleUpdateUA.exe
PID 2428 wrote to memory of 2588	2428	taskeng.exe	GoogleUpdateUA.exe
PID 2428 wrote to memory of 2588	2428	taskeng.exe	GoogleUpdateUA.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe
"C:\Users\Admin\AppData\Local\Temp\35c96710224c62bd8dbfb9a6f65cd524fb54657d8e75f2bc4268530b004c6dc6.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe
  "C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateUA.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'GoogleUpdateUA.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2292
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "GoogleUpdateUA" /tr "C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1252
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\launcher.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:2832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Sync Center.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1900
- C:\Users\Admin\AppData\Local\Temp\Sync Center.exe
  "C:\Users\Admin\AppData\Local\Temp\Sync Center.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2128 -s 636
    3⤵
    PID:1224

C:\Windows\system32\taskeng.exe
taskeng.exe {0E9897F3-625F-4359-9A59-F2274636CE52} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe
  C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe
  C:\Users\Admin\AppData\Roaming\GoogleUpdateUA.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

3

T1552

Credentials In Files

3

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GoogleUpdateUA.exe

Filesize
63KB

MD5
9d84713a034176855221121b1b82e66d

SHA1
1f8b51b489510ba4d7d899b698f0ae1cf24380c3

SHA256
43fe14e317713480c623a3fef46f3347c7051796eac95f489db2ea2f5a9830f3

SHA512
434a8d9e81fb22ed38ba8c593b7d17be1d8b674b9a0441b194352a7072b7dfc20fdb81bb4aa8451d8b69671ac9f008e3d5611a209894cb1fbc86583a924e84dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sync Center.exe

Filesize
121KB

MD5
7b6c19c2c8fc4ff9cc5b136f22cf490d

SHA1
e557a697a268c54a73aaffd02d25e54c4f601719

SHA256
cf6c9880812d48fe7ba3a1d1a1692a881745a7fb8cf6534f94555dd7dd1c3353

SHA512
afe23d16011e1eb71ce3be9f8796cf0398cc9e01415c93cd4e8403f1ee84f48e23396ab7709b60d5a9e5b3e5daee9e8f90bae99e6a85ece6475fa8bdd82f953b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ce2217a9c39ea918cbe321a09f8410db

SHA1
01c04247f656303eb9712f7fd4d04ed9cccfdff3

SHA256
a3aef42b915affefeaab1422c1c1a1cdefcb659914936469ff2f4c1c6b5c19ad

SHA512
fd47d4ebafb7c1602235ef7e936fd41244afef202b79ecdf4039e50ebbd316419cbfb7b5fe3f0e19c6faf481b14f099f187567abc56c3133a4916f70d141009e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\LRDWC200STC2SHDM4YCO.temp

Filesize
7KB

MD5
22e02d3e017029ed6865e1915feb2851

SHA1
a59631455ddaea426a3ca4c96be4f6af64f73200

SHA256
51b63799e2de52753fad60da37294ea7ddd072d401bfa8760ee1cb9cb6e408fe

SHA512
6586f752e7b5a69433720e84e004de0d48baac557e267482715e672eac927cdd7b6aa34d49a9bfbab21642f5327ca04a92354e4d28c68895822cb9ad93b9fb81

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
251KB

MD5
f71fc206efa0533dc5a9bdce59fd342e

SHA1
077e3d50d9db91cb943c6dcdfb8913b6b4e8bfda

SHA256
98d7a0cf5249443da87cc97998d885ed9811bd0790d49c8ee45577e54296acc6

SHA512
2913315fdc26efced8114173761a20c52705778d8fe65a84fc6ca99e8218bf85eabec67a4693dfa9e57596d9e85597aca0d7fafc18b649a2c7b0fa71062daa8e

Download Submit
memory/1812-1-0x00000000009E0000-0x0000000000A2E000-memory.dmp

Filesize
312KB

Download
memory/1812-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1812-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/1812-41-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-70-0x0000000000270000-0x0000000000286000-memory.dmp

Filesize
88KB

Download
memory/2128-40-0x0000000000AF0000-0x0000000000B14000-memory.dmp

Filesize
144KB

Download
memory/2188-9-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2188-8-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2188-7-0x0000000002C60000-0x0000000002CE0000-memory.dmp

Filesize
512KB

Download
memory/2528-52-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2588-73-0x00000000013D0000-0x00000000013E6000-memory.dmp

Filesize
88KB

Download
memory/2720-15-0x00000000011D0000-0x00000000011E6000-memory.dmp

Filesize
88KB

Download
memory/2776-22-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2776-21-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads