99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7

Analysis

max time kernel
59s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
21-05-2022 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe
Size

5.3MB
MD5

3e4e6091833b5b343142199f591d9fc2
SHA1

c8da3112aec96c69874b08a34e9adb7245babde3
SHA256

99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7
SHA512

0f8c4c1aa612c0fc00c3383017a41b013f7ab483a685c1d2c0ad48d28da7274c5532915d6a7c34dc7a22fcde26aa4825d8dae5c0e010e29d99362858a172926c

Score

8^/10

evasion

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

7Z.EXEkms_x64.exe

pid process

1656 7Z.EXE
1536 kms_x64.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

pid	process
1656	7Z.EXE
1536	kms_x64.exe

Loads dropped DLL 3 IoCs

Processes:

99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe

pid	process
1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe
1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe
1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe

AutoIT Executable 3 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
\Windows\_temp05212022386408\kms_x64.exe	autoit_exe
C:\Windows\_temp05212022386408\kms_x64.exe	autoit_exe
C:\Windows\_temp05212022386408\kms_x64.exe	autoit_exe

Drops file in Windows directory 64 IoCs

Processes:

7Z.EXE99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe

description	ioc	process
File created	C:\Windows\_temp05212022386408\OEM\cert\CREAAS.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\PHILCO.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\TOSASU.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\VSCAIO.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\OEMDumpNET35.exe	7Z.EXE
File created	C:\Windows\_temp05212022386408\7Z.EXE	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe
File created	C:\Windows\_temp05212022386408\OEM\cert\SYSMAX.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\cert.7z	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe
File opened for modification	C:\Windows\_temp05212022386408\SvcTrigger.xml	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\LENOVO.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\DigitalLicence.7z	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe
File opened for modification	C:\Windows\_temp05212022386408\x64	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\ALWARE.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\ATCOMP.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\IBM.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\pic\ewm_wx.jpg	7Z.EXE
File created	C:\Windows\_temp05212022386408\SvcTrigger.xml	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\BEKOPC.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\ITINFO.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\MSI_NB.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\CGWALL.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\TOSHIB.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\KMSmini.7z	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe
File created	C:\Windows\_temp05212022386408\x64\SetACL.exe	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\x64\WinDivert64.sys	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\pic\ewm_zfb.jpg	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\LOGIN2.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\QBEXCO.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\TRIGEM.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\HCLINF.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\MSI_NB.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert	7Z.EXE
File created	C:\Windows\_temp05212022386408\pic\Windows.jpg	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OtherOfficeOSPP\slerror.xml	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\JETWAY.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\SYNNEX.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\TOSCPL.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\LOGIN2.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\OLISLP.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\LGE.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\POSITI.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\SECCSD.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\pic\left.jpg	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\FOUNDR.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\NOKIA.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\kms.exe	7Z.EXE
File created	C:\Windows\_temp05212022386408\OtherOfficeOSPP\OSPP.VBS	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\x64\msvcr100.dll	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\gr1dr1	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\CMSCOM.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\bootrest.exe	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\pic\ewm_wx.jpg	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\BENQ.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\CCELNF.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\DATATE.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\NEC.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\kms-server.exe	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\ALWARE.xrm-ms	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\PRDGT.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\gr1dr2	7Z.EXE
File created	C:\Windows\_temp05212022386408\OtherOfficeOSPP\slerror.xml	7Z.EXE
File opened for modification	C:\Windows\_temp05212022386408\OEM\cert\LENOVO.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\OEM\cert\SECCSD.xrm-ms	7Z.EXE
File created	C:\Windows\_temp05212022386408\x64\cleanospp.exe	7Z.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe

NTFS ADS 2 IoCs

Processes:

99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exekms_x64.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\winmgmts:	kms_x64.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

kms_x64.exe

pid process

1536 kms_x64.exe

pid	process
1536	kms_x64.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe

pid	process
1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe
1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.execmd.execmd.exe

description	pid	process	target process
PID 1784 wrote to memory of 1896	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1896	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1896	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1896	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1972	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1972	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1972	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1972	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 840	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 840	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 840	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 840	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 840 wrote to memory of 1800	840	cmd.exe	netsh.exe
PID 840 wrote to memory of 1800	840	cmd.exe	netsh.exe
PID 840 wrote to memory of 1800	840	cmd.exe	netsh.exe
PID 840 wrote to memory of 1800	840	cmd.exe	netsh.exe
PID 1784 wrote to memory of 584	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 584	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 584	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 584	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 584 wrote to memory of 1356	584	cmd.exe	netsh.exe
PID 584 wrote to memory of 1356	584	cmd.exe	netsh.exe
PID 584 wrote to memory of 1356	584	cmd.exe	netsh.exe
PID 584 wrote to memory of 1356	584	cmd.exe	netsh.exe
PID 1784 wrote to memory of 1656	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	7Z.EXE
PID 1784 wrote to memory of 1656	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	7Z.EXE
PID 1784 wrote to memory of 1656	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	7Z.EXE
PID 1784 wrote to memory of 1656	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	7Z.EXE
PID 1784 wrote to memory of 1272	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1272	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1272	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1272	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 288	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 288	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 288	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 288	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1008	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1008	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1008	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1008	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	cmd.exe
PID 1784 wrote to memory of 1536	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	kms_x64.exe
PID 1784 wrote to memory of 1536	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	kms_x64.exe
PID 1784 wrote to memory of 1536	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	kms_x64.exe
PID 1784 wrote to memory of 1536	1784	99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe	kms_x64.exe

C:\Users\Admin\AppData\Local\Temp\99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe
"C:\Users\Admin\AppData\Local\Temp\99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Modifies Internet Explorer settings
- NTFS ADS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo [Temp] >%windir%\ScriptTemp.ini
2⤵
PID:1896

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c echo Temp=_temp05212022386408 >>%windir%\ScriptTemp.ini
2⤵
PID:1972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
2⤵
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall delete rule name="HEU_KMS_Activator"
3⤵
PID:1800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\Admin\AppData\Local\Temp\99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:584

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="HEU_KMS_Activator" dir=in action=allow profile=any program="C:\Users\Admin\AppData\Local\Temp\99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe"
3⤵
PID:1356

C:\Windows\_temp05212022386408\7Z.EXE
C:\Windows\_temp05212022386408\7Z.EXE x C:\Windows\_temp05212022386408\KMSmini.7z -y -oC:\Windows\_temp05212022386408
2⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo [Direction] >%windir%\_temp05212022386408\ScriptDir.ini
2⤵
PID:1272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo Dir=C:\Users\Admin\AppData\Local\Temp >>%windir%\_temp05212022386408\ScriptDir.ini
2⤵
PID:288

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c set "Path=%SystemRoot%;%SystemRoot%\system32;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;" & echo Name=99f37be737f2a1d0cfe958cc65fde94c310689d59304845c6e9a882bb75c08a7.exe >>%windir%\_temp05212022386408\ScriptDir.ini
2⤵
PID:1008

C:\Windows\_temp05212022386408\kms_x64.exe
C:\Windows\_temp05212022386408\kms_x64.exe
2⤵
- Executes dropped EXE
- NTFS ADS
- Suspicious behavior: GetForegroundWindowSpam
PID:1536

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ScriptTemp.ini
Filesize
9B

MD5
c999b467ee495f6effd312ba405d77b0

SHA1
b76723ee41b7a8dd2230f11840683b88adeec3ca

SHA256
7cb0b3d2b9d157fbf86a7a882edb46b5b1b3d1936e21dd1254f9bafc9fd07d03

SHA512
1a94e9a519b1c8dc88fbc2cc6d95336df36c8b4c7b01f06b5a46bfa0491970934b6df22360dddf348f9dcd80ffa09aeb3af29b2cce5a042021f3e49d8a12d444

Download Submit
C:\Windows\ScriptTemp.ini
Filesize
36B

MD5
b7ad63dee38fb57371877489d3f13bdd

SHA1
7894aa35375d8578cec6f16831cfc9328cf56940

SHA256
4f0a69bd81f14d0816d2e4a09bf7aa254afc6cd99ff08b7fd0ab53a4174b662d

SHA512
e38a69fc99e549df4f37c8fd96e35232fabd2bb794e3b37b5af1c1d3f86db3fb93d8697ee8dd93296bfb15fa87257bb0840aa8a88db87ce6c2b9edb731835bfe

Download Submit
C:\Windows\_temp05212022386408\7Z.EXE
Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Windows\_temp05212022386408\KMSmini.7z
Filesize
2.2MB

MD5
19d6252765eb66809bec9ac0ba8b02e8

SHA1
7070e76e18532f7b78678d7e606906b683e83c87

SHA256
f3b4e65e959b0a7e7f9cb926740699d74fcc07bcfdf9667526d2bd3a3d9d08f8

SHA512
6ca5a4c99c51a8633b23e24702cf727a4dcf36fa2b4dccac39e9da42648aa43820e307c818b2aaf81aa7a4a0cd00b588463d0359798f9b176fd8389ba7568734

Download Submit
C:\Windows\_temp05212022386408\ScriptDir.ini
Filesize
54B

MD5
8ae2dae3a0651c88dc193f63deb0cdee

SHA1
4466469ed06e699dd8647263c4060fec752c5cc0

SHA256
b70662ce78f1b79d25502b40e95718f6f118ff4526f7e8153adf785e90e11f50

SHA512
1440888a5703c818053a3e7de13410e65dde4500ccfba3e1161eca05244fe5f4a7309fc1e20fddfdedfb669fdb0ec3ca6577a5f42b4400c06b1205e6929f9058

Download Submit
C:\Windows\_temp05212022386408\ScriptDir.ini
Filesize
130B

MD5
460acd8037387e23306d3673693f9a58

SHA1
849809aa178b10c39cd324e2bfa7c4abc5f5ecea

SHA256
5fbe685e0f41b00aaff0ea289efe560b15acccb8507e8c63111cab3ee695cd72

SHA512
7ca9e5197e96ba843bb503cb1e97e173bc3f4a7452fbbe904e33c7f72456bdda6626d63b546b0582c4a6a4aa7d8b5432a4db52e46400e8bc8d8cd6be685bc7e5

Download Submit
C:\Windows\_temp05212022386408\kms_x64.exe
Filesize
1.1MB

MD5
3cff65359b6bb21bdcf3195a88784f37

SHA1
c76a4b003bb9a39425c031512e5de845353264c4

SHA256
ee58b25b152479356ab5d6575aae2c755df9ea339731558fa16582900708b3fc

SHA512
27febd02d700a4072fb2190070366d5fc006683819fbf4ebf77948a167d7735cabf020bf8a309a7e579e4c0993794d7785bfacab32febf56307f5a709dd06863

Download Submit
C:\Windows\_temp05212022386408\kms_x64.exe
Filesize
1.1MB

MD5
3cff65359b6bb21bdcf3195a88784f37

SHA1
c76a4b003bb9a39425c031512e5de845353264c4

SHA256
ee58b25b152479356ab5d6575aae2c755df9ea339731558fa16582900708b3fc

SHA512
27febd02d700a4072fb2190070366d5fc006683819fbf4ebf77948a167d7735cabf020bf8a309a7e579e4c0993794d7785bfacab32febf56307f5a709dd06863

Download Submit
C:\Windows\_temp05212022386408\pic\ewm_wx.jpg
Filesize
32KB

MD5
362e94b6ad5ac32ced1e9c84b7409506

SHA1
094584059b3e3462da4298b651a92d1fd0691325

SHA256
1f81e6d61080adbbacb425c21bc9fc8eb33269da462cbf00fbf6be3bdb14c308

SHA512
672a21ffbdc578e820e307acef68bd1cb0a252adc3e2dd6f097fb6320bb313f89711e71c232589b78bb856323e062424a73edfd5720a68e4d7b67c044cc7fdab

Download Submit
C:\Windows\_temp05212022386408\pic\ewm_zfb.jpg
Filesize
33KB

MD5
d3a12977fffc2002685151f0af5143ea

SHA1
ac3c887bee44748fa9192aaa32606ea768b9e459

SHA256
f046f91eac3dbe86d9e2dcc11281ca855a96f15a8f8ed62f0216f3076826fa35

SHA512
4247aee80b6f55466d4ba2fc6b3d9ba76575cbdbc74b96cb810768d396c1e7469cbcc2d81cd4f7c79a39bf1a69ad3fd14a97e97156d6ff2ef43e4c56be5885d0

Download Submit
C:\Windows\_temp05212022386408\pic\head.jpg
Filesize
28KB

MD5
069d803d68fa5bb3bade568a8f6bc1ce

SHA1
dbb7b41831d705b762a2b87a6f8e7cb4ee6fc9e5

SHA256
9c047b20f9baa9fdeadd70d93cce5fc5f31d1c4f446cb2d9acc523209e6c75e3

SHA512
abeb1e94bc63fdc5496b354b8788cdb249e92b0fe0829f8a0052f5b8d4f09309b62dbc85f2fe1370c527f97f9e45ac0aabde44bedf9175792db90131432be885

Download Submit
C:\Windows\_temp05212022386408\pic\left.jpg
Filesize
17KB

MD5
ea96d8162a586640d7ac631f52b83372

SHA1
36984ec6b439cd61210b80ba29c46348310aecdd

SHA256
5e74ac75bf1609aa8e05316d19121e24b095b6796dd330d6fa7a6c084db2c03b

SHA512
f561b801aec17d899c260dcb06d46b8664f82e9be6cb6791c567ffd76c175a1eb2668a9f4806b403db8c9eca343c906562771b88a45d67fc2b197bb5f0cc2ceb

Download Submit
C:\Windows\_temp05212022386408\pic\ver.ico
Filesize
22KB

MD5
3b456048c963f39b7b918c34742dff8d

SHA1
8dd5bd2f1dc5f896d3cb14cdec7691c42a60ec9a

SHA256
d352bbe8c271cc9007a841a5b7db960262fc85cae580f9814eb0b5c7e7e0b7e8

SHA512
abc38e1de5d9c982975965b784b692f6e8220bcb6e19cf0e66105a3207477f7cc03710e4563aa86666cfc4c411b0ea110c9e9efe827d26ea76a5e82010629a96

Download Submit
C:\Windows\_temp05212022386408\pic\zanzhu.ico
Filesize
24KB

MD5
94306384efdadfdcea096a022738bf1e

SHA1
72385c23173686ac2500ba3bca094c0c94e76212

SHA256
9672b50641ba9f9f1735fee2d3ba4fdc5bda18545530ee1869e01c25618c1345

SHA512
38f7de2ab148daea9f879665459fe374b1032b10eb1be6769fa17ffc8fc9b12a4bf8b9822a3bca2c8704aec7a996d5fe058e2a759a21f351162a8fcca729bbdf

Download Submit
\Windows\_temp05212022386408\7Z.EXE
Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Windows\_temp05212022386408\7Z.EXE
Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
\Windows\_temp05212022386408\kms_x64.exe
Filesize
1.1MB

MD5
3cff65359b6bb21bdcf3195a88784f37

SHA1
c76a4b003bb9a39425c031512e5de845353264c4

SHA256
ee58b25b152479356ab5d6575aae2c755df9ea339731558fa16582900708b3fc

SHA512
27febd02d700a4072fb2190070366d5fc006683819fbf4ebf77948a167d7735cabf020bf8a309a7e579e4c0993794d7785bfacab32febf56307f5a709dd06863

Download Submit
memory/288-72-0x0000000000000000-mapping.dmp

Download
memory/584-63-0x0000000000000000-mapping.dmp

Download
memory/840-59-0x0000000000000000-mapping.dmp

Download
memory/1008-74-0x0000000000000000-mapping.dmp

Download
memory/1272-71-0x0000000000000000-mapping.dmp

Download
memory/1356-64-0x0000000000000000-mapping.dmp

Download
memory/1536-79-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1536-77-0x0000000000000000-mapping.dmp

Download
memory/1656-68-0x0000000000000000-mapping.dmp

Download
memory/1784-54-0x00000000765F1000-0x00000000765F3000-memory.dmp

Filesize
8KB

Download
memory/1800-60-0x0000000000000000-mapping.dmp

Download
memory/1896-55-0x0000000000000000-mapping.dmp

Download
memory/1972-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads