d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 04:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe
Size

267KB
MD5

06e2f2b76a12acc1673f3bc5d2b6e0dd
SHA1

823a535162560825c1b766f40049acf2c0fdfbbb
SHA256

d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da
SHA512

f75069e7fbeb0242240ca2aa161c27b6bad7f4152a2e31fd65b467c5b545d095e7d5448404591233d954ace9d952441979154525420edee31c360ae8984598bf
SSDEEP

6144:XbfO3SlNyTkyhlx0kRujRYO4VYAtHJ3DFLjxIE++/gAxcbibMoS6:LfIST8kk0kMlCPTvXxKXoS6

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe = "C:\\Users\\Admin\\AppData\\Roaming\\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winlogon.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe

Executes dropped EXE 3 IoCs

pid	Process
1712	winlogon.exe
1364	winlogon.exe
1168	winlogon.exe

UPX packed file 23 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
	upx
behavioral1/memory/816-56-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral1/files/0x000800000001420e-61.dat	upx
behavioral1/files/0x000800000001420e-62.dat	upx
behavioral1/files/0x000800000001420e-64.dat	upx
behavioral1/files/0x000800000001420e-65.dat	upx
behavioral1/files/0x000800000001420e-63.dat	upx
behavioral1/files/0x000800000001420e-67.dat	upx
behavioral1/memory/816-68-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral1/files/0x000800000001420e-71.dat	upx
behavioral1/memory/1712-72-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral1/memory/1364-73-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1364-77-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/files/0x000800000001420e-75.dat	upx
behavioral1/memory/1364-78-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1168-80-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1712-85-0x0000000000400000-0x000000000057E000-memory.dmp	upx
behavioral1/files/0x000800000001420e-83.dat	upx
behavioral1/memory/1168-86-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1168-88-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1364-101-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral1/memory/1168-100-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/1364-103-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Loads dropped DLL 5 IoCs

pid	Process
816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe
816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe
816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe
816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe
816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Winlogon = "C:\\Users\\Admin\\AppData\\Roaming\\winlogon.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1712 set thread context of 1364	1712	winlogon.exe	31
PID 1712 set thread context of 1168	1712	winlogon.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
880	reg.exe
1312	reg.exe
1584	reg.exe
1900	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: SeDebugPrivilege	1168	winlogon.exe
Token: 1	1364	winlogon.exe
Token: SeCreateTokenPrivilege	1364	winlogon.exe
Token: SeAssignPrimaryTokenPrivilege	1364	winlogon.exe
Token: SeLockMemoryPrivilege	1364	winlogon.exe
Token: SeIncreaseQuotaPrivilege	1364	winlogon.exe
Token: SeMachineAccountPrivilege	1364	winlogon.exe
Token: SeTcbPrivilege	1364	winlogon.exe
Token: SeSecurityPrivilege	1364	winlogon.exe
Token: SeTakeOwnershipPrivilege	1364	winlogon.exe
Token: SeLoadDriverPrivilege	1364	winlogon.exe
Token: SeSystemProfilePrivilege	1364	winlogon.exe
Token: SeSystemtimePrivilege	1364	winlogon.exe
Token: SeProfSingleProcessPrivilege	1364	winlogon.exe
Token: SeIncBasePriorityPrivilege	1364	winlogon.exe
Token: SeCreatePagefilePrivilege	1364	winlogon.exe
Token: SeCreatePermanentPrivilege	1364	winlogon.exe
Token: SeBackupPrivilege	1364	winlogon.exe
Token: SeRestorePrivilege	1364	winlogon.exe
Token: SeShutdownPrivilege	1364	winlogon.exe
Token: SeDebugPrivilege	1364	winlogon.exe
Token: SeAuditPrivilege	1364	winlogon.exe
Token: SeSystemEnvironmentPrivilege	1364	winlogon.exe
Token: SeChangeNotifyPrivilege	1364	winlogon.exe
Token: SeRemoteShutdownPrivilege	1364	winlogon.exe
Token: SeUndockPrivilege	1364	winlogon.exe
Token: SeSyncAgentPrivilege	1364	winlogon.exe
Token: SeEnableDelegationPrivilege	1364	winlogon.exe
Token: SeManageVolumePrivilege	1364	winlogon.exe
Token: SeImpersonatePrivilege	1364	winlogon.exe
Token: SeCreateGlobalPrivilege	1364	winlogon.exe
Token: 31	1364	winlogon.exe
Token: 32	1364	winlogon.exe
Token: 33	1364	winlogon.exe
Token: 34	1364	winlogon.exe
Token: 35	1364	winlogon.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe
1712	winlogon.exe
1364	winlogon.exe
1364	winlogon.exe
1168	winlogon.exe
1364	winlogon.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 1736	816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe	27
PID 816 wrote to memory of 1736	816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe	27
PID 816 wrote to memory of 1736	816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe	27
PID 816 wrote to memory of 1736	816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe	27
PID 1736 wrote to memory of 960	1736	cmd.exe	29
PID 1736 wrote to memory of 960	1736	cmd.exe	29
PID 1736 wrote to memory of 960	1736	cmd.exe	29
PID 1736 wrote to memory of 960	1736	cmd.exe	29
PID 816 wrote to memory of 1712	816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe	30
PID 816 wrote to memory of 1712	816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe	30
PID 816 wrote to memory of 1712	816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe	30
PID 816 wrote to memory of 1712	816	d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe	30
PID 1712 wrote to memory of 1364	1712	winlogon.exe	31
PID 1712 wrote to memory of 1364	1712	winlogon.exe	31
PID 1712 wrote to memory of 1364	1712	winlogon.exe	31
PID 1712 wrote to memory of 1364	1712	winlogon.exe	31
PID 1712 wrote to memory of 1364	1712	winlogon.exe	31
PID 1712 wrote to memory of 1364	1712	winlogon.exe	31
PID 1712 wrote to memory of 1364	1712	winlogon.exe	31
PID 1712 wrote to memory of 1364	1712	winlogon.exe	31
PID 1712 wrote to memory of 1364	1712	winlogon.exe	31
PID 1712 wrote to memory of 1168	1712	winlogon.exe	32
PID 1712 wrote to memory of 1168	1712	winlogon.exe	32
PID 1712 wrote to memory of 1168	1712	winlogon.exe	32
PID 1712 wrote to memory of 1168	1712	winlogon.exe	32
PID 1712 wrote to memory of 1168	1712	winlogon.exe	32
PID 1712 wrote to memory of 1168	1712	winlogon.exe	32
PID 1712 wrote to memory of 1168	1712	winlogon.exe	32
PID 1712 wrote to memory of 1168	1712	winlogon.exe	32
PID 1712 wrote to memory of 1168	1712	winlogon.exe	32
PID 1364 wrote to memory of 672	1364	winlogon.exe	33
PID 1364 wrote to memory of 672	1364	winlogon.exe	33
PID 1364 wrote to memory of 672	1364	winlogon.exe	33
PID 1364 wrote to memory of 672	1364	winlogon.exe	33
PID 1364 wrote to memory of 1996	1364	winlogon.exe	34
PID 1364 wrote to memory of 1996	1364	winlogon.exe	34
PID 1364 wrote to memory of 1996	1364	winlogon.exe	34
PID 1364 wrote to memory of 1996	1364	winlogon.exe	34
PID 1364 wrote to memory of 1188	1364	winlogon.exe	36
PID 1364 wrote to memory of 1188	1364	winlogon.exe	36
PID 1364 wrote to memory of 1188	1364	winlogon.exe	36
PID 1364 wrote to memory of 1188	1364	winlogon.exe	36
PID 1364 wrote to memory of 1704	1364	winlogon.exe	39
PID 1364 wrote to memory of 1704	1364	winlogon.exe	39
PID 1364 wrote to memory of 1704	1364	winlogon.exe	39
PID 1364 wrote to memory of 1704	1364	winlogon.exe	39
PID 1996 wrote to memory of 1312	1996	cmd.exe	41
PID 1996 wrote to memory of 1312	1996	cmd.exe	41
PID 1996 wrote to memory of 1312	1996	cmd.exe	41
PID 1996 wrote to memory of 1312	1996	cmd.exe	41
PID 672 wrote to memory of 1584	672	cmd.exe	42
PID 672 wrote to memory of 1584	672	cmd.exe	42
PID 672 wrote to memory of 1584	672	cmd.exe	42
PID 672 wrote to memory of 1584	672	cmd.exe	42
PID 1704 wrote to memory of 1900	1704	cmd.exe	43
PID 1704 wrote to memory of 1900	1704	cmd.exe	43
PID 1704 wrote to memory of 1900	1704	cmd.exe	43
PID 1704 wrote to memory of 1900	1704	cmd.exe	43
PID 1188 wrote to memory of 880	1188	cmd.exe	44
PID 1188 wrote to memory of 880	1188	cmd.exe	44
PID 1188 wrote to memory of 880	1188	cmd.exe	44
PID 1188 wrote to memory of 880	1188	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe
"C:\Users\Admin\AppData\Local\Temp\d98dee41146be954611c93a73c3f695d4f39d6533139e0ea45d9eebc7fdd48da.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:816
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\LAGLG.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Winlogon" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe" /f
    3⤵
    - Adds Run key to start application
    PID:960
- C:\Users\Admin\AppData\Roaming\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Users\Admin\AppData\Roaming\winlogon.exe
    winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1364
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:672
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1584
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winlogon.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winlogon.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1312
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1188
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:880
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1704
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\darkeye-nosttingspersistent2.exe:*:Enabled:Windows Messanger" /f
        5⤵
        Modifies firewall policy service
        Modifies registry key
        
        PID:1900
- - C:\Users\Admin\AppData\Roaming\winlogon.exe
    C:\Users\Admin\AppData\Roaming\winlogon.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\LAGLG.bat

Filesize
138B

MD5
4da6717f2c70f4bd32ad33a227a2ff47

SHA1
3d7f7159e1f695bd469287d1ad4ffa0841b407a8

SHA256
a12bb2e5d2fb0b3c400ce311fae72995a00b57a97d23e4b9effec47cff189d07

SHA512
6765314054ad9bf2164058248f3d3a17775176925abbe4376aec030dca3a5e59be8b9e96139941fec2b2e1a9bff38f87abdb29ea09a299d8ab7e23ecec4083df

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
267KB

MD5
b64e24180fac6fb2213979c9a865a793

SHA1
fe91a76f2008b762584eea35cc54e08ca0a72c35

SHA256
f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76

SHA512
0c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
267KB

MD5
b64e24180fac6fb2213979c9a865a793

SHA1
fe91a76f2008b762584eea35cc54e08ca0a72c35

SHA256
f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76

SHA512
0c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
267KB

MD5
b64e24180fac6fb2213979c9a865a793

SHA1
fe91a76f2008b762584eea35cc54e08ca0a72c35

SHA256
f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76

SHA512
0c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112

Download Submit
C:\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
267KB

MD5
b64e24180fac6fb2213979c9a865a793

SHA1
fe91a76f2008b762584eea35cc54e08ca0a72c35

SHA256
f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76

SHA512
0c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
267KB

MD5
b64e24180fac6fb2213979c9a865a793

SHA1
fe91a76f2008b762584eea35cc54e08ca0a72c35

SHA256
f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76

SHA512
0c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
267KB

MD5
b64e24180fac6fb2213979c9a865a793

SHA1
fe91a76f2008b762584eea35cc54e08ca0a72c35

SHA256
f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76

SHA512
0c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
267KB

MD5
b64e24180fac6fb2213979c9a865a793

SHA1
fe91a76f2008b762584eea35cc54e08ca0a72c35

SHA256
f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76

SHA512
0c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
267KB

MD5
b64e24180fac6fb2213979c9a865a793

SHA1
fe91a76f2008b762584eea35cc54e08ca0a72c35

SHA256
f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76

SHA512
0c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112

Download Submit
\Users\Admin\AppData\Roaming\winlogon.exe

Filesize
267KB

MD5
b64e24180fac6fb2213979c9a865a793

SHA1
fe91a76f2008b762584eea35cc54e08ca0a72c35

SHA256
f44edc671fdbb68ff28a67358790f58c021607c0a1d433fc7ae07e77fbd62b76

SHA512
0c07604f38cf2afc9f494e3bbc29ac3c8462fb7aa1019a8360ec90a3369088e919d43e247adf297682e76bf41057b4757e93aae68f5c7d858cc06cc7073c3112

Download Submit
memory/816-68-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/816-56-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/816-57-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1168-100-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1168-88-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1168-80-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1168-86-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/1364-78-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1364-77-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1364-103-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1364-73-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1364-101-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1712-72-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download
memory/1712-85-0x0000000000400000-0x000000000057E000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads