c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

Analysis

max time kernel
155s
max time network
119s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/11/2022, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Size

80KB
MD5

08c8af5373c5a02aadfaf9e5beb1a100
SHA1

09b79e91c93d2bfe26881d1c267a2c5b3f06d709
SHA256

c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8
SHA512

c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0
SSDEEP

768:Rvf5BMCddWyabWzq1oskfbI+W9zR4tOEN9DGp5eHNWhCrP42M:d53abeaoFfbM9zRQFNsSHNSX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe

Disables RegEdit via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	winlogon.exe

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	lsass.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts-Denied By-Admin.com	inetinfo.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts-Denied By-Admin.com	inetinfo.exe

Executes dropped EXE 5 IoCs

pid	Process
1512	smss.exe
632	winlogon.exe
1656	services.exe
1320	lsass.exe
1732	inetinfo.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe

Loads dropped DLL 10 IoCs

pid	Process
1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
1512	smss.exe
1512	smss.exe
1512	smss.exe
1512	smss.exe
1512	smss.exe
1512	smss.exe
1512	smss.exe
1512	smss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	smss.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	winlogon.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	services.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	lsass.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	inetinfo.exe
File created	C:\Windows\ShellNew\ElnorB.exe	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	inetinfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	inetinfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	inetinfo.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	inetinfo.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
1512	smss.exe
632	winlogon.exe
1656	services.exe
1320	lsass.exe
1732	inetinfo.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 1136	1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	27
PID 1044 wrote to memory of 1136	1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	27
PID 1044 wrote to memory of 1136	1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	27
PID 1044 wrote to memory of 1136	1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	27
PID 1044 wrote to memory of 1512	1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	29
PID 1044 wrote to memory of 1512	1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	29
PID 1044 wrote to memory of 1512	1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	29
PID 1044 wrote to memory of 1512	1044	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	29
PID 1512 wrote to memory of 632	1512	smss.exe	30
PID 1512 wrote to memory of 632	1512	smss.exe	30
PID 1512 wrote to memory of 632	1512	smss.exe	30
PID 1512 wrote to memory of 632	1512	smss.exe	30
PID 1512 wrote to memory of 1088	1512	smss.exe	31
PID 1512 wrote to memory of 1088	1512	smss.exe	31
PID 1512 wrote to memory of 1088	1512	smss.exe	31
PID 1512 wrote to memory of 1088	1512	smss.exe	31
PID 1512 wrote to memory of 1880	1512	smss.exe	33
PID 1512 wrote to memory of 1880	1512	smss.exe	33
PID 1512 wrote to memory of 1880	1512	smss.exe	33
PID 1512 wrote to memory of 1880	1512	smss.exe	33
PID 1512 wrote to memory of 1656	1512	smss.exe	34
PID 1512 wrote to memory of 1656	1512	smss.exe	34
PID 1512 wrote to memory of 1656	1512	smss.exe	34
PID 1512 wrote to memory of 1656	1512	smss.exe	34
PID 1512 wrote to memory of 1320	1512	smss.exe	36
PID 1512 wrote to memory of 1320	1512	smss.exe	36
PID 1512 wrote to memory of 1320	1512	smss.exe	36
PID 1512 wrote to memory of 1320	1512	smss.exe	36
PID 1512 wrote to memory of 1732	1512	smss.exe	37
PID 1512 wrote to memory of 1732	1512	smss.exe	37
PID 1512 wrote to memory of 1732	1512	smss.exe	37
PID 1512 wrote to memory of 1732	1512	smss.exe	37

C:\Users\Admin\AppData\Local\Temp\c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
"C:\Users\Admin\AppData\Local\Temp\c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  PID:1136
- C:\Users\Admin\AppData\Local\smss.exe
  C:\Users\Admin\AppData\Local\smss.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1512
- - C:\Users\Admin\AppData\Local\winlogon.exe
    C:\Users\Admin\AppData\Local\winlogon.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:632
- - C:\Windows\SysWOW64\at.exe
    at /delete /y
    3⤵
    PID:1088
- - C:\Windows\SysWOW64\at.exe
    at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bararontok.com"
    3⤵
    PID:1880
- - C:\Users\Admin\AppData\Local\services.exe
    C:\Users\Admin\AppData\Local\services.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1656
- - C:\Users\Admin\AppData\Local\lsass.exe
    C:\Users\Admin\AppData\Local\lsass.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1320
- - C:\Users\Admin\AppData\Local\inetinfo.exe
    C:\Users\Admin\AppData\Local\inetinfo.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Modifies system certificate store
    - Suspicious use of SetWindowsHookEx
    PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
63KB

MD5
d0606703bc6e472ddfea04ccfb0f7178

SHA1
809fd8fbf6fabff2fc93e4d32f6545c7ffd72383

SHA256
aa4bd68920d615b44fa6cca634c38540ed20cb0e9f4aea6e2c9d54c0688bafbe

SHA512
aecfddc13da2d313505c51fc5cfa699de5f3396f2eadd9798c944991531b26d34a77008a67a67df351953d43ce153cb587a6c544c5afef789430369d928df7c1

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
63KB

MD5
d0606703bc6e472ddfea04ccfb0f7178

SHA1
809fd8fbf6fabff2fc93e4d32f6545c7ffd72383

SHA256
aa4bd68920d615b44fa6cca634c38540ed20cb0e9f4aea6e2c9d54c0688bafbe

SHA512
aecfddc13da2d313505c51fc5cfa699de5f3396f2eadd9798c944991531b26d34a77008a67a67df351953d43ce153cb587a6c544c5afef789430369d928df7c1

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\smss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\smss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
\Users\Admin\AppData\Local\smss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
\Users\Admin\AppData\Local\smss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
\Users\Admin\AppData\Local\winlogon.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
\Users\Admin\AppData\Local\winlogon.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
memory/1044-56-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1136-59-0x0000000074281000-0x0000000074283000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads