8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 02:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Size

8.4MB
MD5

47be6cb513ff8728c7c815fd745b67fb
SHA1

5efa5cd2894fc56f4ed63a4495c031b508352b93
SHA256

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d
SHA512

80a01f60719685e5d990a409d0d3927d5287f4b44903be26c4b5040c9279786f4cf8e76472caba36093f1ab1a882fd4982fb727e5adb572015fb3313102bdaeb
SSDEEP

98304:Jt/9fgbbS0sYu2YOZbVTSiR36yLWbktYSeufBu31t6yPbX5gMZhf10bfW257NZb:X+5vuMbV6Jk2SpkFYyj5gMZN45rb

Score

10^/10

bootkit discovery evasion persistence spyware stealer

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

wmcSystem7.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List	wmcSystem7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\8150:TCP = "8150:TCP:*:Enabled:8150"	wmcSystem7.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	wmcSystem7.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	wmcSystem7.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\8150:TCP = "8150:TCP:*:Enabled:8150"	wmcSystem7.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	wmcSystem7.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	wmcSystem7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	wmcSystem7.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	wmcSystem7.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	wmcSystem7.exe

Drops file in Drivers directory 5 IoCs

Processes:

wmcSystem7.exewmcSystem7.exe

description	ioc	process
File created	C:\Windows\System32\drivers\WM7F.sys	wmcSystem7.exe
File opened for modification	C:\Windows\System32\drivers\WM7F.inf	wmcSystem7.exe
File created	C:\Windows\system32\drivers\cbregistry20.sys	wmcSystem7.exe
File opened for modification	C:\Windows\System32\drivers\WM7F.inf	wmcSystem7.exe
File created	C:\Windows\System32\drivers\WM7F.inf	wmcSystem7.exe

Modifies Windows Firewall 2 TTPs 7 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

1292 netsh.exe
2932 netsh.exe
4020 netsh.exe
2168 netsh.exe
4240 netsh.exe
2680 netsh.exe
4068 netsh.exe

pid	process
1292	netsh.exe
2932	netsh.exe
4020	netsh.exe
2168	netsh.exe
4240	netsh.exe
2680	netsh.exe
4068	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wmcUpdater.exe8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exewmcSystem7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	wmcUpdater.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	wmcSystem7.exe

Executes dropped EXE 11 IoCs

Processes:

wmcSystem7.exewmcSystem7.exewmcSystem7.exewmcUpdater.exewmcUpdater.exewmcUpdater.exeScheduleTask.exewmcUpdater.exewmcUpdater.exewmcUser7.exewmcProc7.exe

pid	process
1708	wmcSystem7.exe
2284	wmcSystem7.exe
1840	wmcSystem7.exe
2704	wmcUpdater.exe
212	wmcUpdater.exe
4780	wmcUpdater.exe
2588	ScheduleTask.exe
1868	wmcUpdater.exe
2208	wmcUpdater.exe
1988	wmcUser7.exe
4320	wmcProc7.exe

Loads dropped DLL 11 IoCs

Processes:

wmcSystem7.exewmcSystem7.exewmcSystem7.exeregsvr32.exeregsvr32.exeregsvr32.exewmcUser7.exewmcProc7.exe

pid	process
1708	wmcSystem7.exe
2284	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
2032	regsvr32.exe
2740	regsvr32.exe
1492	regsvr32.exe
1988	wmcUser7.exe
1988	wmcUser7.exe
4320	wmcProc7.exe
4320	wmcProc7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

rundll32.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

wmcSystem7.exe

description ioc process

File opened for modification C:\$RECYCLE.BIN\S-1-5-18\desktop.ini wmcSystem7.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

description	ioc	process
File opened for modification	C:\$RECYCLE.BIN\S-1-5-18\desktop.ini	wmcSystem7.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmcSystem7.exe

description	ioc	process
File opened (read-only)	\??\L:	wmcSystem7.exe
File opened (read-only)	\??\B:	wmcSystem7.exe
File opened (read-only)	\??\H:	wmcSystem7.exe
File opened (read-only)	\??\Q:	wmcSystem7.exe
File opened (read-only)	\??\S:	wmcSystem7.exe
File opened (read-only)	\??\T:	wmcSystem7.exe
File opened (read-only)	\??\E:	wmcSystem7.exe
File opened (read-only)	\??\I:	wmcSystem7.exe
File opened (read-only)	\??\O:	wmcSystem7.exe
File opened (read-only)	\??\Y:	wmcSystem7.exe
File opened (read-only)	\??\F:	wmcSystem7.exe
File opened (read-only)	\??\P:	wmcSystem7.exe
File opened (read-only)	\??\U:	wmcSystem7.exe
File opened (read-only)	\??\X:	wmcSystem7.exe
File opened (read-only)	\??\G:	wmcSystem7.exe
File opened (read-only)	\??\J:	wmcSystem7.exe
File opened (read-only)	\??\K:	wmcSystem7.exe
File opened (read-only)	\??\M:	wmcSystem7.exe
File opened (read-only)	\??\V:	wmcSystem7.exe
File opened (read-only)	\??\W:	wmcSystem7.exe
File opened (read-only)	\??\A:	wmcSystem7.exe
File opened (read-only)	\??\D:	wmcSystem7.exe
File opened (read-only)	\??\N:	wmcSystem7.exe
File opened (read-only)	\??\R:	wmcSystem7.exe
File opened (read-only)	\??\Z:	wmcSystem7.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

wmcSystem7.exe

description ioc process

File opened for modification \??\PhysicalDrive0 wmcSystem7.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	wmcSystem7.exe

Drops file in System32 directory 13 IoCs

Processes:

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exewmcUpdater.exewmcSystem7.exe

description	ioc	process
File created	C:\Windows\system32\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\SysWOW64\HuRMS.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Windows\SysWOW64\wmcUpdater.exe	wmcUpdater.exe
File opened for modification	C:\Windows\system32\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\SysWOW64\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\system32\pcinfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Windows\SysWOW64\pcinfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\SysWOW64\pcinfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\system32\HuRMS.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Windows\system32\pcinfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Windows\SysWOW64\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Windows\SysWOW64\wmcUpdater.exe	wmcUpdater.exe
File created	C:\Windows\system32\cbregistryevtmsg.dll	wmcSystem7.exe

Drops file in Program Files directory 64 IoCs

Processes:

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exewmcSystem7.exewmcSystem7.exe

description	ioc	process
File created	C:\Program Files\WW2017CF\wmcService7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcUser7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcWatermark_DLL64.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Info\Admin.opt	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\TGT2.ini	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\TGT2.ini	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Info\MachineSWInfo.opt	wmcSystem7.exe
File created	C:\Program Files\WW2017CF\wmcDataBurner7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\WM7F.sys.w8_x64_Signed	wmcSystem7.exe
File created	C:\Program Files\WW2017CF\Info\DatBackup\SoftwareX64.txt	wmcSystem7.exe
File created	C:\Program Files\WW2017CF\cbregistry.cab	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcWatermark764.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcRCSlave7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcWatermark7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcWatermark764.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\WM7F.inf.w8_x64_Signed	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\cbregistry.cab	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\PolicyViewer.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Version.dat	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcEnterprise.dat	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\WM7F.sys.w8_x64_Signed	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\Info\PCInfo.opt	wmcSystem7.exe
File created	C:\Program Files\WW2017CF\FoxSDKU32w.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Info	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcEncryption7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcMemmgr.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Info\DatBackup\SoftwareX86.txt	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\Info\BootInfo.opt	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\WinNetDaily.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcEncryption7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\FoxSDKU32w.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Policy\System	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcMemmgr.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\WM7F.inf.w8_x64_Signed	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\Policy\System\PolicyContainer.opt	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\cbfsfilter2032.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\cbfsfilter2032.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\PCInfo7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Policy\System\PolicyContainer.opt	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Policy\System\PolicyContainer.opt	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\WM7F.cab	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\WM7F.cab	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcService7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\Info\RemoteService.opt	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Info\RemoteService.opt	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcWatermark7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcSystem7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcUser7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\ScheduleTask.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\winet.lnk	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcHook7.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcRCSlave7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\cbfsfilter20.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\GCBClient.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcHook764.dll	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\WM7F.inf.w8_x64_Signed	wmcSystem7.exe
File opened for modification	C:\Program Files\WW2017CF\winet.lnk	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcDataBurner7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcUpdater.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\Version.dat	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcEnterprise.dat	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File opened for modification	C:\Program Files\WW2017CF\wmcProc7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
File created	C:\Program Files\WW2017CF\wmcProc7.exe	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe

Drops file in Windows directory 33 IoCs

Processes:

wmcSystem7.exewmcSystem7.exewmcProc7.exewmcSystem7.exewmcUser7.exewmcUpdater.exeScheduleTask.exewmcUpdater.exewmcUpdater.exewmcUpdater.exewmcUpdater.exe

description	ioc	process
File created	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log	wmcSystem7.exe
File created	C:\Windows\inf\oem1.PNF	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\wmcProc7.exe\20240419.log	wmcProc7.exe
File created	C:\Windows\Debug\WM7\Client\FileMonitor\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\Network\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\FileMonitor\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\Network\LogWriteTest.txt	wmcUser7.exe
File opened for modification	C:\Windows\Debug\WM7\Client\wmcUser7.exe\20240419.log	wmcUser7.exe
File created	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\SystemDisk.opt	wmcSystem7.exe
File opened for modification	C:\Windows\Debug\WM7\AutoUpdate\20240419.log	wmcUpdater.exe
File opened for modification	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\LogWriteTest.txt	wmcSystem7.exe
File opened for modification	C:\Windows\Debug\SMR7\ScheduleTask\2024_04_19.log	ScheduleTask.exe
File created	C:\Windows\Debug\WM7\Client\FileMonitor\LogWriteTest.txt	wmcProc7.exe
File created	C:\Windows\Debug\WM7\Client\Network\LogWriteTest.txt	wmcSystem7.exe
File opened for modification	C:\Windows\Debug\WM7\AutoUpdate\20240419.log	wmcUpdater.exe
File opened for modification	C:\Windows\Debug\WM7\AutoUpdate\20240419.log	wmcUpdater.exe
File created	C:\Windows\Debug\WM7\Client\FileMonitor\LogWriteTest.txt	wmcUser7.exe
File opened for modification	C:\Windows\Debug\WM7\AutoUpdate\20240419.log	wmcUpdater.exe
File opened for modification	C:\Windows\Debug\WM7\Client\wmcProc7.exe\20240419.log	wmcProc7.exe
File created	C:\Windows\Debug\WM7\Client\wmcUser7.exe\20240419.log	wmcUser7.exe
File opened for modification	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log	wmcSystem7.exe
File opened for modification	C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\wmcProc7.exe\LogWriteTest.txt	wmcProc7.exe
File created	C:\Windows\inf\oem2.PNF	wmcSystem7.exe
File created	C:\Windows\inf\oem0.PNF	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\FileMonitor\LogWriteTest.txt	wmcSystem7.exe
File created	C:\Windows\Debug\WM7\Client\Network\LogWriteTest.txt	wmcSystem7.exe
File opened for modification	C:\Windows\Debug\WM7\AutoUpdate\20240419.log	wmcUpdater.exe
File created	C:\Windows\Debug\WM7\Client\wmcUser7.exe\LogWriteTest.txt	wmcUser7.exe
File created	C:\Windows\Debug\WM7\Client\Network\LogWriteTest.txt	wmcProc7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmcSystem7.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	wmcSystem7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	wmcSystem7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	wmcSystem7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	wmcSystem7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	wmcSystem7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service	wmcSystem7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	wmcSystem7.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ContainerID	wmcSystem7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	wmcSystem7.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exerunonce.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\2	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\1	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

cscript.exewmcSystem7.execscript.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs	cscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000b403811f0192da01	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\474A91C\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	wmcSystem7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\474A91C	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\474A91C\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	cscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\474A91C\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\474A91C\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "6"	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wmcSystem7.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{a5bee7f6-0000-0000-0000-d01200000000}\NukeOnDelete = "0"	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	cscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\474A91C\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	wmcSystem7.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\474A91C\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs	cscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\474A91C\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	wmcSystem7.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	cscript.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exeregsvr32.exe8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{626BC99A-6FF2-4CFC-B027-66D618CFD6DE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA68A3FF-C69C-4FE8-947B-BD561EE15EFA}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA68A3FF-C69C-4FE8-947B-BD561EE15EFA}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxBurnerCOM.FoxDeviceCapabilities.1\CLSID\ = "{8E0FC6DA-5E53-4F8B-A139-BFF7ACE28FC6}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E0FC6DA-5E53-4F8B-A139-BFF7ACE28FC6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxBurnerCOM.FoxDiskSession\CLSID\ = "{F46F6141-7C9C-4d70-911A-E49CE2ADA922}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46F6141-7C9C-4d70-911A-E49CE2ADA922}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D0521D27-066B-4207-900B-6C3DF64B3CA0}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{90FDB7BD-EB76-4AC9-8385-D1EE80BBCDCD}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF814B45-2ED1-4471-B151-89E6D49AD3E5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DBAC3AFA-8540-497E-BB31-D6A8667A43AF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F066CCAD-163A-4617-BA3C-BA4A4F80320C}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CA6D55E7-F279-42BA-AEC5-5338C5CE5B30}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0A61B00-96A6-457F-AA5E-AFA5167852E5}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E0FC6DA-5E53-4F8B-A139-BFF7ACE28FC6}\ProgID\ = "FoxBurnerCOM.FoxDeviceCapabilities.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D3E95E1D-D003-42A0-91FD-465DC624BC7A}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231D1CF6-C578-411D-9B9B-48264355805D}\VersionIndependentProgID\ = "Xceed.SHAHashingMethod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wm7e\DefaultIcon\ = "C:\\Program Files\\WW2017CF\\wmcEncryption7.exe"	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxBurner.FoxBurner	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E0FC6DA-5E53-4F8B-A139-BFF7ACE28FC6}\ = "FoxDeviceCapabilities Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EA8B5033-ADA7-4B06-B5D0-8BC7C13909D2}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A02A65C1-50E4-4E5D-B9D0-625D5DEBC671}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BBBF946-057B-4B1E-BCD4-5AB8F32DB7A1}\TypeLib\Version = "1.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jm7e\DefaultIcon	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA68A3FF-C69C-4FE8-947B-BD561EE15EFA}\ProgID\ = "FoxBurner.FoxBurner.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxBurnerCOM.FoxDeviceCapabilities\CLSID\ = "{8E0FC6DA-5E53-4F8B-A139-BFF7ACE28FC6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.RijndaelEncryptionMethod.1\CLSID\ = "{BBA63CAC-9913-4A13-9212-E97BB70C05C9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CA6D55E7-F279-42BA-AEC5-5338C5CE5B30}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0C8D3206-4A88-43D9-BB91-0ECC8C5F79CF}\ = "DXceedRSASigningMethod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jsef\Shell\open	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46F6141-7C9C-4d70-911A-E49CE2ADA922}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.HavalHashingMethod.1\CLSID\ = "{A02A65C1-50E4-4E5D-B9D0-625D5DEBC671}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6081A14B-77EC-4451-ABA0-20957C818BFE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6081A14B-77EC-4451-ABA0-20957C818BFE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jsef	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8E0FC6DA-5E53-4F8B-A139-BFF7ACE28FC6}\AppID = "{C6EDF056-F922-4B2E-A7A7-03DA4CC5518C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.SHAHashingMethod\CLSID\ = "{231D1CF6-C578-411D-9B9B-48264355805D}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6081A14B-77EC-4451-ABA0-20957C818BFE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C8D3206-4A88-43D9-BB91-0ECC8C5F79CF}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.jm7e\shell\open\command\ = "C:\\Program Files\\WW2017CF\\wmcEncryption7.exe %1 decrypt"	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46F6141-7C9C-4d70-911A-E49CE2ADA922}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.RijndaelEncryptionMethod\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7BBBF946-057B-4B1E-BCD4-5AB8F32DB7A1}\TypeLib\ = "{55A560A7-E3F9-4790-8D22-F3A97009AC8F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA63CAC-9913-4A13-9212-E97BB70C05C9}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BBA63CAC-9913-4A13-9212-E97BB70C05C9}\InprocServer32\ = "C:\\Program Files\\WW2017CF\\XceedCry.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxBurnerCOM.FoxDeviceCapabilities\ = "FoxDeviceCapabilities Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.RSAEncryptionMethod\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7EC04D5B-19A8-45EE-BCB0-6FE0067F9468}\MiscStatus\1\ = "132497"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F066CCAD-163A-4617-BA3C-BA4A4F80320C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA68A3FF-C69C-4FE8-947B-BD561EE15EFA}\AppID = "{C6EDF056-F922-4B2E-A7A7-03DA4CC5518C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FoxBurnerCOM.FoxDeviceCapabilities\CurVer\ = "FoxBurnerCOM.FoxDeviceCapabilities.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.RijndaelEncryptionMethod.1\ = "XceedRijndaelEncryptionMethod Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F46F6141-7C9C-4d70-911A-E49CE2ADA922}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{626BC99A-6FF2-4CFC-B027-66D618CFD6DE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.jsef\DefaultIcon	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DA68A3FF-C69C-4FE8-947B-BD561EE15EFA}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Xceed.SHAHashingMethod.1\CLSID\ = "{231D1CF6-C578-411D-9B9B-48264355805D}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D865F1E7-BAC6-4ECA-B37B-0A5DDFF2D031}\Version\ = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DBAC3AFA-8540-497E-BB31-D6A8667A43AF}\TypeLib\Version = "1.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BBBF946-057B-4B1E-BCD4-5AB8F32DB7A1}\ = "DXceedSHAHashingMethod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065BFAE3-3448-4E31-BAAC-CB599C7AAA24}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231D1CF6-C578-411D-9B9B-48264355805D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{231D1CF6-C578-411D-9B9B-48264355805D}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{626BC99A-6FF2-4CFC-B027-66D618CFD6DE}\ = "DXceedHashing__0100"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exewmcSystem7.exewmcUser7.exewmcProc7.exe

pid	process
3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1988	wmcUser7.exe
1988	wmcUser7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
4320	wmcProc7.exe
4320	wmcProc7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe
1840	wmcSystem7.exe

Suspicious behavior: LoadsDriver 7 IoCs

Processes:

pid process

660
660
660
660
660
660
660
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wmcSystem7.exe

description pid process

Token: SeDebugPrivilege 1840 wmcSystem7.exe
Token: SeDebugPrivilege 1840 wmcSystem7.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

wmcUser7.exewmcProc7.exe

pid process

1988 wmcUser7.exe
4320 wmcProc7.exe

pid	process
660
660
660
660
660
660
660

description	pid	process
Token: SeDebugPrivilege	1840	wmcSystem7.exe
Token: SeDebugPrivilege	1840	wmcSystem7.exe

pid	process
1988	wmcUser7.exe
4320	wmcProc7.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exewmcSystem7.exewmcSystem7.exerundll32.exeregsvr32.exeregsvr32.exerunonce.exewmcUpdater.exe

description	pid	process	target process
PID 3100 wrote to memory of 3080	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	reg.exe
PID 3100 wrote to memory of 3080	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	reg.exe
PID 3100 wrote to memory of 3080	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	reg.exe
PID 3100 wrote to memory of 2284	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 3100 wrote to memory of 2284	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 3100 wrote to memory of 1708	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 3100 wrote to memory of 1708	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcSystem7.exe
PID 2284 wrote to memory of 116	2284	wmcSystem7.exe	rundll32.exe
PID 2284 wrote to memory of 116	2284	wmcSystem7.exe	rundll32.exe
PID 1840 wrote to memory of 4584	1840	wmcSystem7.exe	regsvr32.exe
PID 1840 wrote to memory of 4584	1840	wmcSystem7.exe	regsvr32.exe
PID 1840 wrote to memory of 1200	1840	wmcSystem7.exe	regsvr32.exe
PID 1840 wrote to memory of 1200	1840	wmcSystem7.exe	regsvr32.exe
PID 3100 wrote to memory of 2704	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 3100 wrote to memory of 2704	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 3100 wrote to memory of 2704	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 116 wrote to memory of 1976	116	rundll32.exe	runonce.exe
PID 116 wrote to memory of 1976	116	rundll32.exe	runonce.exe
PID 4584 wrote to memory of 2032	4584	regsvr32.exe	regsvr32.exe
PID 4584 wrote to memory of 2032	4584	regsvr32.exe	regsvr32.exe
PID 4584 wrote to memory of 2032	4584	regsvr32.exe	regsvr32.exe
PID 1200 wrote to memory of 2740	1200	regsvr32.exe	regsvr32.exe
PID 1200 wrote to memory of 2740	1200	regsvr32.exe	regsvr32.exe
PID 1200 wrote to memory of 2740	1200	regsvr32.exe	regsvr32.exe
PID 1976 wrote to memory of 4708	1976	runonce.exe	grpconv.exe
PID 1976 wrote to memory of 4708	1976	runonce.exe	grpconv.exe
PID 2704 wrote to memory of 212	2704	wmcUpdater.exe	wmcUpdater.exe
PID 2704 wrote to memory of 212	2704	wmcUpdater.exe	wmcUpdater.exe
PID 2704 wrote to memory of 212	2704	wmcUpdater.exe	wmcUpdater.exe
PID 3100 wrote to memory of 4020	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 4020	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 4020	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 2168	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 2168	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 2168	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 4240	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 4240	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 4240	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 2680	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 2680	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 2680	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 4068	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 4068	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 4068	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	netsh.exe
PID 3100 wrote to memory of 1492	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	regsvr32.exe
PID 3100 wrote to memory of 1492	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	regsvr32.exe
PID 3100 wrote to memory of 1492	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	regsvr32.exe
PID 3100 wrote to memory of 2588	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	ScheduleTask.exe
PID 3100 wrote to memory of 2588	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	ScheduleTask.exe
PID 3100 wrote to memory of 2588	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	ScheduleTask.exe
PID 3100 wrote to memory of 1868	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 3100 wrote to memory of 1868	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 3100 wrote to memory of 1868	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 3100 wrote to memory of 2208	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 3100 wrote to memory of 2208	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 3100 wrote to memory of 2208	3100	8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe	wmcUpdater.exe
PID 1840 wrote to memory of 4496	1840	wmcSystem7.exe	cscript.exe
PID 1840 wrote to memory of 4496	1840	wmcSystem7.exe	cscript.exe
PID 1840 wrote to memory of 4276	1840	wmcSystem7.exe	cscript.exe
PID 1840 wrote to memory of 4276	1840	wmcSystem7.exe	cscript.exe
PID 1840 wrote to memory of 2868	1840	wmcSystem7.exe	cscript.exe
PID 1840 wrote to memory of 2868	1840	wmcSystem7.exe	cscript.exe
PID 1840 wrote to memory of 1292	1840	wmcSystem7.exe	netsh.exe
PID 1840 wrote to memory of 1292	1840	wmcSystem7.exe	netsh.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

wmcSystem7.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer wmcSystem7.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer	wmcSystem7.exe

C:\Users\Admin\AppData\Local\Temp\8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe
"C:\Users\Admin\AppData\Local\Temp\8f45f898226a5d7ee206ce2cba141d03a47fd4ca2d82713378981c767378d55d.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3100

C:\Windows\SysWOW64\reg.exe
C:\Windows\system32\reg.exe export HKLM\SYSTEM\CurrentControlSet\Services\Win-Win7 "C:\Users\Public\SMR7\Debug\WinWin7.RegDebug.log"
2⤵
PID:3080

C:\Program Files\WW2017CF\wmcSystem7.exe
"C:\Program Files\WW2017CF\wmcSystem7.exe" -di
2⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2284

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe setupapi.dll,InstallHinfSection DefaultInstall 128 C:\Windows\System32\drivers\WM7F.inf
3⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\system32\runonce.exe
"C:\Windows\system32\runonce.exe" -r
4⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1976

C:\Windows\System32\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
5⤵
PID:4708

C:\Program Files\WW2017CF\wmcSystem7.exe
"C:\Program Files\WW2017CF\wmcSystem7.exe" -ai
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
PID:1708

C:\Users\Public\SMR7\WM7installTemp\wmcUpdater.exe
"C:\Users\Public\SMR7\WM7installTemp\wmcUpdater.exe" -smr_inst
2⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2704

C:\Windows\SysWOW64\wmcUpdater.exe
"C:\Windows\SysWOW64\wmcUpdater.exe" -smr_inst
3⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:212

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="ICMPv4 Inbound"
2⤵
- Modifies Windows Firewall
PID:4020

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMasterServices V7 Client7"
2⤵
- Modifies Windows Firewall
PID:2168

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMasterRC Slave7"
2⤵
- Modifies Windows Firewall
PID:4240

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMasterRC SlaveX7"
2⤵
- Modifies Windows Firewall
PID:2680

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMasterFT Slave7"
2⤵
- Modifies Windows Firewall
PID:4068

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /i /s "C:\Program Files\WW2017CF\FoxSDKU32w.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:1492

C:\Program Files\WW2017CF\ScheduleTask.exe
"C:\Program Files\WW2017CF\ScheduleTask.exe" -SetSchedule
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2588

C:\Windows\SysWOW64\wmcUpdater.exe
"C:\Windows\SysWOW64\wmcUpdater.exe" -smr_run
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1868

C:\Windows\SysWOW64\wmcUpdater.exe
"C:\Windows\System32\wmcUpdater.exe" -smr_run
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2208

C:\Program Files\WW2017CF\wmcSystem7.exe
"C:\Program Files\WW2017CF\wmcSystem7.exe"
1⤵
- Modifies firewall policy service
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1840

C:\Windows\System32\regsvr32.exe
/i /s "C:\Program Files\WW2017CF\XceedCry.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:4584

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\WW2017CF\XceedCry.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2032

C:\Windows\System32\regsvr32.exe
/i /s "C:\Program Files\WW2017CF\FoxSDKU32w.dll"
2⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Windows\SysWOW64\regsvr32.exe
/s "C:\Program Files\WW2017CF\FoxSDKU32w.dll"
3⤵
- Loads dropped DLL
- Modifies registry class
PID:2740

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
2⤵
- Modifies data under HKEY_USERS
PID:4496

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
2⤵
PID:4276

C:\Windows\System32\cscript.exe
C:\Windows\System32\cscript.exe "C:\Program Files\Microsoft Office\Office15\ospp.vbs" /dstatus
2⤵
- Modifies data under HKEY_USERS
PID:2868

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name="WinMaster Client7"
2⤵
- Modifies Windows Firewall
PID:1292

C:\Windows\system32\netsh.exe
"C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="WinMaster Client7" dir=in program="C:\Program Files\ww2017cf\wmcSystem7.exe" action=allow enable=yes profile=any localip=any remoteip=any protocol=TCP interfacetype=any edge=yes
2⤵
- Modifies Windows Firewall
PID:2932

C:\Program Files\WW2017CF\wmcUser7.exe
"C:\Program Files\WW2017CF\wmcUser7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1988

C:\Program Files\WW2017CF\wmcProc7.exe
"C:\Program Files\WW2017CF\wmcProc7.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4320

C:\Windows\SysWOW64\wmcUpdater.exe
"C:\Windows\SysWOW64\wmcUpdater.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WW2017CF\FoxSDKU32w.dll

Filesize
2.9MB

MD5
25e0bf4889612fc23561d79c942ada1c

SHA1
f9428cc4f4a9640a244875687178b43a74f4211e

SHA256
3a69e8fa1426b7cc4b837875c0bb5ca19f6b93fe49172f3e2dfa14256fd32d30

SHA512
8c4f6608b2e9930d38b8064a881b7a849b2f8f2222dfcd8915bf137a8ab4a616db56fc784c80600036dbcaa0351946171f17cd7160a8295a2310eed0efa9677d

Download Submit
C:\Program Files\WW2017CF\Info\PCInfo.opt

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Program Files\WW2017CF\Info\PCInfo.opt

Filesize
174B

MD5
fde00f4306defe2c11c143041ded9c42

SHA1
95ca01b82028932df0b9828e9dc9cba3156c1e92

SHA256
1ba7c4fc50c47c4ac7b0269dc631ce26e73c4c416ad8dce067aca466544985f8

SHA512
9d04984d526cab17917549c1e7f9c51ad2398fe2b79fa531c71c551466055b193f6bac9ace1c7f57b683665b09d3fee8f1dbbdb4c5612d7b17a89528065eb712

Download Submit
C:\Program Files\WW2017CF\Info\PCInfo.opt

Filesize
208B

MD5
f7ec61bf606209cc8be7f459085e7f1a

SHA1
fc5a5d5b576fdb2047e418d912633cdb3d34c8b4

SHA256
ad749280bb90a5c11c269cd152647acf960ceb5c7f11ae33b57463a5f5e38c9d

SHA512
320b4d3a5aff8dd22473feebdaed71add370526ad9f464d5655c3f1469503087f3f1502f81e230e7011f7fd184efdfaeecec549a2910a139e318b2cccc191158

Download Submit
C:\Program Files\WW2017CF\Policy\System\PolicyContainer.opt

Filesize
7KB

MD5
c55138e1122f0559f0152cf4b610743b

SHA1
4fa103f965ff924634f8f364d967c59ef16354e0

SHA256
c0d2bfed76f1f3589a0d16966075c0843b44d3a2a2efd728a3d33d53242eeaf1

SHA512
31d588563fda73e75f1100848be7a6aea234fb8e0cbc1a90fa697478436740e106e526a9c96ad8024446d79e38d85375eb9d5d135d77c2f9bf32dc9537036d0a

Download Submit
C:\Program Files\WW2017CF\ServerSchTask.dat

Filesize
60B

MD5
aca73f319209e2556b36c21030592252

SHA1
2e5fe3b619642158dd224e189b9492eb0ceba7ee

SHA256
d7a6e2f0cc0f34b8c4a616516ccdbedb563acfc91de72ee9a3c2cf26da70efbb

SHA512
85de70bcc089fa308b8b3a68cbb924ab4473fb34c2fe2627856bbce9a4114dba7b254e9ea3992038bde65d5717e6242b7fe592b9676eea542a10d4be9ee8f366

Download Submit
C:\Program Files\WW2017CF\TGT2.ini

Filesize
272KB

MD5
14b6600ea20ecf376cc0916adca4664c

SHA1
1a2e60830b18d3938b92e9fdecaca4fc64adb9c3

SHA256
50f17744a841e27360e8d109fe2e4b81cb488a5ea420ef85f53ef307fc5c3aaa

SHA512
f96b706f17745013add0214383598341e6d726a1ff24c9ff782ec45356fa517fd038d1f52de0e3d1c29c3adcdace3df42055d324499a20ff600e14c8e82e10d4

Download Submit
C:\Program Files\WW2017CF\Updater7.ini

Filesize
81B

MD5
70f1d3e435ad52f73b9a2fd99bda7215

SHA1
07e524460d637d2356a70c6a8c2f9e45f9c37acd

SHA256
8d91d4d13ccb53493e472cd5f87fca17e0773d4864ba9f6e44979313cd56a822

SHA512
7d1524094ffd0dfdef9e39fb768824e48e7895d46f8bd0f636ef712861b944acc8c6f33d1280377131121824033c448a99563d8afc3a2b1a37f13a094058b0d2

Download Submit
C:\Program Files\WW2017CF\Version.dat

Filesize
28B

MD5
0a84c17c042db33f179b9680df1fce17

SHA1
b3bfb5c4c6cf96c84d8e6db7beb055df141060f8

SHA256
3078e46ad036eec394117cb3832c5883a3174173d9fdaa430d12d3d7e6bff2c2

SHA512
c283436036dfa937c20aa8d7bb6776fd6fc53f46f66e9e7e3b60d33003c2702ad4e706953a4057a2cbd83d3abcbbaf14c0377846963c0e4b4ec2d440ab57f8cd

Download Submit
C:\Program Files\WW2017CF\WM7F.cab

Filesize
564KB

MD5
d2b5469d6d6f602e9b088ee24e3a1e4c

SHA1
e9ea2fefffe528190f744986ca19aebd57276425

SHA256
2cab26da7d4a72dc92b9d3310784017cd7603863a7ed4aac8d3a2508e289909e

SHA512
f0270d78e1d5ccb6d7d542551182a1c20378c7ed5d94dfdb901e95fc2cef40ef80a322ead9ca802a124ccdd0575d26876012999166cc092ed011fac48085d667

Download Submit
C:\Program Files\WW2017CF\WM7F.inf.w8_x64_Signed

Filesize
2KB

MD5
cf9c0d78656c6c534dd507a88c99ac72

SHA1
f073d26c447ce6468ecb68948886f7adb40ed604

SHA256
ae6429929cf3419798fe6cd59bbd8c7c492c92e79dd6d32df368aa5c09264360

SHA512
4edb5eec216318ff0f514c9069c63a3a7a44f516915987d3e6fb8d27793679f6a0ef2a8dfa2d20bb85768cf53985c7f274d43eea47231072db3c6eaaaa824cd3

Download Submit
C:\Program Files\WW2017CF\WM7F.sys.w8_x64_Signed

Filesize
143KB

MD5
28772736ac10bcca04987cc215a5065c

SHA1
6ba6602f718b7fe6f1ce9d65ed86ea84d7755dac

SHA256
3545f4c15ecdff64b5d44f9505a002d3549b05a5a52a6fdc975db5d2dbe0efb8

SHA512
3188d3da55641f916ca68ba26c4a6208853c57e57be5661ee4e3b2e33749d7f089c669cfef624d230640a93513c22ac803287b9f6910772f49bbcbdbe03dfb3f

Download Submit
C:\Program Files\WW2017CF\WinNetDaily.dll

Filesize
7KB

MD5
6dc31af9f2b09740922065ea28b5eb3c

SHA1
4a1c267b30535aef8c3109f2104da9dd01c17f0c

SHA256
869941e24817fce286963877bad58b0de73486de1bcbfcc7f7d2f9056d514745

SHA512
4303263999c61414c6f29949c70c6cdc6a96cdf210708a39c84b0037a08a108c807a7f03620b7d3303449610c0cfe0ba4fb518e9f37917f983bc70a1e21a6321

Download Submit
C:\Program Files\WW2017CF\XceedCry.dll

Filesize
513KB

MD5
2c0c746eecffdcedd18450659f3a8ee6

SHA1
68dcbd003837545a07608ed3f2efa77612c30456

SHA256
ff9722c64be81caad50e14bb3f50f345b4a30ca76c87113292ff852e934590b3

SHA512
ccc2a0f7d3f18eb1ff3506cc8545e7fa72b05758bfeb8b5e8348de4f7648ff57deba69839f8b7d7a350d6cb383030267e81bb3d274aa62f1e9a6002d5b2a7751

Download Submit
C:\Program Files\WW2017CF\cbfsfilter2032.dll

Filesize
512KB

MD5
4efb2a895ecd3792eed52e850af847c9

SHA1
74e43921d052fecf4190c813c9ee56b37d79dea8

SHA256
8a21206fe6d151d5c18fa48d8bb6cb600190bdf62999c6cc7e53a31b8fcdc72c

SHA512
40a90f67830d7f1415f9781ccb09f2ec68b075004db238aadd09afb7a1b11b61c266d25f60c96966b0eb0aa3ed1531e2f9b04e4d1b2fe753cda68a59af26e6f6

Download Submit
C:\Program Files\WW2017CF\cbregistry.cab

Filesize
277KB

MD5
cbf0c82d8867a425a0a04527e89425f1

SHA1
7c946358da28fb35b62755e3854edfd349f8bf84

SHA256
ce731190ee0d63e9051b1ea58f305d49256a799e170de45baa3a5bc1b0bb5e9c

SHA512
e793e4ec38e8d031c568a94b559053504b44b0f5938d71ddedea2b09996e9cdb472f976f181f24e3a53c6c621d3936a7ed955e716e8d10b8867c39b45570dbf0

Download Submit
C:\Program Files\WW2017CF\winet.lnk

Filesize
748B

MD5
d34cbdf1a37e06133cf75c17eebbf58d

SHA1
db861919287928e8a5efeb930056c96bd9c815c3

SHA256
a55978e4257023fb61896e82bf006ca4d1a9a5b9c7994042355339ae688b0147

SHA512
dac577250345d2d5a40c8c96eeb489f19de1b3c7a3aee87e31146870216176bc9fcf94decbe1fee4dba60bc7a6b88fa2ff5d0b926097ac86ea9c47c1d62e372c

Download Submit
C:\Program Files\WW2017CF\wmcHook7.dll

Filesize
423KB

MD5
9e1a5b9ef4c6351c410c822b8796c4d0

SHA1
5feb7c8f985578125c4b345b16111a69546fa6a0

SHA256
a1a4069af1e1202c90db189f26f355bcc1c0ecf1c9692d25ce1e599f0e0fc423

SHA512
fa65065703894c185f6b14777f665462963fd03fe4e37bc2ec235a0c98be7c8e5674c9040da2a2a2f1d9f5e817367d47320080dbaeae6cca527c3e17ffa4a516

Download Submit
C:\Program Files\WW2017CF\wmcHook764.dll

Filesize
448KB

MD5
d39e398dc52861911471073da71b323c

SHA1
5dd07ad79e641eee93f0ee34c8d6a5e5b9d99c35

SHA256
ffbe1d91088c7b3e9216670ee6830a1299f621d01491f414c6215b280f6684ed

SHA512
3c5ff20c47040d692ac94821d9d4074347be072caf1ae0c745875043c405b66fee46a3d0196c751d48085206f15699683740d426ec22c3dcb9bf1278aca13950

Download Submit
C:\Program Files\WW2017CF\wmcMemmgr.dll

Filesize
197KB

MD5
d99cc965d90cc82bdb8fe4a11e091cd0

SHA1
2b3a7a2f09198652d35d93f1a6d62341879737c7

SHA256
f206cfa152dab26959af921765fe722b4e401c99f3da243f1253ad510dee5f41

SHA512
294765c3fe81ac3eeefc2c7e0c7b5bf2026813a5e51ef346f7ccefbe037aa4f716af1efedce68c50529e03c99897e271f6a91bdeadf67505f52d204bfd4b065d

Download Submit
C:\Program Files\WW2017CF\wmcMemmgr64.dll

Filesize
210KB

MD5
3bd82a3c60313298df8a40d86189c8c1

SHA1
781cf701f9e9973075385bc91eb2d42daada3dd7

SHA256
2dab7cbdec521b78a64e1ef05090e0b3a3ffab98bfcd4bb649d4b9c0d7dfbdf4

SHA512
e4aeedb8810d74baf52f389ab649d0cca66baeacf2f12c8b39ddf85a34ba843c1336cf87712c476c12bf8e05779b6c53a534ca07652b61c2a218a844ad05c2a2

Download Submit
C:\Program Files\WW2017CF\wmcWatermark_DLL.dll

Filesize
133KB

MD5
7177157c26a832403751cdcb6363088c

SHA1
52180deea01a7a6196873340df05360dd57a97ee

SHA256
387426e026dc7f3aee8d8c01ccaae1a7b2db66a37d65d2992bb069af13ffd63f

SHA512
ab438eca268e334412be9d84cd2993b32e5bdc6bc824624cd7e045741801c4a3e56e0f8f94371f2667f50a2220b8a096efbdcb422da681d476ef9ef8beb8ddcd

Download Submit
C:\Program Files\WW2017CF\wmcWatermark_DLL64.dll

Filesize
138KB

MD5
e76918b7c29c4b949ec96b67ee6027c1

SHA1
010ff58cf3738d88ff4f0bf1785c36433c1d89c9

SHA256
a89ac5d2162a341c829729b882142b6fd3fb542a70f5611b65e22e3481e33607

SHA512
66026a6e5502dd0a227cec78c62ade211bca960347e9655b18a2cefef49a9ec0adaea98c1d19b776fc020b1a14e46f8a61165444a11ffe3dd3abf57bcfdfc8f5

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_66f3ac8f-aa40-456a-9a7d-d8b3ebc9da1b

Filesize
1KB

MD5
659173be222dec7763319879ff523c2e

SHA1
96931ccc93b27ad4f33f4d0a53acd068056a4f20

SHA256
813357da36b61c69b76677d38a6dcd4700bb7c7e4fac220f5d9f7f2dae963b68

SHA512
a6c64a4d687660a830667a2e361a03cb07ddaeef1ea6a367de7ca0b7ebbd23ac0c6bcfbdccc037fb140111945e5fb8852b9d54e1ac8b545bb777b9fc24beefd6

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\fc1e3851f429ea606d6ff1e01a5229f1_66f3ac8f-aa40-456a-9a7d-d8b3ebc9da1b

Filesize
1KB

MD5
d3a556fc7490114f9e9eea60e176e5df

SHA1
b1bc426d4ff44564d0f0f315fa54eb1f0845a9a2

SHA256
e8916f54189be8b97dfeeae0553ad3c2c05e8f9165ee383dac539487ae93cf55

SHA512
a20505d1a69fe341cfe3e8352cad6d8c8b89af7a65b999a37829ab0d9ea89306fede45e792132e7fbec9ec2294f79fcc80941151ba6de2fc196edddcbac0cd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\REGA79A.tmp

Filesize
5KB

MD5
d16d2b762f5aeb097ebc00ee8c8b258b

SHA1
6c6d2007cfab83856542edbc4417c729e0e4f3cd

SHA256
0fa2070c0ef388680f96192da85e24669962ac20bdee8bcd021638414caefebd

SHA512
5d155222ec97b419b7f3596a45a03d314c0237f3db464b0f290fe61c25ab94345147f47a008601b66438f249d0bae49df017273fcabf171a781e50e1825c5cf1

Download Submit
C:\Users\Public\SMR7\Debug\ManualUpdate\2024_04_19_RSMDTHRA.log

Filesize
4KB

MD5
2522f0406e670c055f4fc9ce377a9778

SHA1
f3bd5476934289ec4d67a12e713899e3278a6e1c

SHA256
cc1985916b6ccbae52f72051e67f948ece1b088a608891c970fb0a38c1427cff

SHA512
f257c1c6ca4d043840ffb7d33f1c3e7bc4076c8055e7a739b4629c9fac90224e6bb682f0ce808dc3a6697e9b9e63208b5dd1b8ab430d740c4e5d5e5a4fd9e628

Download Submit
C:\Users\Public\SMR7\Debug\ManualUpdate\2024_04_19_RSMDTHRA.log

Filesize
2KB

MD5
8e892e39c10df6b8e8dbc52569f88487

SHA1
49aebf9151e8b8b362aafda13289c85045d044f3

SHA256
ed434fd1b364d7345eca85bac6cc1e338d11d1e0ec63acf2e781d62b5b301aea

SHA512
b04b7c9dae2dd7bdb92af16d6b30a0b644cab98e663c4913b6948e11c7a270b0cef041a59763b0f89ba6be1d9ee29383cabda50634ba84c9823c0eb9e8ee8894

Download Submit
C:\Users\Public\SMR7\Debug\ManualUpdate\2024_04_19_RSMDTHRA.log

Filesize
3KB

MD5
4ec2bf529ae8b5e54c2234f1c42a881e

SHA1
24382483e377fd0686953713929563070ade1933

SHA256
1a9a13a37492ab99623c6d2a24258bb446d7cbbd122f167e83487cf7a27b6652

SHA512
f93b0dab3d5a4c9a5f698e1ae338988399fd2de488da20f2caf198da0acf0751a924774ea9f7bd659352b7e445b9056652a7e4f37beaff243a398cd7bad2dd62

Download Submit
C:\Users\Public\SMR7\ManualUpdate.ini

Filesize
4KB

MD5
4263dd8e8eda252cff15a50ee523acb4

SHA1
d5afe9e071be018d8fddb905f06949c4c3b5f906

SHA256
1ea758d73e1910637b716738a11ac609510b0e4e941bb47d699ab03ee725bbaa

SHA512
76f5b52afc58fcb1aff214827594b0be9671086210b0801f021d432c7ba6c58126ae96e921131434e6e9657249752d13389c9ee7b8ea26aaad89d0cbda5fca33

Download Submit
C:\Users\Public\SMR7\WM7installTemp\GCBClient.exe

Filesize
793KB

MD5
955dc3b296d89da2c9034adc0f71ea71

SHA1
4dd92fa858e9561a7ab8edfcfc5b4a8ac08228b3

SHA256
4bfd032d891f8d9686dbbb098935db02e948e988b18fa8e22396f55e7f9194bc

SHA512
01866266256015eb1f41ce51ef86f065a09b2026523a885c848f8baada2aea9cf54b4a6662eb8d21bb36f739561181b8b823d8e13219af2c92a7e8d85f1d632d

Download Submit
C:\Users\Public\SMR7\WM7installTemp\Info\RemoteService.opt

Filesize
44B

MD5
21f084d77a7851f7bdc063d42edc02a9

SHA1
a018660ab7e63050facd2a9234bb739ae37dafe0

SHA256
594045032987458e03e396b7a40673138cb71ed175e9b71c2d29f8e31096c463

SHA512
82791e2b6ee4a14e8d408df0dcc4ba4102fd943e2bda5913e320f19d2b10ac0cd53b88a5e6bbc028b72f06a4958a21527d863bc568ec40709b56093a660737ce

Download Submit
C:\Users\Public\SMR7\WM7installTemp\PCInfo7.exe

Filesize
120KB

MD5
b163e896a74ee9becad5770c34bce10c

SHA1
4d166a080385acdeb115fcdb8b8acee428f196db

SHA256
e0ad39c486fa93799f3ce4019687027b9dda7f3b69a5e5d572c9cba775931979

SHA512
d65f7d4f1a33011a7c0a59c864d39d4bb27138bf158818d11e34fc4659f4d0cc9bedf77a44eddce6906f785e0bac9b329a86c9b48e4125bdbbdcb630da1e887b

Download Submit
C:\Users\Public\SMR7\WM7installTemp\PolicyViewer40.exe

Filesize
76KB

MD5
3a1b35c59faee8f49564a844886c5e2f

SHA1
71eed14b8c1b39c74ff7a8d7f18555ab428e165b

SHA256
e836912ef4f75b7e208539fc0af37092e3a5b36e36324154e3ac5e270de826c8

SHA512
f32c8d0cf7464d6358328f57a5ded664a034931f47f52434343958adc6451ca4f6747faab5c307df0ed1db0f941d9dea31e110d74f01394a96faf51d325a9049

Download Submit
C:\Users\Public\SMR7\WM7installTemp\Policy\System\PolicyContainer.opt

Filesize
7KB

MD5
8b1bc4e30ea55792e78a657796e5994d

SHA1
e7701910505add5f92e06bbb59e31ff16037e534

SHA256
bed0748239cc31454b02be10bc82718eceff704d12ebb908b0b3608732f373bc

SHA512
05dba20e29ce39e6be3ba4b08fb10a73cc1527fbd32fe92d7643ba0559c3494f3783b6e9ee22ba4fabe6ebef8e4e669ccc63d94e345bcaa7499894f1ceda43a7

Download Submit
C:\Users\Public\SMR7\WM7installTemp\ScheduleTask.exe

Filesize
127KB

MD5
97b22d17f9b149e0abf2a9d1406afab0

SHA1
30bd9f4f5270fbe57983d60d7b5549f1e8caecba

SHA256
a599d8ec969c3fb73bb07371455aedfe7fa9037f906afa0235ab8d16e3e28aec

SHA512
f3c8cd68e797f23e16d8f0e2e7477238b236913f9f129548296b24c1f8ab8afa2fb0e8a7eb77baed492fad9cac5e9420b2fd65a755352ed506a81ebda87b3cd4

Download Submit
C:\Users\Public\SMR7\WM7installTemp\cbfsfilter20.dll

Filesize
763KB

MD5
be8818d3615195035cd9975c47204a85

SHA1
309e2195d53f486afe3f87ed186dcc39ff79c7d9

SHA256
2340772c80a5f90801d307f1e8f3ff4e77d6fd0f7d643a837e429129988c1e8a

SHA512
7b1ab6fe500edba69a792daf6a06c2d17a43ccf89f4ee8c65fb1ca162beca027a02a9b89e95fde9bab8789f2de3eb677ab7fb4d1d8f3ca000b8d4a2e4035b344

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcDataBurner7.exe

Filesize
322KB

MD5
bc373622942e7bb98d1c6a40628091fe

SHA1
2f664a2ad3dd493d1f0a5fb160c76dbed57afda7

SHA256
f2632ee75380f8eeea75e5102666eb7e8f8cfce92537aed5f4562be2d6089388

SHA512
6cf923110deae8bf6d3308aa3a980bedfa2f0d5d3372ae56a64a843bbed877e4f5ce4f39531be874421a32f8d29b099a9846c66e468d06489e502078158ff59a

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcEncryption7.exe

Filesize
257KB

MD5
e971355a07d27067788d7513c82845a6

SHA1
3a41aaff4a2a79670a70680ada85f59a2970bcc5

SHA256
e821bbb7eaa0859b66f26df15d860d3a10eec4d78e8d9c126cb6f5f4b5a68892

SHA512
9a3815a029e2168111c130c951e0131ad83f6ddc7a178f39964e153bbb342fc80c90ae33234522efe0228e502627342f2f5517928b4f6f203dc8f85ff55795c5

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcEnterprise.dat

Filesize
736B

MD5
b215c2a72a1d4ac359c51182cb3fde98

SHA1
d025ca51263bdfd798f03f642af2be4895ca5bde

SHA256
9c95f735068e012e5c2ed99b3ef51a75cfc774d65b8148db5aa22083fbc2fcf8

SHA512
8895e8ac8082ff2ef9d25e7f645802efe96ebc7a2147c8c488a4842ce734c121a1be8aa6a403efb86a0a470c1ff5a30f24d6e280209d5f1a097d0774dc40d3c4

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcFTSlave7.exe

Filesize
243KB

MD5
51020d430cd5852d3c7fe425ea7f6a56

SHA1
c65d32af77862285e9a253a289954d098d5c638c

SHA256
e7c79144e5a4ab3b25be63483f0dd3c9c3fc425aaf874bab115e048a7dc1a6b8

SHA512
c915bd542d1ee4973a87591f22f7f022a7320d989e283a19499af4f38372a212ef034fcb2a944993076700b55f698e9a422d1aaa12710f0c5ed1c4026cd30604

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcProc7.exe

Filesize
234KB

MD5
c72ccf056fdab14bb32db2c927ad565b

SHA1
a3b32c261924033988df8d7d4d86c3d094e6dfc0

SHA256
067d44a12608082eed7eb21e23135c523e7a6af5f37a604fbb2fa2b28f687ab4

SHA512
61e35a07547eb4cbba68c1161a11a1cca270888be8c3f02c973d275349af563065ce243870e04175bf342748a1a25e9d3175a8609d351cbd6befe54d1a405bb2

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcRCSlave7.exe

Filesize
296KB

MD5
76c29dd7640dea18fde4a616e5be447e

SHA1
b67ea85893604dd236ffb9632c0cc83924f0c9c5

SHA256
b4a4788f4522b0ecc66c45d084f5966722073196b38a42dcb709c6c86d3b4271

SHA512
20a625aa10c342139f4a71f90faffd21aab877649e0d873f1a2aeb1ab7fb45c1ab3a885d41a805225c8c1a62c1c2dd2ad62ff5a6f3f88c95f97406d33334c9a8

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcRCSlaveX7.exe

Filesize
316KB

MD5
20516c0b263f90b5f9f7131e4e0bec4e

SHA1
3e3ac2e5c936f79be008f2fe9610b9ba617f24e2

SHA256
757106cde2f309b1e8eb4409066bfa585014e0a16d823591f76899903daa3191

SHA512
5f92cf62d75b6bb8f5ac67c9637f74445bd7e8d9f593fabf536b664cbaf931115d87b605541c62f3ad2a920022fd77f5dcd62810bf14673f98282ccf9e183cd0

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcService764.exe

Filesize
259KB

MD5
20d59af473d94dadd590df5242746477

SHA1
3baa8fd3cd6ba73e44f42e8376f8616e0d2a1655

SHA256
1a48e6d258bc68bd0a953a0872854d0d1dacfe5737d3a198d1e279cb4081e7ae

SHA512
50d916412f319de708472e1d13904183b1217b66acf578994372d33f5698bc947d8ea8d7d5b930beb59f94a8bbb3034cac6512d6e3c0b042997c7ffaf3a0152d

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcSystem7.exe

Filesize
1.6MB

MD5
c06a33a3e9b772193ce9817d7673cb09

SHA1
6be5020ae7fc9d82b8d64c7e457fe4bc56c23829

SHA256
e46ddc0e85cec5b4a1f105285a8d050653ef7d0143f9dc7a588ed49693b4af91

SHA512
cf64b72232759c439281152bf6184136d1d0b4f917355a0ea013b224330c693f423c0e9579c7450b2b5ed15de97b4d8faac136b69f103167b42457faafa657ec

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcUpdater.exe

Filesize
221KB

MD5
7b0da8fcd21be619eaa1c097f7098e3a

SHA1
dabf1337edfa2aea38dd8e29e19b6917855b37ec

SHA256
1afa91b1e11e044d6bbe7ee5909037bacc4bc12d4529646e614e883fc80925d0

SHA512
08c5f0952eb37b04b0e884ac39f5b1d8a38ab5e852b2a03ef9497a13fd7286805d0840245ae78cd8a1fa25b5cc0e6dc801d8c7419c9c37c92f32019beb0e77ce

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcUser7.exe

Filesize
372KB

MD5
43768f646b0fc27fbabe1916e01fe387

SHA1
9ca8490505717c107e873664d9bb5ac83939588c

SHA256
5883c80db49ea9270c67d2ffca8d5cd18ae71e17e9b6e8cb5bd58ece7df8c8f4

SHA512
0afe4da5b26e6d0edad7b01d9640b13a9416aaa9dbaf27f3a28305e1287f82af05e120ef01b74bb56468e2c75afa8be4fdfa2b9f16e5020dc820b9ca207b8299

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcWatermark7.exe

Filesize
251KB

MD5
59b645950cca37369c9747e17a8b04ba

SHA1
8c4092d4190ccd0f29a0086f5f24b356adf7b22a

SHA256
5febc863ab60be96a17355d4346736a923905860fa653556df8a268cc0e8e432

SHA512
addaff87e42de7839a88b42fef7071861b18ff75c39f98530f2315dbdb17b76ecd1f8e28c24e06e3b7ff45deae7739da38233781fbf85095b5e84ba1cbd737e3

Download Submit
C:\Users\Public\SMR7\WM7installTemp\wmcWatermark764.exe

Filesize
276KB

MD5
00b606a2e58b6a748691df14d3a20ea2

SHA1
e53b5452b9bb908623a34e591b688bfeb796fdf9

SHA256
93c94437d3987dd18e249d727a80a2cd1bb7d2cf47bc61d8de228a8cd560aa98

SHA512
42223fdeb1a520950b94500c4729f742ae04a85866ce08552af49def0cc11e474eb29c78aa12f8e71a42c29dda61974365ead2e0c8e85da8c1f3e897dbb3a81f

Download Submit
C:\Windows\Debug\WM7\AutoUpdate\20240419.log

Filesize
798B

MD5
df9eed27d613eaff32fd42b00efd12dd

SHA1
9ec3984e7637092182b121aba3819d727c19be71

SHA256
1c82fa22e5de2e5a7acaea35a0037dd1b0f3491558d7f359bba0e2db6431b84a

SHA512
eacc90d4fbc4fedf954e667659cdc6d9cc1b1230529288f0a3922f4dc032bb4d943d7c873a0b997643b944abb6f68c56ddd87ce1ff04691c9df4b8454b39b047

Download Submit
C:\Windows\Debug\WM7\AutoUpdate\20240419.log

Filesize
2KB

MD5
83cf0bbf218aa1a6eb4f58d3089ad072

SHA1
3ac53b015bfe9cafe6efd41338f28ea0da13869a

SHA256
0e3739719b65c403747ca97028cb5b3c82d781c4924e6cc002cf13b7d66523da

SHA512
187368feb570776eb99f4c508e915f9da6a4093a92e9010da9f7354b0a51e4d225363ca2e0dbbda052bfa720c4d2fda040fddd4655eb5bcca338ae5d35eed02a

Download Submit
C:\Windows\Debug\WM7\AutoUpdate\20240419.log

Filesize
3KB

MD5
f0a70b33b756b7b430fec0544257242b

SHA1
6c45ac8d899ebe97303424bac678b18e483742ad

SHA256
9e5f7bbb2345e46d6d36547fea3079c777ed9e94f3c15146447aca7ae185c7cc

SHA512
a1b5d42b4f34cda5447265262d6e56dbd8995b051fe89147fdbece8652bd316acfbe9495492b5f8ab34e9f713268d16e21d3eb26e7c672a5af9050bae5234888

Download Submit
C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log

Filesize
1KB

MD5
c4ec9e9dd3749c1fb9602d3557cfc4b3

SHA1
037da90e6ea657251ac068a257fe1eb157d3b6a3

SHA256
c1ed3bdbb54d50d67be679740250098f3889df1113606247d45a2d3473cee7c3

SHA512
23f7fd24770098aedab827ec924e5d9826b09ab4362ce436aa077be9d7a4c4b88b44675e376d21285502cbbd153570f381dc232cdb265a108e0f7489e5373571

Download Submit
C:\Windows\Debug\WM7\Client\wmcSystem7.exe\20240419.log

Filesize
3KB

MD5
31c217bed4963797cb2e0c62033774cf

SHA1
3f8a55d898afd97163ff6208934ff169b9a4a1c4

SHA256
2df1ce2dcea77722f898c0a09fa4bbe44cd1b95e1a3608e96d5e459decc568bd

SHA512
002f2ce94b1d277ad0685481c921d1341556ab7ff13a4b2a2470f54ff68cc45e9df6e11a4f9f3cfbd2bf0ca48e5d8cf2a93e4bd091a47483110a5270d3ac56c2

Download Submit
C:\Windows\Temp\{713CC6CE-B3E2-4fd9-838D-E28F558F6866}\cbregistryevtmsg.dll

Filesize
11KB

MD5
7241dcbab33ff2c6a3ea211e3f095be3

SHA1
3fd21f3b8bf054fe34324eba66f0e98ebe6d4bda

SHA256
4be5a326f9f4c07ea1e1df22f27a84aa197a54fab1928d05835f11505005d430

SHA512
66db36e8c4d37391115c6fb1300c1dbffddc84ef4d0db996c05c03687c2d0aa180a57e01be7d72ebffe80fca6fadba0f5e1bb01381065205ae5d476c5a9569b7

Download Submit
C:\Windows\Temp\{713CC6CE-B3E2-4fd9-838D-E28F558F6866}\x64\cbregistry20.sys

Filesize
110KB

MD5
1f6379ecb10624498a6955969cc1d77f

SHA1
8811d30255aceb2d622737a3e12229cc67f6d60e

SHA256
3817532a39d2bfac5445ef205e2c8700dc098c3d27d2fe812ba8608745e5605e

SHA512
2f2bd3be0bd01886c3f76d2a695e171f624139ea38a96b6789e0b400b6b5f7270fcae6e2ee07e82e5c45ddd47699f4e3fe3827a311ee731b79aeb7548c4698a3

Download Submit
C:\Windows\debug\SMR7\ScheduleTask\2024_04_19.log

Filesize
238B

MD5
a7c89bd54cfb78dadc2fd0265b5198c5

SHA1
c72ee78ecad667b14d25fb486191b2aae10a8f6e

SHA256
2241f9a214b8a26a7ec464802329d475757e5e3f01a33f572fc87e7d2a272057

SHA512
c81f6a33f4dc04d3eec806aa450eec01f65a80f426eef74dc6d2839bebe0704a24b45b60eda1de6d0a5cd54538fbc5b395e9581ae18c34894ea68f623e43f690

Download Submit