753133fd1a1fd89dbc8c736105d87dad6ce5a4deb531c054d53f2593b88f3d93

Analysis

max time kernel
120s
max time network
116s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2cdd90e5b69dbbad23a43b26356696c0N.exe
Size

325KB
MD5

2cdd90e5b69dbbad23a43b26356696c0
SHA1

27eaf57a25fd34696e6dbb772d9081cbb377252f
SHA256

753133fd1a1fd89dbc8c736105d87dad6ce5a4deb531c054d53f2593b88f3d93
SHA512

1a2203c542d764dabb340960eba74111926985152ec042a6b386d6edc3db40911c7893227b12e818ddbc05d1cf8d6e5ddc95b0ee425a6ac8a4abc5c8e9ba7c0e
SSDEEP

6144:LY+32WWluqvHpVmXWEjFJRWci+WUW20rUU5EYCTvaBju43:EnWwvHpVmXpjJIUW2cUusvalx3

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\\PIO4X1H.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\\PIO4X1H.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002344f-147.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	2cdd90e5b69dbbad23a43b26356696c0N.exe

Executes dropped EXE 5 IoCs

pid	Process
3244	service.exe
3040	smss.exe
4964	system.exe
1408	winlogon.exe
3636	lsass.exe

Loads dropped DLL 1 IoCs

pid	Process
4964	system.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002344f-147.dat	upx
behavioral2/memory/4964-319-0x0000000010000000-0x0000000010075000-memory.dmp	upx
behavioral2/memory/4964-331-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0X1HPY = "C:\\Windows\\GIS3D5I.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sMS3D5I0 = "C:\\Windows\\system32\\RML1S6NLPY7U7T.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0X1HPY = "C:\\Windows\\GIS3D5I.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sMS3D5I0 = "C:\\Windows\\system32\\RML1S6NLPY7U7T.exe"	system.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\W:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\RML1S6NLPY7U7T.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q\RML1S6N.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\RML1S6NLPY7U7T.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\SysWOW64\RML1S6NLPY7U7T.exe	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q\RML1S6N.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\SysWOW64\RML1S6NLPY7U7T.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\RML1S6NLPY7U7T.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q\RML1S6N.cmd	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q	service.exe
File opened for modification	C:\Windows\SysWOW64\RML1S6NLPY7U7T.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q\RML1S6N.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q\RML1S6N.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\KYD5G6Q\RML1S6N.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\VTX4F2Q.exe	smss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\CFC4G1W.com	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\CFC4G1W.com	winlogon.exe
File opened for modification	C:\Windows\LPY7U7T.exe	system.exe
File opened for modification	C:\Windows\GIS3D5I.exe	smss.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	winlogon.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	service.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\PIO4X1H.exe	winlogon.exe
File opened for modification	C:\Windows\GIS3D5I.exe	system.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\PIO4X1H.exe	system.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\CFC4G1W.com	smss.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	system.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}	smss.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	winlogon.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\PIO4X1H.exe	smss.exe
File created	C:\Windows\MooNlight.R.txt	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	system.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	lsass.exe
File opened for modification	C:\Windows\GIS3D5I.exe	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\LPY7U7T.exe	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	system.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\CFC4G1W.com	service.exe
File opened for modification	C:\Windows\LPY7U7T.exe	winlogon.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	system.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	lsass.exe
File created	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\GIS3D5I.exe	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	smss.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\CFC4G1W.com	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\lsass.exe	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	smss.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	smss.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\PIO4X1H.exe	2cdd90e5b69dbbad23a43b26356696c0N.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}	service.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}	system.exe
File opened for modification	C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	smss.exe
File opened for modification	C:\Windows\LPY7U7T.exe	service.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2cdd90e5b69dbbad23a43b26356696c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2cdd90e5b69dbbad23a43b26356696c0N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	4964	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3508	2cdd90e5b69dbbad23a43b26356696c0N.exe
3244	service.exe
3040	smss.exe
1408	winlogon.exe
4964	system.exe
3636	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 3244	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	85
PID 3508 wrote to memory of 3244	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	85
PID 3508 wrote to memory of 3244	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	85
PID 3508 wrote to memory of 3040	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	86
PID 3508 wrote to memory of 3040	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	86
PID 3508 wrote to memory of 3040	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	86
PID 3508 wrote to memory of 4964	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	87
PID 3508 wrote to memory of 4964	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	87
PID 3508 wrote to memory of 4964	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	87
PID 3508 wrote to memory of 1408	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	88
PID 3508 wrote to memory of 1408	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	88
PID 3508 wrote to memory of 1408	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	88
PID 3508 wrote to memory of 3636	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	91
PID 3508 wrote to memory of 3636	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	91
PID 3508 wrote to memory of 3636	3508	2cdd90e5b69dbbad23a43b26356696c0N.exe	91

C:\Users\Admin\AppData\Local\Temp\2cdd90e5b69dbbad23a43b26356696c0N.exe
"C:\Users\Admin\AppData\Local\Temp\2cdd90e5b69dbbad23a43b26356696c0N.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  "C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3244
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  "C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3040
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  "C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:4964
- C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
  "C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1408
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GIS3D5I.exe

Filesize
325KB

MD5
50c4bf1113f7d2d65ba38fcdb04ee6af

SHA1
50e128c69e17d24aedb042e9ca7ef356b468ba63

SHA256
795ed0e8342d5266d4dceb596e427fce8bd3ab9ecc7c639c0b9ada2bf51dc601

SHA512
b7528285fa6d66a063c778996c30a711a1ab72a471333ebe1d8c3ea982d729b581ea0b51baeb131cbdd262c886127f688f9540c14e3163b66ac7d1374184757d

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\CFC4G1W.com

Filesize
325KB

MD5
27ca1e419d7e11d9d2d97a1c6888b956

SHA1
11e6a9f9f38944ace3d9b64c0fd3f59c5caf3a23

SHA256
771dc9415f2852fad796253095e0da1aa169716462bba5840a24d833a39e0bb3

SHA512
a5e44e85c01c859b572ea6e3f429f55dedd05a43d2e17551b4d11f373ef8cbae7606bb94ef4d968c94a96c6d98391e78961a628b1b49717852feb2aebe94ffdc

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\CFC4G1W.com

Filesize
325KB

MD5
0d948f09a03f8443f5e7e05ba5c1a7a9

SHA1
d89e2089c176b404d5e625aa855261bfe946be7e

SHA256
e6abf8db6c55dc18deee71181b5f5f0a71ad9990145f20319f5c78ca17782146

SHA512
66a934411085d197283c1824d416af497baf6507fbb7e671423e839a15cd0c34e773974e4d654cd3874c51ad4521d7d5e6418a2fd29fd5f3bfc66ee6830b877a

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\CFC4G1W.com

Filesize
325KB

MD5
d995c4fc5fab9e9791642a385a321954

SHA1
4994c9d07df55975d5cfd73411e6a59a1c46eaf3

SHA256
b3b4fc94277964a64e9c8092cefb45da40a9c31599956c64d4382bdc0b701335

SHA512
82423ca43ff29394797742c92255a60c084fdea3406577f6552a19abc5420b9787aaa31d9f6397b141fc1b06693061da93cbd7ea34c2674d024b50687b73ac75

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\PIO4X1H.exe

Filesize
325KB

MD5
1ddc6b2e324484a2ce75b1a5691b6c11

SHA1
a32a1664048d7ea2bef7ea8d8c9e42eb3f28d4e5

SHA256
3fac5025b96d6ca8a555387fae8fe137f98b559462858263c9a403f8e3dc889d

SHA512
6420983605676a01cf9376f1a861bac718dcead39ec09bb93b40dddf3b5b3db6611a4683e501679c85cc7001a9ec205d70ea9052777e051a6835bd4c9c881f05

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\PIO4X1H.exe

Filesize
325KB

MD5
d832564f2a2612ae657f29515127881b

SHA1
a360ce918efca507aed29f63867418def85c2b86

SHA256
c38b1355c4abb56a3abe9beebae813872fad4d82dbe23664c4e7bc13e85c9c54

SHA512
ba7ee1e5bc993e21005af9078ca818d740ff0a3fb22a07ce63c856d633150916dfe6fbec505ba9f1e07292c6f3ecee6bde9b3981e39d4acc4222451e652d5a16

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\PIO4X1H.exe

Filesize
325KB

MD5
a0c16a664d5fef4d0bba6d7b079a79ed

SHA1
8921a8fc72d0049b978763aa6b2f720f941b94a3

SHA256
5476e9f8cc6940d067e325af2cacbe0b597c60385ff7e1f601fb34ca727929de

SHA512
9aed63cbf3cf85700aac10007e542a1e9b57514bc7dd630f246efaafa935a210d2dcf9d9f2ec23ab18a8104040a132e1d8335de5ca5762518639677a552acbf1

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
325KB

MD5
673d81432014e959d510da15697573a5

SHA1
d0ff2235bb9825211f5a9288d0c4a830ac7d2ab4

SHA256
5336e3cf47b6d925d3ea343ea638104b4180143945ea14370466fe17901654f0

SHA512
2d3376a920d9d02df0996460b7738574edae5cde0671a471b7c7cba441e67b619b3935c96b13dc5936557142ed7738971e11f83b058cc2b002b5c079870910c8

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
325KB

MD5
b1f0027eefb445c5030fda1d35f0f2e3

SHA1
d06e1a23755f80c5c13b7e2e63857cede8ab77cc

SHA256
166adb13d91c8196a65371742e8c9b33dc4229534fbbf436a39a26970a0e0fbc

SHA512
04e5b6e38ee31cc5e8c387e6c7aafe66612ecd01bd990615950a1323b0f2858d10244d1884bf40aff0aff8db8806811fd5a06126243cc8c75ac8bba286c5e2f3

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
325KB

MD5
78ebdbe032a2df194523960e9d3fdfe4

SHA1
fc8d9484fbbafa89b3dd568c9565b9820d3265fd

SHA256
5687360d3598e20cce3f425a09c01f7520a94a1008dc843acb73bfd8aca1067e

SHA512
ea386462c1648ab7bb5ca7b2750e7f4db03ed1e1774c2eaff47c0faaa1b1d3335ceae36c701f8ed31adcfa5c01b01f069b7e24fbfa759835c580ad2e2c7aed1a

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
325KB

MD5
d1f09577d97c402324133124a720abc5

SHA1
ec529922b99e5613849667ced842ece3dd1a99bc

SHA256
b67f011e51f45995d3aa119b1678f2b03a53980d9d4861d602a09b25e7ebc256

SHA512
d2690feab1a6c4f1f78192ece8b8e3b447ef67e27d4204ee074668449e30eaf0a3175284b94e692642295c4080c1fd990d0dad7127568b81b74a6e71788bec47

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
325KB

MD5
99922297a23d0299f1ced6fdb70531da

SHA1
d2259c7600a6ba671921fc07d6dc70ccd9958d43

SHA256
c86c1f0d803dc62167ba123943d87e005025141c1a3d13351a4f791de921245c

SHA512
af63e023dd6210017b5e594f62d74549e232bdff2c6061736c02cfa5540382962baf8abbc280eafd26844eebd7f48739aa33a4db792802afa93d2fb4dd943f25

Download Submit
C:\Windows\GMS1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

Filesize
325KB

MD5
c1162554364b293ec3830fa7a829781f

SHA1
ed953aa8de6296b9d4262a6a7efc1f91bd773862

SHA256
b344ddc027c2bd80f08245c724f9c415992095ac19e82361eb6528ee35351a2f

SHA512
afef10e7c558ffb1749cd7799f707e26859f2572846392f1339f911485a9a279c937cae3ba4bb2a230700bb51721903c4df4d1fa5ae9d9e5a7a597517262fb65

Download Submit
C:\Windows\LPY7U7T.exe

Filesize
325KB

MD5
ce76f740f66b15be3a5a1b926d869115

SHA1
60297c893c56a657679e2052038429b1f6c07d04

SHA256
6ea3dd5728f5283f46ee210ab218f862ef6d017480306922e1b8655066a6b5c6

SHA512
87c999152d185b7c5dccb39fdded0ddca04c45d2bfe43e5b72fe092857378ffd578bb47124cc68e71bee1444ae9352694de1deea56dcf952d062397115271f4a

Download Submit
C:\Windows\LPY7U7T.exe

Filesize
325KB

MD5
58b141daae7f62146f928af75a0ab990

SHA1
5a0022696824de40574a219b70a79a08b257714f

SHA256
ee52121625a231f7994397629f0e2672cb5ddd711b8af88de90e580aadb1700b

SHA512
13ccf36dcda0e1bfdea6ef0cde125751af76e36ed691a3bcdea95be44fc878294048d76f2d1ab7b322d91628095ebfafb88f1e8770e006687fe177da67cde2e9

Download Submit
C:\Windows\SysWOW64\KYD5G6Q\RML1S6N.cmd

Filesize
325KB

MD5
e5ca751d07edae2064dcdb415ddb3c99

SHA1
4764c0770d8024dae6ed427d4233e44db299e09e

SHA256
23666e595533e510b74d5a8c1a9b03e1ce7277cd0a048d150af67d4cb2ab16ce

SHA512
781361ea72d62883b66f3866136fe197f25a1ed6cc40ecd1b850edfc57bbacf6a8df3c28a10b60166b687cf6f65a627cfeac07aa855b83fa0ea694d8421b76a5

Download Submit
C:\Windows\SysWOW64\KYD5G6Q\RML1S6N.cmd

Filesize
325KB

MD5
56c6f6fb138c1e9a83c6299eff70ebb4

SHA1
4b1a2bad3f14a4a8ecda10820e6cbe3f9ffdbc29

SHA256
93a2002e46addf856fe804d760a10f1f4e08a3ad259a1b6b7127375e0f2827c4

SHA512
263e7488a4ebe7a7c007b08d0a888108f1c74529b6c063569aa28f5f98a977ffd7b517237a588acc94b8de29d6d67ecc803af3264477ac9d9457d6ef5685f57c

Download Submit
C:\Windows\SysWOW64\VTX4F2Q.exe

Filesize
325KB

MD5
f53c00a0cdde3a6b7b70b9ea3f7bab45

SHA1
0e073f955f7424f3a94b335d45fcd77f7e75b940

SHA256
9676bbafa7bcfc79239b171681a57c3978b90a8b0c71cb0cc8000362396da785

SHA512
21ee823f7868191ff73dc429d7cf737242ddf07206c0f8251b5995ba407a09fe997b0e48618c014b181e42525573e167af1b48213092535e99f6ea0546eac190

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
99a75729e2b9e0e55ea2571dfbb0c0e0

SHA1
7a386771122b0c786f0777dbc82d8c84a85c4ca6

SHA256
8a35263b316e405984c4079a693abcc70dccfa4bb413060a0cbef40469a1f5f3

SHA512
c46114d89945071347a456ceb1ab9ff4da1dc963c80e5331f7fabdb873030641468eb5cd271aa2ab7dc770873243df7f504fa786b49e4315519d2df1d4b282a2

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
af34ca93d64f43e1a4ab7e9ad981cdcc

SHA1
58ae5dcb7b011d696667cc5db1ab09b275568c4d

SHA256
c8a9089c2d9ba1b9a31f67a57a3ff2adf23dcc57d291aa9b2783d5ea3622dd52

SHA512
c959edd7421a11e34917b9cd2867cff7fc278c2e493da9a8575ea3f8d9383886de84495eb04a8ad0bad602c66172aac2386e7794f5de8f930b98ae5120daf923

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
71004378b0f33f3896c33c49bff4b92c

SHA1
1fc600fb35b9999ae5fa53f3996a2e6a5cc1941c

SHA256
0dfa598f510d68b0a393a3c3afbc8c743cbe6d56a22761ce46b0712f81df382e

SHA512
e392e980248ed91a20a6d427635a73c8e475350fa31d5a4881225e814edfe5c817c6f319595a7051d3fa262318a0394f233508401eb02d97e444dd62433df6d3

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
1e1e0ba48fa72dc5e7b482afd9d3a7e0

SHA1
2a930121ef6839a0905d253ddeae565b45a95782

SHA256
94ca13a7007fb2c1db881f79c436a1b392e7a41ff8e126f5d3b4f32cfe2183c9

SHA512
70e0886004a164817cad5829d588fda560527579842d4fed654a2bfbe2999e473aebd8f67ac733362c107c5c40245cbf58906e7934e6138e43ce630c850fcc7d

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
b8ebc4cf5cfc35dbd116076639c6ea4a

SHA1
8ccb2941483c70095ecc1f77b5d34465c1b3fc07

SHA256
2e5fcf58ca00004e2ab8793fb8ab64121119d4f737f6eb5baa7f52f8d3059d10

SHA512
6ba8d358e216965ee4b1c16afa21c8a773d8c903a6d37ae15ded25f0f13bf3424480a6e50c7d90c755c545b2c45ed1c0086993b427c2c37b492e775faec4f8ea

Download Submit
C:\Windows\lsass.exe

Filesize
325KB

MD5
fa4d1fad7875fec6b2a535cf2796d72e

SHA1
b890817151ad28caedd931277b77384e33dfcd72

SHA256
eae73675a3ffa3909517aa19e0f2f3ba52527ca74b8a3959f83f9b48e4c0b04b

SHA512
548fe9c0123c7f8ecc562aeaafa875095c46c48f089c7943b78949569befe4c8a259a0d5da0f5ac5a13efc2f91a47b10ca715e325acd767bf6c996f863fdec85

Download Submit
C:\Windows\lsass.exe

Filesize
325KB

MD5
64935faa9b17dfc65e7c2dda274bd457

SHA1
c1b134f614c19da1d08392970d508800a8b627a9

SHA256
beea2622aebc0fdd2f741a82d760b320ee665d344e3df3cfd6fbd552ecf2dd99

SHA512
c1c1c3807126c02808a0325f857a36c9669c56e631bf8c7780296b70eeaad8e3d5948350033313424dc24cb16f0498bda7c79a46e8845c283adac4547f8d1f50

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
d93921be0a8cc54b2914d59edda504ff

SHA1
61699b7bf5b7b3903ed8a99623367054f57a934a

SHA256
2160e45f6bb10d3e3a8765ffc01b42dd6a68159abf14c1a8dea2602365bb002d

SHA512
6dc0088e685920d63b7898a413d1351b37c5c431d02ffd04c3db42527ec09178641a94abefdaa2dd2a70792240d1caf25f943fe04ca4eb9556a52f9ed17e4a36

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
220cd5b36a14cfc83715839698aeaaa8

SHA1
e2957eb14abffa17ad61b7555221803444f92288

SHA256
eb319cc5c5e432b3f111b185fa12e1410b43d90b81b4bd8d7f007c860256b4b1

SHA512
65f4473e6f2f6af2c9197fb25955b58f1f2504b3cf364e6e6f41b9e1ba9fb6a80613797a0b4b24b41ce88b1f2afbb52cc3efcc5a362c4f54f2beb745028a9441

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
121c6d3c64d63e8bcefaf599acfd9ed5

SHA1
97273b1d544a2ba345eb118de55431fe25e03ee0

SHA256
27b91e8f5888115fcabcc721905935555dee46f5c8e1bff2a2f6ee7b8dd74009

SHA512
d1b0d63d08ee04f37999a86a6f0cd7e151d3bd74432c3052668d9c0ee8f0d0d681e74fe58beca534e1166f58b7fe578fa7105f37b0f8d707e46615337315b362

Download Submit
memory/1408-95-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/1408-313-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3040-76-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3040-311-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3244-63-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3244-310-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3508-292-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3508-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3636-289-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3636-327-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4964-312-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4964-87-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4964-319-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/4964-331-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads