c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

Analysis

max time kernel
22s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 16:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Size

234KB
MD5

0ddc10ad8df32ca33019204a3547b127
SHA1

ffc5827d3450c36686a116d7a42bd2b77b36f1ae
SHA256

c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e
SHA512

e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8
SSDEEP

3072:k9wShh9nsKHcQZYxIs1T+Z3edjHDN4HZ4s8ENObhb5npLdnUInuy+iMS3h0qmr:kThh9sKHRFnWs8ENOblJUIurS3h0qW

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	svchost.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	svchost.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 12 IoCs

pid	Process
1972	lsass.exe
540	smss.exe
636	svchost.exe
3584	lsass.exe
1156	smss.exe
364	svchost.exe
4228	lsass.exe
1252	smss.exe
3532	svchost.exe
2296	lsass.exe
2388	smss.exe
316	svchost.exe

Sets file execution options in registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe

Windows security modification 2 TTPs 16 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run\	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	svchost.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\N:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\S:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\E:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\I:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\L:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\R:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\Y:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\G:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\O:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\Q:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\Z:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\H:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\W:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\V:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\F:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\M:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\T:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\U:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\X:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\J:	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\V:	svchost.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	svchost.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\copy.pif	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\SysWOW64\copy.pif	lsass.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	smss.exe
File created	C:\Windows\SysWOW64\Oeminfo.ini	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	lsass.exe
File opened for modification	C:\Windows\SysWOW64\Oeminfo.ini	svchost.exe
File created	C:\Windows\SysWOW64\copy.pif	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	smss.exe
File opened for modification	C:\Windows\SysWOW64\Oeminfo.ini	smss.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	svchost.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	svchost.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File created	C:\Windows\SysWOW64\surif.bin	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File created	C:\Windows\SysWOW64\copy.pif	smss.exe
File opened for modification	C:\Windows\SysWOW64\copy.pif	smss.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	lsass.exe
File opened for modification	C:\Windows\SysWOW64\copy.pif	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Oeminfo.ini	lsass.exe
File created	C:\Windows\SysWOW64\_default.pif	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe

Drops file in Windows directory 55 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\csrss.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File created	C:\Windows\system\smss.exe	lsass.exe
File opened for modification	C:\Windows\win32.exe	svchost.exe
File created	C:\Windows\system\winlogon.exe	smss.exe
File opened for modification	C:\Windows\system\winlogon.exe	svchost.exe
File created	C:\Windows\system\svchost.exe	lsass.exe
File opened for modification	C:\Windows\.exe	smss.exe
File created	C:\Windows\system\smss.exe	smss.exe
File created	C:\Windows\system\lsass.exe	lsass.exe
File opened for modification	C:\Windows\ActiveX.exe	smss.exe
File opened for modification	C:\Windows\.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File created	C:\Windows\win32.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\system\lsass.exe	lsass.exe
File opened for modification	C:\Windows\system\smss.exe	smss.exe
File created	C:\Windows\system\svchost.exe	svchost.exe
File opened for modification	C:\Windows\system\csrss.exe	svchost.exe
File opened for modification	C:\Windows\system\svchost.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\win32.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File created	C:\Windows\system\csrss.exe	lsass.exe
File opened for modification	C:\Windows\system\csrss.exe	lsass.exe
File opened for modification	C:\Windows\win32.exe	lsass.exe
File created	C:\Windows\system\csrss.exe	smss.exe
File created	C:\Windows\system\svchost.exe	smss.exe
File created	C:\Windows\system\smss.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\system\lsass.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File created	C:\Windows\system\winlogon.exe	lsass.exe
File created	C:\Windows\system\lsass.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\system\winlogon.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\system\lsass.exe	svchost.exe
File created	C:\Windows\system\smss.exe	svchost.exe
File created	C:\Windows\system\winlogon.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\system\svchost.exe	svchost.exe
File created	C:\Windows\system\lsass.exe	svchost.exe
File opened for modification	C:\Windows\system\winlogon.exe	smss.exe
File opened for modification	C:\Windows\system\svchost.exe	smss.exe
File opened for modification	C:\Windows\ActiveX.exe	svchost.exe
File opened for modification	C:\Windows\system\smss.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\.exe	lsass.exe
File created	C:\Windows\system\lsass.exe	smss.exe
File opened for modification	C:\Windows\system\lsass.exe	smss.exe
File created	C:\Windows\system\winlogon.exe	svchost.exe
File created	C:\Windows\system\csrss.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\ActiveX.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\system\svchost.exe	lsass.exe
File created	C:\Windows\.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\system\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\win32.exe	smss.exe
File opened for modification	C:\Windows\.exe	svchost.exe
File created	C:\Windows\system\csrss.exe	svchost.exe
File opened for modification	C:\Windows\system\smss.exe	svchost.exe
File created	C:\Windows\system\svchost.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\system\smss.exe	lsass.exe
File opened for modification	C:\Windows\system\csrss.exe	smss.exe
File created	C:\Windows\ActiveX.exe	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
File opened for modification	C:\Windows\ActiveX.exe	lsass.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1972	lsass.exe
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
636	svchost.exe
540	smss.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
1972	lsass.exe
540	smss.exe
636	svchost.exe
3584	lsass.exe
1156	smss.exe
4228	lsass.exe
364	svchost.exe
1252	smss.exe
3532	svchost.exe
2296	lsass.exe
2388	smss.exe
316	svchost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4900 wrote to memory of 1972	4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe	81
PID 4900 wrote to memory of 1972	4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe	81
PID 4900 wrote to memory of 1972	4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe	81
PID 4900 wrote to memory of 540	4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe	82
PID 4900 wrote to memory of 540	4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe	82
PID 4900 wrote to memory of 540	4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe	82
PID 4900 wrote to memory of 636	4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe	83
PID 4900 wrote to memory of 636	4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe	83
PID 4900 wrote to memory of 636	4900	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe	83
PID 540 wrote to memory of 3584	540	smss.exe	84
PID 540 wrote to memory of 3584	540	smss.exe	84
PID 540 wrote to memory of 3584	540	smss.exe	84
PID 540 wrote to memory of 1156	540	smss.exe	85
PID 540 wrote to memory of 1156	540	smss.exe	85
PID 540 wrote to memory of 1156	540	smss.exe	85
PID 1972 wrote to memory of 4228	1972	lsass.exe	87
PID 1972 wrote to memory of 4228	1972	lsass.exe	87
PID 1972 wrote to memory of 4228	1972	lsass.exe	87
PID 540 wrote to memory of 364	540	smss.exe	86
PID 540 wrote to memory of 364	540	smss.exe	86
PID 540 wrote to memory of 364	540	smss.exe	86
PID 1972 wrote to memory of 1252	1972	lsass.exe	88
PID 1972 wrote to memory of 1252	1972	lsass.exe	88
PID 1972 wrote to memory of 1252	1972	lsass.exe	88
PID 1972 wrote to memory of 3532	1972	lsass.exe	89
PID 1972 wrote to memory of 3532	1972	lsass.exe	89
PID 1972 wrote to memory of 3532	1972	lsass.exe	89
PID 636 wrote to memory of 2296	636	svchost.exe	90
PID 636 wrote to memory of 2296	636	svchost.exe	90
PID 636 wrote to memory of 2296	636	svchost.exe	90
PID 636 wrote to memory of 2388	636	svchost.exe	91
PID 636 wrote to memory of 2388	636	svchost.exe	91
PID 636 wrote to memory of 2388	636	svchost.exe	91
PID 636 wrote to memory of 316	636	svchost.exe	92
PID 636 wrote to memory of 316	636	svchost.exe	92
PID 636 wrote to memory of 316	636	svchost.exe	92

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lsass.exe

C:\Users\Admin\AppData\Local\Temp\c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe
"C:\Users\Admin\AppData\Local\Temp\c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4900
- C:\Windows\system\lsass.exe
  C:\Windows\system\lsass.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Executes dropped EXE
  - Sets file execution options in registry
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1972
- - C:\Windows\system\lsass.exe
    C:\Windows\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4228
- - C:\Windows\system\smss.exe
    C:\Windows\system\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1252
- - C:\Windows\system\svchost.exe
    C:\Windows\system\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3532
- C:\Windows\system\smss.exe
  C:\Windows\system\smss.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Executes dropped EXE
  - Sets file execution options in registry
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:540
- - C:\Windows\system\lsass.exe
    C:\Windows\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3584
- - C:\Windows\system\smss.exe
    C:\Windows\system\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1156
- - C:\Windows\system\svchost.exe
    C:\Windows\system\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:364
- C:\Windows\system\svchost.exe
  C:\Windows\system\svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Executes dropped EXE
  - Sets file execution options in registry
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:636
- - C:\Windows\system\lsass.exe
    C:\Windows\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2296
- - C:\Windows\system\smss.exe
    C:\Windows\system\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2388
- - C:\Windows\system\svchost.exe
    C:\Windows\system\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\.exe

Filesize
234KB

MD5
86588229775fb55490bc0e46b875c95e

SHA1
d2b8207013140516a452f124d67aeb7eef6c7a55

SHA256
115527e67708cb93ea3e53ee16b3a660ba74db4a6b4dc408b5032573dbab1cd5

SHA512
71324b03ef7feaf4b412cd632fea954dafe9231c65c357c33b412ba2c80a2a4556fe0eb6ae1f2006d030cca5584bc5bb091516d8de0dd6284df851b30e14e340

Download Submit
C:\Windows\.exe

Filesize
234KB

MD5
cbe71be1fdf38ef14031b3a166e1cec6

SHA1
39298b8a4bb0d50306a20a6b6420388792d1869e

SHA256
1b380a0202d815b64105e6314c78e533dbe68083611cfe507f9d58affa44fcb6

SHA512
2a685caf786690a5b1dc2e38771aa492b5954d41ce19b2ac0a1dc9f5a2df00df249945f0679ef0a02484ea3247a70337a2f6288a60b436101e7e21c88d70ea3e

Download Submit
C:\Windows\.exe

Filesize
234KB

MD5
cf386644ff5e0ccc1e722e1b1516fcd8

SHA1
672caf35e7cc8a77a4e8c7bcd5bc72d6bca86ae4

SHA256
988a945b4e26f3f6f7623fe87b42ea34cc919b3bb94d4066c2ab516d4d74244f

SHA512
2711576a9016ece0120b6067b3780ac154481eb876e770c4e99316f13cb61bd68de4b6db007dd9c41c8cb10cd70dc30115d52806fa0ebb309fd26b7b8c044f0e

Download Submit
C:\Windows\ActiveX.exe

Filesize
234KB

MD5
96d001662d0f9b4832fb86a819da5e10

SHA1
417292aeb1a4113ef9b401a9c07ed9e902d9d8a9

SHA256
285e66a6bc197528f45fafbf32b3639279b77bd6f78b8514b32cde63b615ba19

SHA512
32ee6e08afdf7877193b47b9671551e5ff69ada938a35ae8235a0d68a520918a4775a095f3f46ab0a2ca4d1e640c1e0c1e184e1fd2d776c25c8921d147cce8f8

Download Submit
C:\Windows\ActiveX.exe

Filesize
234KB

MD5
b8e6309eec0332b76ac662ae17917e35

SHA1
150f4086033a36b736fecd94cbcdf47aeab75e0e

SHA256
577c3d4959b76b23677a61f76f34a781624497e6b4e5005871bbabf045b240ab

SHA512
f1ca020c996f13859155415e1dbda2c9c5bae512871368b44b6041161b83a47c8b22b695f31f2ec8360575ea608e88be34455fa73230618c8b1727e889c9813d

Download Submit
C:\Windows\ActiveX.exe

Filesize
234KB

MD5
4d17fc6ace20cda16887e7d607b4f117

SHA1
5367d1fca279e2ca8804515af721554ed247cf9a

SHA256
77ab865b47db863fd4c2cf211f72122187d6312196707a12df767ee805108081

SHA512
9a84a9f2e2757424b643bf3c68ddb7b34064e81063ee80af6a321c554ee78e493cca09b58aea6ac86302f2dc730242c142fcd2cdfac208a27df06af5570e7407

Download Submit
C:\Windows\SysWOW64\Oeminfo.ini

Filesize
106B

MD5
67fa4fca4bfa3de3aa2f9a7cf1b1df56

SHA1
beb76e7eace2503011d87c325a54c2a80420f84f

SHA256
cd7dfd7f48a4a8294808196e5870d541603c6cc3a686c8aca2423993f789b62e

SHA512
fe96f45ec32dbb982760421d9fc21c520cd9c8c8aefa994babbea6f3fa09a28f8a811d7385dc31f2abec53b48569d7a5632f08131e66bd3e32745ca0b0a6962d

Download Submit
C:\Windows\SysWOW64\Oeminfo.ini

Filesize
106B

MD5
67fa4fca4bfa3de3aa2f9a7cf1b1df56

SHA1
beb76e7eace2503011d87c325a54c2a80420f84f

SHA256
cd7dfd7f48a4a8294808196e5870d541603c6cc3a686c8aca2423993f789b62e

SHA512
fe96f45ec32dbb982760421d9fc21c520cd9c8c8aefa994babbea6f3fa09a28f8a811d7385dc31f2abec53b48569d7a5632f08131e66bd3e32745ca0b0a6962d

Download Submit
C:\Windows\SysWOW64\Oeminfo.ini

Filesize
106B

MD5
67fa4fca4bfa3de3aa2f9a7cf1b1df56

SHA1
beb76e7eace2503011d87c325a54c2a80420f84f

SHA256
cd7dfd7f48a4a8294808196e5870d541603c6cc3a686c8aca2423993f789b62e

SHA512
fe96f45ec32dbb982760421d9fc21c520cd9c8c8aefa994babbea6f3fa09a28f8a811d7385dc31f2abec53b48569d7a5632f08131e66bd3e32745ca0b0a6962d

Download Submit
C:\Windows\SysWOW64\_default.pif

Filesize
234KB

MD5
f5e550bf38c9396ef2185ccb52713049

SHA1
cdc9bad7f0bf7b5d9bdfffeef75983a823b90826

SHA256
c21e2c08149ef39e5711476c228413a563f506835e7b7954237a1c41c0b234fd

SHA512
7913c0aaca3a4d30c84ab37ce4175aae846aae239df5dca69f7599dc62cd99e26bb8c4625cd87d3622295083986a2c46f9395005b6174fa84ec8c72037eafdce

Download Submit
C:\Windows\SysWOW64\_default.pif

Filesize
234KB

MD5
41bbadd45bb7fe51922e1d3702ac25b9

SHA1
e112adfb557ec16d0eeec0ae4929c648b7400536

SHA256
eb6907cfb952e934696a8def58fe4c38503ce1d8c0bcb0b7f3b68d1e2f6b6b9b

SHA512
cb58a948be138651e21f2b368d4b40b89e81493ee02295316e0ca574385e1ad7e85eb50c7d543d81c031f0c9f114429531e216fa7fdda269283c813bd1a6fdc9

Download Submit
C:\Windows\SysWOW64\_default.pif

Filesize
234KB

MD5
01d7ea2bca5feb9a75c93dfa736d4365

SHA1
a0b2459453d6cfa1d4a966df84750a0d14164bba

SHA256
90da5b161ba3aaa564c45b8e83353f96f6e7f714bdcf8d854c5ee47914e35937

SHA512
65306ccac6ca3c7645a9565627a9a0d1938de71a0e44562372724cd42639b2eba1645402d0bf7ca5411294e03f79b04c2138be5f8c3417819d3941a67a139935

Download Submit
C:\Windows\SysWOW64\copy.pif

Filesize
234KB

MD5
bbbe37de1856139db485adf12c352c2c

SHA1
8a81e7e5c6f56f0896144d45046dc4e1f171c3d9

SHA256
520f0aa6db102fdada307bfe32cd19154627d344f03704af8f198b2c61401378

SHA512
4ddfde5ab9563f2cf0529e8d2f240b9d3c888015b104c906bfe16479763f5711cdf08a5ae400b37275579f124986c4a3489cba07527dacc71b80a873eda64060

Download Submit
C:\Windows\SysWOW64\copy.pif

Filesize
234KB

MD5
aad879ca62a8411d7fa03bb5095d2661

SHA1
6697170b37f5ca9e2f7d0c617bcdbbefdb743d58

SHA256
f857e263f018cb7993c05ecb2e4ccfaf1c78688bcc48dd07488acf729ced40b8

SHA512
5bd4df84c108a7d368dbc03d981ba5666fa9d104f656ab31086a8f87d01f474542528d27d66a749699e5d3c97096701bc1006a4260f445ba8851e43a34b0b8eb

Download Submit
C:\Windows\SysWOW64\copy.pif

Filesize
234KB

MD5
68003abd41a7d3057b9bde4d05b69599

SHA1
5887ced0ce034e353989f962a9c3a2d21ea66280

SHA256
4b1feda7269efc05a84a0d7a5c0e344aa92fd6217f1b404ed648133a6483bec9

SHA512
f11d7480991016c0ddbf7c4fbf34633c2834b05221079dfa5cb6ee2ddd87e2ef0e1a0f70b6348a9bf8343b122ef227f1489ed3545bd7713f4a279c3e966ea73d

Download Submit
C:\Windows\SysWOW64\surif.bin

Filesize
234KB

MD5
56f7a808a82dc082b75b3b790ff1481a

SHA1
81453d2c87f400dab1bad8889535ddcf0ab01e59

SHA256
687e0d7b580e53ba5762f9e2c94802c7a9c02f49d0d4936183d7b7b6fc779f0d

SHA512
e92302fd130858a2ba895d428a344c5d40b241cfb88fb46a705adc7aefda490ebd9907cd1f21cb0c60c9188499f7097d5b50266666332d198c7ea2e06edc7e8f

Download Submit
C:\Windows\SysWOW64\surif.bin

Filesize
234KB

MD5
17204c031475b40762d0ce127db1f6e5

SHA1
1d9e129e0963b14827f2a42102086e20cb19428e

SHA256
22f025e44b8e9f8f9f3a305884c958b825c225a27c947fcdcfc993f95578e123

SHA512
a4a98cce90e7d407f963421df115d2e6608994dd37b73919b59389f9551d2eefb3ea99694dedea0070ebd9c472fa8fe126a4aa88e145ad1175c6696384e0f5fd

Download Submit
C:\Windows\SysWOW64\surif.bin

Filesize
234KB

MD5
c3d1926eedd2ee8b22e54c766b82e4d8

SHA1
936561a36993b01fc245021f2dbd187c5c9008e6

SHA256
ae401c27ba98508ff02cdfb182c863332776acacad0814482096c725274d9225

SHA512
b94a77e0b40086a83f9529daa7621adf30cc96b9caf508a7cc8b609eead19a1a32c4a6df17f28a02a69e66e0c68c01b3039797b65b05d1e73084ab8ce1bb190e

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\system\csrss.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\system\lsass.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\system\smss.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\system\svchost.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\system\winlogon.exe

Filesize
234KB

MD5
0ddc10ad8df32ca33019204a3547b127

SHA1
ffc5827d3450c36686a116d7a42bd2b77b36f1ae

SHA256
c705e911be0f4c424c15dcf9825f412b925587ec1823022a5b6362de3d3c887e

SHA512
e515a15d0e3ea9dc4f7f819037724a1378b4d676bf19eb199580640c156d84c0f9676cba7e6aa2b6ee51d3d90a9591aee482dfc71847af7ece077f381ba3aae8

Download Submit
C:\Windows\win32.exe

Filesize
234KB

MD5
87958290ea50b2794e10e2b5d002ae46

SHA1
94da69fe3c82260311fe21a231833a10c7f5e330

SHA256
6b4c928781e468ce374b2a988d8734fd5b9033e0b020ef46469ba40be5808927

SHA512
f2aaff2299d8033a6f89b7966d044ff27b36854cf1b6c1305335382e21a367d2f88c7d3ce0decba7e0e23e0f5729e2551745fd694154be870dfaff127582e90f

Download Submit
C:\Windows\win32.exe

Filesize
234KB

MD5
4bd53e99414d7d4019f76a4280788f36

SHA1
3b6850fac13b34fc235b2a2e4f9737ab1b7f7ce3

SHA256
ba5ffeb2e35cd07b01a0431928f3d8e1b49346f1f511dbe910e83c4a1264a295

SHA512
867e85a865c3fb6c0ef7ebb9e3d30980d454001e28545c25b8f199afb1a6d6fe67628b8052347b359e928eb4463e220207a615a4c4e1c4e83234a0f1b7146191

Download Submit
C:\Windows\win32.exe

Filesize
234KB

MD5
ed7c6e3b31b2222d95383fab5ee999dc

SHA1
aa503542ba133a51b08a0de42b23f43167286d77

SHA256
dbf499b2cb1c09f2a153a77d26d7131597f46668d374928ef8dfc849425e613f

SHA512
e0374070164f4608012cdf01a3c47f471aa6b775674d46e1c70d7601b489a610b27b7aa8805df5ff0924f49a9cd77b3d665a1fec11a75c60b51ec9c3a13f68bc

Download Submit
C:\baca euy.txt

Filesize
4B

MD5
0ae9bcd0c0b0aa5aab99d84beca26ce8

SHA1
95ae2add76d30dc377e774ec0d5abc17a7832865

SHA256
91a4e2f100227487a802ac040b85700f03520b347fbfe4c23b7bf2d97b43d9fa

SHA512
2e5bce2521d799135a10bb14cc127a0f794d8cdd2bcd97ed90a7f2d4279f72abaf45a58daf7635472b3d845db21f13f03708fc40f89b1963c8344a89df2b3bd0

Download Submit
C:\baca euy.txt

Filesize
4B

MD5
0ae9bcd0c0b0aa5aab99d84beca26ce8

SHA1
95ae2add76d30dc377e774ec0d5abc17a7832865

SHA256
91a4e2f100227487a802ac040b85700f03520b347fbfe4c23b7bf2d97b43d9fa

SHA512
2e5bce2521d799135a10bb14cc127a0f794d8cdd2bcd97ed90a7f2d4279f72abaf45a58daf7635472b3d845db21f13f03708fc40f89b1963c8344a89df2b3bd0

Download Submit
C:\baca euy.txt

Filesize
4B

MD5
0ae9bcd0c0b0aa5aab99d84beca26ce8

SHA1
95ae2add76d30dc377e774ec0d5abc17a7832865

SHA256
91a4e2f100227487a802ac040b85700f03520b347fbfe4c23b7bf2d97b43d9fa

SHA512
2e5bce2521d799135a10bb14cc127a0f794d8cdd2bcd97ed90a7f2d4279f72abaf45a58daf7635472b3d845db21f13f03708fc40f89b1963c8344a89df2b3bd0

Download Submit
memory/316-220-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/364-196-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/540-223-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/540-152-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/636-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/636-177-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1156-185-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1972-222-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1972-151-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3532-206-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3584-178-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4900-221-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4900-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download