fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2022, 10:18 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
Size

621KB
MD5

289a8b4467fd91845a8b8aff5c54c2f8
SHA1

bdbed0c0f569c687fc0f55d81b68b5ca86f10a95
SHA256

fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36
SHA512

731ab3436d987447477d866396b06246dc4e99671f311b3340cc41705c9ef36847a0ab3b4c0aa9301cbbd65909def2f32f734293b5ffeb66798b509ca08bf29c
SSDEEP

12288:NtiHUfEZjVOExNUr31MTzpW64bIM1FYr+u+96r:NtiHU8ZjVOExNQ1MT46+1FY5+96r

Score

8^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4228	MSN.exe
1504	windll.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	MSN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	windll.com
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe

Loads dropped DLL 2 IoCs

pid	Process
4676	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
4676	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CFTMON = "C:\\Windows\\MSN.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CFTMON = "C:\\Windows\\MSN.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CFTMON = "C:\\Windows\\MSN.exe"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CFTMON = "C:\\Windows\\MSN.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CFTMON = "C:\\Windows\\MSN.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CFTMON = "C:\\Windows\\MSN.exe"	regedit.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\MSN.exe	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
File opened for modification	C:\Windows\name.dll	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
File opened for modification	C:\Windows\nick.dll	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
File opened for modification	C:\Windows\win30.sys	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
File opened for modification	C:\Windows\MSN.exe	MSN.exe
File created	C:\Windows\x.reg	windll.com
File opened for modification	C:\Windows\dal.dll	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
File opened for modification	C:\Windows\win30.sys	windll.com
File created	C:\Windows\us32.reg	windll.com
File opened for modification	C:\Windows\windll.com	MSN.exe
File opened for modification	C:\Windows\windll.com	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
File opened for modification	C:\Windows\mlRC.ini	windll.com
File opened for modification	C:\Windows\x.reg	windll.com
File opened for modification	C:\Windows\mlRC.ini	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
File opened for modification	C:\Windows\win1.sys	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
File opened for modification	C:\Windows\win1.sys	windll.com
File opened for modification	C:\Windows\us32.reg	windll.com
File opened for modification	C:\Windows\idnt.dll	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ = "%1"	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command	windll.com
Key created	\REGISTRY\MACHINE\Software\Classes\irc	windll.com
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\command	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\ = "URL:IRC Protocol"	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\URL Protocol	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\command\ = "\"C:\\Windows\\windll.com\" -noconnect"	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application\ = "mIRC"	windll.com
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\ifexec	windll.com
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Topic	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon\ = "\"C:\\Windows\\windll.com\""	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ = "%1"	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\command\ = "\"C:\\Windows\\windll.com\" -noconnect"	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Topic\ = "Connect"	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic\ = "Connect"	windll.com
Key created	\REGISTRY\MACHINE\Software\Classes\irc\DefaultIcon	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open	windll.com
Key created	\REGISTRY\MACHINE\Software\Classes\irc\Shell\open\ddeexec\Application	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cha\ = "ChatFile"	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\ = "Chat File"	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\ifexec\ = "%1"	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\Application\ = "mIRC"	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\Shell\open\ddeexec\ifexec\ = "%1"	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.chat\ = "ChatFile"	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Topic	windll.com
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\EditFlags = 02000000	windll.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\irc\DefaultIcon\ = "\"C:\\Windows\\windll.com\""	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\DefaultIcon	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec	windll.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChatFile\Shell\open\ddeexec\Application	windll.com

Runs .reg file with regedit 6 IoCs

pid	Process
3784	regedit.exe
2644	regedit.exe
1404	regedit.exe
220	regedit.exe
3596	regedit.exe
1456	regedit.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1504	windll.com
1504	windll.com

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4676 wrote to memory of 4228	4676	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe	80
PID 4676 wrote to memory of 4228	4676	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe	80
PID 4676 wrote to memory of 4228	4676	fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe	80
PID 4228 wrote to memory of 1504	4228	MSN.exe	81
PID 4228 wrote to memory of 1504	4228	MSN.exe	81
PID 4228 wrote to memory of 1504	4228	MSN.exe	81
PID 1504 wrote to memory of 3784	1504	windll.com	83
PID 1504 wrote to memory of 3784	1504	windll.com	83
PID 1504 wrote to memory of 3784	1504	windll.com	83
PID 1504 wrote to memory of 2644	1504	windll.com	84
PID 1504 wrote to memory of 2644	1504	windll.com	84
PID 1504 wrote to memory of 2644	1504	windll.com	84
PID 1504 wrote to memory of 1404	1504	windll.com	85
PID 1504 wrote to memory of 1404	1504	windll.com	85
PID 1504 wrote to memory of 1404	1504	windll.com	85
PID 1504 wrote to memory of 220	1504	windll.com	86
PID 1504 wrote to memory of 220	1504	windll.com	86
PID 1504 wrote to memory of 220	1504	windll.com	86
PID 1504 wrote to memory of 3596	1504	windll.com	87
PID 1504 wrote to memory of 3596	1504	windll.com	87
PID 1504 wrote to memory of 3596	1504	windll.com	87
PID 1504 wrote to memory of 1456	1504	windll.com	88
PID 1504 wrote to memory of 1456	1504	windll.com	88
PID 1504 wrote to memory of 1456	1504	windll.com	88

C:\Users\Admin\AppData\Local\Temp\fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe
"C:\Users\Admin\AppData\Local\Temp\fd2b6cb7d3cd36aa996ce6839f1a5022bfd654fb7ab617feff7dfcb43fb4ac36.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4676
- C:\Windows\MSN.exe
  "C:\Windows\MSN.exe"
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4228
- - C:\Windows\windll.com
    "C:\Windows\windll.com"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /s x.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:3784
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /s us32.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:2644
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /s x.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:1404
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /s us32.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:220
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /s x.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:3596
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\regedit.exe" /s us32.reg
      4⤵
      Adds Run key to start application
      Runs .reg file with regedit
      PID:1456

Network

DNS

forums.cpanel.net

windll.com

Remote address:

8.8.8.8:53

Request

forums.cpanel.net

IN A

Response

forums.cpanel.net

IN CNAME

forums.cpanel.net.cdn.cloudflare.net

forums.cpanel.net.cdn.cloudflare.net

IN A

104.18.17.164

forums.cpanel.net.cdn.cloudflare.net

IN A

104.18.16.164
GET

http://forums.cpanel.net/member.php?u=73978&so=41c576a3bac4220845f9427b002a2a9d

windll.com

Remote address:

104.18.17.164:80

Request

GET /member.php?u=73978&so=41c576a3bac4220845f9427b002a2a9d HTTP/1.1
Host: forums.cpanel.net

Response

HTTP/1.1 301 Moved Permanently

Date: Mon, 28 Nov 2022 06:34:54 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Location: https://forums.cpanel.net/member.php?so=41c576a3bac4220845f9427b002a2a9d&u=73978
CF-Cache-Status: DYNAMIC
Set-Cookie: __cf_bm=PyiJ0LFcyXZhPcKJll7p0ZTMu2AyMzwiCqiVhTmRbbk-1669617294-0-AdgRSIvQbLBa/0yKojrld+5uPb5/JAwmgqUjd76iTAZXPArMEPQwLsVge3dw4GTWzzOVJIwAZRNThrAaH6gHfl8=; path=/; expires=Mon, 28-Nov-22 07:04:54 GMT; domain=.cpanel.net; HttpOnly
Server: cloudflare
CF-RAY: 771114978a66b78b-AMS
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400

104.18.17.164:80

http://forums.cpanel.net/member.php?u=73978&so=41c576a3bac4220845f9427b002a2a9d

http

windll.com

321 B
1.1kB
5
5

HTTP Request

GET http://forums.cpanel.net/member.php?u=73978&so=41c576a3bac4220845f9427b002a2a9d

HTTP Response

301
8.238.23.254:80

322 B
7
8.238.23.254:80

322 B
7
51.116.253.170:443

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.221.240:80

322 B
7
93.184.220.29:80

322 B
7

8.8.8.8:53

forums.cpanel.net

dns

windll.com

63 B
142 B
1
1

DNS Request

forums.cpanel.net

DNS Response

104.18.17.164

104.18.16.164

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GS7B11.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\GS7B11.tmp

Filesize
44KB

MD5
7d46ea623eba5073b7e3a2834fe58cc9

SHA1
29ad585cdf812c92a7f07ab2e124a0d2721fe727

SHA256
4ebf13835a117a2551d80352ca532f6596e6f2729e41b3de7015db558429dea5

SHA512
a1e5724d035debf31b1b1be45e3dc8432428b7893d2bfc8611571abbf3bcd9f08cb36f585671a8a2baa6bcf7f4b4fe39ba60417631897b4e4154561b396947ca

Download Submit
C:\Windows\MSN.exe

Filesize
1KB

MD5
fe3afe61038e5af45400c344b7c9aedd

SHA1
c7d9baf1461f189d52d99f40276c64891cf3da65

SHA256
fb8e85219028b61bf55b2ada6df6e6c086231ddee71401086865e1c275437fb9

SHA512
2c5be4e6694b9a7a677a2b1cb272ff652703a97d113feab7560b73f4a355e458358d14314b1204297c999b77c696fa89f150ccb2572bd38ccf6c86695fb3f545

Download Submit
C:\Windows\MSN.exe

Filesize
1KB

MD5
fe3afe61038e5af45400c344b7c9aedd

SHA1
c7d9baf1461f189d52d99f40276c64891cf3da65

SHA256
fb8e85219028b61bf55b2ada6df6e6c086231ddee71401086865e1c275437fb9

SHA512
2c5be4e6694b9a7a677a2b1cb272ff652703a97d113feab7560b73f4a355e458358d14314b1204297c999b77c696fa89f150ccb2572bd38ccf6c86695fb3f545

Download Submit
C:\Windows\idnt.dll

Filesize
749B

MD5
b8d5e9d404c7eaea8a07022368f1fd46

SHA1
810edf7197e8d693f9278bec8a9e2a4489a966de

SHA256
12235bc2b770d49b1ca3021d331cc752e0143bc6c318f12e764d6025529c32ea

SHA512
cfd22dd82731b62ab3778495f97414c86cfba24929fa79cad27c933513c8f70234fb58543db814bee71b2238acea101a4c393d32896de91f3dde500c9390bd8b

Download Submit
C:\Windows\mlRC.ini

Filesize
2KB

MD5
ab72ce8819fe6aff26d1ff72ba581047

SHA1
eb7f9ead91c27729266a0b1d7fe56d7a9b0a9964

SHA256
7896008140c7bc1a8216c56198e203d0f1f8004775adf17c8602ec78e888999b

SHA512
0865d095f944ebcc310c097abfd28bfd49d8f8d8cc6f1f41eebfc5f70ff5908a43e044a19e981c1ff28c329ed6d27299d5689d2db7df80891fd7fe458d18adc7

Download Submit
C:\Windows\name.dll

Filesize
1KB

MD5
a873f6061d978bd72cfbb84ed5d3224e

SHA1
833b5010675a2259d3819e30425fc34c7ef57023

SHA256
b607ca2db6f29c63169af312f68fcc21dee55f29d32df291bf36addac2b1e74d

SHA512
8873c7629066e6b1cdd0275b74ca802452b2c996f6c0d65f5fc6b24e71048b7ab065eba616b7fbe14602bb43ebfcc1b6b7955d96485189c7b94194a27f6f036c

Download Submit
C:\Windows\nick.dll

Filesize
2KB

MD5
51e75b835676eaec38a062b1de3f1853

SHA1
d0e438eb6def370aee5e37ade185d07fb57d9cf0

SHA256
2d88fa23942380a3217bc787595d06bca69a941f87097c591cedd0e89c0a5dcb

SHA512
d98a7a2f42ae2b8faae3f66754647c67763ebab592b7d9d5d135f93323f93b3785c78cef0105171c233e077aae81d2ce23632e16b8c8dfb83b38166accfaff40

Download Submit
C:\Windows\us32.reg

Filesize
111B

MD5
361d94b81f3f66d88ff9276e1d53877f

SHA1
8b6c45770100ad708b4dae0f6a02c60c56d1e570

SHA256
c558bd42efe2f4292394d459115a0c6174233cc287b410c6b3710c2fdb68c68f

SHA512
82cb573c31cade5fc96ff2e7361e3fbea8638c5df70df4ec07d8e9ea0985b35876662eb96298372ad87de2d1f049db072424cd891b15649098ce14973d6acd19

Download Submit
C:\Windows\us32.reg

Filesize
111B

MD5
361d94b81f3f66d88ff9276e1d53877f

SHA1
8b6c45770100ad708b4dae0f6a02c60c56d1e570

SHA256
c558bd42efe2f4292394d459115a0c6174233cc287b410c6b3710c2fdb68c68f

SHA512
82cb573c31cade5fc96ff2e7361e3fbea8638c5df70df4ec07d8e9ea0985b35876662eb96298372ad87de2d1f049db072424cd891b15649098ce14973d6acd19

Download Submit
C:\Windows\us32.reg

Filesize
111B

MD5
361d94b81f3f66d88ff9276e1d53877f

SHA1
8b6c45770100ad708b4dae0f6a02c60c56d1e570

SHA256
c558bd42efe2f4292394d459115a0c6174233cc287b410c6b3710c2fdb68c68f

SHA512
82cb573c31cade5fc96ff2e7361e3fbea8638c5df70df4ec07d8e9ea0985b35876662eb96298372ad87de2d1f049db072424cd891b15649098ce14973d6acd19

Download Submit
C:\Windows\win1.sys

Filesize
6KB

MD5
ed002a649afa99ecceda7e1b2b6ab9aa

SHA1
a6e572e8fc1f47a29be6729220f7b7e768c97d57

SHA256
c8e81d469f03f8bbb4409077d8b8970b40a4f7d95106ccf0058da7698c77e957

SHA512
be8c3e4448e9d77b970d62ec0c9c8a9b1122ef10cb944df9bfed26b9b10c9e43dbc9e328a5cad42b48e96ea50269a8a47771f6ea634a026c2dc8e76224a58f93

Download Submit
C:\Windows\win30.sys

Filesize
5KB

MD5
06ac0286a7a20bbb26cdda5b026c5822

SHA1
e049581515728273108896650d6af72245ebbf49

SHA256
d971ada9174464e2272d5841a983d53ab58b4455865250094fba9bf2f400764a

SHA512
fa19335cdd902b254e56e3af848007a99197f812266b2e46c047dc8d6a671d6934e7e5842c93cee39439246d228381a478ab431cf91317bd448cc61b67a46538

Download Submit
C:\Windows\windll.com

Filesize
563KB

MD5
a54b0c1454c790dace702a148c5a0222

SHA1
f44026d4ca67f8c3089d1374e8419908e2c92f57

SHA256
4e7025093178a1f10316710bfa36e0e279bd9228bdf3e8354400222c2f146783

SHA512
595c452b90fc6307b52fcc4d390c72b6dfecf9e9779eff35e65d2cda2035c928cd01a0c02aaf861f9834b287229f50a546a576b701179e605c7714651ac18a17

Download Submit
C:\Windows\windll.com

Filesize
563KB

MD5
a54b0c1454c790dace702a148c5a0222

SHA1
f44026d4ca67f8c3089d1374e8419908e2c92f57

SHA256
4e7025093178a1f10316710bfa36e0e279bd9228bdf3e8354400222c2f146783

SHA512
595c452b90fc6307b52fcc4d390c72b6dfecf9e9779eff35e65d2cda2035c928cd01a0c02aaf861f9834b287229f50a546a576b701179e605c7714651ac18a17

Download Submit
C:\Windows\x.reg

Filesize
141B

MD5
777e139eecbab2fb4a4d5dadd78d0fb8

SHA1
7df2e59601367fd578cd95034b91440cd0f1f946

SHA256
564aa87694a34bb5a2c23d39aa82a07c6b585f9f2f5cbf982f7b978d4779ed4b

SHA512
e42081d475933f3d5f3b8a174157e29b67fd24032ce0778cb2f66ff33e84730a0140171380a73cb529736a3cb948ec9776f4e1200a7304fc28bd5154f46f6128

Download Submit
C:\Windows\x.reg

Filesize
141B

MD5
777e139eecbab2fb4a4d5dadd78d0fb8

SHA1
7df2e59601367fd578cd95034b91440cd0f1f946

SHA256
564aa87694a34bb5a2c23d39aa82a07c6b585f9f2f5cbf982f7b978d4779ed4b

SHA512
e42081d475933f3d5f3b8a174157e29b67fd24032ce0778cb2f66ff33e84730a0140171380a73cb529736a3cb948ec9776f4e1200a7304fc28bd5154f46f6128

Download Submit
C:\Windows\x.reg

Filesize
141B

MD5
777e139eecbab2fb4a4d5dadd78d0fb8

SHA1
7df2e59601367fd578cd95034b91440cd0f1f946

SHA256
564aa87694a34bb5a2c23d39aa82a07c6b585f9f2f5cbf982f7b978d4779ed4b

SHA512
e42081d475933f3d5f3b8a174157e29b67fd24032ce0778cb2f66ff33e84730a0140171380a73cb529736a3cb948ec9776f4e1200a7304fc28bd5154f46f6128

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Response

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.