xworm | a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

Analysis

max time kernel
1139s
max time network
1140s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 11:21

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

sv.exe
Size

63KB
MD5

c095a62b525e62244cad230e696028cf
SHA1

67232c186d3efe248b540f1f2fe3382770b5074a
SHA256

a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA512

5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
SSDEEP

1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM

Score

10^/10

xworm execution persistence rat trojan

Malware Config

Extracted

Family

xworm

amount-acceptance.gl.at.ply.gg:7420

Attributes

Install_directory
%ProgramData%
install_file
svhost.exe

Signatures

Detect Xworm Payload 11 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2968-1-0x0000000000BA0000-0x0000000000BB6000-memory.dmp	family_xworm
C:\ProgramData\svhost.exe	family_xworm
behavioral2/memory/792-40-0x0000000000F60000-0x0000000000F76000-memory.dmp	family_xworm
behavioral2/memory/940-48-0x0000000000CE0000-0x0000000000CF6000-memory.dmp	family_xworm
behavioral2/memory/1948-50-0x00000000011B0000-0x00000000011C6000-memory.dmp	family_xworm
behavioral2/memory/2140-55-0x00000000011C0000-0x00000000011D6000-memory.dmp	family_xworm
behavioral2/memory/2920-58-0x00000000013D0000-0x00000000013E6000-memory.dmp	family_xworm
behavioral2/memory/1904-75-0x0000000000AD0000-0x0000000000AE6000-memory.dmp	family_xworm
behavioral2/memory/1628-658-0x00000000001C0000-0x00000000001D6000-memory.dmp	family_xworm
behavioral2/memory/2604-1253-0x0000000000E70000-0x0000000000E86000-memory.dmp	family_xworm
behavioral2/memory/2908-1255-0x0000000000F10000-0x0000000000F26000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2976 powershell.exe
2672 powershell.exe
2784 powershell.exe
2524 powershell.exe

pid	process
2976	powershell.exe
2672	powershell.exe
2784	powershell.exe
2524	powershell.exe

Drops startup file 2 IoCs

Processes:

sv.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svhost.lnk	sv.exe

Executes dropped EXE 22 IoCs

Processes:

ohsgwv.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exemwjjla.exesqu674B.tmp.exesvhost.exesvhost.exesvhost.exesvhost.exe

pid	process
1788	ohsgwv.exe
792	svhost.exe
2320	svhost.exe
1312	svhost.exe
3032	svhost.exe
916	svhost.exe
1916	svhost.exe
940	svhost.exe
1948	svhost.exe
2604	svhost.exe
2824	svhost.exe
1604	svhost.exe
2140	svhost.exe
1920	svhost.exe
2920	svhost.exe
2540	svhost.exe
2916	mwjjla.exe
276	squ674B.tmp.exe
1904	svhost.exe
1628	svhost.exe
2604	svhost.exe
2908	svhost.exe

Loads dropped DLL 1 IoCs

Processes:

mwjjla.exe

pid process

2916 mwjjla.exe
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

sv.exe

description ioc process

Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe" sv.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
2916	mwjjla.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost = "C:\\ProgramData\\svhost.exe"	sv.exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{758BEE81-379E-11EF-BF0E-72CCAFC2F3F6} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad2c239da2cbe74ab4cf504f06708f2400000000020000000000106600000001000020000000936e1a06752b9a5945f814c9c1c1f8fc01e9f45797d68d66ce64a7fdc18a375d000000000e8000000002000020000000fac47c96f3901494eaff036a0ab6b88b9bf437f400667c775dc565e9bf55148d900000004b577a9b2b5e1024491dce66c590e545bc4f1596cf56f5b22bd9408f8bd1b7401834939dd20f4f8fc5b86ed354437b368f9bb1269c0eb3061017ff335eb5f5f676731ebdea6746fdd1fc440463bc9b93957bf9909d82afba0362c8b5774aea29173cf429c287356dd4c5219073d0f091c609f9d17b2976394510c8177e6170775e87cdf71510fe920d1ab41463ed8df040000000ff81ecc3c68fd80dc0d085c4c0fb9de0d426c2eafea1d5888a59a8bd6c4c3595ae1ce04876270a191e5556ebeb5474ed5be00d47e9f47f35daea791fd890f128	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ad2c239da2cbe74ab4cf504f06708f2400000000020000000000106600000001000020000000887530d7c4ed29ea58794e99cd128737610c6048a2c56d15688e63d54fa9e38a000000000e80000000020000200000003972f8fd0f1d1cfc3a36c51b16f9bff33dc55320937b2c26b77e72eaa155ec3620000000fcc853c3a5bff7787778714bd19d75343005ea33fa125943bc70001f296400f9400000006adc4eb18815f3ffb5f222fccf0e9de593738dd48026bfaef56dbe0c616fd99a3f047275edd441589e591be061384a1eaee2a08f71816b4d60a75f50f83b4c1d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b00b974aabcbda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425995786"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2108 schtasks.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

2976 powershell.exe
2672 powershell.exe
2784 powershell.exe
2524 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

sv.exe

pid process

2968 sv.exe

pid	process
2108	schtasks.exe

pid	process
2976	powershell.exe
2672	powershell.exe
2784	powershell.exe
2524	powershell.exe

pid	process
2968	sv.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

sv.exepowershell.exepowershell.exepowershell.exepowershell.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exeshutdown.exe

description	pid	process
Token: SeDebugPrivilege	2968	sv.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2968	sv.exe
Token: SeDebugPrivilege	792	svhost.exe
Token: SeDebugPrivilege	2320	svhost.exe
Token: SeDebugPrivilege	1312	svhost.exe
Token: SeDebugPrivilege	3032	svhost.exe
Token: SeDebugPrivilege	916	svhost.exe
Token: SeDebugPrivilege	1916	svhost.exe
Token: SeDebugPrivilege	940	svhost.exe
Token: SeDebugPrivilege	1948	svhost.exe
Token: SeDebugPrivilege	2604	svhost.exe
Token: SeDebugPrivilege	2824	svhost.exe
Token: SeDebugPrivilege	1604	svhost.exe
Token: SeDebugPrivilege	2140	svhost.exe
Token: SeDebugPrivilege	1920	svhost.exe
Token: SeDebugPrivilege	2920	svhost.exe
Token: SeDebugPrivilege	2540	svhost.exe
Token: SeDebugPrivilege	1904	svhost.exe
Token: SeDebugPrivilege	1628	svhost.exe
Token: SeDebugPrivilege	2604	svhost.exe
Token: SeDebugPrivilege	2908	svhost.exe
Token: SeShutdownPrivilege	1052	shutdown.exe
Token: SeRemoteShutdownPrivilege	1052	shutdown.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2776 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2776 iexplore.exe
2776 iexplore.exe
1536 IEXPLORE.EXE
1536 IEXPLORE.EXE
1536 IEXPLORE.EXE
1536 IEXPLORE.EXE

pid	process
2776	iexplore.exe

pid	process
2776	iexplore.exe
2776	iexplore.exe
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE
1536	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sv.exetaskeng.exe

description	pid	process	target process
PID 2968 wrote to memory of 2976	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2976	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2976	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2672	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2672	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2672	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2784	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2784	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2784	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2524	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2524	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2524	2968	sv.exe	powershell.exe
PID 2968 wrote to memory of 2108	2968	sv.exe	schtasks.exe
PID 2968 wrote to memory of 2108	2968	sv.exe	schtasks.exe
PID 2968 wrote to memory of 2108	2968	sv.exe	schtasks.exe
PID 324 wrote to memory of 792	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 792	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 792	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2320	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2320	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2320	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1312	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1312	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1312	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 3032	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 3032	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 3032	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 916	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 916	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 916	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1916	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1916	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1916	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 940	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 940	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 940	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1948	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1948	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1948	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2604	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2604	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2604	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2824	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2824	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2824	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1604	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1604	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1604	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2140	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2140	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2140	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1920	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1920	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 1920	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2920	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2920	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2920	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2540	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2540	324	taskeng.exe	svhost.exe
PID 324 wrote to memory of 2540	324	taskeng.exe	svhost.exe
PID 2968 wrote to memory of 2916	2968	sv.exe	mwjjla.exe
PID 2968 wrote to memory of 2916	2968	sv.exe	mwjjla.exe
PID 2968 wrote to memory of 2916	2968	sv.exe	mwjjla.exe
PID 2968 wrote to memory of 2916	2968	sv.exe	mwjjla.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\sv.exe
"C:\Users\Admin\AppData\Local\Temp\sv.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Users\Admin\AppData\Local\Temp\ohsgwv.exe
"C:\Users\Admin\AppData\Local\Temp\ohsgwv.exe"
2⤵
- Executes dropped EXE
PID:1788

C:\Users\Admin\AppData\Local\Temp\mwjjla.exe
"C:\Users\Admin\AppData\Local\Temp\mwjjla.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916

C:\Users\Admin\AppData\Local\Temp\squ674B.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\squ674B.tmp.exe" --setup "C:\Users\Admin\AppData\Local\Temp\squ674C.tmp.nupkg"
3⤵
- Executes dropped EXE
PID:276

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\zmnsua.html
2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2776

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2776 CREDAT:275457 /prefetch:2
3⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1536

C:\Windows\system32\shutdown.exe
shutdown.exe /f /s /t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\system32\taskeng.exe
taskeng.exe {1D2C79A0-8640-44FE-9564-3201E42F6AA8} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:324

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:792

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2320

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1312

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1916

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:940

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1948

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1604

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2140

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1920

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2920

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1628

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\ProgramData\svhost.exe
C:\ProgramData\svhost.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2136

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2384

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svhost.exe
Filesize
63KB

MD5
c095a62b525e62244cad230e696028cf

SHA1
67232c186d3efe248b540f1f2fe3382770b5074a

SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6

SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
Filesize
252B

MD5
3e18efb0052858664347bf99d224d77e

SHA1
467f8b8923622185e827daa3be0df50ee22583dd

SHA256
eb33164d16c075a6622f73dbca721b5eebd61fe299c86b9eb862179cd54bf2d9

SHA512
7b1784c2105523eabe6007c732c4bb853ebcac568eb9bb61c82ce9c9183e0561864e2cae31999b77addaa423a0c1762ff75fc4a9489f5d599524f3a7bbeca219

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f81a933f3a0ef96777df0c7512ec7a26

SHA1
9d26c2d5e28e3992c286e9a82ab35729d1fa9137

SHA256
c14d373ffc133040380b020c46833d201f1db086096e790c03df10edca8356cc

SHA512
922f56a43b8e105b5b5eec35aec1dfe1ac3fc5b8326f9b995abbc6962b1cac35834e4c2f44a4978ea1c185b6da9fbbd9ffa6fcb9834c22a621808c56935f69f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e989732efa8ac64d7eeff5629111be3c

SHA1
cdd8395e45eae4f91f691e5b3537fea05ca99290

SHA256
ffa05226a59dbfe8e0abeab3eb8540648ab91c58d0a8dd51f59480af4749397f

SHA512
f293da9b4b79ca8515a4fab19705ee847a1f06d1459513640dcf2e747b1c950d52b02fafc34236d9b9775a1d9ebf9bda5a629583567c52fa863bfcf7f9015789

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
3eb02292a00cf9710079c67b87b51287

SHA1
9d0974fcb2543d8d5eeb901e56a9d80687bc3992

SHA256
f7acee57a485dce44aa520af09d2c7304b24d89e9a2e53c65201eb3e53c321bd

SHA512
d09ebb067c7943f2a816100f527246ddbf523bfb90247462ce0f5e99b324028e3e7591e9e3647687075d039bcef67615b490d8969d34b8078d160bfa7de3d924

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4046a1a41cfb13f5371383c8d0bfb272

SHA1
768ce6aba2254f29b3b039c28fc37ba959eb61ff

SHA256
2a3c31944e243150250186284e75da22bc084fcb70802460ca28ce09d5a9a0cd

SHA512
091e389553956bf81a0df950ffd0b25c50b2f5f4ae3c96a44d0bc1b1f7fd0dc4fda2601f248645551d4504a1871e667c97128cd30da68732f7a593bb373809a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2e1cb8b84824bc9ba2216bb5a7c4e108

SHA1
e122673b67b5d93e9b4f37cf4074f2a70b103469

SHA256
4034f402e00fd57e2cc25980dd5f249657f8ce44732e94942b9c24fe2bc38701

SHA512
28d1b619a0f77a8a4be79d191dfcc5a6826c7ae2232f55eaf3a3e359ac5d3fdab0c59f74eee9802e18bddf453781ecf4ba702ce14e489e1cb6e4241c1e69b787

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
8a96913f14ca43f0598964f74bf14b9c

SHA1
7bcefa5c8c0f08199fde8de5fb1806b6816f3b37

SHA256
e8c99d95d19ce9e2782c5a6f7d06acf27aba6689083c7962e29a7f6e8fb07ea7

SHA512
526ff84f0bf96ad2678829f3eef6fc22b5b565fd2d81ec897e002fb71c127c8b0bf97a759ac290cd9e8ea8fd3b07a820782f4b98f8444ecf34088da616b18e26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
cdc50fa499e6145fddc0bd713ec732ae

SHA1
07956258afb4b36ba2f1af07b635939ce71a2c8e

SHA256
07789a68a1764d1b14c4d02cc99e12d08428a7bb4e59fb8943a0fc7e542f9781

SHA512
6b4a2f4ce14ae560cfb594453e07787d081358e563a311c4b9b94fcdc3be2a37a436cf19edf6d3e85421dfced6f03a8cf538bc9bb659bf12012d1e34ab5f5b15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
65c02ae8a15a80aed781c9b51ca5af85

SHA1
1d34bd4dbc5a16947ed383dae9a15185b1ab9470

SHA256
6421e0939dbe2b08e793c9d790ca88c532a22ba63e4095505fa5806d0ae89575

SHA512
3c0106d5067defc082d2b283ffe2a55247b582e1c6628d56ad29033f6ca826f212974a3550b63e71fd5b065d420753b6ac0d1804d7257d983c2ad90acea6c352

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b00a354d8cf603d835a665657590247f

SHA1
f0c77ab4a9d070c63575d6162eebaa702f20632b

SHA256
37b78978dc8317b169b1a227a35ca500a342b1745e361decc75e38e53af30fd3

SHA512
d0e28cccbf117f5d4c7b90f941acee414770dcf85f6d0d5e6498f0f36d7d1438af7deeaaafa6ab0a2ad1eb3254df81f5268ae12bc22e74f695640074ca1d67e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
2b2d00b410cdc0f6cf99da3d6c813cd3

SHA1
42d47018888d013aee14c253a22b9f01beaa0389

SHA256
4d469eeac2b364a6d9e0894335f5c1b6d93ed0b1e03c0d0fc633379d15cbc18e

SHA512
8ffa2226ff025bb7eb52ac5fb320f25540edbe6ec258fda9539e86e4f20e23acfcd345b61e6380e68820c763ac244ce245d32ed604e18dd4ef1136828750530c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
fbc191272d669f1eabda83b134d38dcf

SHA1
f220f89d6112b5698c73fd78ee6b2680119a2dd9

SHA256
1ec1420dea369005f69988594be3da767383f1c4de3ecddc3cda3de667d23b7f

SHA512
3766f7a28e2535859eaee8f50a18809be0711d3bdb915ebd22cb630c8bbab8ad9cacac208487dc9b9d5a09ec54c7b38b2596316ecf7f293eb9cfb31b6f702a8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
6b51cea726c869cfaea58ad8b656e40d

SHA1
b84b10a9fc56542cdfa348f1d31671fdf83a92ef

SHA256
13a638c3c3714fbcebe9e06fcabd2449dcba604ca9545a3a8df1c5663631723e

SHA512
184f75027643c467d7effec6b6cf36418c64c44167de5c8b5152a2efe46f1d0f1b7ea26b38e782c43bcba4f86e6fc157bbbd72c33d2b61767040edfd65ae9319

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5a704cd84191dde4f5e6b0b49790ea49

SHA1
4904471c486c91955d78ce24942b92eafe12288a

SHA256
eba4b00c8be39f52690248389a9360890df75bfc7264aa03d850e00b2c0fc8b6

SHA512
9fe5c5c4c59674a69104f33b03f051e6359ad4cef1b1000b0fd82e857b93740a605c0894cac6e1fec2d38adb60c349c1490ef07c5fa5bc33495eb83d500aca5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
b0e673ba2477fbd93e39f8d54855cb6c

SHA1
a8ecff4f34b403014c256e2ad0e5b073f51c4b7a

SHA256
97c569ef981ebc4c4ad09a24efa404cd893c3a6eaf86b2792a0392810bcf482c

SHA512
3c13c250f38ec0ea4ccd41060e2cbc59db13c0f55e79fafa10ffdd332f9907df5aba36d19512ffa404e4f70c466bb02dc4751486e3ad51b233e4919b4e9a70d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
64eff5e63d3c8b99e70afef81bfd621e

SHA1
1f68975e202ce39ed30c616a0b30ce7abc1da96a

SHA256
87cebebb521e17d86e39ede5c42f30f8217397bde34c2bc0f5cb7fc8c50123cd

SHA512
e6067fd584cf9e73f78d1c0354df6dec89a20c8ad350e68567e24e617eaf2cba4f807701e9d4d060cc03126ca9b81a2333cb61221ea5f31c8cda5aef42505638

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a8e9e90652468d24c78559e3effa3d7c

SHA1
56304363dfb9fba718cef92363053c16a1a3e775

SHA256
dfd66c88d7600db4062d3d4eaa822dce3b6e0123a1e99526e492287112ea6483

SHA512
b39410bab7ec0bef52ce4e4763a3b2f814bf94606ea78f4de784d7f802086d9a3d5a7263df08bf5f318aa892a293b4c2602d60078306bef3fa261fbf9d5817c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5585b334e8ac1ae7d29062115a99f602

SHA1
a4bf24eb021d1e7c9c35ab56006cc11508a908de

SHA256
bf036dbe8dd37794cbc0ba2fc1f137b49a3693827a495e9827c862be13b4cb0f

SHA512
c32ea127f4e46fa61a9ff22961974556cb0ccd547d4df655e9326bbaecc3fa25c2282e0b91dd2a5d455c1bdfffa65f623d807aaf5f5cd11a12216e7337506163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
4b792991a3ec99bbdb8805e0740f0f0e

SHA1
f922662857f5c55a617c394491e1db82e94a35e0

SHA256
7ff07bc1fc340b1b772ffd0c987aeceb28d4e0de03c591d6d03fdce4910f1e49

SHA512
301af37118cf0334c7acd50658783e7032d3841b77091e3f8978a76dcb010cdc535db7706d0d6939089ba0aa3491d9c7399feaf24cf3e572a9b0d3ea1b488ff4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
35a68f664e13e831be13796aecad5fc7

SHA1
31781788086d32fcaa52c7cc3eb7ee17a8f5967d

SHA256
3bf3dc9814323fe57f9b17bdc98c52e83a05c32cd47b27f90526d09d7c33e974

SHA512
0cae0b40dc720b135b04e32b0a4e68552d46bd137f29dc2a309758dd6210a95e5726a6f77a3f22c395ee05e91d6a7155c10c6bd186864fbbb970a2640b41905d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize
242B

MD5
1898a9bb9da393840846f4818f7f5258

SHA1
7c63a7e5beff5c56f34b76264b2329babe9ed8de

SHA256
8b75c900ca37754e9c852a2cfbfe1ea5bd4b3ce1c4764d1b588ed05e321cd710

SHA512
2d1310a53777bc5c41ebe084a0b0586a6e79a7d74685bf119f89fd2e214c342bcfbd083bb270c2d677b45b51f14dd39aab3a298724d4b530c5818b2b1ac53198

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6CDD.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ohsgwv.exe
Filesize
8.0MB

MD5
780d9df36221ccd24716da39ee3e2708

SHA1
3a2e4f8bc401856f1870e9fd3a3977044db68729

SHA256
f765d1d4012f47223a47c5992da55066e81d76b0714eb347ca6a54c55f4e374c

SHA512
36b1df97a9b0a3ae9cae704f722537c877c6b8a091c513be66bd16645cdf9ab424912e6dac3ddfbbf9419a9d0acc17113dec88418b8134e641a87028e8e4d6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zmnsua.html
Filesize
25.6MB

MD5
93ff3422fefbc1976fdc11c4fe15169b

SHA1
e6be4b9a96a28a7d32cad1ceda04c8edeb4f5a9a

SHA256
cd3dea6e79c0f9dda0f16a608ff04dc41dde17b3b6f3ce42d9018be839f058da

SHA512
8cdaee06dad6babd133853d59d511957e4ba056c5cf24200db1996d05be2d53d4711649316ea352912da5fb5c6f0080a77a7d645d14af6448a4b1e1c33343589

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
805c1eb02ad0b145bf6d0bea55c1aa7a

SHA1
3687cc1da9315bfe8da4ceac2c516898ee924c31

SHA256
29b2256210284cc7b27d1bedb690f7d43a4ff3121a8a87b0bdc9034e8d292d58

SHA512
e42e419fafb1205ecb22fc9e753c77f7f5d11cceee580bb092ec3255ea6cf0fe78ae1c820614ef318400c68758f09d0cff36d2478c9edc5cec1a3fab4444f753

Download Submit
\Users\Admin\AppData\Local\Temp\squ674B.tmp.exe
Filesize
12.1MB

MD5
19f260fd99cee82277338002e98b8729

SHA1
a2b688cde0c316fa40534aac2c34d53ea73de84b

SHA256
68376cde6708b39994c9d5d2d28097d4d6fb79f867f68298751ea3d3d854832d

SHA512
74d6e423e22f1f706fe72d0beab24eb4d0b87996746c0886234a572a6688c78919a2cc613594ee159723e06e9eaff3d0c78361542e7fa3acb7e4611f6c237c52

Download Submit
memory/792-40-0x0000000000F60000-0x0000000000F76000-memory.dmp

Filesize
88KB

Download
memory/940-48-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

Filesize
88KB

Download
memory/1628-658-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/1904-75-0x0000000000AD0000-0x0000000000AE6000-memory.dmp

Filesize
88KB

Download
memory/1948-50-0x00000000011B0000-0x00000000011C6000-memory.dmp

Filesize
88KB

Download
memory/2140-55-0x00000000011C0000-0x00000000011D6000-memory.dmp

Filesize
88KB

Download
memory/2604-1253-0x0000000000E70000-0x0000000000E86000-memory.dmp

Filesize
88KB

Download
memory/2672-15-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/2672-14-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2908-1255-0x0000000000F10000-0x0000000000F26000-memory.dmp

Filesize
88KB

Download
memory/2920-58-0x00000000013D0000-0x00000000013E6000-memory.dmp

Filesize
88KB

Download
memory/2968-30-0x000000001B120000-0x000000001B1A0000-memory.dmp

Filesize
512KB

Download
memory/2968-31-0x000007FEF5CE3000-0x000007FEF5CE4000-memory.dmp

Filesize
4KB

Download
memory/2968-36-0x000000001B120000-0x000000001B1A0000-memory.dmp

Filesize
512KB

Download
memory/2968-0-0x000007FEF5CE3000-0x000007FEF5CE4000-memory.dmp

Filesize
4KB

Download
memory/2968-77-0x000000001A2E0000-0x000000001A2F0000-memory.dmp

Filesize
64KB

Download
memory/2968-1-0x0000000000BA0000-0x0000000000BB6000-memory.dmp

Filesize
88KB

Download
memory/2976-7-0x000000001B8D0000-0x000000001BBB2000-memory.dmp

Filesize
2.9MB

Download
memory/2976-6-0x00000000029D0000-0x0000000002A50000-memory.dmp

Filesize
512KB

Download
memory/2976-8-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads