f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

Analysis

max time kernel
57s
max time network
197s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2022 14:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Size

234KB
MD5

e74f9d9c4b99281b3b0e16be9c63c638
SHA1

a62de451e246efe1892a47a67a3d6b0305dc5c03
SHA256

f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5
SHA512

a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757
SSDEEP

3072:k9wShh9nsKHcQZYxIs1T+Z3edjHDN4HZ4s8ENObhb5npLdnUInuy+iMS3h0qmkc:kThh9sKHRFnWs8ENOblJUIurS3h0qtc

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\copy.pif"	svchost.exe

Modifies system executable filetype association 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	svchost.exe

Modifies visibility of file extensions in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	svchost.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 12 IoCs

pid	Process
3284	lsass.exe
5052	smss.exe
4416	svchost.exe
320	lsass.exe
228	lsass.exe
3248	smss.exe
3724	smss.exe
2728	lsass.exe
3560	smss.exe
1856	svchost.exe
2440	svchost.exe
3984	svchost.exe

Sets file execution options in registry 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "C:\\Windows\\win32.exe"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger = "C:\\Windows\\win32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\win32.exe"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	lsass.exe

Windows security modification 2 TTPs 16 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	smss.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	svchost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run\	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	lsass.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	smss.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Default = "C:\\Windows\\system32\\_default.pif"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ present = "C:\\Windows\\.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Admin = "C:\\Windows\\system\\winlogon.exe"	svchost.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\O:	lsass.exe
File opened (read-only)	\??\E:	smss.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\J:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\Z:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\P:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\W:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\Y:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\G:	lsass.exe
File opened (read-only)	\??\S:	lsass.exe
File opened (read-only)	\??\Y:	lsass.exe
File opened (read-only)	\??\M:	smss.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\O:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\Z:	lsass.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\I:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\H:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\F:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\L:	lsass.exe
File opened (read-only)	\??\U:	lsass.exe
File opened (read-only)	\??\V:	lsass.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\H:	lsass.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\E:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\H:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\S:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\T:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\U:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\K:	lsass.exe
File opened (read-only)	\??\Q:	lsass.exe
File opened (read-only)	\??\M:	lsass.exe
File opened (read-only)	\??\X:	lsass.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\R:	smss.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\B:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\Q:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\V:	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened (read-only)	\??\I:	lsass.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\R:	lsass.exe

Modifies WinLogon 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\	smss.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\copy.pif	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File created	C:\Windows\SysWOW64\_default.pif	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File created	C:\Windows\SysWOW64\Oeminfo.ini	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\SysWOW64\copy.pif	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Oeminfo.ini	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Oeminfo.ini	smss.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\SysWOW64\copy.pif	smss.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	smss.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	smss.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	svchost.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	lsass.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	lsass.exe
File opened for modification	C:\Windows\SysWOW64\_default.pif	svchost.exe
File opened for modification	C:\Windows\SysWOW64\Oeminfo.ini	lsass.exe
File created	C:\Windows\SysWOW64\copy.pif	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File created	C:\Windows\SysWOW64\surif.bin	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\SysWOW64\surif.bin	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\SysWOW64\copy.pif	lsass.exe

Drops file in Windows directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system\svchost.exe	lsass.exe
File created	C:\Windows\system\svchost.exe	smss.exe
File opened for modification	C:\Windows\system\svchost.exe	smss.exe
File opened for modification	C:\Windows\system\svchost.exe	svchost.exe
File created	C:\Windows\ActiveX.exe	svchost.exe
File created	C:\Windows\system\csrss.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File created	C:\Windows\ActiveX.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File created	C:\Windows\system\lsass.exe	lsass.exe
File created	C:\Windows\system\svchost.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\system\lsass.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\system\lsass.exe	lsass.exe
File created	C:\Windows\system\lsass.exe	smss.exe
File created	C:\Windows\system\csrss.exe	smss.exe
File created	C:\Windows\system\smss.exe	svchost.exe
File opened for modification	C:\Windows\win32.exe	svchost.exe
File opened for modification	C:\Windows\ActiveX.exe	smss.exe
File created	C:\Windows\system\lsass.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\win32.exe	smss.exe
File opened for modification	C:\Windows\system\winlogon.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\system\csrss.exe	lsass.exe
File opened for modification	C:\Windows\system\smss.exe	smss.exe
File opened for modification	C:\Windows\system\lsass.exe	smss.exe
File opened for modification	C:\Windows\system\winlogon.exe	smss.exe
File opened for modification	C:\Windows\ActiveX.exe	lsass.exe
File created	C:\Windows\system\lsass.exe	svchost.exe
File opened for modification	C:\Windows\system\csrss.exe	svchost.exe
File created	C:\Windows\system\svchost.exe	lsass.exe
File created	C:\Windows\system\csrss.exe	svchost.exe
File created	C:\Windows\system\svchost.exe	svchost.exe
File created	C:\Windows\win32.exe	svchost.exe
File opened for modification	C:\Windows\win32.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File created	C:\Windows\system\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\system\smss.exe	lsass.exe
File opened for modification	C:\Windows\system\winlogon.exe	svchost.exe
File created	C:\Windows\.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File created	C:\Windows\system\winlogon.exe	smss.exe
File opened for modification	C:\Windows\system\lsass.exe	svchost.exe
File opened for modification	C:\Windows\ActiveX.exe	svchost.exe
File opened for modification	C:\Windows\system\smss.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\.exe	smss.exe
File opened for modification	C:\Windows\.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\ActiveX.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\system\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\system\svchost.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\.exe	svchost.exe
File created	C:\Windows\win32.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File created	C:\Windows\system\winlogon.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\win32.exe	lsass.exe
File created	C:\Windows\system\smss.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File created	C:\Windows\system\csrss.exe	lsass.exe
File opened for modification	C:\Windows\system\smss.exe	svchost.exe
File opened for modification	C:\Windows\system\csrss.exe	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
File opened for modification	C:\Windows\system\csrss.exe	smss.exe
File created	C:\Windows\system\winlogon.exe	svchost.exe
File created	C:\Windows\system\smss.exe	smss.exe
File created	C:\Windows\system\smss.exe	lsass.exe
File created	C:\Windows\.exe	svchost.exe
File opened for modification	C:\Windows\.exe	lsass.exe

Modifies registry class 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
3284	lsass.exe
4416	svchost.exe
5052	smss.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
3284	lsass.exe
5052	smss.exe
4416	svchost.exe
320	lsass.exe
228	lsass.exe
3248	smss.exe
3724	smss.exe
2728	lsass.exe
2440	svchost.exe
3560	smss.exe
1856	svchost.exe
3984	svchost.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1524 wrote to memory of 3284	1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe	82
PID 1524 wrote to memory of 3284	1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe	82
PID 1524 wrote to memory of 3284	1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe	82
PID 1524 wrote to memory of 5052	1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe	83
PID 1524 wrote to memory of 5052	1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe	83
PID 1524 wrote to memory of 5052	1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe	83
PID 1524 wrote to memory of 4416	1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe	84
PID 1524 wrote to memory of 4416	1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe	84
PID 1524 wrote to memory of 4416	1524	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe	84
PID 3284 wrote to memory of 320	3284	lsass.exe	86
PID 3284 wrote to memory of 320	3284	lsass.exe	86
PID 3284 wrote to memory of 320	3284	lsass.exe	86
PID 5052 wrote to memory of 228	5052	smss.exe	85
PID 5052 wrote to memory of 228	5052	smss.exe	85
PID 5052 wrote to memory of 228	5052	smss.exe	85
PID 3284 wrote to memory of 3248	3284	lsass.exe	88
PID 3284 wrote to memory of 3248	3284	lsass.exe	88
PID 3284 wrote to memory of 3248	3284	lsass.exe	88
PID 5052 wrote to memory of 3724	5052	smss.exe	87
PID 5052 wrote to memory of 3724	5052	smss.exe	87
PID 5052 wrote to memory of 3724	5052	smss.exe	87
PID 4416 wrote to memory of 2728	4416	svchost.exe	89
PID 4416 wrote to memory of 2728	4416	svchost.exe	89
PID 4416 wrote to memory of 2728	4416	svchost.exe	89
PID 4416 wrote to memory of 3560	4416	svchost.exe	92
PID 4416 wrote to memory of 3560	4416	svchost.exe	92
PID 4416 wrote to memory of 3560	4416	svchost.exe	92
PID 5052 wrote to memory of 1856	5052	smss.exe	91
PID 5052 wrote to memory of 1856	5052	smss.exe	91
PID 5052 wrote to memory of 1856	5052	smss.exe	91
PID 3284 wrote to memory of 2440	3284	lsass.exe	90
PID 3284 wrote to memory of 2440	3284	lsass.exe	90
PID 3284 wrote to memory of 2440	3284	lsass.exe	90
PID 4416 wrote to memory of 3984	4416	svchost.exe	93
PID 4416 wrote to memory of 3984	4416	svchost.exe	93
PID 4416 wrote to memory of 3984	4416	svchost.exe	93

System policy modification 1 TTPs 8 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	lsass.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFind = "1"	f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe

C:\Users\Admin\AppData\Local\Temp\f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe
"C:\Users\Admin\AppData\Local\Temp\f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies system executable filetype association
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Windows security bypass
- Sets file execution options in registry
- Windows security modification
- Adds Run key to start application
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1524
- C:\Windows\system\lsass.exe
  C:\Windows\system\lsass.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Executes dropped EXE
  - Sets file execution options in registry
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3284
- - C:\Windows\system\lsass.exe
    C:\Windows\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:320
- - C:\Windows\system\smss.exe
    C:\Windows\system\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3248
- - C:\Windows\system\svchost.exe
    C:\Windows\system\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2440
- C:\Windows\system\smss.exe
  C:\Windows\system\smss.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Executes dropped EXE
  - Sets file execution options in registry
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:5052
- - C:\Windows\system\lsass.exe
    C:\Windows\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:228
- - C:\Windows\system\smss.exe
    C:\Windows\system\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3724
- - C:\Windows\system\svchost.exe
    C:\Windows\system\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1856
- C:\Windows\system\svchost.exe
  C:\Windows\system\svchost.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Windows security bypass
  - Executes dropped EXE
  - Sets file execution options in registry
  - Windows security modification
  - Adds Run key to start application
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:4416
- - C:\Windows\system\lsass.exe
    C:\Windows\system\lsass.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2728
- - C:\Windows\system\smss.exe
    C:\Windows\system\smss.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3560
- - C:\Windows\system\svchost.exe
    C:\Windows\system\svchost.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\WINDOWS.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\.exe

Filesize
234KB

MD5
8014f780eeaf603fd02ecd00679570bb

SHA1
307767d9354bdf9d1248a65192ec894642aea0bf

SHA256
bab15fbf2c34f1821803175f1ac4b8486a8bb927ef7624698948584a33670b13

SHA512
ae9326f3db089223662524261433490187fd4c19967c62a6749a13dce521e4dd7665549caf158e3c1c2f4c7d4b6c7ea55af731c0606c56261a3122d4a2a24a73

Download Submit
C:\Windows\.exe

Filesize
234KB

MD5
d6196e67a03c5e353a96510829423a46

SHA1
1a6c7a5eda9d36397f11d78b5c5299e2aab60183

SHA256
6db07c5c3073760ddfee7bb82b5edff6d9b59e2179872f3e1dcbdd74ffa80adf

SHA512
26953ae28e9b1f276029c3ac3babaa1030f03deced996d6741afe965251c8482039cf666abc54efd4bb66ebf0339cf8751a0d38a6708af934f7c5e9343ce30db

Download Submit
C:\Windows\ActiveX.exe

Filesize
234KB

MD5
a15d8c4dda1fbb9488186e76560104e9

SHA1
ccfce0a4bab86d94ed1132de92eb2cee1cce9d5c

SHA256
b6a6f1b7d735816bc87eeb9d124b557037ef2d418c27fc7e0943129a925981a7

SHA512
2bf889a9b1d1c6c0d1a48f0c4e6def0613e24b428ab2a833ef9bd9888c4b6db0693f7a9e12581da171d71b8624fee29f1211be415a3add181cef8b72035a251f

Download Submit
C:\Windows\ActiveX.exe

Filesize
234KB

MD5
2f5f079effbe02ef801b402d8f4ec74d

SHA1
124824663f2392f46f6ccdb73307cf9578946369

SHA256
b06de6af0d5a0f2a80d438c29f646d653ebdad4acf5e0bbbf49279c7e37f7013

SHA512
e6f8eea6027cf7bb8dece534c7d6bf44b473e68881cee094a754703e13a74e4a00ccbfe9089098eb6263c2850bfdd800d8d9c3246f56ef1798cab53d3ec9c8e7

Download Submit
C:\Windows\ActiveX.exe

Filesize
234KB

MD5
979effe883148d4406843a34e79cf612

SHA1
0867675ec4b0351f51323c1f9f0f4084f036cac7

SHA256
14bf03bf88cd895204d3a2b6e66f523dcc15833767d1e1098ddb147466e001b6

SHA512
aeb3d218ece0beeef3ff7852a3c7e650e85e2907ee4c417c72c60f2c30b808d27b9451a352dcf6cc9c25fa3150519ce87cede4a4f1c6003230efc08a1966a084

Download Submit
C:\Windows\SysWOW64\Oeminfo.ini

Filesize
106B

MD5
67fa4fca4bfa3de3aa2f9a7cf1b1df56

SHA1
beb76e7eace2503011d87c325a54c2a80420f84f

SHA256
cd7dfd7f48a4a8294808196e5870d541603c6cc3a686c8aca2423993f789b62e

SHA512
fe96f45ec32dbb982760421d9fc21c520cd9c8c8aefa994babbea6f3fa09a28f8a811d7385dc31f2abec53b48569d7a5632f08131e66bd3e32745ca0b0a6962d

Download Submit
C:\Windows\SysWOW64\Oeminfo.ini

Filesize
106B

MD5
67fa4fca4bfa3de3aa2f9a7cf1b1df56

SHA1
beb76e7eace2503011d87c325a54c2a80420f84f

SHA256
cd7dfd7f48a4a8294808196e5870d541603c6cc3a686c8aca2423993f789b62e

SHA512
fe96f45ec32dbb982760421d9fc21c520cd9c8c8aefa994babbea6f3fa09a28f8a811d7385dc31f2abec53b48569d7a5632f08131e66bd3e32745ca0b0a6962d

Download Submit
C:\Windows\SysWOW64\Oeminfo.ini

Filesize
106B

MD5
67fa4fca4bfa3de3aa2f9a7cf1b1df56

SHA1
beb76e7eace2503011d87c325a54c2a80420f84f

SHA256
cd7dfd7f48a4a8294808196e5870d541603c6cc3a686c8aca2423993f789b62e

SHA512
fe96f45ec32dbb982760421d9fc21c520cd9c8c8aefa994babbea6f3fa09a28f8a811d7385dc31f2abec53b48569d7a5632f08131e66bd3e32745ca0b0a6962d

Download Submit
C:\Windows\SysWOW64\_default.pif

Filesize
234KB

MD5
900bf4a4a01da1cf390bb6cbd2065486

SHA1
04d05daf74762c1c7fc8135c92cff35c3a42d4a4

SHA256
bf88ffeeb7fb19efdbd8b083ddc5c638b57656d51334ad5d8a39a334e9e6473c

SHA512
8a3b49ee171890b4db0669d15111e0c95d59b70423072239a764894c912951e252557ced5e19795ef1a0b9b3a5d0fd87e4cef7d6531b5c2312c7ff7afa00256b

Download Submit
C:\Windows\SysWOW64\_default.pif

Filesize
234KB

MD5
1a05522ba4740d4ce40216db67d0e0f2

SHA1
eb6195a316b9696aebbdc79a10643dc25c23fa09

SHA256
472830af4d08e6ce520fc79a8fc97ebbb24eb4590b2b318514e8451630597cd3

SHA512
7275b943adde369e8b4e73bf2132ee08cb909d5717921d7bdaf69482fea870a2e159ecc8082121250b712a229c5e028894c10a55008ddfb519b5c63af1dc2b0d

Download Submit
C:\Windows\SysWOW64\_default.pif

Filesize
234KB

MD5
4a7bce965bd7f80ffd93cad4adc3be3c

SHA1
38db269fa085bdbb3861a47bda81c2c4e0a64c72

SHA256
6ca0f1b328a7ea69685cf78d6f00920690c9c6ddfd41c87adfe5ea3c51603ed1

SHA512
79fa9cf5ca195f0b00c4ddcf95821cd51fda6ad3f8048c01c235e6d557d99adedae8e2c7148bb46865efc5f91884261181f8c145fad0a345ca4e4d8cd016c94c

Download Submit
C:\Windows\SysWOW64\copy.pif

Filesize
234KB

MD5
0b4b0fb0a527e1e7ff11baa50a38e13d

SHA1
d6aac97f4f22f8da6a81bb496caff7341004fbb4

SHA256
a9fc13e96af8e87a521b52eeb163700055ec3e4035c18722e110805680ffa6bf

SHA512
9f23a17e85d80e6387dc12e98887107dbf70201206bb73b359761fda08d3910be0d98f8bb0cceb3d519fcf629afbd3454886e9fe531fd63401bc6dd45ccd8c3e

Download Submit
C:\Windows\SysWOW64\copy.pif

Filesize
234KB

MD5
25b8591e14c66f486032a6a2799733f8

SHA1
c6b2b37b36db52f89b993a14efc07c66da1e7e84

SHA256
fbfb9818273183e74eaa079d6590596d75e01e186f88c20fc52209650621d9a9

SHA512
4278f895262991569cb1592b965f26f3cf3f95643bb7ac6499e2309f5fc027c2fdef6ddd80e08899e86662ef34f3625b9ba1069b183ac575f7e397d377c6ed04

Download Submit
C:\Windows\SysWOW64\copy.pif

Filesize
234KB

MD5
969205a643a14b5552076a055f992966

SHA1
c6f067d44313712eef07a8590bbf143d524c187a

SHA256
cffa2e4fdfe71f6d5573a8116e368be4c0504daf82fd2072c3c50fd0b93024de

SHA512
d7d5afcf77fd1ecd535b9232efe0917d29458ea27553089f0443bb405a192f393857a1e956067c4f2f692a3e8d1c6f20dfbee2a9d7c3b02217baf88b2aa3f414

Download Submit
C:\Windows\SysWOW64\surif.bin

Filesize
234KB

MD5
77eb5402d4c3d106c49f0f0bcc0b186b

SHA1
a40d38147085e49f4bf5ed2a56ada785bc30dc4d

SHA256
07ed80164a4eb68d80d7d388bfd2fbc6160b9fb1d5820b9ec8abc52aea83556f

SHA512
b4e996933e3182ec322705af2b6ca01f21789b3e1b3a3aec6e84f973acc3f08c8970fb7a57fcd655e9c87a2a5be4caa1b14e2efc0d060ffa9bfba271ec0f0440

Download Submit
C:\Windows\SysWOW64\surif.bin

Filesize
234KB

MD5
c9d6b34b2a953a553a37052498418e0f

SHA1
7b65e9533aaa479c37901a5eb8710d751ae465f1

SHA256
2a1141b59e6bfc04f6688457461d04844d3b3ce7780c358c2b4d33d2543fefe6

SHA512
a0067cafef762c4dd899f7a2415afd35238e04b82aa2b43918249338f327ef26013ae243ab357b0f325fb5180710189de493074ddf01fc6ac7340f60168fcfa6

Download Submit
C:\Windows\SysWOW64\surif.bin

Filesize
234KB

MD5
cb640e332509cd628c37fd7cb058e66f

SHA1
f4c4cc25ea6766901ddfeb5dc6d4a499108b3945

SHA256
ad06b2d996ef18e4e4a5d5889dc53168de6fafb291dc6f4fde6c1322e0bdb5a0

SHA512
83608f0d4b57328da08d5c7c744e269f0d56860c33ea4330ffaadbe1ebfb8d14697c5552128dc1f1d0784a28c68bb615d5bbcc5f4f48b1a323934ee856b1c444

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\lsass.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\smss.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\System\svchost.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\system\csrss.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\system\lsass.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\system\smss.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\system\svchost.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\system\winlogon.exe

Filesize
234KB

MD5
e74f9d9c4b99281b3b0e16be9c63c638

SHA1
a62de451e246efe1892a47a67a3d6b0305dc5c03

SHA256
f02f36f72aef927a2306fe8524470c694a36593431a1ebb6840fb10b452159d5

SHA512
a812b672a2581b252f1608d2945264954b6aaa827ae673fc2832eab560d4d4cfceb16e7f567aa4ea6ee81480d813044a315a530824d42d752c7ca9183a4ea757

Download Submit
C:\Windows\win32.exe

Filesize
234KB

MD5
d68cb145fa5b80bda2871e93a8ab7b94

SHA1
058fb1e3faae31d6657d9feb79f779d592b891da

SHA256
9d2cff42a95bfbf1b208b7607a84f9c8b0bbb3eb7de0b315fd73ba90b2b8fbbe

SHA512
c97b02b81da69bf5f2cdd1c818979aed2f5b220fe570e6b5d3220155dc98249ad98219dc6ad779a05f6c7023881c5812e5d6ff229b7561c2fb4d612dc820def5

Download Submit
C:\Windows\win32.exe

Filesize
234KB

MD5
738aa14bbdc6495d03aa106e62768f3d

SHA1
3ab8df15bad3cbb9f82608a6292f5d2ce14b544a

SHA256
e7f9ce7d7bb4df9627e0603840267a5fd6096ad79ca804bba25cee0850485e0d

SHA512
57a04df67463481b2a4b2bee0b8c339aa01f1d12bd2541aae569925100d1a14e2b6c41cdfba092b178bc0dcbdadeaab26b0bb21a7127ffac9dc9ec2697869bbb

Download Submit
C:\Windows\win32.exe

Filesize
234KB

MD5
0ad2bdef7c45d48b732049abb6084db5

SHA1
2755dc33b2dcc17f95860853407cb5dc9ffce93a

SHA256
3e67d965d8c588aace5da6ca712fcd433823659995f83480bc1a26effc828536

SHA512
8e3f361d67f0d671204eb1c3ca52d141a208d1b216f44cf78a12c2ec697927fe289c457612bac8407736669a9fe552aa64e7b345bf96c29f6130662f9161f907

Download Submit
C:\baca euy.txt

Filesize
4B

MD5
0ae9bcd0c0b0aa5aab99d84beca26ce8

SHA1
95ae2add76d30dc377e774ec0d5abc17a7832865

SHA256
91a4e2f100227487a802ac040b85700f03520b347fbfe4c23b7bf2d97b43d9fa

SHA512
2e5bce2521d799135a10bb14cc127a0f794d8cdd2bcd97ed90a7f2d4279f72abaf45a58daf7635472b3d845db21f13f03708fc40f89b1963c8344a89df2b3bd0

Download Submit
C:\baca euy.txt

Filesize
4B

MD5
0ae9bcd0c0b0aa5aab99d84beca26ce8

SHA1
95ae2add76d30dc377e774ec0d5abc17a7832865

SHA256
91a4e2f100227487a802ac040b85700f03520b347fbfe4c23b7bf2d97b43d9fa

SHA512
2e5bce2521d799135a10bb14cc127a0f794d8cdd2bcd97ed90a7f2d4279f72abaf45a58daf7635472b3d845db21f13f03708fc40f89b1963c8344a89df2b3bd0

Download Submit
C:\baca euy.txt

Filesize
4B

MD5
0ae9bcd0c0b0aa5aab99d84beca26ce8

SHA1
95ae2add76d30dc377e774ec0d5abc17a7832865

SHA256
91a4e2f100227487a802ac040b85700f03520b347fbfe4c23b7bf2d97b43d9fa

SHA512
2e5bce2521d799135a10bb14cc127a0f794d8cdd2bcd97ed90a7f2d4279f72abaf45a58daf7635472b3d845db21f13f03708fc40f89b1963c8344a89df2b3bd0

Download Submit
memory/228-184-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/228-188-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/228-174-0x0000000000000000-mapping.dmp

Download
memory/320-187-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/320-181-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/320-173-0x0000000000000000-mapping.dmp

Download
memory/1524-226-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1524-132-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1856-225-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1856-217-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1856-202-0x0000000000000000-mapping.dmp

Download
memory/2440-203-0x0000000000000000-mapping.dmp

Download
memory/2440-218-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2728-205-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2728-197-0x0000000000000000-mapping.dmp

Download
memory/3248-204-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3248-185-0x0000000000000000-mapping.dmp

Download
memory/3284-153-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3284-227-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3284-135-0x0000000000000000-mapping.dmp

Download
memory/3560-201-0x0000000000000000-mapping.dmp

Download
memory/3724-186-0x0000000000000000-mapping.dmp

Download
memory/3984-224-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3984-216-0x0000000000000000-mapping.dmp

Download
memory/4416-178-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/4416-155-0x0000000000000000-mapping.dmp

Download
memory/4416-229-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5052-154-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/5052-142-0x0000000000000000-mapping.dmp

Download
memory/5052-228-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download