c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

Analysis

max time kernel
155s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/11/2022, 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Size

80KB
MD5

08c8af5373c5a02aadfaf9e5beb1a100
SHA1

09b79e91c93d2bfe26881d1c267a2c5b3f06d709
SHA256

c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8
SHA512

c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0
SSDEEP

768:Rvf5BMCddWyabWzq1oskfbI+W9zR4tOEN9DGp5eHNWhCrP42M:d53abeaoFfbM9zRQFNsSHNSX

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	services.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	inetinfo.exe

Disables RegEdit via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableCMD = "0"	smss.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts-Denied By-Admin.com	inetinfo.exe
File created	C:\Windows\System32\drivers\etc\hosts-Denied By-Admin.com	inetinfo.exe

Executes dropped EXE 5 IoCs

pid	Process
5048	smss.exe
4868	winlogon.exe
1296	services.exe
116	lsass.exe
2112	inetinfo.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\ShellNew\\ElnorB.exe\""	inetinfo.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\Admin's Setting.scr	smss.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\ElnorB.exe	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	smss.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	winlogon.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	services.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	lsass.exe
File opened for modification	C:\Windows\ShellNew\ElnorB.exe	inetinfo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3208	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
5048	smss.exe
4868	winlogon.exe
1296	services.exe
116	lsass.exe
2112	inetinfo.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3208 wrote to memory of 3752	3208	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	81
PID 3208 wrote to memory of 3752	3208	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	81
PID 3208 wrote to memory of 3752	3208	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	81
PID 3208 wrote to memory of 5048	3208	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	82
PID 3208 wrote to memory of 5048	3208	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	82
PID 3208 wrote to memory of 5048	3208	c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe	82
PID 5048 wrote to memory of 4868	5048	smss.exe	83
PID 5048 wrote to memory of 4868	5048	smss.exe	83
PID 5048 wrote to memory of 4868	5048	smss.exe	83
PID 5048 wrote to memory of 1028	5048	smss.exe	85
PID 5048 wrote to memory of 1028	5048	smss.exe	85
PID 5048 wrote to memory of 1028	5048	smss.exe	85
PID 5048 wrote to memory of 1292	5048	smss.exe	87
PID 5048 wrote to memory of 1292	5048	smss.exe	87
PID 5048 wrote to memory of 1292	5048	smss.exe	87
PID 5048 wrote to memory of 1296	5048	smss.exe	88
PID 5048 wrote to memory of 1296	5048	smss.exe	88
PID 5048 wrote to memory of 1296	5048	smss.exe	88
PID 5048 wrote to memory of 116	5048	smss.exe	90
PID 5048 wrote to memory of 116	5048	smss.exe	90
PID 5048 wrote to memory of 116	5048	smss.exe	90
PID 5048 wrote to memory of 2112	5048	smss.exe	91
PID 5048 wrote to memory of 2112	5048	smss.exe	91
PID 5048 wrote to memory of 2112	5048	smss.exe	91

C:\Users\Admin\AppData\Local\Temp\c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe
"C:\Users\Admin\AppData\Local\Temp\c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Disables cmd.exe use via registry modification
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3208
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe
  2⤵
  - Modifies registry class
  PID:3752
- C:\Users\Admin\AppData\Local\smss.exe
  C:\Users\Admin\AppData\Local\smss.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Executes dropped EXE
  - Drops startup file
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5048
- - C:\Users\Admin\AppData\Local\winlogon.exe
    C:\Users\Admin\AppData\Local\winlogon.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:4868
- - C:\Windows\SysWOW64\at.exe
    at /delete /y
    3⤵
    PID:1028
- - C:\Windows\SysWOW64\at.exe
    at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\bararontok.com"
    3⤵
    PID:1292
- - C:\Users\Admin\AppData\Local\services.exe
    C:\Users\Admin\AppData\Local\services.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1296
- - C:\Users\Admin\AppData\Local\lsass.exe
    C:\Users\Admin\AppData\Local\lsass.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:116
- - C:\Users\Admin\AppData\Local\inetinfo.exe
    C:\Users\Admin\AppData\Local\inetinfo.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\csrss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\inetinfo.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\lsass.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\smss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\smss.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Users\Admin\AppData\Local\winlogon.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit
C:\Windows\ShellNew\ElnorB.exe

Filesize
80KB

MD5
08c8af5373c5a02aadfaf9e5beb1a100

SHA1
09b79e91c93d2bfe26881d1c267a2c5b3f06d709

SHA256
c00c2ee8a103e5780685d38c4a8d250203dc1da9757a2dee08e10a7c3d84a4d8

SHA512
c35e32b502de3e34c14eeb873daed86b90e2ce618413e5e20629c45e1a28fd183dc70aa76248ec539777f064af59aaa1fd7bd61115ef210d64f484ae0978bfe0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads