f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a

Analysis

max time kernel
154s
max time network
159s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
Size

278KB
MD5

08793715570c4e82e126a8cad2bf43b3
SHA1

121378053d0554e3abd2d97cb9fe9aa33b4c62d7
SHA256

f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a
SHA512

97126b07d47262aba4b5fdead7b9b74352ca9bd62738878cb915376d7109a6c8e4d6864dda09f10509864334bcffc6715cffb0961b750c0b81b4bcae90efc658
SSDEEP

6144:cR27i9mD3yJidmJOVsjnc6N0oPtdTpd4izD6zKSAEOgQcK:cR27i9VEdmMVsTc6NXdT9zOeiml

Score

10^/10

evasion persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WEK7L1X\\FUD8N6T.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\WEK7L1X\\FUD8N6T.exe\""	system.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	lsass.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	lsass.exe

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000122e1-92.dat	acprotect
behavioral1/files/0x00080000000122e1-119.dat	acprotect
behavioral1/files/0x00080000000122e1-128.dat	acprotect
behavioral1/files/0x00080000000122e1-143.dat	acprotect

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 5 IoCs

pid	Process
2004	service.exe
612	smss.exe
1684	system.exe
520	winlogon.exe
2044	lsass.exe

Sets file execution options in registry 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\WEK7L1X\\regedit.cmd"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Windows\\WEK7L1X\\regedit.cmd"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "C:\\Windows\\notepad.exe"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Windows\\notepad.exe"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	lsass.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000122e1-92.dat	upx
behavioral1/files/0x00080000000122e1-119.dat	upx
behavioral1/files/0x00080000000122e1-128.dat	upx
behavioral1/files/0x00080000000122e1-143.dat	upx
behavioral1/memory/1684-161-0x00000000033E0000-0x0000000003455000-memory.dmp	upx

Loads dropped DLL 14 IoCs

pid	Process
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
2004	service.exe
1684	system.exe
520	winlogon.exe
612	smss.exe
2044	lsass.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0N6TIR = "C:\\Windows\\VXK0S2X.exe"	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RUN	system.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sEK0S2X0 = "C:\\Windows\\system32\\HYX5H1CDIR4M4L.exe"	system.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\0N6TIR = "C:\\Windows\\VXK0S2X.exe"	system.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\RUN	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\sEK0S2X0 = "C:\\Windows\\system32\\HYX5H1CDIR4M4L.exe"	lsass.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	service.exe
File opened (read-only)	\??\U:	service.exe
File opened (read-only)	\??\V:	service.exe
File opened (read-only)	\??\W:	service.exe
File opened (read-only)	\??\F:	service.exe
File opened (read-only)	\??\H:	service.exe
File opened (read-only)	\??\I:	service.exe
File opened (read-only)	\??\J:	service.exe
File opened (read-only)	\??\X:	service.exe
File opened (read-only)	\??\Y:	service.exe
File opened (read-only)	\??\Z:	service.exe
File opened (read-only)	\??\K:	service.exe
File opened (read-only)	\??\S:	service.exe
File opened (read-only)	\??\G:	service.exe
File opened (read-only)	\??\L:	service.exe
File opened (read-only)	\??\N:	service.exe
File opened (read-only)	\??\O:	service.exe
File opened (read-only)	\??\T:	service.exe
File opened (read-only)	\??\E:	service.exe
File opened (read-only)	\??\M:	service.exe
File opened (read-only)	\??\P:	service.exe
File opened (read-only)	\??\Q:	service.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\HYX5H1CDIR4M4L.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	system.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\SysWOW64\NMP1V8I.exe	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F\HYX5H1C.cmd	service.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F	system.exe
File opened for modification	C:\Windows\SysWOW64\NMP1V8I.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	service.exe
File opened for modification	C:\Windows\SysWOW64\HYX5H1CDIR4M4L.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\HYX5H1CDIR4M4L.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F\HYX5H1C.cmd	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F\HYX5H1C.cmd	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F\HYX5H1C.cmd	system.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\HYX5H1CDIR4M4L.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\NMP1V8I.exe	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\SysWOW64\HYX5H1CDIR4M4L.exe	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\SysWOW64\NMP1V8I.exe	service.exe
File opened for modification	C:\Windows\SysWOW64\HYX5H1CDIR4M4L.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F	smss.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	lsass.exe
File opened for modification	C:\Windows\SysWOW64\systear.dll	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\SysWOW64\NMP1V8I.exe	system.exe
File opened for modification	C:\Windows\SysWOW64\NMP1V8I.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F	lsass.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F\HYX5H1C.cmd	lsass.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\WOP1S2F\HYX5H1C.cmd	smss.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\lsass.exe	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\WEK7L1X\regedit.cmd	service.exe
File opened for modification	C:\Windows\WEK7L1X\smss.exe	service.exe
File opened for modification	C:\Windows\WEK7L1X\SVR1V7P.com	system.exe
File opened for modification	C:\Windows\WEK7L1X\smss.exe	winlogon.exe
File opened for modification	C:\Windows\WEK7L1X	smss.exe
File opened for modification	C:\Windows\cypreg.dll	lsass.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\WEK7L1X	system.exe
File opened for modification	C:\Windows\DIR4M4L.exe	lsass.exe
File created	C:\Windows\WEK7L1X\MYpIC.zip	system.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	service.exe
File opened for modification	C:\Windows\WEK7L1X\system.exe	system.exe
File opened for modification	C:\Windows\DIR4M4L.exe	winlogon.exe
File opened for modification	C:\Windows\WEK7L1X\smss.exe	lsass.exe
File opened for modification	C:\Windows\64enc.en	system.exe
File opened for modification	C:\Windows\WEK7L1X\service.exe	service.exe
File opened for modification	C:\Windows\WEK7L1X\FUD8N6T.exe	system.exe
File opened for modification	C:\Windows\WEK7L1X\FUD8N6T.exe	winlogon.exe
File opened for modification	C:\Windows\WEK7L1X\service.exe	lsass.exe
File opened for modification	C:\Windows\WEK7L1X\service.exe	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\lsass.exe	service.exe
File opened for modification	C:\Windows\WEK7L1X\smss.exe	system.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\WEK7L1X\FUD8N6T.exe	lsass.exe
File opened for modification	C:\Windows\cypreg.dll	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\WEK7L1X\winlogon.exe	service.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	smss.exe
File opened for modification	C:\Windows\WEK7L1X\smss.exe	smss.exe
File opened for modification	C:\Windows\WEK7L1X\MYpIC.zip	system.exe
File opened for modification	C:\Windows\WEK7L1X\system.exe	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	winlogon.exe
File opened for modification	C:\Windows\moonlight.dll	service.exe
File opened for modification	C:\Windows\WEK7L1X\winlogon.exe	smss.exe
File opened for modification	C:\Windows\WEK7L1X\system.exe	smss.exe
File opened for modification	C:\Windows\lsass.exe	smss.exe
File opened for modification	C:\Windows\WEK7L1X\SVR1V7P.com	smss.exe
File opened for modification	C:\Windows\onceinabluemoon.mid	lsass.exe
File opened for modification	C:\Windows\VXK0S2X.exe	winlogon.exe
File opened for modification	C:\Windows\WEK7L1X	service.exe
File opened for modification	C:\Windows\cypreg.dll	service.exe
File opened for modification	C:\Windows\moonlight.dll	winlogon.exe
File opened for modification	C:\Windows\lsass.exe	winlogon.exe
File opened for modification	C:\Windows\moonlight.dll	smss.exe
File opened for modification	C:\Windows\WEK7L1X	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\cypreg.dll	system.exe
File opened for modification	C:\Windows\VXK0S2X.exe	smss.exe
File opened for modification	C:\Windows\moonlight.dll	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\DIR4M4L.exe	service.exe
File opened for modification	C:\Windows\WEK7L1X\service.exe	system.exe
File opened for modification	C:\Windows\WEK7L1X\SVR1V7P.com	winlogon.exe
File opened for modification	C:\Windows\WEK7L1X\regedit.cmd	smss.exe
File opened for modification	C:\Windows\WEK7L1X\winlogon.exe	lsass.exe
File created	C:\Windows\WEK7L1X\zia01736	system.exe
File opened for modification	C:\Windows\DIR4M4L.exe	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\WEK7L1X\SVR1V7P.com	service.exe
File opened for modification	C:\Windows\WEK7L1X\FUD8N6T.exe	service.exe
File opened for modification	C:\Windows\WEK7L1X\winlogon.exe	system.exe
File opened for modification	C:\Windows\cypreg.dll	winlogon.exe
File opened for modification	C:\Windows\WEK7L1X\service.exe	smss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\lsass.exe	lsass.exe
File opened for modification	C:\Windows\WEK7L1X\FUD8N6T.exe	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
File opened for modification	C:\Windows\WEK7L1X\SVR1V7P.com	lsass.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	lsass.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile	system.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\ = "File Folder"	system.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeBackupPrivilege	1684	system.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
2004	service.exe
1684	system.exe
520	winlogon.exe
2004	service.exe
612	smss.exe
1684	system.exe
520	winlogon.exe
612	smss.exe
2044	lsass.exe
2044	lsass.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 2004	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	27
PID 1456 wrote to memory of 2004	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	27
PID 1456 wrote to memory of 2004	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	27
PID 1456 wrote to memory of 2004	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	27
PID 1456 wrote to memory of 612	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	29
PID 1456 wrote to memory of 612	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	29
PID 1456 wrote to memory of 612	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	29
PID 1456 wrote to memory of 612	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	29
PID 1456 wrote to memory of 1684	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	28
PID 1456 wrote to memory of 1684	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	28
PID 1456 wrote to memory of 1684	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	28
PID 1456 wrote to memory of 1684	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	28
PID 1456 wrote to memory of 520	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	30
PID 1456 wrote to memory of 520	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	30
PID 1456 wrote to memory of 520	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	30
PID 1456 wrote to memory of 520	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	30
PID 1456 wrote to memory of 2044	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	31
PID 1456 wrote to memory of 2044	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	31
PID 1456 wrote to memory of 2044	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	31
PID 1456 wrote to memory of 2044	1456	f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe	31

C:\Users\Admin\AppData\Local\Temp\f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe
"C:\Users\Admin\AppData\Local\Temp\f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Windows\WEK7L1X\service.exe
  "C:\Windows\WEK7L1X\service.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2004
- C:\Windows\WEK7L1X\system.exe
  "C:\Windows\WEK7L1X\system.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1684
- C:\Windows\WEK7L1X\smss.exe
  "C:\Windows\WEK7L1X\smss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:612
- C:\Windows\WEK7L1X\winlogon.exe
  "C:\Windows\WEK7L1X\winlogon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:520
- C:\Windows\lsass.exe
  "C:\Windows\lsass.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies system executable filetype association
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\VCab.DLL

Filesize
33KB

MD5
955b398a5821396aa64045e758102295

SHA1
b727a84f2fb76f39e14d003bfd9bff1b3127aed1

SHA256
175acaad4dccc052b16eee2f904f4e393d47141e989b2468654d554b392d692a

SHA512
0b005d58d1f3c002eb082cfd47b0c2b7f8d350a93cc005e1ec282164fc9e083a259a87b44b56c25d8dece758e0ab275d13d32b11fc7cf7e6f3dfe43ea27b3744

Download Submit
C:\Windows\DIR4M4L.exe

Filesize
278KB

MD5
ee2d798908d4619d7dbc4b4cca96e34c

SHA1
800dbdbec09dc92f6835343ed6adef123dd49860

SHA256
5707a2891b864245d7d601647f43f1f6ab1ba0312d1959b1d8bd195c2f3eca7e

SHA512
4bcc23a6718ed265c8041f2c6cc16ab7c50bafcc22ac4e5cc6ed2f0c83f65e47be683a7fd44286767f5b96950f66d0021d67c2d870ca462fe18c37800158ae4d

Download Submit
C:\Windows\DIR4M4L.exe

Filesize
278KB

MD5
08793715570c4e82e126a8cad2bf43b3

SHA1
121378053d0554e3abd2d97cb9fe9aa33b4c62d7

SHA256
f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a

SHA512
97126b07d47262aba4b5fdead7b9b74352ca9bd62738878cb915376d7109a6c8e4d6864dda09f10509864334bcffc6715cffb0961b750c0b81b4bcae90efc658

Download Submit
C:\Windows\DIR4M4L.exe

Filesize
278KB

MD5
08793715570c4e82e126a8cad2bf43b3

SHA1
121378053d0554e3abd2d97cb9fe9aa33b4c62d7

SHA256
f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a

SHA512
97126b07d47262aba4b5fdead7b9b74352ca9bd62738878cb915376d7109a6c8e4d6864dda09f10509864334bcffc6715cffb0961b750c0b81b4bcae90efc658

Download Submit
C:\Windows\DIR4M4L.exe

Filesize
278KB

MD5
08793715570c4e82e126a8cad2bf43b3

SHA1
121378053d0554e3abd2d97cb9fe9aa33b4c62d7

SHA256
f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a

SHA512
97126b07d47262aba4b5fdead7b9b74352ca9bd62738878cb915376d7109a6c8e4d6864dda09f10509864334bcffc6715cffb0961b750c0b81b4bcae90efc658

Download Submit
C:\Windows\SysWOW64\HYX5H1CDIR4M4L.exe

Filesize
278KB

MD5
912dac7596eb24f1b6c9042a82e3aac6

SHA1
222649dc28d65b1f46e82ef434ae4d011d66c198

SHA256
2d71eaaaa33b61403a45ea1d98fbb7d8d6dd5b7cb88a77c5998d82b36496c7c9

SHA512
b811cc870d5f694150db791ba70eff152e2273e19acea8923704553124a525bd0366b4b51488cb9990fac90a9f4796b99db995156fcdcd7345c91f01ca581dae

Download Submit
C:\Windows\SysWOW64\HYX5H1CDIR4M4L.exe

Filesize
278KB

MD5
1c218ecd5cc1dc04d4618d3aea5f9d13

SHA1
0e1f60667538878d663723511ee55ed63e771fd2

SHA256
d2bc0e8df068c83b1a9db2521eb26d4a9188f8b9c6f6d2465c9dfca3caa1b746

SHA512
ef88e3a1f54e594d623419a201b10101d674a2b925c646e82912810e489505078e29dfedf0381a3549c4de303926e2b71fabf6a229573d76843f736cc0c67f7e

Download Submit
C:\Windows\SysWOW64\HYX5H1CDIR4M4L.exe

Filesize
278KB

MD5
1c218ecd5cc1dc04d4618d3aea5f9d13

SHA1
0e1f60667538878d663723511ee55ed63e771fd2

SHA256
d2bc0e8df068c83b1a9db2521eb26d4a9188f8b9c6f6d2465c9dfca3caa1b746

SHA512
ef88e3a1f54e594d623419a201b10101d674a2b925c646e82912810e489505078e29dfedf0381a3549c4de303926e2b71fabf6a229573d76843f736cc0c67f7e

Download Submit
C:\Windows\SysWOW64\NMP1V8I.exe

Filesize
278KB

MD5
d7fee5ca97fec831c4ce81f8b2a8d63a

SHA1
c7f91884c1da28aa1bff3f62aaaa610b39060438

SHA256
eebc92f9e3f615640e2ebe355516fbd5b7d3e1e2c84a4fadcfe313b5a7f19f14

SHA512
29cdb81ad451f9af6f5f7597259ed5399cd3691b1d7170796d4ef0d27344dcbb1bcdaf4059ad436d3d90664d6227bd414a082e0112a1f1f9a45ab98169729146

Download Submit
C:\Windows\SysWOW64\NMP1V8I.exe

Filesize
278KB

MD5
912dac7596eb24f1b6c9042a82e3aac6

SHA1
222649dc28d65b1f46e82ef434ae4d011d66c198

SHA256
2d71eaaaa33b61403a45ea1d98fbb7d8d6dd5b7cb88a77c5998d82b36496c7c9

SHA512
b811cc870d5f694150db791ba70eff152e2273e19acea8923704553124a525bd0366b4b51488cb9990fac90a9f4796b99db995156fcdcd7345c91f01ca581dae

Download Submit
C:\Windows\SysWOW64\NMP1V8I.exe

Filesize
278KB

MD5
912dac7596eb24f1b6c9042a82e3aac6

SHA1
222649dc28d65b1f46e82ef434ae4d011d66c198

SHA256
2d71eaaaa33b61403a45ea1d98fbb7d8d6dd5b7cb88a77c5998d82b36496c7c9

SHA512
b811cc870d5f694150db791ba70eff152e2273e19acea8923704553124a525bd0366b4b51488cb9990fac90a9f4796b99db995156fcdcd7345c91f01ca581dae

Download Submit
C:\Windows\SysWOW64\WOP1S2F\HYX5H1C.cmd

Filesize
278KB

MD5
d029338e4dd5162a875dc7741161d61e

SHA1
d58fed3e272da22ce5d0cd3a513f57c5f0dca9dd

SHA256
98158679bb4e8a2c77396c1cd0d58cbff4be1e6eeef2d2fb699a967d3072ebeb

SHA512
56206deac551fa92899d67bacc3a560a0b09afc504cbf7fec38d250c4e9d8717e87761023868b0d21a05fdf68192ab3d9850f99b208734247b61a8c3e2b172dd

Download Submit
C:\Windows\SysWOW64\WOP1S2F\HYX5H1C.cmd

Filesize
278KB

MD5
42fe2fb7ecd3043917c6c8ae6ec6832a

SHA1
82e8fe3c7eaa02540dc89b369e6d7716acf14a1b

SHA256
f1ec87df50320abc3cef4eb35f6b905818aa546666bcb8e6cdb9cd415385157b

SHA512
2c588182d9370c94c646b8dfb15edf991a4eb7057d9f83eda9ce5ecd9548bdfc5d8c2530e90f6da0f11b57113bc51531023557ac1a8fa80c8eed12da746365bc

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
a9c11e31f4910879d7c444818cdcf663

SHA1
92daf710419d02a09bc414ee6b96a077e8adb952

SHA256
7a54835fabd3a1a2bf3f4b165e60af8cc47c3c214d4fbb4b9ba727c7820365d2

SHA512
b8148bcca433813bac4af68f79019aa9ebc814a7a1bf8098ef9d672a26fe67bbec91dd4f0fe61df78ca7aa04185d9bc5dd4eb458ed7a0ddfa91cbd16f555a79a

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
a9c11e31f4910879d7c444818cdcf663

SHA1
92daf710419d02a09bc414ee6b96a077e8adb952

SHA256
7a54835fabd3a1a2bf3f4b165e60af8cc47c3c214d4fbb4b9ba727c7820365d2

SHA512
b8148bcca433813bac4af68f79019aa9ebc814a7a1bf8098ef9d672a26fe67bbec91dd4f0fe61df78ca7aa04185d9bc5dd4eb458ed7a0ddfa91cbd16f555a79a

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
a9c11e31f4910879d7c444818cdcf663

SHA1
92daf710419d02a09bc414ee6b96a077e8adb952

SHA256
7a54835fabd3a1a2bf3f4b165e60af8cc47c3c214d4fbb4b9ba727c7820365d2

SHA512
b8148bcca433813bac4af68f79019aa9ebc814a7a1bf8098ef9d672a26fe67bbec91dd4f0fe61df78ca7aa04185d9bc5dd4eb458ed7a0ddfa91cbd16f555a79a

Download Submit
C:\Windows\SysWOW64\systear.dll

Filesize
141B

MD5
a9c11e31f4910879d7c444818cdcf663

SHA1
92daf710419d02a09bc414ee6b96a077e8adb952

SHA256
7a54835fabd3a1a2bf3f4b165e60af8cc47c3c214d4fbb4b9ba727c7820365d2

SHA512
b8148bcca433813bac4af68f79019aa9ebc814a7a1bf8098ef9d672a26fe67bbec91dd4f0fe61df78ca7aa04185d9bc5dd4eb458ed7a0ddfa91cbd16f555a79a

Download Submit
C:\Windows\VXK0S2X.exe

Filesize
278KB

MD5
1c218ecd5cc1dc04d4618d3aea5f9d13

SHA1
0e1f60667538878d663723511ee55ed63e771fd2

SHA256
d2bc0e8df068c83b1a9db2521eb26d4a9188f8b9c6f6d2465c9dfca3caa1b746

SHA512
ef88e3a1f54e594d623419a201b10101d674a2b925c646e82912810e489505078e29dfedf0381a3549c4de303926e2b71fabf6a229573d76843f736cc0c67f7e

Download Submit
C:\Windows\VXK0S2X.exe

Filesize
278KB

MD5
d679021a0983a972c3da54159244a909

SHA1
571be240d7f6f48b312a8cae91acf81e4b0fa6f3

SHA256
766e1d3c2dabb8c59b5c9f26d40a52ee2877d50b871a72b02802a36eb984f76a

SHA512
0befdf8a3efe993c380fe1c78d82890de83aa666b23fb45128308376adea593b1afea474c640fe981f587d32b958032cce2848d3415cce0aa9ab4f29a4ec72e2

Download Submit
C:\Windows\VXK0S2X.exe

Filesize
278KB

MD5
ee2d798908d4619d7dbc4b4cca96e34c

SHA1
800dbdbec09dc92f6835343ed6adef123dd49860

SHA256
5707a2891b864245d7d601647f43f1f6ab1ba0312d1959b1d8bd195c2f3eca7e

SHA512
4bcc23a6718ed265c8041f2c6cc16ab7c50bafcc22ac4e5cc6ed2f0c83f65e47be683a7fd44286767f5b96950f66d0021d67c2d870ca462fe18c37800158ae4d

Download Submit
C:\Windows\VXK0S2X.exe

Filesize
278KB

MD5
ee2d798908d4619d7dbc4b4cca96e34c

SHA1
800dbdbec09dc92f6835343ed6adef123dd49860

SHA256
5707a2891b864245d7d601647f43f1f6ab1ba0312d1959b1d8bd195c2f3eca7e

SHA512
4bcc23a6718ed265c8041f2c6cc16ab7c50bafcc22ac4e5cc6ed2f0c83f65e47be683a7fd44286767f5b96950f66d0021d67c2d870ca462fe18c37800158ae4d

Download Submit
C:\Windows\WEK7L1X\FUD8N6T.exe

Filesize
278KB

MD5
0a21587fce584ce44779b990417c59f0

SHA1
ffdbde06086fc5d2dc6a1fc99514df69b2880d81

SHA256
acb6791cc28af27039f273015f608ecd4264d9817234695d76fec88633e2f56a

SHA512
78dadaefb6335ae7a8b805287815cb330d8c987ac5ec119c4a914c958d047cf9ae7dff4ed5129f54785fe1b6c619998a38759c4ff9a1ada91f048f44d79c0fa8

Download Submit
C:\Windows\WEK7L1X\FUD8N6T.exe

Filesize
278KB

MD5
c6b4858b13cfd5c95a5d00268b37c4bd

SHA1
c9ed03304cb775fa6dc2339bc77bfb7f7b0b406b

SHA256
90df7c78a5b83ae4de746c969369462456a74d65828bbd4ebad5e261e45dbb2c

SHA512
8fcac9a083e158cb2b260f23d2baf5fca433d6e6d2159848e77c2784b1779aa4a88b266b47d0f53ca7741002651ca46c6751a3e95535e8352433a5bd3191a894

Download Submit
C:\Windows\WEK7L1X\SVR1V7P.com

Filesize
278KB

MD5
82e0f1a6678c5a23ca62e1a7f8412efd

SHA1
5c26e50702245db384d1ae279f76f8e6aa3ec73c

SHA256
f77c343cbcf0ddbcd37463c249321ffa8b0451fe0a223721cf755cc79b599863

SHA512
9d3f7cf09fd0f62e6a913e7da6315ce588c01dec1b8e5a40e068bfa5afd63f4495457183276dc948ec2b316971ddbb8ec60410c0ef856f0ad3c5172b11c3d180

Download Submit
C:\Windows\WEK7L1X\SVR1V7P.com

Filesize
278KB

MD5
08793715570c4e82e126a8cad2bf43b3

SHA1
121378053d0554e3abd2d97cb9fe9aa33b4c62d7

SHA256
f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a

SHA512
97126b07d47262aba4b5fdead7b9b74352ca9bd62738878cb915376d7109a6c8e4d6864dda09f10509864334bcffc6715cffb0961b750c0b81b4bcae90efc658

Download Submit
C:\Windows\WEK7L1X\SVR1V7P.com

Filesize
278KB

MD5
08793715570c4e82e126a8cad2bf43b3

SHA1
121378053d0554e3abd2d97cb9fe9aa33b4c62d7

SHA256
f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a

SHA512
97126b07d47262aba4b5fdead7b9b74352ca9bd62738878cb915376d7109a6c8e4d6864dda09f10509864334bcffc6715cffb0961b750c0b81b4bcae90efc658

Download Submit
C:\Windows\WEK7L1X\regedit.cmd

Filesize
278KB

MD5
08793715570c4e82e126a8cad2bf43b3

SHA1
121378053d0554e3abd2d97cb9fe9aa33b4c62d7

SHA256
f5b8f7c722d4f238bb13c9d2ec809088683ff39c7eaeb43eca18759e761fef8a

SHA512
97126b07d47262aba4b5fdead7b9b74352ca9bd62738878cb915376d7109a6c8e4d6864dda09f10509864334bcffc6715cffb0961b750c0b81b4bcae90efc658

Download Submit
C:\Windows\WEK7L1X\regedit.cmd

Filesize
278KB

MD5
4ea874d31ba415dce3e519f2fa023776

SHA1
fc459357c2320be82c3b3db89f89cc26bad5a357

SHA256
62324e01906feff1ea6333c0688688b7c25b4004e7c6380485e0fc34bedd24ce

SHA512
093d0ae4f29852ca7275831347031a9157ce8df15955a35fdebcc106d46bde2cb537b8d793cc3fec67bf69cf0a6a6560a0121175dccd02cf0cfdf13f157b9bca

Download Submit
C:\Windows\WEK7L1X\service.exe

Filesize
278KB

MD5
4ea874d31ba415dce3e519f2fa023776

SHA1
fc459357c2320be82c3b3db89f89cc26bad5a357

SHA256
62324e01906feff1ea6333c0688688b7c25b4004e7c6380485e0fc34bedd24ce

SHA512
093d0ae4f29852ca7275831347031a9157ce8df15955a35fdebcc106d46bde2cb537b8d793cc3fec67bf69cf0a6a6560a0121175dccd02cf0cfdf13f157b9bca

Download Submit
C:\Windows\WEK7L1X\service.exe

Filesize
278KB

MD5
4ea874d31ba415dce3e519f2fa023776

SHA1
fc459357c2320be82c3b3db89f89cc26bad5a357

SHA256
62324e01906feff1ea6333c0688688b7c25b4004e7c6380485e0fc34bedd24ce

SHA512
093d0ae4f29852ca7275831347031a9157ce8df15955a35fdebcc106d46bde2cb537b8d793cc3fec67bf69cf0a6a6560a0121175dccd02cf0cfdf13f157b9bca

Download Submit
C:\Windows\WEK7L1X\smss.exe

Filesize
278KB

MD5
d029338e4dd5162a875dc7741161d61e

SHA1
d58fed3e272da22ce5d0cd3a513f57c5f0dca9dd

SHA256
98158679bb4e8a2c77396c1cd0d58cbff4be1e6eeef2d2fb699a967d3072ebeb

SHA512
56206deac551fa92899d67bacc3a560a0b09afc504cbf7fec38d250c4e9d8717e87761023868b0d21a05fdf68192ab3d9850f99b208734247b61a8c3e2b172dd

Download Submit
C:\Windows\WEK7L1X\smss.exe

Filesize
278KB

MD5
d029338e4dd5162a875dc7741161d61e

SHA1
d58fed3e272da22ce5d0cd3a513f57c5f0dca9dd

SHA256
98158679bb4e8a2c77396c1cd0d58cbff4be1e6eeef2d2fb699a967d3072ebeb

SHA512
56206deac551fa92899d67bacc3a560a0b09afc504cbf7fec38d250c4e9d8717e87761023868b0d21a05fdf68192ab3d9850f99b208734247b61a8c3e2b172dd

Download Submit
C:\Windows\WEK7L1X\system.exe

Filesize
278KB

MD5
912dac7596eb24f1b6c9042a82e3aac6

SHA1
222649dc28d65b1f46e82ef434ae4d011d66c198

SHA256
2d71eaaaa33b61403a45ea1d98fbb7d8d6dd5b7cb88a77c5998d82b36496c7c9

SHA512
b811cc870d5f694150db791ba70eff152e2273e19acea8923704553124a525bd0366b4b51488cb9990fac90a9f4796b99db995156fcdcd7345c91f01ca581dae

Download Submit
C:\Windows\WEK7L1X\system.exe

Filesize
278KB

MD5
912dac7596eb24f1b6c9042a82e3aac6

SHA1
222649dc28d65b1f46e82ef434ae4d011d66c198

SHA256
2d71eaaaa33b61403a45ea1d98fbb7d8d6dd5b7cb88a77c5998d82b36496c7c9

SHA512
b811cc870d5f694150db791ba70eff152e2273e19acea8923704553124a525bd0366b4b51488cb9990fac90a9f4796b99db995156fcdcd7345c91f01ca581dae

Download Submit
C:\Windows\WEK7L1X\winlogon.exe

Filesize
278KB

MD5
c5b4a486c21cc7f9e783a9213d8653e4

SHA1
51f36595377d58f3fab7fe78b344d0212e7bd83c

SHA256
a013f2aa1532ddb61664708a9da88cb88c924bba75f473bdd8f7f9f8333fd6d7

SHA512
f938a1006b1acc5f9418bc355b856fede3b9dcf725d77ab144330bd615bd3d9a129cf595cbcb2a8137c6beffc91ac2e1fce493fb12c4dce6e5fc50f9a626e027

Download Submit
C:\Windows\WEK7L1X\winlogon.exe

Filesize
278KB

MD5
c5b4a486c21cc7f9e783a9213d8653e4

SHA1
51f36595377d58f3fab7fe78b344d0212e7bd83c

SHA256
a013f2aa1532ddb61664708a9da88cb88c924bba75f473bdd8f7f9f8333fd6d7

SHA512
f938a1006b1acc5f9418bc355b856fede3b9dcf725d77ab144330bd615bd3d9a129cf595cbcb2a8137c6beffc91ac2e1fce493fb12c4dce6e5fc50f9a626e027

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
afc4f1b045476f92e0454b2b9e7a8084

SHA1
b8492feb7bc365eba6aa3ef4acbe93a3829bcc6b

SHA256
405e631e5b06e18fd4530857ac0a3c3b89ada9cad812fa21f0b12e4d7a573dcb

SHA512
44ce557e30f6814476747f42d7abe4c63ad2d67c969d3e591144a7c905ff73a949a655b1bf5c71f8532ac82040a130dea81a7f459ca8287b59ab06379d3c66e8

Download Submit
C:\Windows\cypreg.dll

Filesize
417KB

MD5
eec2587f559fe1c02d050826be6f4bc7

SHA1
0b027a21ddded95284175505b8542c49a465078b

SHA256
87b96f6a596506f001c6c9098c86d3cf75ce9432f82ccedf3a9217c813839e8b

SHA512
9cdb205153fd6f4195d0e4906ceb3289225e4b4e466c8d8cef289860dfdb8374c548dc35328be14939ff9990e5e229bbdcc7bc46a5c3e89e7eb3bba87b3d83ea

Download Submit
C:\Windows\lsass.exe

Filesize
278KB

MD5
efbc21fbad96d779115865f47034f11d

SHA1
cc2917449be9fc4903d55a0decdaa822402722d0

SHA256
b13c0f8c5d1ffae49a2826bbde05adac34bc4196077d7f7f88ac68e26d941175

SHA512
11db6a60a477b7997afcb47d0b7783f62c7f9aa159a5f81e5f3ac935cb33354998c4ed96d51887ea2431875f00a11ed8a3c6799846d9239a8e3076d09fe3fcd9

Download Submit
C:\Windows\lsass.exe

Filesize
278KB

MD5
e013e31656ae36c25d865221be2d94e8

SHA1
225d531c20686871c6b945784cbf5164417c7c7d

SHA256
e8aabdd7d5f8360761148823c79763ff8b8d9c9dd25a833ee143650b39d37648

SHA512
a643d7f1aec0111b44b1376531f6d965bbb6ae7678481c8af1dd60d0a89998340b06a564974d87913a2183d65c9c3a71971b03754f65af0a1cb730a059a8d1a0

Download Submit
C:\Windows\lsass.exe

Filesize
278KB

MD5
e013e31656ae36c25d865221be2d94e8

SHA1
225d531c20686871c6b945784cbf5164417c7c7d

SHA256
e8aabdd7d5f8360761148823c79763ff8b8d9c9dd25a833ee143650b39d37648

SHA512
a643d7f1aec0111b44b1376531f6d965bbb6ae7678481c8af1dd60d0a89998340b06a564974d87913a2183d65c9c3a71971b03754f65af0a1cb730a059a8d1a0

Download Submit
C:\Windows\lsass.exe

Filesize
278KB

MD5
16da752f275480bcfccf59820f180407

SHA1
1a759d8c3e547c775e8ced54b708d83c95b3d5d9

SHA256
03df566f82cb6dd6a25abdc1340266a5f5937f2026983eb0f272ab9abacfbce8

SHA512
a36ef17991880abe700715709fc75523396f77d0b190dac3aeb6652f8c3136ceb0b08645506a535477bbb8a8fcea8f1baca47a916443374bb735a3ce88bd2ba5

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\moonlight.dll

Filesize
65KB

MD5
c55534452c57efa04f4109310f71ccca

SHA1
b97a3d9e2c1ad9314562b7d0d77b2a4b34e77d61

SHA256
4cbbe69bcd0a2debae6a584e1fa49f8d4a27f90d9cd364255bbbd930ca0a38bc

SHA512
ad324f1f1bfde9c9b6057d5526ae62155b3b897d27225ed74fdb867a2c6d5f21cebfb63e3dc68bd807993b0f4c72fb3ce880696b9c3358b3b982204d60c7161a

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\onceinabluemoon.mid

Filesize
8KB

MD5
0e528d000aad58b255c1cf8fd0bb1089

SHA1
2445d2cc0921aea9ae53b8920d048d6537940ec6

SHA256
c8aa5c023bf32f1c1e27b8136cf4d622101e58a80417d97271d3c0ba44528cae

SHA512
89ff6a1f1bf364925704a83ab4d222e2335e6486e0b90641f0133236b5f6b0fede1e9f17b577d6d069537e737b761f745d1fde4a9d0b43cb59143edf2d9c2116

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
2f593c451e4243ce08634d5ccb6e8f1d

SHA1
1f72faf6e085aba90482f3edbdec7eed997370b9

SHA256
5c30df5afbcb16e2fcd4f4ddf4bd2573a3f79ca69c1b3cefad83552f725bc52a

SHA512
b1c4a5d642bd59271e7d42dae4116af2705ba4af60d7d456da73d78a10e0a571468e0eb618712993b12ed15d4746bf0d84b1ee49c468b964e28b204d2a2c77fe

Download Submit
C:\Windows\system\msvbvm60.dll

Filesize
1.3MB

MD5
381ee69841c54efd9f93ebe332337865

SHA1
3327c2f495d3dedd4c07bd258e7026e0de1c1d7c

SHA256
24be6f1a5642f8bf311bcb1c85142178be6d682ced4f5ef8fdeeddeb39df16be

SHA512
69cb19699ba5c83883ef6d24ffed4345448e2ead12ba1d41378e6a6ca5ed7d788c637dab05996969b4c9837545490e63aa6b52ef7168d646c27442acca2ae3ad

Download Submit
\Users\Admin\AppData\Local\Temp\VCab.DLL

Filesize
33KB

MD5
955b398a5821396aa64045e758102295

SHA1
b727a84f2fb76f39e14d003bfd9bff1b3127aed1

SHA256
175acaad4dccc052b16eee2f904f4e393d47141e989b2468654d554b392d692a

SHA512
0b005d58d1f3c002eb082cfd47b0c2b7f8d350a93cc005e1ec282164fc9e083a259a87b44b56c25d8dece758e0ab275d13d32b11fc7cf7e6f3dfe43ea27b3744

Download Submit
\Users\Admin\AppData\Local\Temp\VCab.DLL

Filesize
33KB

MD5
955b398a5821396aa64045e758102295

SHA1
b727a84f2fb76f39e14d003bfd9bff1b3127aed1

SHA256
175acaad4dccc052b16eee2f904f4e393d47141e989b2468654d554b392d692a

SHA512
0b005d58d1f3c002eb082cfd47b0c2b7f8d350a93cc005e1ec282164fc9e083a259a87b44b56c25d8dece758e0ab275d13d32b11fc7cf7e6f3dfe43ea27b3744

Download Submit
\Users\Admin\AppData\Local\Temp\VCab.DLL

Filesize
33KB

MD5
955b398a5821396aa64045e758102295

SHA1
b727a84f2fb76f39e14d003bfd9bff1b3127aed1

SHA256
175acaad4dccc052b16eee2f904f4e393d47141e989b2468654d554b392d692a

SHA512
0b005d58d1f3c002eb082cfd47b0c2b7f8d350a93cc005e1ec282164fc9e083a259a87b44b56c25d8dece758e0ab275d13d32b11fc7cf7e6f3dfe43ea27b3744

Download Submit
\Users\Admin\AppData\Local\Temp\VCab.DLL

Filesize
33KB

MD5
955b398a5821396aa64045e758102295

SHA1
b727a84f2fb76f39e14d003bfd9bff1b3127aed1

SHA256
175acaad4dccc052b16eee2f904f4e393d47141e989b2468654d554b392d692a

SHA512
0b005d58d1f3c002eb082cfd47b0c2b7f8d350a93cc005e1ec282164fc9e083a259a87b44b56c25d8dece758e0ab275d13d32b11fc7cf7e6f3dfe43ea27b3744

Download Submit
\Windows\WEK7L1X\service.exe

Filesize
278KB

MD5
4ea874d31ba415dce3e519f2fa023776

SHA1
fc459357c2320be82c3b3db89f89cc26bad5a357

SHA256
62324e01906feff1ea6333c0688688b7c25b4004e7c6380485e0fc34bedd24ce

SHA512
093d0ae4f29852ca7275831347031a9157ce8df15955a35fdebcc106d46bde2cb537b8d793cc3fec67bf69cf0a6a6560a0121175dccd02cf0cfdf13f157b9bca

Download Submit
\Windows\WEK7L1X\service.exe

Filesize
278KB

MD5
4ea874d31ba415dce3e519f2fa023776

SHA1
fc459357c2320be82c3b3db89f89cc26bad5a357

SHA256
62324e01906feff1ea6333c0688688b7c25b4004e7c6380485e0fc34bedd24ce

SHA512
093d0ae4f29852ca7275831347031a9157ce8df15955a35fdebcc106d46bde2cb537b8d793cc3fec67bf69cf0a6a6560a0121175dccd02cf0cfdf13f157b9bca

Download Submit
\Windows\WEK7L1X\smss.exe

Filesize
278KB

MD5
d029338e4dd5162a875dc7741161d61e

SHA1
d58fed3e272da22ce5d0cd3a513f57c5f0dca9dd

SHA256
98158679bb4e8a2c77396c1cd0d58cbff4be1e6eeef2d2fb699a967d3072ebeb

SHA512
56206deac551fa92899d67bacc3a560a0b09afc504cbf7fec38d250c4e9d8717e87761023868b0d21a05fdf68192ab3d9850f99b208734247b61a8c3e2b172dd

Download Submit
\Windows\WEK7L1X\smss.exe

Filesize
278KB

MD5
d029338e4dd5162a875dc7741161d61e

SHA1
d58fed3e272da22ce5d0cd3a513f57c5f0dca9dd

SHA256
98158679bb4e8a2c77396c1cd0d58cbff4be1e6eeef2d2fb699a967d3072ebeb

SHA512
56206deac551fa92899d67bacc3a560a0b09afc504cbf7fec38d250c4e9d8717e87761023868b0d21a05fdf68192ab3d9850f99b208734247b61a8c3e2b172dd

Download Submit
\Windows\WEK7L1X\system.exe

Filesize
278KB

MD5
912dac7596eb24f1b6c9042a82e3aac6

SHA1
222649dc28d65b1f46e82ef434ae4d011d66c198

SHA256
2d71eaaaa33b61403a45ea1d98fbb7d8d6dd5b7cb88a77c5998d82b36496c7c9

SHA512
b811cc870d5f694150db791ba70eff152e2273e19acea8923704553124a525bd0366b4b51488cb9990fac90a9f4796b99db995156fcdcd7345c91f01ca581dae

Download Submit
\Windows\WEK7L1X\system.exe

Filesize
278KB

MD5
912dac7596eb24f1b6c9042a82e3aac6

SHA1
222649dc28d65b1f46e82ef434ae4d011d66c198

SHA256
2d71eaaaa33b61403a45ea1d98fbb7d8d6dd5b7cb88a77c5998d82b36496c7c9

SHA512
b811cc870d5f694150db791ba70eff152e2273e19acea8923704553124a525bd0366b4b51488cb9990fac90a9f4796b99db995156fcdcd7345c91f01ca581dae

Download Submit
\Windows\WEK7L1X\winlogon.exe

Filesize
278KB

MD5
c5b4a486c21cc7f9e783a9213d8653e4

SHA1
51f36595377d58f3fab7fe78b344d0212e7bd83c

SHA256
a013f2aa1532ddb61664708a9da88cb88c924bba75f473bdd8f7f9f8333fd6d7

SHA512
f938a1006b1acc5f9418bc355b856fede3b9dcf725d77ab144330bd615bd3d9a129cf595cbcb2a8137c6beffc91ac2e1fce493fb12c4dce6e5fc50f9a626e027

Download Submit
\Windows\WEK7L1X\winlogon.exe

Filesize
278KB

MD5
c5b4a486c21cc7f9e783a9213d8653e4

SHA1
51f36595377d58f3fab7fe78b344d0212e7bd83c

SHA256
a013f2aa1532ddb61664708a9da88cb88c924bba75f473bdd8f7f9f8333fd6d7

SHA512
f938a1006b1acc5f9418bc355b856fede3b9dcf725d77ab144330bd615bd3d9a129cf595cbcb2a8137c6beffc91ac2e1fce493fb12c4dce6e5fc50f9a626e027

Download Submit
memory/520-168-0x0000000000540000-0x0000000000560000-memory.dmp

Filesize
128KB

Download
memory/520-82-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/520-165-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/520-150-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/612-163-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/612-151-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/612-152-0x0000000000340000-0x0000000000360000-memory.dmp

Filesize
128KB

Download
memory/612-80-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1456-78-0x0000000002A00000-0x0000000002A78000-memory.dmp

Filesize
480KB

Download
memory/1456-77-0x0000000002A00000-0x0000000002A10000-memory.dmp

Filesize
64KB

Download
memory/1456-60-0x0000000000220000-0x0000000000240000-memory.dmp

Filesize
128KB

Download
memory/1456-59-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1456-58-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1456-57-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1456-154-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1684-164-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1684-161-0x00000000033E0000-0x0000000003455000-memory.dmp

Filesize
468KB

Download
memory/1684-167-0x00000000002C0000-0x00000000002E0000-memory.dmp

Filesize
128KB

Download
memory/1684-148-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/1684-81-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1684-149-0x00000000002C0000-0x00000000002E0000-memory.dmp

Filesize
128KB

Download
memory/2004-162-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2004-114-0x0000000001BE0000-0x0000000001C00000-memory.dmp

Filesize
128KB

Download
memory/2004-166-0x0000000001BE0000-0x0000000001C00000-memory.dmp

Filesize
128KB

Download
memory/2004-79-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2004-113-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2044-159-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download
memory/2044-160-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/2044-158-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2044-169-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2044-170-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads