c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

Analysis

max time kernel
55s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05/12/2022, 13:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Size

234KB
MD5

dbcc431d9a085f869a915f7c7286a866
SHA1

4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854
SHA256

c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5
SHA512

bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc
SSDEEP

3072:k9wShh9nsKHcQZYxIs1T+Z3edjHDN4HZ4s8ENObhb5npLdnUInuy+iMS3h0qmi:kThh9sKHRFnWs8ENOblJUIurS3h0qv

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	svchost.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	smss.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 12 IoCs

pid	Process
320	lsass.exe
1028	smss.exe
2912	svchost.exe
2944	lsass.exe
1412	lsass.exe
1548	lsass.exe
2052	smss.exe
3056	smss.exe
1692	smss.exe
4392	svchost.exe
4340	svchost.exe
3132	svchost.exe

Sets file execution options in registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	lsass.exe

Windows security modification 2 TTPs 16 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	smss.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run\	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	smss.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	svchost.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	lsass.exe
File opened (read-only)	\??\T:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\K:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\J:	lsass.exe
File opened (read-only)	\??\W:	lsass.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\I:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\Z:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\J:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\T:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\P:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\B:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\X:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\F:	lsass.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\P:	lsass.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\Y:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\N:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\G:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\R:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\H:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\N:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\S:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\U:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Q:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\E:	lsass.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\F:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened (read-only)	\??\M:	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	svchost.exe

Drops file in System32 directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\copy.pif	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	lsass.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	lsass.exe
File opened for modification	C:\Windows\SysWOW64\Oeminfo.ini	lsass.exe
File opened for modification	C:\Windows\SysWOW64\copy.pif	svchost.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Oeminfo.ini	smss.exe
File created	C:\Windows\SysWOW64\_default.pif	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File created	C:\Windows\SysWOW64\Oeminfo.ini	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File created	C:\Windows\SysWOW64\_default.pif	lsass.exe
File created	C:\Windows\SysWOW64\surif.bin	smss.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Oeminfo.ini	svchost.exe
File created	C:\Windows\SysWOW64\copy.pif	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File created	C:\Windows\SysWOW64\surif.bin	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\SysWOW64\copy.pif	lsass.exe
File created	C:\Windows\SysWOW64\copy.pif	smss.exe
File opened for modification	C:\Windows\SysWOW64\copy.pif	smss.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	smss.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	smss.exe

Drops file in Windows directory 56 IoCs

description	ioc	Process
File created	C:\Windows\system\smss.exe	smss.exe
File created	C:\Windows\system\lsass.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File created	C:\Windows\system\winlogon.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File created	C:\Windows\system\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\system\lsass.exe	smss.exe
File opened for modification	C:\Windows\.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\win32.exe	lsass.exe
File created	C:\Windows\win32.exe	smss.exe
File opened for modification	C:\Windows\win32.exe	smss.exe
File created	C:\Windows\system\csrss.exe	smss.exe
File created	C:\Windows\ActiveX.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\system\winlogon.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\system\winlogon.exe	smss.exe
File opened for modification	C:\Windows\system\svchost.exe	smss.exe
File opened for modification	C:\Windows\system\smss.exe	svchost.exe
File opened for modification	C:\Windows\system\csrss.exe	svchost.exe
File opened for modification	C:\Windows\system\lsass.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\system\csrss.exe	smss.exe
File opened for modification	C:\Windows\win32.exe	svchost.exe
File opened for modification	C:\Windows\system\csrss.exe	lsass.exe
File created	C:\Windows\system\winlogon.exe	svchost.exe
File opened for modification	C:\Windows\system\lsass.exe	svchost.exe
File opened for modification	C:\Windows\.exe	lsass.exe
File opened for modification	C:\Windows\.exe	svchost.exe
File opened for modification	C:\Windows\.exe	smss.exe
File opened for modification	C:\Windows\system\winlogon.exe	svchost.exe
File opened for modification	C:\Windows\system\svchost.exe	lsass.exe
File created	C:\Windows\win32.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\system\lsass.exe	lsass.exe
File created	C:\Windows\system\csrss.exe	lsass.exe
File opened for modification	C:\Windows\system\svchost.exe	svchost.exe
File created	C:\Windows\system\csrss.exe	svchost.exe
File opened for modification	C:\Windows\ActiveX.exe	svchost.exe
File opened for modification	C:\Windows\system\svchost.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\ActiveX.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File created	C:\Windows\system\svchost.exe	lsass.exe
File created	C:\Windows\system\lsass.exe	smss.exe
File opened for modification	C:\Windows\win32.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\system\smss.exe	smss.exe
File created	C:\Windows\system\winlogon.exe	smss.exe
File created	C:\Windows\system\svchost.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File created	C:\Windows\system\smss.exe	lsass.exe
File created	C:\Windows\system\svchost.exe	smss.exe
File created	C:\Windows\system\smss.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File created	C:\Windows\system\smss.exe	svchost.exe
File opened for modification	C:\Windows\ActiveX.exe	smss.exe
File opened for modification	C:\Windows\system\csrss.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\system\smss.exe	lsass.exe
File created	C:\Windows\system\svchost.exe	svchost.exe
File created	C:\Windows\system\csrss.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File opened for modification	C:\Windows\ActiveX.exe	lsass.exe
File created	C:\Windows\system\lsass.exe	svchost.exe
File opened for modification	C:\Windows\system\smss.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
File created	C:\Windows\system\lsass.exe	lsass.exe
File opened for modification	C:\Windows\system\winlogon.exe	lsass.exe
File created	C:\Windows\.exe	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
320	lsass.exe
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
2912	svchost.exe
1028	smss.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
320	lsass.exe
1028	smss.exe
2912	svchost.exe
2944	lsass.exe
1412	lsass.exe
1548	lsass.exe
1692	smss.exe
3056	smss.exe
2052	smss.exe
4392	svchost.exe
4340	svchost.exe
3132	svchost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 320	4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe	82
PID 4052 wrote to memory of 320	4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe	82
PID 4052 wrote to memory of 320	4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe	82
PID 4052 wrote to memory of 1028	4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe	83
PID 4052 wrote to memory of 1028	4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe	83
PID 4052 wrote to memory of 1028	4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe	83
PID 4052 wrote to memory of 2912	4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe	84
PID 4052 wrote to memory of 2912	4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe	84
PID 4052 wrote to memory of 2912	4052	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe	84
PID 1028 wrote to memory of 2944	1028	smss.exe	85
PID 1028 wrote to memory of 2944	1028	smss.exe	85
PID 1028 wrote to memory of 2944	1028	smss.exe	85
PID 320 wrote to memory of 1412	320	lsass.exe	86
PID 320 wrote to memory of 1412	320	lsass.exe	86
PID 320 wrote to memory of 1412	320	lsass.exe	86
PID 2912 wrote to memory of 1548	2912	svchost.exe	87
PID 2912 wrote to memory of 1548	2912	svchost.exe	87
PID 2912 wrote to memory of 1548	2912	svchost.exe	87
PID 320 wrote to memory of 2052	320	lsass.exe	90
PID 320 wrote to memory of 2052	320	lsass.exe	90
PID 320 wrote to memory of 2052	320	lsass.exe	90
PID 1028 wrote to memory of 3056	1028	smss.exe	88
PID 1028 wrote to memory of 3056	1028	smss.exe	88
PID 1028 wrote to memory of 3056	1028	smss.exe	88
PID 2912 wrote to memory of 1692	2912	svchost.exe	89
PID 2912 wrote to memory of 1692	2912	svchost.exe	89
PID 2912 wrote to memory of 1692	2912	svchost.exe	89
PID 2912 wrote to memory of 4392	2912	svchost.exe	91
PID 2912 wrote to memory of 4392	2912	svchost.exe	91
PID 2912 wrote to memory of 4392	2912	svchost.exe	91
PID 320 wrote to memory of 4340	320	lsass.exe	92
PID 320 wrote to memory of 4340	320	lsass.exe	92
PID 320 wrote to memory of 4340	320	lsass.exe	92
PID 1028 wrote to memory of 3132	1028	smss.exe	93
PID 1028 wrote to memory of 3132	1028	smss.exe	93
PID 1028 wrote to memory of 3132	1028	smss.exe	93

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe
"C:\Users\Admin\AppData\Local\Temp\c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4052
- C:\Windows\system\lsass.exe
  C:\Windows\system\lsass.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Executes dropped EXE
  - Sets file execution options in registry
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:320
- - C:\Windows\system\lsass.exe
    C:\Windows\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1412
- - C:\Windows\system\smss.exe
    C:\Windows\system\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2052
- - C:\Windows\system\svchost.exe
    C:\Windows\system\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4340
- C:\Windows\system\smss.exe
  C:\Windows\system\smss.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Executes dropped EXE
  - Sets file execution options in registry
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1028
- - C:\Windows\system\lsass.exe
    C:\Windows\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2944
- - C:\Windows\system\smss.exe
    C:\Windows\system\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3056
- - C:\Windows\system\svchost.exe
    C:\Windows\system\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3132
- C:\Windows\system\svchost.exe
  C:\Windows\system\svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Executes dropped EXE
  - Sets file execution options in registry
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2912
- - C:\Windows\system\lsass.exe
    C:\Windows\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1548
- - C:\Windows\system\smss.exe
    C:\Windows\system\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1692
- - C:\Windows\system\svchost.exe
    C:\Windows\system\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4392

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\.exe

Filesize
234KB

MD5
1af6267e20c199d090bc17b8336af7d6

SHA1
08d05a4aabedc42909a720cbd702df76e86793c8

SHA256
4369eb04c71c47367a0a96f3bf43f8205b0eeeb7ea9d55b2d2f1fcdc7efb6048

SHA512
0cb3ba780f6b67a8eb9cb1d255bc2626972cc3bd02fdc0c733d3f1c8d3dab2d25558af1a3d5056a2d0bc596359a4b473ae69864953794bede0c0d1d090955369

Download Submit
C:\Windows\.exe

Filesize
234KB

MD5
4539c2e8dedbd60c03d2be8bdb59400a

SHA1
efd71de1308dcb52e11b5e93692929e0e7cc1fd3

SHA256
37f8b8ed7177047b0035e64255899c83bfe03b7fd8a0532b315d22df56a607e7

SHA512
e0136646ecd46ed061d0b4677dba497976f06e4b42605479c42052150c72909aa9106218f0adf16192159cbae6d1a831c605e4d02b045c232712664235dca98b

Download Submit
C:\Windows\.exe

Filesize
234KB

MD5
1faa35102b84b0a72942e98dcaff3a13

SHA1
714fc0c15751e12af477c557815c19f5abacf77f

SHA256
853d25b402b1b5198b00519f9b9eca789aa732a433c78e15fe5965c3753fb452

SHA512
78dff3e042f3406e1b1ef317b8200a7af198445729ad1269366c77229862ef8b43aad0a54cbbb40d6dfd23b8571458bec602a89f73bace8292a0f624feba4713

Download Submit
C:\Windows\ActiveX.exe

Filesize
234KB

MD5
c1080fa6604e2f7d0d78bd78ae22111b

SHA1
0d97db02f62111216d9275bd41c2499b84f6e7d1

SHA256
45b7ac580bbdd88231ec718aad42b4e24006bc7e5b8848ba1da78ac56b57960a

SHA512
ff540374dbb0782b793583101225e02a2f8402c7b371c3ad68dc50c5fc3ad67d6d15573c365651c47a9c8265e274cb9e437913161f940d639d3fe324a27b7572

Download Submit
C:\Windows\ActiveX.exe

Filesize
234KB

MD5
044097bd8a318a7374c6939a64d9b39f

SHA1
a29c2c070d1fbc44c846ba69a94128f949dead00

SHA256
e8d3527bd25fb30fac10405e7a845fa3cae925ad7e08d7534988dfa45fdd8ad4

SHA512
f2c9057498b70110f05ce1ea4bbd283f73e3b645231d116d67ee0fd3625126e3504194bb5c92d1e4f41afcda3ed2cb26bfa1922b66e558759575f3ddf96c5868

Download Submit
C:\Windows\ActiveX.exe

Filesize
234KB

MD5
db34212533fdea715b05ce00abb89711

SHA1
1770fdb92b704108777d25b211b67f5c83b75d4e

SHA256
fa27ba777e37399743d2524821404d1b53ab25474b277767f291cd1ab1fbc659

SHA512
5390f97959b9f0834120f41accd15d6d9b32dfaf3225bdb154b4da313abe0691b9a3e13add0107c9a24e7e009ba577ff944ed6a680fe9d117a06e1b1642d536d

Download Submit
C:\Windows\SysWOW64\Oeminfo.ini

Filesize
106B

MD5
67fa4fca4bfa3de3aa2f9a7cf1b1df56

SHA1
beb76e7eace2503011d87c325a54c2a80420f84f

SHA256
cd7dfd7f48a4a8294808196e5870d541603c6cc3a686c8aca2423993f789b62e

SHA512
fe96f45ec32dbb982760421d9fc21c520cd9c8c8aefa994babbea6f3fa09a28f8a811d7385dc31f2abec53b48569d7a5632f08131e66bd3e32745ca0b0a6962d

Download Submit
C:\Windows\SysWOW64\Oeminfo.ini

Filesize
106B

MD5
67fa4fca4bfa3de3aa2f9a7cf1b1df56

SHA1
beb76e7eace2503011d87c325a54c2a80420f84f

SHA256
cd7dfd7f48a4a8294808196e5870d541603c6cc3a686c8aca2423993f789b62e

SHA512
fe96f45ec32dbb982760421d9fc21c520cd9c8c8aefa994babbea6f3fa09a28f8a811d7385dc31f2abec53b48569d7a5632f08131e66bd3e32745ca0b0a6962d

Download Submit
C:\Windows\SysWOW64\Oeminfo.ini

Filesize
106B

MD5
67fa4fca4bfa3de3aa2f9a7cf1b1df56

SHA1
beb76e7eace2503011d87c325a54c2a80420f84f

SHA256
cd7dfd7f48a4a8294808196e5870d541603c6cc3a686c8aca2423993f789b62e

SHA512
fe96f45ec32dbb982760421d9fc21c520cd9c8c8aefa994babbea6f3fa09a28f8a811d7385dc31f2abec53b48569d7a5632f08131e66bd3e32745ca0b0a6962d

Download Submit
C:\Windows\SysWOW64\_default.pif

Filesize
234KB

MD5
278864c2ce5f24aebaefa2102be78f48

SHA1
16585301e9745e639630dd911fc7ebdf68fc6f79

SHA256
1b29ce7dc52ad600b850f634eb3011d4a94483ce5337d0aa4a425e7f2d575925

SHA512
16866b92adec4b8195b62df7f845d41be554901875f90903d46014f4dbca7c57a1238fa35a0570cb7e4ec05a772cdd4d7e56c5635fd099f61f008f5076d2a120

Download Submit
C:\Windows\SysWOW64\_default.pif

Filesize
234KB

MD5
09f2414e3866d545572d45d1a74ed2af

SHA1
9256324c843d3f717552a60e11824b9e2136b1be

SHA256
dbeaef39f9a23a88eb2fe60a276fd37364cadec1c1d34fb5771b670b30a9bcf7

SHA512
c887300404693a516ffd7812dc3b07ffa1b1b3ded0024dd7417d3550ee160cc5955bc590d684d8e58e02f52e0b54ebb971678d0d14241026dbef0e426f0f76a3

Download Submit
C:\Windows\SysWOW64\_default.pif

Filesize
234KB

MD5
df11b1858136fbd4dc5b5d1d73355ef3

SHA1
d130d41e8e6c803fb5e5e4e05ee3d186068f4633

SHA256
a106abaa7ceedd1e89187e0b5177d7763ad58a14c515fb99c8dfa9f6834f3230

SHA512
0fe195c5f5018f8a6f9e15d4b403ad11b4fd6b3d4061503fcad3cfe8f9f9c00b472ef00af8e066aef1633947253aba6e515690f00fc2cc65e5392234fd6c7e2e

Download Submit
C:\Windows\SysWOW64\copy.pif

Filesize
234KB

MD5
3f26436f8386c181642fa9d7a58e1d1e

SHA1
431236502313f84983e04ec7fbf019affce1d817

SHA256
26c3ee49abd51386db17411f51431be9ef6ec92d0401e00cd2b6369020ed8070

SHA512
de5bd6bd65b6942d460b058786fda38628d0a84e460d221f9012b07dc7099ea99028e5bbc38c91c9b9388f216e67d4185be28bc2e0118cbf463a667f52156299

Download Submit
C:\Windows\SysWOW64\copy.pif

Filesize
234KB

MD5
414a931430b8e54b7976836e662961be

SHA1
0de688dbf4e66c73bf9be60834f0b5187a203ecd

SHA256
67dd82d41a9e6a684d3bf560623d7ba48cab3e41d2104f90f0e97695ee581d09

SHA512
6633d32e52aa414bafecf45bc9dab8f55f0440b6e7924ac912553824b01519c53262629568d16c0abfecd4ad65aec76d9df644b5ee0cb5fbf52005706a7df97f

Download Submit
C:\Windows\SysWOW64\copy.pif

Filesize
234KB

MD5
019b6cbd1430e0c7aee6ad1c06e08af7

SHA1
4730219c358238bd7b4f092a72cc3f81fb80d265

SHA256
d8d0c2c461a3f511139cf6eb4a3ea0d417bbe1edf3a7f9d97c5ce2fa888537db

SHA512
d03d4bf105c5b6c70ab8777ccb7eccda79fa0ad3d9f7d9f0853a25c84914bdbaa127dc21656487cc515109c85851a91a37b3436ec66cad16518c561fe9799357

Download Submit
C:\Windows\SysWOW64\surif.bin

Filesize
234KB

MD5
0da91d978bc3ec912303721b0ce125d0

SHA1
3e947439ec86deaf43a3a6c40b8ed96a452ed518

SHA256
e03cd2ee2b1f7ab126090e199f6141beb37ac0417e580071bba26faf95faf22c

SHA512
d35b623d7a288c1abb6a78f19a8b295af107e18e04bccf2915e6c951e23e140e7db3c2fe00ad6760f75a0cbad8799462fbb99235055c0c42930c75138b292bc0

Download Submit
C:\Windows\SysWOW64\surif.bin

Filesize
234KB

MD5
0da91d978bc3ec912303721b0ce125d0

SHA1
3e947439ec86deaf43a3a6c40b8ed96a452ed518

SHA256
e03cd2ee2b1f7ab126090e199f6141beb37ac0417e580071bba26faf95faf22c

SHA512
d35b623d7a288c1abb6a78f19a8b295af107e18e04bccf2915e6c951e23e140e7db3c2fe00ad6760f75a0cbad8799462fbb99235055c0c42930c75138b292bc0

Download Submit
C:\Windows\SysWOW64\surif.bin

Filesize
234KB

MD5
755620e6f448d7faa1adc1a26762a7af

SHA1
7160f6097ed724da822d85c7075f771b7079d983

SHA256
3bac80c46eadfb88699efa69d6771070a99a7eb3215159acd1457449f9c58516

SHA512
40d72e085a0d665ba076b68e212667e5e839832e1441d730fb194b9d86c144ff11652e74ae8dd5886ee0318eead9da643f21e54fca6f36ee0908001075d5a725

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\system\csrss.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\system\lsass.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\system\smss.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\system\svchost.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\system\winlogon.exe

Filesize
234KB

MD5
dbcc431d9a085f869a915f7c7286a866

SHA1
4bfa341e66cd5c3e3307fe2f71d3b5ffb0f71854

SHA256
c925ee33d992f8b2d0949ff78b94b761a8e989c423052d0e8c774c9476862ce5

SHA512
bb966ce1c4480883a357b0f8d2da47f8ae390e8707ab865da58af8507d9f2f973c52e3ae4f322d830a4ad1f3b0bb9a278eb0f243df28729c1d2dd3fa2aed2afc

Download Submit
C:\Windows\win32.exe

Filesize
234KB

MD5
affc5a082cd3905dc70ba6750fce7a93

SHA1
b06db9671b3db9beab2569ab299bbec075ccf2df

SHA256
524b8e050a260110c0dcf6830f3ee365b841b30e4656154bdef075845f16a03c

SHA512
9aefec5e71049d8e478cdae68628e58958727702128e15d183b9583c1dd8905208cf2fa0a33c8784f70ccc911bbc9c0dc30f49cc6262c855e9a85c1e21d48ab9

Download Submit
C:\Windows\win32.exe

Filesize
234KB

MD5
b3e15a40413840b042ad564ea395efde

SHA1
35a80308429bb3d60e6f455ad92151184f87e275

SHA256
f24384e68919cfbdac6cac434559a75bb698fd9bc11c59f38f5e416c8db8106e

SHA512
475d61ab997b99b85fb9d4427947619947f59d57d4fbaa4a664e3efe4d9060add5e40f2ca0d827ad5a5d8aa1ed11631323ffa915ea6cd47fb3fdf6947cee794c

Download Submit
C:\Windows\win32.exe

Filesize
234KB

MD5
c1e694c533aa61a7f9392265d46c4c05

SHA1
2a0c39d5db10a8ef64716687b147ebd1fb126335

SHA256
60fee50c86c581987d05c3fcb166aea9d1beb49a15a6c15738fb2388e443e920

SHA512
1c22094d55ab293ae43864ba9851996a28d1d3b7e109b3fcb0358bc4074060b43dc2344634faafc0033817105361a2d2ce08a706ff12dc148109c5d196832a36

Download Submit
C:\baca euy.txt

Filesize
4B

MD5
0ae9bcd0c0b0aa5aab99d84beca26ce8

SHA1
95ae2add76d30dc377e774ec0d5abc17a7832865

SHA256
91a4e2f100227487a802ac040b85700f03520b347fbfe4c23b7bf2d97b43d9fa

SHA512
2e5bce2521d799135a10bb14cc127a0f794d8cdd2bcd97ed90a7f2d4279f72abaf45a58daf7635472b3d845db21f13f03708fc40f89b1963c8344a89df2b3bd0

Download Submit
C:\baca euy.txt

Filesize
4B

MD5
0ae9bcd0c0b0aa5aab99d84beca26ce8

SHA1
95ae2add76d30dc377e774ec0d5abc17a7832865

SHA256
91a4e2f100227487a802ac040b85700f03520b347fbfe4c23b7bf2d97b43d9fa

SHA512
2e5bce2521d799135a10bb14cc127a0f794d8cdd2bcd97ed90a7f2d4279f72abaf45a58daf7635472b3d845db21f13f03708fc40f89b1963c8344a89df2b3bd0

Download Submit
C:\baca euy.txt

Filesize
4B

MD5
0ae9bcd0c0b0aa5aab99d84beca26ce8

SHA1
95ae2add76d30dc377e774ec0d5abc17a7832865

SHA256
91a4e2f100227487a802ac040b85700f03520b347fbfe4c23b7bf2d97b43d9fa

SHA512
2e5bce2521d799135a10bb14cc127a0f794d8cdd2bcd97ed90a7f2d4279f72abaf45a58daf7635472b3d845db21f13f03708fc40f89b1963c8344a89df2b3bd0

Download Submit
memory/320-228-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/320-147-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1028-181-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1028-229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1412-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1548-231-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1548-201-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1692-208-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2052-213-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2052-205-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-230-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2912-182-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-183-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2944-200-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3056-216-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3056-207-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3132-226-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4052-227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4052-133-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4340-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download