5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
17/10/2022, 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
Size

170KB
MD5

2e9d01b8649d28ea0a5471c12e8b2b78
SHA1

3eadff1e644b3f4dc509e8661029d1fa63223a48
SHA256

5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8
SHA512

28fb65f1946348b42cac1c7679d858bc24c3966ee8ef423368116052fb7b81b86dc06c68ad04596336182669065f1818ee902c07d2badee41d579d74ad083355
SSDEEP

3072:pCcKpzOpm3uKQCDWeyDKVPy7THK4WZZzUR9Lr0lQbN:k7zOSuccuVqfp2+So

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\\YQW7J5P.exe\""	system.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe

ACProtect 1.3x - 1.4x DLL software 5 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000900000001230f-70.dat	acprotect
behavioral1/files/0x000900000001230f-96.dat	acprotect
behavioral1/files/0x000900000001230f-106.dat	acprotect
behavioral1/files/0x000900000001230f-134.dat	acprotect
behavioral1/files/0x000900000001230f-143.dat	acprotect

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 4 IoCs

pid	Process
944	service.exe
888	smss.exe
296	system.exe
1924	lsass.exe

Sets file execution options in registry 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000900000001230f-70.dat	upx
behavioral1/files/0x000900000001230f-96.dat	upx
behavioral1/files/0x000900000001230f-106.dat	upx
behavioral1/files/0x000900000001230f-134.dat	upx
behavioral1/files/0x000900000001230f-143.dat	upx
behavioral1/memory/296-144-0x0000000010000000-0x0000000010075000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RUN	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sLR8O1U0 = "C:\\Windows\\system32\\DVT4D0VWEN2J3H.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0J5PEN = "C:\\Windows\\RTG8O1U.exe"	system.exe

Drops desktop.ini file(s) 28 IoCs

description	ioc	Process
File created	\??\UNC\RYNKSFQE\A$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\F$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\K$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\Z$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\R$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\T$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\W$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\G$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\H$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\S$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\C$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\I$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\O$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\P$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\D$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\L$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\M$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\X$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\ADMIN$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\J$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\N$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\Q$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\U$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\B$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\E$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\V$\desktop.ini	lsass.exe
File created	\??\UNC\RYNKSFQE\Y$\desktop.ini	lsass.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\F:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\Q:	service.exe

Drops file in System32 directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\DVT4D0VWEN2J3H.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\SKL8P0Y\DVT4D0V.cmd	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\POS2X0K.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\DVT4D0VWEN2J3H.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\SKL8P0Y	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\SysWOW64\SKL8P0Y\DVT4D0V.cmd	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\SysWOW64\DVT4D0VWEN2J3H.exe	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\SysWOW64\SKL8P0Y	smss.exe
File opened for modification	C:\Windows\SysWOW64\POS2X0K.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\SKL8P0Y	system.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\DVT4D0VWEN2J3H.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\SKL8P0Y\DVT4D0V.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\SysWOW64\SKL8P0Y	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\SysWOW64\SKL8P0Y\DVT4D0V.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\SKL8P0Y\DVT4D0V.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\DVT4D0VWEN2J3H.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\POS2X0K.exe	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\SysWOW64\POS2X0K.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\POS2X0K.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\SKL8P0Y	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	system.exe
File created	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\zia01688	system.exe
File opened for modification	C:\Windows\RTG8O1U.exe	lsass.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\RTG8O1U.exe	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}	system.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\UXU1Y8R.com	service.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\YQW7J5P.exe	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\RTG8O1U.exe	system.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	lsass.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\YQW7J5P.exe	service.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	smss.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	system.exe
File opened for modification	C:\Windows\WEN2J3H.exe	system.exe
File opened for modification	C:\Windows\moonlight.dll	lsass.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}	lsass.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	lsass.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\YQW7J5P.exe	lsass.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	service.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}	smss.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\UXU1Y8R.com	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\RTG8O1U.exe	service.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\WEN2J3H.exe	smss.exe
File opened for modification	C:\Windows\moonlight.dll	system.exe
File created	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe	service.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	service.exe
File opened for modification	C:\Windows\cypreg.dll	smss.exe
File created	C:\Windows\MooNlight.R.txt	smss.exe
File opened for modification	C:\Windows\WEN2J3H.exe	lsass.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\MYpIC.zip	system.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\UXU1Y8R.com	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\WEN2J3H.exe	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\YQW7J5P.exe	smss.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\UXU1Y8R.com	system.exe
File opened for modification	C:\Windows\moonlight.dll	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}	service.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	smss.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe	lsass.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\UXU1Y8R.com	lsass.exe
File opened for modification	C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	296	system.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
944	service.exe
888	smss.exe
296	system.exe
1924	lsass.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 944	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	27
PID 1048 wrote to memory of 944	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	27
PID 1048 wrote to memory of 944	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	27
PID 1048 wrote to memory of 944	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	27
PID 1048 wrote to memory of 888	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	28
PID 1048 wrote to memory of 888	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	28
PID 1048 wrote to memory of 888	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	28
PID 1048 wrote to memory of 888	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	28
PID 1048 wrote to memory of 296	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	29
PID 1048 wrote to memory of 296	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	29
PID 1048 wrote to memory of 296	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	29
PID 1048 wrote to memory of 296	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	29
PID 1048 wrote to memory of 1924	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	30
PID 1048 wrote to memory of 1924	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	30
PID 1048 wrote to memory of 1924	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	30
PID 1048 wrote to memory of 1924	1048	5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe	30

C:\Users\Admin\AppData\Local\Temp\5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe
"C:\Users\Admin\AppData\Local\Temp\5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe
  "C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:944
- C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe
  "C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:888
- C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe
  "C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Sets file execution options in registry
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:296
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:1924

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\UXU1Y8R.com

Filesize
170KB

MD5
30ee6daccaa1d33f522db91e9607b876

SHA1
a010afbcbd6658d8c65c82fcef00a50dd4b5135b

SHA256
e78b15e8c11bf84ab1d0f1767c2d7c0a82c6f8a21f90d94c69df98365c165de4

SHA512
87030f5ed556e8cd223eafd5d47b59e7d7de260a80324f0909a2061d2146c81c42bf596726a05434a7e12f54c2e8992748974e4851a6332241e566951cd9476f

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\UXU1Y8R.com

Filesize
170KB

MD5
58a100691231c8b1e323852bcca5de49

SHA1
a3a4a235a007a5e6fe582244f7e59b650f932c7e

SHA256
27476c347a448361b265925f70093b764c92ad678ed1903629076f86ac3849fd

SHA512
85930e6fa8ffb06a45ae0dbdd569364420e770b402691f855f96cd7c60418d7d74942b7387bb9683825295142d8060dbf4e0613d603695a5903c212e1705b1e2

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\UXU1Y8R.com

Filesize
170KB

MD5
08b8b19857b0bd56df4e44f52cf1d92d

SHA1
8ccaa25365d0349144618df69e061cba4ee1251b

SHA256
a5f9bb0cc9316a9e9976af8349105409913f816efd2b5ee08b6a992be8a3a84a

SHA512
1d3b7acd0ea66a1e2e1700e89b1ee10d27289894183f53212bbbdc131120f144fc2ba16d207d827bb08a8d1bbaa761047706b29993d5dcdd85dc192b88d52bae

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\UXU1Y8R.com

Filesize
170KB

MD5
43eb10ee94e186cc8bafc13b28fa370f

SHA1
0d160613c95d1c84d7806217f9bfeeeef44ad35c

SHA256
8f5847dcce803110f952551998567f49034bc2ebb7778039e1d3696456743eb9

SHA512
8a5d5d5cb78c2441f407fa3e74ea18ebc8c7cba19c438258a1c63989f408605b6ec23fb758edc7051b709d2ae0ad90074c88d23f41ca59adf2264cb97b204236

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\YQW7J5P.exe

Filesize
170KB

MD5
47c8c67fce334a4f617c343b73502f49

SHA1
0d955748b2be356f97c7948f2bf4eab4afd8b428

SHA256
2d12fc69efe618a5fbdf8e1324bd038ac625473b841cef2341dc2297d71fd92b

SHA512
9a72b27a2286b51b61fcb655d21060fb5472aa80176b8cff709b647aca5605662a0f35f0838c62d206bfdda0b4ee7468f7bf52c5604719287b20d3dc0c3921bf

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\YQW7J5P.exe

Filesize
170KB

MD5
544abc2d84685e5ee25dc30029cae9e9

SHA1
39e16512fdebd9df50b562d977defc321dcc6374

SHA256
c70e7776eef907d6d87efc31441ee4cf21ff32d60c0002a1afe4fec8065ff6c8

SHA512
456aa8a6d8cda0f8681954ee5cd262e4e032736d9a79142d81dae74261fb576cb98545cb436b1793f7422e862410a0243f10790d80b78b1f3884ade8d627ad28

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
170KB

MD5
6fb2adce7891001ba1387979c1f0e0ac

SHA1
6be58e6942049aba4290fc277ec3370b41dc82bf

SHA256
d6ff26751acbe1d09096a59acd4406fad3b8e873085fd5d9162630d3347e5433

SHA512
6a581128690e69b62e11a12a3098486a59238366a45f3ea59b214b56d3df7cf059ff248c155fc1b9073da91b8c9fbbfad607d1b2170329a44c187cf6dd2f2720

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\regedit.cmd

Filesize
170KB

MD5
82ba0cb8c274beaff0bc476b0592bf42

SHA1
713324ab55783b0ceae0a4a6e52513742941f780

SHA256
a9da831e03736bdb8a12f53462874e596ece45158cb7956597bbf52f6c13d054

SHA512
e38ae72c87bdd3421c3af901e51a15784a9ad1d3074b41afffb1d8340084f94d0ebc7ddf5ebf98f720c75e640b5c66edc2fcef79270c96f8e63f59b9b1892e8c

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
170KB

MD5
2e94fb1b1642b6f76385ee973103d4d5

SHA1
64826293e53967b4cfa1146eeebae2a5600b93d4

SHA256
bc636d8c9cde2de08682dd66b97dc481131ce64d0574cea8f78fdfc6ed609216

SHA512
e0202ea92b3bcafbf00a6d653304e56f88a50f1b3cfd3b1ab742ad2df7faa41baffcff240ca02ee069438822190413e12c1cfb59813bcd648e160cd47f330f35

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
170KB

MD5
2e94fb1b1642b6f76385ee973103d4d5

SHA1
64826293e53967b4cfa1146eeebae2a5600b93d4

SHA256
bc636d8c9cde2de08682dd66b97dc481131ce64d0574cea8f78fdfc6ed609216

SHA512
e0202ea92b3bcafbf00a6d653304e56f88a50f1b3cfd3b1ab742ad2df7faa41baffcff240ca02ee069438822190413e12c1cfb59813bcd648e160cd47f330f35

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
170KB

MD5
b3b6e84e97e2fe485a6843a07f42a080

SHA1
2078e01df03f078f19aa83671f6575a3d11b77ad

SHA256
a2bfe6b46d5a37546ff5967360f8719a500824d47a05cf8321932a4da863fb95

SHA512
3da0b4b461d34e11f036536e35d28ddafdb7726ffc7afce7e0862f27f22a9b6b1c58faa83ace0a39f78f05dafe488f4cb33cd3b57f8f6f6e6f72003f9a9851dd

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
170KB

MD5
b3b6e84e97e2fe485a6843a07f42a080

SHA1
2078e01df03f078f19aa83671f6575a3d11b77ad

SHA256
a2bfe6b46d5a37546ff5967360f8719a500824d47a05cf8321932a4da863fb95

SHA512
3da0b4b461d34e11f036536e35d28ddafdb7726ffc7afce7e0862f27f22a9b6b1c58faa83ace0a39f78f05dafe488f4cb33cd3b57f8f6f6e6f72003f9a9851dd

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
170KB

MD5
b62cff525543e1b2b772580c1c70168a

SHA1
79a57bce2c07b83ca85510312a3d0787d3e5d982

SHA256
3fa81d2fc46b0e93c3deca67aa76df276629de96240d8b9ce550c4c425ef1f91

SHA512
805527b0d32f5d896ad27a336089eab6afcfcce3f5d8d831fe76e3c52e15d3ed6ad0d3872b67673425d0727e3ac0afa1bd1d3a681cc7f8518f862ac64528cdf1

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
170KB

MD5
b62cff525543e1b2b772580c1c70168a

SHA1
79a57bce2c07b83ca85510312a3d0787d3e5d982

SHA256
3fa81d2fc46b0e93c3deca67aa76df276629de96240d8b9ce550c4c425ef1f91

SHA512
805527b0d32f5d896ad27a336089eab6afcfcce3f5d8d831fe76e3c52e15d3ed6ad0d3872b67673425d0727e3ac0afa1bd1d3a681cc7f8518f862ac64528cdf1

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

Filesize
170KB

MD5
4d9e36558a2fba68eb8d06f9fc6fd0b6

SHA1
df26a9bbf338c87e822f9276f3a1a4f116f56b13

SHA256
e6ad685476a6798017b841693ff5b848cf76c636b19596420589339546d19656

SHA512
1ac2bfdbd01bff80eb920143730d60385633704b62e23f46e6c90671d63276f74fc9130ed68e100d8645f9a2fe49473c6acd14293995ce8d0293fec49acfb92e

Download Submit
C:\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\winlogon.exe

Filesize
170KB

MD5
2e9d01b8649d28ea0a5471c12e8b2b78

SHA1
3eadff1e644b3f4dc509e8661029d1fa63223a48

SHA256
5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8

SHA512
28fb65f1946348b42cac1c7679d858bc24c3966ee8ef423368116052fb7b81b86dc06c68ad04596336182669065f1818ee902c07d2badee41d579d74ad083355

Download Submit
C:\Windows\RTG8O1U.exe

Filesize
170KB

MD5
2e94fb1b1642b6f76385ee973103d4d5

SHA1
64826293e53967b4cfa1146eeebae2a5600b93d4

SHA256
bc636d8c9cde2de08682dd66b97dc481131ce64d0574cea8f78fdfc6ed609216

SHA512
e0202ea92b3bcafbf00a6d653304e56f88a50f1b3cfd3b1ab742ad2df7faa41baffcff240ca02ee069438822190413e12c1cfb59813bcd648e160cd47f330f35

Download Submit
C:\Windows\RTG8O1U.exe

Filesize
170KB

MD5
4d9e36558a2fba68eb8d06f9fc6fd0b6

SHA1
df26a9bbf338c87e822f9276f3a1a4f116f56b13

SHA256
e6ad685476a6798017b841693ff5b848cf76c636b19596420589339546d19656

SHA512
1ac2bfdbd01bff80eb920143730d60385633704b62e23f46e6c90671d63276f74fc9130ed68e100d8645f9a2fe49473c6acd14293995ce8d0293fec49acfb92e

Download Submit
C:\Windows\RTG8O1U.exe

Filesize
170KB

MD5
ca30ea531da6a82742c5a89a3c134da9

SHA1
34c615aec58cce09a75052ef243824e1c8db9416

SHA256
47a7655741935b9a35e89b591b48885f50c7526af2b55d84f12f126c5acc6916

SHA512
48e2dace5ca9a6d63029fbddbc6cc62201ef0d42cf3405ce344d07263b9d9ad63d485136c89cb5eba6179c6d364e7ef6bd37dfcf2dfa663440689801be829963

Download Submit
C:\Windows\RTG8O1U.exe

Filesize
170KB

MD5
2e9d01b8649d28ea0a5471c12e8b2b78

SHA1
3eadff1e644b3f4dc509e8661029d1fa63223a48

SHA256
5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8

SHA512
28fb65f1946348b42cac1c7679d858bc24c3966ee8ef423368116052fb7b81b86dc06c68ad04596336182669065f1818ee902c07d2badee41d579d74ad083355

Download Submit
C:\Windows\SysWOW64\DVT4D0VWEN2J3H.exe

Filesize
170KB

MD5
aaa1ee429560cbc30a63d67ce02e1e1a

SHA1
d7333c41a705ff51634567459b04cfe5cc9b9eaa

SHA256
8b18936c08bdb408e99c96d35fa21e83f50e2770736a6ff7e003876f51f92bbc

SHA512
0816542e3a895cf1e72abd7092c57358340648f11293e427c60b9101177096c525d006581a5b0e80368e5a1b23ab49005cbb9ad7870f95a01895158428512b37

Download Submit
C:\Windows\SysWOW64\DVT4D0VWEN2J3H.exe

Filesize
170KB

MD5
2e9d01b8649d28ea0a5471c12e8b2b78

SHA1
3eadff1e644b3f4dc509e8661029d1fa63223a48

SHA256
5f8ec4048bb8f44f9e4909f57e9cd8880a0c30f1037b7b576443d32c146117b8

SHA512
28fb65f1946348b42cac1c7679d858bc24c3966ee8ef423368116052fb7b81b86dc06c68ad04596336182669065f1818ee902c07d2badee41d579d74ad083355

Download Submit
C:\Windows\SysWOW64\DVT4D0VWEN2J3H.exe

Filesize
170KB

MD5
ca30ea531da6a82742c5a89a3c134da9

SHA1
34c615aec58cce09a75052ef243824e1c8db9416

SHA256
47a7655741935b9a35e89b591b48885f50c7526af2b55d84f12f126c5acc6916

SHA512
48e2dace5ca9a6d63029fbddbc6cc62201ef0d42cf3405ce344d07263b9d9ad63d485136c89cb5eba6179c6d364e7ef6bd37dfcf2dfa663440689801be829963

Download Submit
C:\Windows\SysWOW64\DVT4D0VWEN2J3H.exe

Filesize
170KB

MD5
bb3a6d27b8a51fc51867de9bebdfbf85

SHA1
0eb0addd9f7e680e334b5a71ddcd8d7db26291a1

SHA256
18043e8fabb479ccaf5368e40c4c460d2004d2fd6aff8bde70033d22bc7cb1cc

SHA512
0e4c56f1d77b49d042b027be1d1a28532297108e570afef24ab113547893cca367cb0b662098740d39010bf9e3e2fa0494b3c43fc49fb8d3e5f65804ab6555b5

Download Submit
C:\Windows\SysWOW64\POS2X0K.exe

Filesize
170KB

MD5
aaa1ee429560cbc30a63d67ce02e1e1a

SHA1
d7333c41a705ff51634567459b04cfe5cc9b9eaa

SHA256
8b18936c08bdb408e99c96d35fa21e83f50e2770736a6ff7e003876f51f92bbc

SHA512
0816542e3a895cf1e72abd7092c57358340648f11293e427c60b9101177096c525d006581a5b0e80368e5a1b23ab49005cbb9ad7870f95a01895158428512b37

Download Submit
C:\Windows\SysWOW64\POS2X0K.exe

Filesize
170KB

MD5
213533355bebb33e0710c19becb97bd1

SHA1
17e32dea46599ddac9a769ca770b200853bae82b

SHA256
6a2fd5b35dab2ee10753130fdd3b8f6802a9854d69e723c50bd6ceaa535bb389

SHA512
196f203b5cbd40054e86259a0ecd2784819fa1f1ddcde26e6cd6a513641cd3c48694dea7b32de03d591bc1ba644f058ab96cbae10724f62761359bf3f0880b44

Download Submit
C:\Windows\SysWOW64\POS2X0K.exe

Filesize
170KB

MD5
47c8c67fce334a4f617c343b73502f49

SHA1
0d955748b2be356f97c7948f2bf4eab4afd8b428

SHA256
2d12fc69efe618a5fbdf8e1324bd038ac625473b841cef2341dc2297d71fd92b

SHA512
9a72b27a2286b51b61fcb655d21060fb5472aa80176b8cff709b647aca5605662a0f35f0838c62d206bfdda0b4ee7468f7bf52c5604719287b20d3dc0c3921bf

Download Submit
C:\Windows\SysWOW64\POS2X0K.exe

Filesize
170KB

MD5
2e94fb1b1642b6f76385ee973103d4d5

SHA1
64826293e53967b4cfa1146eeebae2a5600b93d4

SHA256
bc636d8c9cde2de08682dd66b97dc481131ce64d0574cea8f78fdfc6ed609216

SHA512
e0202ea92b3bcafbf00a6d653304e56f88a50f1b3cfd3b1ab742ad2df7faa41baffcff240ca02ee069438822190413e12c1cfb59813bcd648e160cd47f330f35

Download Submit
C:\Windows\SysWOW64\SKL8P0Y\DVT4D0V.cmd

Filesize
170KB

MD5
6fb2adce7891001ba1387979c1f0e0ac

SHA1
6be58e6942049aba4290fc277ec3370b41dc82bf

SHA256
d6ff26751acbe1d09096a59acd4406fad3b8e873085fd5d9162630d3347e5433

SHA512
6a581128690e69b62e11a12a3098486a59238366a45f3ea59b214b56d3df7cf059ff248c155fc1b9073da91b8c9fbbfad607d1b2170329a44c187cf6dd2f2720

Download Submit
C:\Windows\SysWOW64\SKL8P0Y\DVT4D0V.cmd

Filesize
170KB

MD5
2e94fb1b1642b6f76385ee973103d4d5

SHA1
64826293e53967b4cfa1146eeebae2a5600b93d4

SHA256
bc636d8c9cde2de08682dd66b97dc481131ce64d0574cea8f78fdfc6ed609216

SHA512
e0202ea92b3bcafbf00a6d653304e56f88a50f1b3cfd3b1ab742ad2df7faa41baffcff240ca02ee069438822190413e12c1cfb59813bcd648e160cd47f330f35

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
a5df0669bed4fb8a27388adcb3a74cea

SHA1
1ae8d2eec75fa0420da314bbb2963766e207059c

SHA256
405ab24762c0793c223d0639dbfdbd99254c974f54ed1dc9604ad6fe8f798482

SHA512
1c65af18eac6146e559ed299071c7c7a68a562e3d76553ed717369d056c8896a47f3492d43bf2dda81b2ac0c767b7b7abfdfac2d23c1cef29db7a54049c971fa

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
a5df0669bed4fb8a27388adcb3a74cea

SHA1
1ae8d2eec75fa0420da314bbb2963766e207059c

SHA256
405ab24762c0793c223d0639dbfdbd99254c974f54ed1dc9604ad6fe8f798482

SHA512
1c65af18eac6146e559ed299071c7c7a68a562e3d76553ed717369d056c8896a47f3492d43bf2dda81b2ac0c767b7b7abfdfac2d23c1cef29db7a54049c971fa

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
a5df0669bed4fb8a27388adcb3a74cea

SHA1
1ae8d2eec75fa0420da314bbb2963766e207059c

SHA256
405ab24762c0793c223d0639dbfdbd99254c974f54ed1dc9604ad6fe8f798482

SHA512
1c65af18eac6146e559ed299071c7c7a68a562e3d76553ed717369d056c8896a47f3492d43bf2dda81b2ac0c767b7b7abfdfac2d23c1cef29db7a54049c971fa

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
127B

MD5
e1a6af5b372e406c2f71dd12b6cd64ce

SHA1
89583011189aad47169e5d58e4a3bb968f69df6f

SHA256
02633cf0e3ca835884cc9f692271686e7c4922441c1d4b6c2f231ec6a09e8a29

SHA512
c7d883802e796fad030e09cc16dbf6de6349db4b5238f2e50aa012d6eb5184554194940e738078bf2ead3827e426d166ff7e2350cf3ecfabcd172090a20a0d94

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
a5df0669bed4fb8a27388adcb3a74cea

SHA1
1ae8d2eec75fa0420da314bbb2963766e207059c

SHA256
405ab24762c0793c223d0639dbfdbd99254c974f54ed1dc9604ad6fe8f798482

SHA512
1c65af18eac6146e559ed299071c7c7a68a562e3d76553ed717369d056c8896a47f3492d43bf2dda81b2ac0c767b7b7abfdfac2d23c1cef29db7a54049c971fa

Download Submit
C:\Windows\WEN2J3H.exe

Filesize
170KB

MD5
43eb10ee94e186cc8bafc13b28fa370f

SHA1
0d160613c95d1c84d7806217f9bfeeeef44ad35c

SHA256
8f5847dcce803110f952551998567f49034bc2ebb7778039e1d3696456743eb9

SHA512
8a5d5d5cb78c2441f407fa3e74ea18ebc8c7cba19c438258a1c63989f408605b6ec23fb758edc7051b709d2ae0ad90074c88d23f41ca59adf2264cb97b204236

Download Submit
C:\Windows\WEN2J3H.exe

Filesize
170KB

MD5
08b8b19857b0bd56df4e44f52cf1d92d

SHA1
8ccaa25365d0349144618df69e061cba4ee1251b

SHA256
a5f9bb0cc9316a9e9976af8349105409913f816efd2b5ee08b6a992be8a3a84a

SHA512
1d3b7acd0ea66a1e2e1700e89b1ee10d27289894183f53212bbbdc131120f144fc2ba16d207d827bb08a8d1bbaa761047706b29993d5dcdd85dc192b88d52bae

Download Submit
C:\Windows\WEN2J3H.exe

Filesize
170KB

MD5
30ee6daccaa1d33f522db91e9607b876

SHA1
a010afbcbd6658d8c65c82fcef00a50dd4b5135b

SHA256
e78b15e8c11bf84ab1d0f1767c2d7c0a82c6f8a21f90d94c69df98365c165de4

SHA512
87030f5ed556e8cd223eafd5d47b59e7d7de260a80324f0909a2061d2146c81c42bf596726a05434a7e12f54c2e8992748974e4851a6332241e566951cd9476f

Download Submit
C:\Windows\WEN2J3H.exe

Filesize
170KB

MD5
8bda638b2928ada9d70c341ee5674ca2

SHA1
cff1b603cdbaf5523d1f94dd2b5fd08677af9658

SHA256
2c24520af759d77924f1c17d363331c7ec5655694ed4515fda1f863eda235190

SHA512
875e60179e7cc55c240d9b56e7c0c307c72a77295a336d4c11bf4cde630ccc5895a281992ffe630042e55f93f58cbda28c98ffe2f5fc457a05895c8f05d4d416

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
eb44e8097c1eb2a5e1a22f393ddd6d45

SHA1
f80e54c86d77ee8d994cc966a3feaa6ccd261ef7

SHA256
dc97e08dbc2c3efcfa73031a94604224608c524a3b32dd73972e9422c3cc4566

SHA512
c6e4af7b8ca84818dd969345c29c100f9288e9dd98ac8fcf9f11b09cf0659acc26c9107d54228b4decd9e68988fd275579235ce715507a139bee8f002441d90c

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
65a3ed6f11ee1ee326e040a1348e49c1

SHA1
fc5a7b62fca85ea1b59089ddd42c61c9a4174556

SHA256
45c87ad35ff04e777d59cf81520d85bbef33f124c029e0f66c099d9ca001b8e1

SHA512
34cf8335336f998b3f7ea37ecb90a8e0ba0e49549be9970d2a0601aa59431759bdfc12ab8210549e6b4e8b6a311f494372a63a8bab23dd8685e9166e185b870a

Download Submit
C:\Windows\lsass.exe

Filesize
170KB

MD5
b62cff525543e1b2b772580c1c70168a

SHA1
79a57bce2c07b83ca85510312a3d0787d3e5d982

SHA256
3fa81d2fc46b0e93c3deca67aa76df276629de96240d8b9ce550c4c425ef1f91

SHA512
805527b0d32f5d896ad27a336089eab6afcfcce3f5d8d831fe76e3c52e15d3ed6ad0d3872b67673425d0727e3ac0afa1bd1d3a681cc7f8518f862ac64528cdf1

Download Submit
C:\Windows\lsass.exe

Filesize
170KB

MD5
b62cff525543e1b2b772580c1c70168a

SHA1
79a57bce2c07b83ca85510312a3d0787d3e5d982

SHA256
3fa81d2fc46b0e93c3deca67aa76df276629de96240d8b9ce550c4c425ef1f91

SHA512
805527b0d32f5d896ad27a336089eab6afcfcce3f5d8d831fe76e3c52e15d3ed6ad0d3872b67673425d0727e3ac0afa1bd1d3a681cc7f8518f862ac64528cdf1

Download Submit
C:\Windows\lsass.exe

Filesize
170KB

MD5
b62cff525543e1b2b772580c1c70168a

SHA1
79a57bce2c07b83ca85510312a3d0787d3e5d982

SHA256
3fa81d2fc46b0e93c3deca67aa76df276629de96240d8b9ce550c4c425ef1f91

SHA512
805527b0d32f5d896ad27a336089eab6afcfcce3f5d8d831fe76e3c52e15d3ed6ad0d3872b67673425d0727e3ac0afa1bd1d3a681cc7f8518f862ac64528cdf1

Download Submit
C:\Windows\lsass.exe

Filesize
170KB

MD5
b62cff525543e1b2b772580c1c70168a

SHA1
79a57bce2c07b83ca85510312a3d0787d3e5d982

SHA256
3fa81d2fc46b0e93c3deca67aa76df276629de96240d8b9ce550c4c425ef1f91

SHA512
805527b0d32f5d896ad27a336089eab6afcfcce3f5d8d831fe76e3c52e15d3ed6ad0d3872b67673425d0727e3ac0afa1bd1d3a681cc7f8518f862ac64528cdf1

Download Submit
C:\Windows\lsass.exe

Filesize
170KB

MD5
108ac24cea492ced4f126c3dd1eab189

SHA1
d3120075e79ebc4effe9bbbc105236fa5b0f7c00

SHA256
55da62a18651c3d05e3bf43ef676baa63c4bd2f8c648911ed5eafc60bb179371

SHA512
6ad0ed500bba91097d92cb550e924e9ba04d071d366b62400038325af9c18ef23220e0f58f7df68676d011e865ec87279b2215b16c469d2fb15e7092ddf3ef1a

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
b8449b22ac12063d2fda7f59a53134fa

SHA1
b6be749ee311f9d9403ddb16e1ca454d7b541c0c

SHA256
aa1ae9873ce2e396c4d770e09e670be98de9c5a66300300f4289ec883579c5ab

SHA512
f1840b95f7a066378f2f1daf4635e9afc4522c8d80751eb989b3ac9f2b6f8c9241bbeaa9f25dc38eadaebd6d2817b0ea5ac722e9f8a0c441121901086e26a70a

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
deb587c0534f75f5ec60619bb5423c91

SHA1
177417687ab7741c2904625700d0150dd40a18b4

SHA256
1a80c97d3f4aaa82eff53e2abf6256cb5ca77a6819cf266a7f1772de40277606

SHA512
17626ceb67a31c85b6e49ea7d4b9be3c0799f26b436c68734fb200872b9f239c6c4866ce199182748f17c4b1420b79ac05cac45377542907b3980616e74c4b6f

Download Submit
\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
170KB

MD5
2e94fb1b1642b6f76385ee973103d4d5

SHA1
64826293e53967b4cfa1146eeebae2a5600b93d4

SHA256
bc636d8c9cde2de08682dd66b97dc481131ce64d0574cea8f78fdfc6ed609216

SHA512
e0202ea92b3bcafbf00a6d653304e56f88a50f1b3cfd3b1ab742ad2df7faa41baffcff240ca02ee069438822190413e12c1cfb59813bcd648e160cd47f330f35

Download Submit
\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\service.exe

Filesize
170KB

MD5
2e94fb1b1642b6f76385ee973103d4d5

SHA1
64826293e53967b4cfa1146eeebae2a5600b93d4

SHA256
bc636d8c9cde2de08682dd66b97dc481131ce64d0574cea8f78fdfc6ed609216

SHA512
e0202ea92b3bcafbf00a6d653304e56f88a50f1b3cfd3b1ab742ad2df7faa41baffcff240ca02ee069438822190413e12c1cfb59813bcd648e160cd47f330f35

Download Submit
\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
170KB

MD5
b3b6e84e97e2fe485a6843a07f42a080

SHA1
2078e01df03f078f19aa83671f6575a3d11b77ad

SHA256
a2bfe6b46d5a37546ff5967360f8719a500824d47a05cf8321932a4da863fb95

SHA512
3da0b4b461d34e11f036536e35d28ddafdb7726ffc7afce7e0862f27f22a9b6b1c58faa83ace0a39f78f05dafe488f4cb33cd3b57f8f6f6e6f72003f9a9851dd

Download Submit
\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\smss.exe

Filesize
170KB

MD5
b3b6e84e97e2fe485a6843a07f42a080

SHA1
2078e01df03f078f19aa83671f6575a3d11b77ad

SHA256
a2bfe6b46d5a37546ff5967360f8719a500824d47a05cf8321932a4da863fb95

SHA512
3da0b4b461d34e11f036536e35d28ddafdb7726ffc7afce7e0862f27f22a9b6b1c58faa83ace0a39f78f05dafe488f4cb33cd3b57f8f6f6e6f72003f9a9851dd

Download Submit
\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
170KB

MD5
b62cff525543e1b2b772580c1c70168a

SHA1
79a57bce2c07b83ca85510312a3d0787d3e5d982

SHA256
3fa81d2fc46b0e93c3deca67aa76df276629de96240d8b9ce550c4c425ef1f91

SHA512
805527b0d32f5d896ad27a336089eab6afcfcce3f5d8d831fe76e3c52e15d3ed6ad0d3872b67673425d0727e3ac0afa1bd1d3a681cc7f8518f862ac64528cdf1

Download Submit
\Windows\GLR1T4H.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe

Filesize
170KB

MD5
b62cff525543e1b2b772580c1c70168a

SHA1
79a57bce2c07b83ca85510312a3d0787d3e5d982

SHA256
3fa81d2fc46b0e93c3deca67aa76df276629de96240d8b9ce550c4c425ef1f91

SHA512
805527b0d32f5d896ad27a336089eab6afcfcce3f5d8d831fe76e3c52e15d3ed6ad0d3872b67673425d0727e3ac0afa1bd1d3a681cc7f8518f862ac64528cdf1

Download Submit
memory/296-125-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/296-147-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/296-144-0x0000000010000000-0x0000000010075000-memory.dmp

Filesize
468KB

Download
memory/888-124-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/888-146-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/944-145-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/944-123-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1048-56-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1048-122-0x0000000003060000-0x00000000030B8000-memory.dmp

Filesize
352KB

Download
memory/1048-121-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/1048-120-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1048-131-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1924-141-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download
memory/1924-148-0x0000000000400000-0x0000000000458000-memory.dmp

Filesize
352KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads