430d6a10f2a37a3a8957e5fabfda4f3c7fa9af76bc4b2c020638f023e06f0267

Analysis

max time kernel
60s
max time network
61s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-12-2024 16:13

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Server.exe
Size

93KB
MD5

77e8ae03f54ed1ce413314dbb8e00435
SHA1

398ce9204237c30280dce2f3d6cfed34946383c0
SHA256

430d6a10f2a37a3a8957e5fabfda4f3c7fa9af76bc4b2c020638f023e06f0267
SHA512

6a679cd51e75ed9374cd17da763f180fd370e7d86fa88475a75eb1b07bd4f0e4f72b4fdf006345af3c0086a1978a358ade19a3ca422d892e41c3d0a47032b159
SSDEEP

768:gY3wI7yZnDQMMpAZrGSt6udttXy4sahkGJiXxrjEtCdnl2pi1Rz4Rk3wsGdpTgS7:II+ZD3rGWNd7dhkhjEwzGi1dDoDTgS

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
636	netsh.exe
2460	netsh.exe
3052	netsh.exe

Drops startup file 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdce5dfdbb5ec4d4d26d1b02578ff07bWindows Update.exe	server.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fdce5dfdbb5ec4d4d26d1b02578ff07bWindows Update.exe	server.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Corporation.exe	server.exe

Executes dropped EXE 2 IoCs

pid	Process
2808	server.exe
984	tmp454A.tmp.bat

Loads dropped DLL 3 IoCs

pid	Process
2604	Server.exe
2604	Server.exe
2808	server.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Explower.exe	server.exe
File opened for modification	C:\Windows\SysWOW64\Explower.exe	server.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp454A.tmp.bat
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{565C63E1-B96D-11EF-AC25-4298DBAE743E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe
2808	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2808	server.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	server.exe
Token: 33	2808	server.exe
Token: SeIncBasePriorityPrivilege	2808	server.exe
Token: 33	2808	server.exe
Token: SeIncBasePriorityPrivilege	2808	server.exe
Token: 33	2808	server.exe
Token: SeIncBasePriorityPrivilege	2808	server.exe
Token: 33	2808	server.exe
Token: SeIncBasePriorityPrivilege	2808	server.exe
Token: 33	2808	server.exe
Token: SeIncBasePriorityPrivilege	2808	server.exe
Token: 33	2808	server.exe
Token: SeIncBasePriorityPrivilege	2808	server.exe
Token: SeShutdownPrivilege	2232	shutdown.exe
Token: SeRemoteShutdownPrivilege	2232	shutdown.exe
Token: 33	2808	server.exe
Token: SeIncBasePriorityPrivilege	2808	server.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2808	server.exe
2132	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2132	iexplore.exe
2132	iexplore.exe
2684	IEXPLORE.EXE
2684	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2808	2604	Server.exe	29
PID 2604 wrote to memory of 2808	2604	Server.exe	29
PID 2604 wrote to memory of 2808	2604	Server.exe	29
PID 2604 wrote to memory of 2808	2604	Server.exe	29
PID 2808 wrote to memory of 3052	2808	server.exe	31
PID 2808 wrote to memory of 3052	2808	server.exe	31
PID 2808 wrote to memory of 3052	2808	server.exe	31
PID 2808 wrote to memory of 3052	2808	server.exe	31
PID 2808 wrote to memory of 636	2808	server.exe	33
PID 2808 wrote to memory of 636	2808	server.exe	33
PID 2808 wrote to memory of 636	2808	server.exe	33
PID 2808 wrote to memory of 636	2808	server.exe	33
PID 2808 wrote to memory of 2460	2808	server.exe	34
PID 2808 wrote to memory of 2460	2808	server.exe	34
PID 2808 wrote to memory of 2460	2808	server.exe	34
PID 2808 wrote to memory of 2460	2808	server.exe	34
PID 2808 wrote to memory of 984	2808	server.exe	38
PID 2808 wrote to memory of 984	2808	server.exe	38
PID 2808 wrote to memory of 984	2808	server.exe	38
PID 2808 wrote to memory of 984	2808	server.exe	38
PID 2808 wrote to memory of 2996	2808	server.exe	39
PID 2808 wrote to memory of 2996	2808	server.exe	39
PID 2808 wrote to memory of 2996	2808	server.exe	39
PID 2808 wrote to memory of 2996	2808	server.exe	39
PID 2996 wrote to memory of 2232	2996	cmd.exe	41
PID 2996 wrote to memory of 2232	2996	cmd.exe	41
PID 2996 wrote to memory of 2232	2996	cmd.exe	41
PID 2996 wrote to memory of 2232	2996	cmd.exe	41
PID 2808 wrote to memory of 2228	2808	server.exe	42
PID 2808 wrote to memory of 2228	2808	server.exe	42
PID 2808 wrote to memory of 2228	2808	server.exe	42
PID 2808 wrote to memory of 2228	2808	server.exe	42
PID 2808 wrote to memory of 752	2808	server.exe	44
PID 2808 wrote to memory of 752	2808	server.exe	44
PID 2808 wrote to memory of 752	2808	server.exe	44
PID 2808 wrote to memory of 752	2808	server.exe	44
PID 2808 wrote to memory of 1804	2808	server.exe	47
PID 2808 wrote to memory of 1804	2808	server.exe	47
PID 2808 wrote to memory of 1804	2808	server.exe	47
PID 2808 wrote to memory of 1804	2808	server.exe	47
PID 2808 wrote to memory of 828	2808	server.exe	49
PID 2808 wrote to memory of 828	2808	server.exe	49
PID 2808 wrote to memory of 828	2808	server.exe	49
PID 2808 wrote to memory of 828	2808	server.exe	49
PID 752 wrote to memory of 352	752	cmd.exe	51
PID 752 wrote to memory of 352	752	cmd.exe	51
PID 752 wrote to memory of 352	752	cmd.exe	51
PID 752 wrote to memory of 352	752	cmd.exe	51
PID 752 wrote to memory of 352	752	cmd.exe	51
PID 752 wrote to memory of 352	752	cmd.exe	51
PID 752 wrote to memory of 352	752	cmd.exe	51
PID 1804 wrote to memory of 2132	1804	cmd.exe	52
PID 1804 wrote to memory of 2132	1804	cmd.exe	52
PID 1804 wrote to memory of 2132	1804	cmd.exe	52
PID 1804 wrote to memory of 2132	1804	cmd.exe	52
PID 1804 wrote to memory of 1972	1804	cmd.exe	53
PID 1804 wrote to memory of 1972	1804	cmd.exe	53
PID 1804 wrote to memory of 1972	1804	cmd.exe	53
PID 1804 wrote to memory of 1972	1804	cmd.exe	53
PID 1804 wrote to memory of 2056	1804	cmd.exe	54
PID 1804 wrote to memory of 2056	1804	cmd.exe	54
PID 1804 wrote to memory of 2056	1804	cmd.exe	54
PID 1804 wrote to memory of 2056	1804	cmd.exe	54
PID 1804 wrote to memory of 2760	1804	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Roaming\server.exe
  "C:\Users\Admin\AppData\Roaming\server.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3052
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall delete allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe"
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:636
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\server.exe" "server.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2460
- - C:\Users\Admin\AppData\Local\Temp\tmp454A.tmp.bat
    "C:\Users\Admin\AppData\Local\Temp\tmp454A.tmp.bat"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:984
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD95F.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown -s -t 1
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9BE.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2228
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9CF.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 USER32.DLL,SwapMouseButton
      4⤵
      System Location Discovery: System Language Discovery
      PID:352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD9EF.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1804
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2132
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2132 CREDAT:537601 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2684
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      PID:1972
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      PID:2056
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      PID:2760
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.sambaporno.com/
      4⤵
      PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDA0F.tmp.BAT" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:828

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1584

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp454A.tmp.bat

Filesize
100KB

MD5
6032ce8ceea46af873b78c1f323547da

SHA1
8c5bd4a70e0f21aeba41c07976ace2919b64fd80

SHA256
19dc8c66d04d1a1d781e59107e2a1db5fd6288761c9dfd0c6909e533e79d04e7

SHA512
3ada1663cb730f43b44e32ceade5d0b9cae20d1c20001691a1d226d99c82510e001581f67f5131d6c21e0e0cf98e5089c3d0f22a6a1e3347053ed73304ccc6fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD95F.tmp.BAT

Filesize
37B

MD5
1cbc3a2f81d4259e3bf61249711fec81

SHA1
7ba62560df466c6dcd794854a25aeb5b088968d8

SHA256
6a207f770478d59da0d2aa43a9719ef05b3f85c8c700400746ca3ab0463d08f0

SHA512
74ba85a391d769686c95001af6e29f9fe2ccaa4d119247fac31e65c8becda7be1ea9fa3eb9f2a06c1d48ac4b580ad8e63c14e06d94e8dd07b26129df7f1f4bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD9BE.tmp.BAT

Filesize
183B

MD5
ab45b6913751e20d60d6c9a44a229a66

SHA1
fbf98231ced1c5667bb8b83114ca2f83b044698f

SHA256
71385e3fb017bb452466ab1ad8764950c14a7af856d0ee8c147cf8f7f073b2ec

SHA512
b462bd82a58ff51d3351ae5168028439fe3dbfbaeb2465c8b300419fb5d9115eb2091aa6fe4e11cf30ba9ee37e3ef175211e5053d6fc7a3398deace787180f4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD9CF.tmp.BAT

Filesize
67B

MD5
1cc401169ef8cf1e8977f4e92dfe72c7

SHA1
d04c32295d4e563978fa0abb1b32ba52699cb08d

SHA256
32c699ebb7394ddb2d56f092ef10fde4d9f4bcf808dbe11bad777e7bc73f7aae

SHA512
076eb06d9fbf8bf1d6a4c5043d803ee7b5cf0307253de6358f8ea70e0bf240f5ae2208fbe9a44778e782e29c54751936f393ade6e292064d2134ed223506866b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD9EF.tmp.BAT

Filesize
83B

MD5
cc795c9c4a83aa1ede067f96f1eb8d15

SHA1
32b8e1c43787353f7d87514e279288aff5f7d4f6

SHA256
37d23694738615464be8a3234bcc59592987432c8863db67e30385b8bb3ef450

SHA512
ec0b8f6600b2b0443ea6f271fcf16804e380b6f51f3f74997dc5c53ed28ece8ece58a12686b451532ed31941a67fa075305314fba7fa8555a7fb8cf6424c6fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDA0F.tmp.BAT

Filesize
76B

MD5
18dc60bfb068d99a80fd22499ec5f252

SHA1
4939c87a7ff6456971aa4baf517646d3df2a7710

SHA256
3be1adc56cfae9722bfa25df2ed2b112349b7aa4d8088cbf694e560dd9e53817

SHA512
890ba3a69f516df93154b7534f2530a5004f9d6ccc01e4f59a434e4c2c49912cc2630d34afcb24a60208173a089b8934ace4acad4cc587d21988a150d9ad32e3

Download Submit
C:\Users\Admin\AppData\Roaming\app

Filesize
5B

MD5
bbcd2be775370c1e106e66d077a93f3b

SHA1
a44b6a98f30e3275fc304bc3b29e0eab8ae47f20

SHA256
a7aa76f137ba550c381cfb8e5195a01963ae49db167e1cd1e0a8b902ed81eda1

SHA512
bb6e0d1f24253a9525fd538debf8ca68eb7078cb8539140c184331a854ecdea192fbcc314c4154a0a474c9aec41a79efeb8150922454c3c9e71eeb5297ae2f72

Download Submit
C:\Users\Admin\AppData\Roaming\server.exe

Filesize
93KB

MD5
77e8ae03f54ed1ce413314dbb8e00435

SHA1
398ce9204237c30280dce2f3d6cfed34946383c0

SHA256
430d6a10f2a37a3a8957e5fabfda4f3c7fa9af76bc4b2c020638f023e06f0267

SHA512
6a679cd51e75ed9374cd17da763f180fd370e7d86fa88475a75eb1b07bd4f0e4f72b4fdf006345af3c0086a1978a358ade19a3ca422d892e41c3d0a47032b159

Download Submit
memory/984-36-0x0000000000020000-0x0000000000040000-memory.dmp

Filesize
128KB

Download
memory/2604-0-0x0000000074201000-0x0000000074202000-memory.dmp

Filesize
4KB

Download
memory/2604-14-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-2-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2604-1-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-27-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-28-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-16-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-17-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-15-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download
memory/2808-485-0x0000000074200000-0x00000000747AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads