351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 20:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe
Size

176KB
MD5

0adc31b293bee217af1878ed64423b48
SHA1

0e9169dff616826167f17fbf175dddec8ff0bfd2
SHA256

351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f
SHA512

398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254
SSDEEP

1536:v05AakFmuH8d3pDfT9tdXVC8/o5cJ45cL/I5l8IxdgtoeDpveL1bEOCTui:vagmvJfdXVCkLicDIUIx6thDpKE1ui

Score

8^/10

evasion persistence

Malware Config

Signatures

Disables RegEdit via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	inetinfo.exe

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe

Executes dropped EXE 5 IoCs

pid	Process
1808	smss.exe
1476	winlogon.exe
1796	services.exe
1208	lsass.exe
1684	inetinfo.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe

Loads dropped DLL 10 IoCs

pid	Process
1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe
1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe
1808	smss.exe
1808	smss.exe
1808	smss.exe
1808	smss.exe
1808	smss.exe
1808	smss.exe
1808	smss.exe
1808	smss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	lsass.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\3D Animation.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\3D Animation.scr	smss.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\norBtok.exe	smss.exe
File opened for modification	C:\Windows\INF\norBtok.exe	winlogon.exe
File opened for modification	C:\Windows\INF\norBtok.exe	services.exe
File opened for modification	C:\Windows\INF\norBtok.exe	lsass.exe
File opened for modification	C:\Windows\INF\norBtok.exe	inetinfo.exe
File created	C:\Windows\INF\norBtok.exe	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe
File opened for modification	C:\Windows\INF\norBtok.exe	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	inetinfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	inetinfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	inetinfo.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe
1808	smss.exe
1476	winlogon.exe
1796	services.exe
1208	lsass.exe
1684	inetinfo.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 2036	1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe	27
PID 1672 wrote to memory of 2036	1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe	27
PID 1672 wrote to memory of 2036	1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe	27
PID 1672 wrote to memory of 2036	1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe	27
PID 1672 wrote to memory of 1808	1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe	29
PID 1672 wrote to memory of 1808	1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe	29
PID 1672 wrote to memory of 1808	1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe	29
PID 1672 wrote to memory of 1808	1672	351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe	29
PID 1808 wrote to memory of 1476	1808	smss.exe	30
PID 1808 wrote to memory of 1476	1808	smss.exe	30
PID 1808 wrote to memory of 1476	1808	smss.exe	30
PID 1808 wrote to memory of 1476	1808	smss.exe	30
PID 1808 wrote to memory of 660	1808	smss.exe	31
PID 1808 wrote to memory of 660	1808	smss.exe	31
PID 1808 wrote to memory of 660	1808	smss.exe	31
PID 1808 wrote to memory of 660	1808	smss.exe	31
PID 1808 wrote to memory of 1984	1808	smss.exe	33
PID 1808 wrote to memory of 1984	1808	smss.exe	33
PID 1808 wrote to memory of 1984	1808	smss.exe	33
PID 1808 wrote to memory of 1984	1808	smss.exe	33
PID 1808 wrote to memory of 1796	1808	smss.exe	34
PID 1808 wrote to memory of 1796	1808	smss.exe	34
PID 1808 wrote to memory of 1796	1808	smss.exe	34
PID 1808 wrote to memory of 1796	1808	smss.exe	34
PID 1808 wrote to memory of 1208	1808	smss.exe	36
PID 1808 wrote to memory of 1208	1808	smss.exe	36
PID 1808 wrote to memory of 1208	1808	smss.exe	36
PID 1808 wrote to memory of 1208	1808	smss.exe	36
PID 1808 wrote to memory of 1684	1808	smss.exe	37
PID 1808 wrote to memory of 1684	1808	smss.exe	37
PID 1808 wrote to memory of 1684	1808	smss.exe	37
PID 1808 wrote to memory of 1684	1808	smss.exe	37

C:\Users\Admin\AppData\Local\Temp\351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe
"C:\Users\Admin\AppData\Local\Temp\351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f.exe"
1⤵
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Local\smss.exe
  C:\Users\Admin\AppData\Local\smss.exe
  2⤵
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Users\Admin\AppData\Local\winlogon.exe
    C:\Users\Admin\AppData\Local\winlogon.exe
    3⤵
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1476
- - C:\Windows\SysWOW64\at.exe
    at /delete /y
    3⤵
    PID:660
- - C:\Windows\SysWOW64\at.exe
    at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\A.kotnorB.com"
    3⤵
    PID:1984
- - C:\Users\Admin\AppData\Local\services.exe
    C:\Users\Admin\AppData\Local\services.exe
    3⤵
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1796
- - C:\Users\Admin\AppData\Local\lsass.exe
    C:\Users\Admin\AppData\Local\lsass.exe
    3⤵
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1208
- - C:\Users\Admin\AppData\Local\inetinfo.exe
    C:\Users\Admin\AppData\Local\inetinfo.exe
    3⤵
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:1684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\csrss.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
63KB

MD5
416bf16a9ca4d4ccec40d042420743b1

SHA1
b46bbb4ce12d7f7b31bda45400c95a4d6ba36a12

SHA256
973bde0b9e5c28b394a42a820ecc2db0bcc7739337de4efb186f75878bcd5510

SHA512
44e6d11f8033458e7b3bcff14377c69201a1a0fb2370090b72e255490f9ff8884bd65e84e82fa744af6c177c197af0bc3ded8d654b45f23384c6f49c765db728

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
63KB

MD5
416bf16a9ca4d4ccec40d042420743b1

SHA1
b46bbb4ce12d7f7b31bda45400c95a4d6ba36a12

SHA256
973bde0b9e5c28b394a42a820ecc2db0bcc7739337de4efb186f75878bcd5510

SHA512
44e6d11f8033458e7b3bcff14377c69201a1a0fb2370090b72e255490f9ff8884bd65e84e82fa744af6c177c197af0bc3ded8d654b45f23384c6f49c765db728

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\smss.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\smss.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Windows\INF\norBtok.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Windows\INF\norBtok.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Windows\INF\norBtok.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
C:\Windows\INF\norBtok.exe

Filesize
128KB

MD5
1b0ff20950492b0c210c4d076de70cbc

SHA1
43cbbf46c8633498a9bdf54c8ba5df6b47e6e2f7

SHA256
8b31a05702a637e94af743e7fa0dcf50c1ed8f57be95017a765c8e6c53842cb6

SHA512
0e87b6e6758dfee7eec9c09c65d6d378830bb32b2b1bc22629d7bc14c0a81fe693bcf33792d8280709acaa90644381cab250af433282696ffa6498cdfc3ef25a

Download Submit
\Users\Admin\AppData\Local\inetinfo.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
\Users\Admin\AppData\Local\inetinfo.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
\Users\Admin\AppData\Local\lsass.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
\Users\Admin\AppData\Local\lsass.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
\Users\Admin\AppData\Local\services.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
\Users\Admin\AppData\Local\services.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
\Users\Admin\AppData\Local\smss.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
\Users\Admin\AppData\Local\smss.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
\Users\Admin\AppData\Local\winlogon.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
\Users\Admin\AppData\Local\winlogon.exe

Filesize
176KB

MD5
0adc31b293bee217af1878ed64423b48

SHA1
0e9169dff616826167f17fbf175dddec8ff0bfd2

SHA256
351cd194caefb6447e96e2ce829d3e804e50d3422b6d16d593d738338254a25f

SHA512
398ab562db9a11936584c920eb9755cca378aa3d5d7c3b7732dfbf0ac30c50c1936f9a737e6848d98c90164e2484b2cc526f012b5af4eaa8165d2db81da16254

Download Submit
memory/1208-120-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1476-87-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1672-70-0x00000000027F0000-0x000000000282A000-memory.dmp

Filesize
232KB

Download
memory/1672-57-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1672-56-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-94-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1672-71-0x00000000027F0000-0x000000000282A000-memory.dmp

Filesize
232KB

Download
memory/1684-137-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1684-134-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1796-106-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1808-105-0x00000000024F0000-0x000000000252A000-memory.dmp

Filesize
232KB

Download
memory/1808-72-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1808-133-0x00000000024F0000-0x000000000252A000-memory.dmp

Filesize
232KB

Download
memory/1808-119-0x00000000024F0000-0x000000000252A000-memory.dmp

Filesize
232KB

Download
memory/1808-86-0x00000000024F0000-0x000000000252A000-memory.dmp

Filesize
232KB

Download
memory/1808-136-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2036-60-0x00000000747E1000-0x00000000747E3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads