21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6

Analysis

max time kernel
143s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/08/2023, 07:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
Size

1.2MB
MD5

a21d654f5d1ec670946d2d19d8af71fa
SHA1

9954fc6f649e091ba182313f03ca5a0670cdd8a3
SHA256

21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6
SHA512

500912f1301b10a9b4bb98fc1be2be2dc29b7809093daa082a69f72586bc9962cb0a3aa79e896b9f7692474ae2b153758edf58e34ee7958b6e210be1ba5a140e
SSDEEP

24576:K/gFWeW4ED0V1k/bSfMO3V8yypRtb2c6xU8dj5kkr6Got9:KYGDN/bir8yEvSU8dVkJt9

Score

8^/10

aspackv2 evasion upx

Malware Config

Signatures

Sets file to hidden 1 TTPs 21 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4020	attrib.exe
4460	attrib.exe
2192	attrib.exe
4864	attrib.exe
4908	attrib.exe
4392	attrib.exe
4608	attrib.exe
1092	attrib.exe
5008	attrib.exe
5104	attrib.exe
3588	attrib.exe
1696	attrib.exe
3008	attrib.exe
4524	attrib.exe
2480	attrib.exe
1704	attrib.exe
2912	attrib.exe
3296	attrib.exe
4932	attrib.exe
536	attrib.exe
3560	attrib.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00060000000231fa-211.dat	acprotect

ASPack v2.12-2.42 4 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00060000000231f5-210.dat	aspack_v212_v242
behavioral2/files/0x00060000000231f7-214.dat	aspack_v212_v242
behavioral2/files/0x00060000000231f8-215.dat	aspack_v212_v242
behavioral2/files/0x00060000000231f9-217.dat	aspack_v212_v242

Executes dropped EXE 4 IoCs

pid	Process
516	h.exe
1732	h.exe
3548	h.exe
1012	h.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00060000000231f6-163.dat	upx
behavioral2/files/0x00060000000231f6-166.dat	upx
behavioral2/files/0x00060000000231f6-168.dat	upx
behavioral2/memory/516-167-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/516-171-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x00060000000231f6-204.dat	upx
behavioral2/memory/1732-205-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x00060000000231f6-206.dat	upx
behavioral2/memory/3548-207-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x00060000000231f6-208.dat	upx
behavioral2/memory/1012-209-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x00060000000231fa-211.dat	upx

Drops file in Windows directory 49 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM\DRIVER\winlogon.dll	attrib.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\csrss.exe	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\ntuser.exe	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\cygcrypt-0.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\ntauth.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\Copy (41) of 5.txt	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\ntauth.dll	cmd.exe
File opened for modification	C:\Windows\system\driver\DAP	attrib.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER\csrss.exe	attrib.exe
File opened for modification	C:\Windows\system\driver\DAP\NTLOG	attrib.exe
File created	C:\Windows\System\DRIVER\setup.bat	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\h.exe	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\cygwin1.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\svchostlogon.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\New Text Document (5).txt	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER\svchostlogon.dll	attrib.exe
File opened for modification	C:\Windows\system\driver\DAP\LOG	attrib.exe
File created	C:\Windows\System\DRIVER\csrss.exe	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\cygcrypt-0.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\ntauth.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\servicesmgr.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\svchostlogon.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\servicesmgr.dll	cmd.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER\cygwin1.dll	attrib.exe
File opened for modification	C:\Windows\System\DRIVER\setup.bat	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\ntsrv.exe	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\services.exe	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\servicesmgr.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER\servicesmgr.dll	attrib.exe
File opened for modification	C:\Windows\System\DRIVER\ntuser.exe	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\winlogon.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\Copy (41) of 5.txt	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER\ntsrv.exe	attrib.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER\ntuser.exe	attrib.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER\services.exe	attrib.exe
File opened for modification	C:\Windows\System\DRIVER\cygwin1.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\servicelogon.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\servicelogon.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\winlogon.dll	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\New Text Document (5).txt	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER\ntauth.dll	attrib.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER\servicelogon.dll	attrib.exe
File opened for modification	C:\Windows\System\DRIVER\h.exe	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File created	C:\Windows\System\DRIVER\ntsrv.exe	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\services.exe	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
File opened for modification	C:\Windows\System\DRIVER\winlogon.dll	cmd.exe
File opened for modification	C:\Windows\SYSTEM\DRIVER\cygcrypt-0.dll	attrib.exe
File opened for modification	C:\Windows\system\DRIVER	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 516	2960	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe	85
PID 2960 wrote to memory of 516	2960	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe	85
PID 2960 wrote to memory of 516	2960	21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe	85
PID 516 wrote to memory of 524	516	h.exe	86
PID 516 wrote to memory of 524	516	h.exe	86
PID 516 wrote to memory of 524	516	h.exe	86
PID 524 wrote to memory of 1732	524	cmd.exe	88
PID 524 wrote to memory of 1732	524	cmd.exe	88
PID 524 wrote to memory of 1732	524	cmd.exe	88
PID 524 wrote to memory of 3548	524	cmd.exe	89
PID 524 wrote to memory of 3548	524	cmd.exe	89
PID 524 wrote to memory of 3548	524	cmd.exe	89
PID 524 wrote to memory of 1012	524	cmd.exe	90
PID 524 wrote to memory of 1012	524	cmd.exe	90
PID 524 wrote to memory of 1012	524	cmd.exe	90
PID 524 wrote to memory of 5040	524	cmd.exe	91
PID 524 wrote to memory of 5040	524	cmd.exe	91
PID 524 wrote to memory of 5040	524	cmd.exe	91
PID 5040 wrote to memory of 1384	5040	net.exe	92
PID 5040 wrote to memory of 1384	5040	net.exe	92
PID 5040 wrote to memory of 1384	5040	net.exe	92
PID 524 wrote to memory of 2660	524	cmd.exe	93
PID 524 wrote to memory of 2660	524	cmd.exe	93
PID 524 wrote to memory of 2660	524	cmd.exe	93
PID 2660 wrote to memory of 4316	2660	net.exe	94
PID 2660 wrote to memory of 4316	2660	net.exe	94
PID 2660 wrote to memory of 4316	2660	net.exe	94
PID 524 wrote to memory of 1616	524	cmd.exe	95
PID 524 wrote to memory of 1616	524	cmd.exe	95
PID 524 wrote to memory of 1616	524	cmd.exe	95
PID 1616 wrote to memory of 1676	1616	net.exe	96
PID 1616 wrote to memory of 1676	1616	net.exe	96
PID 1616 wrote to memory of 1676	1616	net.exe	96
PID 524 wrote to memory of 2480	524	cmd.exe	97
PID 524 wrote to memory of 2480	524	cmd.exe	97
PID 524 wrote to memory of 2480	524	cmd.exe	97
PID 524 wrote to memory of 4932	524	cmd.exe	98
PID 524 wrote to memory of 4932	524	cmd.exe	98
PID 524 wrote to memory of 4932	524	cmd.exe	98
PID 524 wrote to memory of 1092	524	cmd.exe	99
PID 524 wrote to memory of 1092	524	cmd.exe	99
PID 524 wrote to memory of 1092	524	cmd.exe	99
PID 524 wrote to memory of 4864	524	cmd.exe	100
PID 524 wrote to memory of 4864	524	cmd.exe	100
PID 524 wrote to memory of 4864	524	cmd.exe	100
PID 524 wrote to memory of 1704	524	cmd.exe	101
PID 524 wrote to memory of 1704	524	cmd.exe	101
PID 524 wrote to memory of 1704	524	cmd.exe	101
PID 524 wrote to memory of 536	524	cmd.exe	102
PID 524 wrote to memory of 536	524	cmd.exe	102
PID 524 wrote to memory of 536	524	cmd.exe	102
PID 524 wrote to memory of 4908	524	cmd.exe	103
PID 524 wrote to memory of 4908	524	cmd.exe	103
PID 524 wrote to memory of 4908	524	cmd.exe	103
PID 524 wrote to memory of 2912	524	cmd.exe	104
PID 524 wrote to memory of 2912	524	cmd.exe	104
PID 524 wrote to memory of 2912	524	cmd.exe	104
PID 524 wrote to memory of 4392	524	cmd.exe	105
PID 524 wrote to memory of 4392	524	cmd.exe	105
PID 524 wrote to memory of 4392	524	cmd.exe	105
PID 524 wrote to memory of 4020	524	cmd.exe	106
PID 524 wrote to memory of 4020	524	cmd.exe	106
PID 524 wrote to memory of 4020	524	cmd.exe	106
PID 524 wrote to memory of 4460	524	cmd.exe	107

Views/modifies file attributes 1 TTPs 21 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2912	attrib.exe
4392	attrib.exe
2192	attrib.exe
3296	attrib.exe
4908	attrib.exe
5104	attrib.exe
4932	attrib.exe
536	attrib.exe
3008	attrib.exe
4460	attrib.exe
5008	attrib.exe
3588	attrib.exe
2480	attrib.exe
1092	attrib.exe
4864	attrib.exe
1704	attrib.exe
4020	attrib.exe
1696	attrib.exe
3560	attrib.exe
4524	attrib.exe
4608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe
"C:\Users\Admin\AppData\Local\Temp\21cc23e78ed3b7bf0c0a34fd671640b31ea92a8f263bab6e127bdcffec9d60a6.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\SYSTEM\DRIVER\h.exe
  "C:\Windows\SYSTEM\DRIVER\h.exe" setup.bat
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:516
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c setup.bat
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:524
  - - C:\Windows\SYSTEM\DRIVER\h.exe
      h.exe ntsrv -install -name:"NTLOAD" -launch:"C:\Windows\system\driver\csrss.exe"
      4⤵
      Executes dropped EXE
      PID:1732
  - - C:\Windows\SYSTEM\DRIVER\h.exe
      h.exe ntsrv -install -name:"NTSVCMGR" -launch:"C:\Windows\system\driver\services.exe C:\Windows\system\driver\ntauth.dll"
      4⤵
      Executes dropped EXE
      PID:3548
  - - C:\Windows\SYSTEM\DRIVER\h.exe
      h.exe ntuser.exe -install
      4⤵
      Executes dropped EXE
      PID:1012
  - - C:\Windows\SysWOW64\net.exe
      net start NTLOAD
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start NTLOAD
        5⤵
        
        PID:1384
  - - C:\Windows\SysWOW64\net.exe
      net start NTSVCMGR
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start NTSVCMGR
        5⤵
        
        PID:4316
  - - C:\Windows\SysWOW64\net.exe
      net start NTBOOTMGR
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1616
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start NTBOOTMGR
        5⤵
        
        PID:1676
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H csrss.exe
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:2480
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H cygcrypt-0.dll
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:4932
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H cygwin1.dll
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1092
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H libeay32.dll
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4864
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H ntauth.dll
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1704
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H ntservice.dll
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:536
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H ntsrv.exe
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:4908
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H ntuser.exe
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:2912
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H servicelogon.dll
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:4392
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H servicent.dll
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:4020
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H services.exe
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:4460
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H servicesmgr.dll
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:5008
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H ssleay32.dll
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3588
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H svchostlogon.dll
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:2192
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H winlogon.dll
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:1696
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H servicent.dll
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3008
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H ntservice.dll
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3560
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H C:\Windows\system\driver
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:5104
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H C:\Windows\system\driver\DAP
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:4524
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H C:\Windows\system\driver\DAP\LOG
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:3296
  - - C:\Windows\SysWOW64\attrib.exe
      ATTRIB +R +S +H C:\Windows\system\driver\DAP\NTLOG
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:4608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SYSTEM\DRIVER\csrss.exe

Filesize
682KB

MD5
dee02ab15d2431bd7627b43df870a964

SHA1
85714c62d5723d7cf03c8e22d003a0f338eadade

SHA256
7e68c6e03c827a65ddf511f5d4b8254aeb265b39363d94dc614ffe47ea30e7d8

SHA512
82c018c117c789ef6e49c6ccf0a77f055362d7a132fb65868e2cddc155be2a7b3279d64b5e05f4cdf82490e4a79999b2d9988a02bd4892b606139b79e4418a81

Download Submit
C:\Windows\SYSTEM\DRIVER\cygcrypt-0.dll

Filesize
4KB

MD5
82b006aa0e496983a112a61df57a9677

SHA1
3150fc701f26cf80502857cb2fbfb859c349dd9f

SHA256
1c1b4ad96af649f217a3d56b3d82547f40a775698b7e8bcbc9334cd545bda59f

SHA512
e6fd7ba2d0839223612f446c493b9c33c4a39bd7bb95e965cd1c979f5eb6656a4f4a4dd053edd41007c78fc9e86c74cc6cb5f72b88e7d6b9f53859f03c5b7bda

Download Submit
C:\Windows\SYSTEM\DRIVER\cygwin1.dll

Filesize
1.1MB

MD5
2852ff9d8f43590d3963b298f9a6492e

SHA1
63b0ce1799cd60696968fda81f6fa0ffa81deb47

SHA256
e19cdbce37da1ed5acfd8e7b888922fda770ebf52e9164bcf3c8036f33184780

SHA512
2c0884449b20b22c5703a769fafdc77b7dea15629c222f187937ec6332d3d249d6744d893d4dda4b23a2eab519e1a5799c71576d4afb26c3bf895b324568c066

Download Submit
C:\Windows\SYSTEM\DRIVER\h.exe

Filesize
3KB

MD5
939d2741a041283109410348245bd381

SHA1
674bd31a65b8fe81f53117cc1c49fbca63d0d865

SHA256
e434295904ce959106585d50c77a70627bccf0a02d879eb6e306d7e22c5bafc2

SHA512
9c3125c03b35c858d9f625754a295ab4b1b3e144a632ca77577d20b9792beedb343535b7c70c101ab0debeecaaaccf2dc82416a88e8fe674b6dbb3c0447bbcd0

Download Submit
C:\Windows\SYSTEM\DRIVER\ntauth.dll

Filesize
822B

MD5
84632078ca4696e6d4677b4bb7281018

SHA1
13f6c818231be60fe0d1c1197f57335b3f40d695

SHA256
eb226eda9f03e844d279cfc7d1c168323fb6bdfd0443d05f54f204848cb82636

SHA512
63150a8620c2842ab17de9f9a9945489792179417c18129799c535b4191d68c7fe7d60e42464dfdac3e9d2072aee2f0c8d3f7db974dc5a331bca21e6e0b03de0

Download Submit
C:\Windows\SYSTEM\DRIVER\ntsrv.exe

Filesize
16KB

MD5
906510472f226daf373a500ddfdd7560

SHA1
6bf43cb6497fb3ecd46b51b1682ad7ff729fd241

SHA256
c4a293a4069a9666f4ef194ec4df930dfd75322f8e64d6f1ed70e5d9139413bf

SHA512
7a0b38d95d01e7f84170fbf9521372877afd82517e0b3502f0b49655a42f409e1dc533b213a59e2f695bbc726f9a4fa19bdbd26fd78a80780f01230b9364b3f1

Download Submit
C:\Windows\SYSTEM\DRIVER\ntuser.exe

Filesize
11KB

MD5
80858f87275634946eed13b514222cdb

SHA1
518d634a2bd8a7723638256ff66eaf3b7a06e755

SHA256
03d522c8d6339b597501033925ed7eeb49d885e7beb13de54b8dcd7ba6cc603b

SHA512
40705da2a852b34f842d5eef0c868b238089fb68aebcdbaeba08c635de92a4daf23473b26bb8c21ea532fbe7c0828d3187858a82f15fa3c13c31f3ec76e93a73

Download Submit
C:\Windows\SYSTEM\DRIVER\servicelogon.dll

Filesize
1KB

MD5
fa59828cf8a77b077318efa7d667b9e9

SHA1
9aa17e7da53903e44773958e13ef43f1f4f51b69

SHA256
b832e9e2b68fa089ff9c3d5c281d5e727423a3350940d205788d070e105cffb3

SHA512
5d3dca0c616039e006bfc41927fd0519103f0727db1b09878c91b3b0f727e0c1086b932e323b814a9107c58dfa8ee561128ce966cb4178b25522e48d03f38112

Download Submit
C:\Windows\SYSTEM\DRIVER\services.exe

Filesize
80KB

MD5
e6ff5cd0591ca1f9fcebfb11d75494e9

SHA1
1c899df15c4464321680293b9bc93c6869fa3580

SHA256
ce3463b34a9c7dfbe98dd6b4e199dbee3df0eab77d3e17bfddaa84477da04b32

SHA512
5f850e762283f9f85f4362e40e5419f10dc99c052ce8f4b39e3119cf883ddbfb76c2aa7d166d9b9ef1cd36460d1428a0b9203ee74e453231df7c98bb179167f3

Download Submit
C:\Windows\SYSTEM\DRIVER\servicesmgr.dll

Filesize
1KB

MD5
a96177862c0d067386157e5cb1ce844a

SHA1
627a72cdac25e4e32ec4d77395afc190a866d566

SHA256
2ea7db377c12fe81c7d9d7a09e350272047c8443d83e5b79eb949473c0d16f9d

SHA512
9784f9263f21dd3fbb630cb0e53b1fd31f912f7a02e0946ce941a92032227275c5ffbb1ad1018b6cc5d3d704dde32611aef429f45b7d940e916048c6ef5e4deb

Download Submit
C:\Windows\SYSTEM\DRIVER\setup.bat

Filesize
3KB

MD5
4e98ca19f073df4458015dc913beb074

SHA1
30e3e8a75e7f1599aeb64f9c97d6f48b5fe66ba3

SHA256
57edfa1ad74d1233a62577fbd639777f086f96aa65ccfb7f2f79be469f71fbf0

SHA512
e1fb69345b7e875dc713964824b5a08ebe2fd4dd1ca7f3a9bc66a8a1bf53b05959257d1412c8052b23f14c06dc7825661da7c2b30d039f8a9aa95fe1f3de4cd5

Download Submit
C:\Windows\SYSTEM\DRIVER\svchostlogon.dll

Filesize
1KB

MD5
ca7a86d7a1b6b5d4ab1a08a43710eba2

SHA1
f3153ca081be8fb93e9968344d98676139b39b09

SHA256
db23e4ae1e3f95d863c83b928abedd23aff9cc115abdfc56a97f39cf293ded37

SHA512
a34650b49f689b0b2ff0a582b493606f1c842b4d562089ecdbd17044a6422ef1d6c8de8dfd7f9c46b78448cc8d6ef709ca4096dc4d5799424ae5d380ab22b78a

Download Submit
C:\Windows\SYSTEM\DRIVER\winlogon.dll

Filesize
1KB

MD5
2800ecb090ef3e97d631dbece00454ca

SHA1
7789a9413d8cbbe5b6150c084fd7f4b60250fe11

SHA256
9aaa34310a49aa3e65fa8ab409810362e80247e87f6f5df337373d6261dc37dc

SHA512
582bd87802b68f5f69b1be9cd3b77da74a31dfe0b4eedeb7c1fb383e8a51dd5a0f3987074b7f01d4a55e55d4846e77aa5bf20082663cf3077c422c4014c3558a

Download Submit
C:\Windows\System\DRIVER\h.exe

Filesize
3KB

MD5
939d2741a041283109410348245bd381

SHA1
674bd31a65b8fe81f53117cc1c49fbca63d0d865

SHA256
e434295904ce959106585d50c77a70627bccf0a02d879eb6e306d7e22c5bafc2

SHA512
9c3125c03b35c858d9f625754a295ab4b1b3e144a632ca77577d20b9792beedb343535b7c70c101ab0debeecaaaccf2dc82416a88e8fe674b6dbb3c0447bbcd0

Download Submit
C:\Windows\System\DRIVER\h.exe

Filesize
3KB

MD5
939d2741a041283109410348245bd381

SHA1
674bd31a65b8fe81f53117cc1c49fbca63d0d865

SHA256
e434295904ce959106585d50c77a70627bccf0a02d879eb6e306d7e22c5bafc2

SHA512
9c3125c03b35c858d9f625754a295ab4b1b3e144a632ca77577d20b9792beedb343535b7c70c101ab0debeecaaaccf2dc82416a88e8fe674b6dbb3c0447bbcd0

Download Submit
C:\Windows\System\DRIVER\h.exe

Filesize
3KB

MD5
939d2741a041283109410348245bd381

SHA1
674bd31a65b8fe81f53117cc1c49fbca63d0d865

SHA256
e434295904ce959106585d50c77a70627bccf0a02d879eb6e306d7e22c5bafc2

SHA512
9c3125c03b35c858d9f625754a295ab4b1b3e144a632ca77577d20b9792beedb343535b7c70c101ab0debeecaaaccf2dc82416a88e8fe674b6dbb3c0447bbcd0

Download Submit
C:\Windows\System\DRIVER\h.exe

Filesize
3KB

MD5
939d2741a041283109410348245bd381

SHA1
674bd31a65b8fe81f53117cc1c49fbca63d0d865

SHA256
e434295904ce959106585d50c77a70627bccf0a02d879eb6e306d7e22c5bafc2

SHA512
9c3125c03b35c858d9f625754a295ab4b1b3e144a632ca77577d20b9792beedb343535b7c70c101ab0debeecaaaccf2dc82416a88e8fe674b6dbb3c0447bbcd0

Download Submit
C:\Windows\System\DRIVER\h.exe

Filesize
3KB

MD5
939d2741a041283109410348245bd381

SHA1
674bd31a65b8fe81f53117cc1c49fbca63d0d865

SHA256
e434295904ce959106585d50c77a70627bccf0a02d879eb6e306d7e22c5bafc2

SHA512
9c3125c03b35c858d9f625754a295ab4b1b3e144a632ca77577d20b9792beedb343535b7c70c101ab0debeecaaaccf2dc82416a88e8fe674b6dbb3c0447bbcd0

Download Submit
C:\Windows\System\DRIVER\ntauth.dll

Filesize
723B

MD5
009b586bf0c22f50a6662f6582b32744

SHA1
ce1b6764f557cd8bb4ff5688eb35e46487dad5d7

SHA256
049d5a2523608c4f68ef8dc4c65a7005e5a12e559372e0662fb8510318a739cb

SHA512
9dab13e9fd08e7669682010cc699000c0aec78f31e136fcfeba1c1d6d114bad97be3a152ee98bf8f4344681a6cac3fcf6a81d9b6e4e7fc2585375f4a04e8cb9b

Download Submit
C:\Windows\System\DRIVER\servicesmgr.dll

Filesize
1KB

MD5
7a5bed56efa878891d5224f60e4d8932

SHA1
ee9863d4018a14a24d22cdf582c0469fb68d4d70

SHA256
dc420d32438a40cc59c017681d9c5aa3cd3cdd3042fb01f4648e5d7e3ad96ec8

SHA512
f5f8321d2b21013708fdbaaaf9f81e0d1deee297406a00976ccebbd537c2e29ad6070c7f7a1ed9d9a38e56f429b3b6b925157ebe114eb466e55d0a69a337e5b0

Download Submit
C:\Windows\System\DRIVER\winlogon.dll

Filesize
1KB

MD5
2800ecb090ef3e97d631dbece00454ca

SHA1
7789a9413d8cbbe5b6150c084fd7f4b60250fe11

SHA256
9aaa34310a49aa3e65fa8ab409810362e80247e87f6f5df337373d6261dc37dc

SHA512
582bd87802b68f5f69b1be9cd3b77da74a31dfe0b4eedeb7c1fb383e8a51dd5a0f3987074b7f01d4a55e55d4846e77aa5bf20082663cf3077c422c4014c3558a

Download Submit
memory/516-167-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/516-171-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1012-209-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1732-205-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2960-169-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3548-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads