93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
Size

1.1MB
MD5

29d044809809aabd82305ce04ac88736
SHA1

683b89f68681730e2828be556d5c687cc1a4a2bf
SHA256

93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c
SHA512

a7517d7e12962ee42ff42fb941bc6756238cb9f157e8f14958563fc43f9929db8b3a76fd944d7136e21b5bc85178c76b2ba0e412ceb828a74e5b5e78b735c286
SSDEEP

12288:Lkt3OB1IWL78Z8L7JQQRfOBkkt3OB9JQQRnOBHIWL7JQQRZOBrOB1IWL7JQQRZOV:4eB1BRWBZeBbROBHDRABqB1DRAB19

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\64746\\13464746.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\64746\\13464746.exe\""	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\64746\\13464746.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\64746\\13464746.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\64746\\13464746.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe

UPX dump on OEP (original entry point) 61 IoCs

resource	yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/files/0x0008000000016d81-16.dat	UPX
behavioral1/memory/2656-53-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-67-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-108-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-257-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2604-314-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-807-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-809-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-808-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-813-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-812-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-810-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2352-819-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-832-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-839-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-842-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-841-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-840-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-865-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-872-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-871-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-870-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-899-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-898-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-897-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-896-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-921-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-923-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-924-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-922-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-947-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-949-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-948-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-950-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-979-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-980-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-981-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-982-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-1004-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-1006-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-1007-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-1008-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-1029-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-1031-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-1032-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-1054-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-1055-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-1056-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-1061-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-1086-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-1087-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-1088-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-1089-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-1113-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-1114-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-1115-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/300-1116-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2656-1140-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2412-1141-0x0000000000400000-0x000000000042A000-memory.dmp	UPX
behavioral1/memory/2824-1142-0x0000000000400000-0x000000000042A000-memory.dmp	UPX

Disables RegEdit via registry modification 5 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe

Sets file execution options in registry 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	winlogon.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	system.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	winlogon.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	lsass.exe

Executes dropped EXE 5 IoCs

pid	Process
2656	service.exe
2412	smss.exe
2824	system.exe
300	winlogon.exe
2352	lsass.exe

Loads dropped DLL 8 IoCs

pid	Process
2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/files/0x0008000000016d81-16.dat	upx
behavioral1/memory/2656-53-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-67-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-108-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-257-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2604-314-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-807-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-809-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-808-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-813-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-812-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-810-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2352-819-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-832-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-839-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-842-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-841-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-840-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-865-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-872-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-871-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-870-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-899-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-898-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-897-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-896-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-921-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-923-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-924-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-922-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-947-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-949-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-948-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-950-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-979-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-980-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-981-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-982-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-1004-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-1006-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-1007-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-1008-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-1029-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-1031-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-1032-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-1054-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-1055-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-1056-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-1061-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-1086-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-1087-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-1088-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-1089-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-1113-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-1114-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-1115-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/300-1116-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2656-1140-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2412-1141-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral1/memory/2824-1142-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0746273 = "C:\\Windows\\l865287.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0746273 = "C:\\Windows\\l865287.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\15832870 = "C:\\Windows\\system32\\127387645063l.exe"	service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\15832870 = "C:\\Windows\\system32\\127387645063l.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\15832870 = "C:\\Windows\\system32\\127387645063l.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0746273 = "C:\\Windows\\l865287.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\15832870 = "C:\\Windows\\system32\\127387645063l.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\15832870 = "C:\\Windows\\system32\\127387645063l.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0746273 = "C:\\Windows\\l865287.exe"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0746273 = "C:\\Windows\\l865287.exe"	system.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\l:	service.exe
File opened (read-only)	\??\x:	system.exe
File opened (read-only)	\??\i:	winlogon.exe
File opened (read-only)	\??\j:	winlogon.exe
File opened (read-only)	\??\w:	service.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\w:	winlogon.exe
File opened (read-only)	\??\k:	service.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\k:	system.exe
File opened (read-only)	\??\q:	system.exe
File opened (read-only)	\??\r:	system.exe
File opened (read-only)	\??\j:	service.exe
File opened (read-only)	\??\s:	service.exe
File opened (read-only)	\??\z:	service.exe
File opened (read-only)	\??\h:	smss.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\r:	smss.exe
File opened (read-only)	\??\v:	system.exe
File opened (read-only)	\??\z:	winlogon.exe
File opened (read-only)	\??\r:	service.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\s:	system.exe
File opened (read-only)	\??\o:	winlogon.exe
File opened (read-only)	\??\v:	winlogon.exe
File opened (read-only)	\??\g:	service.exe
File opened (read-only)	\??\e:	winlogon.exe
File opened (read-only)	\??\q:	winlogon.exe
File opened (read-only)	\??\m:	smss.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\l:	system.exe
File opened (read-only)	\??\u:	system.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\p:	winlogon.exe
File opened (read-only)	\??\x:	winlogon.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\e:	system.exe
File opened (read-only)	\??\m:	system.exe
File opened (read-only)	\??\t:	system.exe
File opened (read-only)	\??\z:	system.exe
File opened (read-only)	\??\k:	winlogon.exe
File opened (read-only)	\??\p:	service.exe
File opened (read-only)	\??\v:	smss.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\N:	system.exe
File opened (read-only)	\??\h:	winlogon.exe
File opened (read-only)	\??\r:	winlogon.exe
File opened (read-only)	\??\q:	service.exe
File opened (read-only)	\??\g:	smss.exe
File opened (read-only)	\??\o:	system.exe
File opened (read-only)	\??\y:	winlogon.exe
File opened (read-only)	\??\v:	service.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\o:	service.exe
File opened (read-only)	\??\y:	service.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\g:	system.exe
File opened (read-only)	\??\g:	winlogon.exe
File opened (read-only)	\??\j:	system.exe
File opened (read-only)	\??\p:	system.exe
File opened (read-only)	\??\t:	service.exe
File opened (read-only)	\??\e:	smss.exe

Drops file in System32 directory 43 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\127387645063l.exe	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\127387645063l.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\moonlight.scr	system.exe
File opened for modification	C:\Windows\SysWOW64\127387645063l.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\51335a	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\51335a	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File opened for modification	C:\Windows\SysWOW64\moonlight.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\51335a	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\51335a	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\51335a\c1273870.cmd	winlogon.exe
File created	C:\Windows\SysWOW64\127387645063l.exe	winlogon.exe
File created	\??\c:\Windows\SysWOW64\IME\shared\Data Admin.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\51335a	smss.exe
File opened for modification	C:\Windows\SysWOW64\moonlight.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\moonlight.scr	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\51335a\c1273870.cmd	lsass.exe
File created	C:\Windows\SysWOW64\127387645063l.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\127387645063l.exe	lsass.exe
File opened for modification	\??\c:\Windows\SysWOW64\IME\shared\New Folder(2).exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\crtsys.dll	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File created	C:\Windows\SysWOW64\127387645063l.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\127387645063l.exe	winlogon.exe
File created	C:\Windows\SysWOW64\127387645063l.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\127387645063l.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\moonlight.scr	lsass.exe
File created	\??\c:\Windows\SysWOW64\IME\shared\New Folder(2).exe	smss.exe
File opened for modification	\??\c:\Windows\SysWOW64\IME\shared\Data Admin.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\51335a	service.exe
File opened for modification	C:\Windows\SysWOW64\127387645063l.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\51335a\c1273870.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\51335a\c1273870.cmd	service.exe
File created	C:\Windows\SysWOW64\127387645063l.exe	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File created	C:\Windows\SysWOW64\moonlight.scr	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File created	\??\c:\Windows\SysWOW64\IME\shared\res\res.exe	smss.exe
File opened for modification	\??\c:\Windows\SysWOW64\IME\shared\res\res.exe	smss.exe
File created	C:\Windows\SysWOW64\51335a\c1273870.cmd	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File opened for modification	C:\Windows\SysWOW64\51335a\c1273870.cmd	system.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\fr-FR.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\x86.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\VGX\VGX.exe	smss.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\FlipPage.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\InfoPath.en-us.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\Office.en-us.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\HostSideAdapters.exe	smss.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\zh-TW\zh-TW.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\DAO\DAO.exe	smss.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\fsdefinitions.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\JOURNAL.exe	smss.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\Triedit\ja-JP\ja-JP.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Help\1028\1028.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\1033.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\Outlook.en-us.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\BLUEPRNT.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\ICE.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\de-DE.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Foto Admin.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\TextConv\fr-FR\fr-FR.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\uk-UA\uk-UA.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Portal\Portal.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\SKY.exe	smss.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\el-GR\el-GR.exe	smss.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\sl-SI\sl-SI.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\1033\1033.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\Word.en-us.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\BLUECALM.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\WATERMAR.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\el-GR\el-GR.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\he-IL\he-IL.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\fr-FR.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\WksConv.exe	smss.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fi-FI\fi-FI.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\VGX\VGX.exe	smss.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\Stationery\Stationery.exe	smss.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\10.0.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\ECHO.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\PAPYRUS.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\ARFR.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\de-DE.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\en-US.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PowerPoint.en-us\PowerPoint.en-us.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\1033.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\ARCTIC.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\SATIN.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\10.0.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\MSInfo\it-IT\it-IT.exe	smss.exe
File opened for modification	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\ResizingPanels.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\VC\VC.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\STRTEDGE.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\AddInSideAdapters.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\Download\New Folder.scr	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\main.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\numbers\numbers.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\es-ES.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\WksConv.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\INDUST.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\14.exe	smss.exe
File created	\??\c:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\Stacking.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\es-ES.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\Proof.es.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\ink\en-US\en-US.exe	smss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	\??\c:\Windows\assembly\GAC_MSIL\Microsoft.SharePoint.BusinessData.Administration.Client.Intl\Foto Admin.exe	smss.exe
File created	\??\c:\Windows\winsxs\x86_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_6.1.7600.16385_none_3d98a610fed70b75\New Folder(2).exe	smss.exe
File created	\??\c:\Windows\winsxs\x86_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_7bfdfb15e7184c41\Data Admin.exe	smss.exe
File opened for modification	C:\Windows\l865287.exe	lsass.exe
File created	\??\c:\Windows\ServiceProfiles\NetworkService\Downloads\New Folder.scr	smss.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8d9f242de8497d58\Foto Admin.exe	smss.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_9498b282333b64ec\Admin Porn.exe	smss.exe
File opened for modification	C:\Windows\35838\bb856821l.com	winlogon.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\NetworkService\Downloads\New Folder.scr	smss.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_de-de_b4aea777fe683838\New Folder.scr	smss.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_6.1.7600.16385_none_60c2504d62fd4f0e\Data Admin.exe	smss.exe
File created	\??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_it-it_3b85bcbe4734e96a\Admin Porn.exe	smss.exe
File opened for modification	\??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\Foto Admin.exe	smss.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_ad7c61fb28607522\New Folder.scr	smss.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_6f0f7833cb71e18d\Foto Admin.exe	smss.exe
File created	C:\Windows\35838\bb856821l.com	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File created	C:\Windows\35838\smss.exe	winlogon.exe
File created	C:\Windows\35838\bb856821l.com	winlogon.exe
File created	\??\c:\Windows\SoftwareDistribution\Download\Data Admin.exe	smss.exe
File created	\??\c:\Windows\winsxs\x86_microsoft-windows-sx-shared_31bf3856ad364e35_6.1.7600.16385_none_387a16fe7addf3b6\Foto Admin.exe	smss.exe
File created	C:\Windows\l865287.exe	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File created	C:\Windows\MoonLight.txt	smss.exe
File created	C:\Windows\l865287.exe	service.exe
File opened for modification	C:\Windows\036450635.exe	smss.exe
File created	C:\Windows\036450635.exe	service.exe
File created	C:\Windows\036450635.exe	system.exe
File created	C:\Windows\system\msvbvm60.dll	service.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_6.1.7601.17514_none_d81c96999f75bd77\New Folder(2).exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
File created	C:\Windows\35838\smss.exe	system.exe
File opened for modification	C:\Windows\35838	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File created	C:\Windows\35838\bb856821l.com	smss.exe
File created	C:\Windows\35838\system.exe	service.exe
File opened for modification	C:\Windows\036450635.exe	winlogon.exe
File created	C:\Windows\35838\bb856821l.com	lsass.exe
File opened for modification	\??\c:\Windows\Downloaded Program Files\New Folder.scr	smss.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-d..ime-eashared-imepad_31bf3856ad364e35_6.1.7601.17514_none_98b24799b5d08c05\New Folder.scr	smss.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_es-es_5d6ada54ed6d35a2\Admin Porn.exe	smss.exe
File created	C:\Windows\35838\system.exe	smss.exe
File created	C:\Windows\lsass.exe	smss.exe
File created	C:\Windows\l865287.exe	system.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File created	C:\Windows\lsass.exe	winlogon.exe
File created	\??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\14.0.0.0__71e9bce111e9429c.exe	smss.exe
File opened for modification	\??\c:\Windows\assembly\GAC_32\Microsoft.SharePoint.BusinessData.Administration.Client\14.0.0.0__71e9bce111e9429c\14.0.0.0__71e9bce111e9429c.exe	smss.exe
File created	\??\c:\Windows\ServiceProfiles\LocalService\Downloads\New Folder(2).exe	smss.exe
File opened for modification	C:\Windows\35838	smss.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-sharedfolders-adm_31bf3856ad364e35_6.1.7600.16385_none_af6f98ff87b0e3cc\Foto Admin.exe	smss.exe
File created	\??\c:\Windows\winsxs\amd64_netfx-shared_registry_whidbey_31bf3856ad364e35_6.1.7600.16385_none_c26c5b8280c6af34\Foto Admin.exe	smss.exe
File created	\??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_en-us_aedaf3947d09fbe5\New Folder(2).exe	smss.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-nfs-shared.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5803850b2f40840e\Admin Porn.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File created	C:\Windows\036450635.exe	lsass.exe
File opened for modification	C:\Windows\MoonLight.txt	lsass.exe
File created	\??\c:\Windows\winsxs\amd64_microsoft-windows-h..-hmeshare.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ea4a469ab7713182\Foto Admin.exe	smss.exe
File created	\??\c:\Windows\winsxs\x86_microsoft-windows-d..-ime-eashared-proxy_31bf3856ad364e35_6.1.7600.16385_none_965db382b6fef5cb\New Folder.scr	smss.exe
File opened for modification	C:\Windows\l865287.exe	winlogon.exe
File created	\??\c:\Windows\winsxs\x86_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_6.1.7600.16385_none_cd2006602e5ee22e\Foto Admin.exe	smss.exe
File created	\??\c:\Windows\winsxs\x86_microsoft-windows-ime-eashared-ccshared_31bf3856ad364e35_6.1.7601.17514_none_d8216ed3d8746200\Admin Porn.exe	smss.exe
File created	\??\c:\Windows\winsxs\x86_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_ddab3bcb3a4ffb45\Admin Porn.exe	smss.exe
File created	\??\c:\Windows\winsxs\x86_netfx-shared_netfx_20_mscorlib_b03f5f7f11d50a3a_6.1.7600.16385_none_2958d4a31d2ec64f\Admin Porn.exe	smss.exe
File opened for modification	C:\Windows\036450635.exe	lsass.exe
File created	C:\Windows\036450635.exe	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 20 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
2656	service.exe
2412	smss.exe
2824	system.exe
300	winlogon.exe
2352	lsass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2656	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	28
PID 2604 wrote to memory of 2656	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	28
PID 2604 wrote to memory of 2656	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	28
PID 2604 wrote to memory of 2656	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	28
PID 2604 wrote to memory of 2412	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	29
PID 2604 wrote to memory of 2412	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	29
PID 2604 wrote to memory of 2412	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	29
PID 2604 wrote to memory of 2412	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	29
PID 2604 wrote to memory of 2824	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	30
PID 2604 wrote to memory of 2824	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	30
PID 2604 wrote to memory of 2824	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	30
PID 2604 wrote to memory of 2824	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	30
PID 2604 wrote to memory of 300	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	31
PID 2604 wrote to memory of 300	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	31
PID 2604 wrote to memory of 300	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	31
PID 2604 wrote to memory of 300	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	31
PID 2604 wrote to memory of 2352	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	32
PID 2604 wrote to memory of 2352	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	32
PID 2604 wrote to memory of 2352	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	32
PID 2604 wrote to memory of 2352	2604	93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe	32

C:\Users\Admin\AppData\Local\Temp\93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe
"C:\Users\Admin\AppData\Local\Temp\93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\64746\service.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\64746\service.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Drops startup file
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2656
- C:\Windows\35838\smss.exe
  "C:\Windows\35838\smss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Drops startup file
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2412
- C:\Windows\35838\system.exe
  "C:\Windows\35838\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Drops startup file
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2824
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\64746\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\64746\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Drops startup file
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:300
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Sets file execution options in registry
  - Drops startup file
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\35838\system.exe

Filesize
1.1MB

MD5
29d044809809aabd82305ce04ac88736

SHA1
683b89f68681730e2828be556d5c687cc1a4a2bf

SHA256
93d67529cf14412f253e3ffc005e235733a4fea83e999f77fac31a0f581a867c

SHA512
a7517d7e12962ee42ff42fb941bc6756238cb9f157e8f14958563fc43f9929db8b3a76fd944d7136e21b5bc85178c76b2ba0e412ceb828a74e5b5e78b735c286

Download Submit
C:\Windows\MoonLight.txt

Filesize
176B

MD5
56473592d37a13c9098b21cb442e60fd

SHA1
6f0f49440289a6cef1d93e8c785747a3fb318688

SHA256
acdcb1f96825ca74387ebe03f2a12291f7678da2cf6092607aea2dab6982cf35

SHA512
6c635dc4f1ce55b54e39992531b0a4024c213af7fc3ab0f5b2642a932cb2201e7037a60e37c7aad42308ab7a84f0a2c655391935749d76f02ae7c3afd765dd2a

Download Submit
C:\Windows\SysWOW64\crtsys.dll

Filesize
120B

MD5
9ae4a469cf7e668ccde8c0fa0a906282

SHA1
eded194c39a8ecd19da33a338bfe43a1266a8d53

SHA256
7f3ee2d2827fa3c2e8ef5f073c40a52f79acf1d8c26d6812c19fb985e3736a22

SHA512
fcc863ce54dd4dad2464b8551a7e224467a0c0785d511fa2af28490913560113cf0541690cd65d1f12f063df3866233ba80262cd281f7ef5346bd323bef3ee2b

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.1MB

MD5
b128bc57cc86fe69c2ea4e1fa881609c

SHA1
ff902939b3a48de09a518c5b64cc8f198a33e9a5

SHA256
d5cb68a9ec8f4b3ced5e1ab7cdacecd21bc5ed38a03ba8cfe5d1e7ce50aab737

SHA512
e0436ea39aed9ee6075e82a8586a82660db15c30e940560dfad4c620b60324c7719175a5a8439b1d13639c29197100cd7357032284b45183df05bbad588a0e0d

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
71023e7fffa6a0be2de4f19868caeedc

SHA1
be49b39cbe8ea9b0d2aaa4541e0faf1a690eede3

SHA256
2a71378796a7c5978c19bb90bd6fde1aa2c541f490239b8c62fb5895db23414c

SHA512
473522fdfe66facec49dc55abd9eeca864931016df7459666d4cd7100d5d2c1146faa4c97f62673f1283b7a678ff3f69290f61064254f09619611d1441f602f0

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
1c7fd53a5274e107f1f99a135ac4c33b

SHA1
1d1c8b328bfa5a8358e018fb92c66f22a825e682

SHA256
7fd00a20410c651b482440352e7d4ffce4b7155595053584e3acc80b0f12014c

SHA512
ece3d35b7f3b695d9b4034b22bb3bcdd4f12b19349f4c016f4b307ca9347389f6f04a508c6df31cbdd624056f701df6e312872ae8e0f1a33cdd4a8ae379b1bb0

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
320KB

MD5
e127fa7006e40320de8026258097ea02

SHA1
65dcfb4003ed722ba670661bc90470141457ca65

SHA256
a2051f9d1420d3d80cdb03b6219c0ec0c55b59a7a2eecfc6b9685639d2bfa29d

SHA512
32be160316820bb6fab46f6d103d3cabe876e2a18d852a766a7cf005be8da4d593d2df82948f2f5a6488d04c7fcd46a726368d210c83df3555eb5eeb517704f3

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
a80d803cc767cf411cf17145423da49c

SHA1
4b1c2b04ee012e54d2933c70758e872a7e0c4097

SHA256
3e42e1fb91cd42bab7dac50c45af1da6f860931ffee77828a82033d7a2f5e6b4

SHA512
b5349e4d0e7102721a21abd0a50e6c5cd3ea1eaa77f530aac65b23a7755342b55fe3405281007e346b78e022c5247be0d9271275316bca6d37fbca9e89c74975

Download Submit
memory/300-1061-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-924-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-1032-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-982-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-950-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-810-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-257-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-1008-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-899-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-1089-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-1116-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-872-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/300-842-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2352-819-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-870-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-897-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-1141-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-813-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-808-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-1114-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-1087-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-1055-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-67-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-840-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-1006-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-980-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-948-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2412-922-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2604-102-0x00000000030B0000-0x00000000030DA000-memory.dmp

Filesize
168KB

Download
memory/2604-51-0x00000000030B0000-0x00000000030DA000-memory.dmp

Filesize
168KB

Download
memory/2604-314-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2604-65-0x00000000030B0000-0x00000000030DA000-memory.dmp

Filesize
168KB

Download
memory/2604-52-0x00000000030B0000-0x00000000030DA000-memory.dmp

Filesize
168KB

Download
memory/2604-811-0x00000000030B0000-0x00000000030DA000-memory.dmp

Filesize
168KB

Download
memory/2604-253-0x00000000030B0000-0x00000000030DA000-memory.dmp

Filesize
168KB

Download
memory/2604-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-812-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-53-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-947-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-1054-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-979-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-807-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-1113-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-1140-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-1004-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-865-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-839-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-1086-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-1029-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-921-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2656-896-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-871-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-809-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-1056-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-1031-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-841-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-1007-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-1088-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-108-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-981-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-832-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-1115-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-898-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-949-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-923-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2824-1142-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads