d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

Analysis

max time kernel
150s
max time network
116s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/11/2022, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
Size

80KB
MD5

1235d14d61ec340b9b2306fffcee8966
SHA1

60b690386749ba4023ed408488cee61654d78f14
SHA256

d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b
SHA512

c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb
SSDEEP

768:Rv35BMCddWyabWzq1oskfbI+W9zR4tOEN9DGp5eHNWhCrP42MmaX5BMCkJLZ:F53abeaoFfbM9zRQFNsSHNSXmaX58LZ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	inetinfo.exe

Disables RegEdit via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	lsass.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts-Denied By-Admin.com	inetinfo.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts-Denied By-Admin.com	inetinfo.exe

Executes dropped EXE 5 IoCs

pid	Process
816	smss.exe
580	winlogon.exe
1180	services.exe
1728	lsass.exe
1120	inetinfo.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe

Loads dropped DLL 10 IoCs

pid	Process
1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe
816	smss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	services.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	inetinfo.exe
File created	C:\Windows\ShellNew\ElnorB.exe	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	smss.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	winlogon.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	services.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	inetinfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	inetinfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	inetinfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	inetinfo.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
816	smss.exe
580	winlogon.exe
1180	services.exe
1728	lsass.exe
1120	inetinfo.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1416	1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe	26
PID 1160 wrote to memory of 1416	1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe	26
PID 1160 wrote to memory of 1416	1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe	26
PID 1160 wrote to memory of 1416	1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe	26
PID 1160 wrote to memory of 816	1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe	27
PID 1160 wrote to memory of 816	1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe	27
PID 1160 wrote to memory of 816	1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe	27
PID 1160 wrote to memory of 816	1160	d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe	27
PID 816 wrote to memory of 580	816	smss.exe	29
PID 816 wrote to memory of 580	816	smss.exe	29
PID 816 wrote to memory of 580	816	smss.exe	29
PID 816 wrote to memory of 580	816	smss.exe	29
PID 816 wrote to memory of 1708	816	smss.exe	30
PID 816 wrote to memory of 1708	816	smss.exe	30
PID 816 wrote to memory of 1708	816	smss.exe	30
PID 816 wrote to memory of 1708	816	smss.exe	30
PID 816 wrote to memory of 868	816	smss.exe	32
PID 816 wrote to memory of 868	816	smss.exe	32
PID 816 wrote to memory of 868	816	smss.exe	32
PID 816 wrote to memory of 868	816	smss.exe	32
PID 816 wrote to memory of 1180	816	smss.exe	33
PID 816 wrote to memory of 1180	816	smss.exe	33
PID 816 wrote to memory of 1180	816	smss.exe	33
PID 816 wrote to memory of 1180	816	smss.exe	33
PID 816 wrote to memory of 1728	816	smss.exe	35
PID 816 wrote to memory of 1728	816	smss.exe	35
PID 816 wrote to memory of 1728	816	smss.exe	35
PID 816 wrote to memory of 1728	816	smss.exe	35
PID 816 wrote to memory of 1120	816	smss.exe	36
PID 816 wrote to memory of 1120	816	smss.exe	36
PID 816 wrote to memory of 1120	816	smss.exe	36
PID 816 wrote to memory of 1120	816	smss.exe	36

C:\Users\Admin\AppData\Local\Temp\d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe
"C:\Users\Admin\AppData\Local\Temp\d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1416
- C:\Users\Admin\AppData\Local\smss.exe
  C:\Users\Admin\AppData\Local\smss.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\winlogon.exe
    C:\Users\Admin\AppData\Local\winlogon.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:580
- - C:\Windows\SysWOW64\at.exe
    at /delete /y
    3⤵
    PID:1708
- - C:\Windows\SysWOW64\at.exe
    at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bararontok.com"
    3⤵
    PID:868
- - C:\Users\Admin\AppData\Local\services.exe
    C:\Users\Admin\AppData\Local\services.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1180
- - C:\Users\Admin\AppData\Local\lsass.exe
    C:\Users\Admin\AppData\Local\lsass.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1728
- - C:\Users\Admin\AppData\Local\inetinfo.exe
    C:\Users\Admin\AppData\Local\inetinfo.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\smss.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\smss.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
\Users\Admin\AppData\Local\smss.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
\Users\Admin\AppData\Local\smss.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
\Users\Admin\AppData\Local\winlogon.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
\Users\Admin\AppData\Local\winlogon.exe

Filesize
80KB

MD5
1235d14d61ec340b9b2306fffcee8966

SHA1
60b690386749ba4023ed408488cee61654d78f14

SHA256
d89b12cf26d1aca7f2955d8243570e76e9692fac15688558bfdfcf629fcd715b

SHA512
c1806ca2e6bfc4589a7c5a0bdc7c48e7d710ba2a2e3bc7004f3f93b5d8c46abc90100305ae607a9bbb375782811a5c1a09e347d086011446f8bb3987592053eb

Download Submit
memory/1160-56-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1416-59-0x0000000074681000-0x0000000074683000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads