8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Size

8.4MB
MD5

47be6cb513ff8728c7c815fd745b67fb
SHA1

5efa5cd2894fc56f4ed63a4495c031b508352b93
SHA256

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d
SHA512

80a01f60719685e5d990a409d0d3927d5287f4b44903be26c4b5040c9279786f4cf8e76472caba36093f1ab1a882fd4982fb727e5adb572015fb3313102bdaeb
SSDEEP

98304:Jt/9fgbbS0sYu2YOZbVTSiR36yLWbktYSeufBu31t6yPbX5gMZhf10bfW257NZb:X+5vuMbV6Jk2SpkFYyj5gMZN45rb

Score

10^/10

bootkit discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

wmcSystem7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	wmcSystem7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	wmcSystem7.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	wmcSystem7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	wmcSystem7.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List	wmcSystem7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\8150:TCP = "8150:TCP:*:Enabled:8150"	wmcSystem7.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	wmcSystem7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8150:TCP = "8150:TCP:*:Enabled:8150"	wmcSystem7.exe

Drops file in Drivers directory 8 IoCs

Processes:

wmcSystem7.exerundll32.exewmcSystem7.exe

description	ioc	process
File created	C:\Windows\System32\drivers\WM7F.inf	wmcSystem7.exe
File created	C:\Windows\System32\drivers\WM7F.sys	wmcSystem7.exe
File opened for modification	C:\Windows\system32\DRIVERS\SET17F4.tmp	rundll32.exe
File created	C:\Windows\system32\DRIVERS\SET17F4.tmp	rundll32.exe
File opened for modification	C:\Windows\system32\DRIVERS\WM7F.sys	rundll32.exe
File opened for modification	C:\Windows\System32\drivers\WM7F.inf	wmcSystem7.exe
File created	C:\Windows\system32\drivers\cbregistry20.sys	wmcSystem7.exe
File opened for modification	C:\Windows\System32\drivers\WM7F.inf	wmcSystem7.exe

Modifies Windows Firewall 2 TTPs 21 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
1748	netsh.exe
1052	netsh.exe
1348	netsh.exe
3060	netsh.exe
1840	netsh.exe
1560	netsh.exe
1348	netsh.exe
1592	netsh.exe
1700	netsh.exe
2872	netsh.exe
268	netsh.exe
2364	netsh.exe
1152	netsh.exe
1884	netsh.exe
2960	netsh.exe
1924	netsh.exe
2316	netsh.exe
2916	netsh.exe
968	netsh.exe
1808	netsh.exe
2700	netsh.exe

Executes dropped EXE 12 IoCs

Processes:

wmcSystem7.exewmcSystem7.exewmcSystem7.exewmcUpdater.exewmcUpdater.exewmcUpdater.exeScheduleTask.exewmcUpdater.exewmcUpdater.exewmcUser7.exewmcProc7.exe

pid	process
1768	wmcSystem7.exe
2032	wmcSystem7.exe
476
2144	wmcSystem7.exe
2420	wmcUpdater.exe
2784	wmcUpdater.exe
3020	wmcUpdater.exe
1376	ScheduleTask.exe
2556	wmcUpdater.exe
1680	wmcUpdater.exe
1044	wmcUser7.exe
2272	wmcProc7.exe

Loads dropped DLL 43 IoCs

Processes:

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exewmcSystem7.exewmcSystem7.exewmcSystem7.exerundll32.exeregsvr32.exeregsvr32.exewmcUpdater.exeregsvr32.exewmcProc7.exewmcUser7.exe

pid	process
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
1768	wmcSystem7.exe
2032	wmcSystem7.exe
2144	wmcSystem7.exe
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
2964	rundll32.exe
2144	wmcSystem7.exe
2732	regsvr32.exe
2592	regsvr32.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2420	wmcUpdater.exe
1816	regsvr32.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2272	wmcProc7.exe
2272	wmcProc7.exe
1044	wmcUser7.exe
1044	wmcUser7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmcSystem7.exe

description	ioc	process
File opened (read-only)	\??\L:	wmcSystem7.exe
File opened (read-only)	\??\M:	wmcSystem7.exe
File opened (read-only)	\??\N:	wmcSystem7.exe
File opened (read-only)	\??\X:	wmcSystem7.exe
File opened (read-only)	\??\Y:	wmcSystem7.exe
File opened (read-only)	\??\B:	wmcSystem7.exe
File opened (read-only)	\??\V:	wmcSystem7.exe
File opened (read-only)	\??\G:	wmcSystem7.exe
File opened (read-only)	\??\S:	wmcSystem7.exe
File opened (read-only)	\??\T:	wmcSystem7.exe
File opened (read-only)	\??\Z:	wmcSystem7.exe
File opened (read-only)	\??\A:	wmcSystem7.exe
File opened (read-only)	\??\D:	wmcSystem7.exe
File opened (read-only)	\??\F:	wmcSystem7.exe
File opened (read-only)	\??\H:	wmcSystem7.exe
File opened (read-only)	\??\U:	wmcSystem7.exe
File opened (read-only)	\??\E:	wmcSystem7.exe
File opened (read-only)	\??\I:	wmcSystem7.exe
File opened (read-only)	\??\J:	wmcSystem7.exe
File opened (read-only)	\??\R:	wmcSystem7.exe
File opened (read-only)	\??\Q:	wmcSystem7.exe
File opened (read-only)	\??\W:	wmcSystem7.exe
File opened (read-only)	\??\K:	wmcSystem7.exe
File opened (read-only)	\??\O:	wmcSystem7.exe
File opened (read-only)	\??\P:	wmcSystem7.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

wmcSystem7.exe

description ioc process

File opened for modification \??\PhysicalDrive0 wmcSystem7.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	wmcSystem7.exe

Drops file in System32 directory 13 IoCs

Processes:

wmcUpdater.exe8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exewmcSystem7.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\wmcUpdater.exe	wmcUpdater.exe
File created	C:\Windows\SysWOW64\pcinfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\SysWOW64\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Windows\system32\cbregistryevtmsg.dll	wmcSystem7.exe
File created	C:\Windows\system32\pcinfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\system32\pcinfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\SysWOW64\HuRMS.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\system32\HuRMS.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\system32\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\SysWOW64\pcinfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Windows\SysWOW64\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Windows\SysWOW64\wmcUpdater.exe	wmcUpdater.exe
File created	C:\Windows\system32\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe

Drops file in Program Files directory 64 IoCs

Processes:

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exewmcSystem7.exewmcSystem7.exe

description	ioc	process
File opened for modification	C:\Program Files\WW2017CF\wmcUpdater.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcWatermark7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Policy\System\PolicyContainer.opt	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcHook7.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Info\PCInfo.opt	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\Info\ADUserInfo.txt	wmcSystem7.exe
File created	C:\Program Files\WW2017CF\Info\RemoteService.opt	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcRCSlaveX7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Info\LogonInfo.opt	wmcSystem7.exe
File created	C:\Program Files\WW2017CF\wmcFTSlave7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcRCSlaveX7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcService7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\ServerSchTask.dat	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcWatermark_DLL.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcUser7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\winet.lnk	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcFTSlave7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcMemmgr.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcWatermark_DLL64.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Updater7.ini	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\WM7F.cab	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcEnterprise.dat	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\cbfsfilter2032.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\ScheduleTask.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Version.dat	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\WM7F.sys.w7_x64_Signed	wmcSystem7.exe
File created	C:\Program Files\WW2017CF\wmcRCSlave7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Info\MachineSWInfo.opt	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\cbfsfilter2032.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcProc7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\TGT2.ini	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcHook7.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\XceedCry.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\cbregistry.cab	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Info\RemoteService.opt	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Info\BootInfo.opt	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\Policy\System\PolicyContainer.opt	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\Info\DatBackup\SoftwareX86.txt	wmcSystem7.exe
File created	C:\Program Files\WW2017CF\Version.dat	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcHook764.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcDataBurner7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcRCSlave7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\FoxSDKU32w.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Policy\System\PolicyContainer.opt	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\PolicyViewer.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Policy	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcEnterprise.dat	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcWatermark7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\PCInfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\PCInfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Info\HWInfo.opt	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\Info	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Updater7.ini	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcSystem7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcWatermark764.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\WM7F.inf.w7_x64_Signed	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\TGT2.ini	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\WM7F.sys.w7_x64_Signed	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\cbfsfilter20.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\ScheduleTask.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcMemmgr.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Policy\Log\2024_04_19.log	wmcSystem7.exe

Drops file in Windows directory 34 IoCs

Processes:

wmcSystem7.exewmcUpdater.exewmcUser7.exewmcProc7.exewmcSystem7.exerundll32.exewmcSystem7.exewmcUpdater.exewmcUpdater.exewmcUpdater.exewmcUpdater.exeScheduleTask.exe

description	ioc	process
File created	C:\Windows\Debug\WM7\Client\Network\LogWriteTest.txt	wmcSystem7.exe
File opened for modification	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log	wmcSystem7.exe
File opened for modification	C:\Windows\Debug\WM7\AutoUpdate\20240419.log	wmcUpdater.exe
File created	C:\Windows\Debug\WM7\Client\wmcUser7.exe\LogWriteTest.txt	wmcUser7.exe
File opened for modification	C:\Windows\Debug\WM7\Client\wmcProc7.exe\20240419.log	wmcProc7.exe
File created	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\FileMonitor\LogWriteTest.txt	wmcSystem7.exe
File opened for modification	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log	wmcSystem7.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File created	C:\Windows\Debug\WM7\Client\Network\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\SystemDisk.opt	wmcSystem7.exe
File opened for modification	C:\Windows\WindowsUpdate.log	wmcSystem7.exe
File created	C:\Windows\inf\oem0.PNF	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\Network\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\LogWriteTest.txt	wmcSystem7.exe
File opened for modification	C:\Windows\Debug\WM7\AutoUpdate\20240419.log	wmcUpdater.exe
File created	C:\Windows\Debug\WM7\Client\FileMonitor\LogWriteTest.txt	wmcProc7.exe
File created	C:\Windows\Debug\WM7\Client\wmcProc7.exe\20240419.log	wmcProc7.exe
File created	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\FileMonitor\LogWriteTest.txt	wmcUser7.exe
File opened for modification	C:\Windows\Debug\WM7\Client\wmcUser7.exe\20240419.log	wmcUser7.exe
File opened for modification	C:\Windows\Debug\WM7\AutoUpdate\20240419.log	wmcUpdater.exe
File created	C:\Windows\inf\oem1.PNF	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\wmcProc7.exe\LogWriteTest.txt	wmcProc7.exe
File opened for modification	C:\Windows\Debug\WM7\AutoUpdate\20240419.log	wmcUpdater.exe
File created	C:\Windows\Debug\WM7\Client\FileMonitor\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\wmcUser7.exe\20240419.log	wmcUser7.exe
File created	C:\Windows\Debug\WM7\Client\FileMonitor\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\Network\LogWriteTest.txt	wmcProc7.exe
File created	C:\Windows\Debug\WM7\Client\Network\LogWriteTest.txt	wmcUser7.exe
File opened for modification	C:\Windows\Debug\WM7\AutoUpdate\20240419.log	wmcUpdater.exe
File opened for modification	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log	wmcSystem7.exe
File opened for modification	C:\Windows\Debug\SMR7\ScheduleTask\2024_04_19.log	ScheduleTask.exe
File created	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\LogWriteTest.txt	wmcSystem7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

runonce.exe8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe

description	ioc	process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\1	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\2	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe

Modifies data under HKEY_USERS 46 IoCs

Processes:

netsh.exenetsh.exewmcSystem7.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\474A91C\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\474A91C\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\474A91C\LanguageList = 7a0068002d005400570000007a0068002d00480061006e00740000007a006800000065006e002d0055005300000065006e0000000000	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\474A91C\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication"	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\474A91C\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	wmcSystem7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d\474A91C	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\474A91C\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wmcSystem7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wmcSystem7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace\Session	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	wmcSystem7.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 010000000000000020edbd100192da01	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{231D1CF6-C578-411D-9B9B-48264355805D}\InprocServer32\ = "C:\\Program Files\\WW2017CF\\XceedCry.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6081A14B-77EC-4451-ABA0-20957C818BFE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BBA63CAC-9913-4A13-9212-E97BB70C05C9}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.HavalHashingMethod.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02084676-181B-4E44-9E8A-7D2C38BFF609}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7BBBF946-057B-4B1E-BCD4-5AB8F32DB7A1}\ = "DXceedSHAHashingMethod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4C6F5554-32C4-4304-A235-B5F2B97F1B20}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.RijndaelEncryptionMethod.1\CLSID\ = "{BBA63CAC-9913-4A13-9212-E97BB70C05C9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.RSAEncryptionMethod	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02084676-181B-4E44-9E8A-7D2C38BFF609}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6F9F8921-D7A9-47E4-A0D5-B5F2CA673408}\ = "DXceedTwofishEncryptionMethod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BBBF946-057B-4B1E-BCD4-5AB8F32DB7A1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46F6141-7C9C-4d70-911A-E49CE2ADA922}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{02084676-181B-4E44-9E8A-7D2C38BFF609}\TypeLib\ = "{55A560A7-E3F9-4790-8D22-F3A97009AC8F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BBBF946-057B-4B1E-BCD4-5AB8F32DB7A1}\ = "DXceedSHAHashingMethod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0C8D3206-4A88-43D9-BB91-0ECC8C5F79CF}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA68A3FF-C69C-4FE8-947B-BD561EE15EFA}\InprocServer32\ = "C:\\Program Files\\WW2017CF\\FoxSDKU32w.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA68A3FF-C69C-4FE8-947B-BD561EE15EFA}\TypeLib\ = "{D0521D27-066B-4207-900B-6C3DF64B3CA0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A02A65C1-50E4-4E5D-B9D0-625D5DEBC671}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55A560A7-E3F9-4790-8D22-F3A97009AC8F}\1.1\HELPDIR\ = "C:\\Program Files\\WW2017CF\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F066CCAD-163A-4617-BA3C-BA4A4F80320C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6081A14B-77EC-4451-ABA0-20957C818BFE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.SHAHashingMethod\CurVer\ = "Xceed.SHAHashingMethod.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.HavalHashingMethod\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0521D27-066B-4207-900B-6C3DF64B3CA0}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{065BFAE3-3448-4E31-BAAC-CB599C7AAA24}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BAF7A82C-443E-4FF5-8A04-286E30C67553}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C14B6BF4-85A9-4DDF-BD42-59928595634F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A0A61B00-96A6-457F-AA5E-AFA5167852E5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3E95E1D-D003-42A0-91FD-465DC624BC7A}\TypeLib\ = "{55A560A7-E3F9-4790-8D22-F3A97009AC8F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C6F5554-32C4-4304-A235-B5F2B97F1B20}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA68A3FF-C69C-4FE8-947B-BD561EE15EFA}\AppID = "{C6EDF056-F922-4B2E-A7A7-03DA4CC5518C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.TwofishEncryptionMethod	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.TwofishEncryptionMethod\ = "XceedTwofishEncryptionMethod Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.SHAHashingMethod.1\CLSID\ = "{231D1CF6-C578-411D-9B9B-48264355805D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.RSASigningMethod.1\ = "XceedRSASigningMethod Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxBurner.FoxBurner\ = "FoxBurner Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxBurner.FoxBurner\CurVer\ = "FoxBurner.FoxBurner.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{05755065-6ECA-4F26-A3B1-0AE425B0EE07}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E0FC6DA-5E53-4F8B-A139-BFF7ACE28FC6}\VersionIndependentProgID\ = "FoxBurnerCOM.FoxDeviceCapabilities"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F46F6141-7C9C-4d70-911A-E49CE2ADA922}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4C6F5554-32C4-4304-A235-B5F2B97F1B20}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BAF7A82C-443E-4FF5-8A04-286E30C67553}\ = "IFoxDiskDirectory"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DA68A3FF-C69C-4FE8-947B-BD561EE15EFA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.RSAEncryptionMethod.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A02A65C1-50E4-4E5D-B9D0-625D5DEBC671}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7EC04D5B-19A8-45EE-BCB0-6FE0067F9468}\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CA6D55E7-F279-42BA-AEC5-5338C5CE5B30}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C14B6BF4-85A9-4DDF-BD42-59928595634F}\TypeLib\ = "{D0521D27-066B-4207-900B-6C3DF64B3CA0}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8E0FC6DA-5E53-4F8B-A139-BFF7ACE28FC6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxBurner.FoxBurner\CLSID\ = "{DA68A3FF-C69C-4FE8-947B-BD561EE15EFA}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{05755065-6ECA-4F26-A3B1-0AE425B0EE07}\ = "DXceedEncryption__0100"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F066CCAD-163A-4617-BA3C-BA4A4F80320C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6F9F8921-D7A9-47E4-A0D5-B5F2CA673408}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA6D55E7-F279-42BA-AEC5-5338C5CE5B30}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065BFAE3-3448-4E31-BAAC-CB599C7AAA24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jm7e	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jm7e\shell	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxBurnerCOM.FoxDiskSession\CurVer\ = "FoxBurnerCOM.FoxDiskSession.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.RijndaelEncryptionMethod.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D3E95E1D-D003-42A0-91FD-465DC624BC7A}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90FDB7BD-EB76-4AC9-8385-D1EE80BBCDCD}\ = "XceedRSASigningMethod Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{90FDB7BD-EB76-4AC9-8385-D1EE80BBCDCD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{55A560A7-E3F9-4790-8D22-F3A97009AC8F}\1.1\ = "Xceed Encryption Library v1.1"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exewmcSystem7.exewmcProc7.exewmcUser7.exe

pid	process
2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2272	wmcProc7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
1044	wmcUser7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe
2144	wmcSystem7.exe

Suspicious behavior: LoadsDriver 7 IoCs

Processes:

pid process

476
476
476
476
476
476
476

pid	process
476
476
476
476
476
476
476

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

rundll32.exewmcSystem7.exe

description	pid	process
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2964	rundll32.exe
Token: SeRestorePrivilege	2144	wmcSystem7.exe
Token: SeRestorePrivilege	2144	wmcSystem7.exe
Token: SeRestorePrivilege	2144	wmcSystem7.exe
Token: SeRestorePrivilege	2144	wmcSystem7.exe
Token: SeRestorePrivilege	2144	wmcSystem7.exe
Token: SeRestorePrivilege	2144	wmcSystem7.exe
Token: SeRestorePrivilege	2144	wmcSystem7.exe
Token: SeDebugPrivilege	2144	wmcSystem7.exe
Token: SeDebugPrivilege	2144	wmcSystem7.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wmcProc7.exewmcUser7.exe

pid process

2272 wmcProc7.exe
1044 wmcUser7.exe

pid	process
2272	wmcProc7.exe
1044	wmcUser7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exewmcSystem7.exewmcSystem7.exerundll32.exeregsvr32.exeregsvr32.exerunonce.exewmcUpdater.exe

description	pid	process	target process
PID 2880 wrote to memory of 308	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	reg.exe
PID 2880 wrote to memory of 308	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	reg.exe
PID 2880 wrote to memory of 308	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	reg.exe
PID 2880 wrote to memory of 308	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	reg.exe
PID 2880 wrote to memory of 1768	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 2880 wrote to memory of 1768	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 2880 wrote to memory of 1768	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 2880 wrote to memory of 1768	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 2880 wrote to memory of 2032	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 2880 wrote to memory of 2032	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 2880 wrote to memory of 2032	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 2880 wrote to memory of 2032	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 1768 wrote to memory of 2964	1768	wmcSystem7.exe	rundll32.exe
PID 1768 wrote to memory of 2964	1768	wmcSystem7.exe	rundll32.exe
PID 1768 wrote to memory of 2964	1768	wmcSystem7.exe	rundll32.exe
PID 2144 wrote to memory of 2720	2144	wmcSystem7.exe	regsvr32.exe
PID 2144 wrote to memory of 2720	2144	wmcSystem7.exe	regsvr32.exe
PID 2144 wrote to memory of 2720	2144	wmcSystem7.exe	regsvr32.exe
PID 2144 wrote to memory of 2720	2144	wmcSystem7.exe	regsvr32.exe
PID 2144 wrote to memory of 2720	2144	wmcSystem7.exe	regsvr32.exe
PID 2144 wrote to memory of 2696	2144	wmcSystem7.exe	regsvr32.exe
PID 2144 wrote to memory of 2696	2144	wmcSystem7.exe	regsvr32.exe
PID 2144 wrote to memory of 2696	2144	wmcSystem7.exe	regsvr32.exe
PID 2144 wrote to memory of 2696	2144	wmcSystem7.exe	regsvr32.exe
PID 2144 wrote to memory of 2696	2144	wmcSystem7.exe	regsvr32.exe
PID 2964 wrote to memory of 2608	2964	rundll32.exe	runonce.exe
PID 2964 wrote to memory of 2608	2964	rundll32.exe	runonce.exe
PID 2964 wrote to memory of 2608	2964	rundll32.exe	runonce.exe
PID 2720 wrote to memory of 2592	2720	regsvr32.exe	regsvr32.exe
PID 2720 wrote to memory of 2592	2720	regsvr32.exe	regsvr32.exe
PID 2720 wrote to memory of 2592	2720	regsvr32.exe	regsvr32.exe
PID 2720 wrote to memory of 2592	2720	regsvr32.exe	regsvr32.exe
PID 2720 wrote to memory of 2592	2720	regsvr32.exe	regsvr32.exe
PID 2720 wrote to memory of 2592	2720	regsvr32.exe	regsvr32.exe
PID 2720 wrote to memory of 2592	2720	regsvr32.exe	regsvr32.exe
PID 2696 wrote to memory of 2732	2696	regsvr32.exe	regsvr32.exe
PID 2696 wrote to memory of 2732	2696	regsvr32.exe	regsvr32.exe
PID 2696 wrote to memory of 2732	2696	regsvr32.exe	regsvr32.exe
PID 2696 wrote to memory of 2732	2696	regsvr32.exe	regsvr32.exe
PID 2696 wrote to memory of 2732	2696	regsvr32.exe	regsvr32.exe
PID 2696 wrote to memory of 2732	2696	regsvr32.exe	regsvr32.exe
PID 2696 wrote to memory of 2732	2696	regsvr32.exe	regsvr32.exe
PID 2608 wrote to memory of 2800	2608	runonce.exe	grpconv.exe
PID 2608 wrote to memory of 2800	2608	runonce.exe	grpconv.exe
PID 2608 wrote to memory of 2800	2608	runonce.exe	grpconv.exe
PID 2880 wrote to memory of 2420	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 2880 wrote to memory of 2420	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 2880 wrote to memory of 2420	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 2880 wrote to memory of 2420	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 2880 wrote to memory of 2420	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 2880 wrote to memory of 2420	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 2880 wrote to memory of 2420	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 2420 wrote to memory of 2784	2420	wmcUpdater.exe	wmcUpdater.exe
PID 2420 wrote to memory of 2784	2420	wmcUpdater.exe	wmcUpdater.exe
PID 2420 wrote to memory of 2784	2420	wmcUpdater.exe	wmcUpdater.exe
PID 2420 wrote to memory of 2784	2420	wmcUpdater.exe	wmcUpdater.exe
PID 2420 wrote to memory of 2784	2420	wmcUpdater.exe	wmcUpdater.exe
PID 2420 wrote to memory of 2784	2420	wmcUpdater.exe	wmcUpdater.exe
PID 2420 wrote to memory of 2784	2420	wmcUpdater.exe	wmcUpdater.exe
PID 2880 wrote to memory of 2916	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 2880 wrote to memory of 2916	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 2880 wrote to memory of 2916	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 2880 wrote to memory of 2916	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 2880 wrote to memory of 268	2880	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

wmcSystem7.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer wmcSystem7.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	wmcSystem7.exe

C:\Users\Admin\AppData\Local\Temp\8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
"C:\Users\Admin\AppData\Local\Temp\8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2880

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe export HKLM\SYSTEM\CurrentControlSet\Services\Win-Win7 "C:\Users\Public\SMR7\Debug\WinWin7.RegDebug.log"
2⤵
PID:308

C:\Program Files\WW2017CF\wmcSystem7.exe
"C:\Program Files\WW2017CF\wmcSystem7.exe" -di
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Windows\System32\drivers\WM7F.inf
3⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2608

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
PID:2800

C:\Program Files\WW2017CF\wmcSystem7.exe
"C:\Program Files\WW2017CF\wmcSystem7.exe" -ai
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:2032

C:\Users\Public\SMR7\WM7installTemp\wmcUpdater.exe
"C:\Users\Public\SMR7\WM7installTemp\wmcUpdater.exe" -smr_inst
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2420

C:\Windows\SysWOW64\wmcUpdater.exe
"C:\Windows\SysWOW64\wmcUpdater.exe" -smr_inst
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2784

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="ICMPv4 Inbound"
2⤵
- Modifies Windows Firewall
PID:2916

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall delete rule name="ICMPv4 Inbound"
2⤵
- Modifies Windows Firewall
PID:268

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMasterServices V7 Client7"
2⤵
- Modifies Windows Firewall
PID:968

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall delete rule name="WinMasterServices V7 Client7"
2⤵
- Modifies Windows Firewall
PID:1808

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMasterRC Slave7"
2⤵
- Modifies Windows Firewall
PID:3060

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall delete rule name="WinMasterRC Slave7"
2⤵
- Modifies Windows Firewall
PID:2364

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMasterRC SlaveX7"
2⤵
- Modifies Windows Firewall
PID:1560

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall delete rule name="WinMasterRC SlaveX7"
2⤵
- Modifies Windows Firewall
PID:1152

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMasterFT Slave7"
2⤵
- Modifies Windows Firewall
PID:1884

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall delete rule name="WinMasterFT Slave7"
2⤵
- Modifies Windows Firewall
PID:1840

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall add rule name="ICMPv4 Inbound" dir=in action=allow enable=yes profile=any localip=any remoteip=any protocol=icmpv4:8,any interfacetype=any edge=yes
2⤵
- Modifies Windows Firewall
PID:1348

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall add rule name="WinMasterServices V7 Client7" dir=in program="C:\Program Files\WW2017CF\wmcSystem7.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfacetype=any edge=yes
2⤵
- Modifies Windows Firewall
PID:1748

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall add rule name="WinMasterRC Slave7" dir=in program="C:\Program Files\WW2017CF\wmcRCSlave7.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfacetype=any edge=yes
2⤵
- Modifies Windows Firewall
PID:1592

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall add rule name="WinMasterRC SlaveX7" dir=in program="C:\Program Files\WW2017CF\wmcRCSlaveX7.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfacetype=any edge=yes
2⤵
- Modifies Windows Firewall
PID:2960

C:\Windows\SysWOW64\netsh.exe
C:\Windows\system32\netsh.exe advfirewall firewall add rule name="WinMasterFT Slave7" dir=in program="C:\Program Files\WW2017CF\wmcFTSlave7.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfacetype=any edge=yes
2⤵
- Modifies Windows Firewall
PID:2700

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /i /s "C:\Program Files\WW2017CF\FoxSDKU32w.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:1816

C:\Program Files\WW2017CF\ScheduleTask.exe
"C:\Program Files\WW2017CF\ScheduleTask.exe" -SetSchedule
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1376

C:\Windows\SysWOW64\wmcUpdater.exe
"C:\Windows\SysWOW64\wmcUpdater.exe" -smr_run
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2556

C:\Windows\SysWOW64\wmcUpdater.exe
"C:\Windows\System32\wmcUpdater.exe" -smr_run
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1680

C:\Program Files\WW2017CF\wmcSystem7.exe
"C:\Program Files\WW2017CF\wmcSystem7.exe"
1⤵
- Modifies firewall policy service
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2144

C:\Windows\System32\regsvr32.exe
/i /s "C:\Program Files\WW2017CF\XceedCry.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\WW2017CF\XceedCry.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2592

C:\Windows\System32\regsvr32.exe
/i /s "C:\Program Files\WW2017CF\FoxSDKU32w.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:2696

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\WW2017CF\FoxSDKU32w.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2732

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMaster Client7"
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1052

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinMaster Client7" dir=in program="C:\Program Files\ww2017cf\wmcSystem7.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfacetype=any edge=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1924

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMasterRC Slave7"
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1700

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinMasterRC Slave7" dir=in program="C:\Program Files\ww2017cf\wmcRCSlave7.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfacetype=any edge=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2316

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMasterFT Slave7"
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1348

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinMasterFT Slave7" dir=in program="C:\Program Files\ww2017cf\wmcFTSlave7.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfacetype=any edge=yes
2⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:2872

C:\Program Files\WW2017CF\wmcUser7.exe
"C:\Program Files\WW2017CF\wmcUser7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1044

C:\Program Files\WW2017CF\wmcProc7.exe
"C:\Program Files\WW2017CF\wmcProc7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2272

C:\Windows\SysWOW64\wmcUpdater.exe
"C:\Windows\SysWOW64\wmcUpdater.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:3020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WW2017CF\FoxSDKU32w.dll

Filesize
2.9MB

MD5
25e0bf4889612fc23561d79c942ada1c

SHA1
f9428cc4f4a9640a244875687178b43a74f4211e

SHA256
3a69e8fa1426b7cc4b837875c0bb5ca19f6b93fe49172f3e2dfa14256fd32d30

SHA512
8c4f6608b2e9930d38b8064a881b7a849b2f8f2222dfcd8915bf137a8ab4a616db56fc784c80600036dbcaa0351946171f17cd7160a8295a2310eed0efa9677d

Download Submit
C:\Program Files\WW2017CF\Info\ADUserInfo.txt

Filesize
160B

MD5
f80bbb051c37f3d6e4f5d8c9ae30b6b9

SHA1
72f2fbbef502420a51691992337da155269418d8

SHA256
6ddeb06d1d8b59c839e92149f4f24225bb8742daf3a95f30b8112cf021189fe3

SHA512
d48d5580842f1d160f22c1df39a751cdaf244c698c015d67a392d29ac4e874b3fe14d0abb055f5ca1b5276c5d5290cbc9b3e793d7daf3682efd98162460e3514

Download Submit
C:\Program Files\WW2017CF\Info\BootInfo.opt

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\WW2017CF\Info\PCInfo.opt

Filesize
156B

MD5
70611f65eaf18e83577ac0f7b6357d13

SHA1
d741630cdda0dba0230fdb4601c2941cbf3500dd

SHA256
11ec587335293449e322e330d2c95d0e2489ef6498ee50b52198e4833b191437

SHA512
c15f1f66de5571457b8a8ca631b017ef4b3525bed94f6ddb91f35c1b51c166862d3131cc171ce5fe9539dd88682e723afde46b932b18b4e041dff0c47adf403e

Download Submit
C:\Program Files\WW2017CF\Info\PCInfo.opt

Filesize
190B

MD5
8c24a3cad8f17c725ab67e5472fa8cdf

SHA1
dab5b3a7b37a62d8dbb69128378bfea60d7a3466

SHA256
368402fbfc6479f2a5a65728ee62b25ddd23f79bde7f6e45d482f73bc8b9c8ef

SHA512
c3deed340abae76e824e1e4ff8e4f8651cd5eca7fb1733ec2df1474105a15d36819fc6b812e09079705e846dec1bda60cb8397dbe3440188f65e2475956d6b3f

Download Submit
C:\Program Files\WW2017CF\Info\PCInfo.opt

Filesize
248B

MD5
7a3fc14138bf64b2d7d85e0013978cb9

SHA1
469d80e28e9ce5e5fcce687c2f67a0e3b59867ec

SHA256
c8936eb06d30f2977d55c62e46ee309014a7d97783333e389c60a13f0448aaab

SHA512
2e47522c3df92de547eddd39563b5dd638d1e7d1ed330cd7dbd6205c9e3a15c6b95b6a77bb52cebb129070814aa5ccd5b9feb8fea199434ff2ae2385a1f76d50

Download Submit
C:\Program Files\WW2017CF\Info\RemoteService.opt

Filesize
44B

MD5
21f084d77a7851f7bdc063d42edc02a9

SHA1
a018660ab7e63050facd2a9234bb739ae37dafe0

SHA256
594045032987458e03e396b7a40673138cb71ed175e9b71c2d29f8e31096c463

SHA512
82791e2b6ee4a14e8d408df0dcc4ba4102fd943e2bda5913e320f19d2b10ac0cd53b88a5e6bbc028b72f06a4958a21527d863bc568ec40709b56093a660737ce

Download Submit
C:\Program Files\WW2017CF\Policy\System\PolicyContainer.opt

Filesize
7KB

MD5
8b1bc4e30ea55792e78a657796e5994d

SHA1
e7701910505add5f92e06bbb59e31ff16037e534

SHA256
bed0748239cc31454b02be10bc82718eceff704d12ebb908b0b3608732f373bc

SHA512
05dba20e29ce39e6be3ba4b08fb10a73cc1527fbd32fe92d7643ba0559c3494f3783b6e9ee22ba4fabe6ebef8e4e669ccc63d94e345bcaa7499894f1ceda43a7

Download Submit
C:\Program Files\WW2017CF\Policy\System\PolicyContainer.opt

Filesize
7KB

MD5
ece088f944d76905f4b5e7799ea044e1

SHA1
b7ce58481c0d0c1c30b270138961dd45311c93d6

SHA256
4ae5fd9487a1fbfaf699d129c71403f3a36c0f63561025d8490a877e6466e57f

SHA512
ad268a799e9848ff8bde885a2b45ba17b7ab56f2922a6b8961ce33869bd1bddc12f3f6641ed4f085b61ffabd2f235f25faa1a333198b46fcb2f038c780bd4294

Download Submit
C:\Program Files\WW2017CF\WM7F.cab

Filesize
564KB

MD5
d2b5469d6d6f602e9b088ee24e3a1e4c

SHA1
e9ea2fefffe528190f744986ca19aebd57276425

SHA256
2cab26da7d4a72dc92b9d3310784017cd7603863a7ed4aac8d3a2508e289909e

SHA512
f0270d78e1d5ccb6d7d542551182a1c20378c7ed5d94dfdb901e95fc2cef40ef80a322ead9ca802a124ccdd0575d26876012999166cc092ed011fac48085d667

Download Submit
C:\Program Files\WW2017CF\WM7F.inf.w7_x64_Signed

Filesize
2KB

MD5
c71f9a1ecef6ffbcafc9a1e07a5176a2

SHA1
63884a6868b9e3d0f4bdc50e7a4a459fe61a0fa0

SHA256
2332d8520bc7efda94331f466e42bd8953b03579a80a5187bae336a061f99902

SHA512
263b1029870126a643c879611ed1fdc4b25f176d0a54999e2b000ff49602438862f9432ce67666086768725df8ff68ed100009a532b75e3fe6f87b5a760df4c9

Download Submit
C:\Program Files\WW2017CF\WM7F.sys.w7_x64_Signed

Filesize
142KB

MD5
577f201f985ce1cbd5d9ccd42c26e943

SHA1
780e8e78382f77b735be405fb9379838f6993dc0

SHA256
5a730f50f0891fa54af0c7551f65f8e0864ae2be0e8c7293a85c0615422ca954

SHA512
1e9e111ee9f5c193640ac3ec8944bf202de61b897c49a8f5e7d70fc8614217596e9e14e98fc2eb5b01c0414c0d402f7abe298ad80b6159bc539ecc19c4254f29

Download Submit
C:\Program Files\WW2017CF\XceedCry.dll

Filesize
513KB

MD5
2c0c746eecffdcedd18450659f3a8ee6

SHA1
68dcbd003837545a07608ed3f2efa77612c30456

SHA256
ff9722c64be81caad50e14bb3f50f345b4a30ca76c87113292ff852e934590b3

SHA512
ccc2a0f7d3f18eb1ff3506cc8545e7fa72b05758bfeb8b5e8348de4f7648ff57deba69839f8b7d7a350d6cb383030267e81bb3d274aa62f1e9a6002d5b2a7751

Download Submit
C:\Program Files\WW2017CF\wmcEnterprise.dat

Filesize
736B

MD5
b215c2a72a1d4ac359c51182cb3fde98

SHA1
d025ca51263bdfd798f03f642af2be4895ca5bde

SHA256
9c95f735068e012e5c2ed99b3ef51a75cfc774d65b8148db5aa22083fbc2fcf8

SHA512
8895e8ac8082ff2ef9d25e7f645802efe96ebc7a2147c8c488a4842ce734c121a1be8aa6a403efb86a0a470c1ff5a30f24d6e280209d5f1a097d0774dc40d3c4

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_12cce00e-511f-47e5-8588-7df67886da42

Filesize
1KB

MD5
5f17a6dedea709d33f68b86fb9395669

SHA1
f42ad67aeb99b4110ff4586614f12cfd2316c5fb

SHA256
b775bcee5217b62bada1b09f08610915d3c79ca6a407b7733902e421693a5dc0

SHA512
c156fe994dc882d37906b32d280bf66dd5d1c00b08d66d97ee390a36c0e09111cbe21ef40d03ce04e6baf7c81903f268679b5424fc82829d51dae9faf7d315e4

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_12cce00e-511f-47e5-8588-7df67886da42

Filesize
1KB

MD5
966aa0f6b61497409181f242d9afc130

SHA1
b62ce432e663224f5fa4da3926a2164c5a27c9c9

SHA256
87a4d04b862b6b978cd4e38ef61d6a717c63c43f7a6dcc1c79519d4093a8f884

SHA512
74db35d19ea9908fe75a475b1bb81dd70dc2fcf6501b7d156f90d420a8bc1d25bba90427bd2ec226f67395a278ec1723011d9404d88ecb7b4747525222b0fb36

Download Submit
C:\Users\Public\SMR7\Debug\ManualUpdate\2024_04_19_SCFGBRBT.log

Filesize
4KB

MD5
5c6ff96f7555639dd09a39add17b1c8b

SHA1
df13bec86756d296e1e32f4c2411db1e90a890be

SHA256
1ba66d7a2cdd974cdb66e52bdad70d3cbb570c5efd20173efe4bf1e66015a03f

SHA512
1137f697369940077e6de059df5673c4e69725127cef930323dfcaef8012f40eb81e4915d2fcd832e662bc824597a8d578364b228b1ba46d0045b7e3b471458c

Download Submit
C:\Users\Public\SMR7\Debug\ManualUpdate\2024_04_19_SCFGBRBT.log

Filesize
2KB

MD5
46526c8f17600fc996db0dfc7d1b1e42

SHA1
7b8ec6d8a9688d9b04654ace84e2c1a262e4cd95

SHA256
ad10f14a334150e1e1e11b23e64c14c5bf602362de3be17df31c00ddf304ae11

SHA512
2e0baa14e38ee6889f54543f9777c91e7a13b14b188ca6567f2d558bb2d9853c7cbac8b6e9f4536e7ad68ac11dfab3b26d596eb1eda45f7074bc4e63dcf8f4a8

Download Submit
C:\Users\Public\SMR7\ManualUpdate.ini

Filesize
4KB

MD5
4263dd8e8eda252cff15a50ee523acb4

SHA1
d5afe9e071be018d8fddb905f06949c4c3b5f906

SHA256
1ea758d73e1910637b716738a11ac609510b0e4e941bb47d699ab03ee725bbaa

SHA512
76f5b52afc58fcb1aff214827594b0be9671086210b0801f021d432c7ba6c58126ae96e921131434e6e9657249752d13389c9ee7b8ea26aaad89d0cbda5fca33

Download Submit
C:\Users\Public\SMR7\WM7installTemp\ServerSchTask.dat

Filesize
60B

MD5
aca73f319209e2556b36c21030592252

SHA1
2e5fe3b619642158dd224e189b9492eb0ceba7ee

SHA256
d7a6e2f0cc0f34b8c4a616516ccdbedb563acfc91de72ee9a3c2cf26da70efbb

SHA512
85de70bcc089fa308b8b3a68cbb924ab4473fb34c2fe2627856bbce9a4114dba7b254e9ea3992038bde65d5717e6242b7fe592b9676eea542a10d4be9ee8f366

Download Submit
C:\Users\Public\SMR7\WM7installTemp\TGT2.ini

Filesize
272KB

MD5
14b6600ea20ecf376cc0916adca4664c

SHA1
1a2e60830b18d3938b92e9fdecaca4fc64adb9c3

SHA256
50f17744a841e27360e8d109fe2e4b81cb488a5ea420ef85f53ef307fc5c3aaa

SHA512
f96b706f17745013add0214383598341e6d726a1ff24c9ff782ec45356fa517fd038d1f52de0e3d1c29c3adcdace3df42055d324499a20ff600e14c8e82e10d4

Download Submit
C:\Users\Public\SMR7\WM7installTemp\Updater7.ini

Filesize
81B

MD5
70f1d3e435ad52f73b9a2fd99bda7215

SHA1
07e524460d637d2356a70c6a8c2f9e45f9c37acd

SHA256
8d91d4d13ccb53493e472cd5f87fca17e0773d4864ba9f6e44979313cd56a822

SHA512
7d1524094ffd0dfdef9e39fb768824e48e7895d46f8bd0f636ef712861b944acc8c6f33d1280377131121824033c448a99563d8afc3a2b1a37f13a094058b0d2

Download Submit
C:\Users\Public\SMR7\WM7installTemp\Version.dat

Filesize
28B

MD5
0a84c17c042db33f179b9680df1fce17

SHA1
b3bfb5c4c6cf96c84d8e6db7beb055df141060f8

SHA256
3078e46ad036eec394117cb3832c5883a3174173d9fdaa430d12d3d7e6bff2c2

SHA512
c283436036dfa937c20aa8d7bb6776fd6fc53f46f66e9e7e3b60d33003c2702ad4e706953a4057a2cbd83d3abcbbaf14c0377846963c0e4b4ec2d440ab57f8cd

Download Submit
C:\Users\Public\SMR7\WM7installTemp\WinNetDaily.dll

Filesize
7KB

MD5
6dc31af9f2b09740922065ea28b5eb3c

SHA1
4a1c267b30535aef8c3109f2104da9dd01c17f0c

SHA256
869941e24817fce286963877bad58b0de73486de1bcbfcc7f7d2f9056d514745

SHA512
4303263999c61414c6f29949c70c6cdc6a96cdf210708a39c84b0037a08a108c807a7f03620b7d3303449610c0cfe0ba4fb518e9f37917f983bc70a1e21a6321

Download Submit
C:\Users\Public\SMR7\WM7installTemp\cbfsfilter20.dll

Filesize
763KB

MD5
be8818d3615195035cd9975c47204a85

SHA1
309e2195d53f486afe3f87ed186dcc39ff79c7d9

SHA256
2340772c80a5f90801d307f1e8f3ff4e77d6fd0f7d643a837e429129988c1e8a

SHA512
7b1ab6fe500edba69a792daf6a06c2d17a43ccf89f4ee8c65fb1ca162beca027a02a9b89e95fde9bab8789f2de3eb677ab7fb4d1d8f3ca000b8d4a2e4035b344

Download Submit
C:\Users\Public\SMR7\WM7installTemp\cbfsfilter2032.dll

Filesize
512KB

MD5
4efb2a895ecd3792eed52e850af847c9

SHA1
74e43921d052fecf4190c813c9ee56b37d79dea8

SHA256
8a21206fe6d151d5c18fa48d8bb6cb600190bdf62999c6cc7e53a31b8fcdc72c

SHA512
40a90f67830d7f1415f9781ccb09f2ec68b075004db238aadd09afb7a1b11b61c266d25f60c96966b0eb0aa3ed1531e2f9b04e4d1b2fe753cda68a59af26e6f6

Download Submit
C:\Users\Public\SMR7\WM7installTemp\cbregistry.cab

Filesize
277KB

MD5
cbf0c82d8867a425a0a04527e89425f1

SHA1
7c946358da28fb35b62755e3854edfd349f8bf84

SHA256
ce731190ee0d63e9051b1ea58f305d49256a799e170de45baa3a5bc1b0bb5e9c

SHA512
e793e4ec38e8d031c568a94b559053504b44b0f5938d71ddedea2b09996e9cdb472f976f181f24e3a53c6c621d3936a7ed955e716e8d10b8867c39b45570dbf0

Download Submit
C:\Users\Public\SMR7\WM7installTemp\winet.lnk

Filesize
748B

MD5
d34cbdf1a37e06133cf75c17eebbf58d

SHA1
db861919287928e8a5efeb930056c96bd9c815c3

SHA256
a55978e4257023fb61896e82bf006ca4d1a9a5b9c7994042355339ae688b0147

SHA512
dac577250345d2d5a40c8c96eeb489f19de1b3c7a3aee87e31146870216176bc9fcf94decbe1fee4dba60bc7a6b88fa2ff5d0b926097ac86ea9c47c1d62e372c

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcHook7.dll

Filesize
423KB

MD5
9e1a5b9ef4c6351c410c822b8796c4d0

SHA1
5feb7c8f985578125c4b345b16111a69546fa6a0

SHA256
a1a4069af1e1202c90db189f26f355bcc1c0ecf1c9692d25ce1e599f0e0fc423

SHA512
fa65065703894c185f6b14777f665462963fd03fe4e37bc2ec235a0c98be7c8e5674c9040da2a2a2f1d9f5e817367d47320080dbaeae6cca527c3e17ffa4a516

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcHook764.dll

Filesize
448KB

MD5
d39e398dc52861911471073da71b323c

SHA1
5dd07ad79e641eee93f0ee34c8d6a5e5b9d99c35

SHA256
ffbe1d91088c7b3e9216670ee6830a1299f621d01491f414c6215b280f6684ed

SHA512
3c5ff20c47040d692ac94821d9d4074347be072caf1ae0c745875043c405b66fee46a3d0196c751d48085206f15699683740d426ec22c3dcb9bf1278aca13950

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcMemmgr.dll

Filesize
197KB

MD5
d99cc965d90cc82bdb8fe4a11e091cd0

SHA1
2b3a7a2f09198652d35d93f1a6d62341879737c7

SHA256
f206cfa152dab26959af921765fe722b4e401c99f3da243f1253ad510dee5f41

SHA512
294765c3fe81ac3eeefc2c7e0c7b5bf2026813a5e51ef346f7ccefbe037aa4f716af1efedce68c50529e03c99897e271f6a91bdeadf67505f52d204bfd4b065d

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcWatermark_DLL.dll

Filesize
133KB

MD5
7177157c26a832403751cdcb6363088c

SHA1
52180deea01a7a6196873340df05360dd57a97ee

SHA256
387426e026dc7f3aee8d8c01ccaae1a7b2db66a37d65d2992bb069af13ffd63f

SHA512
ab438eca268e334412be9d84cd2993b32e5bdc6bc824624cd7e045741801c4a3e56e0f8f94371f2667f50a2220b8a096efbdcb422da681d476ef9ef8beb8ddcd

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcWatermark_DLL64.dll

Filesize
138KB

MD5
e76918b7c29c4b949ec96b67ee6027c1

SHA1
010ff58cf3738d88ff4f0bf1785c36433c1d89c9

SHA256
a89ac5d2162a341c829729b882142b6fd3fb542a70f5611b65e22e3481e33607

SHA512
66026a6e5502dd0a227cec78c62ade211bca960347e9655b18a2cefef49a9ec0adaea98c1d19b776fc020b1a14e46f8a61165444a11ffe3dd3abf57bcfdfc8f5

Download Submit
C:\Windows\Debug\WM7\AutoUpdate\20240419.log

Filesize
418B

MD5
5b248c9ebb705aaa577f1d84ac9dfb6f

SHA1
5816550936f380bd5bbf0faeb031e7ab99ddfba4

SHA256
92b027be831212fae9339668d575ded2cb21102ff81ad4e9b052089b7c2e304a

SHA512
a9aabdb233fc80dc38c6e6e2a15791e930c5c7352820ab36bf30aa1b954d4117444cc08b89e657ea6cc231f221b903c6fe2375f2b3972c3366a9edc7ce98fa0c

Download Submit
C:\Windows\Debug\WM7\AutoUpdate\20240419.log

Filesize
1KB

MD5
1b9b8aec93d6e48db3f4b6fc1bf0f0d4

SHA1
749576b8998f15d2e30049cbd35a78e42fd319e2

SHA256
84236cb539fbdf3e6c7ec4e42aba33863c7febe6ab6e6b69b691a7cb726978e3

SHA512
e7fac3e607dcf81441825e98ee6afba3d847adc1087ac7cea5d3627bbeade72014d70df1f65c6f69c991490bb20782a2fd43a64769f853f775e95cc70423fb2c

Download Submit
C:\Windows\Debug\WM7\AutoUpdate\20240419.log

Filesize
2KB

MD5
e99b80ede8e7f4266700f17958839aea

SHA1
b8c76a80c832cde9eb16c94764031cc9fb5c47f0

SHA256
d80e2093b4826a3d6912d213e3c7d747e56d3428e0aec97cf0581fbbb4cf80aa

SHA512
a96b2a7350b4b01a53d69ad4bb5f357ad5e19ee611213303228a5124173804fd90c3487cd2e7d7c595c00560de67257c138e3a16c3b7d77c8a935b188012fc56

Download Submit
C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log

Filesize
1KB

MD5
1723b9c7095b8dc5a1ca6e660c4b027a

SHA1
79958123b38cede4089313bf3994f035a9c4333c

SHA256
ed03ac70df434b7eb1a23419c900994d6c58b7970012b410b118863ae9c8c03b

SHA512
f8a618e7d5143a83be89347dcc07f09efc31dc31f6e1bef7c9e3d1cc5e0ae1b3e22b3fc2435f7e6147bed948a88e35acdcc0fd2b62274e6e75737f7bda3e188c

Download Submit
C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log

Filesize
2KB

MD5
c138c6c9c75605ca1cc124380a1d3096

SHA1
7f6ede51c153b97964233a71f0f3308d3e04af3a

SHA256
bfc37148ddf66e251d011c1644f9ad090ad57790b5c23b3dadf8b521509e6571

SHA512
821488c6e5dc4eeb22d8eb3d0d1221831737fd677210b40cbce55a79145265c37e80949119d27d5d24abdf5f2f83a4a24debfb90e39cdc8df79260647a3e8a1f

Download Submit
C:\Windows\debug\SMR7\ScheduleTask\2024_04_19.log

Filesize
238B

MD5
d0505872c034ddc77def5c65f6dbc01f

SHA1
2c1068ebc9ccbeb214ef79bf640c2c442bbf8e6e

SHA256
60561e82e92e74845a8fd55cf049ceb3aa6da3e49ff978772e17fa63dd2661d2

SHA512
b8c61493e44739a85849e059d789492e13a2916455ecc984a05d9a6118bec4fb8fe9c56e1b0e3e081ea10c9a06e63dd93840db0b9f89ad96a348370c7870bd0d

Download Submit
C:\Windows\debug\WM7\AutoUpdate\20240419.log

Filesize
2KB

MD5
e2bb50a69419397df5df83943c4da1c2

SHA1
057ee75a7c1fece4b64ebb4aeeadd7552b4a2869

SHA256
6a1041ae46296ec1294f09b2ebff4e3164e9e47902a2229be83945eda49c9bfc

SHA512
fdbc54251dcba2568f053ed67d0baed523e51a107a5739ba18dec6036d74d308081bf088d519a5fb8671c99f5ac6a4a0675345372c39bd8ae2af0daa9bd12881

Download Submit
\Program Files\WW2017CF\wmcMemmgr64.dll

Filesize
210KB

MD5
3bd82a3c60313298df8a40d86189c8c1

SHA1
781cf701f9e9973075385bc91eb2d42daada3dd7

SHA256
2dab7cbdec521b78a64e1ef05090e0b3a3ffab98bfcd4bb649d4b9c0d7dfbdf4

SHA512
e4aeedb8810d74baf52f389ab649d0cca66baeacf2f12c8b39ddf85a34ba843c1336cf87712c476c12bf8e05779b6c53a534ca07652b61c2a218a844ad05c2a2

Download Submit
\Users\Public\SMR7\WM7installTemp\GCBClient.exe

Filesize
793KB

MD5
955dc3b296d89da2c9034adc0f71ea71

SHA1
4dd92fa858e9561a7ab8edfcfc5b4a8ac08228b3

SHA256
4bfd032d891f8d9686dbbb098935db02e948e988b18fa8e22396f55e7f9194bc

SHA512
01866266256015eb1f41ce51ef86f065a09b2026523a885c848f8baada2aea9cf54b4a6662eb8d21bb36f739561181b8b823d8e13219af2c92a7e8d85f1d632d

Download Submit
\Users\Public\SMR7\WM7installTemp\PCInfo7.exe

Filesize
120KB

MD5
b163e896a74ee9becad5770c34bce10c

SHA1
4d166a080385acdeb115fcdb8b8acee428f196db

SHA256
e0ad39c486fa93799f3ce4019687027b9dda7f3b69a5e5d572c9cba775931979

SHA512
d65f7d4f1a33011a7c0a59c864d39d4bb27138bf158818d11e34fc4659f4d0cc9bedf77a44eddce6906f785e0bac9b329a86c9b48e4125bdbbdcb630da1e887b

Download Submit
\Users\Public\SMR7\WM7installTemp\PolicyViewer20.exe

Filesize
76KB

MD5
67be6064557474ae467cbbac5d749be5

SHA1
65dd83ce9ec0952e2a5f63716734b87765196f32

SHA256
6665ad75ebdd3db7d3a3624f8d3cb817ddc8162ac891d15d058efe27a916d473

SHA512
1000c0ac8117715c1c7c88e313a5c9131a8a54e6f7abecf9ab7d4e3c6f9ac5191a45f87a95d6c17d719fdccdaafcfa889c84ccc927d2842dec59b58f940f1521

Download Submit
\Users\Public\SMR7\WM7installTemp\PolicyViewer40.exe

Filesize
76KB

MD5
3a1b35c59faee8f49564a844886c5e2f

SHA1
71eed14b8c1b39c74ff7a8d7f18555ab428e165b

SHA256
e836912ef4f75b7e208539fc0af37092e3a5b36e36324154e3ac5e270de826c8

SHA512
f32c8d0cf7464d6358328f57a5ded664a034931f47f52434343958adc6451ca4f6747faab5c307df0ed1db0f941d9dea31e110d74f01394a96faf51d325a9049

Download Submit
\Users\Public\SMR7\WM7installTemp\ScheduleTask.exe

Filesize
127KB

MD5
97b22d17f9b149e0abf2a9d1406afab0

SHA1
30bd9f4f5270fbe57983d60d7b5549f1e8caecba

SHA256
a599d8ec969c3fb73bb07371455aedfe7fa9037f906afa0235ab8d16e3e28aec

SHA512
f3c8cd68e797f23e16d8f0e2e7477238b236913f9f129548296b24c1f8ab8afa2fb0e8a7eb77baed492fad9cac5e9420b2fd65a755352ed506a81ebda87b3cd4

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcDataBurner7.exe

Filesize
322KB

MD5
bc373622942e7bb98d1c6a40628091fe

SHA1
2f664a2ad3dd493d1f0a5fb160c76dbed57afda7

SHA256
f2632ee75380f8eeea75e5102666eb7e8f8cfce92537aed5f4562be2d6089388

SHA512
6cf923110deae8bf6d3308aa3a980bedfa2f0d5d3372ae56a64a843bbed877e4f5ce4f39531be874421a32f8d29b099a9846c66e468d06489e502078158ff59a

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcEncryption7.exe

Filesize
257KB

MD5
e971355a07d27067788d7513c82845a6

SHA1
3a41aaff4a2a79670a70680ada85f59a2970bcc5

SHA256
e821bbb7eaa0859b66f26df15d860d3a10eec4d78e8d9c126cb6f5f4b5a68892

SHA512
9a3815a029e2168111c130c951e0131ad83f6ddc7a178f39964e153bbb342fc80c90ae33234522efe0228e502627342f2f5517928b4f6f203dc8f85ff55795c5

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcFTSlave7.exe

Filesize
243KB

MD5
51020d430cd5852d3c7fe425ea7f6a56

SHA1
c65d32af77862285e9a253a289954d098d5c638c

SHA256
e7c79144e5a4ab3b25be63483f0dd3c9c3fc425aaf874bab115e048a7dc1a6b8

SHA512
c915bd542d1ee4973a87591f22f7f022a7320d989e283a19499af4f38372a212ef034fcb2a944993076700b55f698e9a422d1aaa12710f0c5ed1c4026cd30604

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcProc7.exe

Filesize
234KB

MD5
c72ccf056fdab14bb32db2c927ad565b

SHA1
a3b32c261924033988df8d7d4d86c3d094e6dfc0

SHA256
067d44a12608082eed7eb21e23135c523e7a6af5f37a604fbb2fa2b28f687ab4

SHA512
61e35a07547eb4cbba68c1161a11a1cca270888be8c3f02c973d275349af563065ce243870e04175bf342748a1a25e9d3175a8609d351cbd6befe54d1a405bb2

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcRCSlave7.exe

Filesize
296KB

MD5
76c29dd7640dea18fde4a616e5be447e

SHA1
b67ea85893604dd236ffb9632c0cc83924f0c9c5

SHA256
b4a4788f4522b0ecc66c45d084f5966722073196b38a42dcb709c6c86d3b4271

SHA512
20a625aa10c342139f4a71f90faffd21aab877649e0d873f1a2aeb1ab7fb45c1ab3a885d41a805225c8c1a62c1c2dd2ad62ff5a6f3f88c95f97406d33334c9a8

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcRCSlaveX7.exe

Filesize
316KB

MD5
20516c0b263f90b5f9f7131e4e0bec4e

SHA1
3e3ac2e5c936f79be008f2fe9610b9ba617f24e2

SHA256
757106cde2f309b1e8eb4409066bfa585014e0a16d823591f76899903daa3191

SHA512
5f92cf62d75b6bb8f5ac67c9637f74445bd7e8d9f593fabf536b664cbaf931115d87b605541c62f3ad2a920022fd77f5dcd62810bf14673f98282ccf9e183cd0

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcService7.exe

Filesize
236KB

MD5
34b68ed01f93e9321409f6e1b98df600

SHA1
60d92e7f50a94ace6ac567e5267849afa029ecaf

SHA256
00dbd54cd51a3923beefee7ffda89633b86b694864590a1295607d902ae5a2bf

SHA512
02865540a1815a213a1141cdd4ebb77445fa89c61c34d9cca04a7690e5d53201adf19f696d2052f54abd64d60cfcbe0c697e949e0dd09540762952f7fc155a08

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcService764.exe

Filesize
259KB

MD5
20d59af473d94dadd590df5242746477

SHA1
3baa8fd3cd6ba73e44f42e8376f8616e0d2a1655

SHA256
1a48e6d258bc68bd0a953a0872854d0d1dacfe5737d3a198d1e279cb4081e7ae

SHA512
50d916412f319de708472e1d13904183b1217b66acf578994372d33f5698bc947d8ea8d7d5b930beb59f94a8bbb3034cac6512d6e3c0b042997c7ffaf3a0152d

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcSystem7.exe

Filesize
1.3MB

MD5
16056eacd55d7c7c91c396a81ea10fdd

SHA1
5c0cead414222f2ed9159d0a00f3776309002fad

SHA256
3fc4b197d120bc8e9044aafbce4f9d2aa23acc73b42d74ba22d92603e10cfdf6

SHA512
1ccb4f335dde98ff6c5b9e954f824467523e878c7ad874c1a28d910d88efbd9fe56864ef88ead28656519a0ac09398d9f5f6a05541171f359f83043c7c33cfaf

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcSystem764.exe

Filesize
1.6MB

MD5
c06a33a3e9b772193ce9817d7673cb09

SHA1
6be5020ae7fc9d82b8d64c7e457fe4bc56c23829

SHA256
e46ddc0e85cec5b4a1f105285a8d050653ef7d0143f9dc7a588ed49693b4af91

SHA512
cf64b72232759c439281152bf6184136d1d0b4f917355a0ea013b224330c693f423c0e9579c7450b2b5ed15de97b4d8faac136b69f103167b42457faafa657ec

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcUpdater.exe

Filesize
221KB

MD5
7b0da8fcd21be619eaa1c097f7098e3a

SHA1
dabf1337edfa2aea38dd8e29e19b6917855b37ec

SHA256
1afa91b1e11e044d6bbe7ee5909037bacc4bc12d4529646e614e883fc80925d0

SHA512
08c5f0952eb37b04b0e884ac39f5b1d8a38ab5e852b2a03ef9497a13fd7286805d0840245ae78cd8a1fa25b5cc0e6dc801d8c7419c9c37c92f32019beb0e77ce

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcUser7.exe

Filesize
372KB

MD5
43768f646b0fc27fbabe1916e01fe387

SHA1
9ca8490505717c107e873664d9bb5ac83939588c

SHA256
5883c80db49ea9270c67d2ffca8d5cd18ae71e17e9b6e8cb5bd58ece7df8c8f4

SHA512
0afe4da5b26e6d0edad7b01d9640b13a9416aaa9dbaf27f3a28305e1287f82af05e120ef01b74bb56468e2c75afa8be4fdfa2b9f16e5020dc820b9ca207b8299

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcWatermark7.exe

Filesize
251KB

MD5
59b645950cca37369c9747e17a8b04ba

SHA1
8c4092d4190ccd0f29a0086f5f24b356adf7b22a

SHA256
5febc863ab60be96a17355d4346736a923905860fa653556df8a268cc0e8e432

SHA512
addaff87e42de7839a88b42fef7071861b18ff75c39f98530f2315dbdb17b76ecd1f8e28c24e06e3b7ff45deae7739da38233781fbf85095b5e84ba1cbd737e3

Download Submit
\Users\Public\SMR7\WM7installTemp\wmcWatermark764.exe

Filesize
276KB

MD5
00b606a2e58b6a748691df14d3a20ea2

SHA1
e53b5452b9bb908623a34e591b688bfeb796fdf9

SHA256
93c94437d3987dd18e249d727a80a2cd1bb7d2cf47bc61d8de228a8cd560aa98

SHA512
42223fdeb1a520950b94500c4729f742ae04a85866ce08552af49def0cc11e474eb29c78aa12f8e71a42c29dda61974365ead2e0c8e85da8c1f3e897dbb3a81f

Download Submit
memory/2964-404-0x000000013FCE0000-0x000000013FE5C000-memory.dmp

Filesize
1.5MB

Download
memory/2964-403-0x000000013F160000-0x000000013F2DC000-memory.dmp

Filesize
1.5MB

Download