7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 22:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
Size

347KB
MD5

3627930f5a4b22a08e5d896af3fbc4ef
SHA1

6497c0bc5c214b5090526547eb4d8fe2060893d6
SHA256

7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0
SHA512

0a18bfdba17d86912fa85b6699f206d49cbcac9a2fc5f94676eda6d9c5ca452d5e3bf2f1ea22ea40a34c723262d1e48ea2e786ac5c0c87ef8c4ed36c403498a7
SSDEEP

6144:eY+32WWluqvHpVmXWEjFJRWci+WUd20rUU5EYCTvaBju49:FnWwvHpVmXpjJIUd2cUusvalx9

Score

10^/10

discovery evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\\MEL2U0E.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\\MEL2U0E.exe\""	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	lsass.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x00070000000234c2-147.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe

Executes dropped EXE 5 IoCs

pid	Process
2480	service.exe
3064	smss.exe
5000	system.exe
2428	winlogon.exe
2324	lsass.exe

Loads dropped DLL 1 IoCs

pid	Process
5000	system.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0U0EFO = "C:\\Windows\\SUH8P1U.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sJP8P1U0 = "C:\\Windows\\system32\\DVU4E0WXFO3J3I.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0U0EFO = "C:\\Windows\\SUH8P1U.exe"	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sJP8P1U0 = "C:\\Windows\\system32\\DVU4E0WXFO3J3I.exe"	lsass.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Q:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\S:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\TLM0P1C	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\DVU4E0WXFO3J3I.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C	lsass.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C\DVU4E0W.cmd	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\SysWOW64\DVU4E0WXFO3J3I.exe	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C\DVU4E0W.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\KJM8R7F.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\KJM8R7F.exe	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C\DVU4E0W.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\DVU4E0WXFO3J3I.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\DVU4E0WXFO3J3I.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\KJM8R7F.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\KJM8R7F.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\KJM8R7F.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C\DVU4E0W.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\KJM8R7F.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C\DVU4E0W.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\DVU4E0WXFO3J3I.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\DVU4E0WXFO3J3I.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\TLM0P1C\DVU4E0W.cmd	winlogon.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234c2-147.dat	upx
behavioral2/memory/5000-319-0x0000000010000000-0x0000000010075000-memory.dmp	upx
behavioral2/memory/5000-332-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	smss.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\OSO8S6L.com	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\XFO3J3I.exe	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	smss.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\OSO8S6L.com	service.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	system.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\OSO8S6L.com	system.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\OSO8S6L.com	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\lsass.exe	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	service.exe
File opened for modification	C:\Windows\XFO3J3I.exe	service.exe
File opened for modification	C:\Windows\XFO3J3I.exe	system.exe
File opened for modification	C:\Windows\moonlight.dll	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	smss.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\MEL2U0E.exe	service.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\OSO8S6L.com	smss.exe
File opened for modification	C:\Windows\SUH8P1U.exe	lsass.exe
File opened for modification	C:\Windows\moonlight.dll	system.exe
File opened for modification	C:\Windows\XFO3J3I.exe	smss.exe
File created	C:\Windows\MooNlight.R.txt	smss.exe
File opened for modification	C:\Windows\SUH8P1U.exe	system.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}	lsass.exe
File created	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File created	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\zia01692	system.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\MEL2U0E.exe	smss.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\XFO3J3I.exe	lsass.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	service.exe
File opened for modification	C:\Windows\cypreg.dll	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	smss.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}	winlogon.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
File opened for modification	C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	5000	system.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
2480	service.exe
3064	smss.exe
2428	winlogon.exe
5000	system.exe
2324	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1576 wrote to memory of 2480	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	82
PID 1576 wrote to memory of 2480	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	82
PID 1576 wrote to memory of 2480	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	82
PID 1576 wrote to memory of 3064	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	83
PID 1576 wrote to memory of 3064	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	83
PID 1576 wrote to memory of 3064	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	83
PID 1576 wrote to memory of 5000	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	84
PID 1576 wrote to memory of 5000	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	84
PID 1576 wrote to memory of 5000	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	84
PID 1576 wrote to memory of 2428	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	85
PID 1576 wrote to memory of 2428	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	85
PID 1576 wrote to memory of 2428	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	85
PID 1576 wrote to memory of 2324	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	86
PID 1576 wrote to memory of 2324	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	86
PID 1576 wrote to memory of 2324	1576	7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe	86

C:\Users\Admin\AppData\Local\Temp\7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe
"C:\Users\Admin\AppData\Local\Temp\7125dd0404ba4ddbe1a7c251fd17033e1bb0f47f075bdaf4f63155b1c17df0e0.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1576
- C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  "C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2480
- C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  "C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3064
- C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  "C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5000
- C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe
  "C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2428
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\MEL2U0E.exe

Filesize
347KB

MD5
0566ed39e835332465c6216310803a36

SHA1
0cd61285ede79f5a9028aea6f48d0fa3214588a1

SHA256
15fe4127a6aab6ac9dd6dd756c416928e95d560f44b1fabf6b81b7df2b0c7d3d

SHA512
e60eb3a6d804cb5a2350d2a4c420871bca984992a8918ca838db5ff4009ce458429dea7c90a3d5563244f0740e5a2cfd3a726bc85fbfb8bb25a28e6bdf35c5f5

Download Submit
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\OSO8S6L.com

Filesize
347KB

MD5
c669cf93a6f5151580da8d8dfed7c511

SHA1
0e11d02a15b94068ab5b40fa9238e49f51c6f1ad

SHA256
ea022fdf72087203d8e4b88fb9658f6a9c1bea2a3683731950fb757f69dbcde7

SHA512
2e98fee2ba215aa8c7f7a0d2037d1551a43e9c7ac5d9f529bbd0b2f7681c48196c96e56c67e0ef3c0d58d9b95e00ebbd5c80b37630967b9bcb7b3717e11781fc

Download Submit
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\OSO8S6L.com

Filesize
347KB

MD5
fe8a3a62fb8cae0657e65a72134e2539

SHA1
37b1b477bf1f1a949b633853c4a9f37a849a24dc

SHA256
9ff9223aecc28137839fbd9dca5794d1c0f66506b2ec2866298cd928f54bdde0

SHA512
61b91d712a5dedebd411749222a8cc33e26d6483ea04e9971f421c0b59583f4fa6cf54bb3a7da05732df37525893c92e6fc4ed914f9c00f7567aa56c2df6b4e5

Download Submit
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
347KB

MD5
0dd23610b962479ac9212ceff130b2e6

SHA1
363fdde6e39ed0892d70b7e82f63dc1889908d88

SHA256
16be73968c82c3336f4d040e944368ef9c462a29b90dd1d53a08e0a8961b6cd7

SHA512
1850cf65921c51a291b1d58dd9321b9832ac75569622df1028e9096bd5e5f0ccd6f8668f23a7460d76770ef03b050caa4fd92bf19935fab92c3d2ad8f3c7c941

Download Submit
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
347KB

MD5
325ffa34cae4c5610de26fd20e570456

SHA1
4e7b065fb82ab3cfb2b34833a2f6fe6261148a50

SHA256
6bce8a44ebb98f342ae3d42730ec28fbbbf65c0742745333c89ada7426b8a498

SHA512
d5843f71ff1f27283883cec097129cf94b551b85fa4440f36dea2fb691fc2c838758ab826f900aa27c641b576e152c6d89821cb271e7a3cfdc1f31da8cbdd44e

Download Submit
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
347KB

MD5
1d661af57fbb8a559aba7bd87287f0ea

SHA1
24dab55939b849b3ee2efd1ad9f1cedd1f90e9bb

SHA256
b1fb42582b94c1a00c61eb4bd36ce75bb0e6b15c0793dd15633d0133d9ab27c9

SHA512
0fa2470e008190d4a332e4201b13bfb0eefca906a55005c82f23c1088d41ca2055455cac2042fe580246687d56eac43ff02293ea10837e322998abd464ea203a

Download Submit
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
347KB

MD5
c70657f219a29a59b330866c804ee54f

SHA1
4f881c01536d492a67f2a4f7c3b912099f999252

SHA256
b7f8e77edc96a7ca31dc7a4c3ffbb9b3e3242b1722ae083fc9d8973febba4dcf

SHA512
e87c7c9c61ac9c438898c4ce2762981b1835d96ffaf2bff524c54ad066f7b46e250fed0a1066430a260c9dc0ff69b1aa75dc1346fac49c3def9da8177ff6d565

Download Submit
C:\Windows\DJP0Q3E.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

Filesize
347KB

MD5
92cd0d3dd7dfa3d95e1ff28a3256c010

SHA1
44600bd2c8faab8a251cd6c69377fdba4237cd96

SHA256
657e4a28883811893c0ea98cf200492be0a4d329175ca896a6f609ad5afd0e75

SHA512
27c7f132f8eb1be9c316ab6233c0e64143f954cf991ac82fef035dde51ad1382e61d3a08ba480c83c5bc22582852ba4ea529224726ec8d395a28bac8da9046f0

Download Submit
C:\Windows\SUH8P1U.exe

Filesize
347KB

MD5
460c4033f717a9e978c1cec5d3deee75

SHA1
07506d04e614508f85c8b9b4ad2ec4b72213eee0

SHA256
bc734e90132da5e62405d170660ea3b4279d9d18e0fb1e31e703d9cea46e8f74

SHA512
2c2eaf3ff215984ede326d5ae5d95f2239326bbec8d609ab26d7e3e850ef3c7f1fb5c89623790dba68e9b3fd6d4a95f8b537758676948b0c1ce7381aaf77e47e

Download Submit
C:\Windows\SUH8P1U.exe

Filesize
347KB

MD5
2a5f14f69acdfe6fcdb791edd71be239

SHA1
45566a71baa90dd8a8bb4ca87cc0e7e523187e14

SHA256
e016c6fbb2da0fee7e523a9e3f9b64e38ee1ed7fb7b09215f614c7ca81e03daa

SHA512
8a8d0acf1ea5d27a6003e1b15e6a4c1d9a39dfd44582b690673646bacfccca3b3073404a48d4aa8d8c07f7959718b261af545d5ad85862be377f29a2867e9ea6

Download Submit
C:\Windows\SysWOW64\KJM8R7F.exe

Filesize
347KB

MD5
1f32aa83293e4e7b868a3b4ef3e0f943

SHA1
bdf2a0687ece85267e1c7726c7eafa69de12686d

SHA256
acd28d44fea6ff68ea131d19a94a49ceb30f20ef2a6878417e57dc6866314b8d

SHA512
a9b9d7dfa4b2574bcc908882a92eb628504814df15a46225b7267cb2af72128905ce4682fa1e053cbdb9d5c7f46c7120af57b35147f636e21c30f3f73137ea77

Download Submit
C:\Windows\SysWOW64\KJM8R7F.exe

Filesize
347KB

MD5
b762c1ea72088d0fc76ba15ba88546b0

SHA1
e237dce878e5150c6d280fe880013770a743f757

SHA256
9af6ef03c826020df82ebfb87116061443ea027544fc5c352b7629e518a76ff1

SHA512
cda6c555a9fa9fc5b1cbd6cad5ceb7b391100a199cd6e1e8011ceb380c95c83a450bc7695176cfb4f5298710943680ef412c31af35b4f5709ffa940d2b58d2a3

Download Submit
C:\Windows\SysWOW64\KJM8R7F.exe

Filesize
347KB

MD5
ba8938674a8f6a01ba65592bbf8b224d

SHA1
8b9fa4ca362175bf800d77d4d9d88fda72549935

SHA256
e8fde4bd06e4b0f106a8cd3629c25c3e1df199b0054f953e4ca79d282e73ffe9

SHA512
7f686d8e4435657a22b04731e4ec0479c70affb687c614089c3e0595d5c22a08d19b9894290b0e2e1b589269417752075eac256f6efa2e29d249d4a54f0b1ec0

Download Submit
C:\Windows\SysWOW64\TLM0P1C\DVU4E0W.cmd

Filesize
347KB

MD5
9c1dd080a93d797645ba68fcd9cb4d3b

SHA1
992ea8e4133bb17b920c071d44a730e926cfc332

SHA256
777bf4b3b983d239e55957d74993aaae5cd0ac40730b599a0ae8df554c2e1472

SHA512
7cf5d5bf186330de0dc7fc4116139b1e9bcac0ebdc85e77ee4b185815efeadbe102d3dadb0e33be15f0e545b9921b0cbd1cceb3f64b75e015d43c3a721fd231b

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
07dc9718e0e6ccaabb08a9e52c940cee

SHA1
07481a9e116ce3981c9bfb10163defffc1979531

SHA256
7292b845f0519d67e855b851e85b879641424fa3bfb378f72d13e011f9e982bb

SHA512
43500037dbf78b4f29ac3b5cc2f140f93505b3462661968bd0a4e81d28612bcfd9fc5cce4d4fb74bccbdc4c85e4e2a17069f5581a9db900d7b6891aa1ff504b3

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
4bfb28d1230fa96db12cdbbf873a073a

SHA1
bca12386236ba960533c147a6b3648a516e16e39

SHA256
165e56ad679a488211ad2887754fbd4b70ecc9b07a5a554849fa5aa51ebde690

SHA512
c12186254bc38586e95d784991224a9afe5f1fc8e8a06749969a061251e55006ffa652ad0a508579289061be712e59cdff7571405283d75d783b81598e368ecc

Download Submit
C:\Windows\XFO3J3I.exe

Filesize
347KB

MD5
7c4cb0972918ab733bf6f32af49c2bf2

SHA1
7ae7316a5a3d85da50919ffb08b291a7d14fd802

SHA256
c3458bd2a9eb4e827a62ac677d3cca6545b1ff24c3f831905e4178241dd3d419

SHA512
00ac36bb55444d7f45c2ee5a98371c7165f5a4a6fd6a66faaad0dd439a8a483aa1c300f8405cfe3c6065597912935f260aaa7341fc8f16c15935a7dbe200d492

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
ec5702730c23e0a018294594ab43b089

SHA1
01fb205e1c0945f20727daf32e5d96a8143dff22

SHA256
6e7a81af9546674515074881e6075070f07f38340d7847b1c45d84a1e7137acd

SHA512
617224e82df6c6b88364194b787436d1cf27d918ad951bd58034955d07e1ed7842bc423ac900a96703f7845cf0c8303c3ef9ece2973851999ddd9f90ce4cb340

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
cad01ce988370f1f7ba6d1b366b67350

SHA1
456ee670f051bc6dc0f6ac660c202da6cf08ca2c

SHA256
ed6cdafd3b8f026f7b564a46e608f49332d8499187dcbfe5e7f4f105a31e8c4c

SHA512
dc133d6c905391a99b2989217d1cb5879bfea710f90a3f013fa3e62e55399edbfee7a167360fde9d33f87016f82a7707da40e4892c0ab72a441e57a13b664821

Download Submit
C:\Windows\cypreg.dll

Filesize
361KB

MD5
743f8e737976b7b58abd2acf2f1082c6

SHA1
5b023c812e28f2b0cf442edc7cb558376c3a67c2

SHA256
192d6a279fbc68fb01b483ea03197ec79e8b8289da57cd0f9aead7a6dbb4e7aa

SHA512
342fcb283694c0fdfb348ccba711c5dc714cd93d875f1e997bc0e853017b80a0d836e2958eff8ece0717246c0781ba93508f4399530965cfa7e010a364129c34

Download Submit
C:\Windows\lsass.exe

Filesize
347KB

MD5
b9902829201bd2b7e4364a00bd93f09c

SHA1
e6b8f1faaed9e922f23cde3de431aa22870b37f5

SHA256
1a92fd442313678de65701e428e5b11c78939b50810fd718a4450417e8ad6b84

SHA512
20ebcb70080fae08afcf713efb5831631551a4efc31c5b92df2e183f2ab67a9072fec7cfaa3ae90ea8414d4d56f545b053cdcce74bb171e15b851f97f2dbda01

Download Submit
C:\Windows\lsass.exe

Filesize
347KB

MD5
c7248f6146ba2e32a8f33fb077d8608d

SHA1
a756959d8b500335500a63e29d8f18df21172048

SHA256
366a9c09e30c73fe4a4541950748105ccf561c946032deebe327b94fe030cbf8

SHA512
106fdb5fed5fcd108df69477ee2be69d4db8f2b463cdfd1cd1a84b0cda319564de98d31665ca2443f143f022007b1428906b67f5860a0cae45d05fe33bd2059f

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
3b039cfcb4049f9ddb4d6a89825ba89b

SHA1
db124e3221b89df324b8cce304dbc50baa313145

SHA256
8081e0930368fdd7a905846cc989b12886187812fb20842ba13264b5a1cee097

SHA512
c2caaaa9d072f778abc1ebfea190082234b93e521912fd021e3bb3e8edb23fc7f9cb9e7a5ca5ef028659e1369484815122d11844946c3ef6658104349020eeb6

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
faccb368f1c32d9466d95f537be6983d

SHA1
4d34d1bf813a86bf952a6aab00cd79853bf6f109

SHA256
c91e9718a7ddf97a0a3006751af147415b1cc97e037d908d9d883b3942187a1a

SHA512
8f4a76f4ca840f833774b1cd7dfd7b96e992d7ac33c9f5750656ffaa9f74b6c3cfe876d09d2c2bb7fb4c04b47e9dde8d3fff9fdb3aea8e948d52d3f7a2b00b37

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
3437e10753a2babaf912e7f35933cc46

SHA1
ba859ede6f76ea2fa04af875ad50b53b8c5e269a

SHA256
121a3871efbfe54e2914cb90453ba26af3df816b936c7136d23c1799789b43eb

SHA512
b3c85402b16951ad87d7379929be8b303953ea420f3537128304b8f882db353274caab8996c52a4ba994a99ede2ca87b704bf7ea286dae46b8d7fda775d6f510

Download Submit
memory/1576-0-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1576-292-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2324-314-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2324-291-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2428-313-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2428-92-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2480-310-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/2480-58-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3064-74-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/3064-311-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5000-87-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5000-312-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/5000-319-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/5000-332-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads