cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 03:59

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
Size

2.1MB
MD5

3884cdbc07e9b701a7b073afd9dd9384
SHA1

36586b7e0352881addfa461b8128936484adbf1d
SHA256

cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d
SHA512

5c42bd33fc896d1dab1537907523c9aee884fd33de50baf51f9912dd8494b4de28b8e33c69725b712316cd93ec6095cc120e4eedb5a651c0fc930215480e8c1b
SSDEEP

49152:4XIbtq8bNHYG+AMTUEHhE3JCZVk05Q7VczDvfPeCkR353RMN9GkAHm:YgtqdPVU/3MVrgVcveCkR3/MN9GkAG

Score

10^/10

discovery evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\31414\\13431414.exe\""	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\31414\\13431414.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\31414\\13431414.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\31414\\13431414.exe\""	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\31414\\13431414.exe\""	winlogon.exe

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe

Disables RegEdit via registry modification 5 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	service.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	system.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 20 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\notepad.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe

Drops startup file 6 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	winlogon.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	service.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	lsass.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd	system.exe

Executes dropped EXE 5 IoCs

pid	Process
2932	service.exe
4572	smss.exe
4388	system.exe
32	winlogon.exe
1332	lsass.exe

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0414841 = "C:\\Windows\\l532055.exe"	service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13500550 = "C:\\Windows\\system32\\884154312640l.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0414841 = "C:\\Windows\\l532055.exe"	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13500550 = "C:\\Windows\\system32\\884154312640l.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0414841 = "C:\\Windows\\l532055.exe"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0414841 = "C:\\Windows\\l532055.exe"	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13500550 = "C:\\Windows\\system32\\884154312640l.exe"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\0414841 = "C:\\Windows\\l532055.exe"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13500550 = "C:\\Windows\\system32\\884154312640l.exe"	service.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\13500550 = "C:\\Windows\\system32\\884154312640l.exe"	smss.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\q:	winlogon.exe
File opened (read-only)	\??\j:	system.exe
File opened (read-only)	\??\l:	system.exe
File opened (read-only)	\??\r:	system.exe
File opened (read-only)	\??\g:	service.exe
File opened (read-only)	\??\x:	smss.exe
File opened (read-only)	\??\t:	system.exe
File opened (read-only)	\??\N:	winlogon.exe
File opened (read-only)	\??\m:	system.exe
File opened (read-only)	\??\g:	winlogon.exe
File opened (read-only)	\??\q:	system.exe
File opened (read-only)	\??\r:	service.exe
File opened (read-only)	\??\u:	service.exe
File opened (read-only)	\??\i:	smss.exe
File opened (read-only)	\??\k:	winlogon.exe
File opened (read-only)	\??\o:	smss.exe
File opened (read-only)	\??\i:	winlogon.exe
File opened (read-only)	\??\r:	winlogon.exe
File opened (read-only)	\??\y:	winlogon.exe
File opened (read-only)	\??\e:	system.exe
File opened (read-only)	\??\s:	system.exe
File opened (read-only)	\??\i:	service.exe
File opened (read-only)	\??\e:	smss.exe
File opened (read-only)	\??\z:	system.exe
File opened (read-only)	\??\u:	smss.exe
File opened (read-only)	\??\p:	winlogon.exe
File opened (read-only)	\??\k:	smss.exe
File opened (read-only)	\??\r:	smss.exe
File opened (read-only)	\??\z:	smss.exe
File opened (read-only)	\??\z:	winlogon.exe
File opened (read-only)	\??\w:	system.exe
File opened (read-only)	\??\l:	smss.exe
File opened (read-only)	\??\y:	smss.exe
File opened (read-only)	\??\N:	smss.exe
File opened (read-only)	\??\e:	winlogon.exe
File opened (read-only)	\??\y:	system.exe
File opened (read-only)	\??\m:	service.exe
File opened (read-only)	\??\v:	service.exe
File opened (read-only)	\??\p:	smss.exe
File opened (read-only)	\??\q:	smss.exe
File opened (read-only)	\??\w:	smss.exe
File opened (read-only)	\??\m:	winlogon.exe
File opened (read-only)	\??\v:	system.exe
File opened (read-only)	\??\j:	service.exe
File opened (read-only)	\??\l:	service.exe
File opened (read-only)	\??\g:	system.exe
File opened (read-only)	\??\i:	system.exe
File opened (read-only)	\??\p:	system.exe
File opened (read-only)	\??\t:	smss.exe
File opened (read-only)	\??\l:	winlogon.exe
File opened (read-only)	\??\v:	winlogon.exe
File opened (read-only)	\??\k:	system.exe
File opened (read-only)	\??\o:	system.exe
File opened (read-only)	\??\j:	winlogon.exe
File opened (read-only)	\??\t:	winlogon.exe
File opened (read-only)	\??\x:	service.exe
File opened (read-only)	\??\j:	smss.exe
File opened (read-only)	\??\h:	winlogon.exe
File opened (read-only)	\??\o:	winlogon.exe
File opened (read-only)	\??\N:	system.exe
File opened (read-only)	\??\x:	system.exe
File opened (read-only)	\??\o:	service.exe
File opened (read-only)	\??\w:	service.exe
File opened (read-only)	\??\s:	winlogon.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\New Folder(2).exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\37012a	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File opened for modification	C:\Windows\SysWOW64\moonlight.scr	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\884154312640l.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\moonlight.scr	service.exe
File opened for modification	C:\Windows\SysWOW64\moonlight.scr	system.exe
File opened for modification	C:\Windows\SysWOW64\884154312640l.exe	system.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Data Admin.exe	smss.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\New Folder(2).exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\crtsys.dll	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File created	C:\Windows\SysWOW64\884154312640l.exe	winlogon.exe
File created	C:\Windows\SysWOW64\moonlight.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\884154312640l.exe	service.exe
File created	C:\Windows\SysWOW64\884154312640l.exe	system.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\New Folder.scr	smss.exe
File created	C:\Windows\SysWOW64\moonlight.scr	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File created	C:\Windows\SysWOW64\884154312640l.exe	smss.exe
File opened for modification	\??\c:\Windows\SysWOW64\IME\SHARED\res\res.exe	smss.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\en-US\en-US.exe	smss.exe
File created	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\New Folder.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\37012a\c8841540.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\884154312640l.exe	winlogon.exe
File created	C:\Windows\SysWOW64\884154312640l.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\37012a	system.exe
File opened for modification	C:\Windows\SysWOW64\37012a\c8841540.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\37012a	lsass.exe
File created	C:\Windows\SysWOW64\884154312640l.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\884154312640l.exe	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File opened for modification	\??\c:\Windows\SysWOW64\IME\SHARED\New Folder(2).exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\37012a\c8841540.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\moonlight.scr	lsass.exe
File opened for modification	C:\Windows\SysWOW64\884154312640l.exe	lsass.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\WebDownloadManager\Data Admin.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\37012a\c8841540.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File opened for modification	C:\Windows\SysWOW64\37012a	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\37012a\c8841540.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\37012a	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	\??\c:\Windows\SysWOW64\IME\SHARED\Foto Admin.exe	smss.exe
File created	\??\c:\Windows\SysWOW64\IME\SHARED\res\res.exe	smss.exe
File created	\??\c:\Windows\SysWOW64\IME\SHARED\New Folder(2).exe	smss.exe
File created	C:\Windows\SysWOW64\37012a\c8841540.cmd	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File created	C:\Windows\SysWOW64\884154312640l.exe	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File opened for modification	C:\Windows\SysWOW64\37012a	smss.exe
File created	C:\Windows\SysWOW64\37012a\c8841540.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File created	\??\c:\Windows\SysWOW64\IME\SHARED\Foto Admin.exe	smss.exe
File opened for modification	\??\c:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\SmbShare\en-US\en-US.exe	smss.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1788-0-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x0007000000023c8e-16.dat	upx
behavioral2/memory/4388-77-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-106-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-143.dat	upx
behavioral2/memory/1332-162-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/1788-175-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-139.dat	upx
behavioral2/files/0x0007000000023c98-123.dat	upx
behavioral2/files/0x0007000000023c9a-129.dat	upx
behavioral2/memory/1332-890-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-911-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-916-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-917-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-918-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-919-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-920-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1000-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1003-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1002-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1001-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1023-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1024-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1026-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1025-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1046-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1047-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1048-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1049-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1074-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1075-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1076-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1077-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1102-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1104-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1103-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1105-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1127-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1128-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1129-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1158-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1157-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1156-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1155-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1184-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1185-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1187-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1209-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1213-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1215-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1236-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1238-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1237-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1240-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1262-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4572-1263-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1264-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1265-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1286-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1288-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1289-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/32-1315-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/4388-1314-0x0000000000400000-0x000000000042A000-memory.dmp	upx
behavioral2/memory/2932-1312-0x0000000000400000-0x000000000042A000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\hu-hu.exe	smss.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\sl-SI\sl-SI.exe	smss.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\zh-Hant.exe	smss.exe
File created	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\pl.exe	smss.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\js.exe	smss.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\da-dk.exe	smss.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\ja.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\Source Engine.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\VSTA.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\uk-UA.exe	smss.exe
File created	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\pt-BR.exe	smss.exe
File created	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\fr.exe	smss.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\fr.exe	smss.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\es.exe	smss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\THEMES16.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\SATIN.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\Download\Admin Porn.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\DataModel.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\BOLDSTRI.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\Portal.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\da-DK\da-DK.exe	smss.exe
File created	\??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\6.0.27.exe	smss.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\ko.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\root.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\AFTRNOON.exe	smss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\ENFR.exe	smss.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\css.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\123.0.6312.123\123.0.6312.123.exe	smss.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknumpad\osknumpad.exe	smss.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\Triedit\en-US\en-US.exe	smss.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\sk-sk.exe	smss.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskpred\oskpred.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\es-ES.exe	smss.exe
File created	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\pt-BR.exe	smss.exe
File opened for modification	\??\c:\Program Files\Windows Sidebar\Shared Gadgets\New Folder(2).exe	smss.exe
File created	\??\c:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\ko-kr.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\el-GR\el-GR.exe	smss.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\pt-BR\pt-BR.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\ru-RU\ru-RU.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\DAO\DAO.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\VSTO.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\osknav\osknav.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\LISTS.exe	smss.exe
File created	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VGX\VGX.exe	smss.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Pipeline.v10.0.exe	smss.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\cs-CZ\cs-CZ.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\de-DE\de-DE.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\uk-UA\uk-UA.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\ja-JP.exe	smss.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\pl.exe	smss.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\zh-Hans.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\Smart Tag.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\Cartridges.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\hr-HR\hr-HR.exe	smss.exe
File opened for modification	\??\c:\Program Files\Common Files\microsoft shared\ink\nl-NL\nl-NL.exe	smss.exe
File created	\??\c:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypad.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\SKY.exe	smss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATERMAR\WATERMAR.exe	smss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\Portal.exe	smss.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\Cultures.exe	smss.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\pl.exe	smss.exe
File created	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\zh-Hant.exe	smss.exe
File created	\??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\SUMIPNTG.exe	smss.exe
File opened for modification	\??\c:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\pl.exe	smss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\system\msvbvm60.dll	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File opened for modification	C:\Windows\lsass.exe	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File created	\??\c:\Windows\WinSxS\amd64_netfx-shared_netfx_20_mscorwks_31bf3856ad364e35_10.0.19041.1_none_359f84f8e5af60e2\New Folder.scr	smss.exe
File created	\??\c:\Windows\WinSxS\x86_netfx-shared_netfx_20_perfcounter_31bf3856ad364e35_10.0.19041.1_none_a723631dce180fe0\Admin Porn.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\r\r.exe	smss.exe
File opened for modification	\??\c:\Windows\ServiceProfiles\LocalService\Downloads\New Folder(2).exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.84_none_81616275259e37fe\Data Admin.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-candidateui_31bf3856ad364e35_10.0.19041.746_none_ab42fb092bda9182\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-update-upshared_31bf3856ad364e35_10.0.19041.1151_none_025296d718a7b3a8\f\f.exe	smss.exe
File opened for modification	C:\Windows\033126405.exe	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\l532055.exe	lsass.exe
File created	\??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..ce-shared.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c3d467c525734eb3\Admin Porn.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\r\r.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedpc-sharedpccsp_31bf3856ad364e35_10.0.19041.746_none_4cfe603abbcbfd86\r\r.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_de598551b74a3964\r\r.exe	smss.exe
File opened for modification	\??\c:\Windows\SystemResources\Windows.ShellCommon.SharedResources\PRIS\PRIS.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-u..tyvm-sysprep-shared_31bf3856ad364e35_10.0.19041.1_none_3ba048793ab5eb3f\Data Admin.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.1_none_3a3c49005c947bac\New Folder(2).exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\Admin Porn.exe	smss.exe
File created	\??\c:\Windows\SystemResources\Windows.ShellCommon.SharedResources\Images\Images.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_c494b3b28da10665\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\Admin Porn.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.1_none_b6514808f7d87b1a\Admin Porn.exe	smss.exe
File opened for modification	C:\Windows\13506\bb633507l.com	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..-eashared-imebroker_31bf3856ad364e35_10.0.19041.844_none_67b5915b5651dd8a\r\r.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-t..ervices-tsfairshare_31bf3856ad364e35_10.0.19041.746_none_0b33a1c93a22de1c\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\msil_microsoft.powershel..filedownloadmanager_31bf3856ad364e35_10.0.19041.1_none_cb69bad627df9263\New Folder(2).exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\r\r.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_6242879b1c08046f\f\f.exe	smss.exe
File created	C:\Windows\13506\bb633507l.com	winlogon.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess_31bf3856ad364e35_10.0.19041.746_none_e2c6a972a81b8d2c\Admin Porn.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_e2f5ebbcec2d8fca\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost.resources_31bf3856ad364e35_10.0.19041.789_en-us_58ebf9ecc407e3c0\r\r.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\Foto Admin.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\f\f.exe	smss.exe
File opened for modification	\??\c:\Windows\SoftwareDistribution\Download\SharedFileCache\New Folder.scr	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_hyperv-compute-cont..utionservice-shared_31bf3856ad364e35_10.0.19041.1_none_0bc0f3d4cd7dc8fd\Data Admin.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-d..e-eashared-kjshared_31bf3856ad364e35_10.0.19041.746_none_2610450c30b37cc4\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\New Folder(2).exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-t..boration-sharer-api_31bf3856ad364e35_10.0.19041.84_none_cee95e04c201c860\Admin Porn.exe	smss.exe
File created	C:\Windows\13506\system.exe	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File created	C:\Windows\system\msvbvm60.dll	service.exe
File created	\??\c:\Windows\SystemResources\Windows.UI.ShellCommon\SharePickerUI\Assets\Assets.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..e-eashared-moimeexe_31bf3856ad364e35_10.0.19041.746_none_d01527cffa9c25bc\Foto Admin.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-hvsi-manager-shared_31bf3856ad364e35_10.0.19041.1266_none_7916f7558927ae23\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-i..nearshareexperience_31bf3856ad364e35_10.0.19041.1288_none_ca3007304990b2ea\r\r.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-mccs-engineshared_31bf3856ad364e35_10.0.19041.746_none_d404daff82e97769\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.264_none_d58d4747b1d5988c\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.1_none_d12f2a9a88909fc2\New Folder.scr	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-onecore-sharehost_31bf3856ad364e35_10.0.19041.1202_none_621728fcd3c9d5f6\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-sharedaccess.resources_31bf3856ad364e35_10.0.19041.1_it-it_f1a0741e853eda74\New Folder.scr	smss.exe
File opened for modification	C:\Windows\lsass.exe	system.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..ashared-filemanager_31bf3856ad364e35_10.0.19041.844_none_855aff45853749ef\r\r.exe	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-d..me-eashared-coretip_31bf3856ad364e35_10.0.19041.844_none_57eddd48e7a74274\f\f.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_10.0.19041.906_none_f962ab5f47e1e896\r\r.exe	smss.exe
File created	\??\c:\Windows\WinSxS\wow64_microsoft-windows-s..ty-kerbclientshared_31bf3856ad364e35_10.0.19041.1288_none_6115038ba57fcb33\f\f.exe	smss.exe
File opened for modification	C:\Windows\13506\bb633507l.com	winlogon.exe
File created	\??\c:\Windows\SoftwareDistribution\Download\SharedFileCache\New Folder.scr	smss.exe
File created	\??\c:\Windows\WinSxS\amd64_microsoft-windows-h..public-utils-shared_31bf3856ad364e35_10.0.19041.1202_none_d8a1416ab7cccdcf\New Folder(2).exe	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	service.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	service.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	lsass.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
2932	service.exe
4572	smss.exe
4388	system.exe
32	winlogon.exe
1332	lsass.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2932	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	86
PID 1788 wrote to memory of 2932	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	86
PID 1788 wrote to memory of 2932	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	86
PID 1788 wrote to memory of 4572	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	87
PID 1788 wrote to memory of 4572	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	87
PID 1788 wrote to memory of 4572	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	87
PID 1788 wrote to memory of 4388	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	88
PID 1788 wrote to memory of 4388	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	88
PID 1788 wrote to memory of 4388	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	88
PID 1788 wrote to memory of 32	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	89
PID 1788 wrote to memory of 32	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	89
PID 1788 wrote to memory of 32	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	89
PID 1788 wrote to memory of 1332	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	90
PID 1788 wrote to memory of 1332	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	90
PID 1788 wrote to memory of 1332	1788	cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe	90

C:\Users\Admin\AppData\Local\Temp\cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe
"C:\Users\Admin\AppData\Local\Temp\cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\31414\service.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\31414\service.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2932
- C:\Windows\13506\smss.exe
  "C:\Windows\13506\smss.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4572
- C:\Windows\13506\system.exe
  "C:\Windows\13506\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4388
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\31414\winlogon.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\31414\winlogon.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:32
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Drops startup file
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd

Filesize
192KB

MD5
34aecdd4f2902747753a153bc618c01a

SHA1
4a96da412827a61e430dfb527b1844762b542e3d

SHA256
12437ce82302ca42dcefdb446182f70c901f360f1983ad2bd7915364a56d1a41

SHA512
de0fbbb3a565da873bc16fb2425e330f6aed6809b821eed464f72f799a446da8bd6b0a3608cc26d10244c445c363c80f452a6d96aba75ee3f3341897062f4994

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\startup\adodb.cmd

Filesize
128KB

MD5
1b48a332341034cc8202e488e1f5b89a

SHA1
e91c6de6ce327fce0e8f4dc091cfcecad321dc4a

SHA256
9feb662ff66e32853e9d8a10ffa296f85b81cb27161de0af4695d9f92cc8709f

SHA512
ecb9541ba9f4b9e4331e987e5f40c378ed11bc4a9b02e23054df28f12862b3c2c11d691d393f1cb8263bc883104f5f1d11d3458660f6180c0c3e3d6472ca88e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\31414\service.exe

Filesize
2.1MB

MD5
3884cdbc07e9b701a7b073afd9dd9384

SHA1
36586b7e0352881addfa461b8128936484adbf1d

SHA256
cf0b1500c01287e179b8f38a13ca5d357669aec67cbabf8f12651ac58a76944d

SHA512
5c42bd33fc896d1dab1537907523c9aee884fd33de50baf51f9912dd8494b4de28b8e33c69725b712316cd93ec6095cc120e4eedb5a651c0fc930215480e8c1b

Download Submit
C:\Windows\MoonLight.txt

Filesize
176B

MD5
56473592d37a13c9098b21cb442e60fd

SHA1
6f0f49440289a6cef1d93e8c785747a3fb318688

SHA256
acdcb1f96825ca74387ebe03f2a12291f7678da2cf6092607aea2dab6982cf35

SHA512
6c635dc4f1ce55b54e39992531b0a4024c213af7fc3ab0f5b2642a932cb2201e7037a60e37c7aad42308ab7a84f0a2c655391935749d76f02ae7c3afd765dd2a

Download Submit
C:\Windows\SysWOW64\crtsys.dll

Filesize
120B

MD5
84decabdef64c9f2e16474ae4ee5b967

SHA1
10e10f3e5ee555a6f20689c236d2402283dcc896

SHA256
4c30336857ec7582fa5c6e95fd76b02771907ac422622f0084dfb5bb9cccac7e

SHA512
7bb9d64331bd9bfa1e9d186a0e2f22faa540736101d98cb58085fe0757a422662ea2eb5dca7a6f3ed9487fd049f8999520cfb3048ef794df72d6c2c4d2230c95

Download Submit
C:\Windows\SysWOW64\moonlight.scr

Filesize
2.1MB

MD5
ee2e618b4112c4738a53dffe944769df

SHA1
b71d0826b8885af1a01e6b3c70d926f6a31bd34f

SHA256
44d064d4dca7d92705a188f20ce5b8955dc3cb1e94928fc3ca6d2b83a0acc0a1

SHA512
98527d339e6e49897a2f0d68937961ab20d5bca811739b14605bd8c25764fef0adbdb811aedf2de0f54f9503c25320bb0e51d6087b218997e4efee4ba70d541d

Download Submit
C:\Windows\SysWOW64\moonlight.scr

Filesize
2.1MB

MD5
0e52dc72e22b3e03de9d485b29322c47

SHA1
5f26f1e2b216053c745b7005b6a5f866dc899fa7

SHA256
e7a0d908cb15a715e1d6e55a21ab342abcd45e539f020fbddc7fe37b7a713b14

SHA512
6592b102dacbf3d6c6a386f0f352616a550b8ed0aa15c636ee8cea2bad828850ff05d0eb60e9c58ba0586c6afb5aba6099161d242d021f8749fadbcfa52f0c02

Download Submit
C:\Windows\SysWOW64\moonlight.scr

Filesize
2.1MB

MD5
f3c114a21bfbb4e897c9f856be2c7c3a

SHA1
c248fe083a48a7c9406a97c4a4850f453ce49e37

SHA256
822f75ec9e44810307f985d30d4a60161bea98c4902c419a26e025fed8f4fc6b

SHA512
0cad883f36d97a1177a0d275774671f1e9b28319f36b0d1df3b7ef096ee8c7e5ccf5cd4e5cf3d2292f1c85c46da2184f67f5f0de08b7d3887480e6c1a452e85f

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
7b75603a79c4dae0945af01b62d13766

SHA1
2f7b5b5a327f61f05a0568e8cbd60a453f670881

SHA256
bd99d8c268d198dc6a7470581b6e807bcdbab2c38ef35774ce4a7736c9fb09e9

SHA512
993dddbf4d7d9d1fa35e74d88cc5d9c1b205cdc8cae10cba6b3e2d96e45911bf106303c81dd3bb1dd46208ad70968762f67b1ae4fc18c9e5b7faef46dd789a97

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
21386d8979f7cc2aa2a4393cb4709e9c

SHA1
73348d6e829e8e62ee329db2c22eb51161d980b3

SHA256
294e0a93f503356676b9251aaab32789c8059bdd8f4a009fb3a5021ed8fae970

SHA512
002eb5a0450219b832c12f2aad7231778b2e3c80814d45f67bf654082266315666d69b8267c1d34ffdd7dd2c9146cd86a9f64da69a4ecd1985e460db27d94a68

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
c1371e343f7c6b4a4fb179e5ff04a02c

SHA1
14e877f8e3b24e7ed6473bedef8316a58ad79e71

SHA256
fdc56b84da4d802d24ce45fa168b5351bd53e2c754743d6e414483049ac7171c

SHA512
c925036b5581ed9eaaba1add108e5ac1348b0072e17288499d9c13ba207d17d9d694e7cabbf4108764df96c424828b39fb998d4bf57dbdfe24fa70dc9d2fcf63

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
128KB

MD5
a0224c645b578c1d5f1c8572a0b85926

SHA1
b14c5add99c3d3bb351082aa68572eda2254866d

SHA256
7e8e46423d804764b723288f99f09afbe9a7b794a677f0b191d948523fbad35c

SHA512
74db0d3b086b68b2c92c9b1bf187f076c9bcf26afe9e4352e439827a1272ae0d4fb41ef194ce80a9686b6b58ccdaba84fc6299e695de163a23244d78fe79f255

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.4MB

MD5
6d2170fe1089c198f758a7f2403d0e32

SHA1
a165b8894b3ad04da5696e4b3ed53dd7bd94301f

SHA256
0cc33d18b183bd7de6d23caa3bbd118be322d51f83ccd37517bdb119d024e22a

SHA512
fe9dae7c78e5c1b760a5caa43b4960d8aaa137fe4aca92244d6d2fc280d241bd60cb39336c37054a6c850dacec686eeb14df8be769ca60203fe7b09c8f17530e

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
192KB

MD5
b1bbb62a1f02341bf14929284d985907

SHA1
60779a0498d314384b133ce737c39450a38be205

SHA256
e8cd83998a18db42e3e2459ec00e2c0d54223446253030b332591b808a0af91a

SHA512
ce73ec9202d8231fd44ad6bb88f30d64be9b99633f5e9a7803ea1db0883047ef26711cea21aa635f80b6b8d9c8477abd91b6190d647c81235c179ce4baf2c374

Download Submit
memory/32-1315-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1026-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1289-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1265-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1240-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1215-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1187-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-920-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1049-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1077-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-106-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1105-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1158-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/32-1003-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1332-162-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1332-890-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1788-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1788-175-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1184-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1262-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1046-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1312-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-911-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1286-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1074-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-917-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1236-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1023-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1102-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1209-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1000-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1155-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2932-1127-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1264-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1048-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1002-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1157-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1314-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-77-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1238-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1076-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-919-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1104-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1288-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1025-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4388-1129-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1185-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1128-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1075-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-918-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1263-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1237-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-916-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1024-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1213-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1103-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1001-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1156-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4572-1047-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads